3

I have a large set of GCP Cloud Build Triggers that I invoke via Cloud Scheduler, all running fine. Now I want to invoke these triggers by an external API call and pass them dynamic parameters that vary in values and number of parameters.

I was able to start a trigger by running an API request, but any JSON parameters in the API request that I sent were ignored. Google talks about substitution parameters at https://cloud.google.com/cloud-build/docs/configuring-builds/substitute-variable-values. I define these variables in the cloudbuild.yaml file; however, they were not propagated into my shell script from the API request. I don't get any errors with authentication or authorization, so security may not be an issue.

Is my idea supported at all, or do I need to resort to another solution such as running a GKE cluster with containers that would expose its API (a very heavy-boxing solution)?

Stan
  • 1
    The solution was to use the substitution directive in the API request, such as: `curl -X POST -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" -H "Content-Type: application/json" https://cloudbuild.googleapis.com/v1/projects/PROJECTID/triggers/TRIGGERID:run -d '{"branchName":"master","substitutions":{"_SCA_PROJECT_NAME":"test","_SCA_VERSION_NAME":"test","_REPO_URLS":"","_BUILD_TOOL":"npm"}}'` – Stan Apr 15 '20 at 15:47

1 Answer

4

We do something similar -- we migrated from Jenkins to GCB but for some people we still need a nicer "UI" to start builds / pass variables.

I got scripts from here and modified them to our own needs: https://medium.com/@nieldw/put-your-build-triggers-into-source-control-with-the-cloud-build-api-ed0c18d6fcac

Here is their REST API: https://cloud.google.com/cloud-build/docs/api/reference/rest/v1/projects.triggers/run

For the script below, keep in mind you need the trigger-id of what you want to run (you can also get this by parsing the output of another REST API).

```bash
#!/usr/bin/env bash
# usage: <script> TRIGGER_ID BRANCH_OR_SHA
TRIGGER_ID=$1
# we need to specify AT LEAST the branch name or commit id (checked below)
BRANCH_OR_SHA=$2
# project that owns the trigger; falls back to the active gcloud project
PROJECT_ID=${PROJECT_ID:-$(gcloud config get-value project)}

# check if branch_name or commit_sha
# (anchored, so a branch name that merely contains a hex run is not taken for a SHA)
if [[ $BRANCH_OR_SHA =~ ^[0-9a-f]{5,40}$ ]]; then
    # is COMMIT_HASH
    COMMIT_SHA=$BRANCH_OR_SHA
    BRANCH_OR_SHA="\"commitSha\": \"$COMMIT_SHA\""
else
    # is BRANCH_NAME
    BRANCH_OR_SHA="\"branchName\": \"$BRANCH_OR_SHA\""
fi

# This is the request we send to google so it knows what to build
# Here we're overriding some variables that we have already set in the default 'cloudbuild.yaml' file of the repo
cat <<EOF > request.json
{
  "projectId": "$PROJECT_ID",
  $BRANCH_OR_SHA,
  "substitutions": {
    "_MY_VAR_1": "my_value",
    "_MY_VAR_2": "my_value_2"
   }
}
EOF

# our curl post, we send 'request.json' with info, add our Token, and set the trigger_id
curl -X POST -T request.json -H "Authorization: Bearer $(gcloud config config-helper \
    --format='value(credential.access_token)')" \
        https://cloudbuild.googleapis.com/v1/projects/"$PROJECT_ID"/triggers/"$TRIGGER_ID":run
```
Lance Sandino
  • Also there is a limitation for `kmsKeyName` and `secretEnv` fields. Substitution is not supported for them https://cloud.google.com/cloud-build/docs/securing-builds/use-encrypted-secrets-credentials#using_the_encrypted_variable_in_build_requests. – Emil Gi Jan 22 '20 at 08:45
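
One way to build the `triggers/TRIGGER_ID:run` request body when the branch and substitution values come from an external caller, as an added example that is not part of the original answer or comments. The function name, the `allowed_keys` allowlist and the branch-name filter are assumptions, and the sample values are constructed.

```python
import json
import re

# Cloud Build's documented rule: user-defined substitution names match _[A-Z0-9_]+
SUBSTITUTION_KEY = re.compile(r"_[A-Z0-9_]+")
# Same hex length range as the shell script above, matched against the whole ref
COMMIT_SHA = re.compile(r"[0-9a-f]{5,40}")
# Assumption: a conservative branch-name filter; tighten it to your naming scheme
BRANCH_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,199}")


def build_run_request(project_id, ref, substitutions, allowed_keys):
    """Return the JSON body for triggers/TRIGGER_ID:run, or raise ValueError.

    allowed_keys (hypothetical parameter) is the set of substitution names
    this trigger's cloudbuild.yaml actually expects from external callers.
    """
    body = {"projectId": project_id}
    if COMMIT_SHA.fullmatch(ref):
        body["commitSha"] = ref
    elif BRANCH_NAME.fullmatch(ref):
        body["branchName"] = ref
    else:
        raise ValueError(f"rejected ref: {ref!r}")

    checked = {}
    for key, value in substitutions.items():
        if not SUBSTITUTION_KEY.fullmatch(key):
            raise ValueError(f"invalid substitution name: {key!r}")
        if key not in allowed_keys:
            raise ValueError(f"substitution not allowed for this trigger: {key}")
        if not isinstance(value, str):
            raise ValueError(f"substitution {key} must be a string")
        checked[key] = value
    body["substitutions"] = checked
    # json.dumps escapes quotes, backslashes and control characters, so a value
    # stays inside its own string and cannot add or override request fields.
    return json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    # Constructed input: the second value tries to smuggle in a branchName field.
    print(build_run_request(
        "my-project", "master",
        {"_MY_VAR_1": "my_value", "_MY_VAR_2": 'x", "branchName": "other'},
        allowed_keys={"_MY_VAR_1", "_MY_VAR_2"},
    ))
```

The returned string can be sent as the POST body in place of the heredoc-generated `request.json`.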