feat: added 2 new submodules [logs_policy](https://github.com/terraform-ibm-modules/terraform-ibm-cloud-logs/tree/main/modules/logs_policy) and [webhook](https://github.com/terraform-ibm-modules/terraform-ibm-cloud-logs/tree/main/modules/webhook) that can be called independantly to the root level module. The root level module still supports all the same functionality, but now calls these submodules under the covers. (#38)

Author: iamar7

README.md

@@ -131,22 +131,20 @@ You need the following permissions to run this module.
 |------|--------|---------|
 | <a name="module_cbr_rule"></a> [cbr\_rule](#module\_cbr\_rule) | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.31.0 |
 | <a name="module_cos_bucket_crn_parser"></a> [cos\_bucket\_crn\_parser](#module\_cos\_bucket\_crn\_parser) | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
+| <a name="module_en_integration"></a> [en\_integration](#module\_en\_integration) | ./modules/webhook | n/a |
+| <a name="module_logs_policies"></a> [logs\_policies](#module\_logs\_policies) | ./modules/logs_policy | n/a |
 
 ### Resources
 
 | Name | Type |
 |------|------|
 | [ibm_iam_authorization_policy.cos_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
-| [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
 | [ibm_iam_authorization_policy.logs_routing_policy](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource |
-| [ibm_logs_outgoing_webhook.en_integration](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_outgoing_webhook) | resource |
-| [ibm_logs_policy.logs_policies](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_policy) | resource |
 | [ibm_logs_router_tenant.logs_router_tenant_instances](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/logs_router_tenant) | resource |
 | [ibm_resource_instance.cloud_logs](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_instance) | resource |
 | [ibm_resource_tag.cloud_logs_tag](https://registry.terraform.io/providers/ibm-cloud/ibm/latest/docs/resources/resource_tag) | resource |
 | [random_string.random_tenant_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [time_sleep.wait_for_cos_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
-| [time_sleep.wait_for_en_authorization_policy](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 
 ### Inputs
 
