Add datasource syncer (#123)

* add datasource syncer

* update README for datasource syncer

Author: xiangshen-dk

README.md

@@ -19,11 +19,11 @@ You can follow the steps to enable it:
 
 ### Generate a JWT file & Assign IAM Permissions
 
-1. If you don't have gcp project, add a new gcp project. [link](https://cloud.google.com/resource-manager/docs/creating-managing-projects#console)
+1. If you don't have a GCP project, add a new GCP project. [link](https://cloud.google.com/resource-manager/docs/creating-managing-projects#console)
 2. Open the [Credentials](https://console.developers.google.com/apis/credentials) page in the Google API Console
 3. Click **Create Credentials** then click **Service account**
 4. On the Create service account page, enter the Service account details
-5. On the `Create service account` page, fill in the `Service account details` and then click `Create and Continue`
+5. Fill in the `Service account details` and then click `Create and Continue`
 6. On the `Grant this service account access to project` section, add the `Logs Viewer` role and `Logs View Accessor` role under `Logging` to the service account. Click `Done`
 7. In the next step, click the service account you just created. Under the `Keys` tab and select `Add key` and `Create new key`
 8. Choose key type `JSON` and click `Create`. A JSON key file will be created and downloaded to your computer
@@ -32,6 +32,8 @@ If you want to access logs in multiple cloud projects, you need to ensure the se
 
 If you host Grafana on a GCE VM, you can also use the [Compute Engine service account](https://cloud.google.com/compute/docs/access/service-accounts#serviceaccount). You need to make sure the service account has sufficient permissions to access the scopes and logs in all projects.
 
+Similar to [Prometheus data sources on Google Cloud](https://cloud.google.com/stackdriver/docs/managed-prometheus/query#use-serverless), you can also configure a scheduled job to use an OAuth2 access token to view the logs. Please follow the steps in the [data source syncer README](./datasource-syncer/README.md) to configure it.
+
 ### Service account impersonation
 You can also configure the plugin to use [service account impersonation](https://cloud.google.com/iam/docs/service-account-impersonation).
 You need to ensure the service account used by this plugin has the `iam.serviceAccounts.getAccessToken` permission. This permission is in roles like the [Service Account Token Creator role](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountTokenCreator) (roles/iam.serviceAccountTokenCreator). Also, the service account impersonated
@@ -78,4 +80,4 @@ Below is an example of defining a variable for log views.
 
 Cloud Logging Logo (`src/img/logo.svg`) is from Google Cloud's [Official icons and sample diagrams](https://cloud.google.com/icons)
 
-As commented, `JWTForm` and `JWTConfigEditor` are largely based on Apache-2.0 licensed [grafana-google-sdk-react](https://github.com/grafana/grafana-google-sdk-react/)
+As commented in the code, `JWTForm` and `JWTConfigEditor` are largely based on the Apache-2.0 licensed [grafana-google-sdk-react](https://github.com/grafana/grafana-google-sdk-react/).

datasource-syncer/Dockerfile

@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Stage 1: Build the application
+FROM golang:1.24.2-alpine AS buildbase
+
+WORKDIR /app
+
+# Set CGO_ENABLED=0 to build a static binary, essential for distroless images.
+ENV CGO_ENABLED=0
+
+ENV GOEXPERIMENT=noboringcrypto
+ENV GOFIPS140=latest
+
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+
+# Build the Go application.
+# -ldflags="-s -w" strips debugging information and symbols, reducing binary size.
+# The '.' at the end signifies building the package in the current directory.
+RUN go build -ldflags="-s -w" -o datasource-syncer .
+
+# Stage 2: Create the final minimal image
+# Using a distroless static image for a minimal runtime environment.
+# 'nonroot' variant runs the application as a non-root user for better security.
+FROM gcr.io/distroless/static-debian12:nonroot
+COPY --from=buildbase /app/datasource-syncer /bin/datasource-syncer
+ENTRYPOINT ["/bin/datasource-syncer"]

