Tools for automating Cloud Run tasks from your machine, Cloud Build, or GitHub Actions.
Runs gcloud run deploy with a dedicated service account, and sets the CI/CD details on the service if the BUILD_ID env var is set (which it is on Cloud Build).
Required APIs
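Required Roles
The credential that runs this tool needs the roles below. Security Admin can change IAM policy and Service Account Admin can manage service accounts, so grant them to a dedicated deployer identity rather than a shared one.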
Name | Role |
---|---|
Security Admin | roles/iam.securityAdmin |
Service Account Admin | roles/iam.serviceAccountAdmin |
Service Account User | roles/iam.serviceAccountUser |
Cloud Run Admin | roles/run.admin |
Run Locally
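# Inputs for the deploy entrypoint; replace each placeholder before running.
export PROJECT_ID=YOUR_PROJECT_ID
export IMAGE_NAME=YOUR_GCR_IMAGE_NAME # gcr.io/YOUR_PROJECT/IMAGE_NAME
export IMAGE_VERSION=OPTIONAL_IMAGE_VERSION
export REGION=us-central1 # or whatever region you want
export DEPLOY_OPTS=OPTIONAL_DEPLOY_OPTIONS
export ROLES=OPTIONAL_ROLES_COMMA_SEPARATED
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON

# Every expansion is quoted so a value containing spaces (several deploy
# options, for example) stays one variable instead of becoming extra docker
# arguments. The key file is mounted read-only; it is only read via
# CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e IMAGE_NAME="$IMAGE_NAME" \
  -e IMAGE_VERSION="$IMAGE_VERSION" \
  -e REGION="$REGION" \
  -e DEPLOY_OPTS="$DEPLOY_OPTS" \
  -e ROLES="$ROLES" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=deploy \
  ghcr.io/jamesward/easycloudrun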
Cloud Build
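steps:
  # The image reference has no tag or digest, so each build pulls whatever is
  # current. Pinning by digest (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>)
  # fixes the code that runs with the build's service account.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: deploy
    env:
      - 'PROJECT_ID=$PROJECT_ID'
      - 'BUILD_ID=$BUILD_ID'
      - 'COMMIT_SHA=$COMMIT_SHA'
      - 'IMAGE_NAME=$REPO_NAME'
      - 'IMAGE_VERSION=$COMMIT_SHA'
      - 'REGION=YOUR_REGION'
      - 'DEPLOY_OPTS=OPTIONAL_DEPLOY_OPTIONS'
      - 'ROLES=OPTIONAL_ROLES_COMMA_SEPARATED'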
GitHub Actions
Set up GitHub Actions secrets: GCP_PROJECT, GCP_REGION, GCP_CREDENTIALS (the JSON for a service account with the required roles)
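steps:
  # service_account_key is a long-lived JSON key: store it only as an
  # encrypted secret and rotate it. google-github-actions/auth with Workload
  # Identity Federation avoids keeping a key at all.
  - name: Setup gcloud
    uses: google-github-actions/setup-gcloud@v0.2
    with:
      project_id: ${{ secrets.GCP_PROJECT }}
      service_account_key: ${{ secrets.GCP_CREDENTIALS }}
      export_default_credentials: true
  # @main is a mutable ref. Pinning to a full commit SHA
  # (jamesward/easycloudrun/deploy@<FULL_COMMIT_SHA>) keeps the action that
  # runs with the exported credentials from changing without review.
  - name: Deploy
    uses: jamesward/easycloudrun/deploy@main
    env:
      PROJECT_ID: ${{ secrets.GCP_PROJECT }}
      COMMIT_SHA: ${{ github.sha }}
      IMAGE_NAME: ${{ github.event.repository.name }}
      IMAGE_VERSION: ${{ github.sha }}
      REGION: ${{ secrets.GCP_REGION }}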
Sets a generated env var in the .env file if the Cloud Run service does not already have one
Required APIs
Required Roles
Name | Role |
---|---|
Cloud Run Admin | roles/run.admin |
Run Locally
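# Inputs for the appsecret entrypoint; replace each placeholder before running.
export PROJECT_ID=YOUR_PROJECT_ID
export IMAGE_NAME=YOUR_GCR_IMAGE_NAME # gcr.io/YOUR_PROJECT/IMAGE_NAME
export ENV_NAME=YOUR_SECRETS_ENV_NAME
export REGION=YOUR_REGION
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON
# todo: need a way to read the env file out

# Expansions are quoted so each value is passed as a single argument, and the
# key file is mounted read-only.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e IMAGE_NAME="$IMAGE_NAME" \
  -e ENV_NAME="$ENV_NAME" \
  -e REGION="$REGION" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=appsecret \
  ghcr.io/jamesward/easycloudrun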
Cloud Build
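steps:
  # Unpinned image: pin by digest
  # (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>) so the step that runs
  # with the build's service account is a known artifact.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: appsecret
    env:
      - 'PROJECT_ID=$PROJECT_ID'
      - 'IMAGE_NAME=$REPO_NAME'
      - 'ENV_NAME=YOUR_ENV_NAME'
      - 'REGION=YOUR_REGION'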
GitHub Actions
TODO
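Like deploy, but automatically adds --update-env-vars for everything in a .env file. Values set this way are stored in the service configuration as plain environment variables, so they are readable by anyone who can view the service.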
Required APIs
Required Roles
Name | Role |
---|---|
Security Admin | roles/iam.securityAdmin |
Service Account Admin | roles/iam.serviceAccountAdmin |
Cloud Run Admin | roles/run.admin |
Service Account User | roles/iam.serviceAccountUser |
Run Locally
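# Inputs for the deploywithenvs entrypoint; replace each placeholder first.
export PROJECT_ID=YOUR_PROJECT_ID
export IMAGE_NAME=YOUR_GCR_IMAGE_NAME # gcr.io/YOUR_PROJECT/IMAGE_NAME
export IMAGE_VERSION=OPTIONAL_IMAGE_VERSION
export REGION=us-central1 # or whatever region you want
export DEPLOY_OPTS=OPTIONAL_DEPLOY_OPTIONS
export ROLES=OPTIONAL_ROLES_COMMA_SEPARATED
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON

# Quoted expansions keep values with spaces (such as multiple deploy options)
# from being split into separate docker arguments; the key is mounted
# read-only.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e IMAGE_NAME="$IMAGE_NAME" \
  -e IMAGE_VERSION="$IMAGE_VERSION" \
  -e REGION="$REGION" \
  -e DEPLOY_OPTS="$DEPLOY_OPTS" \
  -e ROLES="$ROLES" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=deploywithenvs \
  ghcr.io/jamesward/easycloudrun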
Cloud Build
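steps:
  # Unpinned image: pin by digest
  # (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>) so the step that runs
  # with the build's service account is a known artifact.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: deploywithenvs
    env:
      - 'PROJECT_ID=$PROJECT_ID'
      - 'BUILD_ID=$BUILD_ID'
      - 'COMMIT_SHA=$COMMIT_SHA'
      - 'IMAGE_NAME=$REPO_NAME'
      - 'IMAGE_VERSION=$COMMIT_SHA'
      - 'REGION=YOUR_REGION'
      - 'DEPLOY_OPTS=OPTIONAL_DEPLOY_OPTIONS'
      - 'ROLES=OPTIONAL_ROLES_COMMA_SEPARATED'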
GitHub Actions
TODO
Deploy a service to all available regions and set up a GCLB in front
Required APIs
Required Roles
Name | Role |
---|---|
Security Admin | roles/iam.securityAdmin |
Service Account Admin | roles/iam.serviceAccountAdmin |
Cloud Run Admin | roles/run.admin |
Compute Network Admin | roles/compute.networkAdmin |
Compute Instance Admin | roles/compute.instanceAdmin.v1 |
Service Account User | roles/iam.serviceAccountUser |
Run Locally
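# Inputs for the multiregion entrypoint; replace each placeholder first.
export PROJECT_ID=YOUR_PROJECT_ID
export IMAGE_NAME=YOUR_GCR_IMAGE_NAME # gcr.io/YOUR_PROJECT/IMAGE_NAME
export IMAGE_VERSION=OPTIONAL_IMAGE_VERSION
export DEPLOY_OPTS=OPTIONAL_DEPLOY_OPTIONS
export ROLES=OPTIONAL_ROLES_COMMA_SEPARATED
export DOMAINS=YOUR_DOMAIN
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON

# Quoted expansions keep each value a single argument; the key file is
# mounted read-only.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e IMAGE_NAME="$IMAGE_NAME" \
  -e IMAGE_VERSION="$IMAGE_VERSION" \
  -e DEPLOY_OPTS="$DEPLOY_OPTS" \
  -e ROLES="$ROLES" \
  -e DOMAINS="$DOMAINS" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=multiregion \
  ghcr.io/jamesward/easycloudrun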
Cloud Build
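steps:
  # Unpinned image: pin by digest
  # (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>) so the step that runs
  # with the build's service account is a known artifact.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: multiregion
    env:
      - 'PROJECT_ID=$PROJECT_ID'
      - 'BUILD_ID=$BUILD_ID'
      - 'COMMIT_SHA=$COMMIT_SHA'
      - 'IMAGE_NAME=$REPO_NAME'
      - 'IMAGE_VERSION=$COMMIT_SHA'
      - 'DEPLOY_OPTS=OPTIONAL_DEPLOY_OPTIONS'
      - 'ROLES=OPTIONAL_ROLES_COMMA_SEPARATED'
      - 'DOMAINS=YOUR_DOMAIN'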
GitHub Actions
TODO
Create a Cloud SQL instance in a VPC, deploy a Cloud Run service connected to that database using VPC Egress
Required APIs
Required Roles
Name | Role |
---|---|
Cloud Run Admin | roles/run.admin |
Compute Network Admin | roles/compute.networkAdmin |
Compute Instance Admin | roles/compute.instanceAdmin.v1 |
Cloud SQL Admin | roles/cloudsql.admin |
Service Account User | roles/iam.serviceAccountUser |
Service Account Admin | roles/iam.serviceAccountAdmin |
Serverless VPC Access Admin | roles/vpcaccess.admin |
Security Admin | roles/iam.securityAdmin |
Run Locally
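# Inputs for the vpcegresssql entrypoint; replace each placeholder first.
export PROJECT_ID=YOUR_PROJECT_ID
export IMAGE_NAME=YOUR_GCR_IMAGE_NAME # gcr.io/YOUR_PROJECT/IMAGE_NAME
export REGION=YOUR_REGION
export DB_VERSION=YOUR_DB_VERSION # like: POSTGRES_13
export DB_TIER=YOUR_DB_TIER # like: db-f1-micro
export DB_INIT_ARGS=OPTIONAL_CONTAINER_ARGS_FOR_DB_INIT
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON

# DB_INIT_ARGS may hold several space-separated arguments, so every expansion
# is quoted to reach the container intact; the key file is mounted read-only.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e IMAGE_NAME="$IMAGE_NAME" \
  -e REGION="$REGION" \
  -e DB_VERSION="$DB_VERSION" \
  -e DB_TIER="$DB_TIER" \
  -e DB_INIT_ARGS="$DB_INIT_ARGS" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=vpcegresssql \
  ghcr.io/jamesward/easycloudrun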
Cloud Build
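steps:
  # Unpinned image: pin by digest
  # (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>) so the step that runs
  # with the build's service account is a known artifact.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: vpcegresssql
    env:
      - 'PROJECT_ID=$PROJECT_ID'
      - 'BUILD_ID=$BUILD_ID'
      - 'COMMIT_SHA=$COMMIT_SHA'
      - 'IMAGE_NAME=$REPO_NAME'
      - 'IMAGE_VERSION=$COMMIT_SHA'
      # The deployed service's account gets only the Cloud SQL client role.
      - 'ROLES=roles/cloudsql.client'
      - 'REGION=YOUR_REGION'
      - 'DB_VERSION=YOUR_DB_VERSION'
      - 'DB_TIER=YOUR_DB_TIER'
      - 'DB_INIT_ARGS=OPTIONAL_CONTAINER_ARGS_FOR_DB_INIT'
# NOTE(review): the listing lost its indentation; timeout is placed at build
# level here - confirm against the project's own example.
timeout: 30m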
GitHub Actions
Set up GitHub Actions secrets: GCP_PROJECT, GCP_REGION, GCP_CREDENTIALS (the JSON for a service account with the required roles)
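steps:
  # service_account_key is a long-lived JSON key: store it only as an
  # encrypted secret and rotate it. google-github-actions/auth with Workload
  # Identity Federation avoids keeping a key at all.
  - name: Setup gcloud
    uses: google-github-actions/setup-gcloud@v0.2
    with:
      project_id: ${{ secrets.GCP_PROJECT }}
      service_account_key: ${{ secrets.GCP_CREDENTIALS }}
      export_default_credentials: true
  # @main is a mutable ref. Pinning to a full commit SHA
  # (jamesward/easycloudrun/vpcegresssql@<FULL_COMMIT_SHA>) keeps the action
  # that runs with the exported credentials from changing without review.
  - name: Deploy
    uses: jamesward/easycloudrun/vpcegresssql@main
    env:
      PROJECT_ID: ${{ secrets.GCP_PROJECT }}
      COMMIT_SHA: ${{ github.sha }}
      IMAGE_NAME: ${{ github.event.repository.name }}
      IMAGE_VERSION: ${{ github.sha }}
      REGION: ${{ secrets.GCP_REGION }}
      DB_VERSION: YOUR_DB_VERSION
      DB_TIER: YOUR_DB_TIER
      DB_INIT_ARGS: OPTIONAL_CONTAINER_ARGS_FOR_DB_INIT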
Create a Cloud SQL instance in a VPC, deploy a Cloud Run service connected to that database
Required APIs
Required Roles
Name | Role |
---|---|
Cloud Run Admin | roles/run.admin |
Compute Network Admin | roles/compute.networkAdmin |
Compute Instance Admin | roles/compute.instanceAdmin.v1 |
Cloud SQL Admin | roles/cloudsql.admin |
Service Account User | roles/iam.serviceAccountUser |
Service Account Admin | roles/iam.serviceAccountAdmin |
Serverless VPC Access Admin | roles/vpcaccess.admin |
Security Admin | roles/iam.securityAdmin |
Run Locally
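# Inputs for the vpcsql entrypoint; replace each placeholder before running.
export PROJECT_ID=YOUR_PROJECT_ID
export IMAGE_NAME=YOUR_GCR_IMAGE_NAME # gcr.io/YOUR_PROJECT/IMAGE_NAME
export REGION=YOUR_REGION
export DB_VERSION=YOUR_DB_VERSION # like: POSTGRES_13
export DB_TIER=YOUR_DB_TIER # like: db-f1-micro
export DB_INIT_ARGS=OPTIONAL_CONTAINER_ARGS_FOR_DB_INIT
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON

# DB_INIT_ARGS may hold several space-separated arguments, so every expansion
# is quoted to reach the container intact; the key file is mounted read-only.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e IMAGE_NAME="$IMAGE_NAME" \
  -e REGION="$REGION" \
  -e DB_VERSION="$DB_VERSION" \
  -e DB_TIER="$DB_TIER" \
  -e DB_INIT_ARGS="$DB_INIT_ARGS" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=vpcsql \
  ghcr.io/jamesward/easycloudrun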
Cloud Build
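steps:
  # Unpinned image: pin by digest
  # (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>) so the step that runs
  # with the build's service account is a known artifact.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: vpcsql
    env:
      - 'PROJECT_ID=$PROJECT_ID'
      - 'BUILD_ID=$BUILD_ID'
      - 'COMMIT_SHA=$COMMIT_SHA'
      - 'IMAGE_NAME=$REPO_NAME'
      - 'IMAGE_VERSION=$COMMIT_SHA'
      # The deployed service's account gets only the Cloud SQL client role.
      - 'ROLES=roles/cloudsql.client'
      - 'REGION=YOUR_REGION'
      - 'DB_VERSION=YOUR_DB_VERSION'
      - 'DB_TIER=YOUR_DB_TIER'
      - 'DB_INIT_ARGS=OPTIONAL_CONTAINER_ARGS_FOR_DB_INIT'
# NOTE(review): the listing lost its indentation; timeout is placed at build
# level here - confirm against the project's own example.
timeout: 30m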
GitHub Actions
Set up GitHub Actions secrets: GCP_PROJECT, GCP_REGION, GCP_CREDENTIALS (the JSON for a service account with the required roles)
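steps:
  # service_account_key is a long-lived JSON key: store it only as an
  # encrypted secret and rotate it. google-github-actions/auth with Workload
  # Identity Federation avoids keeping a key at all.
  - name: Setup gcloud
    uses: google-github-actions/setup-gcloud@v0.2
    with:
      project_id: ${{ secrets.GCP_PROJECT }}
      service_account_key: ${{ secrets.GCP_CREDENTIALS }}
      export_default_credentials: true
  # @main is a mutable ref. Pinning to a full commit SHA
  # (jamesward/easycloudrun/vpcsql@<FULL_COMMIT_SHA>) keeps the action that
  # runs with the exported credentials from changing without review.
  - name: Deploy
    uses: jamesward/easycloudrun/vpcsql@main
    env:
      PROJECT_ID: ${{ secrets.GCP_PROJECT }}
      COMMIT_SHA: ${{ github.sha }}
      IMAGE_NAME: ${{ github.event.repository.name }}
      IMAGE_VERSION: ${{ github.sha }}
      REGION: ${{ secrets.GCP_REGION }}
      DB_VERSION: YOUR_DB_VERSION
      DB_TIER: YOUR_DB_TIER
      DB_INIT_ARGS: OPTIONAL_CONTAINER_ARGS_FOR_DB_INIT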
Set up a load balancer where / is static and /something is backed by a Cloud Run service
Required Roles
Name | Role |
---|---|
Compute Network Admin | roles/compute.networkAdmin |
Compute Load Balancer Admin | roles/compute.loadBalancerAdmin |
Service Account User | roles/iam.serviceAccountUser |
Cloud Run Admin | roles/run.admin |
Run Locally
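# Inputs for the staticandapi entrypoint; replace each placeholder first.
export PROJECT_ID=YOUR_PROJECT_ID
export IMAGE_NAME=YOUR_GCR_IMAGE_NAME # gcr.io/YOUR_PROJECT/IMAGE_NAME
export REGION=YOUR_REGION
export DOMAINS=YOUR_DOMAINS
export FILE_PATH=YOUR_FILE_PATH
export API_PATH=YOUR_API_PATH # Defaults to /api
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON

# Paths and domain lists are quoted so spaces or glob characters in them are
# not expanded by the shell; the key file is mounted read-only.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e IMAGE_NAME="$IMAGE_NAME" \
  -e REGION="$REGION" \
  -e DOMAINS="$DOMAINS" \
  -e FILE_PATH="$FILE_PATH" \
  -e API_PATH="$API_PATH" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=staticandapi \
  ghcr.io/jamesward/easycloudrun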
Cloud Build
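steps:
  # Unpinned image: pin by digest
  # (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>) so the step that runs
  # with the build's service account is a known artifact.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: staticandapi
    env:
      - 'PROJECT_ID=$PROJECT_ID'
      - 'IMAGE_NAME=$REPO_NAME'
      - 'REGION=YOUR_REGION'
      - 'DOMAINS=YOUR_DOMAINS'
      - 'FILE_PATH=YOUR_PATH_TO_STATIC_FILES'
      - 'API_PATH=YOUR_PATH_TO_ROUTE_TO_CLOUD_RUN'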
GitHub Actions
Set up GitHub Actions secrets: GCP_PROJECT, GCP_REGION, GCP_CREDENTIALS (the JSON for a service account with the required roles), DOMAINS
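steps:
  # service_account_key is a long-lived JSON key: store it only as an
  # encrypted secret and rotate it. google-github-actions/auth with Workload
  # Identity Federation avoids keeping a key at all.
  - name: Setup gcloud
    uses: google-github-actions/setup-gcloud@v0.2
    with:
      project_id: ${{ secrets.GCP_PROJECT }}
      service_account_key: ${{ secrets.GCP_CREDENTIALS }}
      export_default_credentials: true
  # @main is a mutable ref. Pinning to a full commit SHA
  # (jamesward/easycloudrun/staticandapi@<FULL_COMMIT_SHA>) keeps the action
  # that runs with the exported credentials from changing without review.
  - name: Deploy
    uses: jamesward/easycloudrun/staticandapi@main
    env:
      PROJECT_ID: ${{ secrets.GCP_PROJECT }}
      COMMIT_SHA: ${{ github.sha }}
      IMAGE_NAME: ${{ github.event.repository.name }}
      IMAGE_VERSION: ${{ github.sha }}
      REGION: ${{ secrets.GCP_REGION }}
      DOMAINS: ${{ secrets.DOMAINS }}
      FILE_PATH: YOUR_PATH_TO_STATIC_FILES
      API_PATH: YOUR_PATH_TO_ROUTE_TO_CLOUD_RUN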
Deploys a Cloud Run service which handles Pub/Sub events.
Required Roles
Name | Role |
---|---|
Security Admin | roles/iam.securityAdmin |
Service Account Admin | roles/iam.serviceAccountAdmin |
Service Account User | roles/iam.serviceAccountUser |
Cloud Run Admin | roles/run.admin |
Pub/Sub Editor | roles/pubsub.editor |
Run Locally
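# Inputs for the pubsubhandler entrypoint; replace each placeholder first.
export PROJECT_ID=YOUR_PROJECT_ID
export IMAGE_NAME=YOUR_GCR_IMAGE_NAME # gcr.io/YOUR_PROJECT/IMAGE_NAME
export IMAGE_VERSION=OPTIONAL_IMAGE_VERSION
export REGION=us-central1 # or whatever region you want
export DEPLOY_OPTS=OPTIONAL_DEPLOY_OPTIONS
export ROLES=OPTIONAL_ROLES_COMMA_SEPARATED
export TOPIC=PUBSUB_TOPIC
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON

# Quoted expansions keep values with spaces (such as multiple deploy options)
# from being split into separate docker arguments; the key is mounted
# read-only.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e IMAGE_NAME="$IMAGE_NAME" \
  -e IMAGE_VERSION="$IMAGE_VERSION" \
  -e REGION="$REGION" \
  -e DEPLOY_OPTS="$DEPLOY_OPTS" \
  -e ROLES="$ROLES" \
  -e TOPIC="$TOPIC" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=pubsubhandler \
  ghcr.io/jamesward/easycloudrun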
Cloud Build
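steps:
  # Unpinned image: pin by digest
  # (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>) so the step that runs
  # with the build's service account is a known artifact.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: pubsubhandler
    env:
      - 'PROJECT_ID=$PROJECT_ID'
      - 'BUILD_ID=$BUILD_ID'
      - 'COMMIT_SHA=$COMMIT_SHA'
      - 'IMAGE_NAME=$REPO_NAME'
      - 'IMAGE_VERSION=$COMMIT_SHA'
      - 'REGION=YOUR_REGION'
      - 'DEPLOY_OPTS=OPTIONAL_DEPLOY_OPTIONS'
      - 'ROLES=OPTIONAL_ROLES_COMMA_SEPARATED'
      - 'TOPIC=PUBSUB_TOPIC'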
GitHub Actions
Set up GitHub Actions secrets: GCP_PROJECT, GCP_REGION, GCP_CREDENTIALS (the JSON for a service account with the required roles), PUBSUB_TOPIC
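steps:
  # service_account_key is a long-lived JSON key: store it only as an
  # encrypted secret and rotate it. google-github-actions/auth with Workload
  # Identity Federation avoids keeping a key at all.
  - name: Setup gcloud
    uses: google-github-actions/setup-gcloud@v0.2
    with:
      project_id: ${{ secrets.GCP_PROJECT }}
      service_account_key: ${{ secrets.GCP_CREDENTIALS }}
      export_default_credentials: true
  # @main is a mutable ref. Pinning to a full commit SHA
  # (jamesward/easycloudrun/pubsubhandler@<FULL_COMMIT_SHA>) keeps the action
  # that runs with the exported credentials from changing without review.
  - name: Deploy
    uses: jamesward/easycloudrun/pubsubhandler@main
    env:
      PROJECT_ID: ${{ secrets.GCP_PROJECT }}
      COMMIT_SHA: ${{ github.sha }}
      IMAGE_NAME: ${{ github.event.repository.name }}
      IMAGE_VERSION: ${{ github.sha }}
      REGION: ${{ secrets.GCP_REGION }}
      TOPIC: ${{ secrets.PUBSUB_TOPIC }}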
Required APIs
Required Roles
Name | Role |
---|---|
Cloud Run Admin | roles/run.admin |
Run Locally
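# Inputs for the listservices entrypoint; replace each placeholder first.
# Absolute host path to a service-account key file (docker -v treats a
# relative name as a volume name); keep the file outside the repository.
export GOOGLE_APPLICATION_CREDENTIALS=YOUR_TEST_CREDS_JSON
export PROJECT_ID=YOUR_PROJECT_ID

# The PROJECT_ID line needs its trailing backslash: without it the command
# ends there, docker run is invoked with no image, and the remaining lines
# run as separate commands. The key file is mounted read-only.
docker run --rm \
  -e PROJECT_ID="$PROJECT_ID" \
  -e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/certs/svc_account.json \
  -v "$GOOGLE_APPLICATION_CREDENTIALS":/certs/svc_account.json:ro \
  --entrypoint=listservices \
  ghcr.io/jamesward/easycloudrun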
Cloud Build
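steps:
  # Unpinned image: pin by digest
  # (ghcr.io/jamesward/easycloudrun@sha256:<DIGEST>) so the step that runs
  # with the build's service account is a known artifact.
  - name: ghcr.io/jamesward/easycloudrun
    entrypoint: listservices
    env:
      - 'PROJECT_ID=$PROJECT_ID'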
GitHub Actions
TODO