google_cloudbuild_trigger

Configuration for an automated build in response to source repository changes.

To get more information about Trigger, see:


Example Usage - Cloudbuild Trigger Filename

# Trigger that runs the build defined by a file in the repository when the
# Cloud Source Repository "my-repo" receives a push to a branch matching
# branch_name.
resource "google_cloudbuild_trigger" "filename-trigger" {
  location = "us-central1"

  # Legacy (first-generation) repository binding. Per the Cloud Build API,
  # branch_name is an RE2 regex, so "main" also matches e.g. "main-v2";
  # anchor it (^main$) if only the exact branch should build.
  trigger_template {
    branch_name = "main"
    repo_name   = "my-repo"
  }

  # Values injected into the build; user-defined keys begin with an underscore.
  substitutions = {
    _FOO = "bar"
    _BAZ = "qux"
  }

  # Build steps are read from this file at the matched revision, so whoever can
  # push to a matching branch controls what the build executes.
  filename = "cloudbuild.yaml"
}

Example Usage - Cloudbuild Trigger Build

# Trigger whose build is declared inline (the `build` block) instead of being
# read from a file in the repository. Fires on pushes to "main" of the Cloud
# Source Repository "my-repo".
resource "google_cloudbuild_trigger" "build-trigger" {
  name = "my-trigger"
  location = "global"

  trigger_template {
    branch_name = "main"
    repo_name   = "my-repo"
  }

  build {
    # Step 1: copy an object out of GCS. secret_env names the variable declared
    # under available_secrets below (MY_SECRET), so the secret value is only
    # exposed to this step's environment.
    step {
      name = "gcr.io/cloud-builders/gsutil"
      args = ["cp", "gs://mybucket/remotefile.zip", "localfile.zip"]
      timeout = "120s"
      secret_env = ["MY_SECRET"]
    }

    # Step 2: inline shell via `script` rather than `args`.
    step {
      name   = "ubuntu"
      script = "echo hello" # using script field
    }

    # Build input is a tarball in GCS, not the repository that fired the trigger.
    source {
      storage_source {
        bucket = "mybucket"
        object = "source_code.tar.gz"
      }
    }
    tags = ["build", "newFeature"]
    substitutions = {
      _FOO = "bar"
      _BAZ = "qux"
    }
    # Per the Cloud Build API a build still queued after this TTL expires
    # instead of running.
    queue_ttl = "20s"
    logs_bucket = "gs://mybucket/logs"
    # KMS-wrapped secrets: each secret_env value is base64 ciphertext encrypted
    # with kms_key_name. The value here merely base64-encodes the placeholder
    # string "encrypted-password", it is not real ciphertext.
    # NOTE(review): this is the older secrets mechanism; available_secrets
    # below (Secret Manager) is the replacement — prefer it for new triggers.
    secret {
      kms_key_name = "projects/myProject/locations/global/keyRings/keyring-name/cryptoKeys/key-name"
      secret_env = {
        PASSWORD = "ZW5jcnlwdGVkLXBhc3N3b3JkCg=="
      }
    }
    # Secret Manager secret surfaced to steps that list MY_SECRET in secret_env.
    # "versions/latest" follows rotation automatically but means two builds may
    # see different values; pin a version where reproducibility matters.
    available_secrets {
      secret_manager {
        env          = "MY_SECRET"
        version_name = "projects/myProject/secrets/mySecret/versions/latest"
      }
    }
    # Outputs published after a successful build. Images are tagged with the
    # commit SHA, which keeps each image traceable to its source revision.
    artifacts {
      images = ["gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA"]
      objects {
        location = "gs://bucket/path/to/somewhere/"
        paths = ["path"]
      }

      npm_packages {
        package_path = "package.json"
        repository   = "https://us-west1-npm.pkg.dev/myProject/quickstart-nodejs-repo"
      }

      python_packages {
        paths      = ["dist/*"]
        repository = "https://us-west1-python.pkg.dev/myProject/quickstart-python-repo"
      }

      maven_artifacts {
        repository  = "https://us-west1-maven.pkg.dev/myProject/quickstart-java-repo"
        path        = "/workspace/my-app/target/my-app-1.0.SNAPSHOT.jar"
        artifact_id = "my-app"
        group_id    = "com.mycompany.app"
        version     = "1.0"
      }
    }
    options {
      # NOTE(review): MD5 is not collision resistant. SHA256 is also accepted
      # for source_provenance_hash and is the better choice when provenance is
      # meant to be checked (requested_verify_option = "VERIFIED" below).
      source_provenance_hash = ["MD5"]
      requested_verify_option = "VERIFIED"
      machine_type = "N1_HIGHCPU_8"
      disk_size_gb = 100
      # ALLOW_LOOSE keeps the build running when substitution checks fail
      # (the default behaviour is to fail the build).
      substitution_option = "ALLOW_LOOSE"
      dynamic_substitutions = true
      log_streaming_option = "STREAM_OFF"
      # Private worker pool to run on; "pool" stands in for the pool's resource
      # name.
      worker_pool = "pool"
      logging = "LEGACY"
      # These two entries look like placeholders: per the API, env expects
      # "KEY=VALUE" strings and secret_env the names of variables declared in
      # `secret` above — verify before reuse.
      env = ["ekey = evalue"]
      secret_env = ["secretenv = svalue"]
      volumes {
        name = "v1"
        path = "v1"
      }
    }
  }
}

Example Usage - Cloudbuild Trigger Service Account

# Resolves the provider's current project so the IAM bindings below can name it.
data "google_project" "project" {}

# Trigger whose builds run as a dedicated, user-managed service account instead
# of the project's default Cloud Build identity. The permissions granted to that
# account bound what a build (and anyone who can change cloudbuild.yaml) can do.
resource "google_cloudbuild_trigger" "service-account-trigger" {
  trigger_template {
    branch_name = "main"
    repo_name   = "my-repo"
  }

  service_account = google_service_account.cloudbuild_service_account.id
  filename        = "cloudbuild.yaml"
  # The role bindings must exist before the trigger is created; presumably the
  # API validates the account's permissions at creation time — confirm.
  depends_on = [
    google_project_iam_member.act_as,
    google_project_iam_member.logs_writer
  ]
}

# Build identity. It carries only the two roles bound below; add further roles
# per resource rather than at project scope to keep the build's blast radius
# small.
resource "google_service_account" "cloudbuild_service_account" {
  account_id = "cloud-sa"
}

# NOTE(review): this binds roles/iam.serviceAccountUser at project scope, which
# lets the build account act as every service account in the project. If only
# its own identity is needed, a google_service_account_iam_member binding on
# that single account is the narrower grant — confirm against Cloud Build's
# requirements for user-specified service accounts.
resource "google_project_iam_member" "act_as" {
  project = data.google_project.project.project_id
  role    = "roles/iam.serviceAccountUser"
  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
}

# Lets builds running as this account write their logs to Cloud Logging.
resource "google_project_iam_member" "logs_writer" {
  project = data.google_project.project.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
}
Example Usage - Cloudbuild Trigger Include Build Logs
# GitHub App trigger that reports build logs back to GitHub along with the
# build status.
resource "google_cloudbuild_trigger" "include-build-logs-trigger" {
  location = "us-central1"
  name     = "include-build-logs-trigger"
  filename = "cloudbuild.yaml"

  github {
    owner = "hashicorp"
    name  = "terraform-provider-google-beta"
    # Anchored regex: only pushes to exactly "main" fire the trigger.
    push {
      branch = "^main$"
    }
  }

  # NOTE(review): this surfaces build logs to GitHub; people with access to the
  # repository's commit status may then read log output without holding Cloud
  # Build IAM — keep secrets out of log output and confirm the visibility rules.
  include_build_logs = "INCLUDE_BUILD_LOGS_WITH_STATUS"
}

Example Usage - Cloudbuild Trigger Pubsub Config

# Topic whose messages start builds. Publish permission on this topic is
# effectively permission to run the build, so keep roles/pubsub.publisher tight.
resource "google_pubsub_topic" "mytopic" {
  name = "my-topic"
}

# Trigger started by Pub/Sub messages rather than repository events. The repo
# URIs below are placeholders (no real host), substitute your own.
resource "google_cloudbuild_trigger" "pubsub-config-trigger" {
  location    = "us-central1"
  name        = "pubsub-trigger"
  description = "acceptance test example pubsub build trigger"

  pubsub_config {
    topic = google_pubsub_topic.mytopic.id
  }

  # Repository and revision to build for every accepted message.
  source_to_build {
    uri       = "https://hashicorp/terraform-provider-google-beta"
    ref       = "refs/heads/main"
    repo_type = "GITHUB"
  }

  # Where the build definition is read from; may differ from source_to_build.
  git_file_source {
    path      = "cloudbuild.yaml"
    uri       = "https://hashicorp/terraform-provider-google-beta"
    revision  = "refs/heads/main"
    repo_type = "GITHUB"
  }

  # _ACTION is taken from the incoming message payload, so its value is
  # controlled by whoever published the message; treat it as untrusted input in
  # the build and do not pass it unquoted to shell steps.
  substitutions = {
    _ACTION       = "$(body.message.data.action)"
  }

  # CEL filter evaluated per message; only messages with action INSERT build.
  filter = "_ACTION.matches('INSERT')"
}

Example Usage - Cloudbuild Trigger Webhook Config

# Secret Manager secret that holds the webhook key; a single user-managed
# replica in us-central1.
resource "google_secret_manager_secret" "webhook_trigger_secret_key" {
  secret_id = "webhook-trigger-secret-key"

  replication {
    user_managed {
      replicas {
        location = "us-central1"
      }
    }
  }
}

# NOTE(review): secret_data is a literal here, so the key ends up in version
# control and in Terraform state in clear text. Supply it through a variable
# marked sensitive (or create the version outside Terraform) and use a
# high-entropy value; "secretkeygoeshere" is only a placeholder.
resource "google_secret_manager_secret_version" "webhook_trigger_secret_key_data" {
  secret = google_secret_manager_secret.webhook_trigger_secret_key.id

  secret_data = "secretkeygoeshere"
}

# Resolves the current project; its number is needed to name the Cloud Build
# service agent below.
data "google_project" "project" {}

# Grants the Cloud Build service agent read access to the webhook secret, which
# it needs to check incoming webhook requests. Nothing else is bound.
data "google_iam_policy" "secret_accessor" {
  binding {
    role = "roles/secretmanager.secretAccessor"
    members = [
      "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloudbuild.iam.gserviceaccount.com",
    ]
  }
}

# Authoritative policy on the secret: any binding not listed in
# secret_accessor above is removed, which keeps the secret's readers explicit.
resource "google_secret_manager_secret_iam_policy" "policy" {
  project = google_secret_manager_secret.webhook_trigger_secret_key.project
  secret_id = google_secret_manager_secret.webhook_trigger_secret_key.secret_id
  policy_data = data.google_iam_policy.secret_accessor.policy_data
}


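# Trigger started by an inbound webhook. Callers must present the key stored in
# the referenced secret version; rotate it by adding a new version and pointing
# webhook_config.secret at it. The repo URIs are placeholders (no real host).
resource "google_cloudbuild_trigger" "webhook-config-trigger" {
  name        = "webhook-trigger"
  description = "acceptance test example webhook build trigger"

  webhook_config {
    secret = google_secret_manager_secret_version.webhook_trigger_secret_key_data.id
  }

  # Repository and revision to build for each accepted webhook call.
  source_to_build {
    uri       = "https://hashicorp/terraform-provider-google-beta"
    ref       = "refs/heads/main"
    repo_type = "GITHUB"
  }

  # Where the build definition is read from; may differ from source_to_build.
  git_file_source {
    path      = "cloudbuild.yaml"
    uri       = "https://hashicorp/terraform-provider-google-beta"
    revision  = "refs/heads/main"
    repo_type = "GITHUB"
  }
}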

Example Usage - Cloudbuild Trigger Manual

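# Trigger with no repository, Pub/Sub or webhook event source, so it only runs
# when invoked explicitly, and each run then waits for approval before it
# starts. The repo URIs are placeholders (no real host).
resource "google_cloudbuild_trigger" "manual-trigger" {
  name = "manual-trigger"

  # Repository and revision to build when the trigger is run.
  source_to_build {
    uri       = "https://hashicorp/terraform-provider-google-beta"
    ref       = "refs/heads/main"
    repo_type = "GITHUB"
  }

  # Where the build definition is read from; may differ from source_to_build.
  git_file_source {
    path      = "cloudbuild.yaml"
    uri       = "https://hashicorp/terraform-provider-google-beta"
    revision  = "refs/heads/main"
    repo_type = "GITHUB"
  }

  # If this is set on a build, it will become pending when it is run,
  # and will need to be explicitly approved to start. This is a useful
  # control point for builds that deploy or touch production credentials.
  approval_config {
    approval_required = true
  }
}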
Example Usage - Cloudbuild Trigger Manual Github Enterprise
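# Manually invoked trigger whose source and build file live on a GitHub
# Enterprise instance registered with Cloud Build (the githubEnterpriseConfigs
# resource referenced below; "configID" and "myProject" are placeholders).
# NOTE(review): name is left empty here — presumably the service assigns an
# identifier; give real triggers an explicit name so they are recognisable in
# audit logs — confirm.
resource "google_cloudbuild_trigger" "manual-ghe-trigger" {
  name = ""

  source_to_build {
    uri                      = "https://hashicorp/terraform-provider-google-beta"
    ref                      = "refs/heads/main"
    repo_type                = "GITHUB"
    github_enterprise_config = "projects/myProject/locations/global/githubEnterpriseConfigs/configID"
  }

  git_file_source {
    path                     = "cloudbuild.yaml"
    uri                      = "https://hashicorp/terraform-provider-google-beta"
    revision                 = "refs/heads/main"
    repo_type                = "GITHUB"
    github_enterprise_config = "projects/myProject/locations/global/githubEnterpriseConfigs/configID"
  }
}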

Example Usage - Cloudbuild Trigger Manual Bitbucket Server

# Manually invoked trigger for a repository hosted on a self-managed Bitbucket
# Server that is registered with Cloud Build (bitbucketServerConfigs below;
# "configID" and "myProject" are placeholders).
resource "google_cloudbuild_trigger" "manual-bitbucket-trigger" {
  name        = "terraform-manual-bbs-trigger"

  # Repository and revision to build when the trigger is run.
  source_to_build {
    uri       = "https://bbs.com/scm/stag/test-repo.git"
    ref       = "refs/heads/main"
    repo_type = "BITBUCKET_SERVER"
    bitbucket_server_config = "projects/myProject/locations/global/bitbucketServerConfigs/configID"
  }

  # Where the build definition is read from; may differ from source_to_build.
  git_file_source {
    path      = "cloudbuild.yaml"
    uri       = "https://bbs.com/scm/stag/test-repo.git"
    revision  = "refs/heads/main"
    repo_type = "BITBUCKET_SERVER"
    bitbucket_server_config = "projects/myProject/locations/global/bitbucketServerConfigs/configID"
  }
}

Example Usage - Cloudbuild Trigger Repo

# Second-generation GitHub connection. The GitHub token itself lives in Secret
# Manager; only the version reference appears here, so the token stays out of
# configuration and state.
resource "google_cloudbuildv2_connection" "my-connection" {
  location = "us-central1"
  name = "my-connection"

  github_config {
    app_installation_id = 123123
    authorizer_credential {
      # "latest" follows rotation of the token automatically.
      oauth_token_secret_version = "projects/my-project/secrets/github-pat-secret/versions/latest"
    }
  }
}

# Repository linked through the connection above; triggers reference this
# resource rather than the raw GitHub URL.
resource "google_cloudbuildv2_repository" "my-repository" {
  name = "my-repo"
  parent_connection = google_cloudbuildv2_connection.my-connection.id
  remote_uri = "https://github.com/myuser/my-repo.git"
}

# Push trigger on a second-generation repository.
resource "google_cloudbuild_trigger" "repo-trigger" {
  location = "us-central1"

  repository_event_config {
    repository = google_cloudbuildv2_repository.my-repository.id
    # The regex is unanchored, so any branch whose name contains "feature-"
    # matches (e.g. "old-feature-x"); use "^feature-.*$" if only branches
    # starting with that prefix should start builds.
    push {
      branch = "feature-.*"
    }
  }

  filename = "cloudbuild.yaml"
}

Example Usage - Cloudbuild Trigger Bitbucket Server Push

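# Push trigger for a Bitbucket Server repository (the config resource name below
# is a placeholder). With invert_regex = true the build runs for pushed tags
# that do NOT match the regex; note that "." in "^0.1.*" is unescaped and so
# matches any character, not only a literal dot.
resource "google_cloudbuild_trigger" "bbs-push-trigger" {
  name     = "bbs-push-trigger"
  location = "us-central1"

  bitbucket_server_trigger_config {
    repo_slug                        = "bbs-push-trigger"
    project_key                      = "STAG"
    bitbucket_server_config_resource = "projects/123456789/locations/us-central1/bitbucketServerConfigs/myBitbucketConfig"
    push {
      tag          = "^0.1.*"
      invert_regex = true
    }
  }

  filename = "cloudbuild.yaml"
}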

Example Usage - Cloudbuild Trigger Bitbucket Server Pull Request

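# Pull-request trigger for a Bitbucket Server repository, limited to PRs that
# target exactly "master". comment_control = "COMMENTS_ENABLED" makes builds
# for a pull request wait for a reviewer comment before running, so untrusted
# PRs cannot start the pipeline unattended — confirm the exact gating rule in
# Cloud Build's comment_control documentation.
resource "google_cloudbuild_trigger" "bbs-pull-request-trigger" {
  name     = "ghe-trigger"
  location = "us-central1"

  bitbucket_server_trigger_config {
    repo_slug                        = "terraform-provider-google"
    project_key                      = "STAG"
    bitbucket_server_config_resource = "projects/123456789/locations/us-central1/bitbucketServerConfigs/myBitbucketConfig"
    pull_request {
      branch          = "^master$"
      invert_regex    = false
      comment_control = "COMMENTS_ENABLED"
    }
  }

  filename = "cloudbuild.yaml"
}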
Example Usage - Cloudbuild Trigger Github Enterprise
# Push trigger for a repository on a GitHub Enterprise instance; the
# enterprise config resource name below is a placeholder.
resource "google_cloudbuild_trigger" "ghe-trigger" {
  name        = "ghe-trigger"
  location    = "us-central1"

  github {
    owner = "hashicorp"
    name  = "terraform-provider-google"
    # Anchored regex: only pushes to exactly "main" fire the trigger.
    push {
      branch = "^main$"
    }
    enterprise_config_resource_name = "projects/123456789/locations/us-central1/githubEnterpriseConfigs/configID"
  }

  filename = "cloudbuild.yaml"
}

Example Usage - Cloudbuild Trigger Allow Failure

# Inline build demonstrating allow_failure: the first step is meant to fail
# and the build carries on regardless. The remaining settings mirror the inline
# build example above.
resource "google_cloudbuild_trigger" "allow-failure-trigger" {
  name = "my-trigger"
  location = "global"

  trigger_template {
    branch_name = "main"
    repo_name   = "my-repo"
  }

  build {
    # No entrypoint is set, so these args go to the image's default command;
    # either way the step is intended to exit non-zero, and allow_failure
    # keeps that from failing the whole build. Use this sparingly: a step that
    # is allowed to fail can silently skip a check (tests, scanners) that later
    # steps assume has passed.
    step {
      name = "ubuntu"
      args = ["-c", "exit 1"]
      allow_failure = true
    }

    # Build input is a tarball in GCS, not the repository that fired the trigger.
    source {
      storage_source {
        bucket = "mybucket"
        object = "source_code.tar.gz"
      }
    }
    tags = ["build", "newFeature"]
    substitutions = {
      _FOO = "bar"
      _BAZ = "qux"
    }
    queue_ttl = "20s"
    logs_bucket = "gs://mybucket/logs"
    # KMS-wrapped secret; the value only base64-encodes the placeholder string
    # "encrypted-password". NOTE(review): this is the older secrets mechanism,
    # available_secrets below is the Secret Manager based replacement.
    secret {
      kms_key_name = "projects/myProject/locations/global/keyRings/keyring-name/cryptoKeys/key-name"
      secret_env = {
        PASSWORD = "ZW5jcnlwdGVkLXBhc3N3b3JkCg=="
      }
    }
    # Declared but not referenced by any step's secret_env in this example.
    available_secrets {
      secret_manager {
        env          = "MY_SECRET"
        version_name = "projects/myProject/secrets/mySecret/versions/latest"
      }
    }
    artifacts {
      images = ["gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA"]
      objects {
        location = "gs://bucket/path/to/somewhere/"
        paths = ["path"]
      }
    }
    options {
      # NOTE(review): MD5 is not collision resistant; SHA256 is also accepted
      # here and is the better choice when provenance is meant to be verified.
      source_provenance_hash = ["MD5"]
      requested_verify_option = "VERIFIED"
      machine_type = "N1_HIGHCPU_8"
      disk_size_gb = 100
      substitution_option = "ALLOW_LOOSE"
      dynamic_substitutions = true
      log_streaming_option = "STREAM_OFF"
      worker_pool = "pool"
      logging = "LEGACY"
      # Placeholder entries; per the API env expects "KEY=VALUE" strings and
      # secret_env the names of variables declared in `secret` — verify.
      env = ["ekey = evalue"]
      secret_env = ["secretenv = svalue"]
      volumes {
        name = "v1"
        path = "v1"
      }
    }
  }
}

Example Usage - Cloudbuild Trigger Allow Exit Codes

# Inline build demonstrating allow_exit_codes: the step is meant to exit 1,
# which is in the allowed list, so the build continues. Unlike allow_failure
# this only tolerates the listed codes; any other non-zero exit still fails the
# build, which is the safer form when a step has a known benign failure mode.
resource "google_cloudbuild_trigger" "allow-exit-codes-trigger" {
  name = "my-trigger"
  location = "global"

  trigger_template {
    branch_name = "main"
    repo_name   = "my-repo"
  }

  build {
    # No entrypoint is set, so these args go to the image's default command;
    # the step is intended to exit non-zero.
    step {
      name = "ubuntu"
      args = ["-c", "exit 1"]
      allow_exit_codes = [1,3]
    }

    # Build input is a tarball in GCS, not the repository that fired the trigger.
    source {
      storage_source {
        bucket = "mybucket"
        object = "source_code.tar.gz"
      }
    }
    tags = ["build", "newFeature"]
    substitutions = {
      _FOO = "bar"
      _BAZ = "qux"
    }
    queue_ttl = "20s"
    logs_bucket = "gs://mybucket/logs"
    # KMS-wrapped secret; the value only base64-encodes the placeholder string
    # "encrypted-password". NOTE(review): this is the older secrets mechanism,
    # available_secrets below is the Secret Manager based replacement.
    secret {
      kms_key_name = "projects/myProject/locations/global/keyRings/keyring-name/cryptoKeys/key-name"
      secret_env = {
        PASSWORD = "ZW5jcnlwdGVkLXBhc3N3b3JkCg=="
      }
    }
    # Declared but not referenced by any step's secret_env in this example.
    available_secrets {
      secret_manager {
        env          = "MY_SECRET"
        version_name = "projects/myProject/secrets/mySecret/versions/latest"
      }
    }
    artifacts {
      images = ["gcr.io/$PROJECT_ID/$REPO_NAME:$COMMIT_SHA"]
      objects {
        location = "gs://bucket/path/to/somewhere/"
        paths = ["path"]
      }
    }
    options {
      # NOTE(review): MD5 is not collision resistant; SHA256 is also accepted
      # here and is the better choice when provenance is meant to be verified.
      source_provenance_hash = ["MD5"]
      requested_verify_option = "VERIFIED"
      machine_type = "N1_HIGHCPU_8"
      disk_size_gb = 100
      substitution_option = "ALLOW_LOOSE"
      dynamic_substitutions = true
      log_streaming_option = "STREAM_OFF"
      worker_pool = "pool"
      logging = "LEGACY"
      # Placeholder entries; per the API env expects "KEY=VALUE" strings and
      # secret_env the names of variables declared in `secret` — verify.
      env = ["ekey = evalue"]
      secret_env = ["secretenv = svalue"]
      volumes {
        name = "v1"
        path = "v1"
      }
    }
  }
}

Example Usage - Cloudbuild Trigger Pubsub With Repo

# Second-generation GitHub connection. The GitHub token itself lives in Secret
# Manager; only the version reference appears here, so the token stays out of
# configuration and state.
resource "google_cloudbuildv2_connection" "my-connection" {
  location = "us-central1"
  name = "my-connection"

  github_config {
    app_installation_id = 123123
    authorizer_credential {
      # "latest" follows rotation of the token automatically.
      oauth_token_secret_version = "projects/my-project/secrets/github-pat-secret/versions/latest"
    }
  }
}

# Repository linked through the connection above; the trigger below references
# this resource instead of the raw GitHub URL.
resource "google_cloudbuildv2_repository" "my-repository" {
  name = "my-repo"
  parent_connection = google_cloudbuildv2_connection.my-connection.id
  remote_uri = "https://github.com/myuser/my-repo.git"
}

# Topic whose messages start builds. Publish permission on this topic is
# effectively permission to run the build, so keep roles/pubsub.publisher tight.
resource "google_pubsub_topic" "mytopic" {
  name = "my-topic"
}

# Pub/Sub-started trigger that builds a second-generation repository. No filter
# is set, so every message on the topic starts a build of refs/heads/main.
resource "google_cloudbuild_trigger" "pubsub-with-repo-trigger" {
  name = "pubsub-with-repo-trigger"
  location = "us-central1"

  pubsub_config {
    topic = google_pubsub_topic.mytopic.id
  }
  # Repository and revision to build; the linked repository resource replaces
  # the uri used by the first-generation examples.
  source_to_build {
    repository = google_cloudbuildv2_repository.my-repository.id
    ref = "refs/heads/main"
    repo_type = "GITHUB"
  }
  # Where the build definition is read from.
  git_file_source {
    path = "cloudbuild.yaml"
    repository = google_cloudbuildv2_repository.my-repository.id
    revision = "refs/heads/main"
    repo_type = "GITHUB"
  }
}

Argument Reference

The following arguments are supported:


The git_file_source block supports:

The repository_event_config block supports:

The pull_request block supports:

The push block supports:

The source_to_build block supports:

The trigger_template block supports:

The github block supports:

The pull_request block supports:

The push block supports:

The bitbucket_server_trigger_config block supports:

The pull_request block supports:

The push block supports:

The pubsub_config block supports:

The webhook_config block supports:

The approval_config block supports:

The build block supports:

The source block supports:

The storage_source block supports:

The repo_source block supports:

The secret block supports:

The available_secrets block supports:

The secret_manager block supports:

The step block supports:

The volumes block supports:

The artifacts block supports:

The objects block supports:

The timing block contains:

The maven_artifacts block supports:

The python_packages block supports:

The npm_packages block supports:

The options block supports:

The volumes block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

Trigger can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import Trigger using one of the formats above. For example:

# Adopts an existing trigger into Terraform state; the {{...}} segments are
# placeholders for the real project, location and trigger id.
import {
  id = "projects/{{project}}/locations/{{location}}/triggers/{{trigger_id}}"
  to = google_cloudbuild_trigger.default
}

When using the terraform import command, Trigger can be imported using one of the formats above. For example:

# Each line is an alternative id format for the same trigger; the shorter forms
# presumably fall back to the provider's configured project and location.
$ terraform import google_cloudbuild_trigger.default projects/{{project}}/locations/{{location}}/triggers/{{trigger_id}}
$ terraform import google_cloudbuild_trigger.default projects/{{project}}/triggers/{{trigger_id}}
$ terraform import google_cloudbuild_trigger.default {{project}}/{{trigger_id}}
$ terraform import google_cloudbuild_trigger.default {{trigger_id}}

User Project Overrides

This resource supports User Project Overrides.