google_cloudbuild_trigger webhook triggered build created with no source repository to clone #9827

Closed
frehov opened this issue Aug 17, 2021 · 8 comments

frehov commented Aug 17, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

version: V1.0.4

Affected Resource(s)

  • google_cloudbuild_trigger

Terraform Configuration Files

# Copy-paste your Terraform configurations here.
#
# For large Terraform configs, please use a service like Dropbox and share a link to the ZIP file.
# For security, you can also encrypt the files using our GPG public key:
#    https://www.hashicorp.com/security
#
# If reproducing the bug involves modifying the config file (e.g., apply a config,
# change a value, apply the config again, see the bug), then please include both:
# * the version of the config before the change, and
# * the version of the config after the change.

# from cloudbuild_trigger_file
# this secret was created when we made a manual trigger, and later imported it to terraform
resource "google_secret_manager_secret" "sanity_webhook_secret" {
  secret_id = "sanity_webhook_secret"
  labels    = {}

  replication {
    automatic = true
  }
}

data "google_secret_manager_secret_version" "sanity_webhook_secret_content" {
  secret = google_secret_manager_secret.sanity_webhook_secret.id
}

resource "google_cloudbuild_trigger" "website-sanity-deploy-dev" {
  provider    = google
  name        = "sanity-webhook-trigger-dev"
  description = "Trigger build on changes from sanity"
  filename    = ".cloudbuild/gatsby_sanity_build.yml"

  webhook_config {
    secret = data.google_secret_manager_secret_version.sanity_webhook_secret_content.name
  }

  substitutions = {
    _DIR             = "website/"
    _BUILD_ENV       = "development"
    _NODE_VERSION    = "12-alpine3.12"
    _SUPPRESS_OUTPUT = "true"
  }
}

# from project configuration
provider "google" {
  project = var.project_id
  region  = "europe-west"
}

provider "google-beta" {
  project = var.project_id
  region  = "europe-west"
}


# from version file
terraform {
  required_version = ">= 0.14.4"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 3.78"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = ">= 3.78"
    }
  }
}

Debug Output

Output created with:

Panic Output

Expected Behavior

It should throw an error as there are no inline steps or repository associated with the build trigger being created.

Editing the trigger manually and highlighting the repository field at the "Source" heading, and exiting it yields the following message.
[image]

Actual Behavior

The cloudbuild trigger is created without issues, but is missing build steps or a source control association.

Steps to Reproduce

  1. terraform plan -var='project_id=innbyggerkontakt-dev' -target=google_cloudbuild_trigger.website-sanity-deploy-dev -auto-approve -no-color

Important Factoids

We're authenticating with application default credentials from personal accounts
The webhook triggers were imported into terraform state, and ran with terraform plan until no diff was shown

When configuring the webhook manually and adding the source repository, the response provided from Google to Terraform is the following:

{
  "id": "0c9d044e-511d-49f9-bfdb-7b7da28b83bb",
  "createTime": "2021-08-17T12:54:54.073894520Z",
  "description": "Trigger website build on changes from sanity",
  "substitutions": {
    "_BUILD_ENV": "development",
    "_DIR": "website/",
    "_NODE_VERSION": "12-alpine3.12",
    "_SUPPRESS_OUTPUT": "true"
  },
  "name": "website-sanity-deploy-dev",
  "gitFileSource": {
    "path": ".cloudbuild/gatsby_sanity_build.yml",
    "uri": "https://github.com/knowit/Innbyggerkontakt",
    "repoType": "GITHUB",
    "revision": "refs/heads/master"
  },
  "sourceToBuild": {
    "uri": "https://github.com/knowit/Innbyggerkontakt",
    "ref": "refs/heads/master",
    "repoType": "GITHUB"
  },
  "webhookConfig": {
    "secret": "projects/252132971822/secrets/sanity_webhook_secret/versions/1"
  }
}

References

@frehov frehov added the bug label Aug 17, 2021
@frehov frehov changed the title from "google_cloudbuild_trigger webhook trigger created with no source repository to clone" to "google_cloudbuild_trigger webhook triggered build created with no source repository to clone" Aug 17, 2021
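
Added example, not part of the original issue or the provider's code: a Python check for the condition the report expects to be rejected, run over trigger JSON as returned by the Cloud Build API. The `BROKEN` sample is constructed from the reported config, the function name is hypothetical, and the field names `filename` and `build` are assumed from the Cloud Build v1 BuildTrigger resource rather than taken from this page.

```python
import json

# Constructed sample: the trigger as created from the Terraform config in this
# issue (build config filename and webhook secret only, no repository fields).
BROKEN = json.loads("""{
  "name": "sanity-webhook-trigger-dev",
  "filename": ".cloudbuild/gatsby_sanity_build.yml",
  "webhookConfig": {"secret": "projects/PROJECT_NUMBER/secrets/sanity_webhook_secret/versions/1"}
}""")

# Trimmed from the API response quoted in the issue (manually repaired trigger).
FIXED = json.loads("""{
  "name": "website-sanity-deploy-dev",
  "gitFileSource": {"path": ".cloudbuild/gatsby_sanity_build.yml",
                    "uri": "https://github.com/knowit/Innbyggerkontakt",
                    "repoType": "GITHUB", "revision": "refs/heads/master"},
  "sourceToBuild": {"uri": "https://github.com/knowit/Innbyggerkontakt",
                    "ref": "refs/heads/master", "repoType": "GITHUB"},
  "webhookConfig": {"secret": "projects/252132971822/secrets/sanity_webhook_secret/versions/1"}
}""")


def audit_webhook_trigger(trigger):
    """Return findings for a webhook trigger; an empty list means it can build."""
    findings = []
    if "webhookConfig" not in trigger:
        return findings  # only webhook triggers are in scope here
    if not trigger["webhookConfig"].get("secret"):
        findings.append("webhookConfig has no secret")
    if trigger.get("build", {}).get("steps"):
        return findings  # inline steps need no repository
    git_file = trigger.get("gitFileSource", {})
    repo = trigger.get("sourceToBuild", {})
    config_path = git_file.get("path") or trigger.get("filename")
    if not config_path:
        findings.append("no inline build steps and no build config file")
    elif not (git_file.get("uri") or repo.get("uri")):
        findings.append(f"build config {config_path!r} has no repository to read it from")
    if not repo.get("uri"):
        findings.append("no sourceToBuild repository to clone")
    return findings


if __name__ == "__main__":
    for t in (BROKEN, FIXED):
        print(t["name"], audit_webhook_trigger(t) or "ok")
```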
@cvalla

cvalla commented Aug 17, 2021

I also noticed that webhook-config and trigger template are not mutually exclusive. In Cloudbuild you can build up a trigger that relies on both. In the provider only one of them can be included in the resource configuration (if you look at the Google APIs doc you can see that only trigger_template and github are mutually exclusive).

@edwardmedia edwardmedia self-assigned this Aug 17, 2021
@edwardmedia
Contributor

@frehov I am not clear what this issue is trying to solve? You provided the link of #9189 which is not released. Can you explain the details?

@frehov
Author

frehov commented Aug 18, 2021

@edwardmedia I added the other issue mainly as a reference.
release 3.76.0 added the webhook_config parameter, and as such I'm raising this issue to raise awareness that the google_cloudbuild_trigger created by using webhook_config is not a valid configuration in cloud build given that there is no source repository connected after creation of the trigger.

@edwardmedia
Contributor

@frehov are you talking about the field sourceToBuild (available according to below api spec)? That is a separate field. You may file an enhancement to ask for the field to be included.

https://cloud.google.com/build/docs/api/reference/rest/v1/projects.triggers

@frehov
Author

frehov commented Aug 19, 2021

@edwardmedia, I'm not trying to be rude here, but the documentation was last updated today (August 19th, 2021) and when I opened this issue on the 17th those fields were definitely not present in the documentation.
I was looking at the debug output from terraform and comparing that to which fields were available in the api spec you linked, and did not find them.

I'll see about opening an enhancement request about having both the field sourceToBuild and the field gitFileSource, as both look to be necessary to get this to work.
Should the enhancement request be split into one for each field, or can it be submitted as a single request? Should this issue be referenced when opening the enhancement request?

@edwardmedia
Contributor

edwardmedia commented Aug 20, 2021

@frehov I had the same question as yours. If these two fields should be part of the feature, I agreed they should be included in that original implementation. But I don't know the details about the scope of this feature. I have checked the code. Unfortunately there is no test / example for this feature. For a feature like this, we do like to have an example. On the other side, please keep in mind, there are a lot of times when fields are enabled one by one. In your case, you may ask for these two fields together. Sorry about the inconvenience.

@edwardmedia
Contributor

See #9883. Closing this issue then.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2021