Receive events using Pub/Sub messages (Terraform)
This quickstart shows you how to use Terraform to create an Eventarc trigger that receives direct events from Pub/Sub and that routes the events to a Cloud Run service. For more information about using Terraform to create Eventarc triggers, see Create a trigger using Terraform.
In this quickstart, you will do the following:
- Prepare to deploy Terraform.
- Define a Terraform configuration that does the following:
  - Enable APIs.
  - Create a service account and grant it the necessary Identity and Access Management (IAM) roles.
  - Deploy a service to Cloud Run as an event destination.
  - Create a Pub/Sub topic as an event provider.
  - Create an Eventarc trigger.
- Apply your Terraform configuration.
- Publish a message to a Pub/Sub topic to generate an event, and view it in the Cloud Run logs.
Before you begin
Security constraints defined by your organization might prevent you from completing the following steps. For troubleshooting information, see Develop applications in a constrained Google Cloud environment.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
      gcloud init
- Create or select a Google Cloud project.
  Roles required to select or create a project:
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
  - Create a Google Cloud project:
        gcloud projects create PROJECT_ID
    Replace PROJECT_ID with a name for the Google Cloud project you are creating.
  - Select the Google Cloud project that you created:
        gcloud config set project PROJECT_ID
    Replace PROJECT_ID with your Google Cloud project name.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Cloud Resource Manager and IAM APIs:
      gcloud services enable cloudresourcemanager.googleapis.com iam.googleapis.com
  Roles required to enable APIs: To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- If you're using a local shell, then create local authentication credentials for your user account:
      gcloud auth application-default login
  You don't need to do this if you're using Cloud Shell. If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
If you are the project creator, you are granted the basic Owner role (roles/owner). By default, this Identity and Access Management (IAM) role includes the permissions necessary for full access to most Google Cloud resources and you can skip this step.
If you are not the project creator, required permissions must be granted on the project to the appropriate principal. For example, a principal can be a Google Account (for end users) or a service account (for applications and compute workloads). For more information, see the Roles and permissions page for your event destination.
Required permissions
To get the permissions that you need to complete this quickstart, ask your administrator to grant you the following IAM roles on your project:
- Cloud Run Admin (roles/run.admin)
- Eventarc Admin (roles/eventarc.admin)
- Logs View Accessor (roles/logging.viewAccessor)
- Project IAM Admin (roles/resourcemanager.projectIamAdmin)
- Pub/Sub Publisher (roles/pubsub.publisher)
- Service Account Admin (roles/iam.serviceAccountAdmin)
- Service Account User (roles/iam.serviceAccountUser)
- Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations. You might also be able to get the required permissions through custom roles or other predefined roles.
Prepare to deploy Terraform
Prepare to deploy Terraform resources by creating a Terraform configuration file. A Terraform configuration file lets you define your preferred end-state for your infrastructure using the Terraform syntax.
- If you are using a local shell, install and configure Terraform.
  Terraform is already integrated into the Cloud Shell environment and you can use Cloud Shell to deploy your Terraform resources without having to install Terraform.
- In Cloud Shell or your local shell, set the default Google Cloud project where you want to apply your Terraform configurations. You only need to run this command once per project, and you can run it in any directory:
      export GOOGLE_CLOUD_PROJECT=PROJECT_ID
  Replace PROJECT_ID with the ID of your Google Cloud project.
Note that environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module). Create a directory and create a new file within that directory:
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
The filename must have the .tf extension. For example, in this quickstart, the file is referred to as main.tf.
Define your Terraform configuration
Copy the following Terraform code snippets into your newly created main.tf file. Optionally, you can copy the code from GitHub.
