Added create API for instance level GCP streaming destinations
What does this MR do and why?
This MR adds a new mutation to the GitLab API that allows users to create instance-level Google Cloud Logging configurations for streaming audit events. This mutation is only available to users with the admin_instance_external_audit_events permission. When a user creates a new configuration, an audit event is created.
This is quite similar to instance-level HTTP destinations and group-level Google Cloud Logging configurations.
GraphQL mutation

```graphql
mutation instanceGoogleCloudLoggingConfigurationCreate {
  instanceGoogleCloudLoggingConfigurationCreate(
    input: {
      googleProjectIdName: "my-google-project"
      clientEmail: "my-email@my-google-project.iam.gservice.account.com"
      privateKey: "YOUR_PRIVATE_KEY"
      logIdName: "audit-events"
      name: "manmua"
    }
  ) {
    errors
    instanceGoogleCloudLoggingConfiguration {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}
```
How to set up and validate locally
- For this you need admin access to a GitLab instance with an Ultimate license.
- Visit the GraphQL explorer at https://gitlab.localdev:3000/-/graphql-explorer.
- Run the following mutation to add a new instance-level GCP configuration:
```graphql
mutation instanceGoogleCloudLoggingConfigurationCreate {
  instanceGoogleCloudLoggingConfigurationCreate(
    input: {
      googleProjectIdName: "my-google-project"
      clientEmail: "my-email@my-google-project.iam.gservice.account.com"
      privateKey: "YOUR_PRIVATE_KEY"
      logIdName: "audit-events"
      name: "my-destination"
    }
  ) {
    errors
    instanceGoogleCloudLoggingConfiguration {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}
```
- For credentials, you can refer to the details in https://docs.gitlab.com/ee/administration/audit_event_streaming/#google-cloud-logging-destinations. But for now, dummy details will also work. I will enable streaming for this in another MR, which belongs to issue #423041 (closed).
- To check whether the configuration was added, run the following query to list the details:
```graphql
query instanceGoogleCloudLoggingConfigurations {
  instanceGoogleCloudLoggingConfigurations {
    nodes {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}
```
- You can also run the mutation as a non-admin user for testing. It should return an error in that case.
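The same create-and-verify flow as a script, added here as an example and not code from this MR or from GitLab. It passes the service-account key as a GraphQL variable rather than inlining it in the query text (so it does not end up in query logs), and it treats a top-level `errors` entry, which is where the non-admin case surfaces, separately from the mutation's own `errors` list. The input type name `InstanceGoogleCloudLoggingConfigurationCreateInput`, the `Authorization: Bearer` header and all sample values are assumptions or constructed.

```python
import json
import urllib.request

# Assumed input type name, following GitLab's usual <mutationName>Input convention.
CREATE_MUTATION = """
mutation CreateGcpDestination($input: InstanceGoogleCloudLoggingConfigurationCreateInput!) {
  instanceGoogleCloudLoggingConfigurationCreate(input: $input) {
    errors
    instanceGoogleCloudLoggingConfiguration { id logIdName googleProjectIdName clientEmail name }
  }
}
"""


class CreateFailed(Exception):
    """Raised when GitLab rejects the mutation (authorization or validation)."""


def build_create_request(google_project_id_name, client_email, private_key, log_id_name, name):
    """Return the JSON body for the create mutation. The private key is sent in
    `variables`, never in the query string, so it stays out of query logs."""
    fields = {"googleProjectIdName": google_project_id_name, "clientEmail": client_email,
              "privateKey": private_key, "logIdName": log_id_name, "name": name}
    missing = [k for k, v in fields.items() if not v]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return {"query": CREATE_MUTATION, "variables": {"input": fields}}


def parse_create_response(body):
    """Return the created configuration (which never echoes the private key), or
    raise CreateFailed. Top-level `errors` carries authorization failures such as a
    non-admin caller; the mutation's `errors` list carries validation failures."""
    if body.get("errors"):
        raise CreateFailed("; ".join(e.get("message", "") for e in body["errors"]))
    payload = body["data"]["instanceGoogleCloudLoggingConfigurationCreate"]
    if payload["errors"]:
        raise CreateFailed("; ".join(payload["errors"]))
    return payload["instanceGoogleCloudLoggingConfiguration"]


def create_destination(gitlab_url, token, **fields):
    """POST the mutation to <gitlab_url>/api/graphql using a personal access token."""
    req = urllib.request.Request(
        f"{gitlab_url}/api/graphql",
        data=json.dumps(build_create_request(**fields)).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return parse_create_response(json.load(resp))
```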
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #423038 (closed)
Edited by Hitesh Raghuvanshi