hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_cloudbuild_trigger - expose `webhook` url #11327

Open tiagojsag opened 2 years ago

tiagojsag commented 2 years ago

Description

I am implementing a Cloud Build trigger closely based on the example in the docs. My ultimate goal is to use TF with the Google + GitHub providers, and trigger a Cloud Build run when commits are pushed to key GitHub branches.

AFAICT there is no way to fully reconstruct the webhook URL I would need to pass to GitHub. Using TF I can create the Cloud Build trigger, and then go to the GCP console and get the URL, but programmatically I cannot access the API Key that is needed to fully recreate it (more info here)

(In case anyone points it out, I know that there is a "dedicated" GitHub configuration for google_cloudbuild_trigger. I explored it up to the point where it requires granting a bunch of permissions to a Google/GitHub integration, for what seems to be simply creating a webhook on GH's side. Due to privacy concerns, that will be my plan Z, and I'll explore other options first.)

New or Affected Resource(s)

Potential Terraform Configuration

Ideally, webhook-based google_cloudbuild_trigger resources would have an additional attribute for the final webhook URL, that could be easily accessed programmatically.

b/270750578

c2thorn commented 2 years ago

Hi @tiagojsag, We are limited to what is possible from the API. Taking a look at the API reference, I cannot find a field that exposes the webhook URL, and am not sure how it would be done otherwise. Do you see how this could be done from the API?

muresan commented 2 years ago

The webhook URL format is made from project id, cloud api key and secret. Currently the issues are:

  1. Finding out which Cloud API Key is generated automatically when creating a cloudbuild trigger, as there is no field in the cloudbuild trigger that references that key (and there is no corresponding data.google_apikeys_key to look it up). One solution is to create another google_apikeys_key but the issue is that the key_string (needed to build the URL) is: "An encrypted and signed value held by this key. This field can be accessed only through the GetKeyString method", which is only available (that I could find) in the `gcloud alpha services api-keys get-key-string` so getting the secret is ugly (data.external script) right now.
  2. Decrypting the Cloud API key.

mike-code commented 9 months ago

The missing data.google_apikeys_key makes it indeed tough. Does anyone have a workaround, ugly as it may be?

mdiloreto commented 7 months ago

I'm having the same issue here. I'm trying to streamline my Terraform workflow by automating the retrieval and use of webhook URLs within my modules. Could anyone outline any way to achieve this? Thanks!
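
The data.external approach mentioned in the thread, sketched as an added example (not code from any commenter or from the provider): a program that fetches the key string with the gcloud command named above and assembles the webhook URL. It assumes you manage your own API key and know its id (`key_id`), that the query keys `project`, `trigger`, `key_id` and `secret` are passed in by your module, and that the URL layout in `URL_TEMPLATE` matches what the console shows for your trigger.

```python
#!/usr/bin/env python3
"""Added example: program for Terraform's data.external that emits a Cloud Build webhook URL."""
import json
import subprocess
import sys
from urllib.parse import quote, urlencode

# Assumed URL layout; compare it with the URL the GCP console shows for the trigger.
URL_TEMPLATE = "https://cloudbuild.googleapis.com/v1/projects/{project}/triggers/{trigger}:webhook?{query}"


def fetch_key_string(project, key_id, run=subprocess.run):
    """Read the API key string with the gcloud command named in the thread."""
    cmd = ["gcloud", "alpha", "services", "api-keys", "get-key-string", key_id,
           "--project", project, "--format", "value(keyString)"]
    result = run(cmd, check=True, capture_output=True, text=True)
    key = result.stdout.strip()
    if not key:
        raise RuntimeError("gcloud returned an empty key string")
    return key


def build_webhook_url(project, trigger, api_key, secret):
    """Assemble the URL, percent-encoding every caller-supplied part."""
    query = urlencode({"key": api_key, "secret": secret})
    return URL_TEMPLATE.format(project=quote(project, safe=""),
                               trigger=quote(trigger, safe=""), query=query)


def main(stdin=sys.stdin, stdout=sys.stdout):
    # data.external passes its `query` map as one JSON object on stdin
    # and expects a flat JSON object of strings on stdout.
    q = json.load(stdin)
    missing = [k for k in ("project", "trigger", "key_id", "secret") if not q.get(k)]
    if missing:
        sys.exit("missing query keys: " + ", ".join(missing))
    api_key = fetch_key_string(q["project"], q["key_id"])
    url = build_webhook_url(q["project"], q["trigger"], api_key, q["secret"])
    # The URL embeds both credentials and ends up in Terraform state, so mark
    # anything derived from it as sensitive and keep it out of logs.
    json.dump({"url": url}, stdout)


if __name__ == "__main__":
    main()
```

This does not solve the first point raised above: it cannot discover the key that Cloud Build generates automatically, only read a key whose id you already have.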