Skip to content

Adding name field to google cloud logging audit destinations

Hitesh Raghuvanshi requested to merge 416572-add-name-field-gcp-logging into master

What does this MR do and why?

This MR is adding a new attribute name in GraphQL APIs for google cloud logging configurations for streaming audit events to google cloud. Following changes are been made in this MR:

  1. Added name attribute while creation, updation and listing of googleCloudLoggingConfigurations for a group.
  2. Modified auditing for update api for not sending audit events in case there is no update in any of the attributes.

How to set up and validate locally

  1. You would require a group with Ultimate license for this and owner access for the group.
  2. Add a custom http destination for the group by following instructions at https://docs.gitlab.com/ee/administration/audit_event_streaming/#add-a-new-http-destination. This will help in checking whether the audit events are being streamed as expected or not.
  3. Follow the instructions at https://docs.gitlab.com/ee/administration/audit_event_streaming/#add-a-new-google-cloud-logging-destination and add 2 google cloud logging configurations for the group. You can use dummy values for setting up these destinations, not necessary to use actual credentials.
  4. Login as the group admin and go to GraphQL explorer https://gitlab.localdev:3000/-/graphql-explorer for running GraphQL queries and mutations.
  5. In graphql-explorer dashboard run following query for listing all the google cloud configurations for the above group, you will notice that for the destinations the name field will be something like Destination_b1428ecf-021a-4154-86b2-38b1db107599, since on UI we haven't provided any name so this is the default generated name with some random id.
query {
  group(fullPath: "<group_full_path>") {
    id
    googleCloudLoggingConfigurations {
      nodes {
        id
        logIdName
        googleProjectIdName
        privateKey
        clientEmail
        name
      }
    }
  }
}
  1. Now let's create a new destination by running following mutation and we will be providing destination name this time

mutation {
  googleCloudLoggingConfigurationCreate(input: { name: "destination with name", groupPath: "<group_full_path>", googleProjectIdName: "my-google-project", clientEmail: "my-email@my-google-project.iam.gservice.account.com", privateKey: "YOUR_PRIVATE_KEY", logIdName: "audit-events" } ) {
    errors
    googleCloudLoggingConfiguration {
      id
      googleProjectIdName
      logIdName
      privateKey
      clientEmail
      name
    }
    errors
  }
}
  1. List all the destinations by running query mentioned in step 5. Notice the name field, in the newly created one it will be the given name.
  2. Now, let's update the destination, especially the name by running following mutation, notice in output the following attributes will be updated, also in external http destination added in step 2, you would have received audit events for each updated column.
mutation {
  googleCloudLoggingConfigurationUpdate(
    input: {id: "gid://gitlab/AuditEvents::GoogleCloudLoggingConfiguration/<id>", googleProjectIdName: "updated-google-id", privateKey: "YOUR_UPDATED_PRIVATE_KEY", logIdName: "audit-events", name: "updated name"}
  ) {
    errors
    googleCloudLoggingConfiguration {
      id
      logIdName
      privateKey
      googleProjectIdName
      clientEmail
      name
    }
  }
}
  1. List all the destinations for this group by running query in step 5. Everything should be in place.
  2. Note: On updating the attributes with the same values as previous ones, audit events for those fields should not get streamed or generated.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #416572 (closed)

Edited by Hitesh Raghuvanshi

Merge request reports

Loading