Add attributes to GCP PubSub messages

Signed-off-by: Anna Simon <[email protected]>
falcosecurity · Jun 9, 2023 · 7f9d918 · 7f9d918
1 parent cb26002
commit 7f9d918
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -407,6 +407,8 @@ gcp:
     projectid: "" # The GCP Project ID containing the Pub/Sub Topic
     topic: "" # The name of the Pub/Sub topic
     # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # customAttributes: # Custom attributes to add to the Pub/Sub messages
+    #   key: value
   storage:
     # prefix : "" # name of prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
     bucket: "" # The name of the bucket
@@ -918,6 +920,9 @@ care of lower/uppercases**) : `yaml: a.b --> envvar: A_B` :
 - **GCP_PUBSUB_TOPIC**: The name of the Pub/Sub topic
 - **GCP_PUBSUB_MINIMUMPRIORITY**: minimum priority of event for using this
   output, order is
+  `emergency|alert|critical|error|warning|notice|informational|debug or "" (default)`
+- **GCP_PUBSUB_CUSTOMATTRIBUTES**: a list of comma separated custom headers to add,
+  syntax is "key:value,key:value"
 - **GCP_STORAGE_BUCKET**: The name of the bucket
 - **GCP_STORAGE_PREFIX**: name of prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
 - **GCP_STORAGE_MINIMUMPRIORITY**: minimum priority of event for using this

diff --git a/config.go b/config.go
@@ -27,6 +27,7 @@ func getConfig() *types.Configuration {
 		Webhook:         types.WebhookOutputConfig{CustomHeaders: make(map[string]string)},
 		Alertmanager:    types.AlertmanagerOutputConfig{ExtraLabels: make(map[string]string), ExtraAnnotations: make(map[string]string)},
 		CloudEvents:     types.CloudEventsOutputConfig{Extensions: make(map[string]string)},
+		GCP:             types.GcpOutputConfig{PubSub: types.GcpPubSub{CustomAttributes: make(map[string]string)}},
 	}
 
 	configFile := kingpin.Flag("config-file", "config file").Short('c').ExistingFile()
@@ -463,6 +464,7 @@ func getConfig() *types.Configuration {
 	v.GetStringMapString("CloudEvents.Extensions")
 	v.GetStringMapString("AlertManager.ExtraLabels")
 	v.GetStringMapString("AlertManager.ExtraAnnotations")
+	v.GetStringMapString("GCP.PubSub.CustomAttributes")
 	if err := v.Unmarshal(c); err != nil {
 		log.Printf("[ERROR] : Error unmarshalling config : %s", err)
 	}
@@ -549,6 +551,16 @@ func getConfig() *types.Configuration {
 		}
 	}
 
+	if value, present := os.LookupEnv("GCP_PUBSUB_CUSTOMATTRIBUTES"); present {
+		customattributes := strings.Split(value, ",")
+		for _, label := range customattributes {
+			tagkeys := strings.Split(label, ":")
+			if len(tagkeys) == 2 {
+				c.GCP.PubSub.CustomAttributes[tagkeys[0]] = tagkeys[1]
+			}
+		}
+	}
+
 	if c.AWS.SecurityLake.Interval < 5 {
 		c.AWS.SecurityLake.Interval = 5
 	}

diff --git a/config_example.yaml b/config_example.yaml
@@ -228,6 +228,8 @@ gcp:
     projectid: "" # The GCP Project ID containing the Pub/Sub Topic
     topic: "" # The name of the Pub/Sub topic
   # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # customAttributes: # Custom attributes to add to the Pub/Sub messages
+  #   key: value
   storage:
     # prefix : "" # name of prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
     bucket: "" # The name of the bucket

diff --git a/outputs/gcp.go b/outputs/gcp.go
@@ -138,7 +138,8 @@ func (c *Client) GCPPublishTopic(falcopayload types.FalcoPayload) {
 
 	payload, _ := json.Marshal(falcopayload)
 	message := &pubsub.Message{
-		Data: payload,
+		Data:       payload,
+		Attributes: c.Config.GCP.PubSub.CustomAttributes,
 	}
 
 	result := c.GCPTopicClient.Publish(context.Background(), message)

diff --git a/types/types.go b/types/types.go
@@ -76,7 +76,7 @@ type Configuration struct {
 	Webhook            WebhookOutputConfig
 	CloudEvents        CloudEventsOutputConfig
 	Azure              azureConfig
-	GCP                gcpOutputConfig
+	GCP                GcpOutputConfig
 	Googlechat         GooglechatConfig
 	Kafka              kafkaConfig
 	KafkaRest          KafkaRestConfig
@@ -409,10 +409,10 @@ type gcpCloudRun struct {
 	MinimumPriority string
 }
 
-type gcpOutputConfig struct {
+type GcpOutputConfig struct {
 	Credentials      string
 	WorkloadIdentity bool
-	PubSub           gcpPubSub
+	PubSub           GcpPubSub
 	Storage          gcpStorage
 	CloudFunctions   gcpCloudFunctions
 	CloudRun         gcpCloudRun
@@ -423,10 +423,11 @@ type gcpCloudFunctions struct {
 	MinimumPriority string
 }
 
-type gcpPubSub struct {
-	ProjectID       string
-	Topic           string
-	MinimumPriority string
+type GcpPubSub struct {
+	ProjectID        string
+	Topic            string
+	MinimumPriority  string
+	CustomAttributes map[string]string
 }
 
 type gcpStorage struct {