Add include_children option folder and organization sinks
This commit is contained in:
parent
8d65a97b11
commit
c6691a6140
|
@ -17,10 +17,11 @@
|
|||
locals {
|
||||
logging_sinks = {
|
||||
audit-logs = {
|
||||
type = "bigquery"
|
||||
destination = module.audit-dataset.id
|
||||
filter = var.audit_filter
|
||||
iam = true
|
||||
type = "bigquery"
|
||||
destination = module.audit-dataset.id
|
||||
filter = var.audit_filter
|
||||
iam = true
|
||||
include_children = true
|
||||
}
|
||||
}
|
||||
root_node_type = split("/", var.root_node)[0]
|
||||
|
|
|
@ -38,10 +38,11 @@ locals {
|
|||
)
|
||||
logging_sinks = {
|
||||
audit-logs = {
|
||||
type = "bigquery"
|
||||
destination = module.audit-dataset.id
|
||||
filter = var.audit_filter
|
||||
iam = true
|
||||
type = "bigquery"
|
||||
destination = module.audit-dataset.id
|
||||
filter = var.audit_filter
|
||||
iam = true
|
||||
include_children = true
|
||||
}
|
||||
}
|
||||
root_node_type = split("/", var.root_node)[0]
|
||||
|
|
|
@ -69,22 +69,25 @@ module "folder-sink" {
|
|||
name = "my-folder"
|
||||
logging_sinks = {
|
||||
warnings = {
|
||||
type = "gcs"
|
||||
destination = module.gcs.name
|
||||
filter = "severity=WARNING"
|
||||
iam = false
|
||||
type = "gcs"
|
||||
destination = module.gcs.name
|
||||
filter = "severity=WARNING"
|
||||
iam = false
|
||||
include_children = true
|
||||
}
|
||||
info = {
|
||||
type = "bigquery"
|
||||
destination = module.dataset.id
|
||||
filter = "severity=INFO"
|
||||
iam = false
|
||||
type = "bigquery"
|
||||
destination = module.dataset.id
|
||||
filter = "severity=INFO"
|
||||
iam = false
|
||||
include_children = true
|
||||
}
|
||||
notice = {
|
||||
type = "pubsub"
|
||||
destination = module.pubsub.id
|
||||
filter = "severity=NOTICE"
|
||||
iam = true
|
||||
type = "pubsub"
|
||||
destination = module.pubsub.id
|
||||
filter = "severity=NOTICE"
|
||||
iam = true
|
||||
include_children = true
|
||||
}
|
||||
}
|
||||
logging_exclusions = {
|
||||
|
@ -147,7 +150,7 @@ module "folder2" {
|
|||
| *iam* | IAM bindings in {ROLE => [MEMBERS]} format. | <code title="map(set(string))">map(set(string))</code> | | <code title="">{}</code> |
|
||||
| *id* | Folder ID in case you use folder_create=false | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *logging_exclusions* | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||
| *logging_sinks* | Logging sinks to create for this folder. | <code title="map(object({ destination = string type = string filter = string iam = bool }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *logging_sinks* | Logging sinks to create for this folder. | <code title="map(object({ destination = string type = string filter = string iam = bool include_children = bool }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *name* | Folder name. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *parent* | Parent in folders/folder_id or organizations/org_id format. | <code title="">string</code> | | <code title="null validation { condition = var.parent == null || can(regex("(organizations|folders)/[0-9]+", var.parent)) error_message = "Parent must be of the form folders/folder_id or organizations/organization_id." }">...</code> |
|
||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||
|
|
|
@ -188,9 +188,10 @@ resource "google_logging_folder_sink" "sink" {
|
|||
for_each = local.logging_sinks
|
||||
name = each.key
|
||||
#description = "${each.key} (Terraform-managed)"
|
||||
folder = local.folder.name
|
||||
destination = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
|
||||
filter = each.value.filter
|
||||
folder = local.folder.name
|
||||
destination = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
|
||||
filter = each.value.filter
|
||||
include_children = each.value.include_children
|
||||
}
|
||||
|
||||
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" {
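Review bot: `include_children = each.value.include_children` is passed straight through with nothing on the resource saying what a true value means: the sink then exports logs from every descendant folder and project of `local.folder.name`, not only from the folder itself, and the `gcs-sinks-binding` below (and presumably its siblings for the other destination types) grants the sink's writer identity on the destination, so the set of data that can reach that destination widens accordingly. A one-line comment such as `# true also routes logs of all descendant folders/projects to the destination` above the new line would make that scope visible where the sink is defined. The same applies to the organization sink hunk around L493. The `google_logging_folder_sink` resource block starts outside the hunk.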
|
||||
|
|
|
@ -78,10 +78,11 @@ variable "firewall_policy_attachments" {
|
|||
variable "logging_sinks" {
|
||||
description = "Logging sinks to create for this folder."
|
||||
type = map(object({
|
||||
destination = string
|
||||
type = string
|
||||
filter = string
|
||||
iam = bool
|
||||
destination = string
|
||||
type = string
|
||||
filter = string
|
||||
iam = bool
|
||||
include_children = bool
|
||||
}))
|
||||
default = {}
|
||||
}
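Review bot: Adding `include_children = bool` to the `object({...})` type makes the attribute mandatory for every caller, because attributes of a Terraform object type are required unless wrapped in `optional()`; any existing configuration that passes `logging_sinks` without the new key will fail at plan time. Whether `include_children = optional(bool, false)` is usable depends on the Terraform version this module pins, which is outside the hunk, so either make it optional or state the breaking change in the description. The identical type changes at the hunks around L537, L588 and L827 have the same issue. The unchanged description `"Logging sinks to create for this folder."` also says nothing about the new field; something like `"Logging sinks to create for this folder. Set include_children to also route logs from all descendant folders and projects."` would tell callers what they are enabling.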
|
||||
|
|
|
@ -86,22 +86,25 @@ module "org" {
|
|||
|
||||
logging_sinks = {
|
||||
warnings = {
|
||||
type = "gcs"
|
||||
destination = module.gcs.name
|
||||
filter = "severity=WARNING"
|
||||
iam = false
|
||||
type = "gcs"
|
||||
destination = module.gcs.name
|
||||
filter = "severity=WARNING"
|
||||
iam = false
|
||||
include_children = true
|
||||
}
|
||||
info = {
|
||||
type = "bigquery"
|
||||
destination = module.dataset.id
|
||||
filter = "severity=INFO"
|
||||
iam = false
|
||||
type = "bigquery"
|
||||
destination = module.dataset.id
|
||||
filter = "severity=INFO"
|
||||
iam = false
|
||||
include_children = true
|
||||
}
|
||||
notice = {
|
||||
type = "pubsub"
|
||||
destination = module.pubsub.id
|
||||
filter = "severity=NOTICE"
|
||||
iam = true
|
||||
type = "pubsub"
|
||||
destination = module.pubsub.id
|
||||
filter = "severity=NOTICE"
|
||||
iam = true
|
||||
include_children = true
|
||||
}
|
||||
}
|
||||
logging_exclusions = {
|
||||
|
@ -126,7 +129,7 @@ module "org" {
|
|||
| *iam_additive_members* | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_audit_config* | Service audit logging configuration. Service as key, map of log permission (eg DATA_READ) and excluded members as value for each service. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *logging_exclusions* | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code title="map(string)">map(string)</code> | | <code title="">{}</code> |
|
||||
| *logging_sinks* | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string iam = bool }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *logging_sinks* | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string iam = bool include_children = bool }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
|
||||
|
|
|
@ -221,9 +221,10 @@ resource "google_logging_organization_sink" "sink" {
|
|||
for_each = local.logging_sinks
|
||||
name = each.key
|
||||
#description = "${each.key} (Terraform-managed)"
|
||||
org_id = local.organization_id_numeric
|
||||
destination = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
|
||||
filter = each.value.filter
|
||||
org_id = local.organization_id_numeric
|
||||
destination = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
|
||||
filter = each.value.filter
|
||||
include_children = each.value.include_children
|
||||
}
|
||||
|
||||
resource "google_storage_bucket_iam_binding" "gcs-sinks-binding" {
|
||||
|
|
|
@ -102,10 +102,11 @@ variable "firewall_policy_attachments" {
|
|||
variable "logging_sinks" {
|
||||
description = "Logging sinks to create for this organization."
|
||||
type = map(object({
|
||||
destination = string
|
||||
type = string
|
||||
filter = string
|
||||
iam = bool
|
||||
destination = string
|
||||
type = string
|
||||
filter = string
|
||||
iam = bool
|
||||
include_children = bool
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
|
|
@ -56,10 +56,11 @@ variable "firewall_policy_attachments" {
|
|||
|
||||
variable "logging_sinks" {
|
||||
type = map(object({
|
||||
destination = string
|
||||
type = string
|
||||
filter = string
|
||||
iam = bool
|
||||
destination = string
|
||||
type = string
|
||||
filter = string
|
||||
iam = bool
|
||||
include_children = bool
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
|
|
@ -25,22 +25,25 @@ def test_sinks(plan_runner):
|
|||
"Test folder-level sinks."
|
||||
logging_sinks = """ {
|
||||
warning = {
|
||||
type = "gcs"
|
||||
destination = "mybucket"
|
||||
filter = "severity=WARNING"
|
||||
iam = true
|
||||
type = "gcs"
|
||||
destination = "mybucket"
|
||||
filter = "severity=WARNING"
|
||||
iam = true
|
||||
include_children = true
|
||||
}
|
||||
info = {
|
||||
type = "bigquery"
|
||||
destination = "projects/myproject/datasets/mydataset"
|
||||
filter = "severity=INFO"
|
||||
iam = true
|
||||
type = "bigquery"
|
||||
destination = "projects/myproject/datasets/mydataset"
|
||||
filter = "severity=INFO"
|
||||
iam = true
|
||||
include_children = true
|
||||
}
|
||||
notice = {
|
||||
type = "pubsub"
|
||||
destination = "projects/myproject/topics/mytopic"
|
||||
filter = "severity=NOTICE"
|
||||
iam = true
|
||||
type = "pubsub"
|
||||
destination = "projects/myproject/topics/mytopic"
|
||||
filter = "severity=NOTICE"
|
||||
iam = true
|
||||
include_children = false
|
||||
}
|
||||
}
|
||||
"""
|
||||
|
@ -63,16 +66,19 @@ def test_sinks(plan_runner):
|
|||
'notice',
|
||||
'warning',
|
||||
]
|
||||
values = [(r['index'], r['values']['filter'], r['values']['destination'])
|
||||
values = [(r['index'], r['values']['filter'], r['values']['destination'],
|
||||
r['values']['include_children'])
|
||||
for r in sinks]
|
||||
assert sorted(values) == [
|
||||
('info',
|
||||
'severity=INFO',
|
||||
'bigquery.googleapis.com/projects/myproject/datasets/mydataset'),
|
||||
'bigquery.googleapis.com/projects/myproject/datasets/mydataset',
|
||||
True),
|
||||
('notice',
|
||||
'severity=NOTICE',
|
||||
'pubsub.googleapis.com/projects/myproject/topics/mytopic'),
|
||||
('warning', 'severity=WARNING', 'storage.googleapis.com/mybucket')]
|
||||
'pubsub.googleapis.com/projects/myproject/topics/mytopic',
|
||||
False),
|
||||
('warning', 'severity=WARNING', 'storage.googleapis.com/mybucket', True)]
|
||||
|
||||
bindings = [r for r in resources
|
||||
if 'binding' in r['type']]
|
||||
|
|
|
@ -76,10 +76,11 @@ variable "firewall_policy_attachments" {
|
|||
|
||||
variable "logging_sinks" {
|
||||
type = map(object({
|
||||
destination = string
|
||||
type = string
|
||||
filter = string
|
||||
iam = bool
|
||||
destination = string
|
||||
type = string
|
||||
filter = string
|
||||
iam = bool
|
||||
include_children = bool
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
|
|
@ -25,22 +25,25 @@ def test_sinks(plan_runner):
|
|||
"Test folder-level sinks."
|
||||
logging_sinks = """ {
|
||||
warning = {
|
||||
type = "gcs"
|
||||
destination = "mybucket"
|
||||
filter = "severity=WARNING"
|
||||
iam = true
|
||||
type = "gcs"
|
||||
destination = "mybucket"
|
||||
filter = "severity=WARNING"
|
||||
iam = true
|
||||
include_children = true
|
||||
}
|
||||
info = {
|
||||
type = "bigquery"
|
||||
destination = "projects/myproject/datasets/mydataset"
|
||||
filter = "severity=INFO"
|
||||
iam = true
|
||||
}
|
||||
type = "bigquery"
|
||||
destination = "projects/myproject/datasets/mydataset"
|
||||
filter = "severity=INFO"
|
||||
iam = true
|
||||
include_children = true
|
||||
}
|
||||
notice = {
|
||||
type = "pubsub"
|
||||
destination = "projects/myproject/topics/mytopic"
|
||||
filter = "severity=NOTICE"
|
||||
iam = true
|
||||
type = "pubsub"
|
||||
destination = "projects/myproject/topics/mytopic"
|
||||
filter = "severity=NOTICE"
|
||||
iam = true
|
||||
include_children = false
|
||||
}
|
||||
}
|
||||
"""
|
||||
|
@ -62,16 +65,19 @@ def test_sinks(plan_runner):
|
|||
'notice',
|
||||
'warning',
|
||||
]
|
||||
values = [(r['index'], r['values']['filter'], r['values']['destination'])
|
||||
values = [(r['index'], r['values']['filter'], r['values']['destination'],
|
||||
r['values']['include_children'])
|
||||
for r in sinks]
|
||||
assert sorted(values) == [
|
||||
('info',
|
||||
'severity=INFO',
|
||||
'bigquery.googleapis.com/projects/myproject/datasets/mydataset'),
|
||||
'bigquery.googleapis.com/projects/myproject/datasets/mydataset',
|
||||
True),
|
||||
('notice',
|
||||
'severity=NOTICE',
|
||||
'pubsub.googleapis.com/projects/myproject/topics/mytopic'),
|
||||
('warning', 'severity=WARNING', 'storage.googleapis.com/mybucket')]
|
||||
'pubsub.googleapis.com/projects/myproject/topics/mytopic',
|
||||
False),
|
||||
('warning', 'severity=WARNING', 'storage.googleapis.com/mybucket', True)]
|
||||
|
||||
bindings = [r for r in resources
|
||||
if 'binding' in r['type']]
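Review bot: The docstring `"Test folder-level sinks."` at the top of this `test_sinks` is identical to the one in the earlier test hunk (around L641), although the separate hunk numbering and the organization resources touched elsewhere in this commit suggest this copy is the organization module's test; if so it should read `"Test organization-level sinks."`. The new tuple element does pin `include_children` for both a true and a false sink, which covers the pass-through in the resource. The body of `test_sinks` starts outside the hunk.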
|
||||
|
|