How to access a GCP Cloud Source Repository from another project?

Question

I have project A and project B.

I use a GCP Cloud Source Repository on project A as my 'origin' remote.

I use Cloud Build with a trigger on changes to the 'develop' branch of the repo to trigger builds. As part of the build I deploy some stuff with the gcloud builder, to project A.

Now, I want to run the same build on project B. Maybe the same branch, maybe a different branch (i.e. 'release-*'). In the end want to deploy some stuff with the gcloud builder to project B.

The problem is, when I'm on project B (in Google Cloud Console), I can't even see the repo in project A. It asks me to "connect repository", but I can only select GitHub or Bitbucket repos for mirroring. The option "Cloud Source Repositories" is greyed out, telling me that they "are already connected". Just evidently not one from another project.

I could set up a new repo on project B, and push to both repos, but that seems inefficient (and likely not sustainable long term). The curious thing is, that such a setup could easily be achieved using an external Bitbucket/GitHub repo as origin and mirrored in both projects.

Is anything like this at all possible in Google Cloud Platform without external dependencies?

I also tried running all my builds in project A and have a separate trigger that deploys to project B (I use substitutions to manage that), but it fails with permission issues. Cloud Builds seem to always run with a Cloud Build service account, of which you can manage the roles, but I can't see how I could give it access to another project. Also in this case both builds would appear indistinguishable in a single build history, which is not ideal.

Answer 1

My solution:

1. From service A, create new Cloud Build on branch release-* with Build Configuration specify $_PROJECT_ID is project B id
2. On GCP Cloud Build definition, add new Variable name _PROJECT_ID is project B id

NOTE: Remember grant permissons for your service account of project A(@cloudbuild.gserviceaccount.com) on project B

cloudbuild.yaml

  - name: gcr.io/cloud-builders/docker
    args:
      - build
      - '--no-cache'
      - '-t'
      - '$_GCR_HOSTNAME/$_PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
      - .
      - '-f'
      - Dockerfile
    id: Build
  - name: gcr.io/cloud-builders/docker
    args:
      - push
      - '$_GCR_HOSTNAME/$_PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
    id: Push
  - name: gcr.io/cloud-builders/gcloud
    args:
      - beta
      - run
      - deploy
      - $_SERVICE_NAME
      - '--platform=managed'
      - '--image=$_GCR_HOSTNAME/$_PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
      - >-
        --labels=managed-by=gcp-cloud-build-deploy-cloud-run,commit-sha=$COMMIT_SHA,gcb-build-id=$BUILD_ID,gcb-trigger-id=$_TRIGGER_ID,$_LABELS
      - '--region=$_DEPLOY_REGION'
      - '--quiet'
      - '--project=$_PROJECT_ID'
    id: Deploy
    entrypoint: gcloud
images:
  - '$_GCR_HOSTNAME/$_PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
options:
  substitutionOption: ALLOW_LOOSE
timeout: '20m'
tags:
  - gcp-cloud-build-deploy-cloud-run
  - gcp-cloud-build-deploy-cloud-run-managed
  - driveit-hp-agreement-mngt-api```


  [1]: https://i.stack.imgur.com/XhRJ4.png

Answer 2

I faced a similar problem and I solved it by having multiple Cloud Build files.

A Cloud Build file (which got triggered when codes were pushed to a certain branch) was dedicated to copying all of my source codes into the new project source repo, of which it also has it's own Cloud Build file for deployment to that project.

Here is a sample of the Cloud Build file that copies sources to another project:

steps:
  - name: gcr.io/cloud-builders/git
    args: ['checkout', '--orphan', 'temp']
  - name: gcr.io/cloud-builders/git
    args: ['add', '-A']
  - name: gcr.io/cloud-builders/git
    args: ['config', '--global', 'user.name', 'Your Name']
  - name: gcr.io/cloud-builders/git
    args: ['config', '--global', 'user.email', 'Your Email']
  - name: gcr.io/cloud-builders/git
    args: ['commit', '-am', 'latest production commit']
  - name: gcr.io/cloud-builders/git
    args: ['branch', '-D', 'master']
  - name: gcr.io/cloud-builders/git
    args: ['branch', '-m', 'master']
  - name: gcr.io/cloud-builders/git
    args: ['push', '-f', 'https://source.developers.google.com/p/project-prod/r/project-repo', 'master']

This pushed all of the source codes into the new project.

Note that: You need to give your Cloud Build service account permissions to push source codes into the other project source repositories.

Answer 3

As you have already said, you can host your repos outside in BitBucket/Github and sync them to each project, but you need to pay an extra for each build.

You could use third party services otherwise to build your repos outside and deploy the result wherever you want for ex. look into CircleCI or similar service.

You could give permissions to build that it could refer to resources from another project, but I would keep them separated to minimize complexity.