Feat sink billing account

0-bootstrap/sa.tf

@@ -227,3 +227,10 @@ resource "google_billing_account_iam_member" "billing_admin_user" {
     google_billing_account_iam_member.tf_billing_user
   ]
 }
+
+resource "google_billing_account_iam_member" "billing_account_sink" {
+  billing_account_id = var.billing_account
+  role               = "roles/logging.configWriter"
+  member             = "serviceAccount:${google_service_account.terraform-env-sa["org"].email}"
+}
+

1-org/envs/shared/README.md

@@ -11,6 +11,7 @@
 | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
 | data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
+| enable\_billing\_account\_sink | If true, a log router sink will be created for the billing account. The billing\_account variable cannot be null. | `bool` | `false` | no |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
 | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
 | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |

1-org/envs/shared/log_sinks.tf

@@ -42,6 +42,8 @@ module "logs_export" {
   resources                      = local.parent_resources
   resource_type                  = local.parent_resource_type
   logging_destination_project_id = module.org_audit_logs.project_id
+  billing_account                = local.billing_account
+  enable_billing_account_sink    = var.enable_billing_account_sink
 
   /******************************************
     Send logs to Storage

1-org/envs/shared/org_policy.tf

@@ -90,6 +90,13 @@ module "restrict_protocol_fowarding" {
   IAM
 *******************************************/
 
+resource "time_sleep" "wait_logs_export" {
+  create_duration = "30s"
+  depends_on = [
+    module.logs_export
+  ]
+}
+
 module "org_domain_restricted_sharing" {
   source  = "terraform-google-modules/org-policy/google//modules/domain_restricted_sharing"
   version = "~> 5.1"
@@ -98,6 +105,10 @@ module "org_domain_restricted_sharing" {
   folder_id        = local.folder_id
   policy_for       = local.policy_for
   domains_to_allow = var.domains_to_allow
+
+  depends_on = [
+    time_sleep.wait_logs_export
+  ]
 }
 
 /******************************************

1-org/envs/shared/variables.tf

@@ -14,6 +14,12 @@
  * limitations under the License.
  */
 
+variable "enable_billing_account_sink" {
+  description = "If true, a log router sink will be created for the billing account. The billing_account variable cannot be null."
+  type        = bool
+  default     = false
+}
+
 variable "enable_hub_and_spoke" {
   description = "Enable Hub-and-Spoke architecture."
   type        = bool

1-org/modules/centralized-logging/README.md

@@ -59,6 +59,8 @@ module "logging_logbucket" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| billing\_account | Billing Account ID used in case sinks are under billing account level. Format 000000-000000-000000. | `string` | `null` | no |
+| enable\_billing\_account\_sink | If true, a log router sink will be created for the billing account. The billing\_account variable cannot be null. | `bool` | `false` | no |
 | logbucket\_options | Destination LogBucket options:<br>- name: The name of the log bucket to be created and used for log entries matching the filter.<br>- logging\_sink\_name: The name of the log sink to be created.<br>- logging\_sink\_filter: The filter to apply when exporting logs. Only log entries that match the filter are exported. Default is "" which exports all logs.<br>- location: The location of the log bucket. Default: global.<br>- enable\_analytics: Whether or not Log Analytics is enabled. A Log bucket with Log Analytics enabled can be queried in the Log Analytics page using SQL queries. Cannot be disabled once enabled.<br>- linked\_dataset\_id: The ID of the linked BigQuery dataset. A valid link dataset ID must only have alphanumeric characters and underscores within it and have up to 100 characters.<br>- linked\_dataset\_description: A use-friendly description of the linked BigQuery dataset. The maximum length of the description is 8000 characters.<br>- retention\_days: The number of days data should be retained for the log bucket. Default 30. | <pre>object({<br>    name                       = optional(string, null)<br>    logging_sink_name          = optional(string, null)<br>    logging_sink_filter        = optional(string, "")<br>    location                   = optional(string, "global")<br>    enable_analytics           = optional(bool, true)<br>    linked_dataset_id          = optional(string, null)<br>    linked_dataset_description = optional(string, null)<br>    retention_days             = optional(number, 30)<br>  })</pre> | `null` | no |
 | logging\_destination\_project\_id | The ID of the project that will have the resources where the logs will be created. | `string` | n/a | yes |
 | logging\_project\_key | (Optional) The key of logging destination project if it is inside resources map. It is mandatory when resource\_type = project and logging\_target\_type = logbucket. | `string` | `""` | no |
@@ -71,6 +73,7 @@ module "logging_logbucket" {
 
 | Name | Description |
 |------|-------------|
+| enable\_billing\_account\_sink | If true, a log router sink will be created for the billing account. The billing\_account variable cannot be null. |
 | logbucket\_destination\_name | The resource name for the destination Log Bucket. |
 | logbucket\_linked\_dataset\_name | The resource name of the Log Bucket linked BigQuery dataset. |
 | pubsub\_destination\_name | The resource name for the destination Pub/Sub. |

1-org/modules/centralized-logging/main.tf

@@ -62,6 +62,12 @@ locals {
     lbk = try(module.destination_logbucket[0].destination_uri, "")
   }
 
