Deploys services for Log Analysis, Activity Tracker, Monitoring, and Cloud Logs

Terraform IBM Observability instances module

Important

The IBM Log Analysis and IBM Cloud Activity Tracker services are deprecated and no longer supported in this module. IBM Cloud Logs is the replacement service and is now the default service created with this module.

This module supports provisioning the following observability services:

  • IBM Cloud Logs
    • IBM® Cloud Logs is a scalable logging service that persists logs and provides users with capabilities for querying, tailing, and visualizing logs.
  • IBM Cloud Activity Tracker Event Routing
    • Use IBM Cloud® Activity Tracker Event Routing to configure how to route auditing events, both global and location-based event data, in your IBM Cloud. Supports routing to the following target types: IBM Cloud Object Storage (COS), IBM Cloud Logs, and IBM® Event Streams for IBM Cloud®.
  • IBM Cloud Monitoring
    • Monitor the health of services and applications in IBM Cloud.
  • IBM Cloud Metrics Routing
    • Use IBM Cloud® Metrics Routing to configure the routing of platform metrics generated in your IBM Cloud account. Supports routing to IBM Cloud Monitoring target.

Overview

terraform-ibm-observability-instances

Usage

# Locals
locals {
  region = "us-south"
}

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    ibm = {
      source  = "ibm-cloud/ibm"
      version = "X.Y.Z" # lock into a supported provider version
    }
  }
}

provider "ibm" {
  ibmcloud_api_key = "XXXXXXXXXXXX" # placeholder: pass the key in from a sensitive variable rather than committing it
  region           = local.region
}

# Below config will provision:
# - Cloud Logs instance
# - Monitoring instance
# - Activity Tracker route to the Cloud Logs target
# - Metrics Routing to Cloud Monitoring target
module "observability_instances" {
  source            = "terraform-ibm-modules/observability-instances/ibm"
  version           = "X.Y.Z" # Replace "X.Y.Z" with a release version to lock into a specific release
  resource_group_id = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX"
  region            = local.region
  cloud_logs_data_storage = {
    # logs and metrics buckets must be different
    logs_data = {
      enabled         = true
      bucket_crn      = "crn:v1:bluemix:public:cloud-object-storage:global:a/......"
      bucket_endpoint = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
    },
    metrics_data = {
      enabled         = true
      bucket_crn      = "crn:v1:bluemix:public:cloud-object-storage:global:a/......"
      bucket_endpoint = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
    }
  }
  at_cloud_logs_targets = [
    {
      instance_id   = module.observability_instances.cloud_logs_crn
      target_region = local.region
      target_name   = "my-icl-target"
    }
  ]
  activity_tracker_routes = [
    {
      locations  = ["*", "global"]
      target_ids = [module.observability_instances.activity_tracker_targets["my-icl-target"].id]
      route_name = "my-icl-route"
    }
  ]
  # input names match the Inputs section (metrics_router_*)
  metrics_router_targets = [
    {
      destination_crn = module.observability_instances.cloud_monitoring_crn
      target_region   = "us-south"
      target_name     = "cloud-monitoring-target"
    }
  ]
  metrics_router_routes = [
    {
      name  = "metric-router-route"
      rules = [
        {
          action  = "send"
          targets = [{
            id = module.observability_instances.metrics_router_targets["cloud-monitoring-target"].id
          }]
          inclusion_filters = [{
            operand  = "location"
            operator = "is"
            values   = ["us-south"]
          }]
        }
      ]
    }
  ]
}

Required IAM access policies

You need the following permissions to run this module.

  • Service
    • Resource group only
      • Viewer access on the specific resource group
    • Activity Tracker Event Routing (Required if creating AT routes and targets)
      • Editor platform access
      • Manager service access
    • Cloud Logs
      • Editor platform access
      • Manager service access
    • IBM Cloud Logs Routing (Required if creating tenants, which are required to enable platform logs)
      • Editor platform access
      • Manager service access
    • Cloud Monitoring
      • Editor platform access
      • Manager service access
    • Tagging service (Required if attaching access tags)
      • Editor platform access
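The policies above can be pinned to an access group so the identity that runs the module holds no more than the listed roles. The following is an added example, not code from the module or its README; it uses the IBM provider's `ibm_iam_access_group` and `ibm_iam_access_group_policy` resources. The resource group name and the IAM service identifiers ("atracker", "logs", "logs-router", "sysdig-monitor") are assumptions and should be verified against the service names IBM Cloud IAM reports for your account before use.

```hcl
# Added example (not part of terraform-ibm-observability-instances): an access
# group that carries exactly the roles listed in "Required IAM access policies".

data "ibm_resource_group" "observability" {
  name = "observability-rg" # placeholder: the resource group the instances will live in
}

resource "ibm_iam_access_group" "observability_deployers" {
  name        = "observability-deployers"
  description = "Identity that runs terraform-ibm-observability-instances"
}

# Resource group only: Viewer on the specific resource group
resource "ibm_iam_access_group_policy" "resource_group_viewer" {
  access_group_id = ibm_iam_access_group.observability_deployers.id
  roles           = ["Viewer"]
  resources {
    resource_type = "resource-group"
    resource      = data.ibm_resource_group.observability.id
  }
}

# Editor (platform) and Manager (service) on each observability service,
# scoped to the resource group rather than granted account-wide.
locals {
  observability_services = {
    activity_tracker_event_routing = "atracker"       # assumed IAM service identifier
    cloud_logs                     = "logs"           # assumed IAM service identifier
    logs_routing                   = "logs-router"    # assumed; only needed when creating tenants
    cloud_monitoring               = "sysdig-monitor" # assumed IAM service identifier
  }
}

resource "ibm_iam_access_group_policy" "service_manager" {
  for_each        = local.observability_services
  access_group_id = ibm_iam_access_group.observability_deployers.id
  roles           = ["Editor", "Manager"]
  resources {
    service           = each.value
    resource_group_id = data.ibm_resource_group.observability.id
  }
}
```

The Tagging service Editor policy, needed only when access tags are attached, follows the same `resources { service = ... }` pattern with that service's identifier. Scoping each policy with `resource_group_id` keeps the Manager role from reaching observability instances in other resource groups.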

Requirements

  • terraform: >= 1.0.0
  • ibm: >= 1.70.0, < 2.0.0

Modules

  • activity_tracker: ./modules/activity_tracker (version n/a)
  • cloud_logs: ./modules/cloud_logs (version n/a)
  • cloud_monitoring: ./modules/cloud_monitoring (version n/a)
  • metric_routing: ./modules/metrics_routing (version n/a)

Resources

No resources.

Inputs

  • activity_tracker_routes
    • Description: List of routes to be created; a maximum of four routes is allowed.
    • Type:
      list(object({
        locations  = list(string)
        target_ids = list(string)
        route_name = string
      }))
    • Default: []
    • Required: no
  • at_cloud_logs_targets
    • Description: List of Cloud Logs targets to be created.
    • Type:
      list(object({
        instance_id                              = string
        target_region                            = optional(string)
        target_name                              = string
        skip_atracker_cloud_logs_iam_auth_policy = optional(bool, false)
      }))
    • Default: []
    • Required: no
  • at_cos_targets
    • Description: List of COS targets to be created.
    • Type:
      list(object({
        endpoint                          = string
        bucket_name                       = string
        instance_id                       = string
        api_key                           = optional(string)
        service_to_service_enabled        = optional(bool, true)
        target_region                     = optional(string)
        target_name                       = string
        skip_atracker_cos_iam_auth_policy = optional(bool, false)
      }))
    • Default: []
    • Required: no
  • at_eventstreams_targets
    • Description: List of Event Streams targets to be created.
    • Type:
      list(object({
        instance_id                      = string
        brokers                          = list(string)
        topic                            = string
        api_key                          = optional(string)
        service_to_service_enabled       = optional(bool, true)
        skip_atracker_es_iam_auth_policy = optional(bool, false)
        target_region                    = optional(string)
        target_name                      = string
      }))
    • Default: []
    • Required: no
  • cloud_logs_access_tags
    • Description: A list of access tags to apply to the IBM Cloud Logs instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial.
    • Type: list(string)
    • Default: []
    • Required: no
  • cloud_logs_data_storage
    • Description: A logs data bucket and a metrics bucket in IBM Cloud Object Storage to store your IBM Cloud Logs data for long-term storage, search, analysis and alerting.
    • Type:
      object({
        logs_data = optional(object({
          enabled              = optional(bool, false)
          bucket_crn           = optional(string)
          bucket_endpoint      = optional(string)
          skip_cos_auth_policy = optional(bool, false)
        }), {})
        metrics_data = optional(object({
          enabled              = optional(bool, false)
          bucket_crn           = optional(string)
          bucket_endpoint      = optional(string)
          skip_cos_auth_policy = optional(bool, false)
        }), {})
      })
    • Default: { "logs_data": null, "metrics_data": null }
    • Required: no
  • cloud_logs_existing_en_instances
    • Description: List of Event Notifications instance details for routing critical events that occur in your IBM Cloud Logs.
    • Type:
      list(object({
        en_instance_id      = string
        en_region           = string
        en_integration_name = optional(string)
        skip_en_auth_policy = optional(bool, false)
      }))
    • Default: []
    • Required: no
  • cloud_logs_instance_name
    • Description: The name of the IBM Cloud Logs instance to create. Defaults to 'cloud_logs-'
    • Type: string
    • Default: null
    • Required: no
  • cloud_logs_plan
    • Description: The IBM Cloud Logs plan to provision. Available: standard
    • Type: string
    • Default: "standard"
    • Required: no
  • cloud_logs_policies
    • Description: Configuration of Cloud Logs policies.
    • Type:
      list(object({
        logs_policy_name        = string
        logs_policy_description = optional(string, null)
        logs_policy_priority    = string
        application_rule = optional(list(object({
          name         = string
          rule_type_id = optional(string, "unspecified")
        })))
        subsystem_rule = optional(list(object({
          name         = string
          rule_type_id = optional(string, "unspecified")
        })))
        log_rules = optional(list(object({
          severities = list(string)
        })))
        archive_retention = optional(list(object({
          id = string
        })))
      }))
    • Default: []
    • Required: no
  • cloud_logs_provision
    • Description: Provision an IBM Cloud Logs instance?
    • Type: bool
    • Default: true
    • Required: no
  • cloud_logs_retention_period
    • Description: The number of days IBM Cloud Logs will retain the logs data in Priority insights. Allowed values: 7, 14, 30, 60, 90.
    • Type: number
    • Default: 7
    • Required: no
  • cloud_logs_service_endpoints
    • Description: The type of the service endpoint that will be set for the IBM Cloud Logs instance.
    • Type: string
    • Default: "public-and-private"
    • Required: no
  • cloud_logs_tags
    • Description: Tags associated with the IBM Cloud Logs instance (Optional, array of strings).
    • Type: list(string)
    • Default: []
    • Required: no
  • cloud_monitoring_access_tags
    • Description: A list of access tags to apply to the Cloud Monitoring instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial.
    • Type: list(string)
    • Default: []
    • Required: no
  • cloud_monitoring_instance_name
    • Description: The name of the IBM Cloud Monitoring instance to create. Defaults to 'cloud_monitoring-'
    • Type: string
    • Default: null
    • Required: no
  • cloud_monitoring_manager_key_name
    • Description: The name to give the IBM Cloud Monitoring manager key.
    • Type: string
    • Default: "SysdigManagerKey"
    • Required: no
  • cloud_monitoring_manager_key_tags
    • Description: Tags associated with the IBM Cloud Monitoring manager key.
    • Type: list(string)
    • Default: []
    • Required: no
  • cloud_monitoring_plan
    • Description: The IBM Cloud Monitoring plan to provision. Available: lite, graduated-tier
    • Type: string
    • Default: "lite"
    • Required: no
  • cloud_monitoring_provision
    • Description: Provision an IBM Cloud Monitoring instance?
    • Type: bool
    • Default: true
    • Required: no
  • cloud_monitoring_service_endpoints
    • Description: The type of the service endpoint that will be set for the IBM Cloud Monitoring instance. Allowed values: public-and-private
    • Type: string
    • Default: "public-and-private"
    • Required: no
  • cloud_monitoring_tags
    • Description: Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings).
    • Type: list(string)
    • Default: []
    • Required: no
  • enable_platform_logs
    • Description: Setting this to true will create a tenant in the same region that the Cloud Logs instance is provisioned in, to enable platform logs for that region. To send platform logs from other regions, you can explicitly specify a list of regions using the logs_routing_tenant_regions input. NOTE: You can only have 1 tenant per region in an account.
    • Type: bool
    • Default: true
    • Required: no
  • enable_platform_metrics
    • Description: Receive platform metrics in the provisioned IBM Cloud Monitoring instance.
    • Type: bool
    • Default: true
    • Required: no
  • global_event_routing_settings
    • Description: Global settings for event routing.
    • Type:
      object({
        default_targets           = optional(list(string), [])
        metadata_region_primary   = string
        metadata_region_backup    = optional(string)
        permitted_target_regions  = list(string)
        private_api_endpoint_only = optional(bool, false)
      })
    • Default: null
    • Required: no
  • logs_routing_tenant_regions
    • Description: Pass a list of regions in which to create a tenant that is targeted to the Cloud Logs instance created by this module. To manage platform logs that are generated by IBM Cloud® services in a region of IBM Cloud, you must create a tenant in each region that you operate. Leave the list empty if you don't want to create any tenants.
    • Type: list(any)
    • Default: []
    • Required: no
  • metrics_router_routes
    • Description: List of routes for IBM Metrics Router.
    • Type:
      list(object({
        name = string
        rules = list(object({
          action = optional(string, "send")
          targets = optional(list(object({
            id = string
          })))
          inclusion_filters = list(object({
            operand  = string
            operator = string
            values   = list(string)
          }))
        }))
      }))
    • Default: []
    • Required: no
  • metrics_router_settings
    • Description: Global settings for Metrics Routing.
    • Type:
      object({
        default_targets = optional(list(object({
          id = string
        })))
        permitted_target_regions  = optional(list(string))
        primary_metadata_region   = optional(string)
        backup_metadata_region    = optional(string)
        private_api_endpoint_only = optional(bool, false)
      })
    • Default: null
    • Required: no
  • metrics_router_targets
    • Description: List of Metrics Router targets to be created.
    • Type:
      list(object({
        destination_crn                     = string
        target_name                         = string
        target_region                       = optional(string)
        skip_mrouter_sysdig_iam_auth_policy = optional(bool, false)
      }))
    • Default: []
    • Required: no
  • region
    • Description: The IBM Cloud region where instances will be created.
    • Type: string
    • Default: "us-south"
    • Required: no
  • resource_group_id
    • Description: The id of the IBM Cloud resource group where the instance(s) will be created.
    • Type: string
    • Default: null
    • Required: no
  • skip_logs_routing_auth_policy
    • Description: Whether to create an IAM authorization policy that permits Logs Routing Sender access to the IBM Cloud Logs.
    • Type: bool
    • Default: false
    • Required: no
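Several of the inputs above decide how much credential material and network exposure a deployment carries: the `api_key` versus `service_to_service_enabled` choice on COS and Event Streams targets, and the `permitted_target_regions` and `private_api_endpoint_only` fields of the two routing-settings objects. The configuration below is an added example, not code from the module's README, that reworks the Usage configuration around those inputs: the provider key comes from a sensitive Terraform variable instead of a literal, the Activity Tracker COS target relies on service-to-service authorization so no API key is written to state, and both routing-settings objects pin metadata and targets to one region over private API endpoints only. The bucket name, COS instance identifier and resource group are placeholders, and `X.Y.Z` follows the Usage section's version convention.

```hcl
# Added example (not from the module's README): a hardened variant of the
# Usage configuration. Values marked "placeholder" are assumptions.

variable "ibmcloud_api_key" {
  description = "IBM Cloud API key; set via TF_VAR_ibmcloud_api_key so it never appears in source"
  type        = string
  sensitive   = true # redacted from plan/apply output
}

variable "resource_group_id" {
  description = "Resource group for the observability instances (placeholder value supplied at apply time)"
  type        = string
}

locals {
  region = "us-south"
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = local.region
}

module "observability_instances" {
  source  = "terraform-ibm-modules/observability-instances/ibm"
  version = "X.Y.Z" # lock into a specific release

  resource_group_id = var.resource_group_id
  region            = local.region

  # Keep audit-relevant logs in Priority insights for the longest allowed window (7, 14, 30, 60, 90).
  cloud_logs_retention_period = 90

  # Audit events to a COS bucket. service_to_service_enabled (the default) uses an IAM
  # authorization policy between Activity Tracker and COS, so api_key is left unset.
  at_cos_targets = [
    {
      endpoint                   = "s3.direct.us-south.cloud-object-storage.appdomain.cloud"
      bucket_name                = "audit-events-bucket"        # placeholder bucket name
      instance_id                = "COS_INSTANCE_ID_PLACEHOLDER" # placeholder: identifier of the COS instance that owns the bucket
      service_to_service_enabled = true
      target_region              = local.region
      target_name                = "audit-cos-target"
    }
  ]

  activity_tracker_routes = [
    {
      locations  = ["*", "global"]
      target_ids = [module.observability_instances.activity_tracker_targets["audit-cos-target"].id]
      route_name = "audit-cos-route"
    }
  ]

  # Event routing metadata and targets stay in one region; the control-plane API is
  # reachable only from the private network.
  global_event_routing_settings = {
    metadata_region_primary   = local.region
    permitted_target_regions  = [local.region]
    private_api_endpoint_only = true
  }

  # Same posture for platform metrics routing.
  metrics_router_settings = {
    primary_metadata_region   = local.region
    permitted_target_regions  = [local.region]
    private_api_endpoint_only = true
  }
}
```

With `private_api_endpoint_only = true`, later changes to the routing settings must be applied from a host that can reach the services' private endpoints, so the choice belongs in the runbook for whoever operates the Terraform state. If a target in another region is ever needed, widen `permitted_target_regions` explicitly rather than leaving it unset.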

Outputs

  • activity_tracker_routes: The map of created routes.
  • activity_tracker_targets: The map of created targets.
  • cloud_logs_crn: The id of the provisioned Cloud Logs instance.
  • cloud_logs_guid: The guid of the provisioned Cloud Logs instance.
  • cloud_logs_ingress_endpoint: The public ingress endpoint of the provisioned Cloud Logs instance.
  • cloud_logs_ingress_private_endpoint: The private ingress endpoint of the provisioned Cloud Logs instance.
  • cloud_logs_name: The name of the provisioned Cloud Logs instance.
  • cloud_logs_resource_group_id: The resource group where the Cloud Logs instance resides.
  • cloud_monitoring_access_key: IBM Cloud Monitoring access key for agents to use.
  • cloud_monitoring_crn: The id of the provisioned IBM Cloud Monitoring instance.
  • cloud_monitoring_guid: The guid of the provisioned IBM Cloud Monitoring instance.
  • cloud_monitoring_manager_key_name: The IBM Cloud Monitoring manager key name.
  • cloud_monitoring_name: The name of the provisioned IBM Cloud Monitoring instance.
  • cloud_monitoring_resource_group_id: The resource group where the IBM Cloud Monitoring instance resides.
  • logs_policies_details: The details of the Cloud Logs policies created.
  • metrics_router_routes: The created metrics routing routes.
  • metrics_router_settings: The global metrics routing settings.
  • metrics_router_targets: The created metrics routing targets.
  • region: Region that instance(s) are provisioned to.

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.