Set up gcloud defaults

To configure gcloud with defaults for your Cloud Run service:

1. Set your default project:

   gcloudconfigsetprojectPROJECT_ID

   ReplacePROJECT_ID with the name of the project you created forthis tutorial.

2. Configure gcloud for your chosen region:

   gcloudconfigsetrun/regionREGION

   ReplaceREGION with the supported Cloud Runregionof your choice.

Retrieving the code sample

To retrieve the code sample for use:

1. Clone the sample app repository to your local machine:

   gitclonehttps://github.com/GoogleCloudPlatform/cloud-run-samples.git

   Alternatively, you can download the sample as a zip file and extract it.

2. Change to the directory that contains the Cloud Run samplecode:

   cdcloud-run-samples/gcloud-report/

Review the code

This section includes information about thecode sample you retrieved.

Generate a report and upload it to Cloud Storage

This shell script generates a report of Cloud Run services in thecurrent project and region and uploads the result to Cloud Storage. It listsservices whose name contains the provided stringsearch argument.

The script uses thegcloud run services list command,gcloud advanced format options, andgcloud streaming transfer copy mode.

set-eopipefail# Check for required environment variables.requireEnv(){test"${!1}"||(echo"gcloud-report: '$1' not found">&2 &&exit1)}requireEnvGCLOUD_REPORT_BUCKET# Prepare formatting: Default search term to include all services.search=${1:-'.'}limits='spec.template.spec.containers.resources.limits.flatten("", "", " ")'format='table[box, title="Cloud Run Services"](name,status.url,metadata.annotations.[serving.knative.dev/creator],'${limits}')'# Create a specific object name that will not be overridden in the future.obj="gs://${GCLOUD_REPORT_BUCKET}/report-${search}-$(date+%s).txt"# Write a report containing the service name, service URL, service account or user that# deployed it, and any explicitly configured service "limits" such as CPU or Memory.gcloudrunserviceslist\--format"${format}"\--filter"metadata.name~${search}"|gcloudstoragecp--gzip-in-flight-all-"${obj}"# /dev/stderr is sent to Cloud Logging.echo"gcloud-report: wrote to${obj}">&2echo"Wrote report to${obj}"

This script is safe to run as a service because repeated invocations of itupdate the report without further costly churn. Other scripts using thegcloud CLI can be more costly when invoked repeatedly, such ascreating new Cloud resources or performing expensive tasks. Idempotent scripts,which yield the same result on repeated invocations, are safer to run as aservice.

Invoke the script on HTTP request

This Go code sets up a web service that runs a shell script to generate a report.Since the search query is user input, the code validates it to ensure that itonly contains letters, numbers, or hyphens to prevent malicious commands as input.This set of characters is narrow enough to preventcommand injection attacks.

The web service passes the search parameter as an argument to the shell script.

// Service gcloud-report is a Cloud Run shell-script-as-a-service.packagemainimport("log""net/http""os""os/exec""regexp")funcmain(){http.HandleFunc("/",scriptHandler)// Determine port for HTTP service.port:=os.Getenv("PORT")ifport==""{port="8080"log.Printf("defaulting to port %s",port)}// Start HTTP server.log.Printf("listening on port %s",port)iferr:=http.ListenAndServe(":"+port,nil);err!=nil{log.Fatal(err)}}funcscriptHandler(whttp.ResponseWriter,r*http.Request){search:=r.URL.Query().Get("search")re:=regexp.MustCompile(`^[a-z]+[a-z0-9\-]*$`)if!re.MatchString(search){log.Printf("invalid search criteria %q, using default",search)search="."}cmd:=exec.CommandContext(r.Context(),"/bin/bash","script.sh",search)cmd.Stderr=os.Stderrout,err:=cmd.Output()iferr!=nil{log.Printf("Command.Output: %v",err)http.Error(w,http.StatusText(http.StatusInternalServerError),http.StatusInternalServerError)return}w.Write(out)}

Ago.mod file declares the application dependencies in ago module:

modulegithub.com/GoogleCloudPlatform/cloud-run-samples/gcloud-reportgo1.19

Define the container environment

The Dockerfile defines how the environment is put together for the service.It is similar to the Dockerfile from thehelloworld-shell quickstart,except that the final container image is based on thegcloud Google Cloud CLI image. Thisallows your service to usegcloud without custom installation andconfiguration steps for the Google Cloud CLI.

# Use the official golang image to create a binary.# This is based on Debian and sets the GOPATH to /go.# https://hub.docker.com/_/golangFROMgolang:1.20-busterasbuilder# Create and change to the app directory.WORKDIR/app# Retrieve application dependencies.# This allows the container build to reuse cached dependencies.# Expecting to copy go.mod and if present go.sum.COPYgo.*./RUNgomoddownload# Copy local code to the container image.COPYinvoke.go./# Build the binary.RUNgobuild-mod=readonly-v-oserver# Use a gcloud image based on debian:buster-slim for a lean production container.# https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-buildsFROMgcr.io/google.com/cloudsdktool/cloud-sdk:slimWORKDIR/app# Copy the binary to the production image from the builder stage.COPY--from=builder/app/server/app/serverCOPY*.sh/app/RUNchmod+x/app/*.sh# Run the web service on container startup.CMD["/app/server"]

Create an Artifact Registry standard repository

Create an Artifact Registry standard repository to store your container image:

gcloudartifactsrepositoriescreateREPOSITORY\--repository-format=docker\--location=REGION

Replace:

• REPOSITORY with a unique name for the repository.
• REGION with the Google Cloud region of the Artifact Registry.

