feat: initial release (#3)

Author: kierramarie

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 # Primary owner should be listed first in list of global owners, followed by any secondary owners
-*       @ocofaigh @daniel-butler-irl
+*       @kierramarie @ocofaigh

.github/settings.yml

@@ -22,7 +22,7 @@ repository:
 
   # Uncomment this description property
   # and update the description to the current repo description.
-  # description: ""
+  description: "This module supports configuring an IBM Cloud Logs instance, log routing tenants to enable platform logs and cloud logs policies."
 
   # Use a comma-separated list of topics to set on the repo (ensure not to use any caps in the topic string).
   topics: terraform, ibm-cloud, terraform-module, core-team, cloud-logs, logging, logs, observability

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-11-22T17:36:38Z",
+  "generated_at": "2025-03-10T19:32:13Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,18 +76,7 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {
-    "README.md": [
-      {
-        "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 74,
-        "type": "Secret Keyword",
-        "verified_result": null
-      }
-    ]
-  },
+  "results": {},
   "version": "0.13.1+ibm.62.dss",
   "word_list": {
     "file": null,

README.md

@@ -2,3 +2,10 @@
 
 <!-- There is a pre-commit hook that will take the title of each example add include it in the repos main README.md  -->
 <!-- Add text below should describe exactly what resources are provisioned / configured by the example  -->
+
+Example that configures:
+
+- COS instance and KMS encrypted COS buckets
+- Cloud Logs with Event Notifications integration
+- Cloud Logs policies
+- Key Protect instance and root key

examples/advanced/README.md

@@ -10,23 +10,163 @@ module "resource_group" {
   existing_resource_group_name = var.resource_group
 }
 
+##############################################################################
+# Key Protect Instance + Key (used to encrypt bucket)
+##############################################################################
+
+locals {
+  key_ring_name = "${var.prefix}-cloud-logs"
+  key_name      = "${var.prefix}-cloud-logs-key"
+}
+
+module "key_protect" {
+  source            = "terraform-ibm-modules/kms-all-inclusive/ibm"
+  version           = "4.20.0"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  resource_tags     = var.resource_tags
+  keys = [
+    {
+      key_ring_name = local.key_ring_name
+      keys = [
+        {
+          key_name = local.key_name
+        }
+      ]
+    }
+  ]
+  key_protect_instance_name = "${var.prefix}-kp"
+}
+
+##############################################################################
+# Event Notification
+##############################################################################
+
+module "event_notification_1" {
+  source            = "terraform-ibm-modules/event-notifications/ibm"
+  version           = "1.18.8"
+  resource_group_id = module.resource_group.resource_group_id
+  name              = "${var.prefix}-en-1"
+  tags              = var.resource_tags
+  plan              = "standard"
+  service_endpoints = "public"
+  region            = var.region
+}
+
+module "event_notification_2" {
+  source            = "terraform-ibm-modules/event-notifications/ibm"
+  version           = "1.18.8"
+  resource_group_id = module.resource_group.resource_group_id
+  name              = "${var.prefix}-en-2"
+  tags              = var.resource_tags
+  plan              = "standard"
+  service_endpoints = "public"
+  region            = var.region
+}
+
+##############################################################################
+# COS instance + buckets
+##############################################################################
+
+module "cos" {
+  source            = "terraform-ibm-modules/cos/ibm"
+  version           = "8.19.5"
+  resource_group_id = module.resource_group.resource_group_id
+  cos_instance_name = "${var.prefix}-cos"
+  cos_tags          = var.resource_tags
+  create_cos_bucket = false
+}
+
+locals {
+  logs_bucket_name    = "${var.prefix}-logs-data"
+  metrics_bucket_name = "${var.prefix}-metrics-data"
+}
+
+module "buckets" {
+  source  = "terraform-ibm-modules/cos/ibm//modules/buckets"
+  version = "8.19.5"
+  bucket_configs = [
+    {
+      bucket_name                   = local.logs_bucket_name
+      kms_encryption_enabled        = true
+      region_location               = var.region
+      resource_instance_id          = module.cos.cos_instance_id
+      kms_guid                      = module.key_protect.kms_guid
+      kms_key_crn                   = module.key_protect.keys["${local.key_ring_name}.${local.key_name}"].crn
+      skip_iam_authorization_policy = false
+    },
+    {
+      bucket_name                   = local.metrics_bucket_name
+      kms_encryption_enabled        = true
+      region_location               = var.region
+      resource_instance_id          = module.cos.cos_instance_id
+      kms_guid                      = module.key_protect.kms_guid
+      kms_key_crn                   = module.key_protect.keys["${local.key_ring_name}.${local.key_name}"].crn
+      skip_iam_authorization_policy = true # Auth policy created in first bucket
+    }
+  ]
+}
+
 ########################################################################################################################
-# COS
+# Cloud Logs
 ########################################################################################################################
 
 #
 # Developer tips:
 #   - Call the local module / modules in the example to show how they can be consumed
-#   - Include the actual module source as a code comment like below so consumers know how to consume from correct location
+#   - include the actual module source as a code comment like below so consumers know how to consume from correct location
 #
 
