hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

GCP Gen2 Cloud Function Terraform Auditlog Event Arc Trigger Creating Empty PubSub Topic Error #14633

Closed gulledgecole closed 1 year ago

gulledgecole commented 1 year ago

I am trying to create an event-driven Cloud Function via gen2 terraform utilizing the auditlog event type. Essentially, I would like to trigger the function each time a GCP secret is created.

Following this: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudfunctions2_function#example-usage---cloudfunctions2-basic-auditlogs. For some reason, the cloud function is attempting to spin a pubsub topic with an empty string as its name. This fails in my org due to CMEK encryption standards. Nowhere in the code am I attempting to spin a pubsub topic, yet the resource is trying to spin one on my behalf. Auditlog type eventarc triggers do not accept

Terraform Version

Terraform v1.4.6 on windows_amd64

Affected Resource(s)

Terraform Configuration Files

resource "google_cloudfunctions2_function" "function" {
  for_each = toset(var.gcp_locations)

  location    = each.value
  project     = var.project_id
  name        = var.function_name
  description = "service-account"

  build_config {
    runtime     = "python311"
    entry_point = "entry_point"
    environment_variables = {
      HTTP_PROXY  = "xxxx0",
      HTTPS_PROXY = "xxx",
      NO_PROXY    = "grc.io,pkg.dev"
    }
    source {
      storage_source {
        bucket = google_storage_bucket.code_bucket[each.value].name
        object = google_storage_bucket_object.code_object[each.value].name
      }
    }
    worker_pool = google_cloudbuild_worker_pool.pool[each.value].id
  }

  service_config {
    max_instance_count             = 3
    min_instance_count             = 1
    available_memory               = "4Gi"
    timeout_seconds                = 60
    ingress_settings               = "ALLOW_INTERNAL_AND_GCLB"
    vpc_connector                  = var.serverless_conn[format("%s-%s", var.environment, each.value)]
    vpc_connector_egress_settings  = "PRIVATE_RANGES_ONLY"
    all_traffic_on_latest_revision = true
    service_account_email          = var.sa_email
  }
  event_trigger {
    trigger_region        = "us-east4"
    event_type            = "google.cloud.audit.log.v1.written"
    retry_policy          = "RETRY_POLICY_RETRY"
    service_account_email = google_service_account.trigger.email

    event_filters {
      attribute = "serviceName"
      value = "secretmanager.googleapis.com"
    }
  event_filters {
      attribute = "methodName"
      value     = "secretmanager.secrets.create"
    }
    event_filters {
      attribute = "resourceName"
      value = "projects/_/secrets/_"
      operator = "match-path-pattern" # This allows path patterns to be used in the value field
    }

  }

}

Debug Output

I don't have a gist, but here is the debug error.

2023-05-17T09:37:12.856-0400 [ERROR] provider.terraform-provider-google_v4.64.0_x5.exe: Response contains error diagnostic: diagnostic_summary="Error waiting to create function: Error waiting for Creating function: Error code 9, message: Creating trigger failed for projects/xxxxxxx/locations/us-east4/triggers/secret-checker-749994: generic::failed_precondition: Constraint constraints/gcp.restrictNonCmekServices violated for projects/p-a0945882-dev-cp-f6da attempting to set the kms_key_name for a Pub/Sub topic to ." tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/google tf_req_id=6c0927d7-773c-0025-79a4-422367bca582 tf_resource_type=google_cloudfunctions2_function @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_detail= diagnostic_severity=ERROR tf_rpc=ApplyResourceChange @module=sdk.proto timestamp=2023-05-17T09:37:12.835-0400
2023-05-17T09:37:12.856-0400 [TRACE] provider.terraform-provider-google_v4.64.0_x5.exe: Served request: @module=sdk.proto tf_proto_version=5.3 tf_req_id=6c0927d7-773c-0025-79a4-422367bca582 tf_resource_type=google_cloudfunctions2_function tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:831 tf_provider_addr=registry.terraform.io/hashicorp/google timestamp=2023-05-17T09:37:12.835-0400
╷
│ Error: Error waiting to create function: Error waiting for Creating function: Error code 9, message: Creating trigger failed for projects/p-a0945882-dev-cp-f6da/locations/us-east4/triggers/secret-checker-749994: generic::failed_precondition: Constraint `constraints/gcp.restrictNonCmekServices` violated for `projects/xxxx` attempting to set the kms_key_name for a Pub/Sub topic to.
│
│   with module.all_things_cp_test.google_cloudfunctions2_function.function["us-east4"],
│   on ....\modules\sa_key_strat_secret\main.tf line 142, in resource "google_cloudfunctions2_function" "function":
│  142: resource "google_cloudfunctions2_function" "function" {

Expected Behavior

Expected behavior would be to create an event arc trigger. Audit log type events do not accept pubsub as an argument.

Actual Behavior

Tried to spin a pubsub topic without an empty string as a name.

Steps to Reproduce

Create a gen2 cloud function, with an eventarc trigger of type: google.cloud.audit.log.v1.written in us-east4 region.

Important Factoids

Organization policies are enabled, thus requiring a pubsub topic to be CMEK encrypted.

References

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudfunctions2_function#example-usage---cloudfunctions2-basic-auditlogs
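The debug output above is the structured key=value format emitted by terraform-plugin-go, and the org-policy constraint that actually blocked the apply is buried inside the quoted diagnostic_summary. Below is an added example (not part of this issue or the provider) that parses such a record and surfaces the violated constraint, the affected project and the Terraform resource type, so that a CMEK-policy failure like this one can be spotted in CI logs without reading the whole line. The SAMPLE_LOG is a constructed record built from the fields quoted in the issue.

```python
import re

# Constructed sample: the [ERROR] record from the issue's debug output, reduced to the
# fields this parser uses (values are as quoted in the issue; diagnostic_detail is empty there).
SAMPLE_LOG = (
    '2023-05-17T09:37:12.856-0400 [ERROR] provider.terraform-provider-google_v4.64.0_x5.exe: '
    'Response contains error diagnostic: diagnostic_summary="Error waiting to create function: '
    'Error waiting for Creating function: Error code 9, message: Creating trigger failed for '
    'projects/xxxxxxx/locations/us-east4/triggers/secret-checker-749994: '
    'generic::failed_precondition: Constraint constraints/gcp.restrictNonCmekServices violated '
    'for projects/p-a0945882-dev-cp-f6da attempting to set the kms_key_name for a Pub/Sub topic to ." '
    'tf_proto_version=5.3 tf_provider_addr=registry.terraform.io/hashicorp/google '
    'tf_resource_type=google_cloudfunctions2_function diagnostic_detail= '
    'diagnostic_severity=ERROR tf_rpc=ApplyResourceChange'
)

# key=value fields: the value is either double-quoted (may contain spaces) or a bare token,
# and a bare token may be empty (diagnostic_detail= in the sample).
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# Org-policy violation as phrased by the API; the Terraform CLI wraps the names in backticks.
_CONSTRAINT_RE = re.compile(r'Constraint `?(constraints/[\w.]+)`? violated for `?(projects/[\w-]+)`?')


def parse_fields(record: str) -> dict:
    """Split a terraform-plugin-go log record into its key=value fields, unquoting values."""
    fields = {}
    for key, raw in _FIELD_RE.findall(record):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def org_policy_violation(record: str):
    """Return (resource_type, rpc, constraint, project) when the record is an ERROR
    diagnostic reporting an org-policy constraint violation, otherwise None."""
    fields = parse_fields(record)
    if fields.get("diagnostic_severity") != "ERROR":
        return None
    match = _CONSTRAINT_RE.search(fields.get("diagnostic_summary", ""))
    if not match:
        return None
    return (fields.get("tf_resource_type"), fields.get("tf_rpc"), match.group(1), match.group(2))


if __name__ == "__main__":
    print(org_policy_violation(SAMPLE_LOG))
```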

edwardmedia commented 1 year ago

@gulledgecole are you able to create the same function via console or gcloud? Please share the gcloud command if you can

slevenick commented 1 year ago

Closing as inactive. Feel free to reopen if you're able to answer the above question

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.