Set up the Cloud Storage bucket

Create a Cloud Storage bucket for uploading reports:

gcloudstoragebucketscreategs://REPORT_ARCHIVE_BUCKET

ReplaceREPORT_ARCHIVE_BUCKET with a globally unique bucket name.

Set up the service identity

In order to limit the privileges that the service has to other infrastructure,you create a service identity and customize the specific IAM permissionsnecessary to do the work.

In this case, the required privileges are permission to read Cloud Runservices and permission to read from and write to the Cloud Storage bucket.

1. Create a service account:

   gcloudiamservice-accountscreategcloud-report-identity

2. Grant the service account permission to read Cloud Run services:

   gcloudprojectsadd-iam-policy-bindingPROJECT_ID\--member=serviceAccount:gcloud-report-identity@PROJECT_ID.iam.gserviceaccount.com\--roleroles/run.viewer

3. Grant the service account permission to read from and write to the Cloud Storage bucket:

   gcloudstoragebucketsadd-iam-policy-bindinggs://REPORT_ARCHIVE_BUCKET\--member=serviceAccount:gcloud-report-identity@PROJECT_ID.iam.gserviceaccount.com\--role=roles/storage.objectUser

The limited access of this customized service identity prevents the service fromaccessing other Google Cloud resources.

Ship the service

Shipping code consists of three steps:

• Building a container image with Cloud Build
• Uploading the container image to Artifact Registry
• Deploying the container image to Cloud Run.

To ship your code:

1. Build your container and publish on Artifact Registry:

   gcloudbuildssubmit--tagREGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/gcloud-report

   Replace:

   • PROJECT_ID with your Google Cloud project ID
   • REPOSITORY with the name of the Artifact Registry repository.
   • REGION with the Google Cloud region of the Artifact Registry.

   gcloud-report is the name of your service.

   Upon success, a SUCCESS message displays the ID, creation time, and image name.The image is stored in Artifact Registry and can be reused if required.

2. Run the following command to deploy your service:

   gcloudrundeploygcloud-report\--imageREGION-docker.pkg.dev/PROJECT_ID/REPOSITORY/gcloud-report\--update-env-varsGCLOUD_REPORT_BUCKET=REPORT_ARCHIVE_BUCKET\--service-accountgcloud-report-identity\--no-allow-unauthenticated

   Replace:

   • PROJECT_ID with your Google Cloud project ID.
   • REPOSITORY with the name of the Artifact Registry repository.
   • REGION with the Google Cloud region of the service.

   gcloud-report is part of the container name and the name of the service.The container image is deployed to the service and region(Cloud Run) that you configuredpreviously underSetting up gcloud.

   The--no-allow-unauthenticated flag restricts public access to theservice. By keeping the service private you can rely on Cloud Run'sbuilt-in authentication to block unauthorized requests. For more details aboutauthentication that is based on Identity and Access Management (IAM), seeManaging access using IAM.

   Wait until the deployment is complete. This can take about half a minute.On success, the command line displays the service URL.

3. If you want to deploy a code update to the service, repeat the previoussteps. Each deployment to a service creates a new revision and automaticallystarts serving traffic when ready.

SeeManaging access using IAM for how to grant Google Cloud users access to invoke this service.Project editors and owners automatically have this access.

Generate a report

To generate a report of Cloud Run services:

1. Use curl to send an authenticated request:

   curl-H"Authorization: Bearer$(gcloudauthprint-identity-token)"SERVICE_URL

   ReplaceSERVICE_URL with the URL provided by Cloud Run after completing deployment.

   If you created a new project and followed this tutorial, the output will besimilar to:

   Wrotereporttogs://REPORT_ARCHIVE_BUCKET/report-.-DATE.txt

   The. in the filename is the default search argument as mentioned in the source code.

   To use the search feature, add asearch argument to the request:

   curl-H"Authorization: Bearer$(gcloudauthprint-identity-token)"SERVICE_URL?search=gcloud

   This query will return output similar to:

   Wrotereporttogs://REPORT_ARCHIVE_BUCKET/report-gcloud-DATE.txt

2. Retrieve the file using the gcloud CLI locally:

   gcloudstoragecpgs://REPORT_FILE_NAME.

   The. in the command means the current working directory.

   ReplaceREPORT_FILE_NAME with the Cloud Storage object nameoutput in the previous step.

Open the file to see the report. It should look like this:

If you intend to further develop this service, consider rewriting in a morerobust programming language and using theCloud Run Admin APIand theCloud Storage client library.

You can examine the API calls being made (and see some authentication details)by adding--log-http to gcloud CLI commands.

Automate this operation

Now that the report of Cloud Run services can be triggered by an HTTPrequest, use automation to generate reports when you need them:

• Run this service on aschedule with Cloud Scheduler
• Create the report as aqueued task or schedule in the future with Google Tasks