vpc-sample/tests.cloudbuild.yaml (101 lines of code) (raw):
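steps:
# Deploys the HTTP function that the Cloud Run service calls through the VPC
# connector. Two flags carry the access model this file tests:
#   --no-allow-unauthenticated        callers need an IAM-authorized identity
#   --ingress-settings=internal-only  requests from outside the VPC are refused
# No --region is passed here, while the URLs used in later steps are built
# from ${_SERVICE_REGION}; keep the two aligned if that substitution is
# overridden.
- id: Deploy Restricted Function
  # Tagged like the other cloud-sdk steps so a single substitution selects the
  # SDK version for the whole build (the original line carried no tag).
  name: "gcr.io/google.com/cloudsdktool/cloud-sdk:$_CLOUDSDK_VERSION"
  entrypoint: gcloud
  dir: "${_SAMPLE_DIR}"
  args:
  - "functions"
  - "deploy"
  # Name is unique per commit; the teardown step deletes by the same name.
  - "restricted-${SHORT_SHA}"
  - "--runtime=python311"
  - "--trigger-http"
  - "--no-allow-unauthenticated"
  - "--ingress-settings=internal-only"
  - "--entry-point=hello_world"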
# Builds the Cloud Run service image from the sample directory and tags it
# with the short commit SHA, so each commit gets its own image tag.
# The builder image uses the mutable `latest` tag; pinning it to a fixed tag
# or digest makes the build environment reproducible.
- id: 'Build Allow Container Image'
  name: 'gcr.io/cloud-builders/docker:latest'
  dir: '${_SAMPLE_DIR}'
  args:
  - 'build'
  - '-t'
  - '${_SERVICE_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPO_NAME}/${_SERVICE}:${SHORT_SHA}'
  - '.'
  # "-" means no dependencies: this step starts immediately, in parallel with
  # the function deployment.
  waitFor:
  - '-'
# Pushes the commit-tagged image to Artifact Registry so Cloud Run can pull it.
# The reference must match the tag produced by the build step exactly.
- id: 'Push Container Image'
  name: 'gcr.io/cloud-builders/docker:latest'
  args:
  - 'push'
  - '${_SERVICE_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPO_NAME}/${_SERVICE}:${SHORT_SHA}'
  waitFor:
  - 'Build Allow Container Image'
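# Deploys the Cloud Run service that fronts the restricted function.
#   - The service name carries $BUILD_ID, so each build gets its own service.
#   - --no-allow-unauthenticated: callers must present an authorized identity.
#   - URL env var: address of the ingress-restricted function the service calls.
#   - --vpc-egress / --vpc-connector: outbound traffic leaves through the
#     "samples-connector" VPC connector, which is what lets the service reach
#     an internal-only function. The connector is not created in this file;
#     presumably it exists already in the project.
# `all-traffic` replaces `all`, which gcloud documents as a deprecated alias
# for the same setting.
# The script is a single gcloud command, so its exit status is the step's.
- id: "Deploy to Cloud Run"
  name: "gcr.io/google.com/cloudsdktool/cloud-sdk:$_CLOUDSDK_VERSION"
  entrypoint: /bin/bash
  args:
  - "-c"
  - |
    gcloud run deploy ${_SERVICE}-$BUILD_ID \
      --image ${_SERVICE_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPO_NAME}/${_SERVICE}:${SHORT_SHA} \
      --no-allow-unauthenticated \
      --update-env-vars=URL=https://${_SERVICE_REGION}-$PROJECT_ID.cloudfunctions.net/restricted-${SHORT_SHA} \
      --vpc-egress=all-traffic \
      --vpc-connector=samples-connector \
      --region=${_SERVICE_REGION}
  waitFor: ["Push Container Image"]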
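# Resolves the deployed service URL and mints an ID token, writing both to
# files in the working directory for the test step to read.
# get_url and get_idtoken come from the sourced common.sh, which is not part
# of this file; what they need from the environment is presumably the env
# entries below.
- id: "Get Cloud Run URL"
  name: "gcr.io/google.com/cloudsdktool/cloud-sdk:$_CLOUDSDK_VERSION"
  entrypoint: "/bin/bash"
  args:
  - "-c"
  # Each helper's output is first assigned to a variable. With `set -e`, a
  # failing command substitution in a plain assignment aborts the script,
  # whereas `echo $(helper) > file` always succeeds and would leave a blank
  # file behind. The variables are expanded unquoted so the file contents
  # match what `echo $(...)` produced before.
  # Only the URL is printed; the token goes to _id_token and is never echoed,
  # so it stays out of the build log.
  - |
    set -e
    . /workspace/testing/cloudbuild-templates/common.sh
    service_url=$(get_url ${BUILD_ID})
    echo $service_url > _service_url
    echo "Cloud Run URL for ${_SERVICE}-$BUILD_ID is $(cat _service_url)"
    id_token=$(get_idtoken)
    echo $id_token > _id_token
  env:
  # Make substitutions available in shell script.
  # _SECRET_NAME and _RUNNER_IDENTITY get no default in this file's
  # substitutions block; presumably the trigger supplies them.
  - "_SECRET_NAME=${_SECRET_NAME}"
  - "_RUNNER_IDENTITY=${_RUNNER_IDENTITY}"
  - "_SERVICE=${_SERVICE}"
  - "CLOUDSDK_RUN_REGION=${_SERVICE_REGION}"
  waitFor: ["Deploy to Cloud Run"]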
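# Verifies the access model end to end:
#   1. A direct, authenticated request to the internal-only function from the
#      build worker (outside the VPC) must be answered with 404.
#   2. A request to the Cloud Run service must be answered with 200, which
#      shows the service reached the function through the VPC connector.
# Both checks match the HTTP status line rather than the whole response:
# `curl -i` output also contains headers and body, and a bare grep for "404"
# or "200" can match there and pass the check for the wrong reason.
# In check 2, `--fail` makes curl exit non-zero on HTTP errors; under `set -e`
# the step then stops at the assignment, before the FAILED message is printed.
- id: "Testing: <-- Cloud Run <-- VPC Connector <-- Cloud Function"
  name: "gcr.io/cloud-builders/curl"
  entrypoint: "/bin/bash"
  args:
  - "-c"
  - |
    set -e
    # Ingress-restricted Cloud Function should return 404.
    msg=$(curl -si --show-error -H "Authorization: Bearer $(cat _id_token)" https://${_SERVICE_REGION}-$PROJECT_ID.cloudfunctions.net/restricted-${SHORT_SHA})
    if grep -qE '^HTTP/[0-9.]+ 404' <<< "$msg"; then
      echo "Restricted Function Test: PASSED"
    else
      echo "Restricted Function Test: FAILED"
      echo $msg && exit 1
    fi
    # Attempt to reduce flakiness
    sleep 10
    # Cloud Run service should return "Hello World" from the ingress-restricted Cloud Function via the VPC Connector.
    msg=$(curl -si --fail --show-error -H "Authorization: Bearer $(cat _id_token)" $(cat _service_url))
    if grep -qE '^HTTP/[0-9.]+ 200' <<< "$msg"; then
      echo "VPC Function Test: PASSED"
    else
      echo "VPC Function Test: FAILED"
      echo $msg && exit 1
    fi
  # "Get Cloud Run URL" writes _service_url and _id_token, which this script
  # reads. Without it in waitFor, this step could start while those files were
  # still missing, sending check 1 with an empty bearer token.
  waitFor:
  - "Deploy to Cloud Run"
  - "Get Cloud Run URL"
  - "Deploy Restricted Function"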
# Deletes the per-build Cloud Run service and the per-commit function.
#   - `set -x` traces both delete commands into the build log; neither command
#     carries a credential.
#   - There is no `set -e` and the script ends with an echo, so a failed
#     delete does not fail this step.
#   - The step waits on the test step. When an earlier step fails, Cloud Build
#     stops the build and this step does not run, so the service and function
#     remain deployed until removed by other means.
#   - The image pushed to Artifact Registry is not removed here.
- id: 'Teardown'
  name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:$_CLOUDSDK_VERSION'
  entrypoint: '/bin/bash'
  args:
  - '-c'
  - |
    set -x
    gcloud --quiet run services delete ${_SERVICE}-$BUILD_ID --region ${_SERVICE_REGION}
    gcloud --quiet functions delete restricted-${SHORT_SHA}
    set +x
    echo "View build details in the console: https://console.cloud.google.com/cloud-build/builds/${BUILD_ID}"
  waitFor:
  - 'Testing: <-- Cloud Run <-- VPC Connector <-- Cloud Function'
# Environment variables applied to every step of the build: the Cloud Run
# region for gcloud and the project ID.
options:
  env:
  - 'CLOUDSDK_RUN_REGION=${_SERVICE_REGION}'
  - 'GOOGLE_CLOUD_PROJECT=${PROJECT_ID}'
# Default values for the user-defined substitutions referenced by the steps.
substitutions:
  _SERVICE: 'vpc-sample'
  _SAMPLE_DIR: 'vpc-sample'
  # Region used for the Cloud Run service, the Artifact Registry host and the
  # function URL.
  _SERVICE_REGION: 'us-central1'
  # Artifact Registry repository; "samples" was created manually, not by this
  # build.
  _REPO_NAME: 'samples'
  # `latest` is a mutable tag, so the SDK version can differ between builds;
  # set a fixed version here for reproducible runs.
  _CLOUDSDK_VERSION: 'latest'