Manage Chat Notifications for Cloud Build pipeline executions
It is possible to set up notifications for every Cloud Build pipeline execution and deliver them to Google Chat. Do you know how?
The Google Chat notifier used here was still in a pre-GA phase at the time this article was published.
What is a Cloud Build Service?
Cloud Build is a service that executes your builds on Google Cloud. Cloud Build can import source code from a variety of repositories or cloud storage spaces, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives.
Architecture Overview:
Pre-requisites:
01. Enable the below list of APIs in a GCP project
Cloud Build
Secret Manager
Compute Engine
Cloud Run
Pub/Sub
02. Open Google Chat and create a Space.
Once the Chat space exists, create an incoming webhook for it. Follow the link below for the instructions.
https://developers.google.com/chat/how-tos/webhooks
03. IAM permissions
a) Grant the Secret Manager Secret Accessor role to the default Compute Engine service account (the Cloud Run service runs as this account and reads the webhook URL from Secret Manager).
gcloud projects add-iam-policy-binding <PROJECT_NUMBER> \
    --member=serviceAccount:<PROJECT_NUMBER>-compute@developer.gserviceaccount.com \
    --role=roles/secretmanager.secretAccessor
b) Grant the Service Account Token Creator role to the Pub/Sub service agent, so it can mint the identity token used for authenticated push delivery. Replace the project number and execute the below.
gcloud projects add-iam-policy-binding <PROJECT_NUMBER> \
    --member=serviceAccount:service-<PROJECT_NUMBER>@gcp-sa-pubsub.iam.gserviceaccount.com \
    --role=roles/iam.serviceAccountTokenCreator
c) Create a service account that Pub/Sub will use to invoke the Cloud Run service.
gcloud iam service-accounts create cloud-run-pubsub-invoker \
    --display-name "Cloud Run Pub/Sub Invoker"
d) Grant the Cloud Run Invoker role to the service account created above. Execute this only after the Cloud Run service exists: scroll down to Steps 1 to 4, and come back here once the Cloud Run service is deployed.
gcloud run services add-iam-policy-binding <CLOUD_RUN_SERVICE_NAME> \
    --member=serviceAccount:cloud-run-pubsub-invoker@<PROJECT_ID>.iam.gserviceaccount.com \
    --role=roles/run.invoker
Step 1: Store the webhook URL in Secret Manager. Open the Secret Manager page, click CREATE SECRET, enter a name for your secret and, under SECRET VALUE, paste the webhook URL.
Step 2: Create a Cloud Storage bucket to store the Chat notifier Config
gsutil mb gs://<BUCKET_NAME>
Chat notifier config below:
apiVersion: cloud-build-notifiers/v1
kind: GoogleChatNotifier
metadata:
  name: example-googlechat-notifier
spec:
  notification:
    filter: build.status == Build.Status.SUCCESS
    delivery:
      webhookUrl:
        secretRef: webhook-url
  secrets:
  - name: webhook-url
    value: projects/<PROJECT_NUMBER>/secrets/<SECRET_NAME>/versions/latest
Note: SECRET_NAME is the name of the secret where you stored the webhook URL
Step 3: Copy/upload the Chat Notifier config to the previously created bucket.
gsutil cp config-file-name.txt gs://<BUCKET_NAME>/config-file-name.txt
Step 4: Create the Cloud Run service
Replace SERVICE_NAME, GCS_BUCKET_FILE_PATH (the gs:// path of the config uploaded in Step 3) and PROJECT_NUMBER, then execute the below.
gcloud run deploy <SERVICE_NAME> \
--image=us-east1-docker.pkg.dev/gcb-release/cloud-build-notifiers/googlechat:latest \
--no-allow-unauthenticated \
--update-env-vars=CONFIG_PATH=<GCS_BUCKET_FILE_PATH>,PROJECT_ID=<PROJECT_NUMBER>
Note: if prompted during deployment, also select a region for the Cloud Run service.
Step 5: Create the Pub/Sub topic. By default, Cloud Build publishes its build state changes to a Pub/Sub topic called cloud-builds. To read more, refer to the link below: https://cloud.google.com/build/docs/subscribe-build-notifications
gcloud pubsub topics create cloud-builds
Note: Do not change the topic name; keep the default cloud-builds.
Step 6: Create a push subscription to the previously created Pub/Sub topic, authenticated as the invoker service account from pre-requisite 03 c).
gcloud pubsub subscriptions create <SUBSCRIPTION_NAME> \
    --topic=cloud-builds \
    --push-endpoint=<CLOUD_RUN_SERVICE_URL> \
    --push-auth-service-account=cloud-run-pubsub-invoker@<PROJECT_ID>.iam.gserviceaccount.com
Step 7: Set up a Cloud Build trigger. Open the Cloud Build Triggers page and click CREATE TRIGGER. Give the trigger a name, under Event select "Push to a branch", and under Source select the repository and the branch. Finally, select the Compute Engine default service account and click Submit. From then on, any commit or push to the repository will trigger the Cloud Build.
Step 8: Add the cloudbuild.yaml to the repository.
Step 9: The Cloud Build trigger fires because we pushed to the repository (the cloudbuild.yaml file). After a couple of minutes you can observe that the pipeline succeeded; the screenshot below is for reference.
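To make the flow above concrete, here is an added Python example (not code from this article or from the Cloud Build notifier project) that constructs a sample Pub/Sub push envelope of the kind the cloud-builds subscription delivers to the Cloud Run endpoint, applies a status filter equivalent to the config's build.status == Build.Status.SUCCESS (plus a broader set that also reports failed builds), and builds the plain-text body the Chat webhook accepts. The envelope layout, the TRIGGER_NAME substitution and the placeholder subscription path are assumptions; the sample builds are constructed.

```python
import base64
import json

# Status names as they appear in Cloud Build's Build.Status enum; the notifier's
# CEL filter compares against the same names (build.status == Build.Status.SUCCESS).
SUCCESS_ONLY = {"SUCCESS"}
# Assumed broader policy: also report builds that failed, timed out or hit an internal error.
FAILURES_TOO = {"SUCCESS", "FAILURE", "TIMEOUT", "INTERNAL_ERROR"}


def make_push_envelope(build: dict) -> dict:
    """Constructed sample of what a Pub/Sub push subscription POSTs to the endpoint:
    the Build resource is JSON, base64-encoded into message.data (assumed layout)."""
    data = base64.b64encode(json.dumps(build).encode()).decode()
    return {
        "message": {
            "data": data,
            "attributes": {"buildId": build["id"], "status": build["status"]},
            "messageId": "1",
        },
        "subscription": "projects/<PROJECT_ID>/subscriptions/<SUBSCRIPTION_NAME>",
    }


def decode_build(envelope: dict) -> dict:
    """Reverse the encoding above and return the Build resource as a dict."""
    return json.loads(base64.b64decode(envelope["message"]["data"]))


def should_notify(build: dict, wanted: set) -> bool:
    """Equivalent of the config's status filter. Cloud Build publishes a message for
    every state change (QUEUED, WORKING, ...), so without a filter every transition
    would be posted to the chat space."""
    return build.get("status") in wanted


def chat_payload(build: dict) -> dict:
    """Plain-text message in the shape a Google Chat incoming webhook accepts.
    TRIGGER_NAME is a Cloud Build substitution; 'manual' is our fallback (assumed)."""
    trigger = build.get("substitutions", {}).get("TRIGGER_NAME", "manual")
    return {"text": f"Cloud Build {build['id']} ({trigger}) finished with "
                    f"{build['status']}: {build.get('logUrl', '')}"}


def process(envelope: dict, wanted: set):
    """Return the Chat payload to send, or None when the filter drops the message."""
    build = decode_build(envelope)
    if not should_notify(build, wanted):
        return None
    return chat_payload(build)
```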
In this article I have shown how to get notified when a pipeline succeeds; the filter can also be configured to match other build states. Refer to the link below:
FAQs
1. Where can I find the project ID and project number in GCP?
Ans. In the Google Cloud console, select any project; both the project ID and the project number are shown on its home page, as in the screenshot below.
2. Where to find the Cloud Run service URL?
Ans. Select the deployed Cloud Run service; the service URL is shown on its service details page.
3. What are all the different cloud build chat notifiers available?
Ans. Please refer to the link below:
https://console.cloud.google.com/artifacts/docker/gcb-release/us-east1/cloud-build-notifiers