
Commit

feat: added support to specify Cloud Logs policies using new input `cloud_logs_policies` (#600)
maheshwarishikha authored Oct 29, 2024
1 parent b11fe92 commit 17dbaaf
Showing 12 changed files with 271 additions and 17 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -152,6 +152,7 @@ No resources.
| <a name="input_cloud_logs_existing_en_instances"></a> [cloud\_logs\_existing\_en\_instances](#input\_cloud\_logs\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs. | <pre>list(object({<br/> en_instance_id = string<br/> en_region = string<br/> en_integration_name = optional(string)<br/> skip_en_auth_policy = optional(bool, false)<br/> }))</pre> | `[]` | no |
| <a name="input_cloud_logs_instance_name"></a> [cloud\_logs\_instance\_name](#input\_cloud\_logs\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud\_logs-<region>' | `string` | `null` | no |
| <a name="input_cloud_logs_plan"></a> [cloud\_logs\_plan](#input\_cloud\_logs\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no |
| <a name="input_cloud_logs_policies"></a> [cloud\_logs\_policies](#input\_cloud\_logs\_policies) | Configuration of Cloud Logs policies. | <pre>list(object({<br/> logs_policy_name = string<br/> logs_policy_description = optional(string, null)<br/> logs_policy_priority = string<br/> application_rule = optional(list(object({<br/> name = string<br/> rule_type_id = optional(string, "unspecified")<br/> })))<br/> subsystem_rule = optional(list(object({<br/> name = string<br/> rule_type_id = optional(string, "unspecified")<br/> })))<br/> log_rules = optional(list(object({<br/> severities = list(string)<br/> })))<br/> archive_retention = optional(list(object({<br/> id = string<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_cloud_logs_provision"></a> [cloud\_logs\_provision](#input\_cloud\_logs\_provision) | Provision an IBM Cloud Logs instance? | `bool` | `true` | no |
| <a name="input_cloud_logs_retention_period"></a> [cloud\_logs\_retention\_period](#input\_cloud\_logs\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no |
| <a name="input_cloud_logs_service_endpoints"></a> [cloud\_logs\_service\_endpoints](#input\_cloud\_logs\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. | `string` | `"public-and-private"` | no |
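Review bot: the `cloud_logs_policies` schema in this table disagrees with the submodule's `policies` input: here `rule_type_id = optional(string, "unspecified")`, while the submodule README in this same commit declares `rule_type_id = string` (required). Since the root `main.tf` passes the list straight through as `policies = var.cloud_logs_policies`, either give the submodule the same default or drop the root default, so both READMEs document one contract.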
@@ -190,6 +191,7 @@ No resources.
| <a name="output_cloud_monitoring_manager_key_name"></a> [cloud\_monitoring\_manager\_key\_name](#output\_cloud\_monitoring\_manager\_key\_name) | The IBM cloud monitoring manager key name |
| <a name="output_cloud_monitoring_name"></a> [cloud\_monitoring\_name](#output\_cloud\_monitoring\_name) | The name of the provisioned IBM cloud monitoring instance. |
| <a name="output_cloud_monitoring_resource_group_id"></a> [cloud\_monitoring\_resource\_group\_id](#output\_cloud\_monitoring\_resource\_group\_id) | The resource group where IBM cloud monitoring monitor instance resides |
| <a name="output_logs_policies_details"></a> [logs\_policies\_details](#output\_logs\_policies\_details) | The details of the Cloud logs policies created. |
| <a name="output_region"></a> [region](#output\_region) | Region that instance(s) are provisioned to. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

1 change: 1 addition & 0 deletions examples/advanced/README.md
@@ -4,6 +4,7 @@ Example that configures:

- COS instance and KMS encrypted COS buckets
- Cloud Logs with Event Notifications integration
- Cloud Logs policies
- Cloud Monitoring
- Key Protect instance and root key
- Event Streams instance, topic and resource key
16 changes: 16 additions & 0 deletions examples/advanced/main.tf
@@ -199,6 +199,22 @@ module "observability_instances" {
bucket_endpoint = module.buckets.buckets[local.metrics_bucket_name].s3_endpoint_direct
}
}
# Cloud Logs policies
cloud_logs_policies = [{
logs_policy_name = "${var.prefix}-logs-policy-1"
logs_policy_priority = "type_low"
application_rule = [{
name = "test-system-app"
rule_type_id = "start_with"
}]
log_rules = [{
severities = ["info", "debug"]
}]
subsystem_rule = [{
name = "test-sub-system"
rule_type_id = "start_with"
}]
}]
# integrate with multiple Event Notifcations instances
# (NOTE: This may fail due known issue https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5734)
cloud_logs_existing_en_instances = [{
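Review bot: the example policy sets no `logs_policy_description`, although the input schema offers one; since `logs_policy_priority = "type_low"` assigns the TCO Optimizer's low priority to every `info` and `debug` log from the application and subsystem whose names start with the given prefixes, a one-line description of why makes the intent visible to whoever reviews the policy in the console later. The `archive_retention` field of the schema is also never exercised by any example in this commit.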
5 changes: 5 additions & 0 deletions examples/advanced/outputs.tf
@@ -11,3 +11,8 @@ output "cloud_logs_crn" {
value = module.observability_instances.cloud_logs_crn
description = "The crn of the provisioned IBM Cloud Logs instance."
}

output "cloud_logs_policies" {
value = module.observability_instances.logs_policies_details
description = "The details of the Cloud logs policies created."
}
23 changes: 14 additions & 9 deletions examples/basic/main.tf
@@ -59,22 +59,27 @@ module "buckets" {
##############################################################################

locals {
target_name = "${var.prefix}-icl-target"
target_name = "${var.prefix}-icl-target"
cloud_monitoring_instance_name = "${var.prefix}-cloud-monitoring"
cloud_logs_instance_name = "${var.prefix}-cloud-logs"
}

module "observability_instances" {
source = "../../"
# delete line above and use below syntax to pull module source from hashicorp when consuming this module
# source = "terraform-ibm-modules/observability-instances/ibm"
# version = "X.Y.Z" # Replace "X.X.X" with a release version to lock into a specific release
resource_group_id = module.resource_group.resource_group_id
region = var.region
enable_platform_logs = false
enable_platform_metrics = false
cloud_monitoring_tags = var.resource_tags
cloud_logs_tags = var.resource_tags
cloud_monitoring_access_tags = var.access_tags
cloud_logs_access_tags = var.access_tags
resource_group_id = module.resource_group.resource_group_id
region = var.region
enable_platform_logs = false
enable_platform_metrics = false
cloud_monitoring_instance_name = local.cloud_monitoring_instance_name
cloud_monitoring_tags = var.resource_tags
cloud_monitoring_access_tags = var.access_tags
# Cloud Logs instance
cloud_logs_instance_name = local.cloud_logs_instance_name
cloud_logs_tags = var.resource_tags
cloud_logs_access_tags = var.access_tags
cloud_logs_data_storage = {
# logs and metrics buckets must be different
logs_data = {
1 change: 1 addition & 0 deletions main.tf
@@ -51,4 +51,5 @@ module "cloud_logs" {
skip_logs_routing_auth_policy = var.skip_logs_routing_auth_policy
logs_routing_tenant_regions = var.logs_routing_tenant_regions
enable_platform_logs = var.enable_platform_logs
policies = var.cloud_logs_policies
}
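Review bot: `policies = var.cloud_logs_policies` is passed through with no guard for the `cloud_logs_provision = false` case documented in the root README; if that flag disables the `cloud_logs` module block, a non-empty `cloud_logs_policies` list is silently ignored rather than rejected. A `check` block, or a `lifecycle { precondition }` on a resource, that fails when `cloud_logs_provision` is false and `length(var.cloud_logs_policies) > 0` would surface that misconfiguration at plan time.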
27 changes: 23 additions & 4 deletions modules/cloud_logs/README.md
@@ -1,6 +1,6 @@
# IBM Cloud Logs module

This module supports configuring an IBM Cloud Logs instance and log routing tenants to enable platform logs.
This module supports configuring an IBM Cloud Logs instance, log routing tenants to enable platform logs and cloud logs policies.

## Usage

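Review bot: the new sentence reads ambiguously, as if the log routing tenants enable both platform logs and policies; suggest `This module supports configuring an IBM Cloud Logs instance, the log routing tenants that enable platform logs, and Cloud Logs policies.` Also keep the product name capitalised (`Cloud Logs`), as the rest of this README does.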
@@ -46,6 +46,22 @@ module "cloud_logs" {
bucket_endpoint = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
}
}
# Create policies
policies = [{
logs_policy_name = "logs_policy_name"
logs_policy_priority = "type_medium"
application_rule = [{
name = "test-system-app"
rule_type_id = "start_with"
}]
subsystem_rule = [{
name = "test-sub-system"
rule_type_id = "start_with"
}]
log_rules = [{
severities = ["info", "debug"]
}]
}]
}
```

@@ -89,6 +105,7 @@ You need the following permissions to run this module.
| [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_iam_authorization_policy.logs_routing_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
| [ibm_logs_outgoing_webhook.en_integration](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_outgoing_webhook) | resource |
| [ibm_logs_policy.logs_policies](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_policy) | resource |
| [ibm_logs_router_tenant.logs_router_tenant_instances](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_router_tenant) | resource |
| [ibm_resource_instance.cloud_logs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
| [ibm_resource_tag.cloud_logs_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
@@ -103,15 +120,16 @@ You need the following permissions to run this module.
| <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the IBM Cloud Logs instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
| <a name="input_data_storage"></a> [data\_storage](#input\_data\_storage) | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. | <pre>object({<br/> logs_data = optional(object({<br/> enabled = optional(bool, false)<br/> bucket_crn = optional(string)<br/> bucket_endpoint = optional(string)<br/> skip_cos_auth_policy = optional(bool, false)<br/> }), {})<br/> metrics_data = optional(object({<br/> enabled = optional(bool, false)<br/> bucket_crn = optional(string)<br/> bucket_endpoint = optional(string)<br/> skip_cos_auth_policy = optional(bool, false)<br/> }), {})<br/> }<br/> )</pre> | <pre>{<br/> "logs_data": null,<br/> "metrics_data": null<br/>}</pre> | no |
| <a name="input_enable_platform_logs"></a> [enable\_platform\_logs](#input\_enable\_platform\_logs) | Setting this to true will create a tenant in the same region that the Cloud Logs instance is provisioned to enable platform logs for that region. To send platform logs from other regions, you can explicitially specify a list of regions using the `logs_routing_tenant_regions` input. NOTE: You can only have 1 tenant per region in an account. | `bool` | `true` | no |
| <a name="input_existing_en_instances"></a> [existing\_en\_instances](#input\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs | <pre>list(object({<br/> en_instance_id = string<br/> en_region = string<br/> en_integration_name = optional(string)<br/> skip_en_auth_policy = optional(bool, false)<br/> }))</pre> | `[]` | no |
| <a name="input_existing_en_instances"></a> [existing\_en\_instances](#input\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs. | <pre>list(object({<br/> en_instance_id = string<br/> en_region = string<br/> en_integration_name = optional(string)<br/> skip_en_auth_policy = optional(bool, false)<br/> }))</pre> | `[]` | no |
| <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-<region>' | `string` | `null` | no |
| <a name="input_logs_routing_tenant_regions"></a> [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. NOTE: You can only have 1 tenant per region in an account. | `list(any)` | `[]` | no |
| <a name="input_plan"></a> [plan](#input\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no |
| <a name="input_policies"></a> [policies](#input\_policies) | Configuration of Cloud Logs policies. | <pre>list(object({<br/> logs_policy_name = string<br/> logs_policy_description = optional(string, null)<br/> logs_policy_priority = string<br/> application_rule = optional(list(object({<br/> name = string<br/> rule_type_id = string<br/> })))<br/> subsystem_rule = optional(list(object({<br/> name = string<br/> rule_type_id = string<br/> })))<br/> log_rules = optional(list(object({<br/> severities = list(string)<br/> })))<br/> archive_retention = optional(list(object({<br/> id = string<br/> })))<br/> }))</pre> | `[]` | no |
| <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where Cloud logs instance will be created. | `string` | `"us-south"` | no |
| <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance will be created. | `string` | `null` | no |
| <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Logs instance (Optional, array of strings). | `list(string)` | `[]` | no |
| <a name="input_retention_period"></a> [retention\_period](#input\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private | `string` | `"public-and-private"` | no |
| <a name="input_service_endpoints"></a> [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private. | `string` | `"public-and-private"` | no |
| <a name="input_skip_logs_routing_auth_policy"></a> [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits the Logs Routing server 'Sender' access to the IBM Cloud Logs instance created by this module. | `bool` | `false` | no |

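Review bot: the `policies` description `Configuration of Cloud Logs policies.` documents none of the accepted values, yet the examples in this commit depend on `logs_policy_priority` being `type_low` or `type_medium` and on `rule_type_id = "start_with"`; list the allowed priorities and rule types here (or link to the `ibm_logs_policy` resource docs), and state that `logs_policy_name` must be unique within the list, because `main.tf` keys its `for_each` on that name.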
### Outputs
@@ -122,6 +140,7 @@ You need the following permissions to run this module.
| <a name="output_guid"></a> [guid](#output\_guid) | The guid of the provisioned Cloud Logs instance. |
| <a name="output_ingress_endpoint"></a> [ingress\_endpoint](#output\_ingress\_endpoint) | The public ingress endpoint of the provisioned Cloud Logs instance. |
| <a name="output_ingress_private_endpoint"></a> [ingress\_private\_endpoint](#output\_ingress\_private\_endpoint) | The private ingress endpoint of the provisioned Cloud Logs instance. |
| <a name="output_logs_policies_details"></a> [logs\_policies\_details](#output\_logs\_policies\_details) | The details of the Cloud logs policies created. |
| <a name="output_name"></a> [name](#output\_name) | The name of the provisioned Cloud Logs instance. |
| <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The resource group where Cloud Logs instance resides |
| <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The resource group where Cloud Logs instance resides. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
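Review bot: the `logs_policies_details` description omits that the output is `null` when `var.policies` is empty (see `outputs.tf` in this commit), which anyone iterating over it needs to know; suggest `The details of the Cloud Logs policies created, or null if no policies were specified.` Minor: `Cloud logs` should be `Cloud Logs`, as in the neighbouring rows.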
47 changes: 47 additions & 0 deletions modules/cloud_logs/main.tf
@@ -176,3 +176,50 @@ resource "ibm_logs_router_tenant" "logs_router_tenant_instances" {
}
}
}

##############################################################################
# Configure Logs Policies - TCO Optimizer
##############################################################################

resource "ibm_logs_policy" "logs_policies" {
for_each = {
for policy in var.policies :
policy.logs_policy_name => policy
}
instance_id = ibm_resource_instance.cloud_logs.guid
region = ibm_resource_instance.cloud_logs.location
endpoint_type = ibm_resource_instance.cloud_logs.service_endpoints
name = each.value.logs_policy_name
description = each.value.logs_policy_description
priority = each.value.logs_policy_priority

dynamic "application_rule" {
for_each = each.value.application_rule != null ? each.value.application_rule : []
content {
name = application_rule.value["name"]
rule_type_id = application_rule.value["rule_type_id"]
}
}

dynamic "log_rules" {
for_each = each.value.log_rules
content {
severities = log_rules.value["severities"]
}
}

dynamic "subsystem_rule" {
for_each = each.value.subsystem_rule != null ? each.value.subsystem_rule : []
content {
name = subsystem_rule.value["name"]
rule_type_id = subsystem_rule.value["rule_type_id"]
}
}

dynamic "archive_retention" {
for_each = each.value.archive_retention != null ? each.value.archive_retention : []
content {
id = archive_retention.value["id"]
}
}
}
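Review bot: the `log_rules` dynamic block lacks the null guard the other three blocks have: `for_each = each.value.log_rules` fails at plan time when the value is null, yet the `policies` variable declares `log_rules` as `optional(...)`. Either write `for_each = each.value.log_rules != null ? each.value.log_rules : []` for consistency with `application_rule`, `subsystem_rule` and `archive_retention`, or make `log_rules` required in the variable if the provider needs at least one rule. Separately, `endpoint_type = ibm_resource_instance.cloud_logs.service_endpoints` forwards `public-and-private`, the only value this module's README allows for `service_endpoints`; please confirm that `ibm_logs_policy` accepts that string for `endpoint_type` rather than only `public` or `private`, and map it explicitly if not.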
7 changes: 6 additions & 1 deletion modules/cloud_logs/outputs.tf
@@ -15,7 +15,7 @@ output "name" {

output "resource_group_id" {
value = ibm_resource_instance.cloud_logs.resource_group_id
description = "The resource group where Cloud Logs instance resides"
description = "The resource group where Cloud Logs instance resides."
}

output "ingress_endpoint" {
@@ -27,3 +27,8 @@ output "ingress_private_endpoint" {
value = ibm_resource_instance.cloud_logs.extensions.external_ingress_private
description = "The private ingress endpoint of the provisioned Cloud Logs instance."
}

output "logs_policies_details" {
value = length(var.policies) > 0 ? ibm_logs_policy.logs_policies : null
description = "The details of the Cloud logs policies created."
}
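Review bot: returning `null` when `var.policies` is empty forces every consumer to add a conditional before iterating over the output; `ibm_logs_policy.logs_policies` is already an empty map when its `for_each` receives no entries, so `value = ibm_logs_policy.logs_policies` yields the same content with a stable type (`{}`) and without the `length()` check. If `null` is intentional, say so in the description.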

0 comments on commit 17dbaaf