-module "cos" {
-  source = "../.."
-  # remove the above line and uncomment the below 2 lines to consume the module from the registry
-  # source            = "terraform-ibm-modules/<replace>/ibm"
-  # version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
-  name              = "${var.prefix}-cos"
+locals {
+  cloud_logs_instance_name = "${var.prefix}-cloud-logs"
+}
+
+module "cloud_logs" {
+  source = "../../"
+  # delete line above and use below syntax to pull module source from hashicorp when consuming this module
+  # source    = "terraform-ibm-modules/cloud-logs/ibm"
+  # version   = "X.Y.Z" # Replace "X.X.X" with a release version to lock into a specific release
   resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  instance_name     = local.cloud_logs_instance_name
   resource_tags     = var.resource_tags
-  plan              = "cos-one-rate-plan"
+  access_tags       = var.access_tags
+  data_storage = {
+    # logs and metrics buckets must be different
+    logs_data = {
+      enabled         = true
+      bucket_crn      = module.buckets.buckets[local.logs_bucket_name].bucket_crn
+      bucket_endpoint = module.buckets.buckets[local.logs_bucket_name].s3_endpoint_direct
+    },
+    metrics_data = {
+      enabled         = true
+      bucket_crn      = module.buckets.buckets[local.metrics_bucket_name].bucket_crn
+      bucket_endpoint = module.buckets.buckets[local.metrics_bucket_name].s3_endpoint_direct
+    }
+  }
+  policies = [{
+    logs_policy_name     = "${var.prefix}-logs-policy-1"
+    logs_policy_priority = "type_low"
+    application_rule = [{
+      name         = "test-system-app"
+      rule_type_id = "start_with"
+    }]
+    log_rules = [{
+      severities = ["info", "debug"]
+    }]
+    subsystem_rule = [{
+      name         = "test-sub-system"
+      rule_type_id = "start_with"
+    }]
+  }]
+  existing_event_notifications_instances = [{
+    en_instance_id      = module.event_notification_1.guid
+    en_region           = var.region
+    en_integration_name = "${var.prefix}-en-1"
+    },
+    {
+      en_instance_id      = module.event_notification_2.guid
+      en_region           = var.region
+      en_integration_name = "${var.prefix}-en-2"
+  }]
 }

examples/advanced/main.tf

@@ -7,32 +7,67 @@
 #   - Include all relevant outputs from the modules being called in the example
 #
 
-output "account_id" {
-  description = "An alpha-numeric value identifying the account ID."
-  value       = module.cos.account_id
+output "cloud_logs_crn" {
+  value       = module.cloud_logs.crn
+  description = "The id of the provisioned Cloud Logs instance."
 }
 
-output "guid" {
-  description = "The GUID of the resource instance."
-  value       = module.cos.account_id
+output "cloud_logs_guid" {
+  value       = module.cloud_logs.guid
+  description = "The guid of the provisioned Cloud Logs instance."
 }
 
-output "id" {
-  description = "The unique identifier of the resource instance."
-  value       = module.cos.id
+output "cloud_logs_name" {
+  value       = module.cloud_logs.name
+  description = "The name of the provisioned Cloud Logs instance."
 }
 
-output "crn" {
-  description = "The CRN of the resource instance."
-  value       = module.cos.crn
+output "resource_group_id" {
+  value       = module.cloud_logs.resource_group_id
+  description = "The resource group where Cloud Logs instance resides."
 }
 
-output "resource_group_name" {
-  description = "Resource group name."
-  value       = module.resource_group.resource_group_name
+output "cloud_logs_ingress_endpoint" {
+  value       = module.cloud_logs.ingress_endpoint
+  description = "The public ingress endpoint of the provisioned Cloud Logs instance."
 }
 
-output "resource_group_id" {
-  description = "Resource group ID."
-  value       = module.resource_group.resource_group_id
+output "cloud_logs_ingress_private_endpoint" {
+  value       = module.cloud_logs.ingress_private_endpoint
+  description = "The private ingress endpoint of the provisioned Cloud Logs instance."
+}
+
+output "cos_crn" {
+  value       = module.cos.cos_instance_id
+  description = "The id of the provisioned Cloud Object Storage instance."
+}
+
+output "logs_bucket_crn" {
+  value       = module.buckets.buckets[local.logs_bucket_name].bucket_crn
+  description = "The id of the provisioned Cloud Object Storage bucket for logs."
+}
+
+output "logs_bucket_name" {
+  value       = local.logs_bucket_name
+  description = "The name of the provisioned Cloud Object Storage bucket for logs."
+}
+
+output "metrics_bucket_crn" {
+  value       = module.buckets.buckets[local.metrics_bucket_name].bucket_crn
+  description = "The id of the provisioned Cloud Object Storage bucket for metrics."
+}
+
+output "metrics_bucket_name" {
+  value       = local.metrics_bucket_name
+  description = "The name of the provisioned Cloud Object Storage bucket for metrics."
+}
+
+output "event_notification_1_crn" {
+  value       = module.event_notification_1.crn
+  description = "The id of the provisioned Event Notifications 1 instance."
+}
+
+output "event_notification_2_crn" {
+  value       = module.event_notification_2.crn
+  description = "The id of the provisioned Event Notifications 2 instance."
 }

examples/advanced/outputs.tf

@@ -37,3 +37,9 @@ variable "resource_tags" {
   description = "List of resource tag to associate with all resource instances created by this example."
   default     = []
 }
+
+variable "access_tags" {
+  type        = list(string)
+  description = "Optional list of access management tags to add to resources that are created."
+  default     = []
+}

examples/advanced/variables.tf

@@ -8,4 +8,6 @@ The text below should describe exactly what resources are provisioned / configur
 
 An end-to-end basic example that will provision the following:
 - A new resource group if one is not passed in.
-- A new standard plan Cloud Object Storage instance using the root level module.
+- A new standard plan Cloud Object Storage instance.
+- Two Cloud Object Storage buckets.
+- A Cloud Logs instance using root module, attached to provisioned Cloud Object Storage buckets.