Skip to content

Latest commit

 

History

History
141 lines (98 loc) · 4.12 KB

README.md

File metadata and controls

141 lines (98 loc) · 4.12 KB

Compute Engine VM Labeler - Cloud Run

In this sample, you'll build a Cloud Run service that receives a notification when a Compute Engine VM instance is created with Eventarc. In response, it adds a label to the newly created VM, specifying the creator of the VM.

Determine newly created Compute Engine VMs

Compute Engine emits 2 AuditLogs when a VM is created.

The first one is emitted at the beginning of VM creation as looks like this:

GCE AuditLog

The second one is emitted after the VM creation and looks like this:

GCE AuditLog

Notice the operation field with first:true and last:true values. The second AuditLog contains all the information we need to label an instance, therefore we will use last:true flag to detect it in Cloud Run.

Before you begin

Before deploying the service and trigger, go through some setup steps.

Enable APIs

Make sure that the project id is setup:

gcloud config set project [YOUR-PROJECT-ID]
PROJECT_ID=$(gcloud config get-value project)

Enable all necessary services:

gcloud services enable run.googleapis.com
gcloud services enable eventarc.googleapis.com
gcloud services enable cloudbuild.googleapis.com

Enable Audit Logs

You will use Audit Logs trigger for Compute Engine. Make sure Admin Read, Data Read, and Data Write log types are enabled for Compute Engine.

Region, location, platform

Set region, location and platform for Cloud Run and Eventarc:

REGION=us-central1

gcloud config set run/platform managed
gcloud config set run/region $REGION
gcloud config set eventarc/location $REGION

Configure a service account

Default compute service account will be used in the Audit Log trigger of Eventarc. Grant the eventarc.eventReceiver role to the default compute service account:

PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member=serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com \
    --role='roles/eventarc.eventReceiver'

GCE VM Labeler

This service receives AuditLogs for service compute.googleapis.com and method beta.compute.instances.insert to detect newly created VMs. Then, it checks the received AuditLog if it's the last one in the sequence by checking the last:true flag in operation field. If so, it extracts the relevant info from the AuditLog such as project id, zone, instance id and uses Compute Engine API to label the instance with the username of the creator.

The source code of the service is in csharp folder.

Inside the source folder, build and push the container image by running the following command:

SERVICE_NAME=gce-vm-labeler
gcloud builds submit --tag gcr.io/$PROJECT_ID/$SERVICE_NAME

Deploy the service:

gcloud run deploy $SERVICE_NAME \
  --image gcr.io/$PROJECT_ID/$SERVICE_NAME \
  --allow-unauthenticated

Trigger

Once the service is deployed, create a trigger to filter for the right events:

gcloud eventarc triggers create $SERVICE_NAME-trigger \
  --destination-run-service=$SERVICE_NAME \
  --destination-run-region=$REGION \
  --event-filters="type=google.cloud.audit.log.v1.written" \
  --event-filters="serviceName=compute.googleapis.com" \
  --event-filters="methodName=beta.compute.instances.insert" \
  --service-account=$PROJECT_NUMBER-compute@developer.gserviceaccount.com

Before testing, make sure the trigger is ready by checking ACTIVE flag:

gcloud eventarc triggers list

NAME                                ACTIVE
gce-vm-labeler-trigger              Yes

Test

To test, you need to create a Compute Engine VM in Cloud Console (You can also create VMs with gcloud but it does not seem to generate AuditLogs).

Once the VM creation completes, you should see the added username label on the VM in the Cloud Console or using the following command:

gcloud compute instances describe my-instance

...
labelFingerprint: ULU6pAy2C7s=
labels:
  username: atameldev
...