Google Cloud (Stackdriver) Logging Project Sink

google_logging_project_sink (Terraform)

The Project Sink in Cloud (Stackdriver) Logging can be configured in Terraform with the resource name google_logging_project_sink. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

melscoop-test/check

resource "google_logging_project_sink" "project_sink_good_1" {
  name = "my-pubsub-instance-sink"
  destination = google_storage_bucket.log_bucket_good.name
  filter = "resource.type = gce_instance AND severity >= WARNING"
  unique_writer_identity = true
}

SnidermanIndustries/checkov-fork

resource "google_logging_project_sink" "project_sink_good_1" {
  name = "my-pubsub-instance-sink"
  destination = google_storage_bucket.log_bucket_good.name
  filter = "resource.type = gce_instance AND severity >= WARNING"
  unique_writer_identity = true
}

infracost/infracost

resource "google_logging_project_sink" "basic" {
  name = "my-pubsub-instance-sink"

  destination = "fake"
}

Parameters

• description optional - string

A description of this sink. The maximum length of the description is 8000 characters.

• destination required - string

The destination of the sink (or, in other words, where logs are written to). Can be a Cloud Storage bucket, a PubSub topic, or a BigQuery dataset. Examples: "storage.googleapis.com/[GCS_BUCKET]" "bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET]" "pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]" The writer associated with the sink must have access to write to the above resource.

• disabled optional - bool

If set to True, then this sink is disabled and it does not export any log entries.

• filter optional - string

The filter to apply when exporting logs. Only log entries that match the filter are exported.

• id optional computed - string
• name required - string

The name of the logging sink.

• project optional computed - string

The ID of the project to create the sink in. If omitted, the project associated with the provider is used.

• unique_writer_identity optional - bool

Whether or not to create a unique identity associated with this sink. If false (the default), then the writer_identity used is serviceAccount:cloud-logs@system.gserviceaccount.com. If true, then a unique service account is created and used for this sink. If you wish to publish logs across projects, you must set unique_writer_identity to true.

• writer_identity optional computed - string

The identity associated with this sink. This identity must be granted write access to the configured destination.

• bigquery_options list block
  • use_partitioned_tables required - bool

  Whether to use BigQuery's partition tables. By default, Logging creates dated tables based on the log entries' timestamps, e.g. syslog_20170523. With partitioned tables the date suffix is no longer present and special query syntax has to be used instead. In both cases, tables are sharded based on UTC timezone.

• exclusions list block
  • description optional - string

  A description of this exclusion.

  • disabled optional - bool

  If set to True, then this exclusion is disabled and it does not exclude any log entries

  • filter required - string

  An advanced logs filter that matches the log entries to be excluded. By using the sample function, you can exclude less than 100% of the matching log entries

  • name required - string

  A client-assigned identifier, such as "load-balancer-exclusion". Identifiers are limited to 100 characters and can include only letters, digits, underscores, hyphens, and periods. First character has to be alphanumeric.

Explanation in Terraform Registry

Manages a project-level logging sink. For more information see:

• API documentation
• How-to Guides
  • Exporting Logs

    You can specify exclusions for log sinks created by terraform by using the exclusions field of google_logging_folder_sink

    Note: You must have granted the "Logs Configuration Writer" IAM role (roles/logging.configWriter) to the credentials used with terraform.

    Note You must enable the Cloud Resource Manager API resource "google_compute_instance" "my-logged-instance" { name = "my-instance" machine_type = "e2-medium" zone = "us-central1-a" boot_disk { initialize_params { image = "debian-cloud/debian-9" } } network_interface { network = "default" access_config { } } } resource "google_storage_bucket" "log-bucket" { name = "my-unique-logging-bucket" location = "US" } resource "google_logging_project_sink" "instance-sink" { name = "my-instance-sink" description = "some explanation on what this is" destination = "storage.googleapis.com/${google_storage_bucket.log-bucket.name}" filter = "resource.type = gce_instance AND resource.labels.instance_id = \"${google_compute_instance.my-logged-instance.instance_id}\"" unique_writer_identity = true } resource "google_project_iam_binding" "log-writer" { project = "your-project-id" role = "roles/storage.objectCreator" members = [ google_logging_project_sink.instance-sink.writer_identity, ] }

The following example uses `exclusions` to filter logs that will not be exported. In this example logs are exported to a [log bucket](https://cloud.google.com/logging/docs/buckets) and there are 2 exclusions configured
```hcl
resource "google_logging_project_sink" "log-bucket" {
  name        = "my-logging-sink"
  destination = "logging.googleapis.com/projects/my-project/locations/global/buckets/_Default"
  exclusions {
        name = "nsexcllusion1"
        description = "Exclude logs from namespace-1 in k8s"
        filter = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-1\" "
    }
    exclusions {
        name = "nsexcllusion2"
        description = "Exclude logs from namespace-2 in k8s"
        filter = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-2\" "
    }
  unique_writer_identity = true