Add views and tags to logging bucket

GoogleCloudPlatform · Dec 18, 2024 · 7127905 · 7127905
1 parent e241624
commit 7127905
Show file tree

Hide file tree

Showing 6 changed files with 257 additions and 13 deletions.
diff --git a/modules/logging-bucket/README.md b/modules/logging-bucket/README.md
@@ -6,9 +6,20 @@ Note that some logging buckets are automatically created for a given folder, pro
 
 See also the `logging_sinks` argument within the [project](../project/), [folder](../folder/) and [organization](../organization) modules.
 
-## Examples
+## TOC
 
-### Create custom logging bucket in a project
+<!-- BEGIN TOC -->
+- [TOC](#toc)
+- [Custom logging bucket in a project](#custom-logging-bucket-in-a-project)
+- [Custom logging bucket in a project with Log Analytics](#custom-logging-bucket-in-a-project-with-log-analytics)
+- [Change retention period of a folder's _Default bucket](#change-retention-period-of-a-folders-_default-bucket)
+- [Organization and billing account buckets](#organization-and-billing-account-buckets)
+- [Custom bucket with views](#custom-bucket-with-views)
+- [Variables](#variables)
+- [Outputs](#outputs)
+<!-- END TOC -->
+
+## Custom logging bucket in a project
 
 ```hcl
 module "bucket" {
@@ -20,7 +31,7 @@ module "bucket" {
 # tftest modules=1 resources=1 inventory=project.yaml
 ```
 
-### Create custom logging bucket in a project enabling Log Analytics and dataset link
+## Custom logging bucket in a project with Log Analytics
 
 ```hcl
 module "bucket" {
@@ -36,7 +47,7 @@ module "bucket" {
 # tftest modules=1 resources=2 inventory=log_analytics.yaml
 ```
 
-### Change retention period of a folder's _Default bucket
+## Change retention period of a folder's _Default bucket
 
 ```hcl
 module "folder" {
@@ -55,7 +66,7 @@ module "bucket-default" {
 # tftest modules=2 resources=2 inventory=retention.yaml
 ```
 
-### Organization and billing account buckets
+## Organization and billing account buckets
 
 ```hcl
 module "bucket-organization" {
@@ -73,6 +84,26 @@ module "bucket-billing-account" {
 }
 # tftest modules=2 resources=2 inventory=org-ba.yaml
 ```
+
+## Custom bucket with views
+
+```hcl
+module "bucket" {
+  source      = "./fabric/modules/logging-bucket"
+  parent_type = "project"
+  parent      = var.project_id
+  id          = "mybucket"
+  views = {
+    myview = {
+      filter = "LOG_ID(\"stdout\")"
+      iam = {
+        "roles/logging.viewAccessor" = ["user:[email protected]"]
+      }
+    }
+  }
+}
+# tftest modules=1 resources=3 inventory=views.yaml
+```
 <!-- BEGIN TFDOC -->
 ## Variables
 
@@ -86,10 +117,13 @@ module "bucket-billing-account" {
 | [location](variables.tf#L34) | Location of the bucket. | <code>string</code> |  | <code>&#34;global&#34;</code> |
 | [log_analytics](variables.tf#L40) | Enable and configure Analytics Log. | <code title="object&#40;&#123;&#10;  enable          &#61; optional&#40;bool, false&#41;&#10;  dataset_link_id &#61; optional&#40;string&#41;&#10;  description     &#61; optional&#40;string, &#34;Log Analytics Dataset&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [retention](variables.tf#L61) | Retention time in days for the logging bucket. | <code>number</code> |  | <code>30</code> |
+| [tag_bindings](variables.tf#L67) | Tag bindings for this bucket, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
+| [views](variables.tf#L74) | Log views for this bucket. | <code title="map&#40;object&#40;&#123;&#10;  filter      &#61; string&#10;  location    &#61; optional&#40;string&#41;&#10;  description &#61; optional&#40;string&#41;&#10;  iam         &#61; optional&#40;map&#40;list&#40;string&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings &#61; optional&#40;map&#40;object&#40;&#123;&#10;    members &#61; list&#40;string&#41;&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;  iam_bindings_additive &#61; optional&#40;map&#40;object&#40;&#123;&#10;    member &#61; string&#10;    role   &#61; string&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      expression  &#61; string&#10;      title       &#61; string&#10;      description &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
 | [id](outputs.tf#L17) | Fully qualified logging bucket id. |  |
+| [view_ids](outputs.tf#L22) | The automatic and user-created views in this bucket. |  |
 <!-- END TFDOC -->
diff --git a/modules/logging-bucket/iam.tf b/modules/logging-bucket/iam.tf
@@ -0,0 +1,100 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  view_iam = flatten([
+    for k, v in var.views : [
+      for role, members in v.iam : {
+        view    = k
+        role    = role
+        members = members
+      }
+    ]
+  ])
+  view_iam_bindings = merge([
+    for k, v in var.views : {
+      for binding_key, data in v.iam_bindings :
+      binding_key => {
+        view      = k
+        role      = data.role
+        members   = data.members
+        condition = data.condition
+      }
+    }
+  ]...)
+  view_iam_bindings_additive = merge([
+    for k, v in var.views : {
+      for binding_key, data in v.iam_bindings_additive :
+      binding_key => {
+        view      = k
+        role      = data.role
+        member    = data.member
+        condition = data.condition
+      }
+    }
+  ]...)
+}
+
+resource "google_logging_log_view_iam_binding" "authoritative" {
+  for_each = {
+    for binding in local.view_iam :
+    "${binding.view}.${binding.role}" => binding
+  }
+  role     = each.value.role
+  members  = each.value.members
+  parent   = google_logging_log_view.views[each.value.view].parent
+  location = google_logging_log_view.views[each.value.view].location
+  bucket   = google_logging_log_view.views[each.value.view].bucket
+  name     = google_logging_log_view.views[each.value.view].name
+}
+
+resource "google_logging_log_view_iam_binding" "bindings" {
+  for_each = local.view_iam_bindings
+  role     = each.value.role
+  members  = each.value.members
+  parent   = google_logging_log_view.views[each.value.view].parent
+  location = google_logging_log_view.views[each.value.view].location
+  bucket   = google_logging_log_view.views[each.value.view].bucket
+  name     = google_logging_log_view.views[each.value.view].name
+
+  dynamic "condition" {
+    for_each = each.value.condition == null ? [] : [""]
+    content {
+      expression  = each.value.condition.expression
+      title       = each.value.condition.title
+      description = each.value.condition.description
+    }
+  }
+}
+
+resource "google_logging_log_view_iam_member" "members" {
+  for_each = local.view_iam_bindings_additive
+  role     = each.value.role
+  member   = each.value.member
+  parent   = google_logging_log_view.views[each.value.view].parent
+  location = google_logging_log_view.views[each.value.view].location
+  bucket   = google_logging_log_view.views[each.value.view].bucket
+  name     = google_logging_log_view.views[each.value.view].name
+
+  dynamic "condition" {
+    for_each = each.value.condition == null ? [] : [""]
+    content {
+      expression  = each.value.condition.expression
+      title       = each.value.condition.title
+      description = each.value.condition.description
+    }
+  }
+}
diff --git a/modules/logging-bucket/main.tf b/modules/logging-bucket/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,6 +14,15 @@
  * limitations under the License.
  */
 
