feat: added support for project as log exp destination (#154)

README.md

@@ -25,6 +25,7 @@ example that will configure a Cloud Storage destination and a log export at the
 ```hcl
 module "log_export" {
   source                 = "terraform-google-modules/log-export/google"
+  version                = "~> 7.0"
   destination_uri        = "${module.destination.destination_uri}"
   filter                 = "severity >= ERROR"
   log_sink_name          = "storage_example_logsink"
@@ -35,6 +36,7 @@ module "log_export" {
 
 module "destination" {
   source                   = "terraform-google-modules/log-export/google//modules/storage"
+  version                  = "~> 7.0"
   project_id               = "sample-project"
   storage_bucket_name      = "storage_example_bucket"
   log_sink_writer_identity = "${module.log_export.writer_identity}"

examples/project/project/README.md

@@ -0,0 +1,20 @@
+# Log Export: Storage destination at Project level
+
+This example configures a project-level log sink that feeds a storage bucket destination
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| parent\_resource\_id | The ID of the project to which logs will be routed. | `string` | n/a | yes |
+| project\_id | The ID of the project in which the log export will be created. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| destination\_map | Outputs from the destination module |
+| log\_export\_map | Outputs from the log export module |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/project/project/main.tf

@@ -0,0 +1,38 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+  length  = 4
+  upper   = false
+  special = false
+}
+
+module "log_export" {
+  source                 = "../../../"
+  destination_uri        = module.destination.destination_uri
+  filter                 = "resource.type = gce_instance"
+  log_sink_name          = "project_${random_string.suffix.result}"
+  parent_resource_id     = var.parent_resource_id
+  parent_resource_type   = "project"
+  unique_writer_identity = true
+}
+
+module "destination" {
+  source                   = "../../..//modules/project"
+  project_id               = var.project_id
+  log_sink_writer_identity = module.log_export.writer_identity
+}
+

examples/project/project/outputs.tf

@@ -0,0 +1,35 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "log_export_map" {
+  description = "Outputs from the log export module"
+
+  value = {
+    filter             = module.log_export.filter
+    parent_resource_id = module.log_export.parent_resource_id
+    writer_identity    = module.log_export.writer_identity
+  }
+}
+
+output "destination_map" {
+  description = "Outputs from the destination module"
+
+  value = {
+    project         = module.destination.project
+    destination_uri = module.destination.destination_uri
+  }
+}
+

examples/project/project/variables.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The ID of the project in which the log export will be created."
+  type        = string
+}
+
+variable "parent_resource_id" {
+  description = "The ID of the project to which logs will be routed."
+  type        = string
+}
+

examples/project/project/versions.tf

@@ -0,0 +1,29 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.0"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+}

modules/bigquery/README.md

@@ -1,6 +1,6 @@
 # Log Export: BigQuery destination submodule
 
-This submodule allows you to configure a BigQuery dataset destination that
+This submodule allows you to configure a [BigQuery dataset destination](https://cloud.google.com/logging/docs/routing/overview#destinations) that
 can be used by the log export created in the root module.
 
 ## Usage

modules/bq-log-alerting/main.tf

@@ -27,7 +27,7 @@ locals {
 resource "random_string" "service_account" {
   length  = 6
   upper   = "false"
-  number  = "false"
+  numeric = "false"
   special = "false"
 }
 

modules/logbucket/README.md

@@ -1,6 +1,6 @@
 # Log Export: Log Bucket destination submodule
 
-This submodule allows you to configure a Logging Log bucket destination that
+This submodule allows you to configure a [Logging Log bucket destination](https://cloud.google.com/logging/docs/routing/overview#destinations) that
 can be used by the log export created in the root module.
 
 ## Usage

modules/project/README.md

@@ -0,0 +1,49 @@
+# Log Export: project destination submodule
+
+This submodule allows you to Route log entries to a different [Google Cloud project](https://cloud.google.com/logging/docs/routing/overview#destinations).
