https://cloud.google.com/eventarc/docs/run/create-trigger-cloud-audit-logs-gcloud?hl=ja
-- 1. 前作業
# 1. Prep: initialise the SDK, create the project, pin default region/zone,
# attach billing and enable the Compute API.
# The project ID and billing account ID below are placeholders from the
# runbook — substitute your own before running.
project_id=project01-9999999
billing_account=111111-111111-111111

gcloud init
gcloud auth list
gcloud --version
gcloud projects create "$project_id" --name="project01"
gcloud config list
gcloud config set project "$project_id"
gcloud config set --quiet compute/region asia-northeast1
gcloud config set --quiet compute/zone asia-northeast1-a
gcloud beta billing accounts list
gcloud beta billing projects link "$project_id" --billing-account="$billing_account"
gcloud services enable compute.googleapis.com --project "$project_id"
gcloud components update
-- 2. Cloud Run、Cloud Logging、Cloud Build、Pub/Sub、Eventarc の各 API を有効にします
# 2. Enable the APIs the tutorial depends on. Listing what is already enabled
# first makes the change visible in the terminal history.
apis=(
  run.googleapis.com
  logging.googleapis.com
  cloudbuild.googleapis.com
  pubsub.googleapis.com
  eventarc.googleapis.com
)
gcloud services list --enabled
gcloud services enable "${apis[@]}"
-- 3. 構成変数を設定します
# 3. gcloud defaults so later run/eventarc commands need not repeat
# --region, --platform or --location.
for kv in run/region=asia-northeast1 run/platform=managed eventarc/location=asia-northeast1; do
  gcloud config set "${kv%%=*}" "${kv#*=}"
done
-- 4. Google Cloud Storage で、Cloud Audit Logs の管理読み取り、データ読み取り、データ書き込みの各ログタイプを有効にします
# 4. Dump the current project IAM policy to a local file for editing.
# The file holds the full member/role list for the project — keep it out of
# version control and delete it once applied.
gcloud projects get-iam-policy project01-9999999 --format=yaml > policy.yaml
policy.yaml に下記を追記
auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_WRITE
  - logType: DATA_READ
  service: storage.googleapis.com
# Apply the edited policy. set-iam-policy replaces the project's entire IAM
# policy with the file contents, so review the file once more before running.
gcloud projects set-iam-policy project01-9999999 ./policy.yaml
-- 5. Compute Engine サービス アカウントに eventarc.eventReceiver ロールを付与します
# 5. Allow the trigger's identity to receive events. The identity used here is
# the Compute Engine default service account (project-number placeholder). That
# account is commonly broadly privileged, so for anything beyond a demo prefer
# a dedicated service account holding only this role.
gcloud iam service-accounts list
gcloud projects add-iam-policy-binding project01-9999999 \
  --role=roles/eventarc.eventReceiver \
  --member=serviceAccount:00000000000-compute@developer.gserviceaccount.com
-- 6. Pub/Sub サービス アカウントに iam.serviceAccountTokenCreator ロールを付与します
# 6. The Pub/Sub service agent needs to mint identity tokens so event delivery
# to the Cloud Run service can be authenticated (the number in the address is a
# project-number placeholder).
pubsub_agent=service-00000000000@gcp-sa-pubsub.iam.gserviceaccount.com
gcloud projects add-iam-policy-binding project01-9999999 \
  --role=roles/iam.serviceAccountTokenCreator \
  --member="serviceAccount:$pubsub_agent"
-- 7. Cloud Storage バケットを作成する
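# 7. Create the bucket whose object creations will produce the audit-log event.
# -b on turns on uniform bucket-level access (no per-object ACLs), which the
# runbook's original command omitted. Bucket names are global; bucket123 is a
# placeholder.
gsutil mb -l asia-northeast1 -b on gs://bucket123/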
-- 8. イベント レシーバ サービスを Cloud Run へデプロイする
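# 8. Build the sample receiver and deploy it to Cloud Run.
# The runbook deployed with --allow-unauthenticated, which exposes the receiver
# to anyone on the internet. Eventarc invokes the service with the trigger's
# service account (step 9), so the service stays private and that account is
# granted roles/run.invoker instead. The cd is checked so a failed clone does
# not build whatever happens to be in the current directory. gcr.io (Container
# Registry) is being superseded by Artifact Registry; adjust the image path if
# your project uses the latter.
git clone https://github.com/GoogleCloudPlatform/golang-samples.git
cd golang-samples/eventarc/audit_storage || exit 1
gcloud builds submit --tag gcr.io/project01-9999999/helloworld-events
gcloud run deploy helloworld-events \
  --image gcr.io/project01-9999999/helloworld-events \
  --no-allow-unauthenticated
gcloud run services add-iam-policy-binding helloworld-events \
  --member=serviceAccount:00000000000-compute@developer.gserviceaccount.com \
  --role=roles/run.invoker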
-- 9. Eventarc トリガーを作成する
# 9. Trigger: fire on Cloud Storage object-create audit log entries and deliver
# them to the helloworld-events service. --service-account must be the same
# identity that received roles/eventarc.eventReceiver in step 5.
trigger_sa=00000000000-compute@developer.gserviceaccount.com
gcloud eventarc triggers create trigger01 \
  --service-account="$trigger_sa" \
  --destination-run-service=helloworld-events \
  --destination-run-region=asia-northeast1 \
  --event-filters=type=google.cloud.audit.log.v1.written \
  --event-filters=serviceName=storage.googleapis.com \
  --event-filters=methodName=storage.objects.create
gcloud eventarc triggers list --location=asia-northeast1
-- 10. イベントを生成して表示する
# 10. Upload an object to produce a storage.objects.create audit entry, then
# look for the receiver's log line in the Cloud Run revision logs.
printf '%s\n' 'Hello World' > random.txt
gsutil cp random.txt gs://bucket123/random.txt
log_filter='resource.type=cloud_run_revision AND resource.labels.service_name=helloworld-events AND NOT resource.type=build'
gcloud logging read "$log_filter" \
  | grep -F -- "Detected change"
-- 11. クリーンアップ
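# 11. Clean-up. The trigger delete names its location explicitly, matching the
# list command in step 9, so it does not depend on the eventarc/location config
# default. Deleting the project takes the bucket, service, build artifacts and
# IAM bindings with it; --quiet skips the confirmation prompt, so check the
# project ID against the list output first.
gcloud eventarc triggers delete trigger01 --location=asia-northeast1
gcloud projects list
gcloud projects delete project01-9999999 --quiet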