From 81b70695acfaeb8ae000791e0625ebb3762bd1f9 Mon Sep 17 00:00:00 2001
From: Simon Roberts <lyricnz@users.noreply.github.com>
Date: Wed, 25 Feb 2026 03:58:43 +1100
Subject: [PATCH] Add parameter to modules/pubsub to support
 message_storage_policy.enforce_in_transit (#3761)

Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
---
 modules/pubsub/README.md    | 11 ++++++-----
 modules/pubsub/main.tf      |  1 +
 modules/pubsub/variables.tf |  6 ++++++
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/modules/pubsub/README.md b/modules/pubsub/README.md
index f561210d0..de43c0f60 100644
--- a/modules/pubsub/README.md
+++ b/modules/pubsub/README.md
@@ -228,8 +228,8 @@ module "pubsub" {
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L49) | PubSub topic name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L54) | Project used for resources. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L55) | PubSub topic name. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L60) | Project used for resources. | <code>string</code> | ✓ |  |
 | [context](variables.tf#L17) | Context-specific interpolations. | <code title="object&#40;&#123;&#10;  custom_roles   &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  iam_principals &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  kms_keys       &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  locations      &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;  project_ids    &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam](variables-iam.tf#L17) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map&#40;object&#40;&#123;&#10;  members &#61; list&#40;string&#41;&#10;  role    &#61; string&#10;  condition &#61; optional&#40;object&#40;&#123;&#10;    expression  &#61; string&#10;    title       &#61; string&#10;    description &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
@@ -238,9 +238,10 @@ module "pubsub" {
 | [kms_key](variables.tf#L30) | KMS customer managed encryption key. | <code>string</code> |  | <code>null</code> |
 | [labels](variables.tf#L36) | Labels. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
 | [message_retention_duration](variables.tf#L43) | Minimum duration to retain a message after it is published to the topic. | <code>string</code> |  | <code>null</code> |
-| [regions](variables.tf#L59) | List of regions used to set persistence policy. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [schema](variables.tf#L66) | Topic schema. If set, all messages in this topic should follow this schema. | <code title="object&#40;&#123;&#10;  definition   &#61; string&#10;  msg_encoding &#61; optional&#40;string, &#34;ENCODING_UNSPECIFIED&#34;&#41;&#10;  schema_type  &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [subscriptions](variables.tf#L76) | Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null. | <code title="map&#40;object&#40;&#123;&#10;  ack_deadline_seconds         &#61; optional&#40;number&#41;&#10;  enable_exactly_once_delivery &#61; optional&#40;bool, false&#41;&#10;  enable_message_ordering      &#61; optional&#40;bool, false&#41;&#10;  expiration_policy_ttl        &#61; optional&#40;string&#41;&#10;  filter                       &#61; optional&#40;string&#41;&#10;  iam                          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  labels                       &#61; optional&#40;map&#40;string&#41;&#41;&#10;  message_retention_duration   &#61; optional&#40;string&#41;&#10;  retain_acked_messages        &#61; optional&#40;bool, false&#41;&#10;  bigquery &#61; optional&#40;object&#40;&#123;&#10;    table                 &#61; string&#10;    drop_unknown_fields   &#61; optional&#40;bool, false&#41;&#10;    service_account_email &#61; optional&#40;string&#41;&#10;    use_table_schema      &#61; optional&#40;bool, false&#41;&#10;    use_topic_schema      &#61; optional&#40;bool, false&#41;&#10;    write_metadata        &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  cloud_storage &#61; optional&#40;object&#40;&#123;&#10;    bucket          &#61; string&#10;    filename_prefix &#61; optional&#40;string&#41;&#10;    filename_suffix &#61; optional&#40;string&#41;&#10;    max_duration    &#61; optional&#40;string&#41;&#10;    max_bytes       &#61; optional&#40;number&#41;&#10;    avro_config &#61; optional&#40;object&#40;&#123;&#10;      write_metadata &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  dead_letter_policy &#61; optional&#40;object&#40;&#123;&#10;    topic                 &#61; string&#10;    max_delivery_attempts &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  push &#61; optional&#40;object&#40;&#123;&#10;    endpoint   &#61; string&#10;    attributes &#61; optional&#40;map&#40;string&#41;&#41;&#10;    no_wrapper &#61; optional&#40;object&#40;&#123;&#10;      write_metadata &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    oidc_token &#61; optional&#40;object&#40;&#123;&#10;      audience              &#61; optional&#40;string&#41;&#10;      service_account_email &#61; string&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  retry_policy &#61; optional&#40;object&#40;&#123;&#10;    minimum_backoff &#61; optional&#40;number&#41;&#10;    maximum_backoff &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [message_storage_enforce_in_transit](variables.tf#L49) | If true, var.regions is also used to enforce in-transit guarantees for messages. | <code>bool</code> |  | <code>null</code> |
