This module allows you to create log exports at the project, folder, organization, or billing account level. Coalfire has tested this module with Terraform version 1.5.0 and the Hashicorp Google provider versions 4.70 - 5.0.
FedRAMP Compliance: High
module "log-export" {
source = "github.com/Coalfire-CF/terraform-gcp-log-export"
destination_uri = module.destination.destination_uri
filter = var.log_filter
log_sink_name = "org-log-sink"
parent_resource_id = "your-org-id"
parent_resource_type = "organization"
include_children = true
unique_writer_identity = true
}
module "destination" {
source = "github.com/Coalfire-CF/terraform-gcp-log-export/modules/pubsub"
project_id = google_project.management.project_id
topic_name = "org-logs"
log_sink_writer_identity = module.log_export.writer_identity
create_subscriber = true
kms_key_name = "kms-key-name"
}
No requirements.
| Name | Version |
|---|---|
| n/a |
No modules.
| Name | Type |
|---|---|
| google_logging_billing_account_sink.sink | resource |
| google_logging_folder_sink.sink | resource |
| google_logging_organization_sink.sink | resource |
| google_logging_project_sink.sink | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| destination_uri | The self_link URI of the destination resource (This is available as an output coming from one of the destination submodules) | string |
n/a | yes |
| exclusions | (Optional) A list of sink exclusion filters. | list(object({ |
[] |
no |
| filter | The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is '' which exports all logs. | string |
"" |
no |
| include_children | Only valid if 'organization' or 'folder' is chosen as var.parent_resource.type. Determines whether or not to include children organizations/folders in the sink export. If true, logs associated with child projects are also exported; otherwise only logs relating to the provided organization/folder are included. | bool |
false |
no |
| log_sink_name | The name of the log sink to be created. | string |
n/a | yes |
| parent_resource_id | The ID of the GCP resource in which you create the log sink. If var.parent_resource_type is set to 'project', then this is the Project ID (and etc). | string |
n/a | yes |
| parent_resource_type | The GCP resource in which you create the log sink. The value must not be computed, and must be one of the following: 'project', 'folder', 'billing_account', or 'organization'. | string |
"project" |
no |
| unique_writer_identity | Whether or not to create a unique identity associated with this sink. If false (the default), then the writer_identity used is serviceAccount:[email protected]. If true, then a unique service account is created and used for the logging sink. | bool |
false |
no |
| Name | Description |
|---|---|
| filter | The filter to be applied when exporting logs. |
| log_sink_resource_id | The resource ID of the log sink that was created. |
| log_sink_resource_name | The resource name of the log sink that was created. |
| parent_resource_id | The ID of the GCP resource in which you create the log sink. |
| writer_identity | The service account that logging uses to write log entries to the destination. |