@@ -157,10 +155,10 @@ You need the following permissions to run this module.
 | <a name="input_data_storage"></a> [data\_storage](#input\_data\_storage) | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. | <pre>object({<br/>    logs_data = optional(object({<br/>      enabled              = optional(bool, false)<br/>      bucket_crn           = optional(string)<br/>      bucket_endpoint      = optional(string)<br/>      skip_cos_auth_policy = optional(bool, false)<br/>    }), {})<br/>    metrics_data = optional(object({<br/>      enabled              = optional(bool, false)<br/>      bucket_crn           = optional(string)<br/>      bucket_endpoint      = optional(string)<br/>      skip_cos_auth_policy = optional(bool, false)<br/>    }), {})<br/>    }<br/>  )</pre> | <pre>{<br/>  "logs_data": null,<br/>  "metrics_data": null<br/>}</pre> | no |
 | <a name="input_existing_event_notifications_instances"></a> [existing\_event\_notifications\_instances](#input\_existing\_event\_notifications\_instances) | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs. | <pre>list(object({<br/>    en_instance_id      = string<br/>    en_region           = string<br/>    en_integration_name = optional(string)<br/>    skip_en_auth_policy = optional(bool, false)<br/>  }))</pre> | `[]` | no |
 | <a name="input_instance_name"></a> [instance\_name](#input\_instance\_name) | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-<region>' | `string` | `null` | no |
-| <a name="input_logs_routing_tenant_regions"></a> [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. NOTE: You can only have 1 tenant per region in an account. | `list(any)` | `[]` | no |
+| <a name="input_logs_routing_tenant_regions"></a> [logs\_routing\_tenant\_regions](#input\_logs\_routing\_tenant\_regions) | Pass a list of regions to create a tenant for that is targetted to the IBM Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants. NOTE: You can only have 1 tenant per region in an account. | `list(any)` | `[]` | no |
 | <a name="input_plan"></a> [plan](#input\_plan) | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no |
-| <a name="input_policies"></a> [policies](#input\_policies) | Configuration of Cloud Logs policies. | <pre>list(object({<br/>    logs_policy_name        = string<br/>    logs_policy_description = optional(string, null)<br/>    logs_policy_priority    = string<br/>    application_rule = optional(list(object({<br/>      name         = string<br/>      rule_type_id = string<br/>    })))<br/>    subsystem_rule = optional(list(object({<br/>      name         = string<br/>      rule_type_id = string<br/>    })))<br/>    log_rules = optional(list(object({<br/>      severities = list(string)<br/>    })))<br/>    archive_retention = optional(list(object({<br/>      id = string<br/>    })))<br/>  }))</pre> | `[]` | no |
-| <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where Cloud logs instance will be created. | `string` | `"us-south"` | no |
+| <a name="input_policies"></a> [policies](#input\_policies) | Configuration of IBM Cloud Logs policies. | <pre>list(object({<br/>    logs_policy_name        = string<br/>    logs_policy_description = optional(string, null)<br/>    logs_policy_priority    = string<br/>    application_rule = optional(list(object({<br/>      name         = string<br/>      rule_type_id = string<br/>    })))<br/>    subsystem_rule = optional(list(object({<br/>      name         = string<br/>      rule_type_id = string<br/>    })))<br/>    log_rules = optional(list(object({<br/>      severities = list(string)<br/>    })))<br/>    archive_retention = optional(list(object({<br/>      id = string<br/>    })))<br/>  }))</pre> | `[]` | no |
+| <a name="input_region"></a> [region](#input\_region) | The IBM Cloud region where IBM Cloud logs instance will be created. | `string` | `"us-south"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The id of the IBM Cloud resource group where the instance will be created. | `string` | `null` | no |
 | <a name="input_resource_tags"></a> [resource\_tags](#input\_resource\_tags) | Tags associated with the IBM Cloud Logs instance (Optional, array of strings). | `list(string)` | `[]` | no |
 | <a name="input_retention_period"></a> [retention\_period](#input\_retention\_period) | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no |
@@ -171,12 +169,12 @@ You need the following permissions to run this module.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The account id where cloud logs instance is provisioned. |
-| <a name="output_crn"></a> [crn](#output\_crn) | The CRN of the provisioned Cloud Logs instance. |
-| <a name="output_guid"></a> [guid](#output\_guid) | The guid of the provisioned Cloud Logs instance. |
-| <a name="output_ingress_endpoint"></a> [ingress\_endpoint](#output\_ingress\_endpoint) | The public ingress endpoint of the provisioned Cloud Logs instance. |
-| <a name="output_ingress_private_endpoint"></a> [ingress\_private\_endpoint](#output\_ingress\_private\_endpoint) | The private ingress endpoint of the provisioned Cloud Logs instance. |
-| <a name="output_logs_policies_details"></a> [logs\_policies\_details](#output\_logs\_policies\_details) | The details of the Cloud logs policies created. |
-| <a name="output_name"></a> [name](#output\_name) | The name of the provisioned Cloud Logs instance. |
-| <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The resource group where Cloud Logs instance resides. |
+| <a name="output_account_id"></a> [account\_id](#output\_account\_id) | The account id where IBM Cloud logs instance is provisioned. |
+| <a name="output_crn"></a> [crn](#output\_crn) | The CRN of the provisioned IBM Cloud Logs instance. |
+| <a name="output_guid"></a> [guid](#output\_guid) | The guid of the provisioned IBM Cloud Logs instance. |
+| <a name="output_ingress_endpoint"></a> [ingress\_endpoint](#output\_ingress\_endpoint) | The public ingress endpoint of the provisioned IBM Cloud Logs instance. |
+| <a name="output_ingress_private_endpoint"></a> [ingress\_private\_endpoint](#output\_ingress\_private\_endpoint) | The private ingress endpoint of the provisioned IBM Cloud Logs instance. |
+| <a name="output_logs_policies_details"></a> [logs\_policies\_details](#output\_logs\_policies\_details) | The details of the IBM Cloud logs policies created. |
+| <a name="output_name"></a> [name](#output\_name) | The name of the provisioned IBM Cloud Logs instance. |
+| <a name="output_resource_group_id"></a> [resource\_group\_id](#output\_resource\_group\_id) | The resource group where IBM Cloud Logs instance resides. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/advanced/README.md

@@ -6,7 +6,7 @@
 Example that configures:
 
