add team/squad labels to dlq topic (#703)

this would enable routing dlq alerts to the appropriate team

Signed-off-by: Kenny Leung <kleung@chainguard.dev>

modules/bucket-events/main.tf

@@ -99,6 +99,10 @@ module "authorize-delivery" {
 resource "google_pubsub_topic" "dead-letter" {
   name = "${var.name}-dlq-${random_string.delivery-suffix.result}"
 
+  labels = var.squad == "" ? {} : {
+    team = var.squad
+  }
+
   message_storage_policy {
     allowed_persistence_regions = [local.region]
   }

modules/cloudevent-recorder/recorder.tf

@@ -39,8 +39,8 @@ module "this" {
   name       = var.name
   regions    = var.regions
 
-  squad            = var.squad
-  require_squad    = var.require_squad
+  squad           = var.squad
+  require_squad   = var.require_squad
   service_account = google_service_account.recorder.email
   containers = {
     "recorder" = {
@@ -111,6 +111,9 @@ module "triggers" {
     name   = var.name
   }
 
+  team         = var.squad
+  require_team = var.require_squad
+
   notification_channels = var.notification_channels
 }
 

modules/cloudevent-recorder/subscriber-gcs.tf

@@ -25,6 +25,10 @@ resource "google_pubsub_topic" "dead-letter" {
 
   name = "${var.name}-dlq-${substr(md5(each.key), 0, 6)}"
 
+  labels = var.squad == "" ? {} : {
+    team = var.squad
+  }
+
   message_storage_policy {
     allowed_persistence_regions = [each.value.region]
   }

modules/cloudevent-trigger/README.md

@@ -126,6 +126,8 @@ No requirements.
 | <a name="input_private-service"></a> [private-service](#input\_private-service) | The private cloud run service that is subscribing to these events. | <pre>object({<br/>    name   = string<br/>    region = string<br/>  })</pre> | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
 | <a name="input_raw_filter"></a> [raw\_filter](#input\_raw\_filter) | Raw PubSub filter to apply, ignores other variables. https://cloud.google.com/pubsub/docs/subscription-message-filter#filtering_syntax | `string` | `""` | no |
+| <a name="input_require_team"></a> [require\_team](#input\_require\_team) | Whether to require team variable to be specified | `bool` | `true` | no |
+| <a name="input_team"></a> [team](#input\_team) | team label to apply to the service. | `string` | `""` | no |
 
 ## Outputs
 

modules/cloudevent-trigger/main.tf

@@ -55,6 +55,10 @@ locals {
 resource "google_pubsub_topic" "dead-letter" {
   name = "${var.name}-dlq-${random_string.suffix.result}"
 
+  labels = var.team == "" ? {} : {
+    team = var.team
+  }
+
   message_storage_policy {
     allowed_persistence_regions = [var.private-service.region]
   }

modules/cloudevent-trigger/variables.tf

@@ -109,3 +109,20 @@ variable "ack_deadline_seconds" {
   type        = number
   default     = 300
 }
+
+variable "require_team" {
+  description = "Whether to require team variable to be specified"
+  type        = bool
+  default     = true
+}
+
+variable "team" {
+  description = "team label to apply to the service."
+  type        = string
+  default     = ""
+
+  validation {
+    condition     = !var.require_team || var.team != ""
+    error_message = "team needs to specified or disable check by setting require_team = false"
+  }
+}

modules/github-bots/main.tf

@@ -76,6 +76,9 @@ module "cloudevent-trigger" {
     name   = var.name
   }
 
+  team         = var.squad
+  require_team = var.require_squad
+
   notification_channels = var.notification_channels
 }