From 5aeb1899637b4c8ec1cfa5d01e04008d942fa0d3 Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Tue, 30 Jan 2024 11:33:04 -0300 Subject: [PATCH 1/5] sink for billing account --- 1-org/envs/shared/log_sinks.tf | 6 +- 1-org/modules/centralized-logging/main.tf | 112 +++++++++++++++++- .../modules/centralized-logging/variables.tf | 32 ++++- 3 files changed, 141 insertions(+), 9 deletions(-) diff --git a/1-org/envs/shared/log_sinks.tf b/1-org/envs/shared/log_sinks.tf index a884e6db2..454e53dff 100644 --- a/1-org/envs/shared/log_sinks.tf +++ b/1-org/envs/shared/log_sinks.tf @@ -15,8 +15,10 @@ */ locals { - parent_resource_id = local.parent_folder != "" ? local.parent_folder : local.org_id - parent_resource_type = local.parent_folder != "" ? "folder" : "organization" + #parent_resource_id = local.parent_folder != "" ? local.parent_folder : local.org_id + parent_resource_id = local.parent_folder != "" ? local.parent_folder : local.billing_account != "" ? local.billing_account : local.org_id + #parent_resource_type = local.parent_folder != "" ? "folder" : "organization" + parent_resource_type = local.parent_folder != "" ? "folder" : local.billing_account != "" ? "billing account" : "organization" parent_resources = { resource = local.parent_resource_id } logs_filter = < v if k != var.logging_project_key } - include_children = (var.resource_type == "organization" || var.resource_type == "folder") + #include_children = (var.resource_type == "organization" || var.resource_type == "folder") + include_children = var.resource_type == "organization" || var.resource_type == "folder" || var.resource_type == "billing_account" # Create an intermediate list with all resources X all destinations exports_list = flatten([ 
@@ -90,6 +91,59 @@ module "log_export" { include_children = local.include_children } + +###################### billing account ################# + +module "log_export_billing" { + source = "terraform-google-modules/log-export/google" + version = "~> 7.4" + + for_each = local.log_exports + + destination_uri = local.destination_uri_map[each.value.type] + filter = "" + #filter = each.value.options.logging_sink_filter + log_sink_name = coalesce(each.value.options.logging_sink_name, local.logging_sink_name_map[each.value.type]) + parent_resource_id = each.value.res + parent_resource_type = var.resource_type + unique_writer_identity = true + include_children = local.include_children +} + +# module "logs_export_billing" { +# ###source = "/home/renatojr/git/lab/project-sink/terraform-example-foundation/1-org/modules/centralized-logging" +# source = "terraform-google-modules/log-export/google" +# version = "~> 7.4" + +# #for_each = local.log_exports + +# destination_uri = local.destination_uri_map[each.value.type] +# #filter = each.value.options.logging_sink_filter +# filter = "" +# log_sink_name = coalesce(each.value.options.logging_sink_name, local.logging_sink_name_map[each.value.type]) +# parent_resource_id = each.value.res +# parent_resource_type = var.resource_type +# unique_writer_identity = true +# include_children = local.include_children + +# resources = local.parent_resources +# resource_type = local.parent_resource_type +# logging_destination_project_id = local.logging_destination_project_id + +# billing_options = { +# name = "billing_account_sink" +# logging_sink_filter = "" +# #log_bucket_id = "project-sink-1127" +# #log_bucket_description = "Project destination log bucket" +# #retention_days = 33 +# #location = "us-central1" +# #linked_dataset_id = "ds_c_prj_logbkt_analytics" +# #linked_dataset_description = "Project destination logbucket BigQuery Dataset for Logbucket analytics" +# } +# } + +######################################################## + 
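Review bot: `filter = ""` in the new `log_export_billing` module hard-codes an empty sink filter, so every log entry from every project under the billing account is exported to each destination, while the existing `log_export` module in the same file applies `each.value.options.logging_sink_filter`. A billing-account sink is the broadest export scope this module can create, and leaving it unfiltered pulls far more (and more sensitive) data into the centralized destinations than the org sinks do, with matching cost and retention consequences. Either pass `filter = each.value.options.logging_sink_filter` as the org sinks do, or add a comment stating why the billing sink must be unfiltered. The same `filter = ""` line is kept by the `log_export_billing` hunks in patches 4 and 5, so this applies to the final state of the series.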
#-------------------------# # Send logs to Log Bucket # #-------------------------# @@ -97,7 +151,9 @@ module "destination_logbucket" { source = "terraform-google-modules/log-export/google//modules/logbucket" version = "~> 7.7" - count = var.logbucket_options != null ? 1 : 0 + #count = var.logbucket_options != null ? 1 : 0 + count = var.logbucket_options != null && var.billing_account != null ? 1 : 0 + project_id = var.logging_destination_project_id name = coalesce(var.logbucket_options.name, local.logging_tgt_name.lbk) @@ -131,7 +187,9 @@ module "destination_storage" { source = "terraform-google-modules/log-export/google//modules/storage" version = "~> 7.4" - count = var.storage_options != null ? 1 : 0 + #count = var.storage_options != null ? 1 : 0 + count = var.storage_options != null && var.billing_account != null ? 1 : 0 + project_id = var.logging_destination_project_id storage_bucket_name = coalesce(var.storage_options.storage_bucket_name, local.logging_tgt_name.sto) @@ -166,7 +224,8 @@ module "destination_pubsub" { source = "terraform-google-modules/log-export/google//modules/pubsub" version = "~> 7.4" - count = var.pubsub_options != null ? 1 : 0 + #count = var.pubsub_options != null ? 1 : 0 + count = var.pubsub_options != null && var.billing_account != null ? 1 : 0 project_id = var.logging_destination_project_id topic_name = coalesce(var.pubsub_options.topic_name, local.logging_tgt_name.pub) 
@@ -185,3 +244,48 @@ resource "google_pubsub_topic_iam_member" "pubsub_sink_member" { role = "roles/pubsub.publisher" member = module.log_export["${each.value}_pub"].writer_identity } + +################################ +#-----------------------------------------------------------# +# Log Bucket Service account IAM membership billing account # +#-----------------------------------------------------------# + +resource "google_project_iam_member" "billing_account_member_logbucket" { + project = var.logging_destination_project_id + role = "roles/logging.configWriter" + member = module.log_export["${local.value_first_resource}_lbk"].writer_identity + + depends_on = [ + module.log_export_billing, + module.destination_logbucket + ] +} + +#--------------------------------------------------------# +# Storage Service account IAM membership billing account # +#--------------------------------------------------------# +resource "google_project_iam_member" "billing_account_member_storage" { + project = var.logging_destination_project_id + role = "roles/logging.configWriter" + member = module.log_export["${local.value_first_resource}_sto"].writer_identity + + depends_on = [ + module.log_export_billing, + module.destination_storage + ] +} + +#-------------------------------------------------------# +# Pubsub Service account IAM membership billing account # +#-------------------------------------------------------# +resource "google_project_iam_member" "billing_account_member_pubsub" { + project = var.logging_destination_project_id + role = "roles/logging.configWriter" + member = module.log_export["${local.value_first_resource}_pub"].writer_identity + + depends_on = [ + module.log_export_billing, + module.destination_pubsub + ] +} +################################## diff --git a/1-org/modules/centralized-logging/variables.tf b/1-org/modules/centralized-logging/variables.tf index 3cebb9d70..3cf1b03c9 100644 --- a/1-org/modules/centralized-logging/variables.tf 
+++ b/1-org/modules/centralized-logging/variables.tf @@ -24,13 +24,14 @@ variable "resources" { } } +### variable "resource_type" { - description = "Resource type of the resource that will export logs to destination. Must be: project, organization, or folder." + description = "Resource type of the resource that will export logs to destination. Must be: project, organization, folder or billing_account." type = string validation { - condition = contains(["project", "folder", "organization"], var.resource_type) - error_message = "The resource_type value must be: project, organization, or folder." + condition = contains(["project", "folder", "organization", "billing_account"], var.resource_type) + error_message = "The resource_type value must be: project, organization, folder or billing_account." } } @@ -40,6 +41,13 @@ variable "logging_project_key" { default = "" } +#### +variable "billing_account" { + description = "Billing Account ID used in case sinks are under billing account level. Format 000000-000000-000000." + type = string + default = "" +} + variable "logging_destination_project_id" { description = "The ID of the project that will have the resources where the logs will be created." type = string @@ -123,3 +131,21 @@ EOT }) default = null } + +#----------------------------------- # +# Billing Account specific variables # +#----------------------------------- # +variable "billing_options" { + description = < Date: Tue, 30 Jan 2024 11:40:14 -0300 Subject: [PATCH 2/5] remove comments --- 1-org/modules/centralized-logging/main.tf | 32 ----------------------- 1 file changed, 32 deletions(-) diff --git a/1-org/modules/centralized-logging/main.tf b/1-org/modules/centralized-logging/main.tf index 30a140c60..6550183bc 100644 --- a/1-org/modules/centralized-logging/main.tf +++ b/1-org/modules/centralized-logging/main.tf 
@@ -110,38 +110,6 @@ module "log_export_billing" { include_children = local.include_children } -# module "logs_export_billing" { -# ###source = "/home/renatojr/git/lab/project-sink/terraform-example-foundation/1-org/modules/centralized-logging" -# source = "terraform-google-modules/log-export/google" -# version = "~> 7.4" - -# #for_each = local.log_exports - -# destination_uri = local.destination_uri_map[each.value.type] -# #filter = each.value.options.logging_sink_filter -# filter = "" -# log_sink_name = coalesce(each.value.options.logging_sink_name, local.logging_sink_name_map[each.value.type]) -# parent_resource_id = each.value.res -# parent_resource_type = var.resource_type -# unique_writer_identity = true -# include_children = local.include_children - -# resources = local.parent_resources -# resource_type = local.parent_resource_type -# logging_destination_project_id = local.logging_destination_project_id - -# billing_options = { -# name = "billing_account_sink" -# logging_sink_filter = "" -# #log_bucket_id = "project-sink-1127" -# #log_bucket_description = "Project destination log bucket" -# #retention_days = 33 -# #location = "us-central1" -# #linked_dataset_id = "ds_c_prj_logbkt_analytics" -# #linked_dataset_description = "Project destination logbucket BigQuery Dataset for Logbucket analytics" -# } -# } - ######################################################## #-------------------------# From 2d3c7c01d80e9ba0cbe9272bc4d91d440bf5d85a Mon Sep 17 00:00:00 2001 From: Renato Rudnicki Date: Fri, 2 Feb 2024 18:39:25 -0300 Subject: [PATCH 3/5] update code --- 1-org/envs/shared/log_sinks.tf | 6 ++---- 1-org/modules/centralized-logging/main.tf | 20 ++++++++++++++++++- .../modules/centralized-logging/variables.tf | 16 ++++++++++++--- 3 files changed, 34 insertions(+), 8 deletions(-) diff --git a/1-org/envs/shared/log_sinks.tf b/1-org/envs/shared/log_sinks.tf index 454e53dff..a884e6db2 100644 --- a/1-org/envs/shared/log_sinks.tf +++ b/1-org/envs/shared/log_sinks.tf 
@@ -15,10 +15,8 @@ */ locals { - #parent_resource_id = local.parent_folder != "" ? local.parent_folder : local.org_id - parent_resource_id = local.parent_folder != "" ? local.parent_folder : local.billing_account != "" ? local.billing_account : local.org_id - #parent_resource_type = local.parent_folder != "" ? "folder" : "organization" - parent_resource_type = local.parent_folder != "" ? "folder" : local.billing_account != "" ? "billing account" : "organization" + parent_resource_id = local.parent_folder != "" ? local.parent_folder : local.org_id + parent_resource_type = local.parent_folder != "" ? "folder" : "organization" parent_resources = { resource = local.parent_resource_id } logs_filter = < Date: Thu, 8 Feb 2024 17:38:30 -0300 Subject: [PATCH 4/5] update --- 0-bootstrap/sa.tf | 6 + 1-org/modules/centralized-logging/main.tf | 157 ++++++++++++------ .../modules/centralized-logging/variables.tf | 44 ++--- 3 files changed, 127 insertions(+), 80 deletions(-) diff --git a/0-bootstrap/sa.tf b/0-bootstrap/sa.tf index 205995603..1cff3efab 100644 --- a/0-bootstrap/sa.tf +++ b/0-bootstrap/sa.tf @@ -227,3 +227,9 @@ resource "google_billing_account_iam_member" "billing_admin_user" { google_billing_account_iam_member.tf_billing_user ] } + +resource "google_billing_account_iam_member" "billing_account_sink" { + billing_account_id = var.billing_account + role = "roles/logging.configWriter" + member = "serviceAccount:${google_service_account.terraform-env-sa["org"].email}" +} diff --git a/1-org/modules/centralized-logging/main.tf b/1-org/modules/centralized-logging/main.tf index 30894806c..f83d8241a 100644 --- a/1-org/modules/centralized-logging/main.tf +++ b/1-org/modules/centralized-logging/main.tf 
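Review bot: In the sa.tf hunk, `google_billing_account_iam_member.billing_account_sink` binds `roles/logging.configWriter` on the billing account to the org step service account unconditionally, while the billing-account sinks it exists for are toggled by `enable_billing_account_sink` later in the series; the grant should be gated the same way (for example `count = var.enable_billing_account_sink ? 1 : 0` if that toggle is surfaced at the bootstrap level) so disabling the feature does not leave a standing billing-account-level permission. The resource also lacks a comment tying it to its consumer; suggested: `# Allows the org step to create log sinks at the billing account level (see 1-org/modules/centralized-logging).`. The other patch-3 hunks on this line are a pure revert and a hunk cut off by the page, so no note there.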
@@ -17,8 +17,8 @@ locals { value_first_resource = values(var.resources)[0] logbucket_sink_member = { for k, v in var.resources : k => v if k != var.logging_project_key } - #include_children = (var.resource_type == "organization" || var.resource_type == "folder") - include_children = var.resource_type == "organization" || var.resource_type == "folder" || var.resource_type == "billing_account" + include_children = (var.resource_type == "organization" || var.resource_type == "folder") + #include_children = var.resource_type == "organization" || var.resource_type == "folder" || var.resource_type == "billing_account" # Create an intermediate list with all resources X all destinations 
@@ -95,39 +95,48 @@ module "log_export" { ###################### billing account ################# -resource "null_resource" "trigger_log_export_billing" { - count = var.billing_account != "" ? 1 : 0 +# resource "null_resource" "trigger_log_export_billing" { +# count = var.billing_account != "" ? 1 : 0 - triggers = { - billing_account_id = var.billing_account - } - - provisioner "local-exec" { - command = "echo Log Export Billing Trigger" - } -} +# triggers = { +# billing_account_id = var.billing_account +# } +# # provisioner "local-exec" { +# # command = "echo Log Export Billing Trigger" +# # } +# } +### TO-DO: +# Verify if billing account has some value module "log_export_billing" { source = "terraform-google-modules/log-export/google" version = "~> 7.4" + #for_each = var.billing_account =!"" ? local.log_export : {} for_each = local.log_exports destination_uri = local.destination_uri_map[each.value.type] filter = "" - #filter = each.value.options.logging_sink_filter - log_sink_name = coalesce(each.value.options.logging_sink_name, local.logging_sink_name_map[each.value.type]) - parent_resource_id = each.value.res - parent_resource_type = var.resource_type + log_sink_name = "${coalesce(each.value.options.logging_sink_name, local.logging_sink_name_map[each.value.type])}-billing" + #parent_resource_id = each.value.res #billing account id + parent_resource_id = var.billing_account + parent_resource_type = "billing_account" unique_writer_identity = true - include_children = local.include_children - depends_on = [ - null_resource.trigger_log_export_billing, - ] + # depends_on = [ + # null_resource.trigger_log_export_billing, + # ] } +# resource "google_billing_account_iam_member" "billing_account_sink" { +# billing_account_id = var.billing_account +# role = "roles/logging.configWriter" +# member = "serviceAccount:${var.org_step_terraform_service_account_email}" +# #member = "serviceAccount:${var.org_step_terraform_service_account_email}" +# #member = 
"serviceAccount:${module.env_shared.org_step_terraform_service_account_email}" +# } + ######################################################## #-------------------------# @@ -137,8 +146,8 @@ module "destination_logbucket" { source = "terraform-google-modules/log-export/google//modules/logbucket" version = "~> 7.7" - #count = var.logbucket_options != null ? 1 : 0 - count = var.logbucket_options != null && var.billing_options != null ? 1 : 0 + count = var.logbucket_options != null ? 1 : 0 + #count = var.logbucket_options != null && var.billing_options != null ? 1 : 0 project_id = var.logging_destination_project_id @@ -173,8 +182,8 @@ module "destination_storage" { source = "terraform-google-modules/log-export/google//modules/storage" version = "~> 7.4" - #count = var.storage_options != null ? 1 : 0 - count = var.storage_options != null && var.billing_account != null ? 1 : 0 + count = var.storage_options != null ? 1 : 0 + #count = var.storage_options != null && var.billing_account != null ? 1 : 0 project_id = var.logging_destination_project_id @@ -210,8 +219,8 @@ module "destination_pubsub" { source = "terraform-google-modules/log-export/google//modules/pubsub" version = "~> 7.4" - #count = var.pubsub_options != null ? 1 : 0 - count = var.pubsub_options != null && var.billing_account != null ? 1 : 0 + count = var.pubsub_options != null ? 1 : 0 + #count = var.pubsub_options != null && var.billing_account != null ? 1 : 0 project_id = var.logging_destination_project_id topic_name = coalesce(var.pubsub_options.topic_name, local.logging_tgt_name.pub) 
@@ -236,42 +245,84 @@ resource "google_pubsub_topic_iam_member" "pubsub_sink_member" { # Log Bucket Service account IAM membership billing account # #-----------------------------------------------------------# -resource "google_project_iam_member" "billing_account_member_logbucket" { - project = var.logging_destination_project_id - role = "roles/logging.configWriter" - member = module.log_export["${local.value_first_resource}_lbk"].writer_identity +# resource "google_project_iam_member" "billing_account_member_logbucket" { +# project = var.logging_destination_project_id +# role = "roles/logging.configWriter" +# member = module.log_export_billing["${local.value_first_resource}_lbk"].writer_identity - depends_on = [ - module.log_export_billing, - module.destination_logbucket - ] -} + # depends_on = [ + # module.log_export_billing, + # module.destination_logbucket + # ] +#} + +# resource "google_project_iam_member" "billing_logbucket_sink_member" { +# for_each = var.logbucket_options != null ? 
local.logbucket_sink_member : {} + +# project = var.logging_destination_project_id +# role = "roles/logging.bucketWriter" +# member = module.log_export_billing["${each.value}_lbk"].writer_identity + +# # depends_on = [ +# # module.log_export_billing, +# # module.destination_logbucket +# # ] +# } #--------------------------------------------------------# # Storage Service account IAM membership billing account # #--------------------------------------------------------# -resource "google_project_iam_member" "billing_account_member_storage" { - project = var.logging_destination_project_id - role = "roles/logging.configWriter" - member = module.log_export["${local.value_first_resource}_sto"].writer_identity - depends_on = [ - module.log_export_billing, - module.destination_storage - ] -} +# resource "google_project_iam_member" "billing_account_member_storage" { +# project = var.logging_destination_project_id +# role = "roles/logging.configWriter" +# member = module.log_export_billing["${local.value_first_resource}_sto"].writer_identity + +# # depends_on = [ +# # module.log_export_billing, +# # module.destination_storage +# # ] +# } + +# resource "google_storage_bucket_iam_member" "billing_storage_sink_member" { +# for_each = var.storage_options != null ? 
var.resources : {} + +# bucket = module.destination_storage[0].resource_name +# role = "roles/storage.objectCreator" +# member = module.log_export_billing["${each.value}_sto"].writer_identity + +# # depends_on = [ +# # module.log_export_billing, +# # module.destination_storage +# # ] +# } #-------------------------------------------------------# # Pubsub Service account IAM membership billing account # #-------------------------------------------------------# -resource "google_project_iam_member" "billing_account_member_pubsub" { - project = var.logging_destination_project_id - role = "roles/logging.configWriter" - member = module.log_export["${local.value_first_resource}_pub"].writer_identity - depends_on = [ - module.log_export_billing, - module.destination_pubsub - ] -} +# resource "google_project_iam_member" "billing_account_member_pubsub" { +# project = var.logging_destination_project_id +# role = "roles/logging.configWriter" +# member = module.log_export_billing["${local.value_first_resource}_pub"].writer_identity + +# # depends_on = [ +# # module.log_export_billing, +# # module.destination_pubsub +# # ] +# } + +# resource "google_pubsub_topic_iam_member" "billing_pubsub_sink_member" { +# for_each = var.pubsub_options != null ? var.resources : {} + +# project = var.logging_destination_project_id +# topic = module.destination_pubsub[0].resource_name +# role = "roles/pubsub.publisher" +# member = module.log_export_billing["${each.value}_pub"].writer_identity + +# # depends_on = [ +# # module.log_export_billing, +# # module.destination_pubsub +# # ] +# } ################################## diff --git a/1-org/modules/centralized-logging/variables.tf b/1-org/modules/centralized-logging/variables.tf index 5dab8e97e..61f230fbe 100644 --- a/1-org/modules/centralized-logging/variables.tf +++ b/1-org/modules/centralized-logging/variables.tf 
@@ -26,25 +26,15 @@ variable "resources" { ### variable "resource_type" { - description = "Resource type of the resource that will export logs to destination. Must be: project, organization, or folder." + description = "Resource type of the resource that will export logs to destination. Must be: project, organization, billing_account or folder." type = string validation { - condition = contains(["project", "folder", "organization"], var.resource_type) - error_message = "The resource_type value must be: project, organization, or folder." + condition = contains(["project", "folder", "organization", "billing_account"], var.resource_type) + error_message = "The resource_type value must be: project, organization, billing_account or folder." } } -# variable "resource_type" { -# description = "Resource type of the resource that will export logs to destination. Must be: project, organization, folder or billing_account." -# type = string - -# validation { -# condition = contains(["project", "folder", "organization", "billing_account"], var.resource_type) -# error_message = "The resource_type value must be: project, organization, folder or billing_account." -# } -# } - variable "logging_project_key" { description = "(Optional) The key of logging destination project if it is inside resources map. It is mandatory when resource_type = project and logging_target_type = logbucket." type = string @@ -145,17 +135,17 @@ EOT #----------------------------------- # # Billing Account specific variables # #----------------------------------- # -variable "billing_options" { - description = < Date: Wed, 14 Feb 2024 13:41:26 -0300 Subject: [PATCH 5/5] update code --- 1-org/modules/centralized-logging/main.tf | 129 +----------------- .../modules/centralized-logging/variables.tf | 29 ++-- 2 files changed, 11 insertions(+), 147 deletions(-) diff --git a/1-org/modules/centralized-logging/main.tf b/1-org/modules/centralized-logging/main.tf index f83d8241a..cf03fe350 100644 
--- a/1-org/modules/centralized-logging/main.tf +++ b/1-org/modules/centralized-logging/main.tf @@ -18,8 +18,6 @@ locals { value_first_resource = values(var.resources)[0] logbucket_sink_member = { for k, v in var.resources : k => v if k != var.logging_project_key } include_children = (var.resource_type == "organization" || var.resource_type == "folder") - #include_children = var.resource_type == "organization" || var.resource_type == "folder" || var.resource_type == "billing_account" - # Create an intermediate list with all resources X all destinations exports_list = flatten([ 
@@ -92,51 +90,20 @@ module "log_export" { include_children = local.include_children } - -###################### billing account ################# - -# resource "null_resource" "trigger_log_export_billing" { -# count = var.billing_account != "" ? 1 : 0 - -# triggers = { -# billing_account_id = var.billing_account -# } - -# # provisioner "local-exec" { -# # command = "echo Log Export Billing Trigger" -# # } -# } - -### TO-DO: -# Verify if billing account has some value +######################################################## module "log_export_billing" { source = "terraform-google-modules/log-export/google" version = "~> 7.4" - #for_each = var.billing_account =!"" ? local.log_export : {} - for_each = local.log_exports + for_each = var.enable_billing_account_sink != "" ? local.log_export : {} destination_uri = local.destination_uri_map[each.value.type] filter = "" log_sink_name = "${coalesce(each.value.options.logging_sink_name, local.logging_sink_name_map[each.value.type])}-billing" - #parent_resource_id = each.value.res #billing account id parent_resource_id = var.billing_account parent_resource_type = "billing_account" unique_writer_identity = true - - # depends_on = [ - # null_resource.trigger_log_export_billing, - # ] } - -# resource "google_billing_account_iam_member" "billing_account_sink" { -# billing_account_id = var.billing_account -# role = "roles/logging.configWriter" -# member = "serviceAccount:${var.org_step_terraform_service_account_email}" -# #member = "serviceAccount:${var.org_step_terraform_service_account_email}" -# #member = "serviceAccount:${module.env_shared.org_step_terraform_service_account_email}" -# } - ######################################################## #-------------------------# 
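Review bot: `for_each = var.enable_billing_account_sink != "" ? local.log_export : {}` compares a `bool` variable against a string, which in Terraform evaluates to true for both `true` and `false`, so the toggle never disables the billing sinks; and `local.log_export` does not match the `local.log_exports` name the `log_export` module uses (the removed line had the correct name), so this will fail at plan time unless a `log_export` local exists outside the hunk. Write it as `for_each = var.enable_billing_account_sink ? local.log_exports : {}`. Separately, the writer identities of these sinks (`module.log_export_billing[...].writer_identity`) are never granted `roles/logging.bucketWriter`, `roles/storage.objectCreator` or `roles/pubsub.publisher` on the destinations — the billing IAM member resources are deleted in the last hunk of this patch and nothing replaces them — so the sinks will be created but their exports will be rejected at the destination; extend the existing `logbucket_sink_member`, `storage_sink_member` and `pubsub_sink_member` resources (or add parallel ones) to cover the billing writer identities.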
@@ -147,8 +114,6 @@ module "destination_logbucket" { version = "~> 7.7" count = var.logbucket_options != null ? 1 : 0 - #count = var.logbucket_options != null && var.billing_options != null ? 1 : 0 - project_id = var.logging_destination_project_id name = coalesce(var.logbucket_options.name, local.logging_tgt_name.lbk) @@ -183,8 +148,6 @@ module "destination_storage" { version = "~> 7.4" count = var.storage_options != null ? 1 : 0 - #count = var.storage_options != null && var.billing_account != null ? 1 : 0 - project_id = var.logging_destination_project_id storage_bucket_name = coalesce(var.storage_options.storage_bucket_name, local.logging_tgt_name.sto) @@ -220,7 +183,6 @@ module "destination_pubsub" { version = "~> 7.4" count = var.pubsub_options != null ? 1 : 0 - #count = var.pubsub_options != null && var.billing_account != null ? 1 : 0 project_id = var.logging_destination_project_id topic_name = coalesce(var.pubsub_options.topic_name, local.logging_tgt_name.pub) 
@@ -239,90 +201,3 @@ resource "google_pubsub_topic_iam_member" "pubsub_sink_member" { role = "roles/pubsub.publisher" member = module.log_export["${each.value}_pub"].writer_identity } - -################################ -#-----------------------------------------------------------# -# Log Bucket Service account IAM membership billing account # -#-----------------------------------------------------------# - -# resource "google_project_iam_member" "billing_account_member_logbucket" { -# project = var.logging_destination_project_id -# role = "roles/logging.configWriter" -# member = module.log_export_billing["${local.value_first_resource}_lbk"].writer_identity - - # depends_on = [ - # module.log_export_billing, - # module.destination_logbucket - # ] -#} - -# resource "google_project_iam_member" "billing_logbucket_sink_member" { -# for_each = var.logbucket_options != null ? local.logbucket_sink_member : {} - -# project = var.logging_destination_project_id -# role = "roles/logging.bucketWriter" -# member = module.log_export_billing["${each.value}_lbk"].writer_identity - -# # depends_on = [ -# # module.log_export_billing, -# # module.destination_logbucket -# # ] -# } - -#--------------------------------------------------------# -# Storage Service account IAM membership billing account # -#--------------------------------------------------------# - -# resource "google_project_iam_member" "billing_account_member_storage" { -# project = var.logging_destination_project_id -# role = "roles/logging.configWriter" -# member = module.log_export_billing["${local.value_first_resource}_sto"].writer_identity - -# # depends_on = [ -# # module.log_export_billing, -# # module.destination_storage -# # ] -# } - -# resource "google_storage_bucket_iam_member" "billing_storage_sink_member" { -# for_each = var.storage_options != null ? 
var.resources : {} - -# bucket = module.destination_storage[0].resource_name -# role = "roles/storage.objectCreator" -# member = module.log_export_billing["${each.value}_sto"].writer_identity - -# # depends_on = [ -# # module.log_export_billing, -# # module.destination_storage -# # ] -# } - -#-------------------------------------------------------# -# Pubsub Service account IAM membership billing account # -#-------------------------------------------------------# - -# resource "google_project_iam_member" "billing_account_member_pubsub" { -# project = var.logging_destination_project_id -# role = "roles/logging.configWriter" -# member = module.log_export_billing["${local.value_first_resource}_pub"].writer_identity - -# # depends_on = [ -# # module.log_export_billing, -# # module.destination_pubsub -# # ] -# } - -# resource "google_pubsub_topic_iam_member" "billing_pubsub_sink_member" { -# for_each = var.pubsub_options != null ? var.resources : {} - -# project = var.logging_destination_project_id -# topic = module.destination_pubsub[0].resource_name -# role = "roles/pubsub.publisher" -# member = module.log_export_billing["${each.value}_pub"].writer_identity - -# # depends_on = [ -# # module.log_export_billing, -# # module.destination_pubsub -# # ] -# } -################################## diff --git a/1-org/modules/centralized-logging/variables.tf b/1-org/modules/centralized-logging/variables.tf index 61f230fbe..e07c94c04 100644 --- a/1-org/modules/centralized-logging/variables.tf +++ b/1-org/modules/centralized-logging/variables.tf 
@@ -41,11 +41,18 @@ variable "logging_project_key" { default = "" } -#### +### variable "billing_account" { description = "Billing Account ID used in case sinks are under billing account level. Format 000000-000000-000000." type = string - default = "" + default = "010ECE-40301B-50DDD5" +} + +### +variable "enable_billing_account_sink" { +description = "Verify if billing account will be logged in the sink." + type = bool + default = true } variable "logging_destination_project_id" { @@ -131,21 +138,3 @@ EOT }) default = null } - -#----------------------------------- # -# Billing Account specific variables # -#----------------------------------- # -# variable "billing_options" { -# description = <
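Review bot: `default = "010ECE-40301B-50DDD5"` bakes a concrete billing account ID into the module's `billing_account` variable; a reusable module must not ship an environment-specific identifier as a default, since any caller that omits the variable silently targets that account and the identifier is committed to the repository. Keep `default = ""` (or drop the default) and enforce the documented format with a validation block, e.g. `condition = var.billing_account == "" || can(regex("^[A-Z0-9]{6}-[A-Z0-9]{6}-[A-Z0-9]{6}$", var.billing_account))`. `enable_billing_account_sink` is declared `type = bool`, `default = true`, but its only use in main.tf is a string comparison (`!= ""`); its description should say what it controls, e.g. `Whether to create log sinks at the billing account level for var.billing_account.`, and the `description` line needs `terraform fmt` indentation. With the hard-coded default and a default of `true`, every consumer of this module creates billing-account sinks against that one account unless both values are overridden.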