+  destination_resource_uri = {
+    pub = try(module.destination_pubsub[0].destination_name, "")
+    sto = try(module.destination_storage[0].destination_name, "")
+    lbk = try(module.destination_logbucket[0].destination_name, "")
+  }
+
   logging_tgt_prefix = {
     pub = "tp-logs-"
     sto = try("bkt-logs-${var.logging_destination_project_id}-", "bkt-logs-")
@@ -90,6 +96,27 @@ module "log_export" {
   include_children       = local.include_children
 }
 
+module "log_export_billing" {
+  source  = "terraform-google-modules/log-export/google"
+  version = "~> 7.4"
+
+  for_each = var.enable_billing_account_sink ? local.destination_resource_uri : {}
+
+  destination_uri        = local.destination_resource_uri[each.value.type]
+  filter                 = ""
+  log_sink_name          = "${coalesce(each.value.options.logging_sink_name, local.logging_sink_name_map[each.value.type])}-billing-${random_string.suffix.result}"
+  parent_resource_id     = var.billing_account
+  parent_resource_type   = "billing_account"
+  unique_writer_identity = true
+}
+
+resource "time_sleep" "wait_sa_iam_membership" {
+  create_duration = "30s"
+  depends_on = [
+    module.log_export_billing
+  ]
+}
+
 #-------------------------#
 # Send logs to Log Bucket #
 #-------------------------#
@@ -124,6 +151,24 @@ resource "google_project_iam_member" "logbucket_sink_member" {
   member = module.log_export["${each.value}_lbk"].writer_identity
 }
 
+#------------------------------------------------------------------#
+# Log Bucket Service account IAM membership for log_export_billing #
+#------------------------------------------------------------------#
+resource "google_project_iam_member" "logbucket_sink_member_billing" {
+  count = var.enable_billing_account_sink == true && var.logbucket_options != null ? 1 : 0
+
+  project = var.logging_destination_project_id
+  role    = "roles/logging.bucketWriter"
+
+  # Set permission only on sinks for this destination using
+  # module.log_export_billing key "<resource>_<dest>"
+  member = module.log_export_billing["_lbk"].writer_identity
+
+  depends_on = [
+    time_sleep.wait_sa_iam_membership
+  ]
+}
+
 #----------------------#
 # Send logs to Storage #
 #----------------------#
@@ -158,6 +203,21 @@ resource "google_storage_bucket_iam_member" "storage_sink_member" {
   member = module.log_export["${each.value}_sto"].writer_identity
 }
 
+#---------------------------------------------------------------#
+# Storage Service account IAM membership for log_export_billing #
+#---------------------------------------------------------------#
+resource "google_storage_bucket_iam_member" "storage_sink_member_billing" {
+  count = var.enable_billing_account_sink == true && var.storage_options != null ? 1 : 0
+
+  bucket = module.destination_storage[0].resource_name
+  role   = "roles/storage.objectCreator"
+  member = module.log_export_billing["_sto"].writer_identity
+
+  depends_on = [
+    google_project_iam_member.logbucket_sink_member_billing
+  ]
+}
+
 
 #----------------------#
 # Send logs to Pub\Sub #
@@ -185,3 +245,19 @@ resource "google_pubsub_topic_iam_member" "pubsub_sink_member" {
   role    = "roles/pubsub.publisher"
   member  = module.log_export["${each.value}_pub"].writer_identity
 }
+
+#--------------------------------------------------------------#
+# Pubsub Service account IAM membership for log_export_billing #
+#--------------------------------------------------------------#
+resource "google_pubsub_topic_iam_member" "pubsub_sink_member_billing" {
+  count = var.enable_billing_account_sink == true && var.pubsub_options != null ? 1 : 0
+
+  project = var.logging_destination_project_id
+  topic   = module.destination_pubsub[0].resource_name
+  role    = "roles/pubsub.publisher"
+  member  = module.log_export_billing["_pub"].writer_identity
+
+  depends_on = [
+    google_storage_bucket_iam_member.storage_sink_member_billing
+  ]
+}

1-org/modules/centralized-logging/outputs.tf

@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+output "enable_billing_account_sink" {
+  description = "If true, a log router sink will be created for the billing account. The billing_account variable cannot be null."
+  value       = var.enable_billing_account_sink
+}
+
 output "storage_destination_name" {
   description = "The resource name for the destination Storage."
   value       = try(module.destination_storage[0].resource_name, "")

1-org/modules/centralized-logging/variables.tf

@@ -34,6 +34,18 @@ variable "resource_type" {
   }
 }
 
+variable "billing_account" {
+  description = "Billing Account ID used in case sinks are under billing account level. Format 000000-000000-000000."
+  type        = string
+  default     = null
+}
+
+variable "enable_billing_account_sink" {
+  description = "If true, a log router sink will be created for the billing account. The billing_account variable cannot be null."
+  type        = bool
+  default     = false
+}
+
 variable "logging_project_key" {
   description = "(Optional) The key of logging destination project if it is inside resources map. It is mandatory when resource_type = project and logging_target_type = logbucket."
   type        = string