-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlog_sinks.tf
97 lines (87 loc) · 4.03 KB
/
log_sinks.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
/**
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
parent_resource_id = local.parent_folder != "" ? local.parent_folder : local.org_id
parent_resource_type = local.parent_folder != "" ? "folder" : "organization"
parent_resources = { resource = local.parent_resource_id }
logs_filter = <<EOF
logName: /logs/cloudaudit.googleapis.com%2Factivity OR
logName: /logs/cloudaudit.googleapis.com%2Fsystem_event OR
logName: /logs/cloudaudit.googleapis.com%2Fdata_access OR
logName: /logs/cloudaudit.googleapis.com%2Faccess_transparency OR
logName: /logs/cloudaudit.googleapis.com%2Fpolicy OR
logName: /logs/compute.googleapis.com%2Fvpc_flows OR
logName: /logs/compute.googleapis.com%2Ffirewall OR
logName: /logs/dns.googleapis.com%2Fdns_queries
EOF
}
resource "random_string" "suffix" {
length = 4
upper = false
special = false
}
module "logs_export" {
source = "../../modules/centralized-logging"
resources = local.parent_resources
resource_type = local.parent_resource_type
logging_destination_project_id = module.org_audit_logs.project_id
billing_account = local.billing_account
enable_billing_account_sink = true
/******************************************
Send logs to Storage
*****************************************/
storage_options = {
logging_sink_filter = local.logs_filter
logging_sink_name = "sk-c-logging-bkt"
storage_bucket_name = "bkt-${module.org_audit_logs.project_id}-org-logs-${random_string.suffix.result}"
location = coalesce(var.log_export_storage_location, local.default_region)
retention_policy_enabled = var.log_export_storage_retention_policy != null
retention_policy_is_locked = var.log_export_storage_retention_policy == null ? null : var.log_export_storage_retention_policy.is_locked
retention_policy_period_days = var.log_export_storage_retention_policy == null ? null : var.log_export_storage_retention_policy.retention_period_days
force_destroy = var.log_export_storage_force_destroy
versioning = var.log_export_storage_versioning
}
/******************************************
Send logs to Pub\Sub
*****************************************/
pubsub_options = {
logging_sink_filter = local.logs_filter
logging_sink_name = "sk-c-logging-pub"
topic_name = "tp-org-logs-${random_string.suffix.result}"
create_subscriber = true
}
/******************************************
Send logs to Logging project
*****************************************/
project_options = {
logging_sink_name = "sk-c-logging-prj"
logging_sink_filter = local.logs_filter
log_bucket_id = "AggregatedLogs"
log_bucket_description = "Project destination log bucket for aggregated logs"
location = local.default_region
linked_dataset_id = "ds_c_prj_aggregated_logs_analytics"
linked_dataset_description = "Project destination BigQuery Dataset for Logbucket analytics"
}
}
/******************************************
Billing logs (Export configured manually)
*****************************************/
resource "google_bigquery_dataset" "billing_dataset" {
dataset_id = "billing_data"
project = module.org_billing_export.project_id
friendly_name = "GCP Billing Data"
location = coalesce(var.billing_export_dataset_location, local.default_region)
}