Enable APIs
Terraform samples typically assume that the required APIs are enabled in your Google Cloud project. Use the following code snippet to enable the APIs needed for this quickstart:
Create a service account and configure its access
Every Eventarc trigger is associated with an IAM service account. To complete this quickstart, you must grant a user-managed service account the following IAM roles:
- Cloud Run Invoker role (roles/run.invoker)
- Pub/Sub Publisher role (roles/pubsub.publisher)
Use the following code snippet to create a dedicated service account and grant it specific IAM roles to manage events:
If you enabled the Pub/Sub service agent on or before April 8, 2021, grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the service agent.
resource "google_project_iam_member" "tokencreator" {
  project = data.google_project.project.id
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}
Deploy an event receiver to Cloud Run
Create a Cloud Run service as an event destination for the Eventarc trigger using the google_cloud_run_v2_service Terraform resource:
Create a Pub/Sub topic as an event provider
Create a Pub/Sub topic using the google_pubsub_topic Terraform resource:
Create an Eventarc trigger
Create an Eventarc trigger to listen for Pub/Sub messages using the google_eventarc_trigger Terraform resource:
Apply Terraform
Use the Terraform CLI to provision infrastructure based on the configuration file.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
- Initialize Terraform. You only need to do this once per directory.
      terraform init
  Optionally, to use the latest Google provider version, include the -upgrade option:
      terraform init -upgrade
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
      terraform plan
  Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering yes at the prompt:
      terraform apply
  Typically, you apply the entire configuration at once. However, you can also target a specific resource. For example:
      terraform apply -target="google_eventarc_trigger.default"
  After enabling the APIs, it might take a few minutes for the action to propagate and before you can deploy any further resources. If you run into an issue, try applying the Terraform configuration again.
  Wait until Terraform displays the "Apply complete!" message.
Verify the creation of resources
- Confirm that the Cloud Run service has been created:
      gcloud run services list --region us-central1
  The output should be similar to the following:
      SERVICE: hello-events
      REGION: us-central1
      URL: https://hello-events-13335919645.us-central1.run.app
      LAST DEPLOYED BY: ...
      LAST DEPLOYED AT: 2024-12-16T15:00:52.606160Z
- Confirm that the Eventarc trigger has been created:
      gcloud eventarc triggers list --location us-central1
  The output should be similar to the following:
      NAME: trigger-pubsub-cloudrun-tf
      TYPE: google.cloud.pubsub.topic.v1.messagePublished
      DESTINATION: Cloud Run service: hello-events
      ACTIVE: Yes
      LOCATION: us-central1
Generate and view a Pub/Sub topic event
You can generate an event by publishing a message to the Pub/Sub topic. The Eventarc trigger routes the message to the event receiver service deployed on Cloud Run and the service logs the event message.
- Find and set the Pub/Sub topic as an environment variable:
      gcloud config set eventarc/location us-central1
      export RUN_TOPIC=$(gcloud eventarc triggers describe trigger-pubsub-cloudrun-tf \
          --format='value(transport.pubsub.topic)')
- Publish a message to the Pub/Sub topic to generate an event:
      gcloud pubsub topics publish $RUN_TOPIC --message "Hello World!"
  The event is routed to the Cloud Run service, which logs the event message.
- To view the event-related log entries created by your service, run the following command:
      gcloud logging read 'jsonPayload.message: "Received event of type google.cloud.pubsub.topic.v1.messagePublished"'
- Look for a log entry similar to:
      jsonPayload:
        ...
        message: 'Received event of type google.cloud.pubsub.topic.v1.messagePublished. Event data: Hello World!'
You have successfully used Terraform to deploy an event receiver service to Cloud Run and create an Eventarc trigger. After generating an event from Pub/Sub, you are able to view it in the Cloud Run logs.
Clean up
When you finish the tasks that are described in this quickstart, you can avoid continued billing by deleting the resources that you created.
Remove resources previously applied with your Terraform configuration by running the following command and entering yes at the prompt:
terraform destroy
Alternatively, you can delete your Google Cloud project to avoid incurring charges. Deleting your Google Cloud project stops billing for all the resources used within that project.
Delete a Google Cloud project:
gcloud projects delete PROJECT_ID
If you plan to explore multiple tutorials and quickstarts, reusing projects can help you avoid exceeding project quota limits.