I am trying to create an event-driven Cloud Function via gen2 Terraform utilizing the audit log event type. Essentially, I would like to trigger the function each time a GCP secret is created.
Following this documentation (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudfunctions2_function#example-usage---cloudfunctions2-basic-auditlogs), my code looks as such:
```hcl
resource "google_cloudfunctions2_function" "function" {
  for_each    = toset(var.gcp_locations)
  location    = each.value
  project     = var.project_id
  name        = var.function_name
  description = "test!"

  build_config {
    runtime     = "python311"
    entry_point = "entry_point"
    environment_variables = {
      HTTP_PROXY  = "xxxx",
      HTTPS_PROXY = "xxxx",
      # Registry hosts the build must reach directly, bypassing the proxy.
      # Original read "grc.io", which is not a Google domain; "gcr.io" is intended.
      NO_PROXY = "gcr.io,pkg.dev"
    }
    source {
      storage_source {
        bucket = google_storage_bucket.code_bucket[each.value].name
        object = google_storage_bucket_object.code_object[each.value].name
      }
    }
    worker_pool = google_cloudbuild_worker_pool.pool[each.value].id
  }

  service_config {
    max_instance_count             = 3
    min_instance_count             = 1
    available_memory               = "4Gi"
    timeout_seconds                = 60
    ingress_settings               = "ALLOW_INTERNAL_AND_GCLB"
    vpc_connector                  = var.serverless_conn[format("%s-%s", var.environment, each.value)]
    vpc_connector_egress_settings  = "PRIVATE_RANGES_ONLY"
    all_traffic_on_latest_revision = true
    service_account_email          = var.sa_email
  }

  event_trigger {
    trigger_region        = "us-east4"
    event_type            = "google.cloud.audit.log.v1.written"
    retry_policy          = "RETRY_POLICY_RETRY"
    service_account_email = google_service_account.trigger.email

    # Audit-log triggers are matched on protoPayload fields of the LogEntry.
    event_filters {
      attribute = "serviceName"
      value     = "secretmanager.googleapis.com"
    }
    event_filters {
      attribute = "methodName"
      value     = "secretmanager.secrets.create"
    }
    event_filters {
      attribute = "resourceName"
      value     = "projects/_/secrets/_"
      operator  = "match-path-pattern" # This allows path patterns to be used in the value field
    }
  }
}
```
Focusing on the "event trigger" section: when I try to apply this, it appears GCP tries to create a Pub/Sub topic in the background, and we have an organization policy in place to block anything that is not CMEK-encrypted. I do not understand why GCP is trying to spin up a Pub/Sub topic named ``. This is the error message:
```
Error: Error waiting to create function: Error waiting for Creating function: Error code 9, message: Creating trigger failed for projects/<PROJECT_ID>/locations/us-east4/triggers/secret-checker-077177: generic::failed_precondition: Constraint `constraints/gcp.restrictNonCmekServices` violated for `projects/<PROJECT_ID>` attempting to set the kms_key_name for a Pub/Sub topic to ``.
```
Despite this not making any sense per the documentation, I tried to spin up the function with a CMEK-encrypted Pub/Sub topic, and then I got this error:
```
Error: Error creating function: googleapi: Error 400: Pubsub topic can only be set for events with type google.cloud.pubsub.topic.v1.messagePublished.
```
I am really confused as to why the provider would try to spin up a Pub/Sub topic, and then, when I try to add a Pub/Sub topic, it yells at me about the incorrect event type.
Any help appreciated! Thanks
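For reference, this is what the function behind the trigger above would receive and how it can consume it. It is an added example, not code from the question or from the Terraform provider: a handler for the `google.cloud.audit.log.v1.written` CloudEvent that re-checks the `serviceName` and `methodName` values from the page's `event_filters` in code, then extracts the fields a detection pipeline cares about (secret resource, principal, caller IP). The sample LogEntry is constructed for the example; the `functions_framework.cloud_event` decorator is the real Functions Framework API, made a no-op here when the package is not installed so the block runs offline.

```python
"""Handler for a 2nd-gen Cloud Function triggered by Secret Manager audit logs.

Added example: the entry point the page's Terraform (runtime python311,
entry_point = "entry_point") would deploy. Not part of the original post.
"""
import json
from typing import Any, Optional

try:
    import functions_framework
    cloud_event_handler = functions_framework.cloud_event
except ImportError:  # running locally without the Functions Framework
    def cloud_event_handler(fn):
        return fn

# Mirror of the trigger's server-side event_filters (values from the page).
# Re-checking in code is cheap defence in depth if the filters are loosened.
WATCHED_SERVICE = "secretmanager.googleapis.com"
WATCHED_METHODS = {"secretmanager.secrets.create"}


class LocalCloudEvent:
    """Minimal stand-in for the CloudEvent object the framework passes in;
    only the .data attribute is used. For local runs and tests only."""

    def __init__(self, data: Any) -> None:
        self.data = data


def parse_secret_event(log_entry: dict[str, Any]) -> Optional[dict[str, str]]:
    """Return the security-relevant fields of a Secret Manager audit LogEntry,
    or None when the entry is not a watched call (caller should ack and drop)."""
    payload = log_entry.get("protoPayload") or {}
    if payload.get("serviceName") != WATCHED_SERVICE:
        return None
    if payload.get("methodName") not in WATCHED_METHODS:
        return None

    # resourceName for a secret is projects/<number>/secrets/<id>; split defensively
    # rather than trusting the shape, since this is attacker-influenced data.
    resource = payload.get("resourceName", "")
    parts = resource.split("/")
    project = parts[1] if len(parts) >= 2 and parts[0] == "projects" else ""
    secret_id = parts[3] if len(parts) >= 4 and parts[2] == "secrets" else ""

    auth = payload.get("authenticationInfo") or {}
    meta = payload.get("requestMetadata") or {}
    return {
        "project": project,
        "secret_id": secret_id,
        "resource": resource,
        "method": payload.get("methodName", ""),
        "principal": auth.get("principalEmail", ""),
        "caller_ip": meta.get("callerIp", ""),
        "user_agent": meta.get("callerSuppliedUserAgent", ""),
        "timestamp": log_entry.get("timestamp", ""),
        "insert_id": log_entry.get("insertId", ""),
    }


@cloud_event_handler
def entry_point(cloud_event) -> str:
    """Cloud Function entry point. The framework ignores the return value;
    it is returned here so the behaviour can be checked locally."""
    data = cloud_event.data
    if isinstance(data, (bytes, str)):  # some transports deliver raw JSON
        data = json.loads(data)
    finding = parse_secret_event(data)
    if finding is None:
        return "ignored"
    # One structured line; Cloud Logging parses JSON written to stdout.
    print(json.dumps({"severity": "NOTICE", "message": "secret created", **finding}))
    return "processed"


# Constructed sample LogEntry, shaped like a Secret Manager audit log event.
SAMPLE_EVENT: dict[str, Any] = {
    "insertId": "abc123",
    "timestamp": "2024-01-01T00:00:00Z",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "secretmanager.googleapis.com",
        "methodName": "secretmanager.secrets.create",
        "resourceName": "projects/123456789012/secrets/db-password",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7",
                            "callerSuppliedUserAgent": "gcloud"},
    },
}

if __name__ == "__main__":
    print(entry_point(LocalCloudEvent(SAMPLE_EVENT)))
```

The server-side `event_filters` only decide which log entries are delivered; the handler still validates `serviceName` and `methodName` before parsing, and treats `resourceName` as untrusted input when splitting it. If the real `methodName` in your audit logs differs from the filter value used on the page, the handler will drop the event, which is the place to confirm the filter against an actual LogEntry.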
This is because, when using this event type, GCP actually spins up a Pub/Sub topic on your behalf. As a result of this, I am unable to encrypt it with my company's CMEK key.
Simply put, this is not possible to do with this org policy in place.