+| [regions](variables.tf#L65) | List of regions used to set persistence policy. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [schema](variables.tf#L72) | Topic schema. If set, all messages in this topic should follow this schema. | <code title="object&#40;&#123;&#10;  definition   &#61; string&#10;  msg_encoding &#61; optional&#40;string, &#34;ENCODING_UNSPECIFIED&#34;&#41;&#10;  schema_type  &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [subscriptions](variables.tf#L82) | Topic subscriptions. Also define push configs for push subscriptions. If options is set to null subscription defaults will be used. Labels default to topic labels if set to null. | <code title="map&#40;object&#40;&#123;&#10;  ack_deadline_seconds         &#61; optional&#40;number&#41;&#10;  enable_exactly_once_delivery &#61; optional&#40;bool, false&#41;&#10;  enable_message_ordering      &#61; optional&#40;bool, false&#41;&#10;  expiration_policy_ttl        &#61; optional&#40;string&#41;&#10;  filter                       &#61; optional&#40;string&#41;&#10;  iam                          &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  labels                       &#61; optional&#40;map&#40;string&#41;&#41;&#10;  message_retention_duration   &#61; optional&#40;string&#41;&#10;  retain_acked_messages        &#61; optional&#40;bool, false&#41;&#10;  bigquery &#61; optional&#40;object&#40;&#123;&#10;    table                 &#61; string&#10;    drop_unknown_fields   &#61; optional&#40;bool, false&#41;&#10;    service_account_email &#61; optional&#40;string&#41;&#10;    use_table_schema      &#61; optional&#40;bool, false&#41;&#10;    use_topic_schema      &#61; optional&#40;bool, false&#41;&#10;    write_metadata        &#61; optional&#40;bool, false&#41;&#10;  &#125;&#41;&#41;&#10;  cloud_storage &#61; optional&#40;object&#40;&#123;&#10;    bucket          &#61; string&#10;    filename_prefix &#61; optional&#40;string&#41;&#10;    filename_suffix &#61; optional&#40;string&#41;&#10;    max_duration    &#61; optional&#40;string&#41;&#10;    max_bytes       &#61; optional&#40;number&#41;&#10;    avro_config &#61; optional&#40;object&#40;&#123;&#10;      write_metadata &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  dead_letter_policy &#61; optional&#40;object&#40;&#123;&#10;    topic                 &#61; string&#10;    max_delivery_attempts &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    role    &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  push &#61; optional&#40;object&#40;&#123;&#10;    endpoint   &#61; string&#10;    attributes &#61; optional&#40;map&#40;string&#41;&#41;&#10;    no_wrapper &#61; optional&#40;object&#40;&#123;&#10;      write_metadata &#61; optional&#40;bool, false&#41;&#10;    &#125;&#41;&#41;&#10;    oidc_token &#61; optional&#40;object&#40;&#123;&#10;      audience              &#61; optional&#40;string&#41;&#10;      service_account_email &#61; string&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  retry_policy &#61; optional&#40;object&#40;&#123;&#10;    minimum_backoff &#61; optional&#40;number&#41;&#10;    maximum_backoff &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
diff --git a/modules/pubsub/main.tf b/modules/pubsub/main.tf
index 7dde62ab1..33cd45092 100644
--- a/modules/pubsub/main.tf
+++ b/modules/pubsub/main.tf
@@ -49,6 +49,7 @@ resource "google_pubsub_topic" "default" {
       allowed_persistence_regions = [
         for v in var.regions : lookup(local.ctx.locations, v, v)
       ]
+      enforce_in_transit = var.message_storage_enforce_in_transit
     }
   }
   dynamic "schema_settings" {
diff --git a/modules/pubsub/variables.tf b/modules/pubsub/variables.tf
index d868afa23..21c50b975 100644
--- a/modules/pubsub/variables.tf
+++ b/modules/pubsub/variables.tf
@@ -46,6 +46,12 @@ variable "message_retention_duration" {
   default     = null
 }
 
+variable "message_storage_enforce_in_transit" {
+  description = "If true, var.regions is also used to enforce in-transit guarantees for messages."
+  type        = bool
+  default     = null
+}
+
 variable "name" {
   description = "PubSub topic name."
   type        = string