+locals {
+  bucket = try(
+    google_logging_project_bucket_config.bucket[0],
+    google_logging_folder_bucket_config.bucket[0],
+    google_logging_organization_bucket_config.bucket[0],
+    google_logging_billing_account_bucket_config.bucket[0],
+  )
+}
+
 resource "google_logging_project_bucket_config" "bucket" {
   count            = var.parent_type == "project" ? 1 : 0
   project          = var.parent
@@ -66,3 +75,18 @@ resource "google_logging_billing_account_bucket_config" "bucket" {
   bucket_id       = var.id
   description     = var.description
 }
+
+resource "google_logging_log_view" "views" {
+  for_each    = var.views
+  name        = each.key
+  bucket      = local.bucket.id
+  description = each.value.description
+  location    = coalesce(each.value.location, var.location)
+  filter      = each.value.filter
+}
+
+resource "google_tags_tag_binding" "binding" {
+  for_each  = var.tag_bindings
+  parent    = "//logging.googleapis.com/${local.bucket.id}"
+  tag_value = each.value
+}
diff --git a/modules/logging-bucket/outputs.tf b/modules/logging-bucket/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,10 +16,18 @@
 
 output "id" {
   description = "Fully qualified logging bucket id."
-  value = try(
-    google_logging_project_bucket_config.bucket[0].id,
-    google_logging_folder_bucket_config.bucket[0].id,
-    google_logging_organization_bucket_config.bucket[0].id,
-    google_logging_billing_account_bucket_config.bucket[0].id,
+  value       = local.bucket.id
+}
+
+output "view_ids" {
+  description = "The automatic and user-created views in this bucket."
+  value = merge(
+    {
+      for k, v in google_logging_log_view.views :
+      k => v.id
+    },
+    {
+      "_AllLogs" = "${local.bucket.id}/views/_AllLogs"
+    }
   )
 }
diff --git a/modules/logging-bucket/variables.tf b/modules/logging-bucket/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -63,3 +63,39 @@ variable "retention" {
   type        = number
   default     = 30
 }
+
+variable "tag_bindings" {
+  description = "Tag bindings for this bucket, in key => tag value id format."
+  type        = map(string)
+  default     = {}
+  nullable    = false
+}
+
+variable "views" {
+  description = "Log views for this bucket."
+  type = map(object({
+    filter      = string
+    location    = optional(string)
+    description = optional(string)
+    iam         = optional(map(list(string)), {})
+    iam_bindings = optional(map(object({
+      members = list(string)
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+    iam_bindings_additive = optional(map(object({
+      member = string
+      role   = string
+      condition = optional(object({
+        expression  = string
+        title       = string
+        description = optional(string)
+      }))
+    })), {})
+  }))
+  default  = {}
+  nullable = false
+}
diff --git a/tests/modules/logging_bucket/examples/views.yaml b/tests/modules/logging_bucket/examples/views.yaml
@@ -0,0 +1,42 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.bucket.google_logging_log_view.views["myview"]:
+    description: null
+    filter: LOG_ID("stdout")
+    location: global
+    name: myview
+    timeouts: null
+  module.bucket.google_logging_log_view_iam_binding.authoritative["myview.roles/logging.viewAccessor"]:
+    condition: []
+    location: global
+    members:
+    - user:[email protected]
+    name: myview
+    role: roles/logging.viewAccessor
+  module.bucket.google_logging_project_bucket_config.bucket[0]:
+    bucket_id: mybucket
+    cmek_settings: []
+    enable_analytics: false
+    index_configs: []
+    location: global
+    locked: null
+    project: project-id
+    retention_days: 30
+
+counts:
+  google_logging_log_view: 1
+  google_logging_log_view_iam_binding: 1
+  google_logging_project_bucket_config: 1