/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License , Version 2 . 0 ( the " License " ) ;
* you may not use this file except in compliance with the License .
* You may obtain a copy of the License at
*
 * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing , software
* distributed under the License is distributed on an " AS IS " BASIS ,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
* See the License for the specific language governing permissions and
* limitations under the License .
 */
# tfdoc:file:description Log sinks and data access logs.
# Index the configured sinks by destination type, so that each per-type IAM
# binding resource below iterates only over the sinks it is responsible for.
locals {
  sink_bindings = {
    for sink_type in ["bigquery", "logging", "pubsub", "storage"] :
    sink_type => {
      for sink_name, sink_cfg in var.logging_sinks :
      sink_name => sink_cfg if sink_cfg.type == sink_type
    }
  }
}
# Data access (audit) log configuration at the organization level. Each key of
# var.logging_data_access is a service name; its value maps a log type (e.g.
# DATA_READ) to the list of members exempted from that log type.
# NOTE(review): nothing is managed here when var.iam_policy is set; the audit
# configuration is then presumably expected to be carried by that
# authoritative policy — confirm against the module's IAM documentation.
resource "google_organization_iam_audit_config" "default" {
  for_each = var.iam_policy != null ? {} : var.logging_data_access
  org_id   = local.organization_id_numeric
  service  = each.key
  dynamic "audit_log_config" {
    for_each = each.value
    iterator = cfg
    content {
      # Members listed here are not recorded for this log type, so every
      # entry is a deliberate gap in the audit trail and should be minimal.
      log_type         = cfg.key
      exempted_members = cfg.value
    }
  }
}
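# One organization-level log sink per entry of var.logging_sinks. The API
# destination is built from the sink type and the type-specific resource path
# given in the variable; the sink's writer identity is then granted write
# access to that destination by the per-type binding resources below.
resource "google_logging_organization_sink" "sink" {
  for_each         = var.logging_sinks
  name             = each.key
  description      = coalesce(each.value.description, "${each.key} (Terraform-managed).")
  org_id           = local.organization_id_numeric
  destination      = "${each.value.type}.googleapis.com/${each.value.destination}"
  filter           = each.value.filter
  include_children = each.value.include_children
  disabled         = each.value.disabled
  dynamic "bigquery_options" {
    # Only BigQuery sinks with an explicit partitioning choice emit this block.
    # The type comparison previously read "biquery" (typo), so the option was
    # silently never applied to any sink.
    for_each = (
      each.value.type == "bigquery" && each.value.bq_partitioned_table != null
      ? [""]
      : []
    )
    content {
      use_partitioned_tables = each.value.bq_partitioned_table
    }
  }
  dynamic "exclusions" {
    for_each = each.value.exclusions
    iterator = exclusion
    content {
      name   = exclusion.key
      filter = exclusion.value
    }
  }
  # Sinks are created only after the organization IAM resources have been
  # applied; presumably so that an authoritative policy does not race with
  # the writer identity bindings — confirm against the module's IAM files.
  depends_on = [
    google_organization_iam_binding.authoritative,
    google_organization_iam_member.additive,
    google_organization_iam_policy.authoritative,
  ]
}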
# Allow each storage sink's writer identity to create objects in its
# destination bucket. The grant is scoped to the bucket itself, not the
# project, which is the narrowest scope the sink needs.
resource "google_storage_bucket_iam_member" "storage-sinks-binding" {
  for_each = local.sink_bindings["storage"]
  member   = google_logging_organization_sink.sink[each.key].writer_identity
  role     = "roles/storage.objectCreator"
  # For storage sinks the destination holds the bare bucket name.
  bucket   = each.value.destination
}
# Allow each BigQuery sink's writer identity to write into its destination
# dataset. The destination is expected in the form
# projects/<project>/datasets/<dataset>; path segments 1 and 3 are read.
resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
  for_each   = local.sink_bindings["bigquery"]
  member     = google_logging_organization_sink.sink[each.key].writer_identity
  role       = "roles/bigquery.dataEditor"
  project    = split("/", each.value.destination)[1]
  dataset_id = split("/", each.value.destination)[3]
}
# Allow each Pub/Sub sink's writer identity to publish to its destination
# topic. The destination is expected in the form
# projects/<project>/topics/<topic>; path segments 1 and 3 are read.
resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
  for_each = local.sink_bindings["pubsub"]
  member   = google_logging_organization_sink.sink[each.key].writer_identity
  role     = "roles/pubsub.publisher"
  project  = split("/", each.value.destination)[1]
  topic    = split("/", each.value.destination)[3]
}
# Allow each log-bucket sink's writer identity to write into its destination
# log bucket. roles/logging.bucketWriter is granted at project level here, so
# an IAM condition narrows it to the single bucket named by the destination
# (expected form projects/<project>/locations/<location>/buckets/<bucket>;
# path segment 1 is the project).
resource "google_project_iam_member" "bucket-sinks-binding" {
  for_each = local.sink_bindings["logging"]
  member   = google_logging_organization_sink.sink[each.key].writer_identity
  role     = "roles/logging.bucketWriter"
  project  = split("/", each.value.destination)[1]
  condition {
    title       = "${each.key} bucket writer"
    description = "Grants bucketWriter to ${google_logging_organization_sink.sink[each.key].writer_identity} used by log sink ${each.key} on ${var.organization_id}"
    # Without this condition the writer identity could write to every log
    # bucket in the project; the suffix match pins it to the destination.
    expression  = "resource.name.endsWith('${each.value.destination}')"
  }
}
# Organization-level log exclusions, one per entry of var.logging_exclusions
# (exclusion name => filter expression).
resource "google_logging_organization_exclusion" "logging-exclusion" {
  for_each    = var.logging_exclusions
  org_id      = local.organization_id_numeric
  name        = each.key
  filter      = each.value
  description = "${each.key} (Terraform-managed)."
}