Actions on the Apigee management plane are recorded in Cloud Audit Logs so that the events and changes that occur can be tracked. A few to mention:
For information about Apigee audit logs, see the details here.
To view a sample of these events in Cloud Logging for your GCP project / Apigee organization, run the following query (adjust it to your needs):
protoPayload.methodName=~"google.cloud.apigee.v1.Deployment*"
OR protoPayload.methodName=~"google.cloud.apigee.v1.Api*"
OR protoPayload.methodName=~"google.cloud.apigee.v1.Target*"
OR protoPayload.methodName=~"google.cloud.apigee.v1.Developer*"
OR protoPayload.methodName=~"google.cloud.apigee.v1.Environment*"
OR protoPayload.methodName=~"google.cloud.apigee.v1.Project*"
OR protoPayload.methodName=~"google.cloud.apigee.v1.Organization*"
NOT protoPayload.methodName="google.cloud.apigee.v1.RuntimeService.ReportInstanceStatus"
NOT protoPayload.methodName="google.cloud.apigee.v1.EnvironmentService.Subscribe"
NOT protoPayload.methodName="google.cloud.apigee.v1.EnvironmentService.Unsubscribe"
NOT protoPayload.methodName="google.cloud.apigee.v1.DeploymentService.GenerateDeployChangeReport"
In practice there is a need to capture these events as they happen and process them by posting them to a Cloud Function, Pub/Sub, Cloud Run, or an external HTTP endpoint.
One way to achieve this is with Eventarc. An Eventarc trigger can capture specific Cloud Audit Logs events and act on them.
Follow the steps below to capture an Apigee developer-create event via Eventarc and route it to a Workflow. In this example the Workflow posts the audit log payload to an HTTP endpoint. Run the steps in Cloud Shell.
# Set PROJECT_ID, PROJECT_NUMBER, USER_ID and TRIGGER_SA for your project before running these.
# Enable the APIs used by the trigger and the workflow.
gcloud services enable \
logging.googleapis.com \
eventarc.googleapis.com \
workflows.googleapis.com \
workflowexecutions.googleapis.com \
pubsub.googleapis.com
# Allow your user to create Eventarc triggers.
gcloud projects add-iam-policy-binding ${PROJECT_NUMBER} \
--member=user:$USER_ID --role=roles/eventarc.admin
# Service account the trigger runs as: it must invoke the workflow, receive events and write logs.
gcloud iam service-accounts create ${TRIGGER_SA}
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member=serviceAccount:${TRIGGER_SA}@$PROJECT_ID.iam.gserviceaccount.com \
--role=roles/workflows.invoker
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@$PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/eventarc.eventReceiver"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member "serviceAccount:${TRIGGER_SA}@$PROJECT_ID.iam.gserviceaccount.com" \
--role "roles/logging.logWriter"
cat <<EOF > workflow.yaml
main:
  params: [input]
  steps:
    - registerPayload:
        call: http.post
        args:
          body:
            payload: \${input}
          url: <endpoint-to-post-data>
        result: httpOutput
    - returnOutput:
        return: \${httpOutput.body}
EOF
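As an added example (not part of the original page or of Apigee/Workflows), the Python below does two things the text describes but does not show: it replays the Cloud Logging query from above (the OR'd `=~` patterns and the `NOT` exclusions) against a `protoPayload.methodName`, and it parses the JSON body that the Workflow's `http.post` step sends to `<endpoint-to-post-data>`, i.e. `{"payload": <input>}` where `<input>` is the Eventarc CloudEvent and `input.data` is the LogEntry. The CloudEvent/LogEntry layout, the `parse_workflow_post` name and the sample method names and identities are assumptions constructed for the example.

```python
"""Replay the page's Cloud Logging query and parse the Workflow's POST body.

Added example, not code from the original page. The CloudEvent / LogEntry
layout used here is an assumption about the Eventarc audit-log payload, and
every sample value below is constructed."""
import re
from typing import Any, Dict, Optional

# The `=~` clauses from the page's query. In a regex the trailing `*` is a
# quantifier on the last character, not a glob, and Cloud Logging regex
# matching is unanchored, so each pattern effectively selects any method name
# containing "google.cloud.apigee.v1.<prefix minus its last character>".
INCLUDE_PATTERNS = [
    r"google.cloud.apigee.v1.Deployment*",
    r"google.cloud.apigee.v1.Api*",
    r"google.cloud.apigee.v1.Target*",
    r"google.cloud.apigee.v1.Developer*",
    r"google.cloud.apigee.v1.Environment*",
    r"google.cloud.apigee.v1.Project*",
    r"google.cloud.apigee.v1.Organization*",
]
_INCLUDE_RE = [re.compile(p) for p in INCLUDE_PATTERNS]

# The `NOT ... =` clauses: high-volume runtime chatter that is not an
# administrative change and would otherwise drown out the events of interest.
EXCLUDED_METHODS = {
    "google.cloud.apigee.v1.RuntimeService.ReportInstanceStatus",
    "google.cloud.apigee.v1.EnvironmentService.Subscribe",
    "google.cloud.apigee.v1.EnvironmentService.Unsubscribe",
    "google.cloud.apigee.v1.DeploymentService.GenerateDeployChangeReport",
}


def matches_query(method_name: str) -> bool:
    """True if protoPayload.methodName would be selected by the page's query:
    one of the OR'd patterns matches and none of the NOT clauses does."""
    if method_name in EXCLUDED_METHODS:
        return False
    return any(r.search(method_name) for r in _INCLUDE_RE)


def parse_workflow_post(body: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Interpret the JSON the Workflow's http.post step sends: {"payload": <input>},
    where <input> is the Eventarc CloudEvent and input.data is the LogEntry
    (assumed layout). Returns a flat summary of the event, or None when the
    body is malformed or is not an Apigee event the query would select."""
    try:
        event = body["payload"]
        log_entry = event["data"]
        audit = log_entry["protoPayload"]
        method = audit["methodName"]
        service = audit["serviceName"]
    except (KeyError, TypeError):
        return None  # unexpected shape: reject rather than guess
    if service != "apigee.googleapis.com" or not matches_query(method):
        return None
    return {
        "event_id": str(event.get("id", "")),
        "time": str(log_entry.get("timestamp", "")),
        "method": method,
        "principal": audit.get("authenticationInfo", {}).get("principalEmail", ""),
        "resource": audit.get("resourceName", ""),
        "caller_ip": audit.get("requestMetadata", {}).get("callerIp", ""),
    }


def _sample_post(method: str) -> Dict[str, Any]:
    """Constructed request body in the shape the Workflow would post."""
    return {
        "payload": {
            "id": "evt-0001",
            "type": "google.cloud.audit.log.v1.written",
            "data": {
                "timestamp": "2024-01-01T00:00:00Z",
                "protoPayload": {
                    "serviceName": "apigee.googleapis.com",
                    "methodName": method,
                    "resourceName": "organizations/example-org/developers/dev@example.com",
                    "authenticationInfo": {"principalEmail": "admin@example.com"},
                    "requestMetadata": {"callerIp": "203.0.113.10"},
                },
            },
        }
    }


if __name__ == "__main__":
    for m in (
        "google.cloud.apigee.v1.DeveloperService.CreateDeveloper",     # selected
        "google.cloud.apigee.v1.RuntimeService.ReportInstanceStatus",  # dropped by NOT
        "google.cloud.apigee.v1.SecurityReportService.CreateReport",   # not in the OR list
    ):
        print(m, "->", parse_workflow_post(_sample_post(m)))
```

Applying the same include/exclude rules at the receiving end means a trigger that is later widened does not flood the endpoint with runtime noise. Note that the `http.post` step as written forwards the whole audit-log entry, including principal e-mails and caller IPs, to whatever `<endpoint-to-post-data>` is, so that endpoint should be served over HTTPS and should verify who is calling it.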