Terraform is increasingly the preferred tool for building, changing, and versioning infrastructure in Google Cloud and across clouds. In an earlier post, Google showed how to create Eventarc triggers using the Google Cloud Console or from the command line with gcloud. In this post, Google shows how to create the same triggers with the google_eventarc_trigger Terraform resource.

See eventarc-samples/terraform on GitHub for the prerequisites and main.tf for full Terraform configuration. 

Define a Cloud Run service as an event sink

Before you can create a trigger, you need a Cloud Run service to act as the event sink for the trigger. You can use Terraform's google_cloud_run_service resource to define one. Note that this resource does not grant allUsers the invoker role, so the service only accepts authenticated requests; Eventarc satisfies this by invoking the service as the trigger's service account, which must hold roles/run.invoker on the service.

  resource "google_cloud_run_service" "default" {
    name     = "cloudrun-hello-tf"
    location = var.region

    template {
      spec {
        containers {
          image = "gcr.io/cloudrun/hello"
        }
      }
    }

    traffic {
      percent         = 100
      latest_revision = true
    }
  }

Define a Pub/Sub trigger

A Pub/Sub trigger connects a Pub/Sub topic to a Cloud Run service. If you do not name an existing topic (in Terraform, via the trigger's transport block), Eventarc creates a new topic for the trigger; anything that can publish to that topic can invoke your service through the trigger.

As a reminder, here’s how you can create a Pub/Sub trigger using gcloud:

  gcloud eventarc triggers create trigger-pubsub \
    --destination-run-service=$SERVICE_NAME \
    --destination-run-region=$REGION \
    --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished"

The same Pub/Sub trigger looks like this as a Terraform resource:

  resource "google_eventarc_trigger" "trigger-pubsub-tf" {
    name     = "trigger-pubsub-tf"
    location = var.region
    matching_criteria {
      attribute = "type"
      value     = "google.cloud.pubsub.topic.v1.messagePublished"
    }
    destination {
      cloud_run_service {
        service = google_cloud_run_service.default.name
        region  = var.region
      }
    }

    depends_on = [google_project_service.eventarc]
  }

Note: There’s a slight difference in how events are filtered in gcloud vs. Terraform. In gcloud, events are filtered with the --event-filters flag; whereas in Terraform, matching_criteria is used. This is for legacy reasons and hopefully will be corrected in the future.

Define an Audit Log trigger

An Audit Log trigger connects any Google Cloud service that writes Cloud Audit Logs to a Cloud Run service. The trigger only fires for log entries that are actually written, so for data-access operations such as object creation in Cloud Storage you must first enable Data Access audit logs for that service in the project. Here's what an Audit Log trigger for the Cloud Storage storage.objects.create method looks like in Terraform:

  resource "google_eventarc_trigger" "trigger-auditlog-tf" {
    name     = "trigger-auditlog-tf"
    location = var.region
    matching_criteria {
      attribute = "type"
      value     = "google.cloud.audit.log.v1.written"
    }
    matching_criteria {
      attribute = "serviceName"
      value     = "storage.googleapis.com"
    }
    matching_criteria {
      attribute = "methodName"
      value     = "storage.objects.create"
    }
    destination {
      cloud_run_service {
        service = google_cloud_run_service.default.name
        region  = var.region
      }
    }
    service_account = "${data.google_project.project.number}-compute@developer.gserviceaccount.com"

    depends_on = [google_project_service.eventarc]
  }
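Both triggers above run as the project's default Compute Engine service account: explicitly for the Audit Log trigger through service_account, and implicitly for the Pub/Sub trigger, which falls back to that account when service_account is omitted. That account is typically granted the broad Editor role when a project is created, far more than a trigger needs. For least privilege, a dedicated service account should hold only roles/run.invoker on the one destination service and, for Audit Log triggers, roles/eventarc.eventReceiver. The following configuration is an added example and is not code from the original post or from the eventarc-samples repository; it assumes the var.project_id and var.region variables, the google_cloud_run_service.default resource defined above, and the google_project_service.eventarc resource that the triggers above reference in depends_on. The account_id and the resource names are illustrative.

```hcl
# Added example (not from the original post or eventarc-samples): run the
# triggers as a dedicated, least-privilege service account instead of the
# default Compute Engine service account. Assumes var.project_id, var.region,
# google_cloud_run_service.default and google_project_service.eventarc exist.

# Dedicated identity for the triggers. account_id is illustrative.
resource "google_service_account" "eventarc_trigger" {
  account_id   = "eventarc-trigger-sa"
  display_name = "Eventarc trigger identity (least privilege)"
}

# The Cloud Run service above is not public, so the trigger identity needs
# roles/run.invoker. Bind it on this one service only, not project-wide.
resource "google_cloud_run_service_iam_member" "trigger_invoker" {
  location = google_cloud_run_service.default.location
  service  = google_cloud_run_service.default.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.eventarc_trigger.email}"
}

# Audit Log triggers additionally require roles/eventarc.eventReceiver.
resource "google_project_iam_member" "trigger_event_receiver" {
  project = var.project_id
  role    = "roles/eventarc.eventReceiver"
  member  = "serviceAccount:${google_service_account.eventarc_trigger.email}"
}

# Same Cloud Storage audit-log trigger as above, but with the dedicated identity.
resource "google_eventarc_trigger" "trigger-auditlog-least-priv" {
  name     = "trigger-auditlog-least-priv"
  location = var.region
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.audit.log.v1.written"
  }
  matching_criteria {
    attribute = "serviceName"
    value     = "storage.googleapis.com"
  }
  matching_criteria {
    attribute = "methodName"
    value     = "storage.objects.create"
  }
  destination {
    cloud_run_service {
      service = google_cloud_run_service.default.name
      region  = var.region
    }
  }
  service_account = google_service_account.eventarc_trigger.email

  # IAM bindings are eventually consistent; make sure they exist before the
  # trigger is created so the first delivery does not fail with a 403.
  depends_on = [
    google_project_service.eventarc,
    google_cloud_run_service_iam_member.trigger_invoker,
    google_project_iam_member.trigger_event_receiver,
  ]
}
```

The Pub/Sub trigger can use the same identity by adding service_account = google_service_account.eventarc_trigger.email to its resource; it needs only the roles/run.invoker binding, not roles/eventarc.eventReceiver. Keeping the invoker binding on the single service, rather than granting roles/run.invoker at project level, means a compromised trigger identity cannot be used to call other Cloud Run services in the project.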

Deploy with Terraform

Deploying resources with Terraform usually involves three steps:

1. Initialize Terraform:

terraform init

2. See the planned changes:

terraform plan -var="project_id=YOUR-PROJECT-ID" -var="region=YOUR-GCP-REGION"

3. Create resources:

terraform apply -var="project_id=YOUR-PROJECT-ID" -var="region=YOUR-GCP-REGION"

After a few minutes, all the resources (a Cloud Run service and two Eventarc triggers) will be created. You can double-check the list of triggers:

gcloud eventarc triggers list --location YOUR-GCP-REGION

To inspect a single trigger, including the service account it runs as and, for a Pub/Sub trigger, the topic Eventarc created for it, use gcloud eventarc triggers describe TRIGGER-NAME --location YOUR-GCP-REGION.