feat: add gcp monitoring on-alert trigger #5234
Add gcp.monitoring.onAlert, a trigger that fires when a Cloud Monitoring alerting policy opens or closes an incident. On setup the trigger auto-creates a webhook_tokenauth notification channel in Cloud Monitoring pointing at the node's SuperPlane webhook URL; Cloud Monitoring POSTs incidents there and the trigger emits a gcp.monitoring.alert event per matching incident (filtered by open/closed state). Users route a policy's incidents to the trigger by attaching its notification channel (shown on the node) via the Create/Update Alerting Policy components' Notification Channels field. Removing the trigger deletes the channel. Requires roles/monitoring.notificationChannelEditor (or roles/monitoring.editor). Includes backend tests, a frontend trigger renderer, and regenerated docs. Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
❌ OSS Guard found dependency licenses that are not permitted for this project. Project license (from repository): Apache-2.0 Permitted dependency licenses: MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC,0BSD,Unlicense,CC0-1.0,CC-BY-4.0,Zlib,MPL-2.0,OpenSSL,BlueOak-1.0.0 Reason: One or more dependencies use licenses that are not compatible with the project license. osv-scanner report: Add approved exceptions in your repository's |
Adds the missing frontend spec for the gcp.monitoring.onAlert trigger renderer, matching the convention for the other GCP mappers. Covers getTitleAndSubtitle (summary / state+condition / policy-name fallback / empty), getRootEventValues flattening, and getTriggerProps (node-name and definition-label title fallback, last-event surfacing). Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
The monitoring.onAlert trigger delivers through a SuperPlane node webhook (ctx.Webhook.Setup), so the webhook provisioner looks up the integration's webhook handler — but GCP registered with plain RegisterIntegration and had none, failing with "webhook handler gcp is not registered". GCP's other triggers deliver via Pub/Sub, so this is the first node-webhook trigger. Add a no-op WebhookHandler (the onAlert trigger creates its own Cloud Monitoring notification channel during Setup, so no external wiring is needed here) and register it via RegisterIntegrationWithWebhookHandler, matching the prometheus/aws pattern. Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Bring the gcp.monitoring.onAlert trigger renderer in line with the other
triggers across the repo:
- Details tab (getRootEventValues): replace the flattenObject dump (~13 raw
fields) with a curated set of at most 6 fields, with "Emitted At" first.
- Subtitle: show the relative event time (renderTimeAgo) instead of the
incident summary; the incident's condition now lives in the title
("Alerting incident · <condition>"), matching on_message/on_tunnel_health.
- Add getEventState for consistency.
Updates the mapper spec accordingly.
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
- Guard Setup against a missing GCP integration (return a clear error
instead of risking a nil-pointer panic), matching the other GCP triggers.
- Update the existing notification channel's URL when the node webhook URL
changes, instead of leaving Cloud Monitoring posting to a stale URL.
- Apply the documented default state ("open") when the states field is
empty/missing rather than failing setup and webhook handling.
- Surface the auto-created notification channel name on the canvas node
(the renderer previously always passed empty metadata).
Adds tests for the integration guard, the channel-URL update, the
default-state behavior, and the node metadata.
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Cloud Monitoring webhook channels are otherwise authenticated only by the unguessable webhook URL. To make deliveries verifiable, provision a webhook_basicauth notification channel whose password is the node's webhook secret, and verify it on every incoming request:
- createWebhookChannel now creates a webhook_basicauth channel carrying a fixed username plus the node webhook secret as the Basic-auth password, so Cloud Monitoring signs every incident delivery.
- Setup reads the node webhook secret and passes it when creating the channel.
- HandleWebhook authenticates the Authorization: Basic header against the node secret (constant-time) and returns 401 on mismatch. Legacy nodes with no secret are not blocked.
Adds tests for the basicauth channel creation and for accepting, rejecting (bad secret), and rejecting (missing credentials) deliveries.
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
The node previously surfaced the auto-created notification channel name in its metadata, which is internal setup detail. Surface the configured state filter instead (the incident states the user chose to emit on), matching how other alert triggers show their filters on the canvas node. Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
Address Bugbot review findings on the signed-webhook trigger:
- authenticateWebhook now fails closed: a GetSecret error (transient decrypt/lookup failure) returns an error -> 401 instead of being treated as "no secret configured" and letting an unauthenticated request through. Only an empty secret (legacy channel) is allowed.
- Setup resyncs the notification channel's URL *and* Basic-auth password whenever the channel already exists, not just when the URL changed, so a rotated webhook secret can't leave Cloud Monitoring signing deliveries with a stale password (renames updateWebhookChannelURL -> updateWebhookChannel, patching labels.url/username/password).
- Cleanup no longer blocks node removal when the GCP integration is gone: without an integration we can't call the API, so it returns nil (best-effort) instead of erroring and leaving the node un-removable.
Adds tests for the fail-closed auth path, the URL+password resync, and best-effort cleanup without an integration.
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
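The fail-closed Basic-auth check that the two commits above describe, as an added Go sketch that is not the PR's own code. `AuthenticateWebhook`, `ErrUnauthorized` and the `getSecret` callback are hypothetical names, the request and secret are constructed, and hashing both values before the comparison is a choice made here so the constant-time compare always sees equal-length inputs.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// ErrUnauthorized is what a caller would map to HTTP 401.
var ErrUnauthorized = errors.New("unauthorized")

// AuthenticateWebhook is a hypothetical helper, not the PR's function.
// getSecret stands in for the node's webhook-secret lookup.
func AuthenticateWebhook(r *http.Request, getSecret func() ([]byte, error)) error {
	secret, err := getSecret()
	if err != nil {
		// Fail closed: a lookup/decrypt error is not "no secret configured".
		return fmt.Errorf("%w: secret lookup failed: %v", ErrUnauthorized, err)
	}
	if len(secret) == 0 {
		return nil // legacy node with no secret: not blocked
	}
	_, password, ok := r.BasicAuth() // the username is fixed, so only the password is checked
	if !ok {
		return fmt.Errorf("%w: missing Basic credentials", ErrUnauthorized)
	}
	// Hash both sides so the constant-time compare sees equal lengths.
	got, want := sha256.Sum256([]byte(password)), sha256.Sum256(secret)
	if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
		return fmt.Errorf("%w: bad credentials", ErrUnauthorized)
	}
	return nil
}

func main() {
	// Constructed request and secret, for illustration only.
	req, _ := http.NewRequest(http.MethodPost, "https://example.invalid/webhook", nil)
	req.SetBasicAuth("example-user", "s3cret")
	ok := func() ([]byte, error) { return []byte("s3cret"), nil }
	broken := func() ([]byte, error) { return nil, errors.New("decrypt failed") }
	fmt.Println(AuthenticateWebhook(req, ok))
	fmt.Println(AuthenticateWebhook(req, broken))
}
```

A secret-lookup failure is rejected even when the request carries the correct password, which is the behaviour the Bugbot fix introduces.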
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit add4155. Configure here.
Cloud Monitoring sends "ended_at": null while an incident is still open. Decode ended_at as a nullable *int64 and omit it from the emitted gcp.monitoring.alert payload when absent, rather than reporting a misleading epoch (0) timestamp. Add tests for the null and resolved cases and drop the placeholder endedAt from the open-incident example. Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
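The null `ended_at` handling from the commit above, combined with the default `open` state filter from the earlier fix, as an added Go sketch rather than the PR's code. `BuildAlertEvent`, the `incident` struct and every emitted key except `endedAt` are assumed names, and the sample body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// incident holds the webhook body fields this sketch uses.
type incident struct {
	ID        string `json:"incident_id"`
	State     string `json:"state"`
	Policy    string `json:"policy_name"`
	Condition string `json:"condition_name"`
	StartedAt int64  `json:"started_at"`
	EndedAt   *int64 `json:"ended_at"` // JSON null decodes to nil, not 0
}

// BuildAlertEvent (hypothetical) returns nil when the incident state is not in
// states; an empty list means the default, "open". Keys other than endedAt are assumed.
func BuildAlertEvent(body []byte, states []string) (map[string]interface{}, error) {
	var msg struct {
		Incident incident `json:"incident"`
	}
	if err := json.Unmarshal(body, &msg); err != nil {
		return nil, fmt.Errorf("decode incident: %w", err)
	}
	if len(states) == 0 {
		states = []string{"open"}
	}
	in, matched := msg.Incident, false
	for _, s := range states {
		matched = matched || s == in.State
	}
	if !matched {
		return nil, nil
	}
	ev := map[string]interface{}{"incidentId": in.ID, "state": in.State,
		"policyName": in.Policy, "conditionName": in.Condition, "startedAt": in.StartedAt}
	if in.EndedAt != nil {
		ev["endedAt"] = *in.EndedAt // only present once the incident has closed
	}
	return ev, nil
}

func main() {
	// Constructed sample body for an open incident.
	open := []byte(`{"incident":{"incident_id":"example-1","state":"open","policy_name":"example-policy","condition_name":"example-condition","started_at":1700000000,"ended_at":null}}`)
	fmt.Println(BuildAlertEvent(open, nil))
}
```

With a plain `int64` field the same open-incident body would decode `ended_at` to 0 and the event would carry an epoch timestamp.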
The On Alert example no longer carries endedAt for open incidents; regenerate GoogleCloud.mdx so the committed docs match the source example and check.components.docs stays green. Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>

Summary
Adds a trigger to the GCP integration that fires when a Cloud Monitoring alerting policy opens or closes an incident — the event counterpart to the existing alerting-policy actions.
gcp.monitoring.onAlertDemo