I often receive the question: how can I get alerted when a developer creates an App in the Apigee developer portal?
It's obvious why someone would want to get an alert. Maybe they have the developer app set to "Manual Approval" and they want to interactively evaluate the request for credentials. Maybe there is an automated workflow that must kick off to provision the app beyond just getting the Apigee-generated credentials. Maybe there's some other reason. But for whatever governance purpose, people want to know when developers register!
It's really easy to set this up for Apigee X and hybrid. I'll review the idea here, and then share a demonstration of how it works below.
When a developer signs in to an Apigee developer portal, and then requests a new app, that results in a call from the Developer Portal backend into the control plane of Apigee, saying "Create a new app for THIS developer, authorized for THIS set of API products." The Apigee control plane performs that work and then sends back the response including the credentials.
As with all update operations performed through the Apigee control plane, the creation of a new developer app is audited. This means there's a log record stored in Google Cloud Logging that describes this change. Cloud Logging is part of the Cloud Operations suite, which includes Monitoring, Alerting, Logging and more.
In Google Cloud, it's super simple to set up an alert based on the content of a log record. The first step: go into Logs Explorer and perform the query you want. In this case, to search the logs for records indicating creation of a new developer app, the query should be:

```
protoPayload.methodName:"google.cloud.apigee.v1.DeveloperApps.CreateDeveloperApp"
```
You should see the log records in the lower part of the screen, under the label "Query results".
After that, click the "Create alert" button.
*The user creating the alert needs the appropriate permissions. To get the required permissions, you can attach these roles to the user:
Confirm the condition for the alert; it should auto-populate with the same filter you used in your query. Then specify the notification channel; your options here are PagerDuty, Slack, email, SMS, Webhook, and more. After that, you'll be alerted via that channel when a matching log record appears in the audit log. In other words, you will be alerted via the channel of your choice when a developer creates an app in the portal!
You can see a working demonstration here.
Oh! One further comment. You do need to take care with managing the alerts. The semantics and limits are described in this document. For example:
There is a maximum rate of 1 notification every 5 minutes for each log-based alert. You can configure the notification frequency to be much lower, though.
One FURTHER comment
If you use Eventarc to send these events to a Cloud Run service, they always get triggered, so the caveats I listed above will not apply.
Follow this article to use Eventarc.
The way to create a trigger for Apigee is:
```bash
## Set up some basics
PROJECT_ID=my-project-id
gcloud config set core/project $PROJECT_ID
RECEIVING_SERVICE="cloud-run-event-handler"
RUN_SVC_ACCT="event-handler-1"
RUN_SVC_ACCT_EMAIL="${RUN_SVC_ACCT}@${PROJECT_ID}.iam.gserviceaccount.com"
EA_SVC_ACCT="eventarc-service-account"
EA_SVC_ACCT_EMAIL="${EA_SVC_ACCT}@${PROJECT_ID}.iam.gserviceaccount.com"
EA_TRIGGER_NAME="apigee-createapp-events-trigger"
REGION=us-west4

# create a Service Account for the Cloud Run service
gcloud iam service-accounts create ${RUN_SVC_ACCT} \
  --description="The Cloud Run event handler uses this service account"

# Deploy your Cloud Run service that will handle events.
# The "--source ." means it deploys the code in the current directory as a
# container in Cloud Run. For the code, you can use Python, Java, Nodejs, C#,
# whatever you like. It should listen on port 8080 for http requests.
# The service will receive a POST from the Eventarc trigger, with an application/json
# payload containing the Audit log record referring to the app that has just been created.
gcloud run deploy ${RECEIVING_SERVICE} \
  --source . \
  --project "${PROJECT_ID}" \
  --region "${REGION}" \
  --service-account "${RUN_SVC_ACCT_EMAIL}" \
  --concurrency 2 \
  --cpu 1 \
  --memory '384Mi' \
  --min-instances 0 \
  --max-instances 1 \
  --no-allow-unauthenticated \
  --timeout 300

# Create a service account for Eventarc and add the required roles to it
gcloud iam service-accounts create ${EA_SVC_ACCT} \
  --description="A service account for the eventarc example"

# Grant permissions for the SA used by Eventarc to receive events
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${EA_SVC_ACCT_EMAIL}" \
  --role="roles/eventarc.eventReceiver"

# Grant permissions for the SA used by Eventarc to invoke the Cloud Run service
gcloud run services add-iam-policy-binding ${RECEIVING_SERVICE} \
  --project="${PROJECT_ID}" \
  --region "${REGION}" \
  --member="serviceAccount:${EA_SVC_ACCT_EMAIL}" \
  --role='roles/run.invoker'

# grant self necessary permissions to create a trigger
WHOAMI=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="user:${WHOAMI}" \
  --role='roles/eventarc.admin'
gcloud iam service-accounts add-iam-policy-binding ${EA_SVC_ACCT_EMAIL} \
  --member="user:${WHOAMI}" \
  --role="roles/iam.serviceAccountUser"

# Create the trigger - note, the location must be global
gcloud eventarc triggers create ${EA_TRIGGER_NAME} \
  --destination-run-service=${RECEIVING_SERVICE} \
  --destination-run-region=${REGION} \
  --location="global" \
  --event-filters="type=google.cloud.audit.log.v1.written" \
  --event-filters="serviceName=apigee.googleapis.com" \
  --event-filters="methodName=google.cloud.apigee.v1.DeveloperApps.CreateDeveloperApp" \
  --service-account=${EA_SVC_ACCT_EMAIL}
```
Wait 5-10 minutes. Then use a developer portal to create a new app. You will see the Cloud Run service get invoked.
The invocation will be a POST to /, with an application/json payload. For the CreateDeveloperApp event, the payload looks like this:
```json
{
  "insertId": "1vfs339ea40ze",
  "logName": "projects/MY-PROJECT-NAME/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "service-714366284403@gcp-sa-apigee.iam.gserviceaccount.com"
    },
    "authorizationInfo": [
      {
        "granted": true,
        "permission": "apigee.developerapps.create",
        "resource": "organizations/MY-PROJECT-NAME/developers/developer@example.com"
      }
    ],
    "methodName": "google.cloud.apigee.v1.DeveloperApps.CreateDeveloperApp",
    "request": {
      "@type": "type.googleapis.com/google.cloud.apigee.v1.CreateDeveloperAppRequest",
      "developerApp": {
        "apiProducts": ["Product1"],
        "attributes": [
          { "name": "Description", "value": "data-from-portal" },
          { "name": "DisplayName", "value": "name-of-developer-app" }
        ],
        "callbackUrl": "",
        "name": "name-of-developer-app"
      },
      "parent": "organizations/MY-PROJECT-NAME/developers/developer@example.com"
    },
    "requestMetadata": {…},
    "resourceName": "organizations/MY-PROJECT-NAME/developers/developer@example.com",
    "response": {…},
    "serviceName": "apigee.googleapis.com"
  },
  "receiveTimestamp": "2022-04-27T05:20:54.707420233Z",
  "resource": {…},
  "timestamp": "2022-04-27T05:20:54.707420233Z"
}
```
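The post leaves the Cloud Run handler itself to the reader. Here is an added example of one (not the original post's code, and not Apigee's) in Python: it accepts the POST on `/`, checks that the record really is a `CreateDeveloperApp` event from `apigee.googleapis.com` before acting on it, and pulls out the developer, app name, API products and requesting principal that an approval workflow would want. The function and constant names, the sample event, and the choice to acknowledge unexpected records with a 2xx are all this example's own assumptions; it also assumes, as the post's deployment does, that Cloud Run is already enforcing the caller's identity via `--no-allow-unauthenticated` and `roles/run.invoker`.

```python
"""Minimal Cloud Run event handler for Apigee CreateDeveloperApp audit events.

Added example (not the original post's code). It assumes the Eventarc trigger
from the post delivers the Cloud Audit Log record as an application/json POST
body, and that Cloud Run already authenticates the caller (the service was
deployed with --no-allow-unauthenticated and only the Eventarc service account
holds roles/run.invoker).
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_SERVICE = "apigee.googleapis.com"
EXPECTED_METHOD = "google.cloud.apigee.v1.DeveloperApps.CreateDeveloperApp"


def summarize_create_app_event(payload: dict) -> dict:
    """Validate an audit-log payload and pull out the fields worth alerting on.

    Raises ValueError if the record is not the event the trigger filters for,
    so a mis-configured trigger cannot drive the downstream approval workflow.
    """
    proto = payload.get("protoPayload") or {}
    if proto.get("serviceName") != EXPECTED_SERVICE:
        raise ValueError(f"unexpected serviceName: {proto.get('serviceName')!r}")
    if proto.get("methodName") != EXPECTED_METHOD:
        raise ValueError(f"unexpected methodName: {proto.get('methodName')!r}")

    request = proto.get("request") or {}
    app = request.get("developerApp") or {}
    # attributes is a list of {"name": ..., "value": ...} pairs; flatten it.
    attrs = {a.get("name"): a.get("value") for a in app.get("attributes") or []}
    # parent looks like organizations/<org>/developers/<developer-email>
    parent = request.get("parent", "")
    developer = parent.rsplit("/developers/", 1)[-1] if "/developers/" in parent else None
    # Only treat the app as created if every authorization check in the record passed.
    auth_info = proto.get("authorizationInfo") or []
    granted = bool(auth_info) and all(a.get("granted") is True for a in auth_info)

    return {
        "developer": developer,
        "app_name": app.get("name"),
        "display_name": attrs.get("DisplayName"),
        "api_products": list(app.get("apiProducts") or []),
        "principal": (proto.get("authenticationInfo") or {}).get("principalEmail"),
        "authorization_granted": granted,
        "timestamp": payload.get("timestamp"),
        "insert_id": payload.get("insertId"),
    }


class EventHandler(BaseHTTPRequestHandler):
    """Accepts the Eventarc POST, summarizes it, and answers with a 2xx status."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            summary = summarize_create_app_event(json.loads(body))
        except (ValueError, json.JSONDecodeError) as exc:
            # Log and acknowledge: a non-2xx answer would make the transport
            # redeliver a record we will never process.
            print(json.dumps({"rejected": str(exc)}), flush=True)
            self.send_response(200)
            self.end_headers()
            return
        # Replace this print with the real notification (Slack, ticket, approval workflow).
        print(json.dumps(summary), flush=True)
        self.send_response(204)
        self.end_headers()


# Constructed sample with the same shape as the audit record shown in the post.
SAMPLE_EVENT = {
    "insertId": "sample-insert-id",
    "logName": "projects/MY-PROJECT-NAME/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {"principalEmail": "service-000000000000@gcp-sa-apigee.iam.gserviceaccount.com"},
        "authorizationInfo": [{"granted": True, "permission": "apigee.developerapps.create",
                               "resource": "organizations/MY-PROJECT-NAME/developers/developer@example.com"}],
        "methodName": EXPECTED_METHOD,
        "request": {
            "@type": "type.googleapis.com/google.cloud.apigee.v1.CreateDeveloperAppRequest",
            "developerApp": {
                "apiProducts": ["Product1"],
                "attributes": [{"name": "Description", "value": "data-from-portal"},
                               {"name": "DisplayName", "value": "name-of-developer-app"}],
                "callbackUrl": "",
                "name": "name-of-developer-app",
            },
            "parent": "organizations/MY-PROJECT-NAME/developers/developer@example.com",
        },
        "serviceName": EXPECTED_SERVICE,
    },
    "timestamp": "2022-04-27T05:20:54.707420233Z",
}

if __name__ == "__main__":
    print(json.dumps(summarize_create_app_event(SAMPLE_EVENT), indent=2))
    HTTPServer(("0.0.0.0", 8080), EventHandler).serve_forever()
```

Run it locally and POST the sample with `curl -X POST -H 'Content-Type: application/json' --data @event.json http://localhost:8080/` to see the summary; in Cloud Run, port 8080 is what the post's `gcloud run deploy` expects. The trigger filters already restrict which records are delivered, but the handler re-checks `serviceName` and `methodName` anyway, so a later edit to the trigger cannot silently turn this into a handler for every Apigee audit event.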
Nice article, how would one go about doing this in Apigee Edge?
Yes, I have the same question from above. How would you notify on app registration within the Apigee Edge Integrated Portal? I'm assuming it's not possible and will not be added as a "feature."
@davestevens @pointlesspun There is no equivalent in Apigee Edge currently for this functionality. The creation of these events takes advantage of audit logging in Google Cloud used by Apigee X / hybrid.