feat: pubsub resource (#4)

* feat: pubsub resource

* chore: rename to delegator

* chore: expand score examples

* chore: improved readme

README.md

@@ -6,16 +6,26 @@
 
 ---
 
-A collection of GCP resources ready to be used with [Humanitec](https://humanitec.com/).
+The GCP Resource Pack contains various reference implementation of connecting GCP with [the Humanitec Platform Orchestrator](https://developer.humanitec.com/platform-orchestrator/overview/).
+
+You can find more details about Resource Packs and how to use them [inside the Humanitec documentation](https://developer.humanitec.com/platform-orchestrator/resources/resource-packs/).
 
 The following resources are included:
 
 * [dns/basic](./humanitec-resource-defs/dns/basic): GCP Cloud DNS `dns` resource.
-* [gcs/basic](./humanitec-resource-defs/gcs/basic): A basic cloud storage bucket.
+* [gcp-iam-policy-binding/basic](./humanitec-resource-defs/gcp-iam-policy-binding/basic): Define role bindings for a GCP service account.
+* [gcp-pubsub-subscription/basic](./humanitec-resource-defs/gcp-pubsub-subscription/basic): A `gcp-pubsub-subscription` Resource Definition creating an GCP Pub/Sub Subscription.
+* [gcp-pubsub-topic/basic](./humanitec-resource-defs/gcp-pubsub-topic/basic): A `gcp-pubsub-topic` Resource Definition creating an GCP Pub/Sub Topic.
+* [gcp-service-account/workload](./humanitec-resource-defs/gcp-service-account/workload): An GCP service account, that can be assumed by a workload.
+* [gcs/basic](./humanitec-resource-defs/gcs/basic): A `gcs` Resource Definition creating a GCP Cloud Storage Bucket.
+* [k8s/service-account](./humanitec-resource-defs/k8s/service-account): A `k8s-service-account` linked to an GCP service account.
 * [mysql/basic](./humanitec-resource-defs/mysql/basic): A `mysql` resource using GCP CloudSQL.
 * [postgres/basic](./humanitec-resource-defs/postgres/basic): A `postgres` resource using GCP CloudSQL.
 * [redis/basic](./humanitec-resource-defs/redis/basic): GCP Memorystore `redis` resource.
+* [workload/service-account](./humanitec-resource-defs/workload/service-account): Inject a k8s service account into a `workload`.
 
-The `humanitec-resource-defs` directory includes the respective resource definitions.
+The `humanitec-resource-defs` directory includes the respective Resource Definitions.
 
 The `modules` directory includes the Terraform modules used by the [Humanitec Terraform Driver](https://developer.humanitec.com/integration-and-extensions/drivers/generic-drivers/terraform/) to provision the actual resources.
+
+Checkout `examples/` for example usage of the Resource Definitions listed above.

examples/dns/README.md

@@ -5,10 +5,21 @@ This example configures a [dns](https://developer.humanitec.com/platform-orchest
 The created Resource Definition can be used in your Score file using:
 
 ```yaml
+containers:
+  ...
+  app:
+    variables:
+      PORT: "3000"
 resources:
   ...
   dns:
     type: dns
+  route:
+    type: route
+    params:
+      host: ${resources.dns.host}
+      path: /
+      port: 3000
 ```
 
 <!-- BEGIN_TF_DOCS -->
@@ -46,7 +57,7 @@ resources:
 | managed\_zone | The name of the zone in which this record set will reside. | `string` | n/a | yes |
 | managed\_zone\_dns\_name | The DNS name of the managed zone. | `string` | n/a | yes |
 | project | GCP project ID | `string` | n/a | yes |
-| region | n/a | `string` | n/a | yes |
+| region | GCP region | `string` | n/a | yes |
 | name | Name of the example application | `string` | `"hum-rp-dns-example"` | no |
 | prefix | Prefix of the created resources | `string` | `"hum-rp-dns-ex-"` | no |
 | resource\_packs\_gcp\_rev | GCP Resource Pack git ref | `string` | `"refs/heads/main"` | no |

examples/dns/terraform.tfvars.example

@@ -17,6 +17,7 @@ prefix = "hum-rp-dns-ex-"
 # GCP project ID
 project = ""
 
+# GCP region
 region = ""
 
 # GCP Resource Pack git ref

examples/dns/variables.tf

@@ -4,7 +4,8 @@ variable "project" {
 }
 
 variable "region" {
-  type = string
+  description = "GCP region"
+  type        = string
 }
 
