Repository Mapping Does Not Exist when creating Google Cloudbuild Trigger for GitHub repo

Hello all!

I’m running Terraform v1.1.4 and I’m running into an issue that has been raised previously, but always required a manual workaround.

Take the following simple cloudbuild trigger:

resource "google_cloudbuild_trigger" "build-trigger" {
    filename = "${var.cloudbuild_file}"
    description = local.trigger_description
    project = "${var.project}"
    name = "${var.repo}-master"

    github {
        owner = "${var.github_org}"
        name = "${var.repo}"
        push {
            branch = "^master$"
        }
    }
}

When running a Terraform Apply, I get the following:

google_cloudbuild_trigger.build-trigger: Creating...
╷
│ Error: Error creating Trigger: googleapi: Error 400: Repository mapping does not exist. Please visit https://console.cloud.google.com/cloud-build/triggers/connect?project=<blah> to connect a repository to your project

The terraform plan does reveal that the repository is named correctly, but the issue is that you have to open the Cloud Build UI and “connect the repository” between GitHub and Cloud Build before the Terraform call can succeed.

While this works for deploying existing applications to different places, this somewhat defeats the purpose for being able to seamlessly deploy new/arbitrary github apps, and we have to tell developers to log into cloud build and link the repo first.

Has anyone found a way around this?
Thanks!

Hi,

You have to link your GitHub repo to your GCP project, this requires GitHub authentication.

Hey Compy,

Any updates/success on this? I just ran into it too and I’m wondering what a proper solution could be …
On SO there is the suggestion to somehow have a persistent project which is connected, but that’s kind of sad.

greetings

Heya,

Nah, no progress on that front. I think it’s a side effect of the jankiness in how Google Cloud Build authenticates via interactive OAuth with GitHub.

Hi all,

I ran into a similar problem. In my case, the repository mapping was configured only in a specific region (us-central1), but Terraform requested to create a build trigger in the global region, resulting in a “repository mapping does not exist” error.

Since there is no region parameter in the google_cloudbuild_trigger resource, I turned my repository mapping into global for a quick workaround. But I also guess the resource should support an explicit region parameter too.


I have the same issue here. Any news?

works for me, thanks

If you don’t care about the fancy github-gcloud integration features and just want IaC all the way, you can combine a webhook trigger and a build template with custom steps to achieve what you want.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudbuild_trigger#example-usage---cloudbuild-trigger-webhook-config

build {
    step {
      name       = "gcr.io/cloud-builders/gsutil"
      entrypoint = "/bin/bash"
      args       = ["cp", "gs://mybucket/remotefile.zip", "localfile.zip"]
      timeout    = "120s"
      secret_env = ["MY_SECRET"]
    }
}

The following worked out for me but now having an issue with the global trigger and a repository

Error: Error creating Trigger: googleapi: Error 400: triggers with repository resources cannot be created in the “global” region

resource "google_cloudbuildv2_repository" "my-repository" {
  provider = google-beta
  name = "my-repo"
  parent_connection = google_cloudbuildv2_connection.my-connection.id
  remote_uri = var.github_source
}

resource "google_cloudbuild_trigger" "repo-trigger" {
  provider = google-beta
  #location = "global"

  repository_event_config {
    repository = google_cloudbuildv2_repository.my-repository.id
    push {
      branch = "master"
    }
  }

  filename = "./cloudbuild.yaml"
}

resource "google_secret_manager_secret" "github-token-secret" {
  provider  = google-beta
  secret_id = "github-token-secret"

  replication {
    automatic = true
  }
}

resource "google_secret_manager_secret_version" "github-token-secret-version" {
  provider    = google-beta
  secret      = google_secret_manager_secret.github-token-secret.id
  secret_data = var.github_token
}

data "google_iam_policy" "p4sa-secretAccessor" {
  provider = google-beta
  binding {
    role = "roles/secretmanager.secretAccessor"
    // Replace <ID> with the Google Cloud project number of your project.
    members = ["serviceAccount:service-<ID>@gcp-sa-cloudbuild.iam.gserviceaccount.com"]
  }
}

resource "google_secret_manager_secret_iam_policy" "policy" {
  provider    = google-beta
  secret_id   = google_secret_manager_secret.github-token-secret.secret_id
  policy_data = data.google_iam_policy.p4sa-secretAccessor.policy_data
}

resource "google_cloudbuildv2_connection" "my-connection" {
  provider = google-beta
  location = var.region
  name     = "github-connection"

  github_config {
    app_installation_id = var.github_app_id
    authorizer_credential {
      oauth_token_secret_version = google_secret_manager_secret_version.github-token-secret-version.id
    }
  }
}
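
One way to address the “global” region error above, as an added example that is not part of the original post: the trigger gets an explicit `location` matching the 2nd-gen connection's region, the Cloud Build service agent is derived from the project number instead of a hard-coded `<ID>`, and the secret grant is additive (`_iam_member`) rather than an authoritative policy. Assumptions: hashicorp/google 5.x with a default project set on the provider, and the variables `var.region`, `var.github_token`, `var.github_source` and the hypothetical `var.github_app_installation_id` declared elsewhere.

```hcl
# Added example; resource names and variables are assumptions, not the poster's code.
data "google_project" "this" {}

resource "google_secret_manager_secret" "github_token" {
  secret_id = "github-token-secret"
  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "github_token" {
  secret      = google_secret_manager_secret.github_token.id
  secret_data = var.github_token # stored in Terraform state: restrict access to the state backend
}

resource "google_secret_manager_secret_iam_member" "cloudbuild_accessor" {
  secret_id = google_secret_manager_secret.github_token.secret_id
  role      = "roles/secretmanager.secretAccessor" # scoped to this one secret only
  member    = "serviceAccount:service-${data.google_project.this.number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
}

resource "google_cloudbuildv2_connection" "github" {
  location = var.region
  name     = "github-connection"
  github_config {
    app_installation_id = var.github_app_installation_id
    authorizer_credential {
      oauth_token_secret_version = google_secret_manager_secret_version.github_token.id
    }
  }
  depends_on = [google_secret_manager_secret_iam_member.cloudbuild_accessor]
}

resource "google_cloudbuildv2_repository" "repo" {
  name              = "my-repo"
  parent_connection = google_cloudbuildv2_connection.github.id
  remote_uri        = var.github_source
}

resource "google_cloudbuild_trigger" "repo_trigger" {
  location = var.region # same region as the connection; "global" is rejected for repository resources
  filename = "cloudbuild.yaml"
  repository_event_config {
    repository = google_cloudbuildv2_repository.repo.id
    push {
      branch = "^master$"
    }
  }
}
```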

Adding another update for anyone that comes across this. I could not use “2nd Gen” repository connections when creating a trigger. I found only “1st Gen” repository connections that were manually created in the console could be referenced.

That being said, you can use a region (and not global) with this 1st Gen repo connection. Here is what worked for me:

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "5.5.0"
    }
  }
}

provider "google" {
  project = var.project_id
}


resource "google_cloudbuild_trigger" "dev-trigger" {
  project  = var.project_id
  location = "northamerica-northeast2"
  name     = "dev-trigger"
  filename = "cloudbuild.yaml"
  tags     = ["dev"]

  github {
    owner = "owner"
    name  = "repo_name" # repo name only - does not include project/owner in front with a slash
    push {
      branch = "^dev$"
    }
  }

  substitutions = {
    _FOO = "BAR"
  }
}