Add AwsMsk & ConfluentCloud to 'google_pubsub_topic' (#12765)

Co-authored-by: Nick Elliot <[email protected]>

Author: andreajialee

mmv1/products/pubsub/Topic.yaml

@@ -91,6 +91,14 @@ examples:
     primary_resource_id: 'example'
     vars:
       topic_name: 'example-topic'
+  - name: 'pubsub_topic_ingestion_aws_msk'
+    primary_resource_id: 'example'
+    vars:
+      topic_name: 'example-topic'
+  - name: 'pubsub_topic_ingestion_confluent_cloud'
+    primary_resource_id: 'example'
+    vars:
+      topic_name: 'example-topic'
 parameters:
 properties:
   - name: 'name'
@@ -186,6 +194,8 @@ properties:
           - 'aws_kinesis'
           - 'cloud_storage'
           - 'azure_event_hubs'
+          - 'aws_msk'
+          - 'confluent_cloud'
         properties:
           - name: 'streamArn'
             type: String
@@ -221,6 +231,8 @@ properties:
           - 'aws_kinesis'
           - 'cloud_storage'
           - 'azure_event_hubs'
+          - 'aws_msk'
+          - 'confluent_cloud'
         properties:
           - name: 'bucket'
             type: String
@@ -320,6 +332,8 @@ properties:
           - 'aws_kinesis'
           - 'cloud_storage'
           - 'azure_event_hubs'
+          - 'aws_msk'
+          - 'confluent_cloud'
         properties:
           - name: 'resourceGroup'
             type: String
@@ -351,3 +365,75 @@ properties:
               The GCP service account to be used for Federated Identity authentication
               with Azure (via a `AssumeRoleWithWebIdentity` call for the provided
               role).
+      - name: 'awsMsk'
+        type: NestedObject
+        description: |
+          Settings for ingestion from Amazon Managed Streaming for Apache Kafka.
+        conflicts:
+          - 'aws_kinesis'
+          - 'cloud_storage'
+          - 'azure_event_hubs'
+          - 'aws_msk'
+          - 'confluent_cloud'
+        properties:
+          - name: 'clusterArn'
+            type: String
+            description: |
+              ARN that uniquely identifies the MSK cluster.
+            required: true
+          - name: 'topic'
+            type: String
+            description: |
+              The name of the MSK topic that Pub/Sub will import from.
+            required: true
+          - name: 'awsRoleArn'
+            type: String
+            description: |
+              AWS role ARN to be used for Federated Identity authentication with
+              MSK. Check the Pub/Sub docs for how to set up this role and the
+              required permissions that need to be attached to it.
+            required: true
+          - name: 'gcpServiceAccount'
+            type: String
+            description: |
+              The GCP service account to be used for Federated Identity authentication
+              with MSK (via a `AssumeRoleWithWebIdentity` call for the provided
+              role). The `awsRoleArn` must be set up with `accounts.google.com:sub`
+              equals to this service account number.
+            required: true
+      - name: 'confluentCloud'
+        type: NestedObject
+        description: |
+          Settings for ingestion from Confluent Cloud.
+        conflicts:
+          - 'aws_kinesis'
+          - 'cloud_storage'
+          - 'azure_event_hubs'
+          - 'aws_msk'
+          - 'confluent_cloud'
+        properties:
+          - name: 'bootstrapServer'
+            type: String
+            description: |
+              The Confluent Cloud bootstrap server. The format is url:port.
+            required: true
+          - name: 'clusterId'
+            type: String
+            description: |
+              The Confluent Cloud cluster ID.
+          - name: 'topic'
+            type: String
+            description: |
+              Name of the Confluent Cloud topic that Pub/Sub will import from.
+            required: true
+          - name: 'identityPoolId'
+            type: String
+            description: |
+              Identity pool ID to be used for Federated Identity authentication with Confluent Cloud.
+            required: true
+          - name: 'gcpServiceAccount'
+            type: String
+            description: |
+              The GCP service account to be used for Federated Identity authentication
+              with Confluent Cloud.
+            required: true

mmv1/templates/terraform/examples/pubsub_topic_ingestion_aws_msk.tf.tmpl

@@ -0,0 +1,13 @@
+resource "google_pubsub_topic" "{{$.PrimaryResourceId}}" {
+  name = "{{index $.Vars "topic_name"}}"
+
+  # Outside of automated terraform-provider-google CI tests, these values must be of actual AWS resources for the test to pass.
+  ingestion_data_source_settings {
+    aws_msk {
+        cluster_arn = "arn:aws:kinesis:us-west-2:111111111111:stream/fake-stream-name"
+        topic = "test-topic"
+        aws_role_arn = "arn:aws:iam::111111111111:role/fake-role-name"
+        gcp_service_account = "[email protected]"
+    }
+  }
+}

