From 147a7c259006e9656dd4b0b513c4f84132f6b064 Mon Sep 17 00:00:00 2001
From: gmherb <13892557+gmherb@users.noreply.github.com>
Date: Tue, 15 Apr 2025 14:57:29 -0400
Subject: [PATCH 1/3] Add option of using organization sink

---
 main.tf | 26 ++++++++++++++++++--------
 permissions.tf | 22 +++++++++++++++++++---
 variables.tf | 6 ++++++
 3 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/main.tf b/main.tf
index 9285464..ba2aacb 100644
--- a/main.tf
+++ b/main.tf
@@ -111,6 +111,8 @@ resource "google_pubsub_subscription" "dataflow_input_pubsub_subscription" {
 }
 
 resource "google_logging_project_sink" "project_log_sink" {
+ count = var.organization_id == null ? 1 : 0
+
 project = var.project
 name = local.project_log_sink_name
 destination = "pubsub.googleapis.com/projects/${var.project}/topics/${google_pubsub_topic.dataflow_input_pubsub_topic.name}"
@@ -125,11 +127,19 @@ resource "google_logging_project_sink" "project_log_sink" {
 unique_writer_identity = true
 }
 
-# resource "google_logging_organization_sink" "organization_log_sink" {
-# name = local.organization_log_sink_name
-# org_id = "ORGANIZATION_ID"
-# destination = "pubsub.googleapis.com/projects/${var.project}/topics/${google_pubsub_topic.dataflow_input_pubsub_topic.name}"
-# filter = var.log_filter
-#
-# include_children = "true"
-# }
+resource "google_logging_organization_sink" "organization_log_sink" {
+ count = var.organization_id != null ? 1 : 0
+
+ name = local.organization_log_sink_name
+ org_id = var.organization_id
+ destination = "pubsub.googleapis.com/projects/${var.project}/topics/${google_pubsub_topic.dataflow_input_pubsub_topic.name}"
+ filter = var.log_filter
+
+ exclusions {
+ name = "exclude_dataflow"
+ description = "Exclude dataflow logs to not create an infinite loop"
+ filter = "resource.type=\"dataflow_step\" AND resource.labels.job_name = \"${local.dataflow_main_job_name}\""
+ }
+
+ include_children = "true"
+}
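Review bot: Adding `count` to google_logging_project_sink.project_log_sink changes its resource address to `google_logging_project_sink.project_log_sink[0]`, so on an already-deployed module Terraform will plan to destroy and recreate the sink instead of keeping it, which interrupts log export to the topic until the new sink and its IAM binding are in place and may hand out a different writer identity. A `moved` block keeps the existing sink in state across the upgrade; any other reference to the unindexed address elsewhere in the module (an output, for instance) would also need the `[0]` index, which I cannot confirm from this hunk. The sink body continues outside the hunk.
```hcl
moved {
  from = google_logging_project_sink.project_log_sink
  to   = google_logging_project_sink.project_log_sink[0]
}
```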
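Review bot: `include_children = "true"` on the new organization sink passes a quoted string where the argument is a bool; the commented-out original carried the same quirk, but now that the resource is live it should read `include_children = true`. With children included this sink exports every log in the organization that matches var.log_filter into a topic owned by var.project, so the `exclusions` filter on `resource.labels.job_name` now applies org-wide and would presumably also drop a same-named Dataflow job in another child project — likely acceptable, but worth a one-line comment on the block such as `# Matches by job name across all child projects; only the job in var.project is expected to use this name.` The wider audience of the topic (everyone holding subscriber on it now reads org-wide logs) is the other consequence a reader of this block should be told about.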
diff --git a/permissions.tf b/permissions.tf
index e49a8f8..7a781b4 100644
--- a/permissions.tf
+++ b/permissions.tf
@@ -12,13 +12,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+locals {
+ members = compact([
+ try(google_logging_project_sink.project_log_sink[0].writer_identity, null),
+ try(google_logging_organization_sink.organization_log_sink[0].writer_identity, null)
+ ])
+}
+
 resource "google_pubsub_topic_iam_binding" "input_sub_publisher" {
+ count = var.organization_id != null ? 1 : 0
+
 project = google_pubsub_topic.dataflow_input_pubsub_topic.project
 topic = google_pubsub_topic.dataflow_input_pubsub_topic.name
 role = "roles/pubsub.publisher"
- members = [
- google_logging_project_sink.project_log_sink.writer_identity
- ]
+ members = local.members
+}
+
+resource "google_pubsub_topic_iam_binding" "input_sub_publisher_org" {
+ count = var.organization_id == null ? 1 : 0
+
+ project = google_pubsub_topic.dataflow_input_pubsub_topic.project
+ topic = google_pubsub_topic.dataflow_input_pubsub_topic.name
+ role = "roles/pubsub.publisher"
+ members = local.members
 }
 
 resource "google_pubsub_subscription_iam_binding" "input_sub_subscriber" {
diff --git a/variables.tf b/variables.tf
index a2a2985..0a457fc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -28,6 +28,12 @@ variable "create_network" {
 type = bool
 }
 
+variable "organization_id" {
+ description = "Organization ID to deploy organization sink instead of project sink"
+ type = string
+ default = null
+}
+
 variable "network" {
 description = "Network to deploy into"
 type = string

From 11a5170c89d174f660c1fbf9503ddc6fc330bc3c Mon Sep 17 00:00:00 2001
From: gmherb <13892557+gmherb@users.noreply.github.com>
Date: Tue, 15 Apr 2025 15:26:54 -0400
Subject: [PATCH 2/3] reduce to single try and remove compact for local.members

---
 permissions.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
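Review bot: The description of the new `organization_id` variable should tell the caller what flipping the switch implies: main.tf creates the organization sink with `include_children` enabled and skips the project sink entirely, so logs matching var.log_filter from every project under the organization are delivered to the Pub/Sub topic in var.project, and the apply needs permission to create sinks at organization scope that a project-only deployment did not. A wording along the lines of `description = "Numeric organization ID. When set, an organization-level sink (include_children enabled) replaces the project sink and exports matching logs from all child projects to the topic in var.project."` captures that. If `org_id` on the sink expects the bare numeric ID, a `validation` block using `var.organization_id == null || can(regex("^[0-9]+$", var.organization_id))` would reject an `organizations/<id>`-style value at plan time rather than at apply.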
diff --git a/permissions.tf b/permissions.tf
index 7a781b4..1dd8f08 100644
--- a/permissions.tf
+++ b/permissions.tf
@@ -13,10 +13,10 @@
 # limitations under the License.
 
 locals {
- members = compact([
- try(google_logging_project_sink.project_log_sink[0].writer_identity, null),
- try(google_logging_organization_sink.organization_log_sink[0].writer_identity, null)
- ])
+ members = [
+ try(google_logging_organization_sink.organization_log_sink[0].writer_identity,
+ google_logging_project_sink.project_log_sink[0].writer_identity)
+ ]
 }
 
 resource "google_pubsub_topic_iam_binding" "input_sub_publisher" {

From 218648a79c9f7ea193c2a6367fbf6e6225085f64 Mon Sep 17 00:00:00 2001
From: gmherb <13892557+gmherb@users.noreply.github.com>
Date: Mon, 21 Apr 2025 23:01:27 -0400
Subject: [PATCH 3/3] remove duplicate pubsub iam binding resource now that try is use

---
 permissions.tf | 23 ++++------------------
 1 file changed, 4 insertions(+), 19 deletions(-)

diff --git a/permissions.tf b/permissions.tf
index 1dd8f08..213caa3 100644
--- a/permissions.tf
+++ b/permissions.tf
@@ -12,29 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-locals {
- members = [
- try(google_logging_organization_sink.organization_log_sink[0].writer_identity,
- google_logging_project_sink.project_log_sink[0].writer_identity)
- ]
-}
-
 resource "google_pubsub_topic_iam_binding" "input_sub_publisher" {
- count = var.organization_id != null ? 1 : 0
-
 project = google_pubsub_topic.dataflow_input_pubsub_topic.project
 topic = google_pubsub_topic.dataflow_input_pubsub_topic.name
 role = "roles/pubsub.publisher"
- members = local.members
-}
-
-resource "google_pubsub_topic_iam_binding" "input_sub_publisher_org" {
- count = var.organization_id == null ? 1 : 0
-
- project = google_pubsub_topic.dataflow_input_pubsub_topic.project
- topic = google_pubsub_topic.dataflow_input_pubsub_topic.name
- role = "roles/pubsub.publisher"
- members = local.members
+ members = [
+ try(google_logging_organization_sink.organization_log_sink[0].writer_identity,
+ google_logging_project_sink.project_log_sink[0].writer_identity)
+ ]
 }
 
 resource "google_pubsub_subscription_iam_binding" "input_sub_subscriber" {
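Review bot: The `try()` in `members` reads as "fall back to the project sink if the organization sink errors", which swallows any evaluation error on the first argument rather than only the empty-tuple case that the mutually exclusive `count` expressions in main.tf produce. The intent — bind whichever sink was created — is stated more directly with splat expressions, which yield an empty list for count = 0 without raising: `members = concat(google_logging_organization_sink.organization_log_sink[*].writer_identity, google_logging_project_sink.project_log_sink[*].writer_identity)`. Because the two counts are mutually exclusive that list holds exactly one identity, and a one-line comment saying so (`# Exactly one of the two sinks exists, so this is a single writer identity.`) would save the next reader the trip to main.tf. Worth keeping in mind that google_pubsub_topic_iam_binding is authoritative for roles/pubsub.publisher on the topic, so that identity is the only publisher left after apply; the file continues past the hunk with the subscription binding.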