Create a trigger using Terraform

Cloud Run

Using Cloud Shell, deploy your resources with Terraform to create Eventarc triggers.

1. Enable the APIs

Use the following code to enable the required APIs:

# Enable Cloud Run API
resource "google_project_service" "run" {
  service            = "run.googleapis.com"
  disable_on_destroy = false
}

# Enable Eventarc API
resource "google_project_service" "eventarc" {
  service            = "eventarc.googleapis.com"
  disable_on_destroy = false
}

# Enable Pub/Sub API
resource "google_project_service" "pubsub" {
  service            = "pubsub.googleapis.com"
  disable_on_destroy = false
}

2. Create a service account and configure IAM

Use the following code to create a dedicated service account and IAM roles:

# Used to retrieve project information later
data "google_project" "project" {}

# Create a dedicated service account
resource "google_service_account" "eventarc" {
  account_id   = "eventarc-trigger-sa"
  display_name = "Eventarc Trigger Service Account"
}

# Grant permission to receive Eventarc events
resource "google_project_iam_member" "eventreceiver" {
  project = data.google_project.project.id
  role    = "roles/eventarc.eventReceiver"
  member  = "serviceAccount:${google_service_account.eventarc.email}"
}

# Grant permission to invoke Cloud Run services
resource "google_project_iam_member" "runinvoker" {
  project = data.google_project.project.id
  role    = "roles/run.invoker"
  member  = "serviceAccount:${google_service_account.eventarc.email}"
}

If you enabled the Pub/Sub service agent on or before April 8, 2021, grant the iam.serviceAccountTokenCreator role to the service agent:

resource "google_project_iam_member" "tokencreator" {
   project  = data.google_project.project.id
   role     = "roles/iam.serviceAccountTokenCreator"
   member   = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

3. Create a Cloud Storage bucket as an event provider

Use the following code to create a Cloud Storage bucket, with Eventarc related permissions:

# Cloud Storage bucket names must be globally unique
resource "random_id" "bucket_name_suffix" {
  byte_length = 4
}

# Create a Cloud Storage bucket
resource "google_storage_bucket" "default" {
  name          = "trigger-cloudrun-${data.google_project.project.name}-${random_id.bucket_name_suffix.hex}"
  location      = google_cloud_run_v2_service.default.location
  force_destroy = true

  uniform_bucket_level_access = true
}

# Grant the Cloud Storage service account permission to publish pub/sub topics
data "google_storage_project_service_account" "gcs_account" {}
resource "google_project_iam_member" "pubsubpublisher" {
  project = data.google_project.project.id
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
}

4. Define a Cloud Run service as an event target

Create a Cloud Run service as an event destination for the trigger. Use the google_cloud_run_v2_service resource to define a Cloud Run service:

# Deploy Cloud Run service
resource "google_cloud_run_v2_service" "default" {
  name     = "hello-events"
  location = "us-central1"

  deletion_protection = false # set to "true" in production

  template {
    containers {
      # This container will log received events
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
    service_account = google_service_account.eventarc.email
  }

  depends_on = [google_project_service.run]
}

5. Define an Eventarc trigger

An Eventarc trigger connects the event provider to an event destination. Use the google_eventarc_trigger resource to define the Cloud Storage direct event provider, sending to a Cloud Run destination.

You can define multiple matching_criteria with CloudEvents attributes supported by Eventarc that act like the event-filters you specify when you create a trigger. For more information, follow the instructions when creating a trigger for a specific provider, event type, and Cloud Run destination. Events that match all the filters are sent to the destination.

# Create an Eventarc trigger, routing Cloud Storage events to Cloud Run
resource "google_eventarc_trigger" "default" {
  name     = "trigger-storage-cloudrun-tf"
  location = google_cloud_run_v2_service.default.location

  # Capture objects changed in the bucket
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.storage.object.v1.finalized"
  }
  matching_criteria {
    attribute = "bucket"
    value     = google_storage_bucket.default.name
  }

  # Send events to Cloud Run
  destination {
    cloud_run_service {
      service = google_cloud_run_v2_service.default.name
      region  = google_cloud_run_v2_service.default.location
    }
  }

  service_account = google_service_account.eventarc.email
  depends_on = [
    google_project_service.eventarc,
    google_project_iam_member.pubsubpublisher
  ]
}

6. Apply the changes

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

1. Launch Cloud Shell.

2. Set the default Google Cloud project where you want to apply your Terraform configurations.

   You only need to run this command once per project, and you can run it in any directory.

   export GOOGLE_CLOUD_PROJECT=PROJECT_ID

   Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (also called a root module).

