Workflows to notify developers via email when there is an update to Cloud Run services. - Part 1

EZEKIAS BOKOVE
5 min read · Apr 7, 2022
Notify developers by email each time there are service updates.

This article is part of a series dedicated to setting up a development and production environment on Google Cloud for Cloud Run. For more information 👇.

Let's move on to the configuration of our system.

Enable the APIs of all necessary services

gcloud services enable run.googleapis.com
gcloud services enable eventarc.googleapis.com
gcloud services enable logging.googleapis.com
gcloud services enable workflows.googleapis.com
gcloud services enable artifactregistry.googleapis.com
gcloud services enable secretmanager.googleapis.com

Create a test Cloud Run service

We will deploy a Cloud Run service with the hello image us-docker.pkg.dev/cloudrun/container/hello

Leave the rest of the settings as default.

Deploy the code that will trigger workflows on Cloud Run

We will first retrieve the code from GitHub.

Let's see how some of our code works.

source = event_request.headers.get('ce-subject') : retrieves the source of the event (example: run.googleapis.com/namespaces/my-project/services/service-name).

tab_element_source = source.split("/") : splits the resulting string into a list.

workflows_argument = {"serviceName": tab_element_source[-1]} : passes the name of the Cloud Run service that triggered Eventarc to Workflows as an argument.

execution_client.create_execution(parent=parent, execution=execution) : runs our workflow.

For more information on the CloudEvents format 👇.
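A stricter version of the header handling walked through above, as an added example that is not part of the article's repository: it validates ce-subject before the service name is handed to Workflows, since split("/")[-1] accepts any string. The function name, the expected_project parameter and the service-name pattern are assumptions.

```python
import json
import re

# Assumption: subject shape taken from the article's example ce-subject value.
SUBJECT_RE = re.compile(
    r"run\.googleapis\.com/namespaces/(?P<project>[^/]+)/services/(?P<service>[^/]+)"
)
# Assumption: conservative service-name pattern (lowercase letters, digits,
# hyphens; starts with a letter; no trailing hyphen; at most 63 characters).
SERVICE_NAME_RE = re.compile(r"[a-z]([a-z0-9-]{0,61}[a-z0-9])?")


class InvalidEvent(ValueError):
    """Raised when the CloudEvent headers do not look like a Cloud Run event."""


def build_workflow_argument(headers, expected_project):
    """Validate ce-subject and return the JSON argument for the workflow."""
    source = headers.get("ce-subject")
    if not source:
        raise InvalidEvent("missing ce-subject header")
    match = SUBJECT_RE.fullmatch(source)
    if match is None:
        raise InvalidEvent("unexpected ce-subject format")
    if match["project"] != expected_project:
        raise InvalidEvent("event comes from another project")
    service = match["service"]
    if SERVICE_NAME_RE.fullmatch(service) is None:
        raise InvalidEvent("invalid Cloud Run service name")
    # Same payload shape as the article: {"serviceName": <last path element>}
    return json.dumps({"serviceName": service})


# Constructed sample headers (not captured from a real event).
SAMPLE_OK = {"ce-subject": "run.googleapis.com/namespaces/my-project/services/hello"}
SAMPLE_BAD = {"ce-subject": "run.googleapis.com/namespaces/my-project/services/hello/../x"}

if __name__ == "__main__":
    print(build_workflow_argument(SAMPLE_OK, "my-project"))
    try:
        build_workflow_argument(SAMPLE_BAD, "my-project")
    except InvalidEvent as exc:
        print("rejected:", exc)
```

In the receiving service, an InvalidEvent would map to a 4xx response and no workflow execution would be created.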

Once we have retrieved the code, we will:

  • Create a Docker image or use my image us-central1-docker.pkg.dev/myfreestyle/public/cloudrun-workflows:v1
  • Push the Docker image to Artifact Registry.
  • Create a service account with the role Workflows Invoker.
  • Deploy the Docker image on Cloud Run with the previously created service account (don't forget to set the environment variables GOOGLE_CLOUD_PROJECT, WORKFLOW_LOCATION, WORKFLOW_NAME).

NB: WORKFLOW_LOCATION is the location of your workflow.

Enable Cloud Audit Logs

To receive events from a service, you must enable Cloud Audit Logs.

In Cloud Console, select IAM & Admin followed by Audit Logs in the top left menu. In the list of services, check Cloud Run Admin API.

Select Data Write. Click SAVE to save your selection.

Configure service accounts for Eventarc

Cloud Pub/Sub will need the roles/iam.serviceAccountTokenCreator role granted to the service account service-Project_Number@gcp-sa-pubsub.iam.gserviceaccount.com to create identity tokens.

To access it, select IAM & Admin followed by IAM in the top left menu. Then check the box Include Google-provided role grants.

We will create a service account called eventarc notif mail, which will have the role roles/eventarc.eventReceiver.

Create an Eventarc trigger

Now let's proceed to the configuration of our Eventarc trigger with the service account eventarc notif mail.

NB: Eventarc must be in the same region as the Cloud Run service that triggers our workflow.

Configure service accounts for Workflows

To use Workflows, we will need a workflow-push-mail service account which will have the following roles:

Cloud Run Viewer : this will allow us to retrieve the information related to the Cloud Run service that triggered Eventarc.

Secret Manager Secret Accessor : with this role we can access the SENDGRID_API_KEY variable stored in Secret Manager.

To register the variable SENDGRID_API_KEY in Secret Manager, select Security followed by Secret Manager in the top left menu. Then click on CREATE SECRET and put the name of your variable and the value of the secret.

In the following workflow, we will retrieve the information of the Cloud Run service that triggered the event. Then, we will extract the URL of the Cloud Run service, which will be sent to the developer by email.

It's time to test our configuration. To do so, you just have to update the hello service we have deployed (for example, change the maximum number of requests per container) and you will receive an email.

For sending mail from the workflow, I used the article by Guillaume Laforge.

NB: cloud_run_location is the region of the Cloud Run service.

As you can see, here we just grabbed the Cloud Run service URL. You can retrieve other information about the Cloud Run service; it all depends on your goals.

In addition, you can use a function (Cloud Functions) to send emails. You will just have to call your function and pass it the information of the Cloud Run service. If you are interested, here is an article that will help you.

NB: if you have multiple Cloud Run services in different regions, you must have multiple workflows simply because the region of the Cloud Run service is required for the get_cloud_run_details step.

In the following article, we will see how to improve our architecture by removing the Cloud Run service that triggers workflows. This way Eventarc will be able to directly trigger a workflow that will retrieve all the information related to the trigger including its region.

Thanks to you for reading and to my mentor Guillaume Blaquiere for the advice.