 variable "credentials" {

examples/gcp-pubsub/README.md

@@ -0,0 +1,97 @@
+# Example: gcp-pubsub resource based on Google Cloud Pub/Sub
+
+This example configures a [gcp-pubsub-topic](https://developer.humanitec.com/platform-orchestrator/reference/resource-types/#gcp-pubsub-topic) and a [gcp-pubsub-subscription](https://developer.humanitec.com/platform-orchestrator/reference/resource-types/#gcp-pubsub-subscription) Resource Definition using Google Cloud Pub/Sub.
+
+The Resource Graph is using [delegator resources](https://developer.humanitec.com/platform-orchestrator/examples/resource-graph-patterns/#delegator-resource) to expose shared resources with different access policies.
+
+Those Resource Definitions can be used in your Score file using:
+
+```yaml
+# publishing workload
+containers:
+  app:
+    ...
+    variables:
+      TOPIC_NAME: ${resources.topic.name}
+resources:
+  ...
+  topic:
+    metadata:
+      annotations:
+        score.humanitec.io/resId: shared.main-topic
+    type: gcp-pubsub-topic
+    class: basic-publisher
+```
+
+```yaml
+# subscribing workload
+containers:
+  app:
+    ...
+    variables:
+      SUBSCRIPTION_NAME: ${resources.subscription.name}
+resources:
+  ...
+  subscription:
+    type: gcp-pubsub-subscription
+    class: basic-subscriber
+    params:
+      topic_name: ${resources['gcp-pubsub-topic.basic#shared.main-topic'].outputs.name}
+```
+
+The workload service account will automatically be assigned the necessary GCP Service Account with the selected role bindings.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| humanitec | ~> 0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| humanitec | ~> 0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| gcp\_service\_account\_workload | ../../humanitec-resource-defs/gcp-service-account/workload | n/a |
+| gps\_basic\_subscriber | ../../humanitec-resource-defs/gcp-pubsub-subscription/delegator | n/a |
+| gpt\_basic\_publisher | ../../humanitec-resource-defs/gcp-pubsub-topic/delegator | n/a |
+| iam\_role\_binding\_gcp\_pubsub\_subscription\_subscriber | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a |
+| iam\_role\_binding\_gcp\_pubsub\_topic\_publisher | ../../humanitec-resource-defs/gcp-iam-policy-binding/basic | n/a |
+| k8s\_service\_account | ../../humanitec-resource-defs/k8s/service-account | n/a |
+| pubsub\_subscription\_basic | ../../humanitec-resource-defs/gcp-pubsub-subscription/basic | n/a |
+| pubsub\_topic\_basic | ../../humanitec-resource-defs/gcp-pubsub-topic/basic | n/a |
+| workload | ../../humanitec-resource-defs/workload/service-account | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [humanitec_application.example](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource |
+| [humanitec_resource_definition_criteria.gcp_service_account_workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.gps_basic_subscriber](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.gpt_basic_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_role_binding_gcp_pubsub_subscription_subscriber](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.iam_role_binding_gcp_pubsub_topic_publisher](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.k8s_service_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.pubsub_subscription_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.pubsub_topic_basic](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+| [humanitec_resource_definition_criteria.workload](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| credentials | GCP credentials | `string` | n/a | yes |
+| project | GCP project ID | `string` | n/a | yes |
+| name | Name of the example application | `string` | `"hum-rp-gcp-pubsub-example"` | no |
+| prefix | n/a | `string` | `"hum-rp-gcp-pubsub-ex-"` | no |
+| resource\_packs\_gcp\_rev | GCP Resource Pack git ref | `string` | `"refs/heads/main"` | no |
+| resource\_packs\_gcp\_url | GCP Resource Pack git url | `string` | `"https://github.com/humanitec-architecture/resource-packs-gcp.git"` | no |
+<!-- END_TF_DOCS -->

examples/gcp-pubsub/main.tf

@@ -0,0 +1,63 @@
+resource "humanitec_application" "example" {
+  id   = var.name
+  name = var.name
+}
+
+# GCP pubsub
+
+locals {
+  # Classes used to build the resource definition graph
+  gpt_basic_class             = "basic"
+  gps_basic_class             = "basic"
+  gpt_publisher_policy_class  = "gcp-pubsub-subscription-basic-publisher"
+  gps_subscriber_policy_class = "gcp-pubsub-subscription-basic-subscriber"
+
+  # Classes that developers can select from
+  gpt_basic_publisher_class  = "basic-publisher"
+  gps_basic_subscriber_class = "basic-subscriber"
+}
+
+# Required resources for workload identity
+
+module "k8s_service_account" {
+  source = "../../humanitec-resource-defs/k8s/service-account"
+
+  prefix = var.prefix
+}
+
+resource "humanitec_resource_definition_criteria" "k8s_service_account" {
+  resource_definition_id = module.k8s_service_account.id
+  app_id                 = humanitec_application.example.id
+  force_delete           = true
+}
+
+module "gcp_service_account_workload" {
+  source = "../../humanitec-resource-defs/gcp-service-account/workload"
+
+  resource_packs_gcp_url = var.resource_packs_gcp_url
+  resource_packs_gcp_rev = var.resource_packs_gcp_rev
+
+  project     = var.project
+  credentials = var.credentials
+  prefix      = var.prefix
+
+  name = "hrp-ps-$${context.res.id}"
+}
+
+resource "humanitec_resource_definition_criteria" "gcp_service_account_workload" {
+  resource_definition_id = module.gcp_service_account_workload.id
+  app_id                 = humanitec_application.example.id
+  force_delete           = true
+}
+
+module "workload" {
+  source = "../../humanitec-resource-defs/workload/service-account"
+
+  prefix = var.prefix
+}
+
+resource "humanitec_resource_definition_criteria" "workload" {
+  resource_definition_id = module.workload.id
+  app_id                 = humanitec_application.example.id
+  force_delete           = true
+}

