Feat sink billing account

0-bootstrap/sa.tf

@@ -227,3 +227,10 @@ resource "google_billing_account_iam_member" "billing_admin_user" {
     google_billing_account_iam_member.tf_billing_user
   ]
 }
+
+resource "google_billing_account_iam_member" "billing_account_sink" {
+  billing_account_id = var.billing_account
+  role               = "roles/logging.configWriter"
+  member             = "serviceAccount:${google_service_account.terraform-env-sa["org"].email}"
+}
+

1-org/envs/shared/log_sinks.tf

@@ -42,6 +42,7 @@ module "logs_export" {
   resources                      = local.parent_resources
   resource_type                  = local.parent_resource_type
   logging_destination_project_id = module.org_audit_logs.project_id
+  billing_account                = local.billing_account
 
   /******************************************
     Send logs to Storage
@@ -92,3 +93,4 @@ resource "google_bigquery_dataset" "billing_dataset" {
   friendly_name = "GCP Billing Data"
   location      = var.billing_export_dataset_location
 }
+

1-org/envs/shared/org_policy.tf

@@ -90,6 +90,14 @@ module "restrict_protocol_fowarding" {
   IAM
 *******************************************/
 
+// Time sleep
+resource "time_sleep" "wait_org_policies" {
+  create_duration = "30s"
+  depends_on = [
+    module.logs_export
+  ]
+}
+
 module "org_domain_restricted_sharing" {
   source  = "terraform-google-modules/org-policy/google//modules/domain_restricted_sharing"
   version = "~> 5.1"
@@ -98,6 +106,10 @@ module "org_domain_restricted_sharing" {
   folder_id        = local.folder_id
   policy_for       = local.policy_for
   domains_to_allow = var.domains_to_allow
+
+  depends_on = [
+    time_sleep.wait_org_policies
+  ]
 }
 
 /******************************************

1-org/modules/centralized-logging/README.md

@@ -59,11 +59,13 @@ module "logging_logbucket" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| billing\_account | Billing Account ID used in case sinks are under billing account level. Format 000000-000000-000000. | `string` | `null` | no |
+| enable\_billing\_account\_sink | If true, a log router sink will be created for the billing account. The billing\_account variable cannot be null. | `bool` | `false` | no |
 | logbucket\_options | Destination LogBucket options:<br>- name: The name of the log bucket to be created and used for log entries matching the filter.<br>- logging\_sink\_name: The name of the log sink to be created.<br>- logging\_sink\_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs.<br>- location: The location of the log bucket. Default: global.<br>- enable\_analytics: Whether or not Log Analytics is enabled. A Log bucket with Log Analytics enabled can be queried in the Log Analytics page using SQL queries. Cannot be disabled once enabled.<br>- linked\_dataset\_id: The ID of the linked BigQuery dataset. A valid link dataset ID must only have alphanumeric characters and underscores within it and have up to 100 characters.<br>- linked\_dataset\_description: A use-friendly description of the linked BigQuery dataset. The maximum length of the description is 8000 characters.<br>- retention\_days: The number of days data should be retained for the log bucket. Default 30. | <pre>object({<br>    name                       = optional(string, null)<br>    logging_sink_name          = optional(string, null)<br>    logging_sink_filter        = optional(string, "")<br>    location                   = optional(string, "global")<br>    enable_analytics           = optional(bool, true)<br>    linked_dataset_id          = optional(string, null)<br>    linked_dataset_description = optional(string, null)<br>    retention_days             = optional(number, 30)<br>  })</pre> | `null` | no |
 | logging\_destination\_project\_id | The ID of the project that will have the resources where the logs will be created. | `string` | n/a | yes |
 | logging\_project\_key | (Optional) The key of logging destination project if it is inside resources map. It is mandatory when resource\_type = project and logging\_target\_type = logbucket. | `string` | `""` | no |
 | pubsub\_options | Destination Pubsub options:<br>- topic\_name: The name of the pubsub topic to be created and used for log entries matching the filter.<br>- logging\_sink\_name: The name of the log sink to be created.<br>- logging\_sink\_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs.<br>- create\_subscriber: Whether to create a subscription to the topic that was created and used for log entries matching the filter. If 'true', a pull subscription is created along with a service account that is granted roles/pubsub.subscriber and roles/pubsub.viewer to the topic. | <pre>object({<br>    topic_name          = optional(string, null)<br>    logging_sink_name   = optional(string, null)<br>    logging_sink_filter = optional(string, "")<br>    create_subscriber   = optional(bool, true)<br>  })</pre> | `null` | no |
-| resource\_type | Resource type of the resource that will export logs to destination. Must be: project, organization, or folder. | `string` | n/a | yes |
+| resource\_type | Resource type of the resource that will export logs to destination. Must be: project, organization or folder. | `string` | n/a | yes |
 | resources | Export logs from the specified resources. | `map(string)` | n/a | yes |
 | storage\_options | Destination Storage options:<br>- storage\_bucket\_name: The name of the storage bucket to be created and used for log entries matching the filter.<br>- logging\_sink\_name: The name of the log sink to be created.<br>- logging\_sink\_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs.<br>- location: The location of the logging destination. Default: US.<br>- Retention Policy variables: (Optional) Configuration of the bucket's data retention policy for how long objects in the bucket should be retained.<br>  - retention\_policy\_enabled: if a retention policy should be enabled in the bucket.<br>  - retention\_policy\_is\_locked: Set if policy is locked.<br>  - retention\_policy\_period\_days: Set the period of days for log retention. Default: 30.<br>- versioning: Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted.<br>- force\_destroy: When deleting a bucket, this boolean option will delete all contained objects. | <pre>object({<br>    storage_bucket_name          = optional(string, null)<br>    logging_sink_name            = optional(string, null)<br>    logging_sink_filter          = optional(string, "")<br>    location                     = optional(string, "US")<br>    retention_policy_enabled     = optional(bool, false)<br>    retention_policy_is_locked   = optional(bool, false)<br>    retention_policy_period_days = optional(number, 30)<br>    versioning                   = optional(bool, false)<br>    force_destroy                = optional(bool, false)<br>  })</pre> | `null` | no |
 

