Workflows to notify developers via email when there is an update to Cloud Run services. - Part 1
This article is part of a series of articles dedicated to setting up a development and production environment on Google Cloud for Cloud Run. For more information, see the other articles in the series.
Let's move on to the configuration of our system.
Enable the APIs of all necessary services
gcloud services enable run.googleapis.com
gcloud services enable eventarc.googleapis.com
gcloud services enable logging.googleapis.com
gcloud services enable workflows.googleapis.com
gcloud services enable artifactregistry.googleapis.com
gcloud services enable secretmanager.googleapis.com
Create a test Cloud Run service
We will deploy a Cloud Run service with the hello image us-docker.pkg.dev/cloudrun/container/hello
Leave the rest of the settings as default.
Deploy the code that will trigger workflows on Cloud Run
We will first retrieve the code from GitHub.
Let's see how some of our code works.
source = event_request.headers.get("ce-subject")
: retrieves the source of the event (for example: run.googleapis.com/namespaces/my-project/services/service-name).
tab_element_source = source.split("/")
: splits the resulting string into a list.
workflows_argument = {"serviceName": tab_element_source[-1]}
: passes the name of the Cloud Run service that triggered Eventarc to Workflows as an argument.
execution_client.create_execution(parent=parent, execution=execution)
: runs our workflow.
For more information on the CloudEvents format, see the CloudEvents specification.
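The handler above turns a request header straight into a workflow argument. As an added example (not the article's code, nor the code from the GitHub repository it points to), the following Python models the same Eventarc-to-Workflows handoff but validates the CloudEvent attributes first: it checks that ce-type is the audit-log event type the trigger subscribes to, that ce-subject has the run.googleapis.com/namespaces/PROJECT/services/SERVICE shape shown above, and that the project in the subject is the project we expect. The event type "google.cloud.audit.log.v1.written", the character rules encoded in the regex, the import layout of the google-cloud-workflows client, the env-var fallback values and the sample headers are all assumptions or constructed values.

```python
import json
import logging
import os
import re
from typing import Callable, Mapping, Tuple

# Eventarc delivers CloudEvents in HTTP binary content mode: the event
# attributes arrive as "ce-*" request headers and the audit-log entry as the body.
# Assumption: the Eventarc event type for Cloud Audit Logs triggers.
AUDIT_LOG_EVENT_TYPE = "google.cloud.audit.log.v1.written"

# ce-subject shape from the article:
#   run.googleapis.com/namespaces/PROJECT/services/SERVICE
# Character rules (lowercase letters, digits, hyphens, no leading digit or
# hyphen, no trailing hyphen) are assumed here; Cloud Run enforces its own limits.
SUBJECT_RE = re.compile(
    r"^run\.googleapis\.com/namespaces/(?P<project>[a-z][-a-z0-9]{4,28}[a-z0-9])"
    r"/services/(?P<service>[a-z](?:[-a-z0-9]*[a-z0-9])?)$"
)


class RejectedEvent(ValueError):
    """The request is not the Cloud Run audit-log event this handler subscribed to."""


def parse_cloud_run_subject(subject: str) -> Tuple[str, str]:
    """Return (project, service) from a ce-subject header, or raise RejectedEvent."""
    match = SUBJECT_RE.match(subject or "")
    if not match:
        raise RejectedEvent(f"unexpected ce-subject: {subject!r}")
    return match.group("project"), match.group("service")


def build_workflow_argument(headers: Mapping[str, str], expected_project: str) -> dict:
    """Validate the CloudEvent attributes and build the argument passed to Workflows."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("ce-type") != AUDIT_LOG_EVENT_TYPE:
        raise RejectedEvent(f"unexpected ce-type: {lowered.get('ce-type')!r}")
    project, service = parse_cloud_run_subject(lowered.get("ce-subject", ""))
    # Refuse events that name another project, even if a trigger is misconfigured.
    if project != expected_project:
        raise RejectedEvent(f"event for project {project!r}, expected {expected_project!r}")
    return {"serviceName": service}


def start_workflow(argument: dict, project: str, location: str, workflow: str):
    """Launch the workflow with the google-cloud-workflows client (needs credentials).

    Not exercised offline; the client's import layout is an assumption.
    """
    from google.cloud.workflows import executions_v1

    client = executions_v1.ExecutionsClient()
    parent = client.workflow_path(project, location, workflow)
    execution = executions_v1.Execution(argument=json.dumps(argument))
    return client.create_execution(parent=parent, execution=execution)


def handle_event(
    headers: Mapping[str, str],
    expected_project: str,
    launch: Callable[[dict], object],
) -> Tuple[int, str]:
    """HTTP-handler logic: returns (status, body) the way a Flask route would."""
    try:
        argument = build_workflow_argument(headers, expected_project)
    except RejectedEvent as exc:
        # The Pub/Sub push transport behind Eventarc redelivers on non-2xx, so an
        # event we do not want is logged and acknowledged rather than bounced.
        logging.warning("ignored event: %s", exc)
        return 200, f"ignored: {exc}"
    launch(argument)
    return 200, f"workflow started for {argument['serviceName']}"


# Constructed sample request, modelled on the header value quoted in the article.
SAMPLE_HEADERS = {
    "Ce-Id": "evt-0001",
    "Ce-Type": AUDIT_LOG_EVENT_TYPE,
    "Ce-Subject": "run.googleapis.com/namespaces/my-project/services/service-name",
}

if __name__ == "__main__":
    project = os.environ.get("GOOGLE_CLOUD_PROJECT", "my-project")
    location = os.environ.get("WORKFLOW_LOCATION", "us-central1")
    workflow = os.environ.get("WORKFLOW_NAME", "notify-developers")
    # Swap the recorder for the real launcher once credentials are available:
    #   launch = lambda arg: start_workflow(arg, project, location, workflow)
    launched = []
    status, body = handle_event(SAMPLE_HEADERS, project, launched.append)
    print(status, body, launched)
```

The launcher is injected so the validation path can be exercised without Google credentials; in the deployed service the same handler runs behind Cloud Run's IAM check, which is what keeps anyone other than the Eventarc service account from reaching it at all.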
Once we have retrieved the code, we will:
- Create a docker image or use my image us-central1-docker.pkg.dev/myfreestyle/public/cloudrun-workflows:v1
- Push the docker image to Artifact Registry.
- Create a service account with the role Workflows Invoker.
- Deploy the docker image on Cloud Run with the previously created service account (don't forget to set the environment variables GOOGLE_CLOUD_PROJECT, WORKFLOW_LOCATION, WORKFLOW_NAME).
NB: WORKFLOW_LOCATION is the location of your workflow.
Enable Cloud Audit Logs
To receive events from a service, you must enable Cloud Audit Logs.
In Cloud Console, select IAM & Admin followed by Audit Logs in the top left menu. In the list of services, check Cloud Run Admin API. Select Data Write. Click SAVE to save your selection.
Configure service accounts for Eventarc
Cloud Pub/Sub will need the roles/iam.serviceAccountTokenCreator role granted to the service account service-Project_Number@gcp-sa-pubsub.iam.gserviceaccount.com to create identity tokens.
To access it, select IAM & Admin followed by IAM in the top left menu. Then check the box Include Google-provided role grants.
We will create a service account that we will call eventarc notif mail which will have the role roles/eventarc.eventReceiver.
Create an Eventarc trigger
Now let's proceed to the configuration of our Eventarc trigger with the service account eventarc notif mail.
NB: Eventarc must be in the same region as the Cloud Run service that triggers our workflow.
Configure service accounts for Workflows
To use Workflows, we will need a workflow-push-mail service account which will have the following roles:
Cloud Run Viewer: this will allow us to retrieve the information related to the Cloud Run service that triggered Eventarc.
Secret Manager Secret Accessor: with this role we can access the environment variable SENDGRID_API_KEY.
To register the variable SENDGRID_API_KEY in Secret Manager, select Security followed by Secret Manager in the top left menu. Then click on CREATE SECRET and enter the name of your variable and the value of the secret.
In the following workflow, we will retrieve the information of the Cloud Run service that triggered the event. Then, we will extract the URL of the Cloud Run service, which will be sent to the developer by email.
It's time to test our configuration. To do so, you just have to update the hello service we have deployed (for example, change the maximum number of requests per container) and you will receive an email.
For sending mail from the workflow, I used Guillaume Laforge's article.
NB: cloud_run_location is the region of the Cloud Run service.
As you can see, here we just grabbed the Cloud Run service URL. You can retrieve other information about the Cloud Run service; it all depends on your goals.
In addition, you can use a function (Cloud Functions) to send emails. You will just have to call your function and pass it the information of the Cloud Run service. If you are interested, here is an article that will help you.
NB: if you have multiple Cloud Run services in different regions, you must have multiple workflows, simply because the region of the Cloud Run service is required for the get_cloud_run_details step.
In the following article, we will see how to improve our architecture by removing the Cloud Run service that triggers workflows. This way Eventarc will be able to directly trigger a workflow that will retrieve all the information related to the trigger including its region.
Thank you for reading, and thanks to my mentor Guillaume Blaquiere for the advice.