datasource-syncer/README.md

@@ -0,0 +1,219 @@
+# Data Source Syncer
+
+This CLI tool acts as a scheduled job that remotely syncs data to a given Grafana Cloud Logging data source. This ensures that the Grafana data source has the following set correctly:
+
+* Authentication by refreshing an OAuth2 access token periodically
+* The Google Cloud project ID
+
+By regularly refreshing the OAuth2 access token, you can configure Grafana to directly query Google Cloud Logging.
+
+[Google access tokens have a lifetime of 1 hour.](https://cloud.google.com/docs/authentication/token-types#at-lifetime) This script should be scheduled to run every 10 minutes to ensure you have an uninterrupted connection between Grafana and Google Cloud Logging.
+
+## Flags
+
+```bash mdox-exec="bash hack/format_help.sh datasource-syncer"
+Usage of datasource-syncer:
+  -datasource-uids string
+    	datasource-uids is a comma separated list of data source UIDs to update.
+  -grafana-api-endpoint string
+    	grafana-api-endpoint is the endpoint of the Grafana instance that contains the data sources to update.
+  -grafana-api-token string
+    	grafana-api-token used to access Grafana. Can be created using: https://grafana.com/docs/grafana/latest/administration/service-accounts/#create-a-service-account-in-grafana
+  -insecure-skip-verify
+    	Skip TLS certificate verification
+  -project-id string
+    	Project ID of the Google Cloud Monitoring scoping project to query. Queries sent to this project will union results from all projects within the scope.
+  -query.credentials-file string
+    	JSON-encoded credentials (service account or refresh token). Can be left empty if default credentials have sufficient permission.
+  -tls-ca-cert string
+    	Path to the server certificate authority
+  -tls-cert string
+    	Path to the server TLS certificate.
+  -tls-key string
+    	Path to the server TLS key.
+```
+## Scheduled the job using Cloud Run
+
+To deploy and run a serverless data source syncer by using [Cloud Run](https://cloud.google.com/run)
+and [Cloud Scheduler](https://cloud.google.com/scheduler), do the following:
+
+1. Choose a project to deploy the data source syncer in. We recommend choosing
+   the [scoping project of a multi-project log scope](https://cloud.google.com/logging/docs/log-scope/create-and-manage).
+   The data source syncer uses the configured Google Cloud project as the
+   scoping project.
+
+   Next, configure and authorize a service account for the data source syncer.
+   The following command sequence creates a service account and grants it
+   several IAM roles. The first three roles let the service account
+   read from the Cloud Logging API and generate service account tokens. The
+   last two roles allow the service account to read the Grafana service account
+   token from Secret Manager and to invoke Cloud Run:
+
+   ```bash
+   # Replace the values if needed
+   export PROJECT_ID=YOUR_LOGGING_PROJECT_ID
+   export SA_DS_SYNCER=grafana-ds-syncer-sa
+   export REGION=us-central1 # The Google Cloud region where you want to run your Cloud Run job, such as us-central1.
+
+
+   gcloud config set project ${PROJECT_ID} \
+   &&
+   gcloud iam service-accounts create ${SA_DS_SYNCER} \
+   &&
+   gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+   --member=serviceAccount:${SA_DS_SYNCER}@${PROJECT_ID}.iam.gserviceaccount.com \
+   --role=roles/logging.viewer \
+   --condition=None \
+   && \
+   gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+   --member=serviceAccount:${SA_DS_SYNCER}@${PROJECT_ID}.iam.gserviceaccount.com \
+   --role=roles/logging.viewAccessor \
+   --condition=None \
+   && \
+   gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+   --member=serviceAccount:${SA_DS_SYNCER}@${PROJECT_ID}.iam.gserviceaccount.com \
+   --role=roles/iam.serviceAccountTokenCreator \
+    --condition=None \
+   && \
+   gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+   --member=serviceAccount:${SA_DS_SYNCER}@${PROJECT_ID}.iam.gserviceaccount.com \
+   --role=roles/secretmanager.secretAccessor \
+    --condition=None \
+   && \
+   gcloud projects add-iam-policy-binding ${PROJECT_ID} \
+   --member=serviceAccount:${SA_DS_SYNCER}@${PROJECT_ID}.iam.gserviceaccount.com \
+   --role=roles/run.invoker \
+    --condition=None
+   ```
+
+1. Build the container image:
+    ```bash
+    # Create the artifact registry to store the image
+    gcloud artifacts repositories create datasource-syncer-repo \
+    --repository-format=docker \
+    --location=${REGION} --description="Docker repository for Grafana data source syncer"
+    
+    gcloud builds submit --region=${REGION} --tag ${REGION}-docker.pkg.dev/${PROJECT_ID}/datasource-syncer-repo/datasource-syncer
+    ```
+
+1. Determine the URL of your Grafana instance, for example
+   `https://yourcompanyname.grafana.net` for a Grafana Cloud deployment. Your
+   Grafana instance needs to be accessible from Cloud Run, meaning it
+   needs to be accessible from the wider internet.
+
