forked from hashicorp/terraform-provider-google
Add stackdriver project sink support (hashicorp#432)
* Vendor cloud logging api
* Add logging sink support
* Remove typo
* Set Filter simpler
* Rename typ, typName to resourceType, resourceId
* Handle notFoundError
* Use # instead of // for hcl comments
* Cleanup test code
* Change testAccCheckLoggingProjectSink to take a provided api object
* Fix whitespace change after merge conflict
Showing 2 changed files with 129 additions and 0 deletions.
@@ -0,0 +1,120 @@ | ||
--- | ||
layout: "google" | ||
page_title: "Google: google_logging_project_sink" | ||
sidebar_current: "docs-google-logging-project-sink" | ||
description: |- | ||
Manages a project-level logging sink. | ||
--- | ||
|
||
# google\_logging\_project\_sink | ||
|
||
Manages a project-level logging sink. For more information see | ||
[the official documentation](https://cloud.google.com/logging/docs/), | ||
[Exporting Logs in the API](https://cloud.google.com/logging/docs/api/tasks/exporting-logs) | ||
and | ||
[API](https://cloud.google.com/compute/docs/reference/latest/instances). | ||
|
||
Note that you must have the "Logs Configuration Writer" IAM role (`roles/logging.configWriter`) | ||
granted to the credentials used with terraform. | ||
|
||
## Example Usage | ||
|
||
```hcl | ||
resource "google_logging_project_sink" "my-sink" { | ||
name = "my-pubsub-instance-sink" | ||
# Can export to pubsub, cloud storage, or bigtable | ||
destination = "pubsub.googleapis.com/projects/my-project/topics/instance-activity" | ||
# Log all WARN or higher severity messages relating to instances | ||
filter = "resource.type = gce_instance AND severity >= WARN" | ||
# Use a unique writer (creates a unique service account used for writing) | ||
unique_writer_identity = true | ||
} | ||
``` | ||
|
||
A more complete example follows: this creates a compute instance, as well as a log sink that logs all activity to a | ||
cloud storage bucket. Because we are using `unique_writer_identity`, we must grant it access to the bucket. Note that | ||
this grant requires the "Project IAM Admin" IAM role (`roles/resourcemanager.projectIamAdmin`) granted to the credentials | ||
used with terraform. | ||
|
||
```hcl | ||
# Our logged compute instance | ||
resource "google_compute_instance" "my-logged-instance" { | ||
name = "my-instance" | ||
machine_type = "n1-standard-1" | ||
zone = "us-central1-a" | ||
boot_disk { | ||
initialize_params { | ||
image = "debian-cloud/debian-8" | ||
} | ||
} | ||
network_interface { | ||
network = "default" | ||
access_config {} | ||
} | ||
} | ||
# A bucket to storage logs in. | ||
resource "google_storage_bucket" "log-bucket" { | ||
name = "my-unique-logging-bucket" | ||
} | ||
# Our sink; this logs all activity related to our "my-logged-instance" instance | ||
resource "google_logging_project_sink" "instance-sink" { | ||
name = "my-instance-sink" | ||
destination = "storage.googleapis.com/${google_storage_bucket.log-bucket.name}" | ||
filter = "resource.type = gce_instance AND resource.labels.instance_id = \"${google_compute_instance.my-logged-instance.instance_id}\"" | ||
unique_writer_identity = true | ||
} | ||
# Because our sink uses a unique_writer, we must grant that writer access to the bucket. | ||
resource "google_project_iam_binding" "log-writer" { | ||
role = "roles/storage.objectCreator" | ||
members = [ | ||
"${google_logging_project_sink.instance-sink.writer_identity}", | ||
] | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
* `name` - (Required) The name of the logging sink. | ||
|
||
* `destination` - (Required) The destination of the sink (or, in other words, where logs are written to). Can be a | ||
Cloud Storage bucket, a PubSub topic, or a BigQuery dataset. Examples: | ||
``` | ||
"storage.googleapis.com/[GCS_BUCKET]" | ||
"bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET]" | ||
"pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]" | ||
``` | ||
The writer associated with the sink must have access to write to the above resource. | ||
|
||
* `filter` - (Optional) The filter to apply when exporting logs. Only log entries that match the filter are exported. | ||
See (Advanced Log Filters)[https://cloud.google.com/logging/docs/view/advanced_filters] for information on how to | ||
write a filter. | ||
|
||
* `project` - (Optional) The project to create the sink in. If omitted, the project associated with the provider is | ||
used. | ||
|
||
* `unique_writer_identity` - (Optional) Whether or not to create a unique identity associated with this sink. If `false` | ||
(the default), then the `writer_identity` used is `serviceAccount:cloud-logs@system.gserviceaccount.com`. If `true`, | ||
then a unique service account is created and used for this sink. If you wish to publish logs across projects, you | ||
must set `unique_writer_identity` to true. | ||
|
||
## Attributes Reference | ||
|
||
In addition to the arguments listed above, the following computed attributes are | ||
exported: | ||
|
||
* `writer_identity` - The identity associated with this sink. This identity must be granted write access to the | ||
configured `destination`. |
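Review bot: The `google_project_iam_binding` in the second example (`resource "google_project_iam_binding" "log-writer"`) grants `roles/storage.objectCreator` project-wide, while the prose just above it says the writer must be granted access "to the bucket"; that is broader than the sink needs, and `google_project_iam_binding` is authoritative for the role, so applying it also removes any other members that already hold `roles/storage.objectCreator` in the project. Consider scoping the grant to the `log-bucket` resource itself, or at minimum documenting that the binding is project-level and authoritative. Smaller points in the same hunk: the third link in the opening paragraph, `[API](https://cloud.google.com/compute/docs/reference/latest/instances)`, points at the Compute Engine instances reference rather than the Logging API; the comment `# Can export to pubsub, cloud storage, or bigtable` disagrees with the Argument Reference, which lists BigQuery datasets, not Bigtable; `# A bucket to storage logs in.` should read `store`; and `(Advanced Log Filters)[https://cloud.google.com/logging/docs/view/advanced_filters]` has the Markdown link brackets reversed, so it will not render as a link.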