terraform-google-modules/terraform-google-log-export

Problem having log-export and logbucket destination on same project


TL;DR

When trying to use log-export module for a project "X" and create the destination logbucket on the same project "X" it raises an error.

Expected behavior

Create the log sink resource (based on log-export module) and logbucket as a destination of the sink.

Observed behavior

It raised the following error because the field log_sink_writer_identity in module.destination has a blank value:

Error: Request `Create IAM Members roles/logging.bucketWriter  for project "my-project"` returned error: Error applying IAM policy for project "my-project": Error setting IAM policy for project "my-project": googleapi: Error 400: Policy members must be of the form "<type>:<value>".
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.BadRequest",
    "fieldViolations": [
      {
        "description": "Policy members must be prefixed of the form '\u003ctype\u003e:\u003cvalue\u003e', where \u003ctype\u003e is 'domain', 'group', 'serviceAccount', or 'user'.",
        "field": "policy.bindings.member"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "cloudresourcemanager.googleapis.com",
    "reason": "PROJECT_SET_IAM_DISALLOWED_MEMBER_TYPE"
  },
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "resourceName": "projects/my-project"
  }
]
, badRequest

  on .terraform/modules/destination_logbucket/modules/logbucket/main.tf line 45, in resource "google_project_iam_member" "logbucket_sink_member":
  45: resource "google_project_iam_member" "logbucket_sink_member" {

Terraform Configuration

module "log_export" {
  source  = "terraform-google-modules/log-export/google"
  version = "~> 7.3.0"

  destination_uri        = module.destination_logbucket.destination_uri
  filter                 = ""
  log_sink_name          = "my-sink-name"
  parent_resource_id     = "my-project"
  parent_resource_type   = "project"
  unique_writer_identity = true
  include_children       = true
}

module "destination_logbucket" {
  source  = "terraform-google-modules/log-export/google//modules/logbucket"
  version = "~> 7.4.0"

  project_id               = "my-project"
  name                     = "my-log-bucket-name"
  log_sink_writer_identity = module.log_export.writer_identity
  location                 = "us-east4"
  retention_days           = "30"
}

Terraform Version

Terraform v0.13.7
+ provider registry.terraform.io/hashicorp/google v4.27.0
+ provider registry.terraform.io/hashicorp/google-beta v4.27.0
+ provider registry.terraform.io/hashicorp/random v3.3.2

Additional information

According to Configure and manage sinks documentation:

If you're using a sink to route logs between Logging buckets in the same Cloud project, no new service account is created; the sink works without the unique writer identity.

Thanks for the report @felipecrescencio-cit
We can add a check to make sure

member = var.log_sink_writer_identity
is not empty. Another alternative would be to add a parent var, but I think the first one requires lower effort and conforms to other module APIs.

Hi @bharathkkb
I tried the check that you mentioned, but as var.log_sink_writer_identity comes from an output of the log-export module, Terraform cannot handle this check.
I created another variable to handle this issue.
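One way to express the guard discussed in the comments, as an added example rather than the module's own code: the `google_project_iam_member` in a logbucket module is wrapped in a `count` driven by a separate plan-time boolean, because `count` cannot be computed from `module.log_export.writer_identity`, which is an unknown value until apply. The variable name `grant_write_permission_on_bucket` and the surrounding resource layout are assumptions for illustration.

```hcl
# Added example (not the terraform-google-log-export module's own code):
# hypothetical excerpt of a logbucket module that guards the IAM binding.
variable "project_id" { type = string }
variable "name" { type = string }
variable "location" { type = string }
variable "retention_days" { type = number }

variable "log_sink_writer_identity" {
  description = "Writer identity of the sink; empty when sink and bucket share a project."
  type        = string
  default     = ""
}

# Assumed extra variable: a plan-time known bool. The writer identity itself is
# an unknown module output until apply, so `count` cannot be derived from it.
variable "grant_write_permission_on_bucket" {
  description = "Grant roles/logging.bucketWriter to the sink's writer identity."
  type        = bool
  default     = true
}

resource "google_logging_project_bucket_config" "bucket" {
  project        = var.project_id
  location       = var.location
  retention_days = var.retention_days
  bucket_id      = var.name
}

# Skipped for the same-project case, where Logging creates no unique writer
# identity and an empty member would trigger the 400 shown in the issue.
resource "google_project_iam_member" "logbucket_sink_member" {
  count   = var.grant_write_permission_on_bucket ? 1 : 0
  project = var.project_id
  role    = "roles/logging.bucketWriter"
  member  = var.log_sink_writer_identity
}

output "destination_uri" {
  value = "logging.googleapis.com/${google_logging_project_bucket_config.bucket.id}"
}
```

In the root configuration from the report, the same-project case would pass `grant_write_permission_on_bucket = false` to `module.destination_logbucket` and leave the rest unchanged.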