terraform-google-modules/terraform-google-log-export

The log export module fails to create a unique service account in the correct format and to generate the writer_identity for export.

Closed this issue · 1 comment

TL;DR

Objective:

Create a log sink that exports logs and dumps them into a log bucket in the same project.

Issue:

The base log-export module outputs an empty writer_identity string, rendering it unusable as an input for the destination logbucket submodule. The root cause seems to be that the log-export module is not creating the service account in the correct format, despite unique_writer_identity being set to true.

Expected behavior

The parent module should create a service account in the correct format and generate a valid writer_identity string that can be used as an input for the logbucket submodule.

Observed behavior

This throws an error:
Error: invalid value for member (IAM members must have one of the values outlined here: https://cloud.google.com/billing/docs/reference/rest/v1/Policy#Binding)

│ with module.destination_log_bucket.google_project_iam_member.logbucket_sink_member[0],
│ on .terraform\modules\destination_log_bucket\modules\logbucket\main.tf line 73, in resource "google_project_iam_member" "logbucket_sink_member":
│ 73: member = var.log_sink_writer_identity

Terraform Configuration

# Create a log sink in the central logging project
module "log_export" {
  source                 = "terraform-google-modules/log-export/google"
  version                = "~> 8.0"
  destination_uri        = module.destination_log_bucket.destination_uri
  filter                 = "logName:\"logs/cloudaudit.googleapis.com\""
  log_sink_name          = "project_${local.logging_project_id}_logsink"
  parent_resource_id     = local.logging_project_id
  parent_resource_type   = "project"
  unique_writer_identity = true
}

# The log sink is backed by a Log bucket
module "destination_log_bucket" {
  source                   = "terraform-google-modules/log-export/google//modules/logbucket"
  version                  = "~> 8.0"
  project_id               = local.logging_project_id
  name                     = "logbucket_${local.logging_project_id}_${random_string.suffix.result}"
  location                 = "global"
  log_sink_writer_identity = module.log_export.writer_identity
  retention_days           = 365
}

Terraform Version

Terraform v1.8.5
on windows_amd64

Additional information

The code works when unique_writer_identity = false in module "log_export" and log_sink_writer_identity = "serviceAccount:cloud-logs@system.gserviceaccount.com" in module "destination_log_bucket", i.e. when the common, non-unique service account is assigned.
But this only works when both the log sink and the log bucket are in the same project.
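A pre-apply check that makes the failure above legible is to read the sink's writerIdentity back from the API and validate it as an IAM member string before it is handed to the logbucket submodule, instead of letting google_project_iam_member fail with the generic "invalid value for member" error. The script below is an added example and is not part of this issue or of the terraform-google-log-export module; it assumes the gcloud CLI is installed and authenticated for the real check, and the accepted member prefixes are the ones the Google provider documents for IAM bindings (user:, serviceAccount:, group:, domain:, the project* convenience roles, deleted: members, allUsers/allAuthenticatedUsers and workload-identity principal:// forms). The sample strings in the loop are constructed for illustration; the unique identity is only shaped like the ones Cloud Logging creates.

```shell
#!/bin/sh
# Validate a GCP IAM member string of the kind google_project_iam_member
# expects. Returns 0 for a usable member, 1 otherwise. The empty string
# (what module.log_export.writer_identity produced in this issue) and
# strings carrying stray quotes or whitespace are rejected explicitly.
valid_iam_member() {
  m=$1
  case "$m" in
    "")                              return 1 ;;   # empty writer identity
    *\"*|*\'*|*" "*)                 return 1 ;;   # quoting/spacing mistake
    allUsers|allAuthenticatedUsers)  return 0 ;;
    user:*@*|serviceAccount:*@*|group:*@*) return 0 ;;
    domain:?*)                       return 0 ;;
    projectOwner:?*|projectEditor:?*|projectViewer:?*) return 0 ;;
    deleted:user:*@*|deleted:serviceAccount:*@*|deleted:group:*@*) return 0 ;;
    principal://*|principalSet://*)  return 0 ;;
    *)                               return 1 ;;   # no recognised prefix
  esac
}

# Read the writer identity of an existing sink and validate it.
# Usage: check_sink_writer_identity SINK_NAME PROJECT_ID
# Returns 0 and prints the identity when it is usable, 1 when the sink
# has no usable writer identity, 2 when gcloud itself failed.
check_sink_writer_identity() {
  wid=$(gcloud logging sinks describe "$1" --project "$2" \
          --format='value(writerIdentity)') || return 2
  if valid_iam_member "$wid"; then
    printf 'writer identity for sink %s: %s\n' "$1" "$wid"
  else
    printf 'sink %s has no usable writer identity (got: %s)\n' \
      "$1" "${wid:-<empty>}" >&2
    return 1
  fi
}

# Constructed sample inputs (not from a real project) showing the
# accept/reject behaviour. The first is the shared non-unique identity
# from this issue, the second is shaped like a unique per-sink identity,
# the empty string is the value that caused the error in this issue.
for m in "serviceAccount:cloud-logs@system.gserviceaccount.com" \
         "serviceAccount:service-123456789012@gcp-sa-logging.iam.gserviceaccount.com" \
         "" \
         "cloud-logs@system.gserviceaccount.com"; do
  if valid_iam_member "$m"; then
    printf 'ok      %s\n' "$m"
  else
    printf 'reject  %s\n' "${m:-<empty>}"
  fi
done
```

Run check_sink_writer_identity against the sink after a first terraform apply (for example check_sink_writer_identity "project_${PROJECT}_logsink" "$PROJECT"); an empty value confirms that the sink was created without a writer identity and that the IAM binding in the logbucket submodule cannot succeed, whatever unique_writer_identity was set to.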

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.