 - COS instance and KMS encrypted COS buckets
-- Cloud Logs with Event Notifications integration
-- Cloud Logs policies
+- IBM Cloud Logs with Event Notifications integration
+- IBM Cloud Logs policies
 - Key Protect instance and root key
 - A context-based restriction (CBR) rule to only allow cloud logs to be accessible from schematics

examples/advanced/main.tf

@@ -131,7 +131,7 @@ module "cbr_schematics_zone" {
 }
 
 ########################################################################################################################
-# Cloud Logs
+# IBM Cloud Logs
 ########################################################################################################################
 
 locals {

examples/advanced/outputs.tf

@@ -9,32 +9,32 @@
 
 output "cloud_logs_crn" {
   value       = module.cloud_logs.crn
-  description = "The id of the provisioned Cloud Logs instance."
+  description = "The id of the provisioned IBM Cloud Logs instance."
 }
 
 output "cloud_logs_guid" {
   value       = module.cloud_logs.guid
-  description = "The guid of the provisioned Cloud Logs instance."
+  description = "The guid of the provisioned IBM Cloud Logs instance."
 }
 
 output "cloud_logs_name" {
   value       = module.cloud_logs.name
-  description = "The name of the provisioned Cloud Logs instance."
+  description = "The name of the provisioned IBM Cloud Logs instance."
 }
 
 output "resource_group_id" {
   value       = module.cloud_logs.resource_group_id
-  description = "The resource group where Cloud Logs instance resides."
+  description = "The resource group where IBM Cloud Logs instance resides."
 }
 
 output "cloud_logs_ingress_endpoint" {
   value       = module.cloud_logs.ingress_endpoint
-  description = "The public ingress endpoint of the provisioned Cloud Logs instance."
+  description = "The public ingress endpoint of the provisioned IBM Cloud Logs instance."
 }
 
 output "cloud_logs_ingress_private_endpoint" {
   value       = module.cloud_logs.ingress_private_endpoint
-  description = "The private ingress endpoint of the provisioned Cloud Logs instance."
+  description = "The private ingress endpoint of the provisioned IBM Cloud Logs instance."
 }
 
 output "cos_crn" {

examples/basic/README.md

@@ -10,4 +10,4 @@ An end-to-end basic example that will provision the following:
 - A new resource group if one is not passed in.
 - A new standard plan Cloud Object Storage instance.
 - Two Cloud Object Storage buckets.
-- A Cloud Logs instance using root module, attached to provisioned Cloud Object Storage buckets.
+- A IBM Cloud Logs instance using root module, attached to provisioned Cloud Object Storage buckets.

examples/basic/main.tf

@@ -52,7 +52,7 @@ module "buckets" {
 }
 
 ########################################################################################################################
-# Cloud Logs
+# IBM Cloud Logs
 ########################################################################################################################
 
 #

examples/basic/outputs.tf

@@ -9,32 +9,32 @@
 
 output "cloud_logs_crn" {
   value       = module.cloud_logs.crn
-  description = "The id of the provisioned Cloud Logs instance."
+  description = "The id of the provisioned IBM Cloud Logs instance."
 }
 
 output "cloud_logs_guid" {
   value       = module.cloud_logs.guid
-  description = "The guid of the provisioned Cloud Logs instance."
+  description = "The guid of the provisioned IBM Cloud Logs instance."
 }
 
 output "cloud_logs_name" {
   value       = module.cloud_logs.name
-  description = "The name of the provisioned Cloud Logs instance."
+  description = "The name of the provisioned IBM Cloud Logs instance."
 }
 
 output "resource_group_id" {
   value       = module.cloud_logs.resource_group_id
-  description = "The resource group where Cloud Logs instance resides."
+  description = "The resource group where IBM Cloud Logs instance resides."
 }
 
 output "cloud_logs_ingress_endpoint" {
   value       = module.cloud_logs.ingress_endpoint
-  description = "The public ingress endpoint of the provisioned Cloud Logs instance."
+  description = "The public ingress endpoint of the provisioned IBM Cloud Logs instance."
 }
 
 output "cloud_logs_ingress_private_endpoint" {
   value       = module.cloud_logs.ingress_private_endpoint
-  description = "The private ingress endpoint of the provisioned Cloud Logs instance."
+  description = "The private ingress endpoint of the provisioned IBM Cloud Logs instance."
 }
 
 output "cos_crn" {

main.tf

@@ -29,10 +29,6 @@ resource "ibm_resource_tag" "cloud_logs_tag" {
   tag_type    = "access"
 }
 
-##############################################################################
-# Get Cloud Account ID
-##############################################################################
-
 # If logs or metrics data is enabled, parse details from it
 module "cos_bucket_crn_parser" {
   for_each = { for index, bucket in var.data_storage : index => bucket if bucket.enabled && !bucket.skip_cos_auth_policy }
@@ -90,34 +86,13 @@ resource "time_sleep" "wait_for_cos_authorization_policy" {
 # EN Integration
 ##############################################################################
 
