pemujo/Dialogflow-Policy-enforcer

Dialogflow-Policy-enforcer

Used to enforce Dialogflow CX configuration policies:

Policy 1: Dialogflow CX Agent logging policy is to enable agent logs.

Policy 2: Dialogflow webhooks cannot include static credentials (username/password).

Policy 3: Dialogflow ES Fulfillment cannot include static credentials (username/password).

Overall enforcer flow:

Dialogflow audit logs -> Cloud router sink -> Pub/Sub -> Cloud Functions -> Apply policies

Configuration steps:

  1. Enable all audit logs for the Dialogflow API.

  2. Create an org-level Cloud Logging log router sink that sends to a Pub/Sub topic.

    • Exclude the logs generated by Cloud Functions' service account.

    • Logs included on filter:

      protoPayload.authenticationInfo.principalEmail!="[email protected]" AND protoPayload.serviceName="dialogflow.googleapis.com" AND (Webhooks.CreateWebhook OR Webhooks.UpdateWebhook OR Agents.CreateAgent OR Agents.UpdateAgent OR Fulfillments.UpdateFulfillment )

    • And make sure to grant Publisher permissions to the logging service account.

    Or

    • Run create_sink.sh
  3. Create a Cloud Function subscribed to the Pub/Sub topic and deploy the main.py code to it.

Or

  • Run deploy.sh
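
The flow above, sketched as an added example (this is not the repository's main.py): it decodes a Pub/Sub-delivered audit log entry, maps the method names from the sink filter to a policy, and checks a webhook or fulfillment `genericWebService` block for static credentials. The policy labels, function names, and sample values are assumptions made for illustration, and the check for an `Authorization: Basic` header goes one step beyond the username/password fields named in Policies 2 and 3.

```python
import base64
import json

# Method suffixes come from the sink filter above; the policy labels are
# hypothetical names for Policies 1-3. Matching on the suffix assumes the
# log's methodName ends with "<Service>.<Method>".
METHOD_POLICY = {
    "Agents.CreateAgent": "agent-logging",
    "Agents.UpdateAgent": "agent-logging",
    "Webhooks.CreateWebhook": "webhook-static-credentials",
    "Webhooks.UpdateWebhook": "webhook-static-credentials",
    "Fulfillments.UpdateFulfillment": "fulfillment-static-credentials",
}


def route_event(event):
    """Return (policy, resourceName, principalEmail), or None if not handled."""
    # Pub/Sub-triggered functions receive the LogEntry as base64-encoded JSON.
    entry = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "dialogflow.googleapis.com":
        return None
    method = payload.get("methodName", "")
    for suffix, policy in METHOD_POLICY.items():
        if method.endswith(suffix):
            actor = payload.get("authenticationInfo", {}).get("principalEmail")
            return policy, payload.get("resourceName"), actor
    return None


def has_static_credentials(generic_web_service):
    """True if the block sets username/password or a Basic auth header."""
    gws = generic_web_service or {}
    if gws.get("username") or gws.get("password"):
        return True
    headers = gws.get("requestHeaders") or {}
    # "Authorization: Basic ..." is the same username/password pair, encoded.
    return any(k.lower() == "authorization" and str(v).lower().startswith("basic ")
               for k, v in headers.items())


# Constructed sample: an audit LogEntry as the sink would publish it.
SAMPLE_ENTRY = {"protoPayload": {
    "serviceName": "dialogflow.googleapis.com",
    "methodName": "google.cloud.dialogflow.cx.v3.Webhooks.UpdateWebhook",
    "resourceName": "projects/example-project/locations/global/agents/a1/webhooks/w1",
    "authenticationInfo": {"principalEmail": "dev@example.com"}}}
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode()}
```

In a deployed function, the resource named by `route_event` would be fetched through the Dialogflow API and its `genericWebService` block passed to `has_static_credentials` before any remediation is applied.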

About

Used to enforce custom configuration policies