mmv1/templates/terraform/examples/pubsub_topic_ingestion_confluent_cloud.tf.tmpl

@@ -0,0 +1,14 @@
+resource "google_pubsub_topic" "{{$.PrimaryResourceId}}" {
+  name = "{{index $.Vars "topic_name"}}"
+
+  # Outside of automated terraform-provider-google CI tests, these values must be of actual Confluent Cloud resources for the test to pass.
+  ingestion_data_source_settings {
+    confluent_cloud {
+        bootstrap_server = "test.us-west2.gcp.confluent.cloud:1111"
+        cluster_id = "1234"
+        topic = "test-topic"
+        identity_pool_id = "test-identity-pool-id"
+        gcp_service_account = "[email protected]"
+    }
+  }
+}

mmv1/third_party/terraform/services/pubsub/resource_pubsub_topic_test.go

@@ -445,3 +445,141 @@ resource "google_pubsub_topic" "foo" {
 }
 `, topic)
 }
+
+func TestAccPubsubTopic_awsMskIngestionUpdate(t *testing.T) {
+	t.Parallel()
+
+	topic := fmt.Sprintf("tf-test-topic-%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckPubsubTopicDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPubsubTopic_updateWithAwsMskIngestionSettings(topic),
+			},
+			{
+				ResourceName:      "google_pubsub_topic.foo",
+				ImportStateId:     topic,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccPubsubTopic_updateWithUpdatedAwsMskIngestionSettings(topic),
+			},
+			{
+				ResourceName:      "google_pubsub_topic.foo",
+				ImportStateId:     topic,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccPubsubTopic_updateWithAwsMskIngestionSettings(topic string) string {
+	return fmt.Sprintf(`
+resource "google_pubsub_topic" "foo" {
+  name = "%s"
+
+  # Outside of automated terraform-provider-google CI tests, these values must be of actual Cloud Storage resources for the test to pass.
+  ingestion_data_source_settings {
+  	aws_msk {
+		cluster_arn = "arn:aws:kinesis:us-west-2:111111111111:stream/fake-stream-name"
+		topic = "test-topic"
+		aws_role_arn = "arn:aws:iam::111111111111:role/fake-role-name"
+		gcp_service_account = "[email protected]"
+    }
+  }
+}
+`, topic)
+}
+
+func testAccPubsubTopic_updateWithUpdatedAwsMskIngestionSettings(topic string) string {
+	return fmt.Sprintf(`
+resource "google_pubsub_topic" "foo" {
+  name = "%s"
+
+  # Outside of automated terraform-provider-google CI tests, these values must be of actual Cloud Storage resources for the test to pass.
+  ingestion_data_source_settings {
+  	aws_msk {
+		cluster_arn = "arn:aws:kinesis:us-west-2:111111111111:stream/fake-stream-name"
+		topic = "test-topic"
+		aws_role_arn = "arn:aws:iam::111111111111:role/fake-role-name"
+		gcp_service_account = "updated-fake-service-account@fake-gcp-project.iam.gserviceaccount.com"
+    }
+  }
+}
+`, topic)
+}
+
+func TestAccPubsubTopic_confluentCloudIngestionUpdate(t *testing.T) {
+	t.Parallel()
+
+	topic := fmt.Sprintf("tf-test-topic-%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckPubsubTopicDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPubsubTopic_updateWithConfluentCloudIngestionSettings(topic),
+			},
+			{
+				ResourceName:      "google_pubsub_topic.foo",
+				ImportStateId:     topic,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccPubsubTopic_updateWithUpdatedConfluentCloudIngestionSettings(topic),
+			},
+			{
+				ResourceName:      "google_pubsub_topic.foo",
+				ImportStateId:     topic,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccPubsubTopic_updateWithConfluentCloudIngestionSettings(topic string) string {
+	return fmt.Sprintf(`
+resource "google_pubsub_topic" "foo" {
+  name = "%s"
+
+  # Outside of automated terraform-provider-google CI tests, these values must be of actual Cloud Storage resources for the test to pass.
+  ingestion_data_source_settings {
+	confluent_cloud {
+		bootstrap_server = "test.us-west2.gcp.confluent.cloud:1111"
+		cluster_id = "1234"
+		topic = "test-topic"
+		identity_pool_id = "test-identity-pool-id"
+		gcp_service_account = "[email protected]"
+    }
+  }
+}
+`, topic)
+}
+
+func testAccPubsubTopic_updateWithUpdatedConfluentCloudIngestionSettings(topic string) string {
+	return fmt.Sprintf(`
+resource "google_pubsub_topic" "foo" {
+  name = "%s"
+
+  # Outside of automated terraform-provider-google CI tests, these values must be of actual Cloud Storage resources for the test to pass.
+  ingestion_data_source_settings {
+	confluent_cloud {
+		bootstrap_server = "test.us-west2.gcp.confluent.cloud:1111"
+		cluster_id = "1234"
+		topic = "test-topic"
+		identity_pool_id = "test-identity-pool-id"
+		gcp_service_account = "updated-fake-service-account@fake-gcp-project.iam.gserviceaccount.com"
+    }
+  }
+}
+`, topic)
+}