+   If your Grafana instance is not accessible from the wider internet, we
+   recommend deploying the data source syncer on Kubernetes instead.
+
+1. Choose the Grafana Cloud Logging data source to
+   use for Cloud Logging, which can be either a new or a
+   pre-existing data source, and then find and write down the data
+   source UID. The data source UID can be found in the last
+   part of the URL when exploring or configuring a data source, for example
+   `https://yourcompanyname.grafana.net/connections/datasources/edit/`**_grafana_datasource_uid_**.
+
+   **Do not copy the entire datasource URL**. Copy only the unique identifier in
+   the URL.
+
+    ![Locate a data source UID in Grafana.](./grafana-datasource-uid.png)
+
+1. [Set up a Grafana service account](https://grafana.com/docs/grafana/latest/administration/service-accounts/#create-a-service-account-in-grafana) by creating the
+   service account and generating a token for the account to use:
+
+    1. In the Grafana navigation sidebar, click
+       **Administration > Users and Access > Service Accounts**.
+
+    1. Create the service account in Grafana by clicking **Add service
+       account**, giving it a name, and granting it the "Data Sources >
+       Writer" role. Make sure you hit the **Apply** button to assign the role.
+       In older versions of Grafana, you can use the "Admin" role
+       instead.
+
+    1. Click **Add service account token**.
+
+    1. Set the token expiration to "No expiration" and click **Generate
+       token**, then copy the generated token to the clipboard for use as
+       GRAFANA_SERVICE_ACCOUNT_TOKEN in the next step:
+
+       ![Generate and save a service account token in Grafana.](https://cloud.google.com/static/stackdriver/images/grafana-generate-save-service-account-token.png)
+
+1. Set the following 
+   variables using the results of the previous steps:
+
+    ```bash
+    # These values are required.
+    export GRAFANA_INSTANCE_URL=YOUR_GRAFANA_INSTANCE_URL # The Grafana instance URL from step 2. This is a URL. Include "http://" or "https://".
+    export GRAFANA_DATASOURCE_UID=YOUR_GRAFANA_DATASOURCE_UID # The Grafana data source UID from step 3. This is not a URL.
+    export GRAFANA_SERVICE_ACCOUNT_TOKEN=YOUR_GRAFANA_SERVICE_ACCOUNT_TOKEN # The Grafana service account token from step 4.
+    ```
+
+1. Create a secret in Secret Manager:
+
+   ```bash
+   gcloud secrets create datasource-syncer --replication-policy="automatic" && \
+   echo -n ${GRAFANA_SERVICE_ACCOUNT_TOKEN} | gcloud secrets versions add datasource-syncer --data-file=-
+   ```
+
+1. Run the following command to create a YAML file and name it
+   `cloud-run-datasource-syncer.yaml`:
+
+   ```bash
+   cat > cloud-run-datasource-syncer.yaml <<EOF
+   apiVersion: run.googleapis.com/v1
+   kind: Job
+   metadata:
+     name: logging-datasource-syncer-job
+   spec:
+     template:
+       spec:
+         taskCount: 1
+         template:
+           spec:
+             containers:
+             - name: datasource-syncer
+               image: ${REGION}-docker.pkg.dev/${PROJECT_ID}/datasource-syncer-repo/datasource-syncer
+               args:
+               - "--datasource-uids=${GRAFANA_DATASOURCE_UID}"
+               - "--grafana-api-endpoint=${GRAFANA_INSTANCE_URL}"
+               - "--project-id=${PROJECT_ID}"
+               env:
+               - name: GRAFANA_SERVICE_ACCOUNT_TOKEN
+                 valueFrom:
+                   secretKeyRef:
+                     key: latest
+                     name: datasource-syncer
+             serviceAccountName: ${SA_DS_SYNCER}@${PROJECT_ID}.iam.gserviceaccount.com
+   EOF
+   ```
+
+   Then run the following command to create a Cloud Run job using the
+   YAML file:
+
+   ```bash
+   gcloud run jobs replace cloud-run-datasource-syncer.yaml --region ${REGION}
+   ```
+
+1. Create a schedule in Cloud Scheduler to run the Cloud Run job
+   every 10 minutes:
+
+   ```bash
+   gcloud scheduler jobs create http datasource-syncer \
+   --location ${REGION} \
+   --schedule="*/10 * * * *" \
+   --uri="https://${REGION}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${PROJECT_ID}/jobs/logging-datasource-syncer-job:run" \
+   --http-method POST \
+   --oauth-service-account-email=${SA_DS_SYNCER}@${PROJECT_ID}.iam.gserviceaccount.com
+   ```
+
+   Then force run the scheduler you just created:
+
+   ```bash
+   gcloud scheduler jobs run datasource-syncer --location ${REGION}
+   ```
+
+   It can take up to 15 seconds for the data source to be updated.
+
+1. Go to your newly configured Grafana data source and verify the **Access Token
+   ** field has the value `configured` and the **Project ID** field has your cloud project id. You might have to refresh the page. Once verified, go to the bottom
+   of the page, select **Save & test**, and ensure you see a green checkmark saying that
+   the datasource is properly configured. You need to select **Save & test** at
+   least once to ensure that label autocompletion in Grafana works.

