Summary
Currently, the otelcol-contrib filelog collector runs on the provisioned machine and ships runtime logs (syslog, auth, audit, gitlab-runner) to an OTLP endpoint. However, Pulumi provisioning and decommissioning events are not captured anywhere — meaning there is no audit trail for who created what, when, and whether it succeeded.
This issue tracks integrating the Pulumi Automation API event stream with OpenTelemetry so that stack-up and stack-destroy operations are also exported as OTel log records.
Motivation
For IBM Power and IBM Z targets running in an internal network, auditability of all actions is a hard requirement — not just what runs on the machine, but also the provisioning lifecycle itself. GitLab job logs are already being shipped via otelcol, but the provisioning events that precede and follow any job are currently dark.
Proposed approach
1. Hook into the Pulumi Automation API event stream
auto.Stack.Up() and auto.Stack.Destroy() accept auto.EventStreams(ch), which delivers typed events in real time:
engine.ResourcePreEvent — before a resource operation startsengine.ResourceOutputsEvent — after a resource is created/updatedengine.DiagnosticEvent — log messages from providers/programsengine.SummaryEvent — final outcome (succeeded/failed, duration, resource change counts)engine.CancelEvent — cancellation
2. Convert events to OTel log records
Consume the channel in a goroutine inside pkg/manager (where UpStack/DestroyStack live). Convert each relevant event to an OTel log record using the Go OTel SDK and export directly to the configured --otel-endpoint.
Relevant resource attributes (matching what the filelog collector already attaches):
appcode — from --otel-app-codecom.redhat.otel.auth_token — from --otel-auth-tokenproject-name — from --project-nameoperation — up or destroystack — Pulumi stack name
3. Dependencies
Add to the mapt binary:
go.opentelemetry.io/otelgo.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttpgo.opentelemetry.io/otel/sdk/log
The --otel-* flags are already first-class CLI params on all targets that support otelcol, so no new flags are needed.
4. Integration point
The event consumer would be enabled only when OtelAppCode and OtelAuthToken are set in the mapt context (pkg/manager/context). The manager's UpStack/DestroyStack wrappers are the right place to attach it, keeping the concern isolated from individual provider implementations.
Tradeoffs
|
This approach |
Current otelcol on machine |
| Captures provisioning events |
✅ |
❌ (machine doesn't exist yet) |
| Captures runtime logs |
❌ |
✅ |
| Requires otelcol on target |
No |
Yes |
| OTel SDK in mapt binary |
Yes |
No |
| Needs new flags |
No |
No |
The two approaches are complementary and can coexist.
Related
Summary
Currently, the otelcol-contrib filelog collector runs on the provisioned machine and ships runtime logs (syslog, auth, audit, gitlab-runner) to an OTLP endpoint. However, Pulumi provisioning and decommissioning events are not captured anywhere — meaning there is no audit trail for who created what, when, and whether it succeeded.
This issue tracks integrating the Pulumi Automation API event stream with OpenTelemetry so that stack-up and stack-destroy operations are also exported as OTel log records.
Motivation
For IBM Power and IBM Z targets running in an internal network, auditability of all actions is a hard requirement — not just what runs on the machine, but also the provisioning lifecycle itself. GitLab job logs are already being shipped via otelcol, but the provisioning events that precede and follow any job are currently dark.
Proposed approach
1. Hook into the Pulumi Automation API event stream
auto.Stack.Up()andauto.Stack.Destroy()acceptauto.EventStreams(ch), which delivers typed events in real time:engine.ResourcePreEvent— before a resource operation startsengine.ResourceOutputsEvent— after a resource is created/updatedengine.DiagnosticEvent— log messages from providers/programsengine.SummaryEvent— final outcome (succeeded/failed, duration, resource change counts)engine.CancelEvent— cancellation2. Convert events to OTel log records
Consume the channel in a goroutine inside
pkg/manager(whereUpStack/DestroyStacklive). Convert each relevant event to an OTel log record using the Go OTel SDK and export directly to the configured--otel-endpoint.Relevant resource attributes (matching what the filelog collector already attaches):
appcode— from--otel-app-codecom.redhat.otel.auth_token— from--otel-auth-tokenproject-name— from--project-nameoperation—upordestroystack— Pulumi stack name3. Dependencies
Add to the mapt binary:
go.opentelemetry.io/otelgo.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttpgo.opentelemetry.io/otel/sdk/logThe
--otel-*flags are already first-class CLI params on all targets that support otelcol, so no new flags are needed.4. Integration point
The event consumer would be enabled only when
OtelAppCodeandOtelAuthTokenare set in the mapt context (pkg/manager/context). The manager'sUpStack/DestroyStackwrappers are the right place to attach it, keeping the concern isolated from individual provider implementations.Tradeoffs
The two approaches are complementary and can coexist.
Related