IBM Cloud Logs module

Graduated (Supported) semantic-release pre-commit latest release Renovate enabled

This module supports configuring an IBM Cloud Logs instance, log routing tenants to enable platform logs and cloud logs policies.

Usage

To provision a Cloud Logs instance:

```hcl
# Locals
locals {
  region = "us-south"
  default_operations = [{
    api_types = [
      {
        api_type_id = "crn:v1:bluemix:public:context-based-restrictions::::api-type:"
      }
    ]
  }]
}

# Required providers
terraform {
  required_version = ">= 1.9.0" # the module itself requires Terraform 1.9.0 or later (see Requirements below)
  required_providers {
    ibm = {
      source  = "ibm-cloud/ibm"
      version = "X.Y.Z" # lock into a supported provider version
    }
  }
}
provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXXXX" # pragma: allowlist secret -- placeholder only, never commit a real key
  region           = local.region
}

# IBM Cloud Logs
module "cloud_logs" {
  source            = "terraform-ibm-modules/cloud-logs/ibm"
  version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
  resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region            = local.region
  data_storage = {
    # logs and metrics buckets must be different
    logs_data = {
      enabled         = true
      bucket_crn      = "crn:v1:bluemix:public:cloud-object-storage:global:a/......"
      bucket_endpoint = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
    },
    metrics_data = {
      enabled         = true
      bucket_crn      = "crn:v1:bluemix:public:cloud-object-storage:global:a/......"
      bucket_endpoint = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
    }
  }

  # Create policies
  policies = [{
    logs_policy_name     = "logs_policy_name"
    logs_policy_priority = "type_medium"
    application_rule = [{
      name         = "test-system-app"
      rule_type_id = "start_with"
    }]
    subsystem_rule = [{
      name         = "test-sub-system"
      rule_type_id = "start_with"
    }]
    log_rules = [{
      severities = ["info", "debug"]
    }]
  }]

  # CBR
  cbr_rules = [{
    description      = "Rules for cloud logs access"
    account_id       = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
    enforcement_mode = "report"
    rule_contexts = [{
      attributes = [
        {
          name  = "endpointType"
          value = "private"
        },
        {
          name  = "networkZoneId"
          value = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
        }
      ]
    }]
    operations = local.default_operations
  }]
}
```
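A second module call, added here as an illustration and not taken from the module's own README, that exercises the inputs the example above leaves at their defaults: it creates log routing tenants so platform logs are captured in each region, routes critical events to an existing Event Notifications instance, extends retention, and runs the CBR rule in enforced rather than report-only mode. Every ID, CRN and name in angle brackets is a placeholder you must replace.

```hcl
# Added example (not the module's own code): platform logs via routing tenants,
# Event Notifications integration and an enforced CBR rule. IDs/CRNs are placeholders.
module "cloud_logs_hardened" {
  source            = "terraform-ibm-modules/cloud-logs/ibm"
  version           = "X.Y.Z" # lock to a release
  resource_group_id = "<resource-group-id>"
  region            = "us-south"
  instance_name     = "cloud-logs-prod"
  retention_period  = 30 # days kept in Priority insights; allowed: 7, 14, 30, 60, 90

  # One tenant per region you operate in (the account allows only one per region).
  # The module also creates the IAM policy that lets Logs Routing send to the instance.
  logs_routing_tenant_regions = ["us-south", "eu-de"]

  # Route critical Cloud Logs events to an existing Event Notifications instance.
  existing_event_notifications_instances = [{
    en_instance_id      = "<event-notifications-instance-id>"
    en_region           = "us-south"
    en_integration_name = "cloud-logs-prod-alerts"
  }]

  data_storage = {
    logs_data = {
      enabled         = true
      bucket_crn      = "<logs-bucket-crn>"
      bucket_endpoint = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
    }
    metrics_data = {
      enabled         = true
      bucket_crn      = "<metrics-bucket-crn>" # must differ from the logs bucket
      bucket_endpoint = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
    }
  }

  # Enforced CBR rule: only private-endpoint traffic from the named network zone
  # reaches the instance. Run in "report" mode first and review what would be
  # denied before switching to "enabled".
  cbr_rules = [{
    description      = "Restrict Cloud Logs access to the private network zone"
    account_id       = "<account-id>"
    enforcement_mode = "enabled"
    rule_contexts = [{
      attributes = [
        { name = "endpointType", value = "private" },
        { name = "networkZoneId", value = "<network-zone-id>" }
      ]
    }]
  }]
}
```

The `operations` attribute is left unset because it is optional in the `cbr_rules` type; supply it as in the first example if you need to scope the rule to specific API types.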

Required IAM access policies

You need the following permissions to run this module.

  • Service
    • Resource group only
      • Viewer access on the specific resource group
    • Cloud Logs
      • Editor platform access
      • Manager service access
    • IBM Cloud Logs Routing (Required if creating tenants, which are required to enable platform logs)
      • Editor platform access
      • Manager service access
    • Tagging service (Required if attaching access tags to the ICL instance)
      • Editor platform access

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.9.0 |
| ibm | >= 1.76.1, < 2.0.0 |
| random | >= 3.5.1, < 4.0.0 |
| time | >= 0.9.1, < 1.0.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cbr_rule | terraform-ibm-modules/cbr/ibm//modules/cbr-rule-module | 1.31.0 |
| cos_bucket_crn_parser | terraform-ibm-modules/common-utilities/ibm//modules/crn-parser | 1.1.0 |
| en_integration | ./modules/webhook | n/a |
| logs_policies | ./modules/logs_policy | n/a |

Resources

| Name | Type |
|------|------|
| ibm_iam_authorization_policy.cos_policy | resource |
| ibm_iam_authorization_policy.logs_routing_policy | resource |
| ibm_logs_router_tenant.logs_router_tenant_instances | resource |
| ibm_resource_instance.cloud_logs | resource |
| ibm_resource_tag.cloud_logs_tag | resource |
| random_string.random_tenant_suffix | resource |
| time_sleep.wait_for_cos_authorization_policy | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_tags | A list of access tags to apply to the IBM Cloud Logs instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
| cbr_rules | (Optional, list) List of context-based restrictions rules to create. | `list(object({ description = string, account_id = string, rule_contexts = list(object({ attributes = optional(list(object({ name = string, value = string }))) })), enforcement_mode = string, operations = optional(list(object({ api_types = list(object({ api_type_id = string })) }))) }))` | `[]` | no |
| data_storage | A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long term storage, search, analysis and alerting. | `object({ logs_data = optional(object({ enabled = optional(bool, false), bucket_crn = optional(string), bucket_endpoint = optional(string), skip_cos_auth_policy = optional(bool, false) }), {}), metrics_data = optional(object({ enabled = optional(bool, false), bucket_crn = optional(string), bucket_endpoint = optional(string), skip_cos_auth_policy = optional(bool, false) }), {}) })` | `{ "logs_data": null, "metrics_data": null }` | no |
| existing_event_notifications_instances | List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs. | `list(object({ en_instance_id = string, en_region = string, en_integration_name = optional(string), skip_en_auth_policy = optional(bool, false) }))` | `[]` | no |
| instance_name | The name of the IBM Cloud Logs instance to create. Defaults to 'cloud-logs-' | `string` | `null` | no |
| logs_routing_tenant_regions | List of regions in which to create a log routing tenant that targets the IBM Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate in. Leave the list empty if you don't want to create any tenants. NOTE: You can only have 1 tenant per region in an account. | `list(any)` | `[]` | no |
| plan | The IBM Cloud Logs plan to provision. Available: standard | `string` | `"standard"` | no |
| policies | Configuration of IBM Cloud Logs policies. | `list(object({ logs_policy_name = string, logs_policy_description = optional(string, null), logs_policy_priority = string, application_rule = optional(list(object({ name = string, rule_type_id = string }))), subsystem_rule = optional(list(object({ name = string, rule_type_id = string }))), log_rules = optional(list(object({ severities = list(string) }))), archive_retention = optional(list(object({ id = string }))) }))` | `[]` | no |
| region | The IBM Cloud region where the IBM Cloud Logs instance will be created. | `string` | `"us-south"` | no |
| resource_group_id | The ID of the IBM Cloud resource group where the instance will be created. | `string` | `null` | no |
| resource_tags | Tags associated with the IBM Cloud Logs instance (Optional, array of strings). | `list(string)` | `[]` | no |
| retention_period | The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90. | `number` | `7` | no |
| service_endpoints | The type of the service endpoint that will be set for the IBM Cloud Logs instance. Allowed values: public-and-private. | `string` | `"public-and-private"` | no |
| skip_logs_routing_auth_policy | Whether to skip creating the IAM authorization policy that permits the Logs Routing service 'Sender' access to the IBM Cloud Logs instance created by this module. | `bool` | `false` | no |

Outputs

| Name | Description |
|------|-------------|
| account_id | The account ID where the IBM Cloud Logs instance is provisioned. |
| crn | The CRN of the provisioned IBM Cloud Logs instance. |
| guid | The GUID of the provisioned IBM Cloud Logs instance. |
| ingress_endpoint | The public ingress endpoint of the provisioned IBM Cloud Logs instance. |
| ingress_private_endpoint | The private ingress endpoint of the provisioned IBM Cloud Logs instance. |
| logs_policies_details | The details of the IBM Cloud Logs policies created. |
| name | The name of the provisioned IBM Cloud Logs instance. |
| resource_group_id | The resource group where the IBM Cloud Logs instance resides. |
