fix:adds iam for the log-sink writer id for the logbucket module

g-awmalik · web-flow · commit 545b1d792cb7 · 2022-07-01T21:15:29.000+05:00
diff --git a/examples/logbucket/folder/main.tf b/examples/logbucket/folder/main.tf
@@ -21,17 +21,19 @@ resource "random_string" "suffix" {
 }
 
 module "log_export" {
-  source               = "../../../"
-  destination_uri      = module.destination.destination_uri
-  filter               = "resource.type = gce_instance"
-  log_sink_name        = "logbucket_folder_${random_string.suffix.result}"
-  parent_resource_id   = var.parent_resource_folder
-  parent_resource_type = "folder"
+  source                 = "../../../"
+  destination_uri        = module.destination.destination_uri
+  filter                 = "resource.type = gce_instance"
+  log_sink_name          = "logbucket_folder_${random_string.suffix.result}"
+  parent_resource_id     = var.parent_resource_folder
+  parent_resource_type   = "folder"
+  unique_writer_identity = true
 }
 
 module "destination" {
-  source     = "../../..//modules/logbucket"
-  project_id = var.project_id
-  name       = "logbucket_folder_${random_string.suffix.result}"
-  location   = "global"
+  source                   = "../../..//modules/logbucket"
+  project_id               = var.project_id
+  name                     = "logbucket_folder_${random_string.suffix.result}"
+  location                 = "global"
+  log_sink_writer_identity = module.log_export.writer_identity
 }
diff --git a/examples/logbucket/organization/main.tf b/examples/logbucket/organization/main.tf
@@ -21,17 +21,19 @@ resource "random_string" "suffix" {
 }
 
 module "log_export" {
-  source               = "../../../"
-  destination_uri      = module.destination.destination_uri
-  filter               = "resource.type = gce_instance"
-  log_sink_name        = "logbucket_org_${random_string.suffix.result}"
-  parent_resource_id   = var.parent_resource_organization
-  parent_resource_type = "organization"
+  source                 = "../../../"
+  destination_uri        = module.destination.destination_uri
+  filter                 = "resource.type = gce_instance"
+  log_sink_name          = "logbucket_org_${random_string.suffix.result}"
+  parent_resource_id     = var.parent_resource_organization
+  parent_resource_type   = "organization"
+  unique_writer_identity = true
 }
 
 module "destination" {
-  source     = "../../..//modules/logbucket"
-  project_id = var.project_id
-  name       = "logbucket_org_${random_string.suffix.result}"
-  location   = "global"
+  source                   = "../../..//modules/logbucket"
+  project_id               = var.project_id
+  name                     = "logbucket_org_${random_string.suffix.result}"
+  location                 = "global"
+  log_sink_writer_identity = module.log_export.writer_identity
 }
diff --git a/modules/logbucket/README.md b/modules/logbucket/README.md
@@ -38,6 +38,7 @@ module "destination" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | location | The location of the log bucket. | `string` | `"global"` | no |
+| log\_sink\_writer\_identity | The service account that logging uses to write log entries to the destination. (This is available as an output coming from the root module). | `string` | n/a | yes |
 | name | The name of the log bucket to be created and used for log entries matching the filter. | `string` | n/a | yes |
 | project\_id | The ID of the project in which the log bucket will be created. | `string` | n/a | yes |
 | retention\_days | The number of days data should be retained for the log bucket. | `number` | `30` | no |
diff --git a/modules/logbucket/main.tf b/modules/logbucket/main.tf
@@ -38,3 +38,12 @@ resource "google_logging_project_bucket_config" "bucket" {
   retention_days = var.retention_days
   bucket_id      = var.name
 }
+
+#--------------------------------#
+# Service account IAM membership #
+#--------------------------------#
+resource "google_project_iam_member" "logbucket_sink_member" {
+  project = google_logging_project_bucket_config.bucket.project
+  role    = "roles/logging.bucketWriter"
+  member  = var.log_sink_writer_identity
+}
diff --git a/modules/logbucket/variables.tf b/modules/logbucket/variables.tf
@@ -19,6 +19,11 @@ variable "project_id" {
   type        = string
 }
 
+variable "log_sink_writer_identity" {
+  description = "The service account that logging uses to write log entries to the destination. (This is available as an output coming from the root module)."
+  type        = string
+}
+
 variable "name" {
   description = "The name of the log bucket to be created and used for log entries matching the filter."
   type        = string
