From f74599a3172e210e3ad7adc7084ae1be1e8a2df5 Mon Sep 17 00:00:00 2001
From: Caio Tavares <89272600+caiotavaresdito@users.noreply.github.com>
Date: Thu, 21 Oct 2021 10:27:35 -0400
Subject: [PATCH] Added GCS notification support (#335)

* Added GCS notification support

* fixed notification output indices

* merged vars and added more conditional validation

* Terraform linting

* Added sa_email serviceAccount variable

* Fixed bool check and use try in notification var

* Fixed typo source path example block

* Fixed assert number tftest gcs example
---
 modules/gcs/README.md    | 26 +++++++++++++++++++++-----
 modules/gcs/main.tf      | 21 +++++++++++++++++++++
 modules/gcs/outputs.tf   |  9 ++++++++-
 modules/gcs/variables.tf | 12 ++++++++++++
 4 files changed, 62 insertions(+), 6 deletions(-)

diff --git a/modules/gcs/README.md b/modules/gcs/README.md
index 3bd174b60..60de84d1d 100644
--- a/modules/gcs/README.md
+++ b/modules/gcs/README.md
@@ -1,9 +1,4 @@
 # Google Cloud Storage Module
-
-## TODO
-
-- [ ] add support for defining [notifications](https://www.terraform.io/docs/providers/google/r/storage_notification.html)
-
 ## Example
 
 ```hcl
@@ -93,6 +88,24 @@ module "bucket" {
 }
 # tftest:modules=1:resources=2
 ```
+### Minimal example with GCS notifications
+```hcl
+module "bucket-gcs-notification" {
+  source     = "./modules/gcs"
+  project_id = "myproject"
+  prefix     = "test"
+  name       = "my-bucket"
+  notification_config = {
+    enabled           = true
+    payload_format    = "JSON_API_V1"
+    sa_email          = "service-<project-number>@gs-project-accounts.iam.gserviceaccount.com" # GCS SA email must be passed or fetched from projects module.
+    topic_name        = "gcs-notification-topic"
+    event_types       = ["OBJECT_FINALIZE"]
+    custom_attributes = {}
+  }
+}
+# tftest:modules=1:resources=4
+```
 
 <!-- BEGIN TFDOC -->
 ## Variables
@@ -109,6 +122,7 @@ module "bucket" {
 | *lifecycle_rule* | Bucket lifecycle rule | <code title="object&#40;&#123;&#10;action &#61; object&#40;&#123;&#10;type &#61; string&#10;storage_class &#61; string&#10;&#125;&#41;&#10;condition &#61; object&#40;&#123;&#10;age                        &#61; number&#10;created_before             &#61; string&#10;with_state                 &#61; string&#10;matches_storage_class      &#61; list&#40;string&#41;&#10;num_newer_versions         &#61; string&#10;custom_time_before         &#61; string&#10;days_since_custom_time     &#61; string&#10;days_since_noncurrent_time &#61; string&#10;noncurrent_time_before     &#61; string&#10;&#125;&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *location* | Bucket location. | <code title="">string</code> |  | <code title="">EU</code> |
 | *logging_config* | Bucket logging configuration. | <code title="object&#40;&#123;&#10;log_bucket        &#61; string&#10;log_object_prefix &#61; string&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
+| *notification_config* | GCS Notification configuration. | <code title="object&#40;&#123;&#10;enabled           &#61; bool&#10;payload_format    &#61; string&#10;topic_name        &#61; string&#10;sa_email          &#61; string&#10;event_types       &#61; list&#40;string&#41;&#10;custom_attributes &#61; map&#40;string&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *prefix* | Prefix used to generate the bucket name. | <code title="">string</code> |  | <code title="">null</code> |
 | *retention_policy* | Bucket retention policy. | <code title="object&#40;&#123;&#10;retention_period &#61; number&#10;is_locked        &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *storage_class* | Bucket storage class. | <code title="">string</code> |  | <code title="MULTI_REGIONAL&#10;validation &#123;&#10;condition     &#61; contains&#40;&#91;&#34;STANDARD&#34;, &#34;MULTI_REGIONAL&#34;, &#34;REGIONAL&#34;, &#34;NEARLINE&#34;, &#34;COLDLINE&#34;, &#34;ARCHIVE&#34;&#93;, var.storage_class&#41;&#10;error_message &#61; &#34;Storage class must be one of STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.&#34;&#10;&#125;">...</code> |
@@ -122,5 +136,7 @@ module "bucket" {
 |---|---|:---:|
 | bucket | Bucket resource. |  |
 | name | Bucket name. |  |
+| notification | GCS Notification self link. |  |
+| topic | Topic ID used by GCS. |  |
 | url | Bucket URL. |  |
 <!-- END TFDOC -->
diff --git a/modules/gcs/main.tf b/modules/gcs/main.tf
index c3cb60db8..04491e438 100644
--- a/modules/gcs/main.tf
+++ b/modules/gcs/main.tf
@@ -20,6 +20,7 @@ locals {
     ? ""
     : join("-", [var.prefix, lower(var.location), ""])
   )
+  notification = try(var.notification_config.enabled, false)
 }
 
 resource "google_storage_bucket" "bucket" {
@@ -105,3 +106,23 @@ resource "google_storage_bucket_iam_binding" "bindings" {
   role     = each.key
   members  = each.value
 }
+
+resource "google_storage_notification" "notification" {
+  count             = local.notification ? 1 : 0
+  bucket            = google_storage_bucket.bucket.name
+  payload_format    = var.notification_config.payload_format
+  topic             = google_pubsub_topic.topic[0].id
+  event_types       = var.notification_config.event_types
+  custom_attributes = var.notification_config.custom_attributes
+}
+resource "google_pubsub_topic_iam_binding" "binding" {
+  count   = local.notification ? 1 : 0
+  topic   = google_pubsub_topic.topic[0].id
+  role    = "roles/pubsub.publisher"
+  members = ["serviceAccount:${var.notification_config.sa_email}"]
+}
+resource "google_pubsub_topic" "topic" {
+  count   = local.notification ? 1 : 0
+  project = var.project_id
+  name    = var.notification_config.topic_name
+}
\ No newline at end of file
diff --git a/modules/gcs/outputs.tf b/modules/gcs/outputs.tf
index 509d7a1ef..ce865f2b0 100644
--- a/modules/gcs/outputs.tf
+++ b/modules/gcs/outputs.tf
@@ -23,7 +23,14 @@ output "name" {
   description = "Bucket name."
   value       = google_storage_bucket.bucket.name
 }
-
+output "notification" {
+  description = "GCS Notification self link."
+  value       = local.notification == true ? google_storage_notification.notification[0].self_link : null
+}
+output "topic" {
+  description = "Topic ID used by GCS."
+  value       = local.notification == true ? google_pubsub_topic.topic[0].id : null
+}
 output "url" {
   description = "Bucket URL."
   value       = google_storage_bucket.bucket.url
diff --git a/modules/gcs/variables.tf b/modules/gcs/variables.tf
index 6433ed09a..2a50f5912 100644
--- a/modules/gcs/variables.tf
+++ b/modules/gcs/variables.tf
@@ -91,6 +91,18 @@ variable "name" {
   type        = string
 }
 
+variable "notification_config" {
+  description = "GCS Notification configuration."
+  type = object({
+    enabled           = bool
+    payload_format    = string
+    topic_name        = string
+    sa_email          = string
+    event_types       = list(string)
+    custom_attributes = map(string)
+  })
+  default = null
+}
 variable "prefix" {
   description = "Prefix used to generate the bucket name."
   type        = string