Configure Dead Lettering for Pub/Sub-Triggered Services

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Run console available at https://console.cloud.google.com/run/.

04 Select the SERVICES tab to view the Cloud Run services deployed for the selected GCP project.

05 Click on the name (link) of the service that you want to examine, listed in the Name column.

06 Select the TRIGGERS tab and check the Event provider attribute value listed under Eventarc trigger to determine if the selected resource is a Pub/Sub-triggered service. If Event provider is not set to Cloud Pub/Sub, the selected Cloud Run service is not triggered by Pub/Sub and the Audit process ends here. If Event provider is set to Cloud Pub/Sub, you can continue the Audit process with the next step.

07 Click on the name (link) of the Pub/Sub topic listed under Receive events from, to access the Pub/Sub topic associated with your service.

08 Select the SUBSCRIPTION tab and click on the identifier (ID) of the subscription that you want to examine, listed in the Subcription ID column.

09 Choose the DETAILS tab and check the Dead lettering feature status. If the Dead lettering status is set to Disabled, the selected Pub/Sub subscription does not have a Dead-Letter Topic (DLT) configured to capture undeliverable messages.

10 Repeat steps no. 8 and 9 for each Pub/Sub subscription created for the associated topic. If none of these subscriptions has a Dead-Letter Topic (DLT) set up to handle undeliverable messages, dead lettering is not configured for the selected Cloud Run Pub/Sub-triggered service.

11 Repeat steps no. 5 - 10 for each Cloud Run service created for the selected GCP project.

12 Repeat steps no. 2 - 11 for each project deployed within your Google Cloud account.

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
	--format="value(projectId)"

02 The command output should return the requested GCP project ID(s):

cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run services list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each Cloud Run service deployed within the selected project:

gcloud run services list
	--project cc-bigdata-project-123123
	--format="(NAME,REGION)"

04 The command output should return the requested service names and the associated regions:

NAME: cc-project5-service
REGION: us-central1

NAME: tm-stream-service
REGION: us-central1

NAME: tm-vertex-service
REGION: us-central1

05 Run eventarc triggers list command (Windows/macOS/Linux) to list the Eventarc triggers available within the selected GCP project:

gcloud eventarc triggers list
	--project cc-bigdata-project-123123
	--format="value(name,destination,transport)"

06 The command output should return the configuration information available for each Eventarc trigger available in the selected GCP project. Check the destination.cloudRun.service element for each listed Eventarc trigger to identify your Cloud Run service. If your Cloud Run service is not found, the selected service is not triggered by Google Cloud Pub/Sub and the Audit process ends here. If your Cloud Run service is found, check the transport.pubsub.subscription element to identify the ID of the Pub/Sub subscription associated with your service, and continue the Audit process with the next step:

---
destination:
	cloudRun:
	path: /
	region: us-central1
	service: cc-project5-service
name: projects/cc-bigdata-project-123123/locations/us-central1/triggers/trigger-abcd1234
transport:
	pubsub:
	subscription: projects/cc-bigdata-project-123123/subscriptions/eventarc-us-central1-trigger-abcd1234-sub-abc
	topic: projects/cc-bigdata-project-123123/topics/cc-cloudrun-pubsub-topic

