Terraform-provider-google: Add support for push-auth-service-account to pubsub_subscription

Created on 18 Oct 2019 · 1 Comment · Source: hashicorp/terraform-provider-google


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

The gcloud command-line tool has this arg --push-auth-service-account but it doesn't seem to be available in Terraform. We use this config at the moment to work around this:

resource "null_resource" "google_pubsub_subscription_xxx" {
  provisioner "local-exec" {
    command = "gcloud --project $GCP_PROJECT_ID beta pubsub subscriptions create $SUBSCRIPTION --topic=$TOPIC --expiration-period=$EXPIRATION_PERIOD --ack-deadline=$ACK_DEADLINE --push-endpoint=$PUSH_ENDPOINT --push-auth-service-account=$SERVICE_ACCOUNT --push-auth-token-audience=$OPTIONAL_AUDIENCE_OVERRIDE"
    environment = {
      ACK_DEADLINE               = 10
      EXPIRATION_PERIOD          = "never"
      GCP_PROJECT_ID             = var.project_id
      OPTIONAL_AUDIENCE_OVERRIDE = "xxx"
      PUSH_ENDPOINT              = "https://xxx.${var.env}.yyy.com/xxx/v1/queue-zzz"
      SERVICE_ACCOUNT            = "id-pubsub-push-svc@${var.project_id}.iam.gserviceaccount.com"
      SUBSCRIPTION               = "qqq"
      TOPIC                      = "ppp"
    }
  }
}

New or Affected Resource(s)

  • google_pubsub_subscription

References

https://github.com/terraform-providers/terraform-provider-google-beta/pull/1024

enhancement, size/S

Most helpful comment

So I was digging through this and was going to start working on it when I realized it has already been solved... In order to authenticate requests made from a PubSub PUSH subscription to the PUSH endpoint, you need to set the oidc_token in the push_config on the resource. You set the oidc_token.service_account_email to the email of the service account you wish to use to generate the authorization header (making sure it has permissioned subscriptions.create, subscriptions.patch and subscriptions.modifyPushConfig RPCs with the iam.serviceAccounts.actAs permission).

Using @lc-chrisbarton's example, we can update the configuration as follows:

resource "google_pubsub_subscription" "google_pubsub_subscription_xxx" {
  project = var.project_id
  name = "qqq"
  topic = "ppp"
  ack_deadline_seconds = 10
  push_config {
    push_endpoint = "https://xxx.${var.env}.yyy.com/xxx/v1/queue-zzz"
    oidc_token {
      service_account_email = "id-pubsub-push-svc@${var.project_id}.iam.gserviceaccount.com"
      audience = "xxx"
    }
  }
}

The above is equivalent to the provided command in the issue description. All functionality is supported by the provider explicitly.

You don't need to specify an audience for this field either.

This should help anyone who is experiencing difficulty setting up authentication for pubsub subscription PUSH endpoints.

I think this issue can be closed.
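Added example (not from the issue, the commenter, or the provider): the endpoint-side counterpart of the push_config above. It checks a push request's OIDC token claims against the same push_endpoint, service_account_email and optional audience, including the default where an unset audience means the push endpoint URL. Endpoint, project and email values are constructed; signature verification is assumed to have already been done by a library such as google.oauth2.id_token.verify_oauth2_token.

```python
"""Claim checks for a Pub/Sub push OIDC token against the Terraform push_config.

Added example, not from the issue or the provider. Assumes the JWT signature was
already verified with Google's public keys (e.g. google.oauth2.id_token.verify_oauth2_token);
this only compares the claims with what the push_config promises.
"""
import base64
import json
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def expected_claims(push_endpoint, service_account_email, audience=None):
    """Mirror of push_config.oidc_token: when `audience` is left unset,
    Pub/Sub uses the push endpoint URL as the token's aud claim."""
    return {"aud": audience or push_endpoint, "email": service_account_email}


def decode_payload(jwt):
    """Return the JSON payload of a compact JWT (header.payload.signature).
    Signature checking must happen upstream; this only reads the claims."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_push_token(jwt, push_endpoint, service_account_email, audience=None, now=None):
    """Return (ok, reason). Rejects a non-Google issuer, the wrong audience,
    a different service account, or an expired token."""
    want = expected_claims(push_endpoint, service_account_email, audience)
    claims = decode_payload(jwt)
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("aud") != want["aud"]:
        return False, f"audience mismatch: got {claims.get('aud')!r}, want {want['aud']!r}"
    if claims.get("email") != want["email"] or not claims.get("email_verified"):
        return False, "token not issued to the configured service account"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def make_unsigned_token(claims):
    """Constructed sample token for local testing: header.payload with an empty signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```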
