feat: create audit log sink for Minecraft access audit

matihost · Nov 17, 2023 · 73ec0b1 · 73ec0b1
1 parent a2cfdab
commit 73ec0b1
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 2 deletions.
diff --git a/terraform/gcp/minecraft-server/README.md b/terraform/gcp/minecraft-server/README.md
@@ -12,6 +12,8 @@ Features:
 
 * Minecraft server world and configuration is automatically backup each hour to Cloud Storage. When server crashes - after 200 seconds of inactivity - the instance is recreated. Upon startup , the last backup is downloaded, otherwise it creates a new fresh world. Upon ordinary reboot, the backup is not downloaded.
 
+* Attempt to logging and logout from the server are kept in separate log bucket sing for 30 days.
+
 * Minecraft server is automatically shutdown (instanceGroup is scaled to 0) at 10:05 PM and automatically started at 10:05 AM every day.
 
 Limitations:

diff --git a/terraform/gcp/minecraft-server/module/monitoring.tf b/terraform/gcp/minecraft-server/module/monitoring.tf
@@ -0,0 +1,42 @@
+# resource.type="gce_instance"
+# AND log_id("syslog")
+# AND labels."compute.googleapis.com/resource_name" =~ "prod-02.*"
+# AND (jsonPayload.message =~ ".*joined the game.*"  OR jsonPayload.message =~ ".*left the game.*")
+
+
+
+resource "google_logging_project_bucket_config" "minecraft" {
+    project        = var.project
+    location       = "global"
+    retention_days = 30
+    bucket_id      = "${var.minecraft_server_name}-minecraft"
+}
+
+resource "google_logging_project_sink" "minecraft-audit" {
+  name        = "${var.minecraft_server_name}-minecraft-audit"
+  description = "${var.minecraft_server_name} minecraft audit log"
+  destination = "logging.googleapis.com/projects/${var.project}/locations/global/buckets/${google_logging_project_bucket_config.minecraft.bucket_id}"
+
+
+  filter  = join(" AND ", [
+    "resource.type=\"gce_instance\"",
+    "log_id(\"syslog\")",
+    "labels.\"compute.googleapis.com/resource_name\"=~\"${var.minecraft_server_name}.*\"",
+    "(jsonPayload.message =~ \".*joined the game.*\" OR jsonPayload.message =~ \".*left the game.*\")"
+  ])
+
+  # TODO for some reason it is not created
+  unique_writer_identity = false
+  # unique_writer_identity = true
+}
+
+# Because our sink uses a unique_writer, we must grant that writer access to the bucket.
+# resource "google_project_iam_binding" "minecraft-audit" {
+#   project = var.project
+
+#   role = "roles/storage.objectCreator"
+
+#   members = [
+#     google_logging_project_sink.minecraft-audit.writer_identity,
+#   ]
+# }
diff --git a/terraform/gcp/minecraft-server/module/versions.tf b/terraform/gcp/minecraft-server/module/versions.tf
@@ -5,13 +5,13 @@ terraform {
       # Cluster uses config options available at:
       # https://github.com/hashicorp/terraform-provider-google/blob/master/website/docs/r/container_cluster.html.markdown
       # in version:
-      version = "= 5.0.0"
+      version = "~> 5"
       # Full Changelog for all version is here:
       # https://github.com/hashicorp/terraform-provider-google/blob/master/CHANGELOG.md
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "= 5.0.0"
+      version = "~> 5"
     }
     null = {
       source  = "hashicorp/null"