From c3be7891675247fc23b9dbf1860d6bc2b91ac68a Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Fri, 6 Sep 2024 20:23:25 +0530 Subject: [PATCH 01/17] feat: add support to set ICL as targets in logs routing --- .secrets.baseline | 4 +-- README.md | 4 ++- examples/advanced/main.tf | 2 +- examples/advanced/providers.tf | 1 + examples/advanced/version.tf | 2 +- examples/basic/main.tf | 1 - examples/basic/providers.tf | 1 + examples/basic/version.tf | 2 +- main.tf | 26 +++++++++--------- modules/activity_tracker/README.md | 2 +- modules/activity_tracker/version.tf | 2 +- modules/cloud_logs/README.md | 6 ++++- modules/cloud_logs/main.tf | 42 ++++++++++++++++++++++++++++- modules/cloud_logs/variables.tf | 16 +++++++++++ modules/cloud_logs/version.tf | 2 +- modules/cloud_monitoring/README.md | 2 +- modules/cloud_monitoring/version.tf | 2 +- modules/log_analysis/README.md | 2 +- modules/log_analysis/version.tf | 2 +- variables.tf | 13 +++++++++ version.tf | 2 +- 21 files changed, 107 insertions(+), 29 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index fb65aceb..bdf9e5b3 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-08-22T14:14:55Z", + "generated_at": "2024-09-06T14:51:56Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -90,7 +90,7 @@ "hashed_secret": "3bd02b996f65f3548c1a0b5d93b00bfa7c88341a", "is_secret": true, "is_verified": false, - "line_number": 249, + "line_number": 250, "type": "Secret Keyword", "verified_result": null } diff --git a/README.md b/README.md index 361d8b73..34a85685 100644 --- a/README.md +++ b/README.md 
@@ -192,7 +192,7 @@ To attach access management tags to resources in this module, you need the follo | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.67.1, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | | [logdna](#requirement\_logdna) | >= 1.14.2, < 2.0.0 | ### Modules @@ -244,6 +244,7 @@ No resources. | [cloud\_monitoring\_service\_endpoints](#input\_cloud\_monitoring\_service\_endpoints) | The type of the service endpoint that will be set for the IBM cloud monitoring instance. | `string` | `"public-and-private"` | no | | [cloud\_monitoring\_tags](#input\_cloud\_monitoring\_tags) | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no | | [cos\_targets](#input\_cos\_targets) | List of cos target to be created |
list(object({
endpoint = string
bucket_name = string
instance_id = string
api_key = optional(string)
service_to_service_enabled = optional(bool, true)
target_region = optional(string)
target_name = string
skip_atracker_cos_iam_auth_policy = optional(bool, false)
}))
| `[]` | no | +| [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `false` | no | | [enable\_platform\_logs](#input\_enable\_platform\_logs) | Receive platform logs in the provisioned IBM Cloud Logging instance. | `bool` | `true` | no | | [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. | `bool` | `true` | no | | [eventstreams\_targets](#input\_eventstreams\_targets) | List of event streams target to be created |
list(object({
instance_id = string
brokers = list(string)
topic = string
api_key = string
target_region = optional(string)
target_name = string
}))
| `[]` | no | @@ -265,6 +266,7 @@ No resources. | [log\_analysis\_targets](#input\_log\_analysis\_targets) | List of log analysis target to be created |
list(object({
instance_id = string
ingestion_key = string
target_region = optional(string)
target_name = string
}))
| `[]` | no | | [region](#input\_region) | The IBM Cloud region where instances will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | n/a | yes | +| [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no | ### Outputs diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf index 9e10f045..6c786245 100644 --- a/examples/advanced/main.tf +++ b/examples/advanced/main.tf @@ -245,7 +245,6 @@ module "observability_instance_creation" { } cloud_logs_retention_period = 14 - cloud_logs_region = "eu-es" cloud_logs_data_storage = { logs_data = { enabled = true @@ -262,4 +261,5 @@ module "observability_instance_creation" { en_instance_id = module.event_notification.guid en_region = var.en_region }] + enable_cloud_logs_as_target = true } diff --git a/examples/advanced/providers.tf b/examples/advanced/providers.tf index 1dc5e434..67c51d8b 100644 --- a/examples/advanced/providers.tf +++ b/examples/advanced/providers.tf @@ -1,5 +1,6 @@ provider "ibm" { ibmcloud_api_key = var.ibmcloud_api_key + region = var.region } locals { diff --git a/examples/advanced/version.tf b/examples/advanced/version.tf index ebe95646..95d51731 100644 --- a/examples/advanced/version.tf +++ b/examples/advanced/version.tf @@ -5,7 +5,7 @@ terraform { required_providers { ibm = { source = "ibm-cloud/ibm" - version = ">= 1.67.1" + version = ">= 1.69.0" } logdna = { source = "logdna/logdna" diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 3be5ca18..4be941b1 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf 
@@ -39,5 +39,4 @@ module "test_observability_instance_creation" { cloud_monitoring_access_tags = var.access_tags activity_tracker_access_tags = var.access_tags cloud_logs_access_tags = var.access_tags - cloud_logs_region = "eu-es" } diff --git a/examples/basic/providers.tf b/examples/basic/providers.tf index 7cde4aab..c782e368 100644 --- a/examples/basic/providers.tf +++ b/examples/basic/providers.tf @@ -1,5 +1,6 @@ provider "ibm" { ibmcloud_api_key = var.ibmcloud_api_key + region = var.region } locals { diff --git a/examples/basic/version.tf b/examples/basic/version.tf index a6a88a56..50a051ec 100644 --- a/examples/basic/version.tf +++ b/examples/basic/version.tf @@ -5,7 +5,7 @@ terraform { # module's version.tf (basic), and 1 example that will always use the latest provider version. ibm = { source = "ibm-cloud/ibm" - version = "1.67.1" + version = "1.69.0" } logdna = { source = "logdna/logdna" diff --git a/main.tf b/main.tf index 4a4249e9..04d8ea6e 100644 --- a/main.tf +++ b/main.tf 
@@ -75,16 +75,18 @@ module "cloud_monitoring" { # IBM Cloud Logs module "cloud_logs" { - count = var.cloud_logs_provision ? 1 : 0 - source = "./modules/cloud_logs" - region = var.cloud_logs_region != null ? var.cloud_logs_region : var.region - resource_group_id = var.resource_group_id - instance_name = var.cloud_logs_instance_name - plan = var.cloud_logs_plan - resource_tags = var.cloud_logs_tags - access_tags = var.cloud_logs_access_tags - retention_period = var.cloud_logs_retention_period - data_storage = var.cloud_logs_data_storage - service_endpoints = var.cloud_logs_service_endpoints - existing_en_instances = var.cloud_logs_existing_en_instances + count = var.cloud_logs_provision ? 1 : 0 + source = "./modules/cloud_logs" + region = var.cloud_logs_region != null ? var.cloud_logs_region : var.region + resource_group_id = var.resource_group_id + instance_name = var.cloud_logs_instance_name + plan = var.cloud_logs_plan + resource_tags = var.cloud_logs_tags + access_tags = var.cloud_logs_access_tags + retention_period = var.cloud_logs_retention_period + data_storage = var.cloud_logs_data_storage + service_endpoints = var.cloud_logs_service_endpoints + existing_en_instances = var.cloud_logs_existing_en_instances + enable_cloud_logs_as_target = var.enable_cloud_logs_as_target + skip_logs_routing_auth_policy = var.skip_logs_routing_auth_policy } diff --git a/modules/activity_tracker/README.md b/modules/activity_tracker/README.md index c87978c1..198602c1 100644 --- a/modules/activity_tracker/README.md +++ b/modules/activity_tracker/README.md @@ -45,7 +45,7 @@ module "activity_tracker" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.67.1, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | | [logdna](#requirement\_logdna) | >= 1.14.2, < 2.0.0 | | [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | 
diff --git a/modules/activity_tracker/version.tf b/modules/activity_tracker/version.tf index fb462895..07dc57c5 100644 --- a/modules/activity_tracker/version.tf +++ b/modules/activity_tracker/version.tf @@ -4,7 +4,7 @@ terraform { # Use "greater than or equal to" range in modules ibm = { source = "ibm-cloud/ibm" - version = ">= 1.67.1, < 2.0.0" + version = ">= 1.69.0, < 2.0.0" } logdna = { source = "logdna/logdna" diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md index 2904d824..d44be05c 100644 --- a/modules/cloud_logs/README.md +++ b/modules/cloud_logs/README.md @@ -32,7 +32,7 @@ module "cloud_logs" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.67.1, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | | [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | ### Modules 
@@ -45,7 +45,9 @@ No modules. |------|------| | [ibm_iam_authorization_policy.cos_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | +| [ibm_iam_authorization_policy.logs_routing_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_logs_outgoing_webhook.en_integration](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_outgoing_webhook) | resource | +| [ibm_logs_router_tenant.logs_router_tenant_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_router_tenant) | resource | | [ibm_resource_instance.cloud_logs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource | | [ibm_resource_tag.cloud_logs_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource | | [time_sleep.wait_for_en_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | @@ -57,6 +59,7 @@ No modules. |------|-------------|------|---------|:--------:| | [access\_tags](#input\_access\_tags) | A list of access tags to apply to the IBM Cloud Logs instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no | | [data\_storage](#input\_data\_storage) | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. |
object({
logs_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
metrics_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
}
)
|
{
"logs_data": null,
"metrics_data": null
}
| no | +| [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `false` | no | | [existing\_en\_instances](#input\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs |
list(object({
en_instance_id = string
en_region = string
en_integration_name = optional(string)
skip_en_auth_policy = optional(bool, false)
}))
| `[]` | no | | [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-' | `string` | `null` | no | | [plan](#input\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no | @@ -65,6 +68,7 @@ No modules. | [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Logs instance (Optional, array of strings). | `list(string)` | `[]` | no | | [retention\_period](#input\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. | `number` | `7` | no | | [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. | `string` | `"public-and-private"` | no | +| [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no | ### Outputs diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index 89d64d91..be19ffb4 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf @@ -1,5 +1,6 @@ locals { - instance_name = var.instance_name != null ? var.instance_name : "cloud-logs-${var.region}" + instance_name = var.instance_name != null ? var.instance_name : "cloud-logs-${var.region}" + create_access_policy_logs_routing = var.enable_cloud_logs_as_target && !var.skip_logs_routing_auth_policy } 
@@ -106,3 +107,42 @@ resource "ibm_logs_outgoing_webhook" "en_integration" {
 region_id = each.value.en_region
 }
 }
+
+##############################################################################
+# Logs Routing
+##############################################################################
+resource "ibm_iam_authorization_policy" "logs_routing_policy" {
+ count = local.create_access_policy_logs_routing ? 1 : 0
+ source_service_name = "logs-router"
+ roles = ["Sender"]
+ description = "Allow Logs Routing `Sender` access to the IBM Cloud Logs with ID ${ibm_resource_instance.cloud_logs.guid}."
+
+ resource_attributes {
+ name = "serviceName"
+ operator = "stringEquals"
+ value = "logs"
+ }
+
+ resource_attributes {
+ name = "accountId"
+ operator = "stringEquals"
+ value = data.ibm_iam_account_settings.iam_account_settings.account_id
+ }
+
+ resource_attributes {
+ name = "serviceInstance"
+ operator = "stringEquals"
+ value = ibm_resource_instance.cloud_logs.guid
+ }
+}
+resource "ibm_logs_router_tenant" "logs_router_tenant_instance" {
+ name = "${local.instance_name}-tenant"
+ targets {
+ log_sink_crn = ibm_resource_instance.cloud_logs.crn
+ name = local.instance_name
+ parameters {
+ host = "${ibm_resource_instance.cloud_logs.guid}.ingress.${var.region}.logs.cloud.ibm.com"
+ port = 443
+ }
+ }
+}
diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf
index 1a94ddbd..2d0c12c3 100644
--- a/modules/cloud_logs/variables.tf
+++ b/modules/cloud_logs/variables.tf
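Review bot: `ibm_logs_router_tenant.logs_router_tenant_instance` has no `count`, so a router tenant pointing at this instance is created even when `enable_cloud_logs_as_target` is false, while the Sender authorization policy next to it is gated on `local.create_access_policy_logs_routing`; in that configuration the tenant targets a sink that Logs Routing has not been authorized to write to. Gate the tenant the same way, `count = var.enable_cloud_logs_as_target ? 1 : 0`, and make it wait for the policy with `depends_on = [ibm_iam_authorization_policy.logs_routing_policy]`, since IAM policies propagate asynchronously and the module already uses `time_sleep.wait_for_en_authorization_policy` to cover the same window for the Event Notifications integration. The policy itself is scoped to the one `serviceInstance` in the one `accountId` with only the `Sender` role, which is the right least-privilege shape.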
@@ -122,3 +122,19 @@ variable "existing_en_instances" { default = [] description = "List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs" } + +############################################################################## +# Logs Routing +############################################################################## + +variable "enable_cloud_logs_as_target" { + description = "Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region." + type = bool + default = false +} + +variable "skip_logs_routing_auth_policy" { + description = "Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs." + type = bool + default = false +} diff --git a/modules/cloud_logs/version.tf b/modules/cloud_logs/version.tf index 12050f70..f4b995bb 100644 --- a/modules/cloud_logs/version.tf +++ b/modules/cloud_logs/version.tf @@ -4,7 +4,7 @@ terraform { # Use "greater than or equal to" range in modules ibm = { source = "ibm-cloud/ibm" - version = ">= 1.67.1, < 2.0.0" + version = ">= 1.69.0, < 2.0.0" } time = { source = "hashicorp/time" diff --git a/modules/cloud_monitoring/README.md b/modules/cloud_monitoring/README.md index db23432c..45f01eff 100644 --- a/modules/cloud_monitoring/README.md +++ b/modules/cloud_monitoring/README.md @@ -26,7 +26,7 @@ module "cloud_monitoring" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.67.1, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | ### Modules diff --git a/modules/cloud_monitoring/version.tf b/modules/cloud_monitoring/version.tf index 74d0aa24..51934578 100644 --- a/modules/cloud_monitoring/version.tf +++ b/modules/cloud_monitoring/version.tf @@ -4,7 +4,7 @@ terraform { # Use "greater than or equal to" range in modules ibm = { source = "ibm-cloud/ibm" - version = ">= 1.67.1, < 2.0.0" + version = ">= 1.69.0, < 2.0.0" } } } 
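Review bot: The description of `skip_logs_routing_auth_policy` states the opposite of what the variable does: `local.create_access_policy_logs_routing` in modules/cloud_logs/main.tf is `var.enable_cloud_logs_as_target && !var.skip_logs_routing_auth_policy`, so setting it to `true` suppresses the policy rather than creating it. Suggest `description = "Set to true to skip creating the IAM authorization policy that grants Logs Routing the Sender role on the IBM Cloud Logs instance; use this only when an equivalent policy already exists."`. The same wording is repeated in the top-level variables.tf hunk and in both README input tables of this patch, and `enable_cloud_logs_as_target` reads awkwardly; `"Whether to designate the IBM Cloud Logs instance as a target for Logs Routing in its region."` would be clearer.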
diff --git a/modules/log_analysis/README.md b/modules/log_analysis/README.md index c3bf0aaa..cead52cc 100644 --- a/modules/log_analysis/README.md +++ b/modules/log_analysis/README.md @@ -45,7 +45,7 @@ module "log_analysis" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.67.1, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | | [logdna](#requirement\_logdna) | >= 1.14.2, < 2.0.0 | ### Modules diff --git a/modules/log_analysis/version.tf b/modules/log_analysis/version.tf index 161d7f95..93907d93 100644 --- a/modules/log_analysis/version.tf +++ b/modules/log_analysis/version.tf @@ -4,7 +4,7 @@ terraform { # Use "greater than or equal to" range in modules ibm = { source = "ibm-cloud/ibm" - version = ">= 1.67.1, < 2.0.0" + version = ">= 1.69.0, < 2.0.0" } logdna = { source = "logdna/logdna" diff --git a/variables.tf b/variables.tf index 66283395..65db3ca1 100644 --- a/variables.tf +++ b/variables.tf @@ -461,4 +461,17 @@ variable "cloud_logs_data_storage" { } description = "A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting." } + +variable "enable_cloud_logs_as_target" { + description = "Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region." + type = bool + default = false +} + +variable "skip_logs_routing_auth_policy" { + description = "Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs." + type = bool + default = false +} + ############################################################################## diff --git a/version.tf b/version.tf index ab817f93..95e09a74 100644 --- a/version.tf +++ b/version.tf 
@@ -5,7 +5,7 @@ terraform { # tflint-ignore: terraform_unused_required_providers ibm = { source = "ibm-cloud/ibm" - version = ">= 1.67.1, < 2.0.0" + version = ">= 1.69.0, < 2.0.0" } logdna = { source = "logdna/logdna" From 29c157f9cedfad943f4965b212c42767deb7f84c Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Fri, 6 Sep 2024 23:12:42 +0530 Subject: [PATCH 02/17] fix: add name variable --- .secrets.baseline | 2 +- README.md | 1 + main.tf | 1 + modules/cloud_logs/README.md | 3 +++ modules/cloud_logs/main.tf | 12 +++++++++++- modules/cloud_logs/variables.tf | 10 ++++++++++ modules/cloud_logs/version.tf | 4 ++++ variables.tf | 6 ++++++ 8 files changed, 37 insertions(+), 2 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index bdf9e5b3..de68a52b 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-09-06T14:51:56Z", + "generated_at": "2024-09-06T17:41:41Z", "plugins_used": [ { "name": "AWSKeyDetector" diff --git a/README.md b/README.md index 34a85685..4d8f4f47 100644 --- a/README.md +++ b/README.md @@ -264,6 +264,7 @@ No resources. | [log\_analysis\_service\_endpoints](#input\_log\_analysis\_service\_endpoints) | The type of the service endpoint that will be set for the Log Analysis instance. | `string` | `"public-and-private"` | no | | [log\_analysis\_tags](#input\_log\_analysis\_tags) | Tags associated with the IBM Cloud Logging instance (Optional, array of strings). | `list(string)` | `[]` | no | | [log\_analysis\_targets](#input\_log\_analysis\_targets) | List of log analysis target to be created |
list(object({
instance_id = string
ingestion_key = string
target_region = optional(string)
target_name = string
}))
| `[]` | no | +| [logs\_routing\_tenant\_name](#input\_logs\_routing\_tenant\_name) | The name for this tenant. The name is regionally unique across all tenants in the account. | `string` | `null` | no | | [region](#input\_region) | The IBM Cloud region where instances will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | n/a | yes | | [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no | diff --git a/main.tf b/main.tf index 04d8ea6e..d6d046f4 100644 --- a/main.tf +++ b/main.tf @@ -89,4 +89,5 @@ module "cloud_logs" { existing_en_instances = var.cloud_logs_existing_en_instances enable_cloud_logs_as_target = var.enable_cloud_logs_as_target skip_logs_routing_auth_policy = var.skip_logs_routing_auth_policy + logs_routing_tenant_name = var.logs_routing_tenant_name } diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md index d44be05c..5d69d49b 100644 --- a/modules/cloud_logs/README.md +++ b/modules/cloud_logs/README.md @@ -33,6 +33,7 @@ module "cloud_logs" { |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | | [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | +| [random](#requirement\_random) | >= 3.5.1, < 4.0.0 | | [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | ### Modules 
@@ -50,6 +51,7 @@ No modules. | [ibm_logs_router_tenant.logs_router_tenant_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_router_tenant) | resource | | [ibm_resource_instance.cloud_logs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource | | [ibm_resource_tag.cloud_logs_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource | +| [random_string.random_tenant_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [time_sleep.wait_for_en_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source | @@ -62,6 +64,7 @@ No modules. | [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `false` | no | | [existing\_en\_instances](#input\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs |
list(object({
en_instance_id = string
en_region = string
en_integration_name = optional(string)
skip_en_auth_policy = optional(bool, false)
}))
| `[]` | no | | [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-' | `string` | `null` | no | +| [logs\_routing\_tenant\_name](#input\_logs\_routing\_tenant\_name) | The name for this tenant. The name is regionally unique across all tenants in the account. | `string` | `null` | no | | [plan](#input\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no | | [region](#input\_region) | The region where observability resources are created. | `string` | `"eu-es"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | `null` | no | diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index be19ffb4..10146959 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf @@ -135,8 +135,18 @@ resource "ibm_iam_authorization_policy" "logs_routing_policy" { value = ibm_resource_instance.cloud_logs.guid } } + +############################################################################## +# Random Suffix +############################################################################## + +resource "random_string" "random_tenant_suffix" { + length = 13 + numeric = true +} + resource "ibm_logs_router_tenant" "logs_router_tenant_instance" { - name = "${local.instance_name}-tenant" + name = var.logs_routing_tenant_name != null ? var.logs_routing_tenant_name : "${var.region}-${random_string.random_tenant_suffix.result}" targets { log_sink_crn = ibm_resource_instance.cloud_logs.crn name = local.instance_name diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf index 2d0c12c3..72740594 100644 --- a/modules/cloud_logs/variables.tf +++ b/modules/cloud_logs/variables.tf 
@@ -138,3 +138,13 @@ variable "skip_logs_routing_auth_policy" { type = bool default = false } + +variable "logs_routing_tenant_name" { + description = "The name for this tenant. The name is regionally unique across all tenants in the account." + type = string + default = null + validation { + condition = var.logs_routing_tenant_name != null ? length(var.logs_routing_tenant_name) < 35 : true + error_message = "The maximum length is 35 characters." + } +} diff --git a/modules/cloud_logs/version.tf b/modules/cloud_logs/version.tf index f4b995bb..fafb9b83 100644 --- a/modules/cloud_logs/version.tf +++ b/modules/cloud_logs/version.tf @@ -10,5 +10,9 @@ terraform { source = "hashicorp/time" version = ">= 0.9.1, < 1.0.0" } + random = { + source = "hashicorp/random" + version = ">= 3.5.1, < 4.0.0" + } } } diff --git a/variables.tf b/variables.tf index 65db3ca1..618cda4b 100644 --- a/variables.tf +++ b/variables.tf @@ -474,4 +474,10 @@ variable "skip_logs_routing_auth_policy" { default = false } +variable "logs_routing_tenant_name" { + description = "The name for this tenant. The name is regionally unique across all tenants in the account." + type = string + default = null +} + ############################################################################## From 6f9f21fd8cf17daf8228bdbf723986ff5daa50ee Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Fri, 6 Sep 2024 23:40:23 +0530 Subject: [PATCH 03/17] fix random string --- modules/cloud_logs/main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index 10146959..b36243cd 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf @@ -143,6 +143,9 @@ resource "ibm_iam_authorization_policy" "logs_routing_policy" { resource "random_string" "random_tenant_suffix" { length = 13 numeric = true + upper = false + lower = false + special = false } resource "ibm_logs_router_tenant" "logs_router_tenant_instance" { 
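Review bot: The validation on `logs_routing_tenant_name` rejects a 35-character name (`length(var.logs_routing_tenant_name) < 35`) while its error message says the maximum is 35 characters, so one of the two is off by one; if 35 is the real limit the condition should be `length(var.logs_routing_tenant_name) <= 35`. The top-level `logs_routing_tenant_name` in variables.tf (same patch) carries no validation, which is acceptable because the value is passed straight through to the module, but its description could mention the length limit so callers are not surprised at plan time.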
From 8791717145c02bc1b0c4b9e24101d8a7d5b151c7 Mon Sep 17 00:00:00 2001 From: Shikha Maheshwari Date: Tue, 10 Sep 2024 16:36:22 +0530 Subject: [PATCH 04/17] fix: address review comments --- README.md | 2 +- modules/cloud_logs/README.md | 2 +- modules/cloud_logs/main.tf | 7 ++++++- modules/cloud_logs/variables.tf | 2 +- variables.tf | 2 +- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 4d8f4f47..4e040a6c 100644 --- a/README.md +++ b/README.md @@ -244,7 +244,7 @@ No resources. | [cloud\_monitoring\_service\_endpoints](#input\_cloud\_monitoring\_service\_endpoints) | The type of the service endpoint that will be set for the IBM cloud monitoring instance. | `string` | `"public-and-private"` | no | | [cloud\_monitoring\_tags](#input\_cloud\_monitoring\_tags) | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no | | [cos\_targets](#input\_cos\_targets) | List of cos target to be created |
list(object({
endpoint = string
bucket_name = string
instance_id = string
api_key = optional(string)
service_to_service_enabled = optional(bool, true)
target_region = optional(string)
target_name = string
skip_atracker_cos_iam_auth_policy = optional(bool, false)
}))
| `[]` | no | -| [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `false` | no | +| [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `true` | no | | [enable\_platform\_logs](#input\_enable\_platform\_logs) | Receive platform logs in the provisioned IBM Cloud Logging instance. | `bool` | `true` | no | | [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. | `bool` | `true` | no | | [eventstreams\_targets](#input\_eventstreams\_targets) | List of event streams target to be created |
list(object({
instance_id = string
brokers = list(string)
topic = string
api_key = string
target_region = optional(string)
target_name = string
}))
| `[]` | no | diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md index 5d69d49b..cb4ec631 100644 --- a/modules/cloud_logs/README.md +++ b/modules/cloud_logs/README.md @@ -61,7 +61,7 @@ No modules. |------|-------------|------|---------|:--------:| | [access\_tags](#input\_access\_tags) | A list of access tags to apply to the IBM Cloud Logs instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no | | [data\_storage](#input\_data\_storage) | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. |
object({
logs_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
metrics_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
}
)
|
{
"logs_data": null,
"metrics_data": null
}
| no | -| [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `false` | no | +| [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `true` | no | | [existing\_en\_instances](#input\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs |
list(object({
en_instance_id = string
en_region = string
en_integration_name = optional(string)
skip_en_auth_policy = optional(bool, false)
}))
| `[]` | no | | [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-' | `string` | `null` | no | | [logs\_routing\_tenant\_name](#input\_logs\_routing\_tenant\_name) | The name for this tenant. The name is regionally unique across all tenants in the account. | `string` | `null` | no | diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index b36243cd..a3c6ad62 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf @@ -148,13 +148,18 @@ resource "random_string" "random_tenant_suffix" { special = false } +locals { + cloud_logs_endpoint = (var.service_endpoints == "public-and-private") ? "public" : var.service_endpoints + log_sink_host = (local.cloud_logs_endpoint == "public") ? "${ibm_resource_instance.cloud_logs.guid}.ingress.${var.region}.logs.cloud.ibm.com" : "${ibm_resource_instance.cloud_logs.guid}.ingress.private.${var.region}.logs.cloud.ibm.com" +} + resource "ibm_logs_router_tenant" "logs_router_tenant_instance" { name = var.logs_routing_tenant_name != null ? var.logs_routing_tenant_name : "${var.region}-${random_string.random_tenant_suffix.result}" targets { log_sink_crn = ibm_resource_instance.cloud_logs.crn name = local.instance_name parameters { - host = "${ibm_resource_instance.cloud_logs.guid}.ingress.${var.region}.logs.cloud.ibm.com" + host = local.log_sink_host port = 443 } } diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf index 72740594..d57ced34 100644 --- a/modules/cloud_logs/variables.tf +++ b/modules/cloud_logs/variables.tf @@ -130,7 +130,7 @@ variable "existing_en_instances" { variable "enable_cloud_logs_as_target" { description = "Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region." type = bool - default = false + default = true } variable "skip_logs_routing_auth_policy" { diff --git a/variables.tf b/variables.tf index 618cda4b..b80ffecb 100644 --- a/variables.tf 
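Review bot: `local.cloud_logs_endpoint` maps `public-and-private` to `public`, so an instance that also exposes a private ingress endpoint still receives routed logs over the public host `<guid>.ingress.<region>.logs.cloud.ibm.com`. If the Logs Routing service can deliver to the private ingress endpoint (worth confirming against the service documentation), preferring `private` whenever the instance has one keeps the log delivery path off the public network; if it cannot, record the reason above the local, e.g. `# Logs Routing delivers over the public ingress endpoint; the private host is used only when the instance has no public endpoint.`, so the choice is not mistaken for an oversight later.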
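Review bot: Flipping the default of `enable_cloud_logs_as_target` to `true` means every existing consumer of the module gains an `ibm_logs_router_tenant` and an IAM authorization policy on its next apply without opting in, yet the variable description is unchanged and does not say routing is on by default. If on-by-default is intended, state it in the description, e.g. `description = "Whether to designate the IBM Cloud Logs instance as a target for Logs Routing in its region. Defaults to true; set to false to keep the instance out of Logs Routing."`, and flag it as a behavior change in the release notes. The same default change is made to the top-level `enable_cloud_logs_as_target` in variables.tf in this patch.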
+++ b/variables.tf @@ -465,7 +465,7 @@ variable "cloud_logs_data_storage" { variable "enable_cloud_logs_as_target" { description = "Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region." type = bool - default = false + default = true } variable "skip_logs_routing_auth_policy" { From aef6c7a7f7a7eee73a1810a27f8d6352a8a726fc Mon Sep 17 00:00:00 2001 From: Shikha Maheshwari Date: Wed, 11 Sep 2024 11:28:20 +0530 Subject: [PATCH 05/17] SKIP UPGRADE TEST --- modules/cloud_logs/README.md | 2 +- modules/cloud_logs/variables.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md index cb4ec631..702b8da9 100644 --- a/modules/cloud_logs/README.md +++ b/modules/cloud_logs/README.md @@ -66,7 +66,7 @@ No modules. | [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-' | `string` | `null` | no | | [logs\_routing\_tenant\_name](#input\_logs\_routing\_tenant\_name) | The name for this tenant. The name is regionally unique across all tenants in the account. | `string` | `null` | no | | [plan](#input\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no | -| [region](#input\_region) | The region where observability resources are created. | `string` | `"eu-es"` | no | +| [region](#input\_region) | The IBM Cloud region where Cloud logs instance will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | `null` | no | | [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Logs instance (Optional, array of strings). | `list(string)` | `[]` | no | | [retention\_period](#input\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. | `number` | `7` | no | 
diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf index d57ced34..ea3e6b27 100644 --- a/modules/cloud_logs/variables.tf +++ b/modules/cloud_logs/variables.tf @@ -1,7 +1,7 @@ variable "region" { - description = "The region where observability resources are created." + description = "The IBM Cloud region where Cloud logs instance will be created." type = string - default = "eu-es" + default = "us-south" } variable "resource_group_id" { From ed3e3de4c97800c87c3bc9db660317296254cf41 Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Wed, 11 Sep 2024 21:16:42 +0100 Subject: [PATCH 06/17] refactor --- .secrets.baseline | 4 +-- README.md | 8 +++--- examples/advanced/main.tf | 2 +- examples/advanced/variables.tf | 1 + main.tf | 30 +++++++++++----------- modules/cloud_logs/README.md | 15 ++++++----- modules/cloud_logs/main.tf | 38 +++++++++++++++++++--------- modules/cloud_logs/variables.tf | 45 +++++++++++++++++++-------------- variables.tf | 41 +++++++++++++++++++----------- 9 files changed, 109 insertions(+), 75 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index de68a52b..537196ae 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-09-06T17:41:41Z", + "generated_at": "2024-09-11T20:13:42Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -90,7 +90,7 @@ "hashed_secret": "3bd02b996f65f3548c1a0b5d93b00bfa7c88341a", "is_secret": true, "is_verified": false, - "line_number": 250, + "line_number": 249, "type": "Secret Keyword", "verified_result": null } diff --git a/README.md b/README.md index 4e040a6c..dd4cd430 100644 --- a/README.md +++ b/README.md 
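Review bot: Changing `region` from `default = "eu-es"` to `default = "us-south"` silently relocates any consumer of the module that relied on the default; since the region is part of a Cloud Logs instance's identity, the next plan would presumably propose replacing the instance (unverified here), which is a data-loss-grade change for a logging target. That deserves a sentence in the commit message (currently only "SKIP UPGRADE TEST") and, ideally, a release note; the description text change itself is fine.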
@@ -232,7 +232,7 @@ No resources. | [cloud\_logs\_plan](#input\_cloud\_logs\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no | | [cloud\_logs\_provision](#input\_cloud\_logs\_provision) | Provision a IBM Cloud Logs instance? | `bool` | `true` | no | | [cloud\_logs\_region](#input\_cloud\_logs\_region) | The IBM Cloud region where Cloud Logs instances will be created. | `string` | `null` | no | -| [cloud\_logs\_retention\_period](#input\_cloud\_logs\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. | `number` | `7` | no | +| [cloud\_logs\_retention\_period](#input\_cloud\_logs\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no | | [cloud\_logs\_service\_endpoints](#input\_cloud\_logs\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. | `string` | `"public-and-private"` | no | | [cloud\_logs\_tags](#input\_cloud\_logs\_tags) | Tags associated with the IBM Cloud Logs instance (Optional, array of strings). | `list(string)` | `[]` | no | | [cloud\_monitoring\_access\_tags](#input\_cloud\_monitoring\_access\_tags) | A list of access tags to apply to the Cloud Monitoring instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no | 
@@ -241,10 +241,9 @@ No resources. | [cloud\_monitoring\_manager\_key\_tags](#input\_cloud\_monitoring\_manager\_key\_tags) | Tags associated with the IBM Cloud Monitoring manager key. | `list(string)` | `[]` | no | | [cloud\_monitoring\_plan](#input\_cloud\_monitoring\_plan) | The IBM Cloud Monitoring plan to provision. Available: lite, graduated-tier | `string` | `"lite"` | no | | [cloud\_monitoring\_provision](#input\_cloud\_monitoring\_provision) | Provision a IBM cloud monitoring instance? | `bool` | `true` | no | -| [cloud\_monitoring\_service\_endpoints](#input\_cloud\_monitoring\_service\_endpoints) | The type of the service endpoint that will be set for the IBM cloud monitoring instance. | `string` | `"public-and-private"` | no | +| [cloud\_monitoring\_service\_endpoints](#input\_cloud\_monitoring\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private | `string` | `"public-and-private"` | no | | [cloud\_monitoring\_tags](#input\_cloud\_monitoring\_tags) | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | `list(string)` | `[]` | no | | [cos\_targets](#input\_cos\_targets) | List of cos target to be created |
list(object({
endpoint = string
bucket_name = string
instance_id = string
api_key = optional(string)
service_to_service_enabled = optional(bool, true)
target_region = optional(string)
target_name = string
skip_atracker_cos_iam_auth_policy = optional(bool, false)
}))
| `[]` | no | -| [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `true` | no | | [enable\_platform\_logs](#input\_enable\_platform\_logs) | Receive platform logs in the provisioned IBM Cloud Logging instance. | `bool` | `true` | no | | [enable\_platform\_metrics](#input\_enable\_platform\_metrics) | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. | `bool` | `true` | no | | [eventstreams\_targets](#input\_eventstreams\_targets) | List of event streams target to be created |
list(object({
instance_id = string
brokers = list(string)
topic = string
api_key = string
target_region = optional(string)
target_name = string
}))
| `[]` | no | @@ -264,10 +263,11 @@ No resources. | [log\_analysis\_service\_endpoints](#input\_log\_analysis\_service\_endpoints) | The type of the service endpoint that will be set for the Log Analysis instance. | `string` | `"public-and-private"` | no | | [log\_analysis\_tags](#input\_log\_analysis\_tags) | Tags associated with the IBM Cloud Logging instance (Optional, array of strings). | `list(string)` | `[]` | no | | [log\_analysis\_targets](#input\_log\_analysis\_targets) | List of log analysis target to be created |
list(object({
instance_id = string
ingestion_key = string
target_region = optional(string)
target_name = string
}))
| `[]` | no | -| [logs\_routing\_tenant\_name](#input\_logs\_routing\_tenant\_name) | The name for this tenant. The name is regionally unique across all tenants in the account. | `string` | `null` | no | +| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module. | `list(any)` | `[]` | no | | [region](#input\_region) | The IBM Cloud region where instances will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | n/a | yes | | [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no | +| [use\_private\_endpoint\_logs\_routing](#input\_use\_private\_endpoint\_logs\_routing) | Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VFR enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint | `bool` | `true` | no | ### Outputs diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf index dfe8d2b9..d8479634 100644 --- a/examples/advanced/main.tf +++ b/examples/advanced/main.tf 
@@ -261,5 +261,5 @@ module "observability_instance_creation" { en_instance_id = module.event_notification.guid en_region = var.en_region }] - enable_cloud_logs_as_target = true + logs_routing_tenant_regions = [var.region] } diff --git a/examples/advanced/variables.tf b/examples/advanced/variables.tf index e1c0ac6b..11dc4760 100644 --- a/examples/advanced/variables.tf +++ b/examples/advanced/variables.tf @@ -19,6 +19,7 @@ variable "prefix" { variable "region" { description = "Region where resources will be created" type = string + default = "us-south" } variable "resource_group" { diff --git a/main.tf b/main.tf index d6d046f4..25a80c8a 100644 --- a/main.tf +++ b/main.tf 
@@ -75,19 +75,19 @@ module "cloud_monitoring" { # IBM Cloud Logs module "cloud_logs" { - count = var.cloud_logs_provision ? 1 : 0 - source = "./modules/cloud_logs" - region = var.cloud_logs_region != null ? var.cloud_logs_region : var.region - resource_group_id = var.resource_group_id - instance_name = var.cloud_logs_instance_name - plan = var.cloud_logs_plan - resource_tags = var.cloud_logs_tags - access_tags = var.cloud_logs_access_tags - retention_period = var.cloud_logs_retention_period - data_storage = var.cloud_logs_data_storage - service_endpoints = var.cloud_logs_service_endpoints - existing_en_instances = var.cloud_logs_existing_en_instances - enable_cloud_logs_as_target = var.enable_cloud_logs_as_target - skip_logs_routing_auth_policy = var.skip_logs_routing_auth_policy - logs_routing_tenant_name = var.logs_routing_tenant_name + count = var.cloud_logs_provision ? 1 : 0 + source = "./modules/cloud_logs" + region = var.cloud_logs_region != null ? var.cloud_logs_region : var.region + resource_group_id = var.resource_group_id + instance_name = var.cloud_logs_instance_name + plan = var.cloud_logs_plan + resource_tags = var.cloud_logs_tags + access_tags = var.cloud_logs_access_tags + retention_period = var.cloud_logs_retention_period + data_storage = var.cloud_logs_data_storage + service_endpoints = var.cloud_logs_service_endpoints + existing_en_instances = var.cloud_logs_existing_en_instances + skip_logs_routing_auth_policy = var.skip_logs_routing_auth_policy + logs_routing_tenant_regions = var.logs_routing_tenant_regions + use_private_endpoint_logs_routing = var.use_private_endpoint_logs_routing } diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md index 702b8da9..c97ca2da 100644 --- a/modules/cloud_logs/README.md +++ b/modules/cloud_logs/README.md 
@@ -48,12 +48,13 @@ No modules. | [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_iam_authorization_policy.logs_routing_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | | [ibm_logs_outgoing_webhook.en_integration](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_outgoing_webhook) | resource | -| [ibm_logs_router_tenant.logs_router_tenant_instance](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_router_tenant) | resource | +| [ibm_logs_router_tenant.logs_router_tenant_instances](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_router_tenant) | resource | | [ibm_resource_instance.cloud_logs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource | | [ibm_resource_tag.cloud_logs_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource | | [random_string.random_tenant_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [time_sleep.wait_for_en_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source | +| [ibm_is_region.provider_region](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_region) | data source | ### Inputs 
@@ -61,17 +62,17 @@ No modules. |------|-------------|------|---------|:--------:| | [access\_tags](#input\_access\_tags) | A list of access tags to apply to the IBM Cloud Logs instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no | | [data\_storage](#input\_data\_storage) | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. |
object({
logs_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
metrics_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
}
)
|
{
"logs_data": null,
"metrics_data": null
}
| no | -| [enable\_cloud\_logs\_as\_target](#input\_enable\_cloud\_logs\_as\_target) | Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region. | `bool` | `true` | no | | [existing\_en\_instances](#input\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs |
list(object({
en_instance_id = string
en_region = string
en_integration_name = optional(string)
skip_en_auth_policy = optional(bool, false)
}))
| `[]` | no | | [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-' | `string` | `null` | no | -| [logs\_routing\_tenant\_name](#input\_logs\_routing\_tenant\_name) | The name for this tenant. The name is regionally unique across all tenants in the account. | `string` | `null` | no | +| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module. | `list(any)` | `[]` | no | | [plan](#input\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no | | [region](#input\_region) | The IBM Cloud region where Cloud logs instance will be created. | `string` | `"us-south"` | no | -| [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | `null` | no | +| [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance will be created. | `string` | `null` | no | | [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Logs instance (Optional, array of strings). | `list(string)` | `[]` | no | -| [retention\_period](#input\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. | `number` | `7` | no | -| [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. 
| `string` | `"public-and-private"` | no | -| [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no | +| [retention\_period](#input\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no | +| [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private | `string` | `"public-and-private"` | no | +| [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits the Logs Routing server 'Sender' access to the IBM Cloud Logs instance created by this module. | `bool` | `false` | no | +| [use\_private\_endpoint\_logs\_routing](#input\_use\_private\_endpoint\_logs\_routing) | Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VFR enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint | `bool` | `true` | no | ### Outputs diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index a3c6ad62..db3306fd 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf @@ -1,6 +1,5 @@ locals { - instance_name = var.instance_name != null ? var.instance_name : "cloud-logs-${var.region}" - create_access_policy_logs_routing = var.enable_cloud_logs_as_target && !var.skip_logs_routing_auth_policy + instance_name = var.instance_name != null ? var.instance_name : "cloud-logs-${var.region}" } 
@@ -111,8 +110,10 @@ resource "ibm_logs_outgoing_webhook" "en_integration" {
 ##############################################################################
 # Logs Routing
 ##############################################################################
+
+# Create required auth policy to allow log routing service to send logs to the cloud logs instance
 resource "ibm_iam_authorization_policy" "logs_routing_policy" {
- count = local.create_access_policy_logs_routing ? 1 : 0
+ count = !var.skip_logs_routing_auth_policy ? 1 : 0
 source_service_name = "logs-router"
 roles = ["Sender"]
 description = "Allow Logs Routing `Sender` access to the IBM Cloud Logs with ID ${ibm_resource_instance.cloud_logs.guid}."
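Review bot: `count = !var.skip_logs_routing_auth_policy ? 1 : 0` now creates the `logs-router` → `Sender` authorization policy even when `logs_routing_tenant_regions` is empty and no tenant is created, whereas the removed `create_access_policy_logs_routing` local tied it to the target being enabled; that leaves a standing grant on the instance with nothing consuming it, the opposite of least privilege. Tie it to tenant creation: `count = (!var.skip_logs_routing_auth_policy && length(var.logs_routing_tenant_regions) > 0) ? 1 : 0`. The new header comment could say the same so the coupling is documented: `# Auth policy allowing the Logs Routing service to send to this instance; only needed when a tenant is created below`. The resource body continues outside the hunk.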
@@ -136,25 +137,38 @@ resource "ibm_iam_authorization_policy" "logs_routing_policy" {
 }
 }
 
-##############################################################################
-# Random Suffix
-##############################################################################
-
 resource "random_string" "random_tenant_suffix" {
- length = 13
+ length = 4
 numeric = true
 upper = false
 lower = false
 special = false
 }
 
+# Lookup supported regions (Cloud Logs support the same as VPC regions)
+# data "ibm_is_regions" "regions" {} # uncomment when region support comes in https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5634
+
+# Lookup current provider region
+data "ibm_is_region" "provider_region" {}
+
 locals {
- cloud_logs_endpoint = (var.service_endpoints == "public-and-private") ? "public" : var.service_endpoints
- log_sink_host = (local.cloud_logs_endpoint == "public") ? "${ibm_resource_instance.cloud_logs.guid}.ingress.${var.region}.logs.cloud.ibm.com" : "${ibm_resource_instance.cloud_logs.guid}.ingress.private.${var.region}.logs.cloud.ibm.com"
+ log_sink_host = var.use_private_endpoint_logs_routing ? "${ibm_resource_instance.cloud_logs.guid}.ingress.private.${var.region}.logs.cloud.ibm.com" : "${ibm_resource_instance.cloud_logs.guid}.ingress.${var.region}.logs.cloud.ibm.com"
+
+ # Temporary validation to ensure the provider region matches the region passed in the var.logs_routing_tenant_regions
+ region_validate_condition = length(var.logs_routing_tenant_regions) != 0 ? data.ibm_is_region.provider_region.name != var.logs_routing_tenant_regions[0] : false
+ region_validate_msg = "The provider region defined in the provider config, and the region passed in the 'logs_routing_tenant_regions' list currently must match. If not region has been defined in the provider config, it defaults to us-south."
+ # tflint-ignore: terraform_unused_declarations
+ region_validate_check = regex("^${local.region_validate_msg}$", (!local.region_validate_condition ? 
local.region_validate_msg : ""))
 }
 
-resource "ibm_logs_router_tenant" "logs_router_tenant_instance" {
- name = var.logs_routing_tenant_name != null ? var.logs_routing_tenant_name : "${var.region}-${random_string.random_tenant_suffix.result}"
+resource "ibm_logs_router_tenant" "logs_router_tenant_instances" {
+ # until provider supports passing region to this resource (coming in https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5634),
+ # the for_each will only ever include the provider region
+
+ # for_each = contains(var.logs_routing_tenant_regions, "*") ? toset(data.ibm_is_regions.regions.regions[*].name) : var.logs_routing_tenant_regions
+ for_each = contains(var.logs_routing_tenant_regions, "*") ? toset([data.ibm_is_region.provider_region.name]) : toset(var.logs_routing_tenant_regions)
+ name = "${each.key}-${random_string.random_tenant_suffix.result}"
+ # region = each.key
 targets {
 log_sink_crn = ibm_resource_instance.cloud_logs.crn
 name = local.instance_name
diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf
index ea3e6b27..4ee9581b 100644
--- a/modules/cloud_logs/variables.tf
+++ b/modules/cloud_logs/variables.tf
@@ -6,7 +6,7 @@ variable "region" {
 
 variable "resource_group_id" {
 type = string
- description = "The id of the IBM Cloud resource group where the instance(s) will be created."
+ description = "The id of the IBM Cloud resource group where the instance will be created."
 default = null
 }
 
@@ -25,7 +25,7 @@ variable "plan" {
 condition = anytrue([
 var.plan == "standard",
 ])
- error_message = "The cloud_logs_plan value must be one of the following: standard."
+ error_message = "The plan value must be one of the following: standard."
 }
 }
 
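Review bot: `region_validate_condition` compares `data.ibm_is_region.provider_region.name` against `var.logs_routing_tenant_regions[0]` literally, so the `"*"` value that the `for_each` on `logs_router_tenant_instances` explicitly accepts always makes the condition true and the `regex(...)` guard aborts the plan — `"*"` is therefore unusable in this revision. Exempt it: `region_validate_condition = (length(var.logs_routing_tenant_regions) != 0 && var.logs_routing_tenant_regions[0] != "*") ? data.ibm_is_region.provider_region.name != var.logs_routing_tenant_regions[0] : false`. `random_string` is also cut to `length = 4` with digits only, i.e. 10,000 possible suffixes for a name that the removed `logs_routing_tenant_name` description says must be unique per region across the account; that is adequate while one tenant per region is enforced, but worth a comment so the length is not lowered further. The `region_validate_msg` text reads "If not region has been defined"; "If no region" is intended. The `targets` block of the resource continues outside the hunk.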
@@ -43,8 +43,13 @@ variable "access_tags" {
 
 variable "retention_period" {
 type = number
- description = "The number of days IBM Cloud Logs will retain the logs data in Priority insights."
+ description = "The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90."
 default = 7
+
+ validation {
+ condition = contains([7, 14, 30, 60, 90], var.retention_period)
+ error_message = "Valid values 'retention_period' are: 7, 14, 30, 60, 90"
+ }
 }
 
 variable "data_storage" {
@@ -99,12 +104,12 @@ variable "data_storage" {
 }
 
 variable "service_endpoints" {
- description = "The type of the service endpoint that will be set for the IBM Cloud Logs instance."
+ description = "The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private"
 type = string
 default = "public-and-private"
 validation {
- condition = contains(["public", "private", "public-and-private"], var.service_endpoints)
- error_message = "The specified service_endpoints is not a valid selection"
+ condition = contains(["public-and-private"], var.service_endpoints)
+ error_message = "The specified service_endpoints is not a valid selection. Allowed values: public-and-private"
 }
 }
 
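Review bot: Narrowing the `service_endpoints` validation to `contains(["public-and-private"], ...)` drops `private` as an option, so a consumer who provisioned a private-only instance to keep log ingestion off the public network now fails validation on upgrade and can no longer express that posture. If this reflects what the service or provider supports today, a comment on the condition should say so, e.g. `# Only public-and-private is accepted by the service at present; revisit once private-only is supported`, and the commit message should call out the breaking change. The root `variables.tf` hunk `@@ -415,15 +415,20 @@` makes the same narrowing for `cloud_logs_service_endpoints` but leaves its `error_message` without the allowed values, unlike this one; align the two messages.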
@@ -127,24 +132,26 @@ variable "existing_en_instances" {
 # Logs Routing
 ##############################################################################
 
-variable "enable_cloud_logs_as_target" {
- description = "Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region."
+variable "logs_routing_tenant_regions" {
+ type = list(any)
+ default = []
+ description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module."
+ nullable = false
+
+ validation {
+ condition = (length(var.logs_routing_tenant_regions) == 0 || length(var.logs_routing_tenant_regions) == 1)
+ error_message = "CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module. Leave the list empty if you don't want to create any tenants."
+ }
+}
+
+variable "use_private_endpoint_logs_routing" {
 type = bool
 default = true
+ description = "Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VFR enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint"
 }
 
 variable "skip_logs_routing_auth_policy" {
- description = "Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs."
+ description = "Whether to create an IAM authorization policy that permits the Logs Routing server 'Sender' access to the IBM Cloud Logs instance created by this module."
 type = bool
 default = false
 }
-
-variable "logs_routing_tenant_name" {
- description = "The name for this tenant. The name is regionally unique across all tenants in the account."
- type = string
- default = null
- validation {
- condition = var.logs_routing_tenant_name != null ? length(var.logs_routing_tenant_name) < 35 : true
- error_message = "The maximum length is 35 characters."
- }
-}
diff --git a/variables.tf b/variables.tf
index b80ffecb..5f0f4237 100644
--- a/variables.tf
+++ b/variables.tf
@@ -198,12 +198,12 @@ variable "enable_platform_metrics" {
 }
 
 variable "cloud_monitoring_service_endpoints" {
- description = "The type of the service endpoint that will be set for the IBM cloud monitoring instance."
+ description = "The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private"
 type = string
 default = "public-and-private"
 validation {
- condition = contains(["public", "private", "public-and-private"], var.cloud_monitoring_service_endpoints)
- error_message = "The specified service_endpoints is not a valid selection"
+ condition = contains(["public-and-private"], var.cloud_monitoring_service_endpoints)
+ error_message = "The specified service_endpoints is not a valid selection. Allowed values: public-and-private"
 }
 }
 
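Review bot: `type = list(any)` for `logs_routing_tenant_regions` should be `type = list(string)`: the values are region names or `"*"`, and `any` lets a caller pass other types that only surface later in `contains`/`toset` with a less useful error than the variable's own validation would give. The description of `use_private_endpoint_logs_routing` says "VFR enabled account" while the linked topic is `account-vrf-service-endpoint`; "VRF" is intended. Both points apply equally to the root `variables.tf` hunk `@@ -462,22 +467,28 @@`, which declares the same two variables.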
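Review bot: The new description for `cloud_monitoring_service_endpoints` reads "for the IBM Cloud Logs instance", a copy of the Cloud Logs variable's text; this variable configures the Monitoring instance, so it should be `description = "The type of the service endpoint that will be set for the IBM Cloud Monitoring instance. Allowed values: public-and-private"`. The same wrong wording is carried into the README row for this input in this commit.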
@@ -415,15 +415,20 @@ variable "cloud_logs_service_endpoints" {
 type = string
 default = "public-and-private"
 validation {
- condition = contains(["public", "private", "public-and-private"], var.cloud_logs_service_endpoints)
+ condition = contains(["public-and-private"], var.cloud_logs_service_endpoints)
 error_message = "The specified service_endpoints is not a valid selection"
 }
 }
 
 variable "cloud_logs_retention_period" {
 type = number
- description = "The number of days IBM Cloud Logs will retain the logs data in Priority insights."
+ description = "The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90."
 default = 7
+
+ validation {
+ condition = contains([7, 14, 30, 60, 90], var.cloud_logs_retention_period)
+ error_message = "Valid values 'cloud_logs_retention_period' are: 7, 14, 30, 60, 90"
+ }
 }
 
 variable "cloud_logs_existing_en_instances" {
@@ -462,22 +467,28 @@ variable "cloud_logs_data_storage" {
 description = "A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting."
 }
 
-variable "enable_cloud_logs_as_target" {
- description = "Whether to set IBM Cloud Logs be designated as a target for logs routing in a specific region."
- type = bool
- default = true
-}
-
 variable "skip_logs_routing_auth_policy" {
 description = "Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs."
 type = bool
 default = false
 }
 
-variable "logs_routing_tenant_name" {
- description = "The name for this tenant. The name is regionally unique across all tenants in the account."
- type = string
- default = null
+variable "logs_routing_tenant_regions" {
+ type = list(any)
+ default = []
+ description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module."
+ nullable = false
+
+ validation {
+ condition = (length(var.logs_routing_tenant_regions) == 0 || length(var.logs_routing_tenant_regions) == 1)
+ error_message = "CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module. Leave the list empty if you don't want to create any tenants."
+ }
+}
+
+variable "use_private_endpoint_logs_routing" {
+ type = bool
+ default = true
+ description = "Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. 
Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VFR enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint" } ############################################################################## From 76b568f6731550eb318fa2c2fe5cf24f91af05ff Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Wed, 11 Sep 2024 22:01:52 +0100 Subject: [PATCH 07/17] disable tenant creation in example --- examples/advanced/main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf index d8479634..8ff625f7 100644 --- a/examples/advanced/main.tf +++ b/examples/advanced/main.tf @@ -261,5 +261,6 @@ module "observability_instance_creation" { en_instance_id = module.event_notification.guid en_region = var.en_region }] - logs_routing_tenant_regions = [var.region] + # Only 1 account level tenant can be created per region, so to prevent tests from clashing, not creating any tenants until https://github.ibm.com/GoldenEye/issues/issues/10676 is implemented + # logs_routing_tenant_regions = [var.region] } From 814b015ae72f65de96d9a72a10bdbeb7d04d5e5d Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Thu, 12 Sep 2024 09:19:29 +0530 Subject: [PATCH 08/17] get ingress url from resource output --- modules/cloud_logs/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index db3306fd..0b8f5166 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf 
@@ -152,7 +152,7 @@ resource "random_string" "random_tenant_suffix" { data "ibm_is_region" "provider_region" {} locals { - log_sink_host = var.use_private_endpoint_logs_routing ? "${ibm_resource_instance.cloud_logs.guid}.ingress.private.${var.region}.logs.cloud.ibm.com" : "${ibm_resource_instance.cloud_logs.guid}.ingress.${var.region}.logs.cloud.ibm.com" + log_sink_host = var.use_private_endpoint_logs_routing ? ibm_resource_instance.cloud_logs.extensions.external_ingress_private : ibm_resource_instance.cloud_logs.extensions.external_ingress # Temporary validation to ensure the provider region matches the region passed in the var.logs_routing_tenant_regions region_validate_condition = length(var.logs_routing_tenant_regions) != 0 ? data.ibm_is_region.provider_region.name != var.logs_routing_tenant_regions[0] : false From f815d4fa839fb5d64e621dbaefd718858f50729a Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Thu, 12 Sep 2024 10:10:44 +0530 Subject: [PATCH 09/17] remove cloud logs region variable --- .secrets.baseline | 4 ++-- README.md | 1 - main.tf | 2 +- variables.tf | 6 ------ 4 files changed, 3 insertions(+), 10 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 537196ae..89499591 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2024-09-11T20:13:42Z", + "generated_at": "2024-09-12T04:40:00Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -90,7 +90,7 @@ "hashed_secret": "3bd02b996f65f3548c1a0b5d93b00bfa7c88341a", "is_secret": true, "is_verified": false, - "line_number": 249, + "line_number": 248, "type": "Secret Keyword", "verified_result": null } diff --git a/README.md b/README.md index dd4cd430..7eaf8bd9 100644 --- a/README.md +++ b/README.md 
@@ -231,7 +231,6 @@ No resources. | [cloud\_logs\_instance\_name](#input\_cloud\_logs\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud\_logs-' | `string` | `null` | no | | [cloud\_logs\_plan](#input\_cloud\_logs\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no | | [cloud\_logs\_provision](#input\_cloud\_logs\_provision) | Provision a IBM Cloud Logs instance? | `bool` | `true` | no | -| [cloud\_logs\_region](#input\_cloud\_logs\_region) | The IBM Cloud region where Cloud Logs instances will be created. | `string` | `null` | no | | [cloud\_logs\_retention\_period](#input\_cloud\_logs\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no | | [cloud\_logs\_service\_endpoints](#input\_cloud\_logs\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. | `string` | `"public-and-private"` | no | | [cloud\_logs\_tags](#input\_cloud\_logs\_tags) | Tags associated with the IBM Cloud Logs instance (Optional, array of strings). | `list(string)` | `[]` | no | diff --git a/main.tf b/main.tf index 25a80c8a..b026af1a 100644 --- a/main.tf +++ b/main.tf @@ -77,7 +77,7 @@ module "cloud_monitoring" { module "cloud_logs" { count = var.cloud_logs_provision ? 1 : 0 source = "./modules/cloud_logs" - region = var.cloud_logs_region != null ? var.cloud_logs_region : var.region + region = var.region resource_group_id = var.resource_group_id instance_name = var.cloud_logs_instance_name plan = var.cloud_logs_plan diff --git a/variables.tf b/variables.tf index 5f0f4237..cab0ca1a 100644 --- a/variables.tf +++ b/variables.tf 
@@ -385,12 +385,6 @@ variable "cloud_logs_plan" { default = "standard" } -variable "cloud_logs_region" { - description = "The IBM Cloud region where Cloud Logs instances will be created." - type = string - default = null -} - variable "cloud_logs_tags" { type = list(string) description = "Tags associated with the IBM Cloud Logs instance (Optional, array of strings)." From 66f4136f2f3325d2708df1cbdb7c41b73a60c166 Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Thu, 12 Sep 2024 10:37:06 +0530 Subject: [PATCH 10/17] typo --- README.md | 2 +- modules/cloud_logs/README.md | 2 +- modules/cloud_logs/variables.tf | 2 +- variables.tf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7eaf8bd9..516ab85a 100644 --- a/README.md +++ b/README.md 
@@ -266,7 +266,7 @@ No resources. | [region](#input\_region) | The IBM Cloud region where instances will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | n/a | yes | | [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no | -| [use\_private\_endpoint\_logs\_routing](#input\_use\_private\_endpoint\_logs\_routing) | Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VFR enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint | `bool` | `true` | no | +| [use\_private\_endpoint\_logs\_routing](#input\_use\_private\_endpoint\_logs\_routing) | Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VRF enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint | `bool` | `true` | no | ### Outputs diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md index c97ca2da..12d40f33 100644 --- a/modules/cloud_logs/README.md +++ b/modules/cloud_logs/README.md 
@@ -72,7 +72,7 @@ No modules. | [retention\_period](#input\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no | | [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private | `string` | `"public-and-private"` | no | | [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits the Logs Routing server 'Sender' access to the IBM Cloud Logs instance created by this module. | `bool` | `false` | no | -| [use\_private\_endpoint\_logs\_routing](#input\_use\_private\_endpoint\_logs\_routing) | Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VFR enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint | `bool` | `true` | no | +| [use\_private\_endpoint\_logs\_routing](#input\_use\_private\_endpoint\_logs\_routing) | Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VRF enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint | `bool` | `true` | no | ### Outputs diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf index 4ee9581b..5100bfaf 100644 --- a/modules/cloud_logs/variables.tf +++ b/modules/cloud_logs/variables.tf 
@@ -147,7 +147,7 @@ variable "logs_routing_tenant_regions" { variable "use_private_endpoint_logs_routing" { type = bool default = true - description = "Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VFR enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint" + description = "Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VRF enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint" } variable "skip_logs_routing_auth_policy" { diff --git a/variables.tf b/variables.tf index cab0ca1a..60d3e44a 100644 --- a/variables.tf +++ b/variables.tf @@ -482,7 +482,7 @@ variable "logs_routing_tenant_regions" { variable "use_private_endpoint_logs_routing" { type = bool default = true - description = "Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VFR enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint" + description = "Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VRF enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint" } ############################################################################## From 75720ce8b2b4b84afe36261144d15448cee11fb6 Mon Sep 17 00:00:00 2001 
From: "aashiq.jacob@ibm.com" Date: Thu, 12 Sep 2024 19:24:29 +0530 Subject: [PATCH 11/17] remove use_private_endpoint_logs_routing --- README.md | 1 - main.tf | 29 ++++++++++++++--------------- modules/cloud_logs/README.md | 1 - modules/cloud_logs/main.tf | 5 +---- modules/cloud_logs/variables.tf | 6 ------ variables.tf | 6 ------ 6 files changed, 15 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 516ab85a..978f3a6d 100644 --- a/README.md +++ b/README.md @@ -266,7 +266,6 @@ No resources. | [region](#input\_region) | The IBM Cloud region where instances will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | n/a | yes | | [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no | -| [use\_private\_endpoint\_logs\_routing](#input\_use\_private\_endpoint\_logs\_routing) | Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VRF enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint | `bool` | `true` | no | ### Outputs diff --git a/main.tf b/main.tf index b026af1a..6a64c565 100644 --- a/main.tf +++ b/main.tf 
@@ -75,19 +75,18 @@ module "cloud_monitoring" { # IBM Cloud Logs module "cloud_logs" { - count = var.cloud_logs_provision ? 1 : 0 - source = "./modules/cloud_logs" - region = var.region - resource_group_id = var.resource_group_id - instance_name = var.cloud_logs_instance_name - plan = var.cloud_logs_plan - resource_tags = var.cloud_logs_tags - access_tags = var.cloud_logs_access_tags - retention_period = var.cloud_logs_retention_period - data_storage = var.cloud_logs_data_storage - service_endpoints = var.cloud_logs_service_endpoints - existing_en_instances = var.cloud_logs_existing_en_instances - skip_logs_routing_auth_policy = var.skip_logs_routing_auth_policy - logs_routing_tenant_regions = var.logs_routing_tenant_regions - use_private_endpoint_logs_routing = var.use_private_endpoint_logs_routing + count = var.cloud_logs_provision ? 1 : 0 + source = "./modules/cloud_logs" + region = var.region + resource_group_id = var.resource_group_id + instance_name = var.cloud_logs_instance_name + plan = var.cloud_logs_plan + resource_tags = var.cloud_logs_tags + access_tags = var.cloud_logs_access_tags + retention_period = var.cloud_logs_retention_period + data_storage = var.cloud_logs_data_storage + service_endpoints = var.cloud_logs_service_endpoints + existing_en_instances = var.cloud_logs_existing_en_instances + skip_logs_routing_auth_policy = var.skip_logs_routing_auth_policy + logs_routing_tenant_regions = var.logs_routing_tenant_regions } diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md index 12d40f33..acbb7a87 100644 --- a/modules/cloud_logs/README.md +++ b/modules/cloud_logs/README.md 
@@ -72,7 +72,6 @@ No modules. | [retention\_period](#input\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no | | [service\_endpoints](#input\_service\_endpoints) | The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private | `string` | `"public-and-private"` | no | | [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits the Logs Routing server 'Sender' access to the IBM Cloud Logs instance created by this module. | `bool` | `false` | no | -| [use\_private\_endpoint\_logs\_routing](#input\_use\_private\_endpoint\_logs\_routing) | Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VRF enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint | `bool` | `true` | no | ### Outputs diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index 0b8f5166..af29c702 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf 
@@ -152,8 +152,6 @@ resource "random_string" "random_tenant_suffix" { data "ibm_is_region" "provider_region" {} locals { - log_sink_host = var.use_private_endpoint_logs_routing ? ibm_resource_instance.cloud_logs.extensions.external_ingress_private : ibm_resource_instance.cloud_logs.extensions.external_ingress - # Temporary validation to ensure the provider region matches the region passed in the var.logs_routing_tenant_regions region_validate_condition = length(var.logs_routing_tenant_regions) != 0 ? data.ibm_is_region.provider_region.name != var.logs_routing_tenant_regions[0] : false region_validate_msg = "The provider region defined in the provider config, and the region passed in the 'logs_routing_tenant_regions' list currently must match. If not region has been defined in the provider config, it defaults to us-south." @@ -165,7 +163,6 @@ resource "ibm_logs_router_tenant" "logs_router_tenant_instances" { # until provider supports passing region to this resource (coming in https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5634), # the for_each will only ever include the provider region - # for_each = contains(var.logs_routing_tenant_regions, "*") ? toset(data.ibm_is_regions.regions.regions[*].name) : var.logs_routing_tenant_regions for_each = contains(var.logs_routing_tenant_regions, "*") ? toset([data.ibm_is_region.provider_region.name]) : toset(var.logs_routing_tenant_regions) name = "${each.key}-${random_string.random_tenant_suffix.result}" # region = each.key @@ -173,7 +170,7 @@ resource "ibm_logs_router_tenant" "logs_router_tenant_instances" { log_sink_crn = ibm_resource_instance.cloud_logs.crn name = local.instance_name parameters { - host = local.log_sink_host + host = ibm_resource_instance.cloud_logs.extensions.external_ingress port = 443 } } diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf index 5100bfaf..7db2e360 100644 --- a/modules/cloud_logs/variables.tf +++ b/modules/cloud_logs/variables.tf 
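Review bot: With `log_sink_host` removed, the tenant target on the `host = ibm_resource_instance.cloud_logs.extensions.external_ingress` line is now always the public ingress hostname, and the private-endpoint path (`extensions.external_ingress_private`, the default in the previous revision) disappears without a comment saying why. Whether Logs Routing can deliver to the private ingress is not visible from this diff; if it cannot, say so in code, e.g. `# Logs Routing delivers to the public ingress endpoint; extensions.external_ingress_private is not usable as a tenant target here - re-check when the service supports private targets`, so the next reader neither "fixes" it back nor assumes platform-log delivery stays on the private network. If it can, the option should be restored rather than hard-coding the public host.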
@@ -144,12 +144,6 @@ variable "logs_routing_tenant_regions" { } } -variable "use_private_endpoint_logs_routing" { - type = bool - default = true - description = "Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VRF enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint" -} - variable "skip_logs_routing_auth_policy" { description = "Whether to create an IAM authorization policy that permits the Logs Routing server 'Sender' access to the IBM Cloud Logs instance created by this module." type = bool diff --git a/variables.tf b/variables.tf index 60d3e44a..93392fb5 100644 --- a/variables.tf +++ b/variables.tf @@ -479,10 +479,4 @@ variable "logs_routing_tenant_regions" { } } -variable "use_private_endpoint_logs_routing" { - type = bool - default = true - description = "Set to true to use a private endpoint when setting up a tenant for IBM Cloud Logs. Set to false if you want to use a public endpoint. NOTE: In order to use private, you must have a VRF enabled account. More info: https://cloud.ibm.com/docs/account?topic=account-vrf-service-endpoint" -} - ############################################################################## From 4c98455bbbf0ca2f81027e976261d2c548ecd84e Mon Sep 17 00:00:00 2001 From: "aashiq.jacob@ibm.com" Date: Fri, 13 Sep 2024 09:06:51 +0530 Subject: [PATCH 12/17] add a commented line back --- modules/cloud_logs/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index af29c702..6568eb46 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf 
@@ -163,6 +163,7 @@ resource "ibm_logs_router_tenant" "logs_router_tenant_instances" { # until provider supports passing region to this resource (coming in https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5634), # the for_each will only ever include the provider region + # for_each = contains(var.logs_routing_tenant_regions, "*") ? toset(data.ibm_is_regions.regions.regions[*].name) : var.logs_routing_tenant_regions for_each = contains(var.logs_routing_tenant_regions, "*") ? toset([data.ibm_is_region.provider_region.name]) : toset(var.logs_routing_tenant_regions) name = "${each.key}-${random_string.random_tenant_suffix.result}" # region = each.key From b7c0be748a42f2a6dcf3094b3964458faf500561 Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Fri, 13 Sep 2024 17:11:40 +0100 Subject: [PATCH 13/17] bump provider and remove limitation for tenants --- README.md | 4 ++-- examples/advanced/version.tf | 2 +- examples/basic/version.tf | 2 +- modules/activity_tracker/README.md | 2 +- modules/activity_tracker/version.tf | 2 +- modules/cloud_logs/README.md | 6 +++--- modules/cloud_logs/main.tf | 21 +++------------------ modules/cloud_logs/variables.tf | 7 +------ modules/cloud_logs/version.tf | 2 +- modules/cloud_monitoring/README.md | 2 +- modules/cloud_monitoring/version.tf | 2 +- modules/log_analysis/README.md | 2 +- modules/log_analysis/version.tf | 2 +- variables.tf | 7 +------ version.tf | 2 +- 15 files changed, 20 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index 649adcc0..4dc50b7a 100644 --- a/README.md +++ b/README.md @@ -192,7 +192,7 @@ To attach access management tags to resources in this module, you need the follo | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.2, < 2.0.0 | | [logdna](#requirement\_logdna) | >= 1.14.2, < 2.0.0 | ### Modules 
@@ -262,7 +262,7 @@ No resources. | [log\_analysis\_service\_endpoints](#input\_log\_analysis\_service\_endpoints) | The type of the service endpoint that will be set for the Log Analysis instance. | `string` | `"public-and-private"` | no | | [log\_analysis\_tags](#input\_log\_analysis\_tags) | Tags associated with the IBM Cloud Logging instance (Optional, array of strings). | `list(string)` | `[]` | no | | [log\_analysis\_targets](#input\_log\_analysis\_targets) | List of log analysis target to be created |
list(object({
instance_id = string
ingestion_key = string
target_region = optional(string)
target_name = string
}))
| `[]` | no | -| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module. | `list(any)` | `[]` | no | +| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. Its possible to select all VPC regions by using `["*"]` | `list(any)` | `[]` | no | | [region](#input\_region) | The IBM Cloud region where instances will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | n/a | yes | | [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no | diff --git a/examples/advanced/version.tf b/examples/advanced/version.tf index 95d51731..e7529087 100644 --- a/examples/advanced/version.tf +++ b/examples/advanced/version.tf @@ -5,7 +5,7 @@ terraform { required_providers { ibm = { source = "ibm-cloud/ibm" - version = ">= 1.69.0" + version = ">= 1.69.2" } logdna = { source = "logdna/logdna" 
diff --git a/examples/basic/version.tf b/examples/basic/version.tf index 50a051ec..91f37e52 100644 --- a/examples/basic/version.tf +++ b/examples/basic/version.tf @@ -5,7 +5,7 @@ terraform { # module's version.tf (basic), and 1 example that will always use the latest provider version. ibm = { source = "ibm-cloud/ibm" - version = "1.69.0" + version = "1.69.2" } logdna = { source = "logdna/logdna" diff --git a/modules/activity_tracker/README.md b/modules/activity_tracker/README.md index 198602c1..b3188194 100644 --- a/modules/activity_tracker/README.md +++ b/modules/activity_tracker/README.md @@ -45,7 +45,7 @@ module "activity_tracker" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.2, < 2.0.0 | | [logdna](#requirement\_logdna) | >= 1.14.2, < 2.0.0 | | [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | diff --git a/modules/activity_tracker/version.tf b/modules/activity_tracker/version.tf index 07dc57c5..4ef7414c 100644 --- a/modules/activity_tracker/version.tf +++ b/modules/activity_tracker/version.tf @@ -4,7 +4,7 @@ terraform { # Use "greater than or equal to" range in modules ibm = { source = "ibm-cloud/ibm" - version = ">= 1.69.0, < 2.0.0" + version = ">= 1.69.2, < 2.0.0" } logdna = { source = "logdna/logdna" diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md index 73a7f5a6..46b3c542 100644 --- a/modules/cloud_logs/README.md +++ b/modules/cloud_logs/README.md @@ -32,7 +32,7 @@ module "cloud_logs" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.2, < 2.0.0 | | [random](#requirement\_random) | >= 3.5.1, < 4.0.0 | | [time](#requirement\_time) | >= 0.9.1, < 1.0.0 | 
@@ -54,7 +54,7 @@ No modules. | [random_string.random_tenant_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [time_sleep.wait_for_en_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source | -| [ibm_is_region.provider_region](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_region) | data source | +| [ibm_is_regions.regions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_regions) | data source | ### Inputs @@ -64,7 +64,7 @@ No modules. | [data\_storage](#input\_data\_storage) | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. |
object({
logs_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
metrics_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
}
)
|
{
"logs_data": null,
"metrics_data": null
}
| no | | [existing\_en\_instances](#input\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs |
list(object({
en_instance_id = string
en_region = string
en_integration_name = optional(string)
skip_en_auth_policy = optional(bool, false)
}))
| `[]` | no | | [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-' | `string` | `null` | no | -| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module. | `list(any)` | `[]` | no | +| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. Its possible to select all VPC regions by using `["*"]` | `list(any)` | `[]` | no | | [plan](#input\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no | | [region](#input\_region) | The IBM Cloud region where Cloud logs instance will be created. | `string` | `"us-south"` | no | | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance will be created. | `string` | `null` | no | diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf index 6568eb46..89bdf3b8 100644 --- a/modules/cloud_logs/main.tf +++ b/modules/cloud_logs/main.tf 
@@ -146,27 +146,12 @@ resource "random_string" "random_tenant_suffix" { } # Lookup supported regions (Cloud Logs support the same as VPC regions) -# data "ibm_is_regions" "regions" {} # uncomment when region support comes in https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5634 - -# Lookup current provider region -data "ibm_is_region" "provider_region" {} - -locals { - # Temporary validation to ensure the provider region matches the region passed in the var.logs_routing_tenant_regions - region_validate_condition = length(var.logs_routing_tenant_regions) != 0 ? data.ibm_is_region.provider_region.name != var.logs_routing_tenant_regions[0] : false - region_validate_msg = "The provider region defined in the provider config, and the region passed in the 'logs_routing_tenant_regions' list currently must match. If not region has been defined in the provider config, it defaults to us-south." - # tflint-ignore: terraform_unused_declarations - region_validate_check = regex("^${local.region_validate_msg}$", (!local.region_validate_condition ? local.region_validate_msg : "")) -} +data "ibm_is_regions" "regions" {} resource "ibm_logs_router_tenant" "logs_router_tenant_instances" { - # until provider supports passing region to this resource (coming in https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5634), - # the for_each will only ever include the provider region - - # for_each = contains(var.logs_routing_tenant_regions, "*") ? toset(data.ibm_is_regions.regions.regions[*].name) : var.logs_routing_tenant_regions - for_each = contains(var.logs_routing_tenant_regions, "*") ? toset([data.ibm_is_region.provider_region.name]) : toset(var.logs_routing_tenant_regions) + for_each = contains(var.logs_routing_tenant_regions, "*") ? 
toset(data.ibm_is_regions.regions.regions[*].name) : var.logs_routing_tenant_regions name = "${each.key}-${random_string.random_tenant_suffix.result}" - # region = each.key + region = each.key targets { log_sink_crn = ibm_resource_instance.cloud_logs.crn name = local.instance_name diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf index 7db2e360..dad36abf 100644 --- a/modules/cloud_logs/variables.tf +++ b/modules/cloud_logs/variables.tf @@ -135,13 +135,8 @@ variable "existing_en_instances" { variable "logs_routing_tenant_regions" { type = list(any) default = [] - description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module." + description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. Its possible to select all VPC regions by using `[\"*\"]`" nullable = false - - validation { - condition = (length(var.logs_routing_tenant_regions) == 0 || length(var.logs_routing_tenant_regions) == 1) - error_message = "CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module. Leave the list empty if you don't want to create any tenants." - } } variable "skip_logs_routing_auth_policy" { 
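Review bot: The false branch of the new `for_each` passes `var.logs_routing_tenant_regions` as a bare `list(any)`, whereas the previous revision wrapped it in `toset(...)`; `for_each` accepts only sets and maps, so unless HCL unifies the two conditional branches to a set this fails at plan time for any explicit region list. Wrap the whole expression once: `for_each = toset(contains(var.logs_routing_tenant_regions, "*") ? data.ibm_is_regions.regions.regions[*].name : var.logs_routing_tenant_regions)`. Note also that every tenant, whatever its `region = each.key`, points at the single ingress host of the instance created in `var.region`, so platform logs from other regions leave their region for delivery — worth a one-line comment on the `targets` block for anyone with data-residency constraints.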
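Review bot: Dropping the length-1 validation leaves `logs_routing_tenant_regions` with no element check at all and still `type = list(any)`, so `[""]`, `[42]` or a mis-typed region name is only rejected by the provider when `ibm_logs_router_tenant` is applied, after the Cloud Logs instance already exists. Change it to `type = list(string)` and add `validation { condition = alltrue([for r in var.logs_routing_tenant_regions : r == "*" || length(trimspace(r)) > 0]) error_message = "Each entry must be a region name or \"*\"." }` so bad input fails before anything is created.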
diff --git a/modules/cloud_logs/version.tf b/modules/cloud_logs/version.tf index fafb9b83..71bc8f62 100644 --- a/modules/cloud_logs/version.tf +++ b/modules/cloud_logs/version.tf @@ -4,7 +4,7 @@ terraform { # Use "greater than or equal to" range in modules ibm = { source = "ibm-cloud/ibm" - version = ">= 1.69.0, < 2.0.0" + version = ">= 1.69.2, < 2.0.0" } time = { source = "hashicorp/time" diff --git a/modules/cloud_monitoring/README.md b/modules/cloud_monitoring/README.md index 45f01eff..d77f1a67 100644 --- a/modules/cloud_monitoring/README.md +++ b/modules/cloud_monitoring/README.md @@ -26,7 +26,7 @@ module "cloud_monitoring" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.2, < 2.0.0 | ### Modules diff --git a/modules/cloud_monitoring/version.tf b/modules/cloud_monitoring/version.tf index 51934578..7a2edbdb 100644 --- a/modules/cloud_monitoring/version.tf +++ b/modules/cloud_monitoring/version.tf @@ -4,7 +4,7 @@ terraform { # Use "greater than or equal to" range in modules ibm = { source = "ibm-cloud/ibm" - version = ">= 1.69.0, < 2.0.0" + version = ">= 1.69.2, < 2.0.0" } } } diff --git a/modules/log_analysis/README.md b/modules/log_analysis/README.md index cead52cc..9a5b6c70 100644 --- a/modules/log_analysis/README.md +++ b/modules/log_analysis/README.md @@ -45,7 +45,7 @@ module "log_analysis" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [ibm](#requirement\_ibm) | >= 1.69.0, < 2.0.0 | +| [ibm](#requirement\_ibm) | >= 1.69.2, < 2.0.0 | | [logdna](#requirement\_logdna) | >= 1.14.2, < 2.0.0 | ### Modules diff --git a/modules/log_analysis/version.tf b/modules/log_analysis/version.tf index 93907d93..1be94e3c 100644 --- a/modules/log_analysis/version.tf +++ b/modules/log_analysis/version.tf 
@@ -4,7 +4,7 @@ terraform {
 # Use "greater than or equal to" range in modules
 ibm = {
 source = "ibm-cloud/ibm"
- version = ">= 1.69.0, < 2.0.0"
+ version = ">= 1.69.2, < 2.0.0"
 }
 logdna = {
 source = "logdna/logdna"
diff --git a/variables.tf b/variables.tf
index 93392fb5..9fa504aa 100644
--- a/variables.tf
+++ b/variables.tf
@@ -470,13 +470,8 @@ variable "skip_logs_routing_auth_policy" {
 variable "logs_routing_tenant_regions" {
 type = list(any)
 default = []
- description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module."
+ description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. Its possible to select all VPC regions by using `[\"*\"]`"
 nullable = false
-
- validation {
- condition = (length(var.logs_routing_tenant_regions) == 0 || length(var.logs_routing_tenant_regions) == 1)
- error_message = "CURRENT LIMITATION: This list can currently only contain 1 region, and it must be the same region that is defined in the provider config used when consuming this module. Leave the list empty if you don't want to create any tenants."
- }
 }
 ##############################################################################
diff --git a/version.tf b/version.tf
index 95e09a74..0757048d 100644
--- a/version.tf
+++ b/version.tf
@@ -5,7 +5,7 @@ terraform {
 # tflint-ignore: terraform_unused_required_providers
 ibm = {
 source = "ibm-cloud/ibm"
- version = ">= 1.69.0, < 2.0.0"
+ version = ">= 1.69.2, < 2.0.0"
 }
 logdna = {
 source = "logdna/logdna"
From ee77686abbc73314961da33317832694de70e0e4 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 13 Sep 2024 17:36:54 +0100
Subject: [PATCH 14/17] remove support for *
---
 README.md | 2 +-
 modules/cloud_logs/README.md | 3 +--
 modules/cloud_logs/main.tf | 5 +----
 modules/cloud_logs/variables.tf | 2 +-
 variables.tf | 2 +-
 5 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 6fcdf97b..faf87267 100644
--- a/README.md
+++ b/README.md
@@ -263,7 +263,7 @@ No resources.
 | [log\_analysis\_resource\_key\_role](#input\_log\_analysis\_resource\_key\_role) | Role assigned to provide the IBM Cloud Logging key. | `string` | `"Manager"` | no |
 | [log\_analysis\_service\_endpoints](#input\_log\_analysis\_service\_endpoints) | The type of the service endpoint that will be set for the Log Analysis instance. | `string` | `"public-and-private"` | no |
 | [log\_analysis\_tags](#input\_log\_analysis\_tags) | Tags associated with the IBM Cloud Logging instance (Optional, array of strings). | `list(string)` | `[]` | no |
-| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. Its possible to select all VPC regions by using `["*"]` | `list(any)` | `[]` | no |
+| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. | `list(any)` | `[]` | no |
 | [region](#input\_region) | The IBM Cloud region where instances will be created. | `string` | `"us-south"` | no |
 | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance(s) will be created. | `string` | n/a | yes |
 | [skip\_logs\_routing\_auth\_policy](#input\_skip\_logs\_routing\_auth\_policy) | Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs. | `bool` | `false` | no |
diff --git a/modules/cloud_logs/README.md b/modules/cloud_logs/README.md
index 46b3c542..79a33555 100644
--- a/modules/cloud_logs/README.md
+++ b/modules/cloud_logs/README.md
@@ -54,7 +54,6 @@ No modules.
 | [random_string.random_tenant_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [time_sleep.wait_for_en_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [ibm_iam_account_settings.iam_account_settings](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/iam_account_settings) | data source |
-| [ibm_is_regions.regions](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/data-sources/is_regions) | data source |
 ### Inputs
@@ -64,7 +63,7 @@ No modules.
 | [data\_storage](#input\_data\_storage) | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. |
object({
logs_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
metrics_data = optional(object({
enabled = optional(bool, false)
bucket_crn = optional(string)
bucket_endpoint = optional(string)
skip_cos_auth_policy = optional(bool, false)
}), {})
}
)
|
{
"logs_data": null,
"metrics_data": null
}
| no | | [existing\_en\_instances](#input\_existing\_en\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs |
list(object({
en_instance_id = string
en_region = string
en_integration_name = optional(string)
skip_en_auth_policy = optional(bool, false)
}))
| `[]` | no |
 | [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-' | `string` | `null` | no |
-| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. Its possible to select all VPC regions by using `["*"]` | `list(any)` | `[]` | no |
+| [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. | `list(any)` | `[]` | no |
 | [plan](#input\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no |
 | [region](#input\_region) | The IBM Cloud region where Cloud logs instance will be created. | `string` | `"us-south"` | no |
 | [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance will be created. | `string` | `null` | no |
diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf
index 89bdf3b8..cb96baea 100644
--- a/modules/cloud_logs/main.tf
+++ b/modules/cloud_logs/main.tf
@@ -145,11 +145,8 @@ resource "random_string" "random_tenant_suffix" {
 special = false
 }
-# Lookup supported regions (Cloud Logs support the same as VPC regions)
-data "ibm_is_regions" "regions" {}
-
 resource "ibm_logs_router_tenant" "logs_router_tenant_instances" {
- for_each = contains(var.logs_routing_tenant_regions, "*") ? toset(data.ibm_is_regions.regions.regions[*].name) : var.logs_routing_tenant_regions
+ for_each = var.logs_routing_tenant_regions
 name = "${each.key}-${random_string.random_tenant_suffix.result}"
 region = each.key
 targets {
diff --git a/modules/cloud_logs/variables.tf b/modules/cloud_logs/variables.tf
index dad36abf..266a401b 100644
--- a/modules/cloud_logs/variables.tf
+++ b/modules/cloud_logs/variables.tf
@@ -135,7 +135,7 @@ variable "existing_en_instances" {
 variable "logs_routing_tenant_regions" {
 type = list(any)
 default = []
- description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. Its possible to select all VPC regions by using `[\"*\"]`"
+ description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants."
 nullable = false
 }
diff --git a/variables.tf b/variables.tf
index b34f7215..89930eb4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -480,7 +480,7 @@ variable "skip_logs_routing_auth_policy" {
 variable "logs_routing_tenant_regions" {
 type = list(any)
 default = []
- description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. Its possible to select all VPC regions by using `[\"*\"]`"
+ description = "Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants."
 nullable = false
 }
From aac053daae5b2f14b6c751fb66f56d5a319e1126 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 13 Sep 2024 19:19:24 +0100
Subject: [PATCH 15/17] add missing toset
---
 modules/cloud_logs/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/cloud_logs/main.tf b/modules/cloud_logs/main.tf
index cb96baea..8d46be15 100644
--- a/modules/cloud_logs/main.tf
+++ b/modules/cloud_logs/main.tf
@@ -146,7 +146,7 @@ resource "random_string" "random_tenant_suffix" {
 }
 resource "ibm_logs_router_tenant" "logs_router_tenant_instances" {
- for_each = var.logs_routing_tenant_regions
+ for_each = toset(var.logs_routing_tenant_regions)
 name = "${each.key}-${random_string.random_tenant_suffix.result}"
 region = each.key
 targets {
From 0dbf4ece0e30108bb62a9c7c501784837ba44964 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 13 Sep 2024 20:57:12 +0100
Subject: [PATCH 16/17] add workarond to test
---
 examples/advanced/main.tf | 1 +
 examples/advanced/variables.tf | 6 ++++++
 tests/pr_test.go | 5 +++++
 3 files changed, 12 insertions(+)
diff --git a/examples/advanced/main.tf b/examples/advanced/main.tf
index 77a0dd2a..441caf8e 100644
--- a/examples/advanced/main.tf
+++ b/examples/advanced/main.tf
@@ -175,6 +175,7 @@ module "observability_instance_creation" {
 activity_tracker_plan = "7-day"
 cloud_logs_plan = "standard"
 log_analysis_tags = var.resource_tags
+ activity_tracker_provision = var.activity_tracker_provision
 cloud_monitoring_tags = var.resource_tags
 activity_tracker_tags = var.resource_tags
 log_analysis_manager_key_tags = var.resource_tags
diff --git a/examples/advanced/variables.tf b/examples/advanced/variables.tf
index 6e996cc1..f707ea6e 100644
--- a/examples/advanced/variables.tf
+++ b/examples/advanced/variables.tf
@@ -77,3 +77,9 @@ variable "en_region" {
 description = "Region where event notification will be created"
 default = "au-syd"
 }
+
+variable "activity_tracker_provision" {
+ type = bool
+ description = "Whether to provision an Activity Tracker instance"
+ default = true
+}
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 344f1d25..26e0f7c3 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -90,6 +90,9 @@ func TestRunAdvanceExampleInSchematics(t *testing.T) {
 Tags: []string{"test-schematic"},
 DeleteWorkspaceOnFail: false,
 WaitJobCompleteMinutes: 60,
+ CloudInfoService: sharedInfoSvc,
+ // Support being tracked in https://github.ibm.com/GoldenEye/issues/issues/10723
+ // ExcludeActivityTrackerRegions: true,
 })
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
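Review bot: The commented-out `// ExcludeActivityTrackerRegions: true,` added to the Schematics options in `tests/pr_test.go` is dead code that will silently rot, and together with the `activity_tracker_provision` override added in the next hunk it means `TestRunAdvanceExampleInSchematics` no longer provisions Activity Tracker at all, which neither comment states. I would replace the two added comment lines with one that records the lost coverage and its exit condition, e.g. `// TODO: Activity Tracker provisioning is disabled in this test until ExcludeActivityTrackerRegions is supported (issue 10723); re-enable it and drop the activity_tracker_provision override when that lands.` `sharedInfoSvc` is not declared in this hunk and is presumably a package-level value defined elsewhere in the file; the enclosing function starts before the hunk.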
@@ -97,6 +100,8 @@ func TestRunAdvanceExampleInSchematics(t *testing.T) {
 {Name: "prefix", Value: options.Prefix, DataType: "string"},
 {Name: "region", Value: options.Region, DataType: "string"},
 {Name: "atracker_target_region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
+ // Disable AT provisioning in this test until ExcludeActivityTrackerRegions is supported (https://github.ibm.com/GoldenEye/issues/issues/10723)
+ {Name: "activity_tracker_provision", Value: false, DataType: "boolean"},
 }
 err := options.RunSchematicTest()
From 2e6d4b20fc687ceb89cb1b452261681a2122c26c Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 13 Sep 2024 22:50:09 +0100
Subject: [PATCH 17/17] bool
---
 tests/pr_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 26e0f7c3..5ef2bb94 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -101,7 +101,7 @@ func TestRunAdvanceExampleInSchematics(t *testing.T) {
 {Name: "region", Value: options.Region, DataType: "string"},
 {Name: "atracker_target_region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
 // Disable AT provisioning in this test until ExcludeActivityTrackerRegions is supported (https://github.ibm.com/GoldenEye/issues/issues/10723)
- {Name: "activity_tracker_provision", Value: false, DataType: "boolean"},
+ {Name: "activity_tracker_provision", Value: false, DataType: "bool"},
 }
 err := options.RunSchematicTest()
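Review bot: `DataType` is set from a bare string literal on the `activity_tracker_provision` entry, which is why the `"boolean"` → `"bool"` correction in PATCH 17 was needed and was only caught when the Schematics job ran. If the `testschematic` package exports constants for the accepted data types, use them here and on the `"string"` entries above; otherwise a small local `const` block such as `dtString = "string"` and `dtBool = "bool"` would turn this class of typo into a compile error. The same literal style is used in the preceding `@@ -97` hunk of PATCH 16, so one change covers both; `TestRunAdvanceExampleInSchematics` starts before the hunk.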