+
+## Usage
+
+The [examples](../../examples) directory contains directories for each destination, and within each destination directory are directories for each parent resource level. Consider the following
+example that will configure a storage bucket destination and a log export at the project level:
+
+```hcl
+module "log_export" {
+  source                 = "terraform-google-modules/log-export/google"
+  version                = "~> 7.0"
+  destination_uri        = "${module.destination.destination_uri}"
+  filter                 = "severity >= ERROR"
+  log_sink_name          = "storage_example_logsink"
+  parent_resource_id     = "sample-project"
+  parent_resource_type   = "project"
+  unique_writer_identity = true
+}
+
+module "destination" {
+  source                   = "terraform-google-modules/log-export/google//modules/project"
+  version                  = "~> 7.0"
+  project_id               = "sample-project"
+  log_sink_writer_identity = "${module.log_export.writer_identity}"
+}
+```
+
+At first glance that example seems like a circular dependency as each module declaration is
+using an output from the other, however Terraform is able to collect and order all the resources
+so that all dependencies are met.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| log\_sink\_writer\_identity | The service account that logging uses to write log entries to the destination. (This is available as an output coming from the root module). | `string` | n/a | yes |
+| project\_id | The ID of the project to which logs will be routed. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| destination\_uri | The destination URI for project. |
+| project | The ID of the project to which logs will be routed. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/project/main.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  destination_uri = "logging.googleapis.com/projects/${var.project_id}"
+}
+
+
+#--------------------------------#
+# Service account IAM membership #
+#--------------------------------#
+
+resource "google_project_iam_member" "log_sink_member" {
+  project = var.project_id
+  role    = "roles/logging.logWriter"
+  member  = var.log_sink_writer_identity
+}

modules/project/outputs.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project" {
+  description = "The ID of the project to which logs will be routed."
+  value       = var.project_id
+}
+
+output "destination_uri" {
+  description = "The destination URI for project."
+  value       = local.destination_uri
+}
+

modules/project/variables.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "log_sink_writer_identity" {
+  description = "The service account that logging uses to write log entries to the destination. (This is available as an output coming from the root module)."
+  type        = string
+}
+
+variable "project_id" {
+  description = "The ID of the project to which logs will be routed."
+  type        = string
+}

modules/project/versions.tf

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.53, < 5.0"
+    }
+  }
+
+  provider_meta "google" {
+    module_name = "blueprints/terraform/terraform-google-log-export:project/v7.4.3"
+  }
+
+}

modules/pubsub/README.md

@@ -1,6 +1,6 @@
 # Log Export: PubSub destination submodule
 
-This submodule allows you to configure a PubSub topic destination that
+This submodule allows you to configure a [PubSub topic destination](https://cloud.google.com/logging/docs/routing/overview#destinations) that
 can be used by the log export created in the root module.
 
 ## Usage
@@ -37,7 +37,7 @@ so that all dependencies are met.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| create\_push\_subscriber | Whether to add a push configuration to the subcription. If 'true', a push subscription is created along with a service account that is granted roles/pubsub.subscriber and roles/pubsub.viewer to the topic. | `bool` | `false` | no |
+| create\_push\_subscriber | Whether to add a push configuration to the subcription. If 'true', a push subscription is created for push\_endpoint | `bool` | `false` | no |
 | create\_subscriber | Whether to create a subscription to the topic that was created and used for log entries matching the filter. If 'true', a pull subscription is created along with a service account that is granted roles/pubsub.subscriber and roles/pubsub.viewer to the topic. | `bool` | `false` | no |
 | kms\_key\_name | ID of a Cloud KMS CryptoKey to be used to protect access to messages published on this topic. Your project's PubSub service account requires access to this encryption key. | `string` | `null` | no |
 | log\_sink\_writer\_identity | The service account that logging uses to write log entries to the destination. (This is available as an output coming from the root module). | `string` | n/a | yes |

modules/pubsub/variables.tf

@@ -33,7 +33,7 @@ variable "subscription_labels" {
 }
 
 variable "create_push_subscriber" {
-  description = "Whether to add a push configuration to the subcription. If 'true', a push subscription is created along with a service account that is granted roles/pubsub.subscriber and roles/pubsub.viewer to the topic."
+  description = "Whether to add a push configuration to the subcription. If 'true', a push subscription is created for push_endpoint"
   type        = bool
   default     = false
 }

modules/storage/README.md

@@ -1,6 +1,6 @@
 # Log Export: Storage destination submodule
 
-This submodule allows you to configure a Google Cloud Storage bucket destination that
+This submodule allows you to configure a [Google Cloud Storage bucket destination](https://cloud.google.com/logging/docs/routing/overview#destinations) that
 can be used by the log export created in the root module.
 
 ## Usage