
Added create API for instance level GCP streaming destinations

Hitesh Raghuvanshi requested to merge 423038-create-list-gcp-instance into master

What does this MR do and why?

This MR adds a new mutation to the GitLab API that allows users to create instance-level Google Cloud Logging configurations for streaming audit events. This mutation is only available to users with the admin_instance_external_audit_events permission. When a user creates a new configuration, an audit event is created.

This is quite similar to the instance-level HTTP destinations and the group-level Google Cloud Logging configurations.

GraphQL mutation

mutation instanceGoogleCloudLoggingConfigurationCreate {
  instanceGoogleCloudLoggingConfigurationCreate(input: { googleProjectIdName: "my-google-project", clientEmail: "my-email@my-google-project.iam.gservice.account.com", privateKey: "YOUR_PRIVATE_KEY", logIdName: "audit-events", name: "manmua" }) {
    errors
    instanceGoogleCloudLoggingConfiguration {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}

How to set up and validate locally

  1. You need admin access to a GitLab instance with an Ultimate license.
  2. Visit the GraphQL explorer at https://gitlab.localdev:3000/-/graphql-explorer.
  3. Run the following mutation to add a new instance-level GCP configuration:
mutation instanceGoogleCloudLoggingConfigurationCreate {
  instanceGoogleCloudLoggingConfigurationCreate(input: { googleProjectIdName: "my-google-project", clientEmail: "my-email@my-google-project.iam.gservice.account.com", privateKey: "YOUR_PRIVATE_KEY", logIdName: "audit-events", name: "my-destination" }) {
    errors
    instanceGoogleCloudLoggingConfiguration {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}
  4. For credentials, you can refer to the details in https://docs.gitlab.com/ee/administration/audit_event_streaming/#google-cloud-logging-destinations. But for now dummy details will also work. I will enable streaming for this in another MR, which belongs to issue #423041 (closed).
  5. To check whether the configuration was added, run the following query to list the details:
query instanceGoogleCloudLoggingConfigurations {
  instanceGoogleCloudLoggingConfigurations {
    nodes {
      id
      logIdName
      googleProjectIdName
      clientEmail
      name
    }
  }
}
  6. You can also run the mutation as a non-admin user for testing. It should return an error in that case.
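As an added illustration (not GitLab's code), a small Ruby model of the create flow this MR describes and of the non-admin check in the last step: the permission gate, the audit event written on success, and a response shaped like the payload above, which exposes only the five listed fields and never echoes privateKey back. The Store, User, id format and error strings are constructed for the example.

```ruby
# Illustrative model (not GitLab's code) of the create flow this MR describes:
# permission gate, stored destination, audit event, and privateKey never echoed.
module GcpLoggingConfigDemo
  REQUIRED_PERMISSION = :admin_instance_external_audit_events
  REQUIRED_FIELDS = %w[googleProjectIdName clientEmail privateKey logIdName name].freeze
  # Fields the mutation exposes on instanceGoogleCloudLoggingConfiguration.
  EXPOSED_FIELDS = %w[id logIdName googleProjectIdName clientEmail name].freeze

  User = Struct.new(:username, :permissions) do
    def can?(permission)
      permissions.include?(permission)
    end
  end

  # In-memory stand-in for the database tables (constructed for the example).
  class Store
    attr_reader :configurations, :audit_events

    def initialize
      @configurations = []
      @audit_events = []
    end
  end

  # Returns a hash shaped like the GraphQL payload shown above:
  # { "errors" => [...], "instanceGoogleCloudLoggingConfiguration" => {...} or nil }
  def self.create(store, user, input)
    # Deny before touching the store, so nothing is created or audited.
    return failure(["You don't have permission to perform this action"]) unless user.can?(REQUIRED_PERMISSION)
    missing = REQUIRED_FIELDS.select { |f| input[f].to_s.strip.empty? }
    return failure(missing.map { |f| "#{f} can't be blank" }) unless missing.empty?
    # Constructed id; GitLab would return a global ID here.
    record = input.slice(*REQUIRED_FIELDS).merge('id' => "config-#{store.configurations.size + 1}")
    store.configurations << record
    # The audit event names the actor and the destination but carries only
    # the non-secret attributes, the same set the mutation itself exposes.
    store.audit_events << {
      'author' => user.username,
      'event' => 'google_cloud_logging_configuration_created',
      'details' => record.slice(*EXPOSED_FIELDS)
    }
    { 'errors' => [], 'instanceGoogleCloudLoggingConfiguration' => record.slice(*EXPOSED_FIELDS) }
  end

  def self.failure(errors)
    { 'errors' => errors, 'instanceGoogleCloudLoggingConfiguration' => nil }
  end
end
```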

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #423038 (closed)

Edited by Hitesh Raghuvanshi
