From 8101a26652c36653891b8242a262c4aa56c24416 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Wed, 9 Oct 2024 09:22:28 +0200
Subject: [PATCH] support log exclusions in bootstrap log sinks (#2616)

---
 fast/stages/0-bootstrap/README.md | 16 ++++++++--------
 fast/stages/0-bootstrap/organization.tf | 2 ++
 fast/stages/0-bootstrap/variables.tf | 9 +++++++--
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/fast/stages/0-bootstrap/README.md b/fast/stages/0-bootstrap/README.md
index 5ab77e7650..8599e65594 100644
--- a/fast/stages/0-bootstrap/README.md
+++ b/fast/stages/0-bootstrap/README.md
@@ -654,8 +654,8 @@ The remaining configuration is manual, as it regards the repositories themselves
 | name | description | type | required | default | producer |
 |---|---|:---:|:---:|:---:|:---:|
 | [billing_account](variables.tf#L17) | Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`. | object({…}) | ✓ | | |
-| [organization](variables.tf#L261) | Organization details. | object({…}) | ✓ | | |
-| [prefix](variables.tf#L276) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
+| [organization](variables.tf#L266) | Organization details. | object({…}) | ✓ | | |
+| [prefix](variables.tf#L281) | Prefix used for resources that need unique names. Use 9 characters or less. | string | ✓ | | |
 | [bootstrap_user](variables.tf#L27) | Email of the nominal user running this stage for the first time. | string | | null | |
 | [cicd_repositories](variables.tf#L33) | CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed. | object({…}) | | null | |
 | [custom_roles](variables.tf#L87) | Map of role names => list of permissions to additionally create at the organization level. | map(list(string)) | | {} | |
@@ -667,12 +667,12 @@ The remaining configuration is manual, as it regards the repositories themselves
 | [iam_bindings_additive](variables.tf#L159) | Organization-level custom additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} | |
 | [iam_by_principals](variables.tf#L174) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} | |
 | [locations](variables.tf#L181) | Optional locations for GCS, BigQuery, and logging buckets created here. | object({…}) | | {} | |
-| [log_sinks](variables.tf#L195) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
-| [org_policies_config](variables.tf#L243) | Organization policies customization. | object({…}) | | {} | |
-| [outputs_location](variables.tf#L270) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
-| [project_parent_ids](variables.tf#L285) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | |
-| [workforce_identity_providers](variables.tf#L296) | Workforce Identity Federation pools. | map(object({…})) | | {} | |
-| [workload_identity_providers](variables.tf#L312) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | |
+| [log_sinks](variables.tf#L195) | Org-level log sinks, in name => {type, filter} format. | map(object({…})) | | {…} | |
+| [org_policies_config](variables.tf#L248) | Organization policies customization. | object({…}) | | {} | |
+| [outputs_location](variables.tf#L275) | Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable. | string | | null | |
+| [project_parent_ids](variables.tf#L290) | Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent. | object({…}) | | {} | |
+| [workforce_identity_providers](variables.tf#L301) | Workforce Identity Federation pools. | map(object({…})) | | {} | |
+| [workload_identity_providers](variables.tf#L317) | Workload Identity Federation pools. The `cicd_repositories` variable references keys here. | map(object({…})) | | {} | |
 
 ## Outputs
 
diff --git a/fast/stages/0-bootstrap/organization.tf b/fast/stages/0-bootstrap/organization.tf
index 65cf87f14a..18644f83fa 100644
--- a/fast/stages/0-bootstrap/organization.tf
+++ b/fast/stages/0-bootstrap/organization.tf
@@ -238,6 +238,8 @@ module "organization" {
 destination = local.log_sink_destinations[name].id
 filter = attrs.filter
 type = attrs.type
+ disabled = attrs.disabled
+ exclusions = attrs.exclusions
 }
 }
 org_policies = var.bootstrap_user != null ? {} : {
diff --git a/fast/stages/0-bootstrap/variables.tf b/fast/stages/0-bootstrap/variables.tf
index 93bbaba06c..a2e65ecb22 100644
--- a/fast/stages/0-bootstrap/variables.tf
+++ b/fast/stages/0-bootstrap/variables.tf
@@ -195,8 +195,10 @@ variable "locations" {
 variable "log_sinks" {
 description = "Org-level log sinks, in name => {type, filter} format."
 type = map(object({
- filter = string
- type = string
+ filter = string
+ type = string
+ disabled = optional(bool, false)
+ exclusions = optional(map(string), {})
 }))
 nullable = false
 default = {
@@ -208,6 +210,9 @@ variable "log_sinks" {
 log_id("cloudaudit.googleapis.com/access_transparency")
 FILTER
 type = "logging"
+ # exclusions = {
+ # gke-audit = "protoPayload.serviceName=\"k8s.io\""
+ # }
 }
 iam = {
 filter = <<-FILTER
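Review bot: The description on the context line `description = "Org-level log sinks, in name => {type, filter} format."` is now stale: the object type in this hunk gains `disabled` and `exclusions`, yet the text, and the README row regenerated from it, still name only type and filter. Suggest `description = "Org-level log sinks, in name => {type, filter, disabled, exclusions} format. Exclusion values are logging filters whose matching entries are dropped from the sink."`. Since exclusion values are forwarded as filters, a `validation` block on the variable, e.g. `condition = alltrue([for s in var.log_sinks : alltrue([for f in values(s.exclusions) : f != ""])])` with a matching `error_message`, would surface an empty filter at plan time rather than at apply; this is a hardening suggestion, not a defect visible in the hunk. The `variable "log_sinks"` block continues past the end of the hunk.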
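Review bot: The commented example is placed in what the access_transparency filter in the context lines suggests is the default audit-logs sink, and it shows excluding GKE audit entries without saying what that does to coverage; whoever uncomments it reduces the audit data reaching the central destination with no hint in the file. As I understand sink exclusions, matching entries are dropped from this sink's export only, so a comment such as `# exclusions drop matching entries from this sink's export; on the audit sink this reduces central audit coverage` above the example would make the trade-off visible where the knob is. The `default` block continues beyond the hunk.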