Notification system for Cloud Run with Google Chat for CI/CD pipelines.
Imagine being notified every time your CI/CD pipeline fires and performs an action (updated, deleted, and more) on your various Cloud Run services 🤔🤔. This will allow you and your teams to be informed in real time about what’s going on with your services. If you are interested in a CI/CD pipeline for Cloud Run, you can read my previous article 👇.
In this article, we will see how to set up a notification system for Cloud Run services. You can extend this to other Google Cloud services. Here, we will use the Update event for our setup. Depending on your needs, you can choose the Cloud Audit Logs event that suits you.
Let’s go now!
Activation of necessary APIs
gcloud services enable run.googleapis.com
gcloud services enable eventarc.googleapis.com
gcloud services enable logging.googleapis.com
gcloud services enable workflows.googleapis.com
gcloud services enable secretmanager.googleapis.com
Creation of a Service for the final test
Deploy the image us-docker.pkg.dev/cloudrun/container/hello on Cloud Run with the service name hello. Leave the rest of the settings as default.
Deployment of the notification code on Cloud Run
We will first retrieve the code from GitHub.
As you can see, our code uses three environment variables:
- GOOGLE_CHAT_SPACE: the id of your Space.
- GOOGLE_CHAT_KEY: the key of your Webhook.
- GOOGLE_CHAT_TOKEN: the token of your Webhook.
For more information on these different variables 👇👇.
Secure environment variables
To register the variables GOOGLE_CHAT_SPACE, GOOGLE_CHAT_KEY and GOOGLE_CHAT_TOKEN in Secret Manager, select Security followed by Secret Manager in the top left menu. Then click on CREATE SECRET and enter the name of the variable and the value of the secret. Leave the rest of the settings as default. Perform the same operation for each environment variable.
Once we have retrieved the code, we will:
- Create a docker image or use my image us-central1-docker.pkg.dev/myfreestyle/public/cloudrun-notify-google-chat:v1
- Push the docker image to Artifact Registry.
- Create a service account for the Cloud Run service with the Secret Manager Secret Accessor role.
- Require authentication for the service.
- Add the environment variables.
- Deploy the docker image on Cloud Run with the service account created previously, which has only the Secret Manager Secret Accessor role.
Workflows service account configuration
To use Workflows, we will need a service account workflows-notify-google-chat which will have the following role:
- Cloud Run Invoker: Can invoke services.
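The deployment steps and the Workflows service account above, written as gcloud commands; this is an added example, not the author's script. It assumes the names PROJECT_ID, REGION, notify-google-chat, a notify repository in your own Artifact Registry and the service-account ID notify-google-chat-run. It grants Secret Manager Secret Accessor on the three secrets only and Cloud Run Invoker on the notifier only, and it prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not the author's script). PROJECT_ID, REGION, NOTIFIER, the
# "notify" repository and the service-account IDs are assumed names.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
NOTIFIER="${NOTIFIER:-notify-google-chat}"
IMAGE="${IMAGE:-$REGION-docker.pkg.dev/$PROJECT_ID/notify/cloudrun-notify-google-chat:v1}"
RUN_SA_ID="notify-google-chat-run"
WF_SA_ID="workflows-notify-google-chat"
DOMAIN="$PROJECT_ID.iam.gserviceaccount.com"
SECRETS="GOOGLE_CHAT_SPACE GOOGLE_CHAT_KEY GOOGLE_CHAT_TOKEN"

# Print every command; execute it only when APPLY=1.
run() { printf '%s\n' "$*"; if [ "${APPLY:-0}" = 1 ]; then "$@"; fi; }

# Build the --set-secrets value: ENV_VAR=SECRET_NAME:latest for each secret.
secret_flags() {
  out=""
  for s in $SECRETS; do out="${out:+$out,}$s=$s:latest"; done
  printf '%s' "$out"
}

deploy_notifier() {
  run gcloud iam service-accounts create "$RUN_SA_ID" --project "$PROJECT_ID"
  # Secret Accessor on the three secrets only, not on the whole project.
  for s in $SECRETS; do
    run gcloud secrets add-iam-policy-binding "$s" --project "$PROJECT_ID" \
      --member "serviceAccount:$RUN_SA_ID@$DOMAIN" \
      --role roles/secretmanager.secretAccessor
  done
  # --no-allow-unauthenticated: callers must hold Cloud Run Invoker.
  run gcloud run deploy "$NOTIFIER" --project "$PROJECT_ID" --region "$REGION" \
    --image "$IMAGE" --service-account "$RUN_SA_ID@$DOMAIN" \
    --no-allow-unauthenticated --set-secrets "$(secret_flags)"
}

allow_workflow_to_invoke() {
  run gcloud iam service-accounts create "$WF_SA_ID" --project "$PROJECT_ID"
  # Cloud Run Invoker on the notifier service only.
  run gcloud run services add-iam-policy-binding "$NOTIFIER" \
    --project "$PROJECT_ID" --region "$REGION" \
    --member "serviceAccount:$WF_SA_ID@$DOMAIN" --role roles/run.invoker
}

deploy_notifier
allow_workflow_to_invoke
```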
Creating our workflow
In the following workflow, we will retrieve the information from the Cloud Run service that triggered the event. Then we will send it to our Cloud Run service which will send the notification in Google Chat.
- serviceImage: image that has been deployed
- serviceCreator: the coordinates of the person who made the update
- serviceRegion: Cloud Run service region
- dateCreation: the date and time of the Cloud Run service update
- serviceName: Cloud Run service name
- revisionName: the name of the latest revision of the Cloud Run service
- serviceUrl: Cloud Run service url
NB: Replace the url and audience with the information from your Cloud Run notification service.
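One way to write the workflow described above (an added example, not the author's workflow): it extracts the listed fields from the audit-log event and calls the authenticated notifier with an OIDC token for the Workflows service account. The audit-log field paths, the workflow name and the NOTIFIER_URL placeholder are assumptions; the script writes the definition and prints the deploy command unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not the author's workflow). The audit-log field paths, the
# workflow name and NOTIFIER_URL are assumptions; compare the paths with a real
# Cloud Run entry in Logs Explorer before relying on them.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
WORKFLOW="${WORKFLOW:-notify-google-chat}"
NOTIFIER_URL="${NOTIFIER_URL:-https://notify-google-chat-PLACEHOLDER.a.run.app}"
WF_SA="workflows-notify-google-chat@$PROJECT_ID.iam.gserviceaccount.com"
OUT="${TMPDIR:-/tmp}/workflow.yaml"

run() { printf '%s\n' "$*"; if [ "${APPLY:-0}" = 1 ]; then "$@"; fi; }

# $1 = output file, $2 = URL of the notifier (also used as the OIDC audience).
write_workflow() {
  sed "s|__NOTIFIER_URL__|$2|g" > "$1" <<'EOF'
main:
  params: [event]
  steps:
    - extract:
        assign:
          - entry: ${event.data}
          - svc: ${entry.protoPayload.response}
          - body:
              serviceName: ${entry.resource.labels.service_name}
              serviceRegion: ${entry.resource.labels.location}
              serviceCreator: ${entry.protoPayload.authenticationInfo.principalEmail}
              dateCreation: ${entry.timestamp}
              serviceImage: ${svc.spec.template.spec.containers[0].image}
              revisionName: ${svc.status.latestCreatedRevisionName}
              serviceUrl: ${svc.status.url}
    - notify:
        call: http.post
        args:
          url: __NOTIFIER_URL__
          auth:
            type: OIDC
            audience: __NOTIFIER_URL__
          body: ${body}
        result: resp
    - done:
        return: ${resp.code}
EOF
}

write_workflow "$OUT" "$NOTIFIER_URL"
run gcloud workflows deploy "$WORKFLOW" --project "$PROJECT_ID" \
  --location "$REGION" --source "$OUT" --service-account "$WF_SA"
```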
Now we’ll configure Eventarc.
Enable Cloud Audit Logs
To receive events from a service, you must enable Cloud Audit Logs.
In Cloud Console, select IAM & Admin followed by Audit Logs in the top left menu. In the list of services, check Cloud Run Admin API. Select Data Write and click SAVE to save your choice.
Configuration of the Eventarc service account
We will create a service account that we will call trigger-notification-google-chat which will have the roles:
- Eventarc Event Receiver: event receiver.
- Workflows Invoker: Access to run workflows and manage executions.
Creating an Eventarc Trigger
Before you start, you should know that if you use a single region for your Eventarc trigger, only events from Cloud Run services in that region will be captured. If you want to support all your Cloud Run services, you should use the global region.
Now, let’s proceed to the configuration of our Eventarc trigger with the service account trigger-notification-google-chat. We will use our previous workflow as the destination.
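The Eventarc service account and trigger described above, as gcloud commands (an added example, not the author's commands). The trigger name, workflow name, workflow region and the methodName chosen for the Update event are assumptions; commands are printed unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not the author's commands). TRIGGER, WORKFLOW, the workflow
# region and the methodName used for "update" are assumptions.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project}"
WORKFLOW="${WORKFLOW:-notify-google-chat}"
WORKFLOW_REGION="${WORKFLOW_REGION:-us-central1}"
TRIGGER="${TRIGGER:-cloudrun-update-to-chat}"
# Service-account IDs are limited to 30 characters, so the page's 32-character
# name becomes the display name and a shorter ID is assumed here.
SA_ID="trigger-notify-google-chat"
SA_NAME="trigger-notification-google-chat"
SA="$SA_ID@$PROJECT_ID.iam.gserviceaccount.com"

# Print every command; execute it only when APPLY=1.
run() { printf '%s\n' "$*"; if [ "${APPLY:-0}" = 1 ]; then "$@"; fi; }

# $1 (optional) = audit-log methodName to match; one method per trigger.
create_trigger() {
  method="${1:-google.cloud.run.v1.Services.ReplaceService}"
  run gcloud iam service-accounts create "$SA_ID" --project "$PROJECT_ID" \
    --display-name "$SA_NAME"
  # The two roles the page lists for the trigger's identity, nothing more.
  for role in roles/eventarc.eventReceiver roles/workflows.invoker; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:$SA" --role "$role"
  done
  # --location global: capture events from Cloud Run services in every region.
  run gcloud eventarc triggers create "$TRIGGER" --project "$PROJECT_ID" \
    --location global \
    --destination-workflow "$WORKFLOW" \
    --destination-workflow-location "$WORKFLOW_REGION" \
    --event-filters "type=google.cloud.audit.log.v1.written" \
    --event-filters "serviceName=run.googleapis.com" \
    --event-filters "methodName=$method" \
    --service-account "$SA"
}

create_trigger
```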
It’s time to test our configuration. To do this, we just need to make an update to the hello service we deployed first (for example, change the maximum number of requests per container) and you will receive a notification in Google Chat.
Depending on your needs, you can change the current configuration and extend it to other Google Cloud services. You can also add labels to distinguish notifications (update, delete and other notifications).
Bonus
- Using Microsoft Teams
The configuration is almost the same as Google Chat. The difference is in the code that is deployed on Cloud Run for notifications.
Here you will need the Microsoft_Webhook_URL environment variable that you will add in Secret Manager.
- Using Slack
It’s the same procedure with Slack. You’ll need the code below 👇.
For Slack, you will need the SLACK_URL_WEBHOOK environment variable that you will add in Secret Manager.
- Use the Google Chat API directly in Workflows
Since using a Cloud Run service for notifications can incur costs, you can use the Google Chat API directly in Workflows to save money. To do this, you’ll need the workflow below 👇.
Your workflow will need a service account that has the following rights:
  - Eventarc Event Receiver: event receiver.
  - Secret Manager Secret Accessor: with this role we can access the environment variable GOOGLE_CHAT_WEBHOOK_URL.
Thanks to you for reading and to my mentor Guillaume Blaquiere for the advice.