I can create a new pub/sub topic in my templates and a new service account.
I can see how to give that service account project wide pub/sub access: https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources
Also, that example seems to be using a different resource type. This is my template:

```yaml
resources:
- name: "mytopic"
  type: gcp-types/pubsub-v1:projects.topics
  #type: pubsub-v1ubsub.v1.topic
  properties:
    topic: "mytopic"
    labels:
      my-label: mytopic
```
I'm using `gcp-types/pubsub-v1:projects.topics`. When I switch to `pubsub-v1ubsub.v1.topic` I get:

```
- code: RESOURCE_NOT_FOUND
  message: The type [pubsub-v1ubsub.v1.topic] was not found.
```
If I try to add `accessControl` to `gcp-types/pubsub-v1:projects.topics` I get:

```
- code: RESOURCE_ERROR
  location: /deployments/mydeployment/resources/mytopic
  message: '{"ResourceType":"gcp-types/pubsub-v1:projects.topics","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not
    Found","requestPath":"https://pubsub.googleapis.com/v1/:setIamPolicy","httpMethod":"POST"}}'
```
I want to create a new topic, new service account, and give that service account access to that specific topic only.
Is this possible in deployment manager?
This is the full template with `accessControl`:

```yaml
resources:
- name: "mytopic"
  type: gcp-types/pubsub-v1:projects.topics
  #type: pubsub-v1ubsub.v1.topic
  properties:
    topic: "mytopic"
    labels:
      label: "sdfsdfsdf"
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/pubsub.editor
        members:
        - "serviceAccount:[email protected]"
      - role: roles/pubsub.publisher
        members:
        - "serviceAccount:[email protected]"
```
Edit
I think I got this working, but now I have a question about dependencies. Do I need to declare that the ACL resource is dependent on the pub/sub resource, or is this unnecessary? If I don't include it, it works, but I want to confirm that it won't ever fail and try to deploy the ACL first or something.
(Google could do with adding a complete example to their docs - it would go a long way to make them much more accessible).
```yaml
resources:
- name: "mytopic"
  type: gcp-types/pubsub-v1:projects.topics
  properties:
    topic: "mytopic"
- name: "mytopic-permissions"
  type: pubsub.v1.topic
  properties:
    topic: "mytopic"
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/pubsub.editor
        members:
        - "serviceAccount:[email protected]"
      - role: roles/pubsub.publisher
        members:
        - "serviceAccount:[email protected]"
  # Do I need this? If I don't have it, deploys still seem to work
  metadata:
    dependsOn:
    - "mytopic"
```
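Added example, not part of the question above: a single Deployment Manager template that creates the service account and the topic in one deployment and grants `roles/pubsub.publisher` on that one topic only, with the member taken from a `$(ref.)` to the new service account rather than a hard-coded address. The resource names, the `accountId` and the `displayName` are placeholders chosen for this example; the topic-level `accessControl` on the legacy `pubsub.v1.topic` type is the same mechanism the last template in the question relies on, and the project-wide grant from the linked docs page is deliberately not used.

```yaml
# Added example (not the poster's template). Placeholder values:
# the resource names, accountId "topic-publisher" and the displayName.
resources:
# A dedicated service account whose only purpose is publishing to mytopic.
- name: topic-publisher-sa
  type: iam.v1.serviceAccount
  properties:
    accountId: topic-publisher          # becomes topic-publisher@PROJECT.iam.gserviceaccount.com
    displayName: Publisher for mytopic

# The topic, created with the legacy pubsub.v1.topic type because that type
# accepts accessControl (the gcp-types base type 404s on setIamPolicy, as the
# error in the question shows). The IAM policy is attached to this topic only,
# so the account gets no project-wide Pub/Sub role.
- name: mytopic
  type: pubsub.v1.topic
  properties:
    topic: mytopic
  accessControl:
    gcpIamPolicy:
      bindings:
      - role: roles/pubsub.publisher    # least privilege: publish only, no editor role
        members:
        # $(ref.) to the service account's email output; this reference is
        # also what makes Deployment Manager create the account before the topic.
        - serviceAccount:$(ref.topic-publisher-sa.email)
```

Deploy with `gcloud deployment-manager deployments create mydeployment --config topic.yaml`. Because the binding references `$(ref.topic-publisher-sa.email)`, Deployment Manager orders the service account before the topic on its own; an explicit `metadata.dependsOn` is only needed when a resource must wait for another one it does not reference anywhere in its own definition, which is the situation in the two-resource template above.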