Can't use env variables defined in Cloud build

[jkevingutierrez]

Trying to run a Cloud Build file like the next:

steps:
  - name: 'gcr.io/google-appengine/exec-wrapper'
    id: TEST
    args:
      [
        '-i',
        'gcr.io/$PROJECT_ID/${_BUILD_TARGET}',
        '-s',
        '${_CLOUD_SQL_DEV}',
        '-e',
        'DJANGO_SETTINGS_MODULE=$$DJANGO_SETTINGS_MODULE',
        '-e',
        'CLOUD_SQL=/cloudsql/${_CLOUD_SQL_DEV}',
        '--',
       'python',
        'manage.py',
        'migrate',
        '--no-input',
      ]
    env:
      - 'DJANGO_SETTINGS_MODULE=test.production'

Is throwing an error, as it is assigning the env variable in app engine as the string "$DJANGO_SETTINGS_MODULE" instead of the real value that was coming from the env variable.

Step #0 - "apply migrations": ModuleNotFoundError: No module named '$DJANGO_SETTINGS_MODULE' Finished Step #0 - "apply migrations"

Not sure if the problem is in

ruby-docker/app-engine-exec-wrapper/execute.sh

Line 32 in 05dc673

ENV_PARAMS+=(-e "$OPTARG")

as it is adding the environment variables in quotes ENV_PARAMS+=(-e "$OPTARG"). Maybe removing the quotes would fix the issue

ENV_PARAMS+=(-e $OPTARG)

or the problem can also be in

ruby-docker/app-engine-exec-wrapper/execute.sh

Line 32 in 05dc673

ENV_PARAMS+=(-e "$OPTARG")

as it is adding the ENV_PARAMS using quotes. Maybe removing the quotes would fix the issue

docker run --rm ${ENTRYPOINT} --volumes-from=${CONTAINER} --network=${CONTAINER_NETWORK} ${ENV_PARAMS[@]} ${IMAGE} "$@"

It is a silly example, as I can use a substituion instead of an env variable there, but what I'm really trying to do is something like https://cloud.google.com/build/docs/securing-builds/use-secrets

[rgalite]

If you're using basic plain-text environment variables (no secrets), you don't need to use $$.
DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE should work just fine.

[rgalite]

If you're looking to use secrets with this cloud builder, you'll need to use the entrypoint parameter. This is required to refer to the environment variable for the secret.

You'll need to call the /buildstep/execute.sh script to in the args parameter.

You'll end up with something like this:

steps:
- name: gcr.io/google-appengine/exec-wrapper
  entrypoint: bash
  args:
  - -c
  - |-
    /buildstep/execute.sh -i gcr.io/my-project/appengine/some-long-name \
        -e ENV_VARIABLE_1=value1 -e ENV_2=value2 \
        -s my-project:us-central1:my_cloudsql_instance \
         -- bundle exec rake db:migrate
  secretEnv:
  - ENV_VARIABLE_1
  - ENV_2
availableSecrets:
  secretManager:
  - versionName: projects/my-project/secrets/secret-1/versions/1
    env: ENV_VARIABLE_1
  - versionName: projects/my-project/secrets/secret-2/versions/1
    env: ENV_2

[jkevingutierrez]

Great! Thanks for the answer. It would be great to have it documented, maybe in the README.md?

[swoopej]

@rgalite I'm not sure I understand where value1 and value2 are coming from in your example. Are those values stored in Secret Manager and populated with the $$ notation?