---
destination:
	cloudRun:
	path: /
	region: us-central1
	service: tm-stream-service
name: projects/cc-bigdata-project-123123/locations/us-central1/triggers/trigger-12341bcd
transport:
	pubsub:
	subscription: projects/cc-bigdata-project-123123/subscriptions/eventarc-us-central1-trigger-12341bcd-sub-cba
	topic: projects/cc-bigdata-project-123123/topics/cc-stream-pubsub-topic
```

07 Run pubsub subscriptions describe command (Windows/macOS/Linux) with custom output filters to describe the Dead-Letter Topic (DLT) configured for the Pub/Sub subscription associated with your Cloud Run service:

gcloud pubsub subscriptions describe projects/cc-bigdata-project-123123/subscriptions/eventarc-us-central1-trigger-abcd1234-sub-abc
	--format="json(deadLetterPolicy.deadLetterTopic)"

08 The command output should return the requested DLT identifier:

null

09 Repeat steps no. 7 and 8 for each Cloud Run service created for the selected GCP project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 We recommend using a separate Pub/Sub topic for your Dead-Letter Topic (DLT). Navigate to Pub/Sub console available at https://console.cloud.google.com/cloudpubsub, choose CREATE TOPIC, and perform the following actions to set up your Dead-Letter Topic:

1. Provide a unique identifier for the new topic in the Topic ID box.
2. Your Dead-Letter Topic (DLT) should have at least one subscription so that dead-lettered messages will not be lost. Check the Add a default subscription setting checkbox to create a subscription for your new DLT.
3. For Encryption, choose Cloud KMS key, and select your own Customer-Managed Encryption Key (CMEK) from the Select a Cloud KMS key dropdown list.
4. Choose CREATE to deploy your new Dead-Letter Topic (DLT).

04 Navigate to Cloud Run console available at https://console.cloud.google.com/run/.

05 Select the SERVICES tab to access the Cloud Run services deployed for the selected GCP project.

06 Click on the name (link) of the service that you want to configure, listed in the Name column.

07 Select the TRIGGERS tab and click on the name (link) of the Pub/Sub topic listed under Receive events from, to access the Pub/Sub topic associated with your service.

08 Select the SUBSCRIPTION tab and click on the identifier (ID) of the subscription that you want to configure, listed in the Subcription ID column.

09 Choose EDIT and perform the following actions to enable dead lettering for the selected subscription:

1. In the Dead lettering section, check the Enable dead lettering checkbox, and choose the Dead-Letter Topic (DLT) created earlier in the Remediation section from the Select a dead letter topic dropdown list.
2. (Optional) For Maximum delivery attempts, specify an integer between 5 and 100, based on your application needs.
3. Choose UPDATE to apply the configuration changes.

10 Select the DEAD LETTERING tab, and click on the GRANT PUBLISHER ROLE and GRANT SUBSCRIBER ROLE links to assign the Publisher and Subscriber roles. The Pub/Sub service account for the selected GCP project needs the Publisher role to publish dead-lettered messages to the specified topic and the Subscriber role to forward messages from this subscription to the Dead-Letter Topic (DLT). The selected subscription can dead letter messages to the new DLT once it exceeds the specified delivery attempt count.

11 Repeat steps no. 6 - 10 for each Cloud Run service that you want to configure, available within the selected project.

12 Repeat steps no. 2 – 11 for each project deployed in your Google Cloud account.

01 The best practice is to use a dedicated Pub/Sub topic for your Dead-Letter Topic (DLT). Run pubsub topics create command (Windows/macOS/Linux) to create the Pub/Sub Dead-Letter Topic (DLT) that will capture undeliverable messages:

gcloud pubsub topics create cc-dead-letter-topic
	--project cc-bigdata-project-123123

02 The command output should return the full resource identifier of the newly created topic:

Created topic [projects/cc-bigdata-project-123123/topics/cc-dead-letter-topic].

03 The new DLT should have at least one subscription so that dead-lettered messages will not be lost. Run pubsub subscriptions create command (Windows/macOS/Linux) to create the required subscription for your new Dead-Letter Topic (DLT):

gcloud pubsub subscriptions create cc-dead-letter-subscription
	--topic=cc-dead-letter-topic
	--topic-project=cc-bigdata-project-123123

04 The command output should return the resource ID of the new Pub/Sub subscription:

Created subscription [projects/cc-bigdata-project-123123/subscriptions/cc-dead-letter-subscription].

05 Run pubsub subscriptions update command (Windows/macOS/Linux) to enable dead lettering for the subscription associated with your Pub/Sub-triggered service:

gcloud pubsub subscriptions update eventarc-us-central1-service-1-123123-sub-abc
	--dead-letter-topic=cc-dead-letter-topic
	--max-delivery-attempts=10
	--dead-letter-topic-project=cc-bigdata-project-123123

06 The command output should return the URL of the configured Pub/Sub subscription:

Updated subscription [projects/cc-bigdata-project-123123/subscriptions/eventarc-us-central1-service-1-123123-sub-abc].

07 The Pub/Sub service account for the selected Google Cloud project needs the Publisher role to publish dead-lettered messages to the newly created Dead-Letter Topic (DLT). To grant Pub/Sub permission to publish messages to the specified topic, run pubsub topics add-iam-policy-binding command (Windows/macOS/Linux). Replace \<project-number\> with your own GCP project number:

gcloud pubsub topics add-iam-policy-binding cc-dead-letter-topic
	--member="serviceAccount:service-<project-number>@gcp-sa-pubsub.iam.gserviceaccount.com"
	--role="roles/pubsub.publisher"

08 The command output should return the IAM policy binding information:

Updated IAM policy for topic [cc-dead-letter-topic].
bindings:
- members:
- serviceAccount:service-<project-number>@gcp-sa-pubsub.iam.gserviceaccount.com
role: roles/pubsub.publisher
etag: abcdabcdabcd
version: 1

09 The Pub/Sub service account for the selected Google Cloud project needs the Subscriber role to forward messages from the configured subscription to the new DLT. To grant Pub/Sub permission to acknowledge forwarded messages and remove them from the specified subscription, run pubsub subscriptions add-iam-policy-binding command (Windows/macOS/Linux). Replace \<project-number\> with your own GCP project number:

gcloud pubsub subscriptions add-iam-policy-binding eventarc-us-central1-service-1-123123-sub-abc
	--member="serviceAccount:service-<project-number>@gcp-sa-pubsub.iam.gserviceaccount.com"
	--role="roles/pubsub.subscriber"

10 The command output should return the new IAM policy binding information:

Updated IAM policy for subscription [eventarc-us-central1-service-1-123123-sub-abc].
bindings:
- members:
- serviceAccount:service-<project-number>@gcp-sa-pubsub.iam.gserviceaccount.com
role: roles/pubsub.subscriber
etag: abcdabcdabcd
version: 1

11 Repeat steps no. 5 - 10 for each Cloud Run service that you want to configure, available in the selected project.

12 Repeat steps no. 1 – 11 for each GCP project deployed in your Google Cloud account.