datasource-syncer/go.mod

@@ -0,0 +1,16 @@
+module datasource-syncer
+
+go 1.24.2
+
+require (
+	github.com/go-kit/log v0.2.1
+	github.com/google/go-cmp v0.7.0
+	github.com/grafana/grafana-api-golang-client v0.27.0
+	github.com/hashicorp/go-cleanhttp v0.5.2
+	golang.org/x/oauth2 v0.30.0
+)
+
+require (
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	github.com/go-logfmt/logfmt v0.5.1 // indirect
+)

datasource-syncer/go.sum

@@ -0,0 +1,24 @@
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=
+github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
+github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA=
+github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
+github.com/gobs/pretty v0.0.0-20180724170744-09732c25a95b h1:/vQ+oYKu+JoyaMPDsv5FzwuL2wwWBgBbtj/YLCi4LuA=
+github.com/gobs/pretty v0.0.0-20180724170744-09732c25a95b/go.mod h1:Xo4aNUOrJnVruqWQJBtW6+bTBDTniY8yZum5rF3b5jw=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/grafana/grafana-api-golang-client v0.27.0 h1:zIwMXcbCB4n588i3O2N6HfNcQogCNTd/vPkEXTr7zX8=
+github.com/grafana/grafana-api-golang-client v0.27.0/go.mod h1:uNLZEmgKtTjHBtCQMwNn3qsx2mpMb8zU+7T4Xv3NR9Y=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=