IaC Bazaar
Google Cloud · Live-tested

Eventarc Pub/Sub Trigger

An Eventarc Pub/Sub trigger wired into a self-contained pipeline — a Cloud Run target, a dedicated delivery service account, and the run.invoker and eventReceiver grants Eventarc silently requires.

terraform · Google Cloud · #gcp
gcp-eventarc · terraform v1.7

Verification

Live-tested

Deployed for real, verified, checked for idempotency, and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

gcp-eventarc

An Eventarc Pub/Sub trigger wired into a self-contained event pipeline: a Cloud Run service target (created by the module by default), a dedicated trigger service account, and the two IAM grants Eventarc silently requires — roles/run.invoker on the destination and roles/eventarc.eventReceiver on the project. Without those grants the trigger applies but never delivers an event. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

For the google.cloud.pubsub.topic.v1.messagePublished event type, Eventarc auto-provisions (and tears down) the backing Pub/Sub topic and subscription. Publish to the topic exported as pubsub_topic to fire events.

What you get per module call:

  • An Eventarc trigger on Pub/Sub message-published events
  • A dedicated trigger service account (least privilege)
  • run.invoker + eventarc.eventReceiver grants for that account
  • A Cloud Run destination service created inline (or route to an existing one)
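The pieces listed above, written out as plain Terraform resources to show where the two grants attach. This is an added example, not the module's own code: the resource names, the two variables, the service names and the container image are assumptions chosen for illustration.

```hcl
# Added example. Names, variables and the image are hypothetical placeholders.
variable "project_id" { type = string }
variable "region" { type = string }

resource "google_service_account" "trigger" {
  project    = var.project_id
  account_id = "eventarc-trigger-example" # dedicated identity, used for nothing else
}

resource "google_cloud_run_v2_service" "target" {
  project  = var.project_id
  name     = "event-target-example"
  location = var.region
  template {
    containers { image = "us-docker.pkg.dev/cloudrun/container/hello" }
  }
}

# Grant 1: scoped to this one service, so the identity cannot invoke others.
resource "google_cloud_run_v2_service_iam_member" "invoker" {
  project  = var.project_id
  location = google_cloud_run_v2_service.target.location
  name     = google_cloud_run_v2_service.target.name
  role     = "roles/run.invoker"
  member   = google_service_account.trigger.member
}

# Grant 2: project-level role that lets the identity receive Eventarc events.
resource "google_project_iam_member" "event_receiver" {
  project = var.project_id
  role    = "roles/eventarc.eventReceiver"
  member  = google_service_account.trigger.member
}

resource "google_eventarc_trigger" "pubsub" {
  project         = var.project_id
  name            = "pubsub-trigger-example"
  location        = var.region
  service_account = google_service_account.trigger.email
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.pubsub.topic.v1.messagePublished"
  }
  destination {
    cloud_run_service { service = google_cloud_run_v2_service.target.name }
  }
  # Create both grants before the trigger so delivery works from the first event.
  depends_on = [google_cloud_run_v2_service_iam_member.invoker, google_project_iam_member.event_receiver]
}
# No transport block is given, so Eventarc provisions the topic and exposes it here.
output "pubsub_topic" { value = google_eventarc_trigger.pubsub.transport[0].pubsub[0].topic }
```

Binding roles/run.invoker on the service rather than on the project keeps the delivery account from invoking any other Cloud Run service in the project.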

Requirements

| Requirement | Version |
| --- | --- |
| Terraform / OpenTofu | >= 1.6 |
| hashicorp/google | >= 7.0, < 8.0 |

The Eventarc (eventarc.googleapis.com), Pub/Sub (pubsub.googleapis.com) and Cloud Run (run.googleapis.com) APIs must be enabled on the project. Eventarc itself manages the Pub/Sub service agent token-creator grant it needs for authenticated push.

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