1. In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension—for example main.tf. In this tutorial, the file is referred to as main.tf.

   mkdir DIRECTORY && cd DIRECTORY && touch main.tf

2. If you are following a tutorial, you can copy the sample code in each section or step.

   Copy the sample code into the newly created main.tf.

   Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.

3. Review and modify the sample parameters to apply to your environment.
4. Save your changes.
5. Initialize Terraform. You only need to do this once per directory.

   terraform init

   Optionally, to use the latest Google provider version, include the -upgrade option:

   terraform init -upgrade

Apply the changes

1. Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:

   terraform plan

   Make corrections to the configuration as necessary.

2. Apply the Terraform configuration by running the following command and entering yes at the prompt:

   terraform apply

   Wait until Terraform displays the "Apply complete!" message.

3. Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

7. Verify the creation of resources

To confirm the service has been created:

gcloud run services list --region us-central1

To confirm the trigger has been created:

gcloud eventarc triggers list --location us-central1

The output should be similar to the following:

NAME: trigger-storage-cloudrun-tf
TYPE: google.cloud.storage.object.v1.finalized
DESTINATION: Cloud Run service: hello-events
ACTIVE: Yes
LOCATION: us-central1

GKE

Using Cloud Shell, deploy your resources with Terraform to create Eventarc triggers.

The Eventarc trigger requires a Google Kubernetes Engine service. To simplify this tutorial, you will configure this service outside of Terraform, in between applying Terraform configurations.

1. Create a GKE cluster

Use the following code to enable the required APIs:

# Enable GKE API
resource "google_project_service" "container" {
  service            = "container.googleapis.com"
  disable_on_destroy = false
}

# Enable Eventarc API
resource "google_project_service" "eventarc" {
  service            = "eventarc.googleapis.com"
  disable_on_destroy = false
}

# Enable Pub/Sub API
resource "google_project_service" "pubsub" {
  service            = "pubsub.googleapis.com"
  disable_on_destroy = false
}

Use the following code to create a GKE cluster:

# Create an auto-pilot GKE cluster
resource "google_container_cluster" "gke_cluster" {
  name     = "eventarc-cluster"
  location = "us-central1"

  enable_autopilot = true

  depends_on = [
    google_project_service.container
  ]
}

2. Apply the changes

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

1. Launch Cloud Shell.

2. Set the default Google Cloud project where you want to apply your Terraform configurations.

   You only need to run this command once per project, and you can run it in any directory.

   export GOOGLE_CLOUD_PROJECT=PROJECT_ID

   Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (also called a root module).

1. In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension—for example main.tf. In this tutorial, the file is referred to as main.tf.

   mkdir DIRECTORY && cd DIRECTORY && touch main.tf

2. If you are following a tutorial, you can copy the sample code in each section or step.

   Copy the sample code into the newly created main.tf.

   Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.

3. Review and modify the sample parameters to apply to your environment.
4. Save your changes.
5. Initialize Terraform. You only need to do this once per directory.

   terraform init

   Optionally, to use the latest Google provider version, include the -upgrade option:

   terraform init -upgrade

Apply the changes

1. Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:

   terraform plan

   Make corrections to the configuration as necessary.

2. Apply the Terraform configuration by running the following command and entering yes at the prompt:

   terraform apply

   Wait until Terraform displays the "Apply complete!" message.

3. Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

3. Configure GKE

Deploy a Kubernetes service on GKE that will receive HTTP requests and log events by using a prebuilt Cloud Run image, us-docker.pkg.dev/cloudrun/container/hello:

1. Get authentication credentials to interact with the cluster:

   gcloud container clusters get-credentials eventarc-cluster \
      --region=us-central1
   

2. Create a deployment named hello-gke:

   kubectl create deployment hello-gke \
      --image=us-docker.pkg.dev/cloudrun/container/hello
   

3. Expose the deployment as a Kubernetes service:x

   kubectl expose deployment hello-gke \
      --type ClusterIP --port 80 --target-port 8080
   

4. Make sure the pod is running:

   kubectl get pods
   

   The output should be similar to the following:

   NAME                        READY   STATUS
   hello-gke-df6469d4b-5vv22   1/1     Running
   

   If the STATUS is Pending, the pod is deploying. Wait a minute for the deployment to complete, and check the status again.

