modify to use Cloud Run deploy by source (#2795)

* modify to use artifact registry

* enable APIs, use exports

* use different service account for build

* fix role

* deploy from source

* change permissions

* set build service account for Cloud Run

* fix grpc to match

* grpc part 2

Author: mdunker

quests/develop-apis-apigee/grpc-backend/deploy.sh

@@ -12,23 +12,20 @@ if [[ -z "${CLOUDRUN_REGION}" ]]; then
   exit 1
 fi
 
-SERVICE_NAME="simplebank-grpc"
-SVCACCT_NAME="simplebank-grpc"
-SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
-
-# build image from code
-echo "*** submit build of service ${SERVICE_NAME} to Cloud Build ***"
-gcloud builds submit --tag gcr.io/${GOOGLE_PROJECT_ID}/${SERVICE_NAME} \
-  --project=${GOOGLE_PROJECT_ID}
+export SERVICE_NAME="simplebank-grpc"
+export SVCACCT_NAME="simplebank-grpc"
+export SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
 
 # deploy service
 # NOTE: in a production environment, you would not use max-instances=1
 echo "*** deploy ${SERVICE_NAME} service to ${CLOUDRUN_REGION} with service account ${SVCACCT_EMAIL} ***"
 gcloud run deploy ${SERVICE_NAME} \
-  --image=gcr.io/${GOOGLE_PROJECT_ID}/${SERVICE_NAME} \
   --platform=managed \
   --max-instances=1 \
   --region=${CLOUDRUN_REGION} \
   --no-allow-unauthenticated \
   --service-account=${SVCACCT_EMAIL} \
-  --project=${GOOGLE_PROJECT_ID}
+  --build-service-account=projects/${GOOGLE_PROJECT_ID}/serviceAccounts/${SVCACCT_EMAIL} \
+  --project=${GOOGLE_PROJECT_ID} \
+  --quiet \
+  --source .

quests/develop-apis-apigee/grpc-backend/init-project.sh

@@ -7,9 +7,9 @@ if [[ -z "${FIRESTORE_LOCATION}" ]]; then
   exit 1
 fi
 
-# enable Cloud Run APIs
-echo "*** enable Cloud Run APIs ***"
-gcloud services enable run.googleapis.com
+# enable APIs
+echo "*** enable Cloud Run, Cloud Build, Artifact Registry, Firestore APIs ***"
+gcloud services enable run.googleapis.com cloudbuild.googleapis.com artifactregistry.googleapis.com firestore.googleapis.com
 
 # create Firestore in Native mode database
 echo "*** create Firestore database ***"

quests/develop-apis-apigee/grpc-backend/init-service.sh

@@ -7,9 +7,10 @@ if [[ -z "${GOOGLE_PROJECT_ID}" ]]; then
   exit 1
 fi
 
-SVCACCT_NAME="simplebank-grpc"
-SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
-SVCACCT_ROLE="roles/datastore.user"
+export SVCACCT_NAME="simplebank-grpc"
+export SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
+export SVCACCT_ROLE="roles/datastore.user"
+export SVCACCT_ROLE2="roles/run.builder"
 
 # create service account for Cloud Run service
 echo "*** creating Cloud Run service account: ${SVCACCT_EMAIL} ***"
@@ -21,4 +22,10 @@ gcloud iam service-accounts create ${SVCACCT_NAME} \
 echo "*** adding role ${SVCACCT_ROLE} for Firestore access ***"
 gcloud projects add-iam-policy-binding ${GOOGLE_PROJECT_ID} \
   --member="serviceAccount:${SVCACCT_EMAIL}" \
-  --role=${SVCACCT_ROLE}
+  --role=${SVCACCT_ROLE}
+
+# add permission to access Cloud Run
+echo "*** adding role ${SVCACCT_ROLE2} for Cloud Run access ***"
+gcloud projects add-iam-policy-binding ${GOOGLE_PROJECT_ID} \
+  --member="serviceAccount:${SVCACCT_EMAIL}" \
+  --role=${SVCACCT_ROLE2}

