From 798c4b8a1ee42a062da6587f5a0f57f1af47a7da Mon Sep 17 00:00:00 2001 
From: Andre Correa Date: Fri, 20 Sep 2024 16:23:01 -0300 Subject: [PATCH] Release 0.1.9 (#10) * Release 0.1.5 * added retention_rules and storage_tier to buckets * updated README, updated sc vision example, added versioning check with retention rules, added precondition for storage_tier * added cursor options for sc streaming source; updated README and example * Revert "Merge branch 'issue-545-sch-bucket-retention-rules' into 'main'" This reverts merge request !12 * Release 0.1.6 * Release 0.1.7 * merge * remove tf version restriction * update terraform version in examples * fix freeform tags error * fix typo in service connectors readme * chore: release notes and version bump * doc: bucket_logs, flow_logs issue with compartment ids documented. Issue 557. * feat: module tag updated to ocilz-terraform-module * chore: release notes and SPECs updated * fix: handling spaces in log names * fix: time_sleep only when enabling oci_log_analytics_namespace * fix: tenancy_ocid variable added * chore: examples updated (variable and comments) * doc: updates * chore: example updated * feat: example for log group injection added * feat: log retention enforced to min of 90 days per CIS framework 8.10. 
In can be disabled setting enable_cis_checks to false * chore: release notes and version bump --------- Co-authored-by: Erna Guerrero Co-authored-by: Rory Nguyen --- RELEASE-NOTES.md | 8 +++ logging/README.md | 22 ++++--- logging/SPEC.md | 5 +- logging/bucket_logs.tf | 18 ++++-- logging/examples/bucket_logs/variables.tf | 55 +----------------- logging/examples/custom_logs/main.tf | 1 + logging/examples/custom_logs/variables.tf | 55 +----------------- logging/examples/flow_logs/variables.tf | 55 +----------------- .../input.auto.tfvars.template | 48 +++++++++++++++ logging/examples/log_group_injection/main.tf | 8 +++ .../examples/log_group_injection/outputs.tf | 14 +++++ .../examples/log_group_injection/providers.tf | 21 +++++++ .../examples/log_group_injection/variables.tf | 13 +++++ logging/examples/logging-analytics/main.tf | 3 + logging/examples/logging-analytics/outputs.tf | 3 + .../examples/logging-analytics/variables.tf | 58 +------------------ .../vision/input.auto.tfvars.template | 4 +- logging/examples/vision/main.tf | 1 + logging/examples/vision/variables.tf | 55 +----------------- logging/flow_logs.tf | 33 +++++++---- logging/logging-analytics.tf | 1 + logging/main.tf | 30 ++++++---- logging/variables.tf | 39 ++++++++----- release.txt | 2 +- 24 files changed, 223 insertions(+), 329 deletions(-) create mode 100644 logging/examples/log_group_injection/input.auto.tfvars.template create mode 100644 logging/examples/log_group_injection/main.tf create mode 100644 logging/examples/log_group_injection/outputs.tf create mode 100644 logging/examples/log_group_injection/providers.tf create mode 100644 logging/examples/log_group_injection/variables.tf diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md index 5a2b2c4..ff399e7 100644 --- a/RELEASE-NOTES.md +++ b/RELEASE-NOTES.md 
@@ -1,3 +1,11 @@ +# September 20, 2024 Release Notes - 0.1.9 + +## Updates +1. [Logging module](./logging/) + - Per CIS framework recommendation 8.10, the module now, by default, enforces a retention duration of at least 90 days for all logs. This can be disabled by setting *enable_cis_checks* attribute to false. + - Log groups can now be injected via the external dependency mechanism. Attribute *log_group_id*, in addition to being a reference key defined in *log_groups* attribute, can now also be a log group OCID or a reference key defined in *log_groups_dependency* variable. + - Bug fix: log names can now be created for network resources (like subnets and VCNs) with spaces in their names. + # August 27, 2024 Release Notes - 0.1.8 ## Updates diff --git a/logging/README.md b/logging/README.md index 78e425b..872d991 100644 --- a/logging/README.md +++ b/logging/README.md 
@@ -67,21 +67,23 @@ module "logging" { For invoking the module remotely, set the module *source* attribute to the logging module folder in this repository, as shown: ``` module "logging" { - source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-observability/logging" + source = "github.com/oci-landing-zones/terraform-oci-modules-observability/logging" tenancy_ocid = var.tenancy_ocid # for deploying bucket logs using bucket_logs attribute. logging_configuration = var.logging_configuration } ``` For referring to a specific module version, append *ref=\* to the *source* attribute value, as in: ``` - source = "github.com/oracle-quickstart/terraform-oci-cis-landing-zone-observability//logging?ref=v0.1.0" + source = "github.com/oci-landing-zones/terraform-oci-modules-observability//logging?ref=v0.1.0" ``` ## Module Functioning -In this module, log groups and logs are defined using the top-level *logging_configuration* variable. It contains a set of attributes starting with the prefix *default_* and a set of attributes to define any number of log groups and logs. The *default_* attribute values are applied to all log groups and logs, unless overriden at the object level. **The module supports defining service and custom logs for single resources or for a set of resources within specified compartments**. For defining logs to single resources, use either *service_logs* or *custom_logs* attributes. For defining service logs to a set of resources within specified compartments, use *flow_logs* or *bucket_logs* attributes. +In this module, log groups and logs are defined using the top-level *logging_configuration* variable. It contains a set of attributes starting with the prefix *default_* and a set of attributes to define any number of log groups and logs. The *default_* attribute values are applied to all log groups and logs, unless overridden at the object level. 
**The module supports defining service and custom logs for single resources or for a set of resources within specified compartments**. For defining logs to single resources, use either *service_logs* or *custom_logs* attributes. For defining service logs to a set of resources within specified compartments, use *flow_logs* or *bucket_logs* attributes. Additionally, *logging_configuration* defines the *enable_cis_checks* attribute, that by default enforces CIS recommendations throughout the module. For disabling the enforcement, set it to false. **Note**: *log_groups*, *service_logs*, *flow_logs*, *bucket_logs*, and *custom_logs* are maps of objects. Each object is defined as a key/value pair. The key must be unique and not be changed once defined. See the [examples](./examples/) folder for sample declarations. +- **enable_cis_checks**: (Optional) When true (default) enforces CIS recommendations when appropriate. For disabling the enforcement, set it to false. + The *default_* attributes are the following: - **default_compartment_id**: (Optional) The default compartment for all resources managed by this module. It can be overriden by *compartment_id* attribute in each resource. This attribute is overloaded: it can be either a compartment OCID or a reference (a key) to the compartment OCID. See [External Dependencies](#extdep) section. 
@@ -94,7 +96,7 @@ To disable Logging Analytics, navigate to the Logging Analytics service page on ### Defining Log Groups - **onboard_logging_analytics**: (Optional) Whether your tenancy will enable Logging Analytics. Set to true ONLY if wish to onboard your tenancy to Logging Analytics, set to false if your tenancy has ALREADY enabled Logging Analytics. Check in Console. Default is false. -- **log_groups**: A map of log groups. In OCI, every log must belong to a log group. +- **log_groups**: (Optional) A map of log groups. In OCI, every log must belong to a log group. If a log group is not deployed, the module adds the logs to an existing log group. See [External Dependencies](#extdep) section. - **compartment_id**: (Optional) The compartment where the log group is created. *default_compartment_id* is used if undefined. This attribute is overloaded: it can be either a compartment OCID or a reference (a key) to the compartment OCID. See [External Dependencies](#extdep) section. - **type**: (Optional) Include this value and set it to "logging_analytics" to create a Logging Analytics log group, otherwise a default log group will be created. - **name**: The log group name. 
@@ -105,7 +107,7 @@ To disable Logging Analytics, navigate to the Logging Analytics service page on ### Defining Service Logs - **service_logs**: (Optional) A map of service logs. **Use this when defining service logs for single resources**. Logs are created in the same compartment as the enclosing log group. - **name**: The log name. - - **log_group_id**: The log group. The value should be one of the reference keys defined in *log_groups*. + - **log_group_id**: The log group. This attribute is overloaded: it can be either one of the reference keys defined in *log_groups* attribute, a log group OCID or a reference key defined in *log_groups_dependency* variable. See [External Dependencies](#extdep) section. - **service**: The resource service name for which the log is being created. Sample valid values: "flowlogs", "objectstorage". Supported services may change over time. See [Services Integrated with the Logging Services and their Categories](#services). - **category**: The category name within each service. This is service specific and valid values may change over time. See [Services Integrated with the Logging Services and their Categories](#services). - **resource_id**: The resource id to create the log for. 
@@ -117,7 +119,7 @@ To disable Logging Analytics, navigate to the Logging Analytics service page on ### Defining Flow Logs - **flow_logs**: A map of flow logs. **Use this when defining flow logs in bulk within specified compartments**. Logs are created in the same compartment as the enclosing flow log group. - **name_prefix**: (Optional) a prefix to flow log names. - - **log_group_id** The flow log group. The value should be one of the reference keys defined in *log_groups*. + - **log_group_id**: The log group. This attribute is overloaded: it can be either one of the reference keys defined in *log_groups* attribute, a log group OCID or a reference key defined in *log_groups_dependency* variable. See [External Dependencies](#extdep) section. - **target_resource_type** The target resource type for flow logs. Valid values: "vcn", "subnet", "vnic". - **target_compartment_ids** The list of compartments containing the resources of type defined in target_resource_type to create flow logs for. The module searches for all resources of target_resource_type in these compartments. For "vnic" target_resource_type, NLB (Network Load Balancer) private IP VNICs are also included. - **is_enabled**: (Optional) Whether the flow logs are enabled. Default is true. 
@@ -128,7 +130,7 @@ To disable Logging Analytics, navigate to the Logging Analytics service page on ### Defining Bucket Logs - **bucket_logs**: A map of bucket logs. **Use this when defining bucket logs in bulk within specified compartments**. Logs are created in the same compartment as the enclosing bucket log group. - **name_prefix**: (Optional) a prefix to bucket log names. - - **log_group_id**: The bucket log group. The value should be one of the reference keys defined in *log_groups*. + - **log_group_id**: The log group. This attribute is overloaded: it can be either one of the reference keys defined in *log_groups* attribute, a log group OCID or a reference key defined in *log_groups_dependency* variable. See [External Dependencies](#extdep) section. - **target_compartment_ids**: The list of compartments containing the buckets to create logs for. The module seaeches for all buckets in these compartments. - **category**: The category of operations to enable the bucket logs for. Valid values: "read" or "write". - **is_enabled**: (Optional) Whether the bucket logs are enabled. Default is true. 
@@ -140,7 +142,7 @@ To disable Logging Analytics, navigate to the Logging Analytics service page on - **custom_logs**: A map of custom logs. **Use this when defining custom logs for single resources**. Logs are created in the same compartment as the enclosing log group. - **compartment_id**: (Optional) The compartment where log is created. *default_compartment_id* is used if undefined. This attribute is overloaded: it can be either a compartment OCID or a reference (a key) to the compartment OCID. - **name**: The log name. - - **log_group_id**: The log group. The value should be one of the reference keys defined in *log_groups*. + - **log_group_id**: The log group. This attribute is overloaded: it can be either one of the reference keys defined in *log_groups* attribute, a log group OCID or a reference key defined in *log_groups_dependency* variable. See [External Dependencies](#extdep) section. - **dynamic_groups**: The list of dynamic groups associated with this configuration - **parser_type**: (Optional) The type of fluent parser. Valid values: "NONE", "SYSLOG", "CSV", "TSV", "REGEXP", "MULTILINE", "APACHE_ERROR", "APACHE2", "AUDITD", "JSON", "CRI". Default is "NONE". - **path**: Absolute paths for log source files. Wildcards can be used. 
@@ -189,6 +191,8 @@ An optional feature, external dependencies are resources managed elsewhere that - **compartments_dependency**: A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an *id* attribute with the compartment OCID. This mechanism allows for the usage of referring keys (instead of OCIDs) in *default_compartment_id* and *compartment_id* attributes. The module replaces the keys by the OCIDs provided within *compartments_dependency* map. Contents of *compartments_dependency* is typically the output of a [Compartments module](../compartments/) client. +- **log_groups_dependency**: A map of objects containing the externally managed log_groups this module may depend on. All map objects must have the same type and must contain at least an *id* attribute with the log_group OCID. This mechanism allows for the usage of referring keys (instead of OCIDs) in *log_group_id* attributes. The module replaces the keys by the OCIDs provided within *log_groups_dependency* map. + ## Related Documentation - [OCI Logging](https://docs.oracle.com/en-us/iaas/Content/Logging/home.htm) - [Logging in Terraform OCI Provider](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/logging_log) @@ -286,4 +290,4 @@ An optional feature, external dependencies are resources managed elsewhere that time to fully converge. ``` -In such scenario, create logs using the *service_logs* attribute instead. \ No newline at end of file +In such scenario, create logs using the *service_logs* attribute instead. diff --git a/logging/SPEC.md b/logging/SPEC.md index 72ee685..6f43151 100644 --- a/logging/SPEC.md +++ b/logging/SPEC.md 
@@ -43,9 +43,10 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. | `map(any)` | `null` | no | +| [compartments\_dependency](#input\_compartments\_dependency) | A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type. |
map(object({
id = string
}))
| `null` | no | | [enable\_output](#input\_enable\_output) | Whether Terraform should enable module output. | `bool` | `true` | no | -| [logging\_configuration](#input\_logging\_configuration) | Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details. |
object({
default_compartment_id = string,
default_defined_tags = optional(map(string)),
default_freeform_tags = optional(map(string)),
onboard_logging_analytics = optional(bool),
log_groups = map(object({
type = optional(string)
compartment_id = optional(string)
name = string
description = optional(string)
freeform_tags = optional(map(string))
defined_tags = optional(map(string))
}))
service_logs = optional(map(object({
name = string
log_group_id = string
service = string
category = string
resource_id = string
is_enabled = optional(bool)
retention_duration = optional(number)
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
})))
flow_logs = optional(map(object({
name_prefix = optional(string)
log_group_id = string
target_resource_type = string
target_compartment_ids = list(string)
is_enabled = optional(bool)
retention_duration = optional(number)
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
})))
bucket_logs = optional(map(object({
name_prefix = optional(string)
log_group_id = string
target_compartment_ids = list(string)
category = string
is_enabled = optional(bool)
retention_duration = optional(number)
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
})))
custom_logs = optional(map(object({
name = string
log_group_id = string
dynamic_groups = list(string)
parser_type = optional(string)
path = list(string)
is_enabled = optional(bool)
retention_duration = optional(number)
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
})))
})
| n/a | yes | +| [log\_groups\_dependency](#input\_log\_groups\_dependency) | A map of objects containing the externally managed log\_groups this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the log group OCID) of string type. |
map(object({
id = string
}))
| `null` | no | +| [logging\_configuration](#input\_logging\_configuration) | Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details. |
object({
enable_cis_checks = optional(bool,true), # Whether to enforce CIS benchmark and framework recommendations. Default is true.
default_compartment_id = string,
default_defined_tags = optional(map(string)),
default_freeform_tags = optional(map(string)),
onboard_logging_analytics = optional(bool),
log_groups = optional(map(object({
type = optional(string)
compartment_id = optional(string)
name = string
description = optional(string)
freeform_tags = optional(map(string))
defined_tags = optional(map(string))
})),{})
service_logs = optional(map(object({
name = string
log_group_id = string
service = string
category = string
resource_id = string
is_enabled = optional(bool)
retention_duration = optional(number,90)
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
})),{})
flow_logs = optional(map(object({
name_prefix = optional(string)
log_group_id = string
target_resource_type = string
target_compartment_ids = list(string)
is_enabled = optional(bool)
retention_duration = optional(number,90)
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
})),{})
bucket_logs = optional(map(object({
name_prefix = optional(string)
log_group_id = string
target_compartment_ids = list(string)
category = string
is_enabled = optional(bool)
retention_duration = optional(number,90)
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
})),{})
custom_logs = optional(map(object({
name = string
log_group_id = string
dynamic_groups = list(string)
parser_type = optional(string)
path = list(string)
is_enabled = optional(bool)
retention_duration = optional(number,90)
defined_tags = optional(map(string))
freeform_tags = optional(map(string))
})),{})
})
| n/a | yes |
 | [module\_name](#input\_module\_name) | The module name. | `string` | `"logging"` | no |
 | [tenancy\_ocid](#input\_tenancy\_ocid) | The tenancy OCID | `string` | `null` | no |
diff --git a/logging/bucket_logs.tf b/logging/bucket_logs.tf
index 1df3f30..bed3f6c 100644
--- a/logging/bucket_logs.tf
+++ b/logging/bucket_logs.tf
@@ -12,16 +12,17 @@ locals {
 for bl_key, bl_value in (var.logging_configuration.bucket_logs != null ? var.logging_configuration.bucket_logs : {}) : [
 for cmp_id in bl_value.target_compartment_ids : [
 for bucket in data.oci_objectstorage_bucket_summaries.these[(length(regexall("^ocid1.*$", cmp_id)) > 0 ? cmp_id : var.compartments_dependency[cmp_id].id)].bucket_summaries : {
- key = upper("${bl_key}-${bucket.name}")
+ key = upper("${bl_key}-${replace(bucket.name,"/\\s+/","-")}")
 category = bl_value.category
 resource_id = bucket.name
 service = "objectstorage"
- name = "${bucket.name}-${bl_value.category}-log"
+ name = "${replace(bucket.name,"/\\s+/","-")}-${bl_value.category}-log"
 log_group_id = bl_value.log_group_id
 is_enabled = bl_value.is_enabled
 retention_duration = bl_value.retention_duration
 defined_tags = bl_value.defined_tags
 freeform_tags = bl_value.freeform_tags
+ enable_cis_checks = var.logging_configuration.enable_cis_checks
 }
 ]
 ]
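Review bot: Folding whitespace in `key = upper("${bl_key}-${replace(bucket.name,"/\\s+/","-")}")` lets two distinct buckets share one key — a bucket named `my bucket` and one named `my-bucket` (constructed example) in the same compartment both become `<BL_KEY>-MY-BUCKET`, and `upper()` already merges names that differ only by case. If the surrounding local turns this list into a map keyed by `key`, as the `for_each` in the resource block suggests, Terraform stops the plan with a duplicate-key error for such a pair; that is the safe outcome, but a comment such as `# key folds whitespace and case: bucket names differing only by spaces/hyphens or case will collide` would make the failure mode discoverable. `resource_id = bucket.name` correctly keeps the unmodified name for the API call while only the display `name` is sanitised. The `for` expression starts before this hunk and its conversion to a map lies outside it.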
@@ -50,9 +51,16 @@ resource "oci_logging_log" "bucket_logs" {
 is_enabled = v.is_enabled
 retention_duration = v.retention_duration
 defined_tags = v.defined_tags
- freeform_tags = v.freeform_tags }}
+ freeform_tags = v.freeform_tags
+ enable_cis_checks = v.enable_cis_checks }}
+ lifecycle {
+ precondition {
+ condition = (each.value.enable_cis_checks == true && each.value.retention_duration >= 90) || (each.value.enable_cis_checks == false)
+ error_message = "VALIDATION FAILURE: Bucket log \"${each.key}\" has an invalid retention duration. For complying with CIS framework, set the \"retention_duration\" attribute to 90 or greater. For forcing a value smaller than 90, set \"enable_cis_checks\" attribute to false."
+ }
+ }
 display_name = each.value.name
- log_group_id = oci_logging_log_group.these[each.value.log_group_id].id
+ log_group_id = contains(keys(var.logging_configuration.log_groups),each.value.log_group_id) ? oci_logging_log_group.these[each.value.log_group_id].id : (length(regexall("^ocid1.*$", each.value.log_group_id)) > 0 ? each.value.log_group_id : var.log_groups_dependency[each.value.log_group_id].id)
 log_type = "SERVICE"
 configuration {
 #compartment_id = each.value.compartment_id
@@ -64,7 +72,7 @@ resource "oci_logging_log" "bucket_logs" {
 }
 }
 is_enabled = coalesce(each.value.is_enabled,true)
- retention_duration = coalesce(each.value.retention_duration, 60)
+ retention_duration = each.value.retention_duration
 defined_tags = each.value.defined_tags != null ? each.value.defined_tags : var.logging_configuration.default_defined_tags
 freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.logging_configuration.default_freeform_tags)
 }
diff --git a/logging/examples/bucket_logs/variables.tf b/logging/examples/bucket_logs/variables.tf
index 2d0860c..9db66f3 100644
--- a/logging/examples/bucket_logs/variables.tf
+++ b/logging/examples/bucket_logs/variables.tf
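Review bot: The new `log_group_id` expression falls through to `var.log_groups_dependency[each.value.log_group_id].id`, and `log_groups_dependency` defaults to `null` in this patch's SPEC.md, so a `log_group_id` that is neither a `log_groups` key nor an OCID fails with Terraform's generic null-index error rather than naming the bucket log at fault. A second `precondition` beside the retention one would turn that into a labelled validation failure, e.g. `condition = contains(keys(var.logging_configuration.log_groups), each.value.log_group_id) || length(regexall("^ocid1.*$", each.value.log_group_id)) > 0 || try(contains(keys(var.log_groups_dependency), each.value.log_group_id), false)` (the `try()` matters because HCL's `||` does not short-circuit over a null map) with an `error_message` in the same style as the retention one. The diffstat shows flow_logs.tf and main.tf changing alongside, which presumably carry the same resolution expression and would need the same guard. Dropping `coalesce(each.value.retention_duration, 60)` now relies on the `optional(number,90)` default shown in SPEC.md, so this hunk and the CIS retention precondition stay consistent as long as the module variable is the only way values reach this resource.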
@@ -9,60 +9,7 @@ variable "private_key_password" {default = ""} variable "logging_configuration" { description = "Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details." - type = object({ - default_compartment_id = string, - default_defined_tags = optional(map(string)), - default_freeform_tags = optional(map(string)), - log_groups = map(object({ - compartment_id = optional(string) - name = string - description = optional(string) - freeform_tags = optional(map(string)) - defined_tags = optional(map(string)) - })) - service_logs = optional(map(object({ - name = string - log_group_id = string - service = string - category = string - resource_id = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - flow_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_resource_type = string - target_compartment_ids = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - bucket_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_compartment_ids = list(string) - category = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - custom_logs = optional(map(object({ - name = string - log_group_id = string - dynamic_groups = list(string) - parser_type = optional(string) - path = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - }) + type = any } variable "external_dependency" { 
diff --git a/logging/examples/custom_logs/main.tf b/logging/examples/custom_logs/main.tf index d974b04..042c338 100644 --- a/logging/examples/custom_logs/main.tf +++ b/logging/examples/custom_logs/main.tf @@ -3,6 +3,7 @@ module "custom_logging" { source = "../../" + tenancy_ocid = var.tenancy_ocid logging_configuration = var.logging_configuration compartments_dependency = var.external_dependency != null ? merge([for o in data.oci_objectstorage_object.compartments : jsondecode(o.content)]...) : null } diff --git a/logging/examples/custom_logs/variables.tf b/logging/examples/custom_logs/variables.tf index 2d0860c..9db66f3 100644 --- a/logging/examples/custom_logs/variables.tf +++ b/logging/examples/custom_logs/variables.tf 
@@ -9,60 +9,7 @@ variable "private_key_password" {default = ""} variable "logging_configuration" { description = "Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details." - type = object({ - default_compartment_id = string, - default_defined_tags = optional(map(string)), - default_freeform_tags = optional(map(string)), - log_groups = map(object({ - compartment_id = optional(string) - name = string - description = optional(string) - freeform_tags = optional(map(string)) - defined_tags = optional(map(string)) - })) - service_logs = optional(map(object({ - name = string - log_group_id = string - service = string - category = string - resource_id = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - flow_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_resource_type = string - target_compartment_ids = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - bucket_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_compartment_ids = list(string) - category = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - custom_logs = optional(map(object({ - name = string - log_group_id = string - dynamic_groups = list(string) - parser_type = optional(string) - path = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - }) + type = any } variable "external_dependency" { 
diff --git a/logging/examples/flow_logs/variables.tf b/logging/examples/flow_logs/variables.tf index 2d0860c..9db66f3 100644 --- a/logging/examples/flow_logs/variables.tf +++ b/logging/examples/flow_logs/variables.tf 
@@ -9,60 +9,7 @@ variable "private_key_password" {default = ""} variable "logging_configuration" { description = "Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details." - type = object({ - default_compartment_id = string, - default_defined_tags = optional(map(string)), - default_freeform_tags = optional(map(string)), - log_groups = map(object({ - compartment_id = optional(string) - name = string - description = optional(string) - freeform_tags = optional(map(string)) - defined_tags = optional(map(string)) - })) - service_logs = optional(map(object({ - name = string - log_group_id = string - service = string - category = string - resource_id = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - flow_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_resource_type = string - target_compartment_ids = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - bucket_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_compartment_ids = list(string) - category = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - custom_logs = optional(map(object({ - name = string - log_group_id = string - dynamic_groups = list(string) - parser_type = optional(string) - path = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - }) + type = any } variable "external_dependency" { 
diff --git a/logging/examples/log_group_injection/input.auto.tfvars.template b/logging/examples/log_group_injection/input.auto.tfvars.template new file mode 100644 index 0000000..95a2605 --- /dev/null +++ b/logging/examples/log_group_injection/input.auto.tfvars.template 
@@ -0,0 +1,48 @@ +# Copyright (c) 2023 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +#-------------------------------------------------------------------------------------------------------------------------------------- +# 1. Rename this file to .auto.tfvars, where is a name of your choice. +# 2. Provide values for "Tenancy Connectivity Variables". +# 3. Replace placeholder with appropriate compartment OCID or key (if enabling external dependency). +# 4. Replace placeholder with the appropriate log group OCID. +# 5. Replace placeholder with the appropriate subnet OCID. +# 6. Replace placeholder with the appropriate bucket name. +#-------------------------------------------------------------------------------------------------------------------------------------- + +#--------------------------------------- +# Tenancy Connectivity Variables +#--------------------------------------- + +tenancy_ocid = "" # Get this from OCI Console (after logging in, go to top-right-most menu item and click option "Tenancy: "). +user_ocid = "" # Get this from OCI Console (after logging in, go to top-right-most menu item and click option "My profile"). +fingerprint = "" # The fingerprint can be gathered from your user account. In the "My profile page, click "API keys" on the menu in left hand side. +private_key_path = "" # This is the full path on your local system to the API signing private key. +private_key_password = "" # This is the password that protects the private key, if any. +region = "" # This is your region, where all other events are created. It can be the same as home_region. 
+ +#--------------------------------------- +# Input variable +#--------------------------------------- + +logging_configuration = { + + default_compartment_id = "" + + service_logs = { + SUBNET-FLOW-LOG = { + name = "vision-subnet-flow-logs" + log_group_id = "" + service = "flowlogs" + category = "all" + resource_id = "" + } + BUCKET-LOG = { + name = "vision-bucket-write-logs" + log_group_id = "" + service = "objectstorage" + category = "write" + resource_id = "" + } + } +} diff --git a/logging/examples/log_group_injection/main.tf b/logging/examples/log_group_injection/main.tf new file mode 100644 index 0000000..e0a0d4f --- /dev/null +++ b/logging/examples/log_group_injection/main.tf @@ -0,0 +1,8 @@ +# Copyright (c) 2023 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +module "vision_logging" { + source = "../../" + tenancy_ocid = var.tenancy_ocid + logging_configuration = var.logging_configuration +} diff --git a/logging/examples/log_group_injection/outputs.tf b/logging/examples/log_group_injection/outputs.tf new file mode 100644 index 0000000..8135197 --- /dev/null +++ b/logging/examples/log_group_injection/outputs.tf @@ -0,0 +1,14 @@ +# Copyright (c) 2023 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +output "log_group" { + value = module.vision_logging.log_groups +} + +output "service_logs" { + value = module.vision_logging.service_logs +} + +output "custom_logs" { + value = module.vision_logging.custom_logs +} \ No newline at end of file diff --git a/logging/examples/log_group_injection/providers.tf b/logging/examples/log_group_injection/providers.tf new file mode 100644 index 0000000..b2980e0 --- /dev/null +++ b/logging/examples/log_group_injection/providers.tf 
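Review bot: `private_key_password = ""` sits in a file whose header tells the user to rename it to `*.auto.tfvars`, which Terraform loads automatically and which is easy to commit alongside the rest of the example; an API-key passphrase does not belong in a tfvars file. The comment on that line could steer users to the environment instead: `private_key_password = "" # prefer TF_VAR_private_key_password in the environment; do not commit this file`. The `private_key_path` comment would benefit from the same hint, pointing at a path outside the repository. The numbered steps at the top appear to have lost their placeholder tokens ("Replace placeholder with the appropriate log group OCID" no longer says which), which looks like a rendering artefact of this page rather than the file itself.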
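Review bot: The `vision_logging` module call passes only `tenancy_ocid` and `logging_configuration`, so this example exercises just the OCID form of `log_group_id`; the `log_groups_dependency` key form announced in the release notes and README is not demonstrated despite the example's name. Adding `log_groups_dependency = var.log_groups_dependency` here, with a matching `variable "log_groups_dependency" { type = map(object({ id = string })) default = null }` in the example's variables.tf and one keyed entry in the tfvars template, would cover both resolution paths. The file is new in this commit, so the whole module block is visible in the hunk.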
@@ -0,0 +1,21 @@ +# Copyright (c) 2023 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + +provider "oci" { + region = var.region + tenancy_ocid = var.tenancy_ocid + user_ocid = var.user_ocid + fingerprint = var.fingerprint + private_key_path = var.private_key_path + private_key_password = var.private_key_password + ignore_defined_tags = ["Oracle-Tags.CreatedBy", "Oracle-Tags.CreatedOn"] +} + +terraform { + required_version = ">= 1.3.0" + required_providers { + oci = { + source = "oracle/oci" + } + } +} \ No newline at end of file diff --git a/logging/examples/log_group_injection/variables.tf b/logging/examples/log_group_injection/variables.tf new file mode 100644 index 0000000..9a8e5c9 --- /dev/null +++ b/logging/examples/log_group_injection/variables.tf @@ -0,0 +1,13 @@ +# Copyright (c) 2023 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +variable "tenancy_ocid" {} +variable "region" {description = "Your tenancy region"} +variable "user_ocid" {default = ""} +variable "fingerprint" {default = ""} +variable "private_key_path" {default = ""} +variable "private_key_password" {default = ""} + +variable "logging_configuration" { + description = "Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details." + type = any +} \ No newline at end of file diff --git a/logging/examples/logging-analytics/main.tf b/logging/examples/logging-analytics/main.tf index 133f576..010b974 100644 --- a/logging/examples/logging-analytics/main.tf +++ b/logging/examples/logging-analytics/main.tf @@ -1,3 +1,6 @@ +# Copyright (c) 2023 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + module "test_logging" { source = "../.." tenancy_ocid = var.tenancy_ocid 
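Review bot: The `oci` entry in `required_providers` carries `source` but no `version` constraint, and no lockfile for this example is part of the patch, so every `terraform init` of the example resolves to whatever the newest provider release is at that moment; a constraint such as `version = "<PLACEHOLDER: provider version this example was tested with>"` keeps the example reproducible and makes provider upgrades a deliberate, reviewable change. The `required_version = ">= 1.3.0"` floor is appropriate given the `optional(type, default)` syntax the module relies on and can stay as is.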
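Review bot: `private_key_password` is a credential but is declared as a plain variable, so its value can surface in plan output and in any log that captures it; declaring it `variable "private_key_password" {default = "", sensitive = true}` keeps Terraform from printing it. `tenancy_ocid` on the first variable line has an empty body, so the new file gives it neither a description nor a type while `region` on the next line has a description; `variable "tenancy_ocid" {description = "Your tenancy OCID"}` would match the sibling declarations.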
diff --git a/logging/examples/logging-analytics/outputs.tf b/logging/examples/logging-analytics/outputs.tf index 1069cfd..45998de 100644 --- a/logging/examples/logging-analytics/outputs.tf +++ b/logging/examples/logging-analytics/outputs.tf @@ -1,3 +1,6 @@ +# Copyright (c) 2023 Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + output "log_groups" { value = module.test_logging.log_groups } diff --git a/logging/examples/logging-analytics/variables.tf b/logging/examples/logging-analytics/variables.tf index 46e38b9..bcd9f9a 100644 --- a/logging/examples/logging-analytics/variables.tf +++ b/logging/examples/logging-analytics/variables.tf @@ -1,5 +1,6 @@ # Copyright (c) 2023 Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. + variable "tenancy_ocid" {} variable "region" { description = "Your tenancy region" } variable "user_ocid" { default = "" } 
@@ -9,62 +10,7 @@ variable "private_key_password" { default = "" } variable "logging_configuration" { description = "Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details." - type = object({ - default_compartment_id = string, - default_defined_tags = optional(map(string)), - default_freeform_tags = optional(map(string)), - onboard_logging_analytics = optional(bool), - log_groups = map(object({ - type = optional(string) - compartment_id = optional(string) - name = string - description = optional(string) - freeform_tags = optional(map(string)) - defined_tags = optional(map(string)) - })) - service_logs = optional(map(object({ - name = string - log_group_id = string - service = string - category = string - resource_id = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - flow_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_resource_type = string - target_compartment_ids = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - bucket_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_compartment_ids = list(string) - category = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - custom_logs = optional(map(object({ - name = string - log_group_id = string - dynamic_groups = list(string) - parser_type = optional(string) - path = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - }) + type = any } variable "compartments_dependency" { 
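Review bot: Replacing the full object type with `type = any` removes the only in-tree listing of the attributes `logging_configuration` accepts in this example, and the unchanged description's "see the comments within each attribute" now points at nothing local. A one-line pointer above the variable, such as `# The attribute schema is enforced by the module; see ../../variables.tf for accepted attributes and defaults.`, keeps the example self-explanatory; the vision example's variables.tf hunk later in this diff makes the same change and would benefit from the same comment. If I recall Terraform's object conversion correctly, the module's object type discards attributes it does not declare rather than rejecting them, so a typo in an attribute name will now go unnoticed at both layers and the comment could say so.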
diff --git a/logging/examples/vision/input.auto.tfvars.template b/logging/examples/vision/input.auto.tfvars.template index da64119..a077cef 100644 --- a/logging/examples/vision/input.auto.tfvars.template +++ b/logging/examples/vision/input.auto.tfvars.template @@ -39,14 +39,14 @@ logging_configuration = { service_logs = { SUBNET-FLOW-LOG = { - name = "vision-subnet-flow-logs" + name = "vision-subnet-flow-log" log_group_id = "VCN-FLOW-LOG-GROUP" service = "flowlogs" category = "all" resource_id = "" } BUCKET-LOG = { - name = "vision-bucket-write-logs" + name = "vision-bucket-write-log" log_group_id = "BUCKET-LOG-GROUP" service = "objectstorage" category = "write" diff --git a/logging/examples/vision/main.tf b/logging/examples/vision/main.tf index e952ca7..1d9611c 100644 --- a/logging/examples/vision/main.tf +++ b/logging/examples/vision/main.tf @@ -3,6 +3,7 @@ module "vision_logging" { source = "../../" + tenancy_ocid = var.tenancy_ocid logging_configuration = var.logging_configuration compartments_dependency = var.external_dependency != null ? merge([for o in data.oci_objectstorage_object.compartments : jsondecode(o.content)]...) : null } diff --git a/logging/examples/vision/variables.tf b/logging/examples/vision/variables.tf index 2d0860c..9db66f3 100644 --- a/logging/examples/vision/variables.tf +++ b/logging/examples/vision/variables.tf 
@@ -9,60 +9,7 @@ variable "private_key_password" {default = ""} variable "logging_configuration" { description = "Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details." - type = object({ - default_compartment_id = string, - default_defined_tags = optional(map(string)), - default_freeform_tags = optional(map(string)), - log_groups = map(object({ - compartment_id = optional(string) - name = string - description = optional(string) - freeform_tags = optional(map(string)) - defined_tags = optional(map(string)) - })) - service_logs = optional(map(object({ - name = string - log_group_id = string - service = string - category = string - resource_id = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - flow_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_resource_type = string - target_compartment_ids = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - bucket_logs = optional(map(object({ - name_prefix = optional(string) - log_group_id = string - target_compartment_ids = list(string) - category = string - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - custom_logs = optional(map(object({ - name = string - log_group_id = string - dynamic_groups = list(string) - parser_type = optional(string) - path = list(string) - is_enabled = optional(bool) - retention_duration = optional(number) - defined_tags = optional(map(string)) - freeform_tags = optional(map(string)) - }))) - }) + type = any } variable "external_dependency" { diff --git a/logging/flow_logs.tf b/logging/flow_logs.tf index 9b3ee1b..82e2778 100644 
--- a/logging/flow_logs.tf +++ b/logging/flow_logs.tf @@ -15,17 +15,18 @@ locals { for fl_key, fl_value in (var.logging_configuration.flow_logs != null ? var.logging_configuration.flow_logs : {}) : [ for cmp_id in fl_value.target_compartment_ids : [ for subnet in coalesce(data.oci_core_subnets.these[(length(regexall("^ocid1.*$", cmp_id)) > 0 ? cmp_id : var.compartments_dependency[cmp_id].id)].subnets, []) : { - key = upper("${fl_key}-${subnet.display_name}-${substr(subnet.id,-10,-1)}") + key = upper("${fl_key}-${replace(subnet.display_name,"/\\s+/","-")}-${substr(subnet.id,-10,-1)}") category = "subnet" resource_id = subnet.id service = "flowlogs" - name = "${subnet.display_name}-${substr(subnet.id,-10,-1)}-flow-log" + name = "${replace(subnet.display_name,"/\\s+/","-")}-${substr(subnet.id,-10,-1)}-flow-log" log_group_id = fl_value.log_group_id is_enabled = fl_value.is_enabled retention_duration = fl_value.retention_duration defined_tags = fl_value.defined_tags freeform_tags = fl_value.freeform_tags target_resource_type = fl_value.target_resource_type + enable_cis_checks = var.logging_configuration.enable_cis_checks } ] ] if lower(fl_value.target_resource_type) == "subnet" 
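Review bot: The sanitization `replace(subnet.display_name,"/\\s+/","-")` changes the computed `name` of every flow log whose source resource has whitespace in its display name, so existing deployments will see those logs' `display_name` change on the next plan (an in-place update if the provider allows renaming, otherwise a replacement); that deployment impact deserves a sentence in the release notes and a comment on the line, e.g. `# collapse runs of whitespace to "-": whitespace is not accepted in log names`. The same expression is repeated in the vcn, vnic and nlb hunks of this file and in main.tf, so the comment only needs to live at the first occurrence. `enable_cis_checks` is copied into every element here only to be read back in the resource precondition, whereas the service-log precondition in main.tf reads `var.logging_configuration.enable_cis_checks` directly; one of the two styles should be used in both files. The enclosing `locals` block begins before this hunk.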
@@ -35,17 +36,18 @@ locals { for fl_key, fl_value in (var.logging_configuration.flow_logs != null ? var.logging_configuration.flow_logs : {}) : [ for cmp_id in fl_value.target_compartment_ids : [ for vcn in coalesce(data.oci_core_vcns.these[(length(regexall("^ocid1.*$", cmp_id)) > 0 ? cmp_id : var.compartments_dependency[cmp_id].id)].virtual_networks, []) : { - key = upper("${fl_key}-${vcn.display_name}-${substr(vcn.id,-10,-1)}") + key = upper("${fl_key}-${replace(vcn.display_name,"/\\s+/","-")}-${substr(vcn.id,-10,-1)}") category = "vcn" resource_id = vcn.id service = "flowlogs" - name = "${vcn.display_name}-${substr(vcn.id,-10,-1)}-flow-log" + name = "${replace(vcn.display_name,"/\\s+/","-")}-${substr(vcn.id,-10,-1)}-flow-log" log_group_id = fl_value.log_group_id is_enabled = fl_value.is_enabled retention_duration = fl_value.retention_duration defined_tags = fl_value.defined_tags freeform_tags = fl_value.freeform_tags target_resource_type = fl_value.target_resource_type + enable_cis_checks = var.logging_configuration.enable_cis_checks } ] ] if lower(fl_value.target_resource_type) == "vcn" 
@@ -55,17 +57,18 @@ locals { for fl_key, fl_value in (var.logging_configuration.flow_logs != null ? var.logging_configuration.flow_logs : {}) : [ for cmp_id in fl_value.target_compartment_ids : [ for attach in coalesce(data.oci_core_vnic_attachments.these[(length(regexall("^ocid1.*$", cmp_id)) > 0 ? cmp_id : var.compartments_dependency[cmp_id].id)].vnic_attachments, []) : { - key = upper("${fl_key}-${data.oci_core_vnic.these[attach.vnic_id].display_name}") + key = upper("${fl_key}-${replace(data.oci_core_vnic.these[attach.vnic_id].display_name,"/\\s+/","-")}") category = "vnic" resource_id = attach.vnic_id service = "flowlogs" - name = "${data.oci_core_vnic.these[attach.vnic_id].display_name}-flow-log" + name = "${replace(data.oci_core_vnic.these[attach.vnic_id].display_name,"/\\s+/","-")}-flow-log" log_group_id = fl_value.log_group_id is_enabled = fl_value.is_enabled retention_duration = fl_value.retention_duration defined_tags = fl_value.defined_tags freeform_tags = fl_value.freeform_tags target_resource_type = fl_value.target_resource_type + enable_cis_checks = var.logging_configuration.enable_cis_checks } ] ] if lower(fl_value.target_resource_type) == "vnic" 
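Review bot: The map key here is `upper("${fl_key}-${...display_name...}")` with no id suffix, unlike the subnet and vcn hunks which append `substr(id,-10,-1)`, so two VNICs in the targeted compartments that share a display name, or whose names differ only in whitespace versus hyphens (`web 1` and `web-1` become identical after sanitization), produce the same key; whether that silently drops one flow log or fails with a duplicate-key error depends on how these lists are flattened further down, which is outside this hunk. Appending the vnic id the same way, `key = upper("${fl_key}-${replace(data.oci_core_vnic.these[attach.vnic_id].display_name,"/\\s+/","-")}-${substr(attach.vnic_id,-10,-1)}")`, makes the key unique like the other two. The nlb hunk that follows has the same shape (`ip.display_name` with no suffix) and could append `substr(ip.vnic_id,-10,-1)` likewise.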
@@ -83,17 +86,18 @@ locals { for fl_key, fl_value in (var.logging_configuration.flow_logs != null ? var.logging_configuration.flow_logs : {}) : [ for k, v in coalesce(data.oci_core_private_ips.nlbs, {}) : [ for ip in coalesce(v.private_ips, []) : { - key = upper("${fl_key}-${ip.display_name}") + key = upper("${fl_key}-${replace(ip.display_name,"/\\s+/","-")}") category = "vnic" resource_id = ip.vnic_id service = "flowlogs" - name = "${ip.display_name}-flow-log" + name = "${replace(ip.display_name,"/\\s+/","-")}-flow-log" log_group_id = fl_value.log_group_id is_enabled = fl_value.is_enabled retention_duration = fl_value.retention_duration defined_tags = fl_value.defined_tags freeform_tags = fl_value.freeform_tags target_resource_type = fl_value.target_resource_type + enable_cis_checks = var.logging_configuration.enable_cis_checks } ] ] if lower(fl_value.target_resource_type) == "vnic" @@ -119,7 +123,7 @@ data "oci_identity_compartment" "these" { error_message = "VALIDATION FAILURE: compartment id \"${each.key}\" not found." } } - id = each.key + id = each.key } data "oci_core_subnets" "these" { 
@@ -182,15 +186,20 @@ resource "oci_logging_log" "flow_logs" { retention_duration = v.retention_duration defined_tags = v.defined_tags freeform_tags = v.freeform_tags - target_resource_type = v.target_resource_type }} + target_resource_type = v.target_resource_type + enable_cis_checks = v.enable_cis_checks }} lifecycle { + precondition { + condition = (each.value.enable_cis_checks == true && each.value.retention_duration >= 90) || (each.value.enable_cis_checks == false) + error_message = "VALIDATION FAILURE: Flow log \"${each.key}\" has an invalid retention duration. For complying with CIS framework, set the \"retention_duration\" attribute to 90 or greater. For forcing a value smaller than 90, set \"enable_cis_checks\" attribute to false." + } precondition { condition = contains(local.flow_logs_target_types, lower(each.value.target_resource_type)) error_message = "VALIDATION FAILURE: \"${each.value.target_resource_type}\" value is invalid for \"target_resource_type\" attribute. Valid values are: ${join(",",local.flow_logs_target_types)} (case insensitive)." } } display_name = each.value.name - log_group_id = oci_logging_log_group.these[each.value.log_group_id].id + log_group_id = contains(keys(var.logging_configuration.log_groups),each.value.log_group_id) ? oci_logging_log_group.these[each.value.log_group_id].id : (length(regexall("^ocid1.*$", each.value.log_group_id)) > 0 ? each.value.log_group_id : var.log_groups_dependency[each.value.log_group_id].id) log_type = "SERVICE" configuration { #compartment_id = each.value.compartment_id 
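Review bot: The new `log_group_id` expression falls through to `var.log_groups_dependency[each.value.log_group_id].id` when the value is neither a key of `logging_configuration.log_groups` nor an OCID, but `log_groups_dependency` defaults to null (variables.tf hunk at the end of this diff), so a mistyped log group key fails with Terraform's generic null-index error instead of a VALIDATION FAILURE like the two this resource already emits. A third precondition naming the unresolved reference makes the failure actionable; the same expression is added for service logs and custom logs in the main.tf hunks and should get the same check. The retention precondition itself is sound given `optional(number,90)` supplies the default, though the `90` floor is now a literal in both this file and main.tf. The resource body continues outside the hunk.
```terraform
  lifecycle {
    precondition {
      condition     = contains(keys(var.logging_configuration.log_groups), each.value.log_group_id) || length(regexall("^ocid1.*$", each.value.log_group_id)) > 0 || try(contains(keys(var.log_groups_dependency), each.value.log_group_id), false)
      error_message = "VALIDATION FAILURE: Flow log \"${each.key}\" references log group \"${each.value.log_group_id}\", which is not a key in \"log_groups\", not an OCID, and not a key in \"log_groups_dependency\"."
    }
    # … unchanged: existing retention_duration and target_resource_type preconditions …
  }
```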
@@ -202,7 +211,7 @@ resource "oci_logging_log" "flow_logs" { } } is_enabled = coalesce(each.value.is_enabled,true) - retention_duration = coalesce(each.value.retention_duration, 60) + retention_duration = each.value.retention_duration defined_tags = each.value.defined_tags != null ? each.value.defined_tags : var.logging_configuration.default_defined_tags freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.logging_configuration.default_freeform_tags) } \ No newline at end of file diff --git a/logging/logging-analytics.tf b/logging/logging-analytics.tf index 9625054..a5b8543 100644 --- a/logging/logging-analytics.tf +++ b/logging/logging-analytics.tf @@ -17,6 +17,7 @@ resource "oci_log_analytics_namespace" "this" { } resource "time_sleep" "log_group_propagation_delay" { + count = coalesce(var.logging_configuration.onboard_logging_analytics, false) ? 1 : 0 depends_on = [oci_log_analytics_namespace.this] create_duration = "90s" } \ No newline at end of file diff --git a/logging/main.tf b/logging/main.tf index 65509a7..ce32bee 100644 --- a/logging/main.tf +++ b/logging/main.tf 
@@ -4,8 +4,8 @@ resource "oci_logging_log_group" "these" { for_each = { for k, v in var.logging_configuration.log_groups : k => v if v.type == null } compartment_id = each.value.compartment_id != null ? (length(regexall("^ocid1.*$", each.value.compartment_id)) > 0 ? each.value.compartment_id : var.compartments_dependency[each.value.compartment_id].id) : (length(regexall("^ocid1.*$", var.logging_configuration.default_compartment_id)) > 0 ? var.logging_configuration.default_compartment_id : var.compartments_dependency[var.logging_configuration.default_compartment_id].id) - display_name = each.value.name - description = each.value.description != null ? each.value.description : each.value.name + display_name = replace(each.value.name,"/\\s+/","-") + description = each.value.description != null ? each.value.description : replace(each.value.name,"/\\s+/","-") defined_tags = each.value.defined_tags != null ? each.value.defined_tags : var.logging_configuration.default_defined_tags freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.logging_configuration.default_freeform_tags) } 
@@ -13,17 +13,23 @@ resource "oci_logging_log_group" "these" { resource "oci_log_analytics_log_analytics_log_group" "these" { for_each = { for k, v in var.logging_configuration.log_groups : k => v if upper(coalesce(v.type, "__void__")) == "LOGGING_ANALYTICS" } compartment_id = each.value.compartment_id != null ? (length(regexall("^ocid1.*$", each.value.compartment_id)) > 0 ? each.value.compartment_id : var.compartments_dependency[each.value.compartment_id].id) : (length(regexall("^ocid1.*$", var.logging_configuration.default_compartment_id)) > 0 ? var.logging_configuration.default_compartment_id : var.compartments_dependency[var.logging_configuration.default_compartment_id].id) - display_name = each.value.name - description = each.value.description != null ? each.value.description : each.value.name + display_name = replace(each.value.name,"/\\s+/","-") + description = each.value.description != null ? each.value.description : replace(each.value.name,"/\\s+/","-") namespace = data.oci_log_analytics_namespaces.logging_analytics_namespaces.namespace_collection[0].items[0].namespace depends_on = [time_sleep.log_group_propagation_delay] } resource "oci_logging_log" "these" { - for_each = var.logging_configuration.service_logs != null ? var.logging_configuration.service_logs : {} - display_name = each.value.name - log_group_id = oci_logging_log_group.these[each.value.log_group_id].id + for_each = var.logging_configuration.service_logs != null ? var.logging_configuration.service_logs : {} + lifecycle { + precondition { + condition = (var.logging_configuration.enable_cis_checks == true && each.value.retention_duration >= 90) || (var.logging_configuration.enable_cis_checks == false) + error_message = "VALIDATION FAILURE: Log \"${each.key}\" has an invalid retention duration. For complying with CIS framework, set the \"retention_duration\" attribute to 90 or greater. For forcing a value smaller than 90, set \"enable_cis_checks\" attribute to false." 
+ } + } + display_name = replace(each.value.name,"/\\s+/","-") + log_group_id = contains(keys(var.logging_configuration.log_groups),each.value.log_group_id) ? oci_logging_log_group.these[each.value.log_group_id].id : (length(regexall("^ocid1.*$", each.value.log_group_id)) > 0 ? each.value.log_group_id : var.log_groups_dependency[each.value.log_group_id].id) log_type = "SERVICE" configuration { #compartment_id = each.value.compartment_id @@ -35,15 +41,15 @@ resource "oci_logging_log" "these" { } } is_enabled = coalesce(each.value.is_enabled, true) - retention_duration = coalesce(each.value.retention_duration, 60) + retention_duration = each.value.retention_duration defined_tags = each.value.defined_tags != null ? each.value.defined_tags : var.logging_configuration.default_defined_tags freeform_tags = merge(local.cislz_module_tag, each.value.freeform_tags != null ? each.value.freeform_tags : var.logging_configuration.default_freeform_tags) } resource "oci_logging_log" "these_custom" { - for_each = var.logging_configuration.custom_logs != null ? var.logging_configuration.custom_logs : {} - display_name = each.value.name - log_group_id = oci_logging_log_group.these[each.value.log_group_id].id + for_each = var.logging_configuration.custom_logs != null ? var.logging_configuration.custom_logs : {} + display_name = replace(each.value.name,"/\\s+/","-") + log_group_id = contains(keys(var.logging_configuration.log_groups),each.value.log_group_id) ? oci_logging_log_group.these[each.value.log_group_id].id : (length(regexall("^ocid1.*$", each.value.log_group_id)) > 0 ? each.value.log_group_id : var.log_groups_dependency[each.value.log_group_id].id) log_type = "CUSTOM" is_enabled = each.value.is_enabled retention_duration = each.value.retention_duration 
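Review bot: The 90-day floor is written as a literal in this precondition and again in the flow-log precondition earlier in the diff, while the matching default lives separately in variables.tf; a single `local.cis_min_retention_days = 90` referenced from both conditions and interpolated into the error messages keeps the CIS threshold in one place. Otherwise the block mirrors the flow-log one except that it reads `var.logging_configuration.enable_cis_checks` directly rather than through a per-element copy, which is the simpler form and could be adopted in flow_logs.tf as well. This resource's body continues past the hunk.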
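Review bot: `oci_logging_log.these_custom` receives the new `log_group_id` fallback and the name sanitization but no retention precondition, so a custom log with `retention_duration = 30` is accepted while `enable_cis_checks` is true, even though its default was raised to 90 in variables.tf alongside the other log kinds that this diff does guard. Adding the same lifecycle precondition closes the gap (bucket_logs.tf is not in this view, so I cannot tell whether it has one). `is_enabled = each.value.is_enabled` is also passed through without the `coalesce(..., true)` the service log uses; that is pre-existing but worth aligning while the resource is being touched.
```terraform
resource "oci_logging_log" "these_custom" {
  for_each = var.logging_configuration.custom_logs != null ? var.logging_configuration.custom_logs : {}
  lifecycle {
    precondition {
      condition     = (var.logging_configuration.enable_cis_checks == true && each.value.retention_duration >= 90) || (var.logging_configuration.enable_cis_checks == false)
      error_message = "VALIDATION FAILURE: Custom log \"${each.key}\" has an invalid retention duration. For complying with CIS framework, set the \"retention_duration\" attribute to 90 or greater. For forcing a value smaller than 90, set \"enable_cis_checks\" attribute to false."
    }
  }
  # … unchanged: display_name, log_group_id, log_type, is_enabled, retention_duration …
```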
@@ -52,7 +58,7 @@ resource "oci_logging_log" "these_custom" { } resource "oci_logging_unified_agent_configuration" "these" { - for_each = var.logging_configuration.custom_logs != null ? var.logging_configuration.custom_logs : {} + for_each = var.logging_configuration.custom_logs != null ? var.logging_configuration.custom_logs : {} compartment_id = each.value.compartment_id != null ? each.value.compartment_id : var.logging_configuration.default_compartment_id is_enabled = each.value.is_enabled description = format("%s%s", "Agent configuration for ", each.value.name) diff --git a/logging/variables.tf b/logging/variables.tf index 8c66b7b..ef4cbb8 100644 --- a/logging/variables.tf +++ b/logging/variables.tf @@ -10,18 +10,19 @@ variable "tenancy_ocid" { variable "logging_configuration" { description = "Logging configuration settings, defining all aspects to manage logging in OCI. Please see the comments within each attribute for details." type = object({ + enable_cis_checks = optional(bool,true), # Whether to enforce CIS benchmark and framework recommendations. Default is true. default_compartment_id = string, default_defined_tags = optional(map(string)), default_freeform_tags = optional(map(string)), onboard_logging_analytics = optional(bool), - log_groups = map(object({ + log_groups = optional(map(object({ type = optional(string) compartment_id = optional(string) name = string description = optional(string) freeform_tags = optional(map(string)) defined_tags = optional(map(string)) - })) + })),{}) service_logs = optional(map(object({ name = string log_group_id = string 
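Review bot: The comment on `enable_cis_checks` says it enforces "CIS benchmark and framework recommendations" without saying which; in this diff the only thing it gates is the 90-day `retention_duration` floor checked by the new preconditions, so a reader of the schema cannot tell what turning it off relaxes. `# Whether to enforce CIS recommendations. Currently gates the 90-day minimum retention_duration on logs; set to false to allow shorter retention. Default is true.` states the actual contract. Making `log_groups` optional with a `{}` default fits the new external log-group path, but the variable description two lines up still does not mention `log_groups_dependency` as the alternative source of log groups.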
@@ -29,30 +30,30 @@ variable "logging_configuration" { category = string resource_id = string is_enabled = optional(bool) - retention_duration = optional(number) + retention_duration = optional(number,90) defined_tags = optional(map(string)) freeform_tags = optional(map(string)) - }))) + })),{}) flow_logs = optional(map(object({ name_prefix = optional(string) log_group_id = string target_resource_type = string target_compartment_ids = list(string) is_enabled = optional(bool) - retention_duration = optional(number) + retention_duration = optional(number,90) defined_tags = optional(map(string)) freeform_tags = optional(map(string)) - }))) + })),{}) bucket_logs = optional(map(object({ name_prefix = optional(string) log_group_id = string target_compartment_ids = list(string) category = string is_enabled = optional(bool) - retention_duration = optional(number) + retention_duration = optional(number,90) defined_tags = optional(map(string)) freeform_tags = optional(map(string)) - }))) + })),{}) custom_logs = optional(map(object({ name = string log_group_id = string @@ -60,10 +61,10 @@ variable "logging_configuration" { parser_type = optional(string) path = list(string) is_enabled = optional(bool) - retention_duration = optional(number) + retention_duration = optional(number,90) defined_tags = optional(map(string)) freeform_tags = optional(map(string)) - }))) + })),{}) }) } 
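Review bot: Changing `retention_duration` to `optional(number,90)` for every log kind, together with dropping the `coalesce(..., 60)` fallbacks in flow_logs.tf and main.tf, moves the effective default from 60 to 90 days for any caller that omitted the attribute, so existing stacks will see retention updates on their next plan; that is a behavior change worth an explicit line in the release notes (RELEASE-NOTES.md is in the diffstat but not in this view). A comment on the first of these lines, `# 90 is the CIS minimum that the module's preconditions enforce while enable_cis_checks is true`, ties the default to the check. The second hunk in this line makes the same change for custom_logs.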
@@ -79,8 +80,18 @@ variable "module_name" { default = "logging" } -variable "compartments_dependency" { - description = "A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type." - type = map(any) - default = null +variable compartments_dependency { + description = "A map of objects containing the externally managed compartments this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the compartment OCID) of string type." + type = map(object({ + id = string + })) + default = null +} + +variable "log_groups_dependency" { + description = "A map of objects containing the externally managed log_groups this module may depend on. All map objects must have the same type and must contain at least an 'id' attribute (representing the log group OCID) of string type." + type = map(object({ + id = string + })) + default = null } \ No newline at end of file diff --git a/release.txt b/release.txt index 84aa3a7..82551ad 100644 --- a/release.txt +++ b/release.txt @@ -1 +1 @@ -0.1.8 \ No newline at end of file +0.1.9 \ No newline at end of file
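Review bot: `variable compartments_dependency {` drops the quotes around the label while the new `log_groups_dependency` block below keeps them; as far as I recall the HCL parser accepts an identifier label, but `terraform fmt` normalizes to the quoted form and the rest of the file is quoted, so `variable "compartments_dependency" {` keeps the style consistent. The type also narrows from `map(any)` to `map(object({ id = string }))`, which is a stricter contract for existing callers: a map whose objects lack `id` now fails at variable validation, which matches the description's wording, and if extra attributes are meant to be tolerated the description could say so.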