5. Make sure the service is running:

   kubectl get svc
   

   The output should be similar to the following:

   NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
   hello-gke    ClusterIP   34.118.226.144   <none>        80/TCP
   kubernetes   ClusterIP   34.118.224.1     <none>        443/TCP
   

4. Create and configure Eventarc

Use the following configuration to set up a service account, and grant it specific roles for Eventarc to manage events for GKE.

# Create a service account to be used by GKE trigger
resource "google_service_account" "eventarc_gke_trigger_sa" {
  account_id   = "eventarc-gke-trigger-sa"
  display_name = "Evenarc GKE Trigger Service Account"
}

# Grant permission to receive Eventarc events
resource "google_project_iam_member" "eventreceiver" {
  project = data.google_project.project.id
  role    = "roles/eventarc.eventReceiver"
  member  = "serviceAccount:${google_service_account.eventarc_gke_trigger_sa.email}"
}

# Grant permission to subscribe to Pub/Sub topics
resource "google_project_iam_member" "pubsubscriber" {
  project = data.google_project.project.id
  role    = "roles/pubsub.subscriber"
  member  = "serviceAccount:${google_service_account.eventarc_gke_trigger_sa.email}"
}

Use the following code to create a Cloud Storage bucket, with Eventarc related permissions:

# Cloud Storage bucket names must be globally unique
resource "random_id" "bucket_name_suffix" {
  byte_length = 4
}

# Create a Cloud Storage bucket
resource "google_storage_bucket" "default" {
  name          = "trigger-gke-${data.google_project.project.name}-${random_id.bucket_name_suffix.hex}"
  location      = "us-central1"
  force_destroy = true

  uniform_bucket_level_access = true
}

# Grant the Cloud Storage service account permission to publish pub/sub topics
data "google_storage_project_service_account" "gcs_account" {}
resource "google_project_iam_member" "pubsubpublisher" {
  project = data.google_project.project.id
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
}

Use the following configuration to enable the required APIs and initialize Eventarc GKE destination services:

# Used to retrieve project_number later
data "google_project" "project" {}

# Enable Eventarc to manage GKE clusters
# This is usually done with: gcloud eventarc gke-destinations init
#
# Eventarc creates a separate Event Forwarder pod for each trigger targeting a
# GKE service, and  requires explicit permissions to make changes to the
# cluster. This is done by granting permissions to a special service account
# (the Eventarc P4SA) to manage resources in the cluster. This needs to be done
# once per Google Cloud project.

# This identity is created with: gcloud beta services identity create --service eventarc.googleapis.com
# This local variable is used for convenience
locals {
  eventarc_sa = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-eventarc.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "computeViewer" {
  project = data.google_project.project.id
  role    = "roles/compute.viewer"
  member  = local.eventarc_sa
}

resource "google_project_iam_member" "containerDeveloper" {
  project = data.google_project.project.id
  role    = "roles/container.developer"
  member  = local.eventarc_sa
}

resource "google_project_iam_member" "serviceAccountAdmin" {
  project = data.google_project.project.id
  role    = "roles/iam.serviceAccountAdmin"
  member  = local.eventarc_sa
}

Create an Eventarc trigger that routes Pub/Sub events to the hello-gke GKE service.

You can define multiple matching_criteria with CloudEvents attributes supported by Eventarc that act like the event-filters you specify when you create a trigger. For more information, follow the instructions when creating a trigger for a specific provider, event type, and GKE destination. Events that match all the filters are sent to the destination.

# Create an Eventarc trigger, routing Storage events to GKE
resource "google_eventarc_trigger" "default" {
  name     = "trigger-storage-gke-tf"
  location = "us-central1"

  # Capture objects changed in the bucket
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.storage.object.v1.finalized"
  }
  matching_criteria {
    attribute = "bucket"
    value     = google_storage_bucket.default.name
  }

  # Send events to GKE service
  destination {
    gke {
      cluster   = "eventarc-cluster"
      location  = "us-central1"
      namespace = "default"
      path      = "/"
      service   = "hello-gke"
    }
  }

  service_account = google_service_account.eventarc_gke_trigger_sa.email
}

5. Apply the additional changes

To apply the additional Terraform configuration in a Google Cloud project, complete the following steps:

1. Create the Eventarc identity account:

   gcloud beta services identity create --service eventarc.googleapis.com
   

2. Add the new Terraform code from the previous step to your existing main.tf file.

3. Apply the updated Terraform configurations:

   terraform plan
   terraform apply
   

   Wait until Terraform displays the "Apply complete!" message.

4. Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

Workflows

Using Cloud Shell, deploy your resources with Terraform to create a workflow and an Eventarc trigger.

1. Enable the APIs

Use the following code to enable the required APIs:

# Enable Eventarc API
resource "google_project_service" "eventarc" {
  service            = "eventarc.googleapis.com"
  disable_on_destroy = false
}

# Enable Workflows API
resource "google_project_service" "workflows" {
  service            = "workflows.googleapis.com"
  disable_on_destroy = false
}

# Enable Pub/Sub API
resource "google_project_service" "pubsub" {
  service            = "pubsub.googleapis.com"
  disable_on_destroy = false
}

2. Create a service account and configure IAM

Use the following code to create a dedicated service account and add IAM roles:

# Used to retrieve project information later
data "google_project" "project" {}

# Create a service account for Eventarc trigger and Workflows
resource "google_service_account" "eventarc" {
  account_id   = "eventarc-workflows-sa"
  display_name = "Eventarc Workflows Service Account"
}

# Grant permission to invoke workflows
resource "google_project_iam_member" "workflowsinvoker" {
  project = data.google_project.project.id
  role    = "roles/workflows.invoker"
  member  = "serviceAccount:${google_service_account.eventarc.email}"
}

# Grant permission to receive events
resource "google_project_iam_member" "eventreceiver" {
  project = data.google_project.project.id
  role    = "roles/eventarc.eventReceiver"
  member  = "serviceAccount:${google_service_account.eventarc.email}"
}

If you enabled the Pub/Sub service agent on or before April 8, 2021, grant the iam.serviceAccountTokenCreator role to the service agent:

resource "google_project_iam_member" "tokencreator" {
   project  = data.google_project.project.id
   role     = "roles/iam.serviceAccountTokenCreator"
   member   = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

3. Create a Cloud Storage bucket as an event provider

Use the following code to create a Cloud Storage bucket, with Eventarc related permissions:

# Cloud Storage bucket names must be globally unique
resource "random_id" "bucket_name_suffix" {
  byte_length = 4
}

# Create a Cloud Storage bucket
resource "google_storage_bucket" "default" {
  name          = "trigger-workflows-${data.google_project.project.name}-${random_id.bucket_name_suffix.hex}"
  location      = google_workflows_workflow.default.region
  force_destroy = true

  uniform_bucket_level_access = true
}

# Grant the Cloud Storage service account permission to publish Pub/Sub topics
data "google_storage_project_service_account" "gcs_account" {}
resource "google_project_iam_member" "pubsubpublisher" {
  project = data.google_project.project.id
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
}

4. Create and deploy a workflow

Define and deploy a workflow that gets executed when an object is updated in the created bucket:

# Create a workflow
resource "google_workflows_workflow" "default" {
  name        = "storage-workflow-tf"
  region      = "us-central1"
  description = "Workflow that returns information about storage events"

  # Note that $$ is needed for Terraform
  source_contents = <<EOF
  main:
    params: [event]
    steps:
      - log_event:
          call: sys.log
          args:
            text: $${event}
            severity: INFO
      - gather_data:
          assign:
            - bucket: $${event.data.bucket}
            - name: $${event.data.name}
            - message: $${"Received event " + event.type + " - " + bucket + ", " + name}
      - return_data:
          return: $${message}
  EOF

  depends_on = [
    google_project_service.workflows
  ]
}

5. Create an Eventarc trigger

Create an Eventarc trigger that routes direct events on the created bucket to Workflows. Use the google_eventarc_trigger resource to define the Eventarc trigger resource.

You can define multiple matching_criteria with CloudEvents attributes supported by Eventarc that act like the event-filters you specify when you create a trigger. For more information, follow the instructions when creating a trigger for a specific provider, event type, and Workflows destination.

Events that match all the filters are sent to the destination.

