/**
 * Copyright 2022 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
# tfdoc:file:description Log sinks and supporting resources.
locals {
  # Sinks grouped by destination type, keeping only those that opted into a
  # Terraform-managed IAM grant on their destination (`iam = true`). Each
  # *-sinks-binding resource below iterates one of these groups, so a sink
  # with `iam = false` receives no writer-identity binding from this file and
  # its writer identity has to be authorized on the destination out of band.
  sink_bindings = {
    for sink_type in ["bigquery", "pubsub", "logging", "storage"] :
    sink_type => {
      for sink_name, sink_cfg in var.logging_sinks :
      sink_name => sink_cfg
      if sink_cfg.iam && sink_cfg.type == sink_type
    }
  }
}
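# One project-level log sink per entry in var.logging_sinks. The writer
# identity of each sink is granted on its destination by the *-sinks-binding
# resources further down, but only when the sink sets `iam = true`.
resource "google_logging_project_sink" "sink" {
  for_each    = var.logging_sinks
  name        = each.key
  description = coalesce(each.value.description, "${each.key} (Terraform-managed).")
  project     = local.project.project_id
  # Destination is assembled as "<type>.googleapis.com/<destination>"; the
  # binding resources below split the same `destination` value on "/" to
  # locate the target project and resource, so callers must pass the full
  # resource path expected for that type (e.g. "projects/<p>/datasets/<d>").
  destination = "${each.value.type}.googleapis.com/${each.value.destination}"
  filter      = each.value.filter
  # NOTE(review): with unique_writer_identity = false the sink writes as the
  # project's shared logging service account rather than a per-sink identity
  # (per the google provider docs), so any destination grant made for that
  # identity is effectively shared by every such sink in the project. Prefer
  # unique writers where the destination holds sensitive data.
  unique_writer_identity = each.value.unique_writer
  disabled               = each.value.disabled
  dynamic "bigquery_options" {
    # Emit the block only for BigQuery sinks that set bq_partitioned_table.
    # The type comparison previously read "biquery" (typo), which made this
    # block unreachable and silently dropped use_partitioned_tables.
    for_each = each.value.type == "bigquery" && each.value.bq_partitioned_table != null ? [""] : []
    content {
      use_partitioned_tables = each.value.bq_partitioned_table
    }
  }
  dynamic "exclusions" {
    # Per-sink exclusion filters, keyed by name; distinct from the
    # project-wide google_logging_project_exclusion resources below.
    for_each = each.value.exclusions
    iterator = exclusion
    content {
      name   = exclusion.key
      filter = exclusion.value
    }
  }
  # Ordered after the project IAM resources defined elsewhere in the module;
  # presumably so authoritative bindings are settled before the sink's writer
  # identity is created and granted — confirm against the IAM resources.
  depends_on = [
    google_project_iam_binding.authoritative,
    google_project_iam_member.additive
  ]
}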
# Lets each GCS-destined sink's writer identity create objects in its target
# bucket. `iam_member` is additive, so the bucket's existing policy is kept;
# objectCreator (write-only, no read/delete) is the minimum the sink needs.
resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
  for_each = local.sink_bindings["storage"]
  member   = google_logging_project_sink.sink[each.key].writer_identity
  role     = "roles/storage.objectCreator"
  # For storage sinks `destination` is the bare bucket name.
  bucket   = each.value.destination
}
# Lets each BigQuery-destined sink's writer identity write to its dataset.
# `destination` is expected as "projects/<project>/datasets/<dataset>": index 1
# and 3 of the "/"-split value are used verbatim, so a malformed value fails
# at plan time with an index error rather than producing a wrong grant.
resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
  for_each   = local.sink_bindings["bigquery"]
  member     = google_logging_project_sink.sink[each.key].writer_identity
  # dataEditor is the role Cloud Logging requires for BigQuery sinks; it is
  # scoped to the single dataset, not the project.
  role       = "roles/bigquery.dataEditor"
  project    = split("/", each.value.destination)[1]
  dataset_id = split("/", each.value.destination)[3]
}
# Lets each Pub/Sub-destined sink's writer identity publish to its topic.
# `destination` is expected as "projects/<project>/topics/<topic>": index 1 and
# 3 of the "/"-split value are used verbatim.
resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
  for_each = local.sink_bindings["pubsub"]
  member   = google_logging_project_sink.sink[each.key].writer_identity
  # publisher only: the sink never needs to subscribe or manage the topic.
  role     = "roles/pubsub.publisher"
  project  = split("/", each.value.destination)[1]
  topic    = split("/", each.value.destination)[3]
}
# Lets each Logging-bucket-destined sink's writer identity write to its log
# bucket. The grant is made on the destination's *project* (index 1 of the
# "/"-split destination), so an IAM condition narrows it to the single bucket;
# without the condition the identity could write to every log bucket there.
resource "google_project_iam_member" "bucket-sinks-binding" {
  for_each = local.sink_bindings["logging"]
  member   = google_logging_project_sink.sink[each.key].writer_identity
  role     = "roles/logging.bucketWriter"
  project  = split("/", each.value.destination)[1]
  condition {
    title       = "${each.key} bucket writer"
    description = "Grants bucketWriter to ${google_logging_project_sink.sink[each.key].writer_identity} used by log sink ${each.key} on ${local.project.project_id}"
    # Suffix match rather than equality: NOTE(review) this is the form the
    # Cloud Logging docs use for bucket conditions, but it only isolates the
    # bucket if `destination` carries the full
    # "projects/<p>/locations/<l>/buckets/<b>" path; a shorter value widens
    # what the condition accepts. Confirm the variable's validation enforces
    # the full path.
    expression = "resource.name.endsWith('${each.value.destination}')"
  }
}
# Project-wide log exclusions, one per entry in var.logging_exclusions (key =
# exclusion name, value = filter). These drop matching entries before they
# reach any sink, so review them when a sink feeds a security/audit store.
resource "google_logging_project_exclusion" "logging-exclusion" {
  for_each    = var.logging_exclusions
  project     = local.project.project_id
  name        = each.key
  filter      = each.value
  description = "${each.key} (Terraform-managed)."
}