/**
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
# tfdoc:file:description Log sinks and supporting resources.
locals {
  # Input sinks with the "project" shorthand expanded: a sink of type
  # "project" is re-expressed as a "logging" sink whose destination is
  # "projects/<id>". Every other sink is passed through unchanged.
  logging_sinks = {
    for k, v in var.logging_sinks : k => merge(
      v,
      v.type == "project" ? { destination = "projects/${v.destination}", type = "logging" } : {}
    )
  }

  # Sinks grouped by their *declared* type, read from var.logging_sinks
  # rather than from the rewritten map above so that "project" sinks land
  # in their own group (and therefore their own IAM binding below). Each
  # supported type always gets a key, possibly an empty map, so the
  # local.sink_bindings["<type>"] lookups in the binding resources never
  # fail when no sink of that type is declared.
  sink_bindings = {
    for type in ["bigquery", "logging", "project", "pubsub", "storage"] :
    type => { for name, sink in var.logging_sinks : name => sink if sink.type == type }
  }
}
# One billing-account log sink per entry in local.logging_sinks. The
# writer identity each sink is assigned is what the *-sinks-binding
# resources below grant destination-side permissions to.
resource "google_logging_billing_account_sink" "sink" {
  for_each        = local.logging_sinks
  billing_account = var.id
  name            = each.key
  description     = coalesce(each.value.description, "${each.key} (Terraform-managed).")
  # Destination in the service-qualified form the API expects,
  # e.g. "storage.googleapis.com/<bucket>"; the type prefix comes from
  # the (possibly rewritten) sink type.
  destination = "${each.value.type}.googleapis.com/${each.value.destination}"
  filter      = each.value.filter
  disabled    = each.value.disabled

  # BigQuery-specific options: emit exactly one block for BigQuery sinks
  # and none otherwise (the one-element / empty list drives the count).
  dynamic "bigquery_options" {
    for_each = each.value.type == "bigquery" ? [""] : []
    content {
      use_partitioned_tables = each.value.bq_partitioned_table
    }
  }

  # One exclusion block per entry in the sink's exclusions map; the map
  # key becomes the exclusion name.
  dynamic "exclusions" {
    for_each = each.value.exclusions
    iterator = exclusion
    content {
      name        = exclusion.key
      filter      = exclusion.value.filter
      description = exclusion.value.description
      disabled    = exclusion.value.disabled
    }
  }
}
# Destination-side grant for storage sinks: the sink's writer identity gets
# objectCreator on the destination bucket only, i.e. it can create objects
# but not read, list or delete them.
resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
  for_each = local.sink_bindings["storage"]
  member   = google_logging_billing_account_sink.sink[each.key].writer_identity
  role     = "roles/storage.objectCreator"
  bucket   = each.value.destination
}
# Destination-side grant for BigQuery sinks: dataEditor on the destination
# dataset, scoped to that dataset rather than the whole project.
resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
  for_each = local.sink_bindings["bigquery"]
  member   = google_logging_billing_account_sink.sink[each.key].writer_identity
  role     = "roles/bigquery.dataEditor"
  # Positional split: assumes destination is
  # "projects/<project>/datasets/<dataset>" (segments 1 and 3). Any other
  # shape is presumably rejected by the variable's validation — confirm.
  project    = split("/", each.value.destination)[1]
  dataset_id = split("/", each.value.destination)[3]
}
# Destination-side grant for Pub/Sub sinks: publisher on the destination
# topic only.
resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
  for_each = local.sink_bindings["pubsub"]
  member   = google_logging_billing_account_sink.sink[each.key].writer_identity
  role     = "roles/pubsub.publisher"
  # Positional split: assumes destination is
  # "projects/<project>/topics/<topic>" (segments 1 and 3) — confirm
  # against the variable's validation.
  project = split("/", each.value.destination)[1]
  topic   = split("/", each.value.destination)[3]
}
# Destination-side grant for log-bucket sinks. bucketWriter is a
# project-level role, so an IAM condition narrows it to the single
# destination bucket instead of every log bucket in the project.
resource "google_project_iam_member" "bucket-sinks-binding" {
  for_each = local.sink_bindings["logging"]
  member   = google_logging_billing_account_sink.sink[each.key].writer_identity
  role     = "roles/logging.bucketWriter"
  # Positional split: assumes destination starts with "projects/<project>/".
  project = split("/", each.value.destination)[1]

  condition {
    title       = "${each.key} bucket writer"
    description = "Grants bucketWriter to ${google_logging_billing_account_sink.sink[each.key].writer_identity} used by log sink ${each.key} on billing account ${var.id}"
    # Suffix match rather than equality: it is effectively exact only when
    # destination is the full "projects/.../locations/.../buckets/<name>"
    # path; a shorter suffix would widen the grant to every bucket whose
    # name ends the same way.
    expression = "resource.name.endsWith('${each.value.destination}')"
  }
}
# Destination-side grant for "project" sinks: logWriter on the destination
# project. Unlike bucket-sinks-binding this grant carries no condition, so
# it applies project-wide; the group is keyed on the declared type, which
# is why it still exists after the locals rewrite those sinks to "logging".
resource "google_project_iam_member" "project-sinks-binding" {
  for_each = local.sink_bindings["project"]
  member   = google_logging_billing_account_sink.sink[each.key].writer_identity
  role     = "roles/logging.logWriter"
  project  = each.value.destination
}