ruby-docker icon indicating copy to clipboard operation
ruby-docker copied to clipboard
verified publisher icon GoogleCloudPlatform

Can't use env variables defined in Cloud build

Open jkevingutierrez opened this issue 4 years ago • 4 comments

Trying to run a Cloud Build file like the next:

steps:
  - name: 'gcr.io/google-appengine/exec-wrapper'
    id: TEST
    args:
      [
        '-i',
        'gcr.io/$PROJECT_ID/${_BUILD_TARGET}',
        '-s',
        '${_CLOUD_SQL_DEV}',
        '-e',
        'DJANGO_SETTINGS_MODULE=$$DJANGO_SETTINGS_MODULE',
        '-e',
        'CLOUD_SQL=/cloudsql/${_CLOUD_SQL_DEV}',
        '--',
       'python',
        'manage.py',
        'migrate',
        '--no-input',
      ]
    env:
      - 'DJANGO_SETTINGS_MODULE=test.production'

Is throwing an error, as it is assigning the env variable in app engine as the string "$DJANGO_SETTINGS_MODULE" instead of the real value that was coming from the env variable.

Step #0 - "apply migrations": ModuleNotFoundError: No module named '$DJANGO_SETTINGS_MODULE' Finished Step #0 - "apply migrations"

Not sure if the problem is in https://github.com/GoogleCloudPlatform/ruby-docker/blob/05dc67368ed07340f648e19a5b1f195df2a397f6/app-engine-exec-wrapper/execute.sh#L32 as it is adding the environment variables in quotes ENV_PARAMS+=(-e "$OPTARG"). Maybe removing the quotes would fix the issue

ENV_PARAMS+=(-e $OPTARG)

or the problem can also be in https://github.com/GoogleCloudPlatform/ruby-docker/blob/05dc67368ed07340f648e19a5b1f195df2a397f6/app-engine-exec-wrapper/execute.sh#L32 as it is adding the ENV_PARAMS using quotes. Maybe removing the quotes would fix the issue

docker run --rm ${ENTRYPOINT} --volumes-from=${CONTAINER} --network=${CONTAINER_NETWORK} ${ENV_PARAMS[@]} ${IMAGE} "$@"

It is a silly example, as I can use a substituion instead of an env variable there, but what I'm really trying to do is something like https://cloud.google.com/build/docs/securing-builds/use-secrets

jkevingutierrez avatar Nov 03 '21 04:11 jkevingutierrez

If you're using basic plain-text environment variables (no secrets), you don't need to use $$. DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE should work just fine.

rgalite avatar Dec 23 '21 23:12 rgalite

If you're looking to use secrets with this cloud builder, you'll need to use the entrypoint parameter. This is required to refer to the environment variable for the secret.

You'll need to call the /buildstep/execute.sh script to in the args parameter.

You'll end up with something like this:

steps:
- name: gcr.io/google-appengine/exec-wrapper
  entrypoint: bash
  args:
  - -c
  - |-
    /buildstep/execute.sh -i gcr.io/my-project/appengine/some-long-name \
        -e ENV_VARIABLE_1=value1 -e ENV_2=value2 \
        -s my-project:us-central1:my_cloudsql_instance \
         -- bundle exec rake db:migrate
  secretEnv:
  - ENV_VARIABLE_1
  - ENV_2
availableSecrets:
  secretManager:
  - versionName: projects/my-project/secrets/secret-1/versions/1
    env: ENV_VARIABLE_1
  - versionName: projects/my-project/secrets/secret-2/versions/1
    env: ENV_2

rgalite avatar Dec 24 '21 17:12 rgalite

Great! Thanks for the answer. It would be great to have it documented, maybe in the README.md?

jkevingutierrez avatar Jan 11 '22 13:01 jkevingutierrez

@rgalite I'm not sure I understand where value1 and value2 are coming from in your example. Are those values stored in Secret Manager and populated with the $$ notation?

swoopej avatar Nov 01 '22 15:11 swoopej