locals {
  # var.resource is expected as "<type>/<id>", e.g. "projects/my-proj",
  # "folders/1234" or "organizations/5678". NOTE(review): a value with no "/"
  # fails on the [1] index with a generic error rather than a clear message.
  resource_type = split("/", var.resource)[0]
  resource_id   = split("/", var.resource)[1]

  # Identity the selected log sink writes as; it is granted publisher on the
  # topic further down. The two unselected sinks have count = 0, so their [0]
  # index would be invalid, but a conditional only surfaces the branch it
  # picks. Any type other than "projects"/"folders" falls through to the
  # organization sink.
  writer_identity = local.resource_type == "projects" ? google_logging_project_sink.this[0].writer_identity : local.resource_type == "folders" ? google_logging_folder_sink.this[0].writer_identity : google_logging_organization_sink.this[0].writer_identity

  # Every named resource carries an "obs" suffix; a bare "obs" is kept as-is
  # instead of becoming "obs-obs".
  name = var.name == "obs" ? "obs" : format("%s-obs", var.name)
}
# The project that hosts the collection resources. When the target is a
# project this is that project; for folders/organizations project_id is null,
# so the provider's configured default project is looked up instead. The
# poller's project-level roles below are bound in this project.
data "google_project" "this" {
  project_id = local.resource_type == "projects" ? local.resource_id : null
}
# Resolves the target folder only when var.resource is a folder; the folder
# sink reads its folder_id from here.
data "google_folder" "this" {
  count  = local.resource_type == "folders" ? 1 : 0
  folder = local.resource_id
}
# Topic the log sinks publish into. No kms_key_name is set, so messages are
# protected only by Google-managed encryption; set one if CMEK is required
# for log data in your environment.
resource "google_pubsub_topic" "this" {
  name   = local.name
  labels = var.labels
}
# Pull subscription drained by the poller service account.
# NOTE(review): no expiration_policy is set; per the provider docs an unset
# policy means the subscription expires after 31 days without subscriber
# activity, i.e. a stalled poller silently loses the subscription and all
# subsequent log delivery. Set `expiration_policy { ttl = "" }` to disable
# expiry if that is not acceptable — confirm against the provider version in
# use. Messages left unacked beyond message_retention_duration are dropped.
resource "google_pubsub_subscription" "this" {
  name                       = local.name
  labels                     = var.labels
  topic                      = google_pubsub_topic.this.name
  ack_deadline_seconds       = var.pubsub_ack_deadline_seconds
  message_retention_duration = var.pubsub_message_retention_duration

  retry_policy {
    minimum_backoff = var.pubsub_minimum_backoff
    maximum_backoff = var.pubsub_maximum_backoff
  }
}
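# Project-scoped log sink (created only for "projects/<id>" targets).
# The sink's writer_identity is granted roles/pubsub.publisher on the topic
# further down, so the sink must use a per-sink identity: with
# unique_writer_identity = false a project sink publishes as the shared
# cloud-logs@system.gserviceaccount.com identity, and granting publisher to
# that principal lets any project's legacy sink publish into this topic. It is
# set explicitly here rather than relying on the provider default, which has
# not been the same across provider major versions.
# var.logging_filter and var.logging_exclusions are caller-controlled and
# decide what does (and does not) reach the collector; review them as part of
# the logging coverage, not just as a cost knob.
resource "google_logging_project_sink" "this" {
  count = local.resource_type == "projects" ? 1 : 0

  name                   = local.name
  project                = data.google_project.this.project_id
  destination            = "pubsub.googleapis.com/${google_pubsub_topic.this.id}"
  filter                 = var.logging_filter
  unique_writer_identity = true
  description            = "Exports logs to the Observe Pub/Sub topic"

  dynamic "exclusions" {
    for_each = var.logging_exclusions
    content {
      name        = exclusions.value.name
      description = exclusions.value.description
      filter      = exclusions.value.filter
      disabled    = exclusions.value.disabled
    }
  }
}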
# Folder-scoped log sink (created only for "folders/<id>" targets).
# include_children decides whether logs from projects and sub-folders beneath
# the folder are exported too; with it off only the folder's own logs flow,
# which is usually not what a collection deployment wants — double-check
# var.folder_include_children against the intended coverage.
# var.logging_filter / var.logging_exclusions are caller-controlled and define
# what is (and is not) collected.
resource "google_logging_folder_sink" "this" {
  count = local.resource_type == "folders" ? 1 : 0

  name             = local.name
  folder           = data.google_folder.this[0].folder_id
  destination      = "pubsub.googleapis.com/${google_pubsub_topic.this.id}"
  filter           = var.logging_filter
  include_children = var.folder_include_children
  description      = "Exports logs to the Observe Pub/Sub topic"

  dynamic "exclusions" {
    for_each = var.logging_exclusions
    content {
      name        = exclusions.value.name
      description = exclusions.value.description
      filter      = exclusions.value.filter
      disabled    = exclusions.value.disabled
    }
  }
}
# Organization-scoped log sink (created only for "organizations/<id>"
# targets). Unlike the folder sink no include_children is set here, so this
# relies on the provider/resource default — confirm that child projects are
# actually exported in your deployment rather than assuming it.
# The audit/log volume at org scope can be large; var.logging_filter and
# var.logging_exclusions (caller-controlled) are what bound it.
resource "google_logging_organization_sink" "this" {
  count = local.resource_type == "organizations" ? 1 : 0

  name        = local.name
  org_id      = local.resource_id
  destination = "pubsub.googleapis.com/${google_pubsub_topic.this.id}"
  filter      = var.logging_filter
  description = "Exports logs to the Observe Pub/Sub topic"

  dynamic "exclusions" {
    for_each = var.logging_exclusions
    content {
      name        = exclusions.value.name
      description = exclusions.value.description
      filter      = exclusions.value.filter
      disabled    = exclusions.value.disabled
    }
  }
}
# Lets the active sink's writer identity publish to the topic. This is the
# only role the sink needs (least privilege). The _iam_member resource is
# non-authoritative: it adds this binding and leaves any other publisher
# bindings on the topic untouched, so it will not remove a stale grant if the
# writer identity changes — check the topic policy after such a change.
resource "google_pubsub_topic_iam_member" "sink_pubsub" {
  topic  = google_pubsub_topic.this.name
  role   = "roles/pubsub.publisher"
  member = local.writer_identity
}
# Dedicated identity for the external poller; it is created in the provider's
# default project (no project argument is given). Its permissions are the
# subscriber grant below plus whatever var.poller_roles binds.
resource "google_service_account" "poller" {
  account_id  = "${local.name}-poll"
  description = "A service account for the Observe Pub/Sub and Logging pollers"
}
# Lets the poller pull/ack from the subscription only — scoped to this one
# subscription, not the topic or the project. Non-authoritative, like the
# topic grant above.
resource "google_pubsub_subscription_iam_member" "poller_pubsub" {
  subscription = google_pubsub_subscription.this.name
  role         = "roles/pubsub.subscriber"
  member       = "serviceAccount:${google_service_account.poller.email}"
}
# Project-level roles for the poller, one binding per entry in
# var.poller_roles. The roles are entirely caller-controlled and nothing here
# rejects broad ones (roles/owner, roles/editor, roles/viewer), so keep the
# set to the read-only roles the poller actually needs; the credential that
# carries them is a long-lived key (see the key resource below).
# For folder/organization targets data.google_project.this is the provider's
# default project, not the monitored scope — the bindings land there.
resource "google_project_iam_member" "poller" {
  for_each = var.poller_roles

  project = data.google_project.this.project_id
  role    = each.key
  member  = "serviceAccount:${google_service_account.poller.email}"
}
# User-managed key for the poller service account.
# SECURITY: the private key material is returned by this resource and is
# therefore stored in plaintext in the Terraform state (and in any output or
# plan file derived from it). Anyone who can read the state holds a live
# credential with every role bound above. Treat the state backend as secret
# (encrypt it, restrict access, enable versioning/audit), and rotate the key
# by replacing this resource (`terraform apply -replace=...`) on a schedule —
# nothing here rotates or expires it. Prefer workload identity federation /
# a short-lived credential where the poller can support it.
resource "google_service_account_key" "poller" {
  service_account_id = google_service_account.poller.name
}