
feat: add PubSub → BigQuery log pipeline addons#231

Open
robbiet480 wants to merge 6 commits into fleetdm:main from CampusTech:feat/fleet-pubsub-bigquery

Conversation

@robbiet480

Summary

Adds two new GCP addons for routing Fleet osquery and audit logs from PubSub to BigQuery via a Cloud Run ingest service.

addons/gcp/fleet-pubsub

Consumer-agnostic addon that creates the three PubSub topics Fleet publishes to and grants Fleet's service account publisher access. Outputs the Fleet server env vars required to enable PubSub logging:

  • FLEET_OSQUERY_RESULT_LOG_PLUGIN=pubsub
  • FLEET_OSQUERY_STATUS_LOG_PLUGIN=pubsub
  • FLEET_ACTIVITY_ENABLE_AUDIT_LOG=true
  • FLEET_PUBSUB_ADD_ATTRIBUTES=true
  • Topic names for result, status, and audit logs

addons/gcp/pubsub-to-bigquery

Wires the topics to BigQuery via PubSub push subscriptions and a Cloud Run service:

  • BigQuery: dataset + 3 partitioned/clustered tables (result_logs, status_logs, audit_logs)
  • Cloud Run: fleet-pubsub-bq service receives PubSub push messages and writes rows
  • PubSub: push subscriptions with OIDC authentication for all three topics
  • IAM: dedicated service accounts for the ingest service and PubSub invoker

The bq_project_id variable allows the BigQuery dataset to live in a separate project from the Cloud Run service (e.g. a shared analytics project).

gcp/main.tf wiring

Both addons are wired into the top-level gcp module. The fleet_pubsub module's env vars are merged into the Fleet Cloud Run service automatically. The pubsub_to_bigquery module is gated by the nullable pubsub_to_bigquery_image variable — set it to enable the pipeline.

BigQuery schema

result_logs — one row per osquery result row. Snapshot arrays are exploded; diffResults are split into added/removed rows. Fixed envelope columns + row JSON string.

status_logs — osquery agent status/error messages with severity, filename, line, message, version, and decorations.

audit_logs — Fleet user/automation activity with actor info and a details JSON blob (schema varies by activity type).

Deployment

  1. Build and push the fleet-pubsub-bq service image to Artifact Registry
  2. Set pubsub_to_bigquery_image in your tfvars
  3. terraform apply

Authorship

This code was written by Claude (Anthropic) and reviewed by a human before submission.
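The PR describes the ingest service only at the level of "receives PubSub push messages and writes rows" plus the result_logs shape (snapshot arrays exploded, diffResults split into added/removed, fixed envelope columns and a row JSON string). The following is an added example, not code from this PR or from the fleet-pubsub-bq image, showing what that push handler's body logic looks like: decode the PubSub push envelope, route on the subscription name, and explode one osquery result log into one BigQuery row per result row. The subscription short names, the column names, and the sample payloads are assumptions and constructed test data. The OIDC check on the push request is assumed to be done by Cloud Run IAM in front of this code, as the PR's "push subscriptions with OIDC authentication" implies; the handler still refuses pushes from any subscription it does not know, so a misrouted push cannot land in an arbitrary table.

```python
"""Added example (not the PR's or fleet-pubsub-bq's code): PubSub push
envelope -> BigQuery rows, in the shape the PR's schema section describes.
Subscription names and column names are assumptions."""
import base64
import json

# Assumed push-subscription short names -> BigQuery tables. Unknown
# subscriptions are rejected rather than guessed.
SUBSCRIPTION_TABLES = {
    "fleet-result-logs": "result_logs",
    "fleet-status-logs": "status_logs",
    "fleet-audit-logs": "audit_logs",
}


def decode_push_envelope(envelope):
    """Return (subscription short name, messageId, publishTime, attributes, payload).

    A PubSub push body is {"message": {"data": <base64>, "attributes": {...},
    "messageId": ..., "publishTime": ...}, "subscription": "projects/P/subscriptions/S"}.
    """
    msg = envelope["message"]
    raw = base64.b64decode(msg["data"]) if msg.get("data") else b"{}"
    payload = json.loads(raw)
    sub = envelope["subscription"].rsplit("/", 1)[-1]
    return sub, msg.get("messageId"), msg.get("publishTime"), msg.get("attributes", {}), payload


def explode_result_log(payload, message_id, publish_time):
    """One osquery result log -> one BigQuery row per result row."""
    fixed = {  # assumed fixed envelope columns
        "message_id": message_id,
        "publish_time": publish_time,
        "name": payload.get("name"),
        "host_identifier": payload.get("hostIdentifier"),
        "unix_time": payload.get("unixTime"),
        "calendar_time": payload.get("calendarTime"),
        "epoch": payload.get("epoch"),
        "counter": payload.get("counter"),
        "decorations": json.dumps(payload.get("decorations", {}), sort_keys=True),
    }
    rows = []
    if "snapshot" in payload:            # snapshot query: array of rows
        for r in payload["snapshot"]:
            rows.append({**fixed, "action": "snapshot", "row": json.dumps(r, sort_keys=True)})
    elif "diffResults" in payload:       # batched differential log
        for action in ("added", "removed"):
            for r in payload["diffResults"].get(action, []):
                rows.append({**fixed, "action": action, "row": json.dumps(r, sort_keys=True)})
    elif "columns" in payload:           # per-event differential log
        rows.append({**fixed, "action": payload.get("action"),
                     "row": json.dumps(payload["columns"], sort_keys=True)})
    return rows


def rows_for_push(envelope):
    """Dispatch a push envelope to (table, rows); raise on unknown subscriptions."""
    sub, mid, pt, attrs, payload = decode_push_envelope(envelope)
    table = SUBSCRIPTION_TABLES.get(sub)
    if table is None:
        raise ValueError(f"unexpected subscription {sub!r}")
    if table == "result_logs":
        return table, explode_result_log(payload, mid, pt)
    # status and audit logs: one row per message, payload kept as JSON
    return table, [{"message_id": mid, "publish_time": pt,
                    "attributes": json.dumps(attrs, sort_keys=True),
                    "payload": json.dumps(payload, sort_keys=True)}]


def make_push_envelope(subscription, payload, message_id="1"):
    """Constructed sample push body (test data, not captured traffic)."""
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"message": {"data": data, "attributes": {}, "messageId": message_id,
                        "publishTime": "2026-05-05T00:00:00Z"},
            "subscription": f"projects/example/subscriptions/{subscription}"}


# Constructed sample logs in the two osquery result formats.
SNAPSHOT = make_push_envelope("fleet-result-logs", {
    "name": "pack/fleet/users", "hostIdentifier": "host-a", "unixTime": 1777939200,
    "calendarTime": "Tue May 5 00:00:00 2026 UTC", "epoch": 0, "counter": 0,
    "snapshot": [{"uid": "0", "username": "root"}, {"uid": "1000", "username": "alice"}],
})
DIFF = make_push_envelope("fleet-result-logs", {
    "name": "pack/fleet/listening_ports", "hostIdentifier": "host-a", "unixTime": 1777939260,
    "diffResults": {"added": [{"port": "22", "pid": "10"}],
                    "removed": [{"port": "8080", "pid": "11"}]},
})

if __name__ == "__main__":
    for env in (SNAPSHOT, DIFF):
        table, rows = rows_for_push(env)
        print(table, [(r["action"], r["row"]) for r in rows])
```

Keeping the row as a JSON string rather than a wide per-query schema is what lets all of Fleet's queries share one partitioned result_logs table; the fixed envelope columns are the ones worth clustering on, and the unknown-subscription rejection is the cheap check that keeps a stray push from writing where it should not.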

robbiet480 and others added 6 commits May 4, 2026 21:14
…vice, and push subscriptions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ubSub/BQ APIs

- Add pubsub_to_bigquery_image variable (optional, gates pubsub_to_bigquery module)
- Add module.fleet_pubsub and module.pubsub_to_bigquery
- Merge fleet_pubsub.fleet_env_vars into module.fleet extra_env_vars
- Enable pubsub.googleapis.com and bigquery.googleapis.com in activate_apis

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@robbiet480 robbiet480 requested review from a team and ddribeiro as code owners May 5, 2026 01:42
