Hands-On Lab

CI/CD with Cloud Functions

Table of contents

• Prerequisite
• Open Cloud Build dashboard
• STEP 1: Connect to Github repository
• STEP 2: Create pull trigger
• STEP 3: Granting permissions to run builds and deployments
• STEP 4: Build failed: Cloud Functions API has not been enabled
• STEP 5: Enable Cloud Functions API
• STEP 6: Manually build again. Build faild: User [PROJECT_NUMBER@cloudbuild.gserviceaccount.com] does not have permission to access project
• STEP 7: Enable Cloud Resource Manager API
• STEP 8: Build successfully
• STEP 9: Test Cloud Functions
• STEP 10: Commit new code and test again

Prerequisite

• Basic knowledge of Cloud Functions, CI/CD

Open Cloud Build dashboard

• In the Cloud Console page, open the left navigation menu
• Go to section TOOLS, select Cloud Build

STEP 1: Connect to Github repository

• In the Cloud Build dashboard, go to Triggers, and click Connect repository

• Authorize Google Cloud Build with Github

• Click Install Google Cloud Build

• Install Google Cloud Build in your repository

• Select your repository, and click Connect repository

STEP 2: Create pull trigger

• Select your repository, and click Create pull trigger

• Trigger has been created, then click on the trigger name to edit

• Update the trigger name as you want
• Update the description Push to master
• Select Push to a branch
• Edit the regular expression ^master$

• Select Cloud Build configuration file (yaml or json)

STEP 3: Granting permissions to run builds and deployments

1. Act as the Cloud Functions Runtime service account

• You will get this error message if you don't allow the Cloud Build service account to act as the Cloud Functions Runtime service account

ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden],
message=[Missing necessary permission iam.serviceAccounts.actAs for $MEMBER
on the service account dsc-fptu-hcmc-orientation@appspot.gserviceaccount.com.

• To solve this problem

gcloud iam service-accounts add-iam-policy-binding PROJECT_ID@appspot.gserviceaccount.com \
--member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
--role="roles/iam.serviceAccountUser"

2. The Cloud Functions Developer role

• You will get this error message if you don't assign the Cloud Functions Developer role to the Cloud Build service account, which allows Cloud Build to deploy Cloud Functions

ERROR: (gcloud.functions.deploy) ResponseError: status=[403], code=[Forbidden],
message=[Permission 'cloudfunctions.functions.get' denied on resource
'projects/dsc-fptu-hcmc-orientation/locations/us-central1/functions/helloCiCd' (or resource may not exist).]

• To solve this problem

gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
--role="roles/cloudfunctions.developer"

STEP 4: Build failed: Cloud Functions API has not been enabled

• Open Cloud Build history

• Error message

ERROR: (gcloud.functions.deploy) PERMISSION_DENIED: Cloud Functions API has not been used in
project PROJECT_NUMBER before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudfunctions.googleapis.com/overview?project=PROJECT_NUMBER then retry.
If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

STEP 5: Enable Cloud Functions API

• Open search bar and type cloud functions api

• Go to APIs & Services to enable Cloud Functions API

STEP 6: Manually build again. Build faild: User [PROJECT_NUMBER@cloudbuild.gserviceaccount.com] does not have permission to access project

• Error message

ERROR: (gcloud.functions.deploy) User [PROJECT_NUMBER@cloudbuild.gserviceaccount.com] does not
have permission to access project [PROJECT_ID:testIamPermissions] (or it may not exist):
Cloud Resource Manager API has not been used in project PROJECT_NUMBER before or it is disabled.
Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=PROJECT_NUMBER then retry.
If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

STEP 7: Enable Cloud Resource Manager API

• Go to APIs & Services to enable Cloud Resource Manager API

. . . do it yourself . . .

• Assign the Cloud Functions Developer role to the Cloud Build service account, which allows Cloud Build to deploy Cloud Functions

STEP 8: Build successfully

STEP 9: Test Cloud Functions

• Open left navigation menu and go to Cloud Functions
• Click the details tab, read some informations

• Test the function

STEP 10: Commit new code and test again

• Edit the file index.js, update the response message

/**
* HTTP Cloud Function.
*
* @param {Object} req Cloud Function request context.
* More info: https://expressjs.com/en/api.html#req
* @param {Object} res Cloud Function response context.
* More info: https://expressjs.com/en/api.html#res
*/
exports.helloCiCd = (req, res) => {
  res.send({ yourName: req.body.name });
};

• Commit the code and push to your repository

. . . do it yourself . . .

• Test the function again

Thank you!