
Commit 6c0b0f15 authored by Adam Robinson's avatar Adam Robinson

logging submodule

parent 4228d573
......@@ -8,13 +8,6 @@ resource "random_id" "id" {
locals{
project_name_string = substr(lower(replace(var.project_name, "/\\s/", "-")), 0, 25)
filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
default_cidr = "10.255.0.0/16"
default_subnets = {for x in var.regions : x => cidrsubnet(local.default_cidr,4,index(var.regions, x))}
pods_cidr = "10.255.128.0/17"
pods_range = {for x in var.regions : x => cidrsubnet(local.pods_cidr,3,index(var.regions, x))}
services_cidr = "10.255.224.0/19"
services_range = {for x in var.regions : x => cidrsubnet(local.services_cidr,3,index(var.regions, x))}
curl_body = {
kind = "project"
security_contact = var.security_contact
......@@ -35,15 +28,6 @@ locals{
dt_other_data = var.dt_other_data
dt_other_data_info = var.dt_other_data_info
}
log_filter_list = [
"LOG_ID(\"cloudaudit.googleapis.com/activity\")",
"LOG_ID(\"externalaudit.googleapis.com/activity\")",
"LOG_ID(\"cloudaudit.googleapis.com/system_event\")",
"LOG_ID(\"externalaudit.googleapis.com/system_event\")",
"LOG_ID(\"cloudaudit.googleapis.com/access_transparency\")",
"LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
]
log_filters = join(" OR ", local.log_filter_list)
}
resource "google_project" "gcp_project" {
......@@ -57,12 +41,6 @@ resource "google_project" "gcp_project" {
}
}
resource "google_project_iam_member" "project_iam" {
project = google_project.gcp_project.project_id
role = "roles/editor"
member = "group:${var.mcomm_group_email}"
}
resource "google_project_service" "compute_api" {
project = google_project.gcp_project.project_id
service = "compute.googleapis.com"
......@@ -73,51 +51,10 @@ resource "google_project_service" "pubsub_api" {
service = "pubsub.googleapis.com"
}
resource "google_logging_project_sink" "log_export" {
project = google_project.gcp_project.project_id
name = "${google_project.gcp_project.project_id}-log-export"
destination = var.log_export_destination
# filter = local.log_filters # Use only if not using aggregate log sink at folder level
filter = local.filter_string # if adding filter to match nothing; use in conjunction with aggregated log sink + exclusion filter
exclusions {
name = "Aggregated_Logs_Exclusion"
description = "Excluding logs already captured by aggregated log sink (at folder). Please DO NOT alter/remove."
filter = local.log_filters
}
unique_writer_identity = true
}
# # does not work - still allows duplicate logs from aggregated log sink :(
# resource "google_logging_project_exclusion" "aggregated_log_exclusions" {
# project = google_project.gcp_project.project_id
# name = "Aggregated_Logs_Exclusion"
# description = "Excluding logs already captured by aggregated log sink (at folder). Please DO NOT alter/remove."
# filter = local.log_filters
# }
# Give unique writer permission to publish/write to pub/sub topic
resource "google_pubsub_topic_iam_member" "publisher" {
project = "vci-mcloud-service" # should make this a var
topic = var.log_export_destination
role = "roles/pubsub.publisher"
member = google_logging_project_sink.log_export.writer_identity
}
resource "google_compute_network" "default_vpc" {
project = google_project.gcp_project.project_id
name = "${var.vpc_prefix}-default-vpc"
routing_mode = "GLOBAL"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "default_subnet" {
for_each = local.default_subnets
project = google_project.gcp_project.project_id
name = "default-${each.key}"
region = each.key
ip_cidr_range = each.value
network = google_compute_network.default_vpc.self_link
secondary_ip_range = var.gke_vpc_ranges ? [{range_name = "${each.key}-pods", ip_cidr_range = local.pods_range[each.key]},{range_name = "${each.key}-services", ip_cidr_range = local.services_range[each.key]}] : []
module "logging" {
source = "./modules/logging"
project_id = google_project.gcp_project.project_id
log_export_destination_topic = var.log_export_destination_topic
}
module "vpn" {
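Review bot: The hunk headed `@@ -57,12 +41,6 @@` appears to delete `google_project_iam_member.project_iam`, the `roles/editor` grant to `group:${var.mcomm_group_email}`, while the commit message only mentions the logging submodule; if I read the rendered counts right (6 removed, 6 new, two blank lines collapsed), that binding is destroyed on the next apply rather than moved. If the grant was relocated, name the new location in the commit message; if its removal is intended, it deserves its own commit so the access change is visible in history. On the new `module "logging"` call at the end of the last hunk, the module grants `roles/pubsub.publisher` on the destination topic in whatever project `var.log_export_destination_topic` names, so the identity running `terraform apply` needs topic-level IAM rights in that other project; a comment such as `# grants this project's sink writer identity publisher on the destination topic (cross-project IAM)` would make that requirement visible at the call site.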
......
locals {
filter_string = "Change_Me_to_Send_Additional_Logs_to_Splunk; Leave_Exclusions_in_Place_PLEASE"
log_filters = join(" OR ", local.log_filter_list)
log_filter_list = [
"log_id(\"cloudaudit.googleapis.com/activity\")",
"log_id(\"externalaudit.googleapis.com/activity\")",
"log_id(\"cloudaudit.googleapis.com/system_event\")",
"log_id(\"externalaudit.googleapis.com/system_event\")",
"log_id(\"cloudaudit.googleapis.com/access_transparency\")",
"log_id(\"externalaudit.googleapis.com/access_transparency\")",
]
log_export_destination_project_id = split("/", var.log_export_destination_topic)[2]
}
resource "google_logging_project_sink" "log_export" {
project = var.project_id
name = "${var.project_id}-log-export"
destination = var.log_export_destination_topic
filter = local.filter_string
unique_writer_identity = true
exclusions {
name = "Aggregated_Logs_Exclusion"
description = "Excluding logs already captured by aggregated log sink (at folder). Please DO NOT alter/remove."
filter = local.log_filters
}
}
# Give unique writer permission to publish/write to pub/sub topic
resource "google_pubsub_topic_iam_member" "publisher" {
project = local.log_export_destination_project_id
topic = var.log_export_destination_topic
role = "roles/pubsub.publisher"
member = google_logging_project_sink.log_export.writer_identity
}
\ No newline at end of file
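Review bot: `log_export_destination_project_id = split("/", var.log_export_destination_topic)[2]` in the new `locals` block yields the project id only when the topic is supplied as `pubsub.googleapis.com/projects/<project>/topics/<topic>`; the shorter `projects/<project>/topics/<topic>` form that `google_pubsub_topic_iam_member.topic` also accepts puts `"topics"` at index 2, so `roles/pubsub.publisher` would be granted against a project that does not exist or, worse, one that happens to carry that name. Parsing by pattern fails the plan with a clear error instead: `log_export_destination_project_id = regex("projects/([^/]+)/topics/", var.log_export_destination_topic)[0]`. The same assumption could be enforced where the value enters, with a `validation` block on `log_export_destination_topic` in modules/logging/variables.tf, if the project is on Terraform 0.13 or later. Separately, the move dropped the inline comment that explained `filter = local.filter_string`; per the old main.tf the string is meant to match nothing, so a line like `# intentionally matches nothing: logs are captured by the folder-level aggregated sink; only the exclusion below is meaningful` should travel with it.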
variable "project_id" {
type = string
}
variable "log_export_destination_topic" {
type = string
description = "The pub/sub topic that logs will be sent to."
}
\ No newline at end of file
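Review bot: `variable "project_id"` carries no `description`, unlike its sibling; add `description = "ID of the project whose logs are exported; the sink and its writer identity are created there."`. The description of `log_export_destination_topic` should also state the exact form the module expects, e.g. `"Full Pub/Sub topic resource name, pubsub.googleapis.com/projects/<project>/topics/<topic>; the topic's project is derived from it."`, since main.tf in this module splits the value by `/` to find the project to grant on.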
......@@ -41,10 +41,10 @@ variable "red_hat_byol" {
default = false
}
variable "log_export_destination" {
variable "log_export_destination_topic" {
type = string
description = "The pub/sub topic that logs will be sent to. This is not a customer facing setting."
default = "pubsub.googleapis.com/projects/vci-mcloud-service/topics/vci-service-project-logs-export"
default = "pubsub.googleapis.com/projects/gcp-at-um-mon/topics/gcp-at-um-logs-prod"
}
variable "requestor" {
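Review bot: Renaming the root input from `log_export_destination` to `log_export_destination_topic` breaks any tfvars file or pipeline that still sets the old name: Terraform reports an undeclared variable (a warning for `.tfvars`, an error for `-var`), and in the warning case the run falls back to the new default without the caller noticing. Since that default now points at the `gcp-at-um-mon` topic rather than the previous `vci-mcloud-service` one, the commit message should call out both the rename and the new destination. The description could additionally give the exact form the value must take, `pubsub.googleapis.com/projects/<project>/topics/<topic>`, because the new logging module derives the topic's project id from it.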
......