iooi

Reputation: 523

How to create a google cloud pubsub subscriptions with service account by terraform?

From this document, I want to create the same thing by terraform.

https://cloud.google.com/run/docs/tutorials/pubsub

gcloud pubsub subscriptions create myRunSubscription --topic myRunTopic \
   --push-endpoint=SERVICE-URL/ \
   --push-auth-service-account=cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com

terraform's main.tf

resource "google_pubsub_subscription" "my_task" {
  name  = "my-task-subscription"
  topic = google_pubsub_topic.my_task.name

  ack_deadline_seconds = 20

  push_config {
    push_endpoint = var.push_endpoint
  }

  dead_letter_policy {
    dead_letter_topic = "[email protected]"
  }
}

terraform apply

  # module.pubsub.google_pubsub_subscription.my_task will be created
  + resource "google_pubsub_subscription" "my_task" {
      + ack_deadline_seconds       = 20
      + id                         = (known after apply)
      + message_retention_duration = "604800s"
      + name                       = "my-task-subscription"
      + path                       = (known after apply)
      + project                    = (known after apply)
      + topic                      = "MyTask"

      + dead_letter_policy {
          + dead_letter_topic = "[email protected]"
        }

      + expiration_policy {
          + ttl = (known after apply)
        }

      + push_config {
          + push_endpoint = "https://an-endpoint.com"
        }
    }

Got error:

Error: Error creating Subscription: googleapi: Error 400: Invalid resource name given ([email protected]). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information.

From the Terraform document, dead_letter_policy is related to the Pub/Sub service account: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription#dead_letter_policy

But why doesn't it work? How do I set --push-auth-service-account as Google's official docs do, then?

Upvotes: 0

Views: 4143

Answers (2)

John Hanley

Reputation: 81376

Your problem is here:

  dead_letter_policy {
    dead_letter_topic = "[email protected]"
  }

You are trying to assign a service account identity to dead_letter_topic. That is incorrect.

Instead use something like this to create a topic:

resource "google_pubsub_topic" "example_dead_letter" {
  name = "example-topic-dead-letter"
}

Or this to reference an existing topic:

data "google_pubsub_topic" "example_dead_letter" {
  name = "example-topic-dead-letter"
}

and then use that resource like this:

  dead_letter_policy {
    dead_letter_topic = google_pubsub_topic.example_dead_letter.id
  }

Upvotes: 3

SeungwooLee

Reputation: 969

The Terraform document you linked says the following:

The Cloud Pub/Sub service account associated with this subscription's parent project (i.e., service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have permission to Acknowledge() messages on this subscription.

It seems that the service account you use for the dead letter policy doesn't have the appropriate permission to acknowledge messages.

According to the IAM document, it needs at least the Pub/Sub Subscriber role to acknowledge messages.

Refer here for more info about Pub/Sub roles.

Upvotes: 1
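As an added example (not code from either answer, nor from the linked Google tutorial), the following Terraform maps the gcloud command in the question onto the provider's resources. It combines John Hanley's point that dead_letter_topic must reference a topic with the Pub/Sub service-agent permissions that SeungwooLee's answer quotes, and it sets the push service account through the oidc_token block of push_config, which is the Terraform counterpart of --push-auth-service-account. The topic and subscription names, the Cloud Run service name and region, the service account id and the push_endpoint variable are placeholders chosen for illustration.

```hcl
# Added example: Terraform equivalent of the gcloud command in the question.
# Topic names, service account id, Cloud Run service name and region are
# placeholders, not values from the original post.

variable "push_endpoint" {
  description = "HTTPS URL of the Cloud Run service that receives pushes"
  type        = string
}

# The project number is needed to address the Pub/Sub service agent.
data "google_project" "project" {}

locals {
  # Pub/Sub service agent of this project, the identity quoted in the Terraform docs.
  pubsub_service_agent = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

# Identity that Pub/Sub presents to the Cloud Run endpoint on every push
# (the --push-auth-service-account value in the gcloud command).
resource "google_service_account" "pubsub_invoker" {
  account_id   = "cloud-run-pubsub-invoker"
  display_name = "Cloud Run Pub/Sub invoker"
}

# Least privilege: the invoker may only call the one Cloud Run service.
resource "google_cloud_run_service_iam_member" "invoker" {
  service  = "my-run-service" # assumed Cloud Run service name
  location = "us-central1"    # assumed region
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.pubsub_invoker.email}"
}

# Pub/Sub must be allowed to mint OIDC tokens for the invoker account.
resource "google_service_account_iam_member" "token_creator" {
  service_account_id = google_service_account.pubsub_invoker.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = local.pubsub_service_agent
}

resource "google_pubsub_topic" "my_task" {
  name = "my-task"
}

# The dead-letter destination is a topic, not a service account.
resource "google_pubsub_topic" "my_task_dead_letter" {
  name = "my-task-dead-letter"
}

resource "google_pubsub_subscription" "my_task" {
  name  = "my-task-subscription"
  topic = google_pubsub_topic.my_task.name

  ack_deadline_seconds = 20

  push_config {
    push_endpoint = var.push_endpoint

    # Terraform counterpart of --push-auth-service-account: each push carries
    # an OIDC token for this account; audience defaults to the push endpoint.
    oidc_token {
      service_account_email = google_service_account.pubsub_invoker.email
    }
  }

  dead_letter_policy {
    dead_letter_topic     = google_pubsub_topic.my_task_dead_letter.id
    max_delivery_attempts = 5
  }
}

# Permissions the Pub/Sub service agent needs for dead lettering:
# publish to the dead-letter topic ...
resource "google_pubsub_topic_iam_member" "dead_letter_publisher" {
  topic  = google_pubsub_topic.my_task_dead_letter.name
  role   = "roles/pubsub.publisher"
  member = local.pubsub_service_agent
}

# ... and acknowledge messages on the source subscription.
resource "google_pubsub_subscription_iam_member" "dead_letter_subscriber" {
  subscription = google_pubsub_subscription.my_task.name
  role         = "roles/pubsub.subscriber"
  member       = local.pubsub_service_agent
}
```

With this in place, the plan from terraform apply shows an oidc_token block under push_config instead of a bare push_endpoint, and the Cloud Run service can stay closed to unauthenticated callers because the invoker account is the only principal granted roles/run.invoker. The two IAM members on the dead-letter topic and the subscription are what the quoted sentence from the Terraform docs is asking for; without them, dead lettering is configured but silently fails to forward messages.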