# Create an Eventarc trigger, routing Cloud Storage events to Workflows
resource "google_eventarc_trigger" "default" {
  name     = "trigger-storage-workflows-tf"
  location = google_workflows_workflow.default.region

  # Capture objects changed in the bucket
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.storage.object.v1.finalized"
  }
  matching_criteria {
    attribute = "bucket"
    value     = google_storage_bucket.default.name
  }

  # Send events to Workflows
  destination {
    workflow = google_workflows_workflow.default.id
  }

  service_account = google_service_account.eventarc.email

  depends_on = [
    google_project_service.eventarc,
    google_project_service.workflows,
  ]
}

6. Apply the changes

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

1. Launch Cloud Shell.

2. Set the default Google Cloud project where you want to apply your Terraform configurations.

   You only need to run this command once per project, and you can run it in any directory.

   export GOOGLE_CLOUD_PROJECT=PROJECT_ID

   Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (also called a root module).

1. In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension—for example main.tf. In this tutorial, the file is referred to as main.tf.

   mkdir DIRECTORY && cd DIRECTORY && touch main.tf

2. If you are following a tutorial, you can copy the sample code in each section or step.

   Copy the sample code into the newly created main.tf.

   Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.

3. Review and modify the sample parameters to apply to your environment.
4. Save your changes.
5. Initialize Terraform. You only need to do this once per directory.

   terraform init

   Optionally, to use the latest Google provider version, include the -upgrade option:

   terraform init -upgrade

Apply the changes

1. Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:

   terraform plan

   Make corrections to the configuration as necessary.

2. Apply the Terraform configuration by running the following command and entering yes at the prompt:

   terraform apply

   Wait until Terraform displays the "Apply complete!" message.

3. Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

7. Verify the creation of the workflow

To verify that the workflow is created, run:

gcloud workflows list --location us-central1

8. Verify the creation of the Eventarc trigger

To verify that the Eventarc trigger is created, run:

gcloud eventarc triggers list --location us-central1

The output should be similar to the following:

NAME: trigger-storage-workflows-tf
TYPE: google.cloud.storage.object.v1.finalized
DESTINATION: Workflows: storage-workflow-tf
ACTIVE: Yes
LOCATION: us-central1

Cloud Run

1. To generate an event:

   Upload a text file to Cloud Storage:

   echo "Hello World" > random.txt
   gcloud storage cp random.txt gs://trigger-cloudrun-PROJECT_ID/random.txt
   

   The upload generates an event and the Cloud Run service logs the event's message.

2. To verify that an event is received:

   1. View the event-related log entries created by your service:

   gcloud logging read "resource.type=cloud_run_revision \
       AND resource.labels.service_name=hello-events"
   

   Alternatively, open the Google Cloud console, navigate to the Cloud Run resource, and view the logs.

   1. Look for a log entry similar to the following:

   Received event of type google.cloud.storage.object.v1.finalized.
   Event data: { "kind": "storage#object", "id": "trigger-cloudrun-PROJECT_ID/random.txt", ...}
   

GKE

1. To generate an event:

   Upload a text file to Cloud Storage:

   echo "Hello World" > random.txt
   gcloud storage cp random.txt gs://trigger-gke-PROJECT_ID/random.txt
   

   The upload generates an event and the Cloud Run service logs the event's message.

2. To verify that an event is received:

   1. Find the pod ID:

      POD_NAME=$(kubectl get pods -o custom-columns=":metadata.name" --no-headers)
      

      This command uses kubectl's formatted output.

   2. Check the logs of the pod:

      kubectl logs $POD_NAME
      

   3. Look for a log entry similar to the following:

      {"severity":"INFO","eventType":"google.cloud.pubsub.topic.v1.messagePublished",
      "message":"Received event of type google.cloud.pubsub.topic.v1.messagePublished.", [...]}
      

Workflows

1. To generate an event:

   Upload a text file to Cloud Storage:

   echo "Hello World" > random.txt
   gcloud storage cp random.txt gs://trigger-workflows-PROJECT_ID/random.txt
   

   The upload generates an event and the Cloud Run service logs the event's message.

2. To verify that an event is received:

   1. Verify that a workflows execution is triggered by listing the last five executions:

      gcloud workflows executions list storage-workflow-tf --limit=5
      

      The output should include a list of executions with a NAME, START_TIME, END_TIME, and STATUS.

   2. Get the results for the most recent execution:

      EXECUTION_NAME=$(gcloud workflows executions list storage-workflow-tf --limit=1 --format "value(name)")
      gcloud workflows executions describe $EXECUTION_NAME
      

   3. Confirm the output is similar to the following:

      ...
      result: '"Received event google.cloud.storage.object.v1.finalized - trigger-workflows-PROJECT_ID, random.txt"'
      state: SUCCEEDED
      ...
      

      Look for the state: SUCCEEDED and result: "Received event" in the workflows output.