-# Create IAM Authorization Policies to allow Cloud Logs to access event notification
-resource "ibm_iam_authorization_policy" "en_policy" {
-  for_each                    = { for idx, en in var.existing_event_notifications_instances : idx => en if !en.skip_en_auth_policy }
-  source_service_name         = "logs"
-  source_resource_instance_id = ibm_resource_instance.cloud_logs.guid
-  target_service_name         = "event-notifications"
-  target_resource_instance_id = each.value.en_instance_id
-  roles                       = ["Event Source Manager", "Viewer"]
-  description                 = "Allow Cloud Logs with instance ID ${ibm_resource_instance.cloud_logs.guid} 'Event Source Manager' and 'Viewer' role access on the Event Notification instance GUID ${each.value.en_instance_id}"
-}
-
-resource "time_sleep" "wait_for_en_authorization_policy" {
-  depends_on      = [ibm_iam_authorization_policy.en_policy]
-  create_duration = "30s"
-}
-
-resource "ibm_logs_outgoing_webhook" "en_integration" {
-  depends_on  = [time_sleep.wait_for_en_authorization_policy]
-  for_each    = { for idx, en in var.existing_event_notifications_instances : idx => en }
-  instance_id = ibm_resource_instance.cloud_logs.guid
-  region      = var.region
-  name        = each.value.en_integration_name == null ? "${local.instance_name}-en-integration-${each.key}" : each.value.en_integration_name
-  type        = "ibm_event_notifications"
-
-  ibm_event_notifications {
-    event_notifications_instance_id = each.value.en_instance_id
-    region_id                       = each.value.en_region
-  }
+module "en_integration" {
+  count                                  = length(var.existing_event_notifications_instances) > 0 ? 1 : 0
+  source                                 = "./modules/webhook"
+  cloud_logs_instance_id                 = ibm_resource_instance.cloud_logs.guid
+  cloud_logs_instance_name               = local.instance_name
+  cloud_logs_region                      = var.region
+  existing_event_notifications_instances = var.existing_event_notifications_instances
 }
 
 ##############################################################################
@@ -180,50 +155,15 @@ resource "ibm_logs_router_tenant" "logs_router_tenant_instances" {
 # Configure Logs Policies - TCO Optimizer
 ##############################################################################
 
-resource "ibm_logs_policy" "logs_policies" {
-  for_each = {
-    for policy in var.policies :
-    policy.logs_policy_name => policy
-  }
-  instance_id   = ibm_resource_instance.cloud_logs.guid
-  region        = ibm_resource_instance.cloud_logs.location
-  endpoint_type = ibm_resource_instance.cloud_logs.service_endpoints
-  name          = each.value.logs_policy_name
-  description   = each.value.logs_policy_description
-  priority      = each.value.logs_policy_priority
-
-  dynamic "application_rule" {
-    for_each = each.value.application_rule != null ? each.value.application_rule : []
-    content {
-      name         = application_rule.value["name"]
-      rule_type_id = application_rule.value["rule_type_id"]
-    }
-  }
-
-  dynamic "log_rules" {
-    for_each = each.value.log_rules
-    content {
-      severities = log_rules.value["severities"]
-    }
-  }
-
-  dynamic "subsystem_rule" {
-    for_each = each.value.subsystem_rule != null ? each.value.subsystem_rule : []
-    content {
-      name         = subsystem_rule.value["name"]
-      rule_type_id = subsystem_rule.value["rule_type_id"]
-    }
-  }
-
-  dynamic "archive_retention" {
-    for_each = each.value.archive_retention != null ? each.value.archive_retention : []
-    content {
-      id = archive_retention.value["id"]
-    }
-  }
+module "logs_policies" {
+  count                        = length(var.policies) > 0 ? 1 : 0
+  source                       = "./modules/logs_policy"
+  cloud_logs_instance_id       = ibm_resource_instance.cloud_logs.guid
+  cloud_logs_region            = ibm_resource_instance.cloud_logs.location
+  cloud_logs_service_endpoints = ibm_resource_instance.cloud_logs.service_endpoints
+  policies                     = var.policies
 }
 
-
 ##############################################################################
 # CBR
 ##############################################################################