google_logging_project_sink

Manages a project-level logging sink. For more information see:

Example Usage - Basic Sink

resource "google_logging_project_sink" "my-sink" {
  name = "my-pubsub-instance-sink"

  # Can export to pubsub, cloud storage, bigquery, log bucket, or another project
  destination = "pubsub.googleapis.com/projects/my-project/topics/instance-activity"

  # Log all WARN or higher severity messages relating to instances
  filter = "resource.type = gce_instance AND severity >= WARNING"

  # Use a unique writer (creates a unique service account used for writing)
  unique_writer_identity = true
}

Example Usage - Cloud Storage Bucket Destination

A more complete example follows: this creates a compute instance, as well as a log sink that logs all activity to a cloud storage bucket. Because we are using unique_writer_identity, we must grant it access to the bucket.

Note that this grant requires the "Project IAM Admin" IAM role (roles/resourcemanager.projectIamAdmin) granted to the credentials used with Terraform.

# Our logged compute instance
resource "google_compute_instance" "my-logged-instance" {
  name         = "my-instance"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network = "default"

    access_config {
    }
  }
}

# A gcs bucket to store logs in
resource "google_storage_bucket" "gcs-bucket" {
  name     = "my-unique-logging-bucket"
  location = "US"
}

# Our sink; this logs all activity related to our "my-logged-instance" instance
resource "google_logging_project_sink" "instance-sink" {
  name        = "my-instance-sink"
  description = "some explanation on what this is"
  destination = "storage.googleapis.com/${google_storage_bucket.gcs-bucket.name}"
  filter      = "resource.type = gce_instance AND resource.labels.instance_id = \"${google_compute_instance.my-logged-instance.instance_id}\""

  unique_writer_identity = true
}

# Because our sink uses a unique_writer, we must grant that writer access to the bucket.
# Note: google_project_iam_binding is authoritative for the role, so any other member
# holding roles/storage.objectCreator on the project that is not listed here is removed.
# It also grants the role project-wide rather than on the single destination bucket.
resource "google_project_iam_binding" "gcs-bucket-writer" {
  project = "your-project-id"
  role    = "roles/storage.objectCreator"

  members = [
    google_logging_project_sink.instance-sink.writer_identity,
  ]
}
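A narrower variant of the Cloud Storage example above, added here as an illustration and not part of the provider documentation: the writer identity is granted roles/storage.objectCreator on the one destination bucket with a non-authoritative bucket-level member binding instead of a project-wide authoritative binding, and the bucket itself uses uniform bucket-level access plus a retention policy so that exported logs cannot be silently overwritten or deleted early. The bucket name and retention period are placeholder values.

```hcl
# Destination bucket for exported logs (name is a placeholder; bucket names are global)
resource "google_storage_bucket" "log-bucket" {
  name     = "my-unique-hardened-logging-bucket"
  location = "US"

  # Disable per-object ACLs so access is governed only by IAM on the bucket
  uniform_bucket_level_access = true

  # Objects cannot be deleted or overwritten until the retention period has elapsed.
  # 30 days here (seconds). Set is_locked = true once the period is final; locking
  # a retention policy is irreversible.
  retention_policy {
    retention_period = 2592000
    is_locked        = false
  }
}

# Same filter as the basic example: WARN or higher for Compute Engine instances
resource "google_logging_project_sink" "hardened-sink" {
  name        = "my-hardened-instance-sink"
  destination = "storage.googleapis.com/${google_storage_bucket.log-bucket.name}"
  filter      = "resource.type = gce_instance AND severity >= WARNING"

  # A dedicated service account is created for this sink only
  unique_writer_identity = true
}

# Bucket-scoped, additive grant: only this sink's writer identity gains objectCreator,
# only on this bucket, and existing bindings on the bucket are left untouched.
# writer_identity is already in "serviceAccount:..." form, so it is used directly.
resource "google_storage_bucket_iam_member" "hardened-sink-writer" {
  bucket = google_storage_bucket.log-bucket.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.hardened-sink.writer_identity
}
```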

Example Usage - User-managed Service Account

The following example creates a sink that is configured with a user-managed service account by specifying the custom_writer_identity field.

Note that you can only create a sink that uses a user-managed service account when the sink destination is a log bucket.

resource "google_service_account" "custom-sa" {
  project      = "other-project-id"
  account_id   = "gce-log-bucket-sink"
  display_name = "gce-log-bucket-sink"
}

# Create a sink that uses user-managed service account
resource "google_logging_project_sink" "my-sink" {
  name = "other-project-log-bucket-sink"

  # Can export to log bucket in another project
  destination = "logