A template repository for a Cloud Run microservice, written in Python

• Enable the Cloud Run API via the console or CLI:

gcloud services enable run.googleapis.com

• Flask: Web server framework
• Buildpack support Tooling to build production-ready container images from source code and without a Dockerfile
• Dockerfile: Container build instructions, if needed to replace buildpack for custom build
• SIGTERM handler: Catch termination signal for cleanup before Cloud Run stops the container
• Service metadata: Access service metadata, project ID and region, at runtime
• Local development utilities: Auto-restart with changes and prettify logs
• Structured logging w/ Log Correlation JSON formatted logger, parsable by Cloud Logging, with automatic correlation of container logs to a request log.
• Unit and System tests: Basic unit and system tests setup for the microservice
• Task definition and execution: Uses invoke to execute defined tasks in tasks.py.

This template works with Cloud Code, an IDE extension to let you rapidly iterate, debug, and run code on Kubernetes and Cloud Run.

Learn how to use Cloud Code for:

• Local development - VSCode, IntelliJ

• Local debugging - VSCode, IntelliJ

• Deploying a Cloud Run service - VSCode, IntelliJ

• Creating a new application from a custom template (.template/templates.json allows for use as an app template) - VSCode, IntelliJ

To run the invoke commands below, install invoke system wide:

pip install invoke

Invoke will handle establishing local virtual environments, etc. Task definitions can be found in tasks.py.

1. Set Project Id:

   export GOOGLE_CLOUD_PROJECT=<GCP_PROJECT_ID>

2. Start the server with hot reload:

   invoke dev

1. Set Project Id:

   export GOOGLE_CLOUD_PROJECT=<GCP_PROJECT_ID>

2. Enable the Artifact Registry API:

   gcloud services enable artifactregistry.googleapis.com

3. Create an Artifact Registry repo:

   export REPOSITORY="samples"
   export REGION=us-central1
   gcloud artifacts repositories create $REPOSITORY --location $REGION --repository-format "docker"
   export REPOSITORY_URL=`$REGION-docker.pkg.dev`

4. Use the gcloud credential helper to authorize Docker to push to your Artifact Registry:

   gcloud auth configure-docker

5. Build the container using a buildpack:

   invoke build

6. Deploy to Cloud Run:

   invoke deploy

1. Pass credentials via GOOGLE_APPLICATION_CREDENTIALS env var:

   export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

2. Set Project Id:

   export GOOGLE_CLOUD_PROJECT=<GCP_PROJECT_ID>

3. Run unit tests

   invoke test

4. Run system tests

   gcloud builds submit \
       --config test/advance.cloudbuild.yaml \
       --substitutions 'COMMIT_SHA=manual,REPO_NAME=manual'

   The Cloud Build configuration file will build and deploy the containerized service to Cloud Run, run tests managed by pytest, then clean up testing resources. This configuration restricts public access to the test service. Therefore, service accounts need to have the permission to issue ID tokens for request authorization:

   • Enable Cloud Run, Cloud Build, Artifact Registry, and IAM APIs:

     gcloud services enable run.googleapis.com cloudbuild.googleapis.com iamcredentials.googleapis.com artifactregistry.googleapis.com

   • Set environment variables.

     export PROJECT_ID="$(gcloud config get-value project)"
     export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

   • Create an Artifact Registry repo (or use another already created repo):

     export REPOSITORY="samples"
     export REGION=us-central1
     gcloud artifacts repositories create $REPOSITORY --location $REGION --repository-format "docker"

   • Create service account token-creator with Service Account Token Creator and Cloud Run Invoker roles.

     gcloud iam service-accounts create token-creator
     
     gcloud projects add-iam-policy-binding $PROJECT_ID \
         --member="serviceAccount:token-creator@$PROJECT_ID.iam.gserviceaccount.com" \
         --role="roles/iam.serviceAccountTokenCreator"
     gcloud projects add-iam-policy-binding $PROJECT_ID \
         --member="serviceAccount:token-creator@$PROJECT_ID.iam.gserviceaccount.com" \
         --role="roles/run.invoker"

   • Add Service Account Token Creator role to the Cloud Build service account.

     gcloud projects add-iam-policy-binding $PROJECT_ID \
         --member="serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
         --role="roles/iam.serviceAccountTokenCreator"

   • Cloud Build also requires permission to deploy Cloud Run services and administer artifacts:

     gcloud projects add-iam-policy-binding $PROJECT_ID \
         --member="serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
         --role="roles/run.admin"
     gcloud projects add-iam-policy-binding $PROJECT_ID \
         --member="serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
         --role="roles/iam.serviceAccountUser"
     gcloud projects add-iam-policy-binding $PROJECT_ID \
         --member="serviceAccount:$PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
         --role="roles/artifactregistry.repoAdmin"

This repo performs basic periodic testing for maintenance. Please use the issue tracker for bug reports, features requests and submitting pull requests.

Please see the contributing guidelines

This library is licensed under Apache 2.0. Full license text is available in LICENSE.