1-org/modules/centralized-logging/main.tf

@@ -90,6 +90,20 @@ module "log_export" {
   include_children       = local.include_children
 }
 
+module "log_export_billing" {
+  source  = "terraform-google-modules/log-export/google"
+  version = "~> 7.4"
+
+  for_each = var.enable_billing_account_sink ? local.log_exports : {}
+
+  destination_uri        = local.destination_uri_map[each.value.type]
+  filter                 = ""
+  log_sink_name          = "${coalesce(each.value.options.logging_sink_name, local.logging_sink_name_map[each.value.type])}-billing-${random_string.suffix.result}"
+  parent_resource_id     = var.billing_account
+  parent_resource_type   = "billing_account"
+  unique_writer_identity = true
+}
+
 #-------------------------#
 # Send logs to Log Bucket #
 #-------------------------#
@@ -124,6 +138,20 @@ resource "google_project_iam_member" "logbucket_sink_member" {
   member = module.log_export["${each.value}_lbk"].writer_identity
 }
 
+#------------------------------------------------------------------#
+# Log Bucket Service account IAM membership for log_export_billing #
+#------------------------------------------------------------------#
+resource "google_project_iam_member" "logbucket_sink_member_billing" {
+  for_each = var.logbucket_options != null ? local.logbucket_sink_member : {}
+
+  project = var.logging_destination_project_id
+  role    = "roles/logging.bucketWriter"
+
+  # Set permission only on sinks for this destination using
+  # module.log_export_billing key "<resource>_<dest>"
+  member = module.log_export_billing["${each.value}_lbk"].writer_identity
+}
+
 #----------------------#
 # Send logs to Storage #
 #----------------------#
@@ -158,6 +186,17 @@ resource "google_storage_bucket_iam_member" "storage_sink_member" {
   member = module.log_export["${each.value}_sto"].writer_identity
 }
 
+#---------------------------------------------------------------#
+# Storage Service account IAM membership for log_export_billing #
+#---------------------------------------------------------------#
+resource "google_storage_bucket_iam_member" "storage_sink_member_billing" {
+  for_each = var.storage_options != null ? var.resources : {}
+
+  bucket = module.destination_storage[0].resource_name
+  role   = "roles/storage.objectCreator"
+  member = module.log_export_billing["${each.value}_sto"].writer_identity
+}
+
 
 #----------------------#
 # Send logs to Pub\Sub #
@@ -185,3 +224,15 @@ resource "google_pubsub_topic_iam_member" "pubsub_sink_member" {
   role    = "roles/pubsub.publisher"
   member  = module.log_export["${each.value}_pub"].writer_identity
 }
+
+#--------------------------------------------------------------#
+# Pubsub Service account IAM membership for log_export_billing #
+#--------------------------------------------------------------#
+resource "google_pubsub_topic_iam_member" "pubsub_sink_member_billing" {
+  for_each = var.pubsub_options != null ? var.resources : {}
+
+  project = var.logging_destination_project_id
+  topic   = module.destination_pubsub[0].resource_name
+  role    = "roles/pubsub.publisher"
+  member  = module.log_export_billing["${each.value}_pub"].writer_identity
+}

1-org/modules/centralized-logging/variables.tf

@@ -25,15 +25,27 @@ variable "resources" {
 }
 
 variable "resource_type" {
-  description = "Resource type of the resource that will export logs to destination. Must be: project, organization, or folder."
+  description = "Resource type of the resource that will export logs to destination. Must be: project, organization or folder."
   type        = string
 
   validation {
     condition     = contains(["project", "folder", "organization"], var.resource_type)
-    error_message = "The resource_type value must be: project, organization, or folder."
+    error_message = "The resource_type value must be: project, organization or folder."
   }
 }
 
+variable "billing_account" {
+  description = "Billing Account ID used in case sinks are under billing account level. Format 000000-000000-000000."
+  type        = string
+  default     = null
+}
+
+variable "enable_billing_account_sink" {
+  description = "If true, a log router sink will be created for the billing account. The billing_account variable cannot be null."
+  type        = bool
+  default     = false
+}
+
 variable "logging_project_key" {
   description = "(Optional) The key of logging destination project if it is inside resources map. It is mandatory when resource_type = project and logging_target_type = logbucket."
   type        = string
@@ -123,3 +135,4 @@ EOT
   })
   default = null
 }
+