examples/gcp-pubsub/providers.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    humanitec = {
+      source  = "humanitec/humanitec"
+      version = "~> 0"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}
+
+provider "humanitec" {}

examples/gcp-pubsub/pubsub_subscription.tf

@@ -0,0 +1,58 @@
+# gcp pubsub subscription related resources
+
+module "pubsub_subscription_basic" {
+  source = "../../humanitec-resource-defs/gcp-pubsub-subscription/basic"
+
+  resource_packs_gcp_url = var.resource_packs_gcp_url
+  resource_packs_gcp_rev = var.resource_packs_gcp_rev
+
+  project     = var.project
+  credentials = var.credentials
+  prefix      = var.prefix
+}
+
+resource "humanitec_resource_definition_criteria" "pubsub_subscription_basic" {
+  resource_definition_id = module.pubsub_subscription_basic.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gps_basic_class
+  force_delete           = true
+}
+
+# policy
+
+module "iam_role_binding_gcp_pubsub_subscription_subscriber" {
+  source = "../../humanitec-resource-defs/gcp-iam-policy-binding/basic"
+
+  prefix = var.prefix
+  name   = "gcp-pubsub-subscription-basic-subscriber"
+
+  type        = "pubsub_subscription"
+  scope_key   = "subscription"
+  scope_value = "$${resources['gcp-pubsub-subscription.${local.gps_basic_class}'].outputs.name}"
+  role        = "roles/pubsub.subscriber"
+}
+
+resource "humanitec_resource_definition_criteria" "iam_role_binding_gcp_pubsub_subscription_subscriber" {
+  resource_definition_id = module.iam_role_binding_gcp_pubsub_subscription_subscriber.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gps_subscriber_policy_class
+  force_delete           = true
+}
+
+## Exposed delegator resource definition
+
+module "gps_basic_subscriber" {
+  source = "../../humanitec-resource-defs/gcp-pubsub-subscription/delegator"
+
+  prefix = var.prefix
+
+  gps_resource_class    = local.gps_basic_class
+  policy_resource_class = local.gps_subscriber_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "gps_basic_subscriber" {
+  resource_definition_id = module.gps_basic_subscriber.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gps_basic_subscriber_class
+  force_delete           = true
+}

examples/gcp-pubsub/pubsub_topic.tf

@@ -0,0 +1,58 @@
+# gcp pubsub topic related resources
+
+module "pubsub_topic_basic" {
+  source = "../../humanitec-resource-defs/gcp-pubsub-topic/basic"
+
+  resource_packs_gcp_url = var.resource_packs_gcp_url
+  resource_packs_gcp_rev = var.resource_packs_gcp_rev
+
+  project     = var.project
+  credentials = var.credentials
+  prefix      = var.prefix
+}
+
+resource "humanitec_resource_definition_criteria" "pubsub_topic_basic" {
+  resource_definition_id = module.pubsub_topic_basic.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gpt_basic_class
+  force_delete           = true
+}
+
+# policy
+
+module "iam_role_binding_gcp_pubsub_topic_publisher" {
+  source = "../../humanitec-resource-defs/gcp-iam-policy-binding/basic"
+
+  prefix = var.prefix
+  name   = "gcp-pubsub-topic-basic-publisher"
+
+  type        = "pubsub_topic"
+  scope_key   = "topic"
+  scope_value = "$${resources['gcp-pubsub-topic.${local.gpt_basic_class}'].outputs.name}"
+  role        = "roles/pubsub.publisher"
+}
+
+resource "humanitec_resource_definition_criteria" "iam_role_binding_gcp_pubsub_topic_publisher" {
+  resource_definition_id = module.iam_role_binding_gcp_pubsub_topic_publisher.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gpt_publisher_policy_class
+  force_delete           = true
+}
+
+## Exposed delegator resource definition
+
+module "gpt_basic_publisher" {
+  source = "../../humanitec-resource-defs/gcp-pubsub-topic/delegator"
+
+  prefix = var.prefix
+
+  gpt_resource_class    = local.gpt_basic_class
+  policy_resource_class = local.gpt_publisher_policy_class
+}
+
+resource "humanitec_resource_definition_criteria" "gpt_basic_publisher" {
+  resource_definition_id = module.gpt_basic_publisher.id
+  app_id                 = humanitec_application.example.id
+  class                  = local.gpt_basic_publisher_class
+  force_delete           = true
+}

examples/gcp-pubsub/terraform.tfvars.example

@@ -0,0 +1,17 @@
+
+# GCP credentials
+credentials = ""
+
+# Name of the example application
+name = "hum-rp-gcp-pubsub-example"
+
+prefix = "hum-rp-gcp-pubsub-ex-"
+
+# GCP project ID
+project = ""
+
+# GCP Resource Pack git ref
+resource_packs_gcp_rev = "refs/heads/main"
+
+# GCP Resource Pack git url
+resource_packs_gcp_url = "https://github.com/humanitec-architecture/resource-packs-gcp.git"