Refactor project module, support per-file tags in tfdoc (#450)

* add support for in-doc tfdoc options overrides * clean up project module * add file description tags * only output module and resource columns in tfdoc file table if they exist * update fast READMEs * fix check docs
2022-01-22 11:34:18 +01:00
parent 19c6e54298
commit 9a533180a0
17 changed files with 544 additions and 428 deletions
--- a/modules/project/logging.tf
+++ b/modules/project/logging.tf
@@ -0,0 +1,98 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Log sinks and supporting resources.
+
+locals {
+  logging_sinks = coalesce(var.logging_sinks, {})
+  sink_bindings = {
+    for type in ["gcs", "bigquery", "pubsub", "logging"] :
+    type => {
+      for name, sink in local.logging_sinks :
+      name => sink if sink.iam && sink.type == type
+    }
+  }
+  sink_type_destination = {
+    gcs      = "storage.googleapis.com"
+    bigquery = "bigquery.googleapis.com"
+    pubsub   = "pubsub.googleapis.com"
+    logging  = "logging.googleapis.com"
+  }
+}
+
+resource "google_logging_project_sink" "sink" {
+  for_each = local.logging_sinks
+  name     = each.key
+  #description = "${each.key} (Terraform-managed)"
+  project                = local.project.project_id
+  destination            = "${local.sink_type_destination[each.value.type]}/${each.value.destination}"
+  filter                 = each.value.filter
+  unique_writer_identity = each.value.unique_writer
+
+  dynamic "exclusions" {
+    for_each = each.value.exclusions
+    iterator = exclusion
+    content {
+      name   = exclusion.key
+      filter = exclusion.value
+    }
+  }
+
+  depends_on = [
+    google_project_iam_binding.authoritative,
+    google_project_iam_member.additive
+  ]
+}
+
+resource "google_storage_bucket_iam_member" "gcs-sinks-binding" {
+  for_each = local.sink_bindings["gcs"]
+  bucket   = each.value.destination
+  role     = "roles/storage.objectCreator"
+  member   = google_logging_project_sink.sink[each.key].writer_identity
+}
+
+resource "google_bigquery_dataset_iam_member" "bq-sinks-binding" {
+  for_each   = local.sink_bindings["bigquery"]
+  project    = split("/", each.value.destination)[1]
+  dataset_id = split("/", each.value.destination)[3]
+  role       = "roles/bigquery.dataEditor"
+  member     = google_logging_project_sink.sink[each.key].writer_identity
+}
+
+resource "google_pubsub_topic_iam_member" "pubsub-sinks-binding" {
+  for_each = local.sink_bindings["pubsub"]
+  project  = split("/", each.value.destination)[1]
+  topic    = split("/", each.value.destination)[3]
+  role     = "roles/pubsub.publisher"
+  member   = google_logging_project_sink.sink[each.key].writer_identity
+}
+
+resource "google_project_iam_member" "bucket-sinks-binding" {
+  for_each = local.sink_bindings["logging"]
+  project  = split("/", each.value.destination)[1]
+  role     = "roles/logging.bucketWriter"
+  member   = google_logging_project_sink.sink[each.key].writer_identity
+  # TODO(jccb): use a condition to limit writer-identity only to this
+  # bucket
+}
+
+resource "google_logging_project_exclusion" "logging-exclusion" {
+  for_each    = coalesce(var.logging_exclusions, {})
+  name        = each.key
+  project     = local.project.project_id
+  description = "${each.key} (Terraform-managed)"
+  filter      = each.value
+}