quests/develop-apis-apigee/rest-backend/deploy.sh

@@ -12,23 +12,20 @@ if [[ -z "${CLOUDRUN_REGION}" ]]; then
   exit 1
 fi
 
-SERVICE_NAME="simplebank-rest"
-SVCACCT_NAME="simplebank-rest"
-SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
-
-# build image from code
-echo "*** submit build of service ${SERVICE_NAME} to Cloud Build ***"
-gcloud builds submit --tag gcr.io/${GOOGLE_PROJECT_ID}/${SERVICE_NAME} \
-  --project=${GOOGLE_PROJECT_ID}
+export SERVICE_NAME="simplebank-rest"
+export SVCACCT_NAME="simplebank-rest"
+export SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
 
 # deploy service
 # NOTE: in a production environment, you would not use max-instances=1
 echo "*** deploy ${SERVICE_NAME} service to ${CLOUDRUN_REGION} with service account ${SVCACCT_EMAIL} ***"
 gcloud run deploy ${SERVICE_NAME} \
-  --image=gcr.io/${GOOGLE_PROJECT_ID}/${SERVICE_NAME} \
   --platform=managed \
   --max-instances=1 \
   --region=${CLOUDRUN_REGION} \
   --no-allow-unauthenticated \
   --service-account=${SVCACCT_EMAIL} \
-  --project=${GOOGLE_PROJECT_ID}
+  --build-service-account=projects/${GOOGLE_PROJECT_ID}/serviceAccounts/${SVCACCT_EMAIL} \
+  --project=${GOOGLE_PROJECT_ID} \
+  --quiet \
+  --source .

quests/develop-apis-apigee/rest-backend/init-project.sh

@@ -7,9 +7,9 @@ if [[ -z "${FIRESTORE_LOCATION}" ]]; then
   exit 1
 fi
 
-# enable Cloud Run APIs
-echo "*** enable Cloud Run APIs ***"
-gcloud services enable run.googleapis.com
+# enable APIs
+echo "*** enable Cloud Run, Cloud Build, Artifact Registry, Firestore APIs ***"
+gcloud services enable run.googleapis.com cloudbuild.googleapis.com artifactregistry.googleapis.com firestore.googleapis.com
 
 # create Firestore in Native mode database
 echo "*** create Firestore database ***"

quests/develop-apis-apigee/rest-backend/init-service.sh

@@ -7,9 +7,10 @@ if [[ -z "${GOOGLE_PROJECT_ID}" ]]; then
   exit 1
 fi
 
-SVCACCT_NAME="simplebank-rest"
-SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
-SVCACCT_ROLE="roles/datastore.user"
+export SVCACCT_NAME="simplebank-rest"
+export SVCACCT_EMAIL="${SVCACCT_NAME}@${GOOGLE_PROJECT_ID}.iam.gserviceaccount.com"
+export SVCACCT_ROLE="roles/datastore.user"
+export SVCACCT_ROLE2="roles/run.builder"
 
 # create service account for Cloud Run service
 echo "*** creating Cloud Run service account: ${SVCACCT_EMAIL} ***"
@@ -22,3 +23,9 @@ echo "*** adding role ${SVCACCT_ROLE} for Firestore access ***"
 gcloud projects add-iam-policy-binding ${GOOGLE_PROJECT_ID} \
   --member="serviceAccount:${SVCACCT_EMAIL}" \
   --role=${SVCACCT_ROLE}
+
+# add permission to access Cloud Run
+echo "*** adding role ${SVCACCT_ROLE2} for Cloud Run access ***"
+gcloud projects add-iam-policy-binding ${GOOGLE_PROJECT_ID} \
+  --member="serviceAccount:${SVCACCT_EMAIL}" \
+  --role=${SVCACCT_ROLE2}