Update logging_data_access type (#2816)
* Update logging_data_access variables to use types * Fix dependencies * fix schema * Add missing comma * Fix try
This commit is contained in:
Julio Castillo
@@ -712,12 +712,13 @@ module "project" {
|
||||
prefix = var.prefix
|
||||
logging_data_access = {
|
||||
allServices = {
|
||||
# logs for principals listed here will be excluded
|
||||
ADMIN_READ = ["group:${var.group_email}"]
|
||||
ADMIN_READ = {
|
||||
exempted_members = ["group:${var.group_email}"]
|
||||
}
|
||||
}
|
||||
"storage.googleapis.com" = {
|
||||
DATA_READ = []
|
||||
DATA_WRITE = []
|
||||
DATA_READ = {}
|
||||
DATA_WRITE = {}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1238,12 +1239,13 @@ module "project" {
|
||||
}
|
||||
logging_data_access = {
|
||||
allServices = {
|
||||
# logs for principals listed here will be excluded
|
||||
ADMIN_READ = ["group:${var.group_email}"]
|
||||
ADMIN_READ = {
|
||||
exempted_members = ["group:${var.group_email}"]
|
||||
}
|
||||
}
|
||||
"storage.googleapis.com" = {
|
||||
DATA_READ = []
|
||||
DATA_WRITE = []
|
||||
DATA_READ = {}
|
||||
DATA_WRITE = {}
|
||||
}
|
||||
}
|
||||
logging_sinks = {
|
||||
@@ -1598,13 +1600,13 @@ alerts:
|
||||
| [labels](variables.tf#L96) | Resource labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [lien_reason](variables.tf#L103) | If non-empty, creates a project lien with this description. | <code>string</code> | | <code>null</code> |
|
||||
| [log_scopes](variables-observability.tf#L117) | Log scopes under this project. | <code title="map(object({ description = optional(string) resource_names = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [logging_data_access](variables-observability.tf#L127) | Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables-observability.tf#L142) | Logging exclusions for this project in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_metrics](variables-observability.tf#L149) | Log-based metrics. | <code title="map(object({ filter = string bucket_name = optional(string) description = optional(string) disabled = optional(bool) label_extractors = optional(map(string)) value_extractor = optional(string) bucket_options = optional(object({ explicit_buckets = optional(object({ bounds = list(number) })) exponential_buckets = optional(object({ num_finite_buckets = number growth_factor = number scale = number })) linear_buckets = optional(object({ num_finite_buckets = number width = number offset = number })) })) metric_descriptor = optional(object({ metric_kind = string value_type = string display_name = optional(string) unit = optional(string) labels = optional(list(object({ key = string description = optional(string) value_type = optional(string) })), []) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables-observability.tf#L189) | Logging sinks to create for this project. | <code title="map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) type = string unique_writer = optional(bool, true) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [metric_scopes](variables-observability.tf#L220) | List of projects that will act as metric scopes for this project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [logging_data_access](variables-observability.tf#L127) | Control activation of data access logs. The special 'allServices' key denotes configuration for all services. | <code title="map(object({ ADMIN_READ = optional(object({ exempted_members = optional(list(string)) })), DATA_READ = optional(object({ exempted_members = optional(list(string)) })), DATA_WRITE = optional(object({ exempted_members = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables-observability.tf#L138) | Logging exclusions for this project in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_metrics](variables-observability.tf#L145) | Log-based metrics. | <code title="map(object({ filter = string bucket_name = optional(string) description = optional(string) disabled = optional(bool) label_extractors = optional(map(string)) value_extractor = optional(string) bucket_options = optional(object({ explicit_buckets = optional(object({ bounds = list(number) })) exponential_buckets = optional(object({ num_finite_buckets = number growth_factor = number scale = number })) linear_buckets = optional(object({ num_finite_buckets = number width = number offset = number })) })) metric_descriptor = optional(object({ metric_kind = string value_type = string display_name = optional(string) unit = optional(string) labels = optional(list(object({ key = string description = optional(string) value_type = optional(string) })), []) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables-observability.tf#L185) | Logging sinks to create for this project. | <code title="map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) type = string unique_writer = optional(bool, true) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [metric_scopes](variables-observability.tf#L216) | List of projects that will act as metric scopes for this project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform project module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform project module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [notification_channels](variables-observability.tf#L227) | Monitoring notification channels. | <code title="map(object({ type = string description = optional(string) display_name = optional(string) enabled = optional(bool) labels = optional(map(string)) user_labels = optional(map(string)) sensitive_labels = optional(object({ auth_token = optional(string) password = optional(string) service_key = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [notification_channels](variables-observability.tf#L223) | Monitoring notification channels. | <code title="map(object({ type = string description = optional(string) display_name = optional(string) enabled = optional(bool) labels = optional(map(string)) user_labels = optional(map(string)) sensitive_labels = optional(object({ auth_token = optional(string) password = optional(string) service_key = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L114) | Organization policies applied to this project keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [parent](variables.tf#L141) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| [prefix](variables.tf#L151) | Optional prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2024 Google LLC
|
||||
* Copyright 2025 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -50,11 +50,10 @@ resource "google_project_iam_audit_config" "default" {
|
||||
project = local.project.project_id
|
||||
service = each.key
|
||||
dynamic "audit_log_config" {
|
||||
for_each = each.value
|
||||
iterator = config
|
||||
for_each = { for k, v in each.value : k => v if v != null }
|
||||
content {
|
||||
log_type = config.key
|
||||
exempted_members = config.value
|
||||
log_type = audit_log_config.key
|
||||
exempted_members = audit_log_config.value.exempted_members
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -125,18 +125,14 @@ variable "log_scopes" {
|
||||
}
|
||||
|
||||
variable "logging_data_access" {
|
||||
description = "Control activation of data access logs. Format is service => { log type => [exempted members]}. The special 'allServices' key denotes configuration for all services."
|
||||
type = map(map(list(string)))
|
||||
nullable = false
|
||||
default = {}
|
||||
validation {
|
||||
condition = alltrue(flatten([
|
||||
for k, v in var.logging_data_access : [
|
||||
for kk, vv in v : contains(["DATA_READ", "DATA_WRITE", "ADMIN_READ"], kk)
|
||||
]
|
||||
]))
|
||||
error_message = "Log type keys for each service can only be one of 'DATA_READ', 'DATA_WRITE', 'ADMIN_READ'."
|
||||
}
|
||||
description = "Control activation of data access logs. The special 'allServices' key denotes configuration for all services."
|
||||
type = map(object({
|
||||
ADMIN_READ = optional(object({ exempted_members = optional(list(string)) })),
|
||||
DATA_READ = optional(object({ exempted_members = optional(list(string)) })),
|
||||
DATA_WRITE = optional(object({ exempted_members = optional(list(string)) }))
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "logging_exclusions" {
|
||||
|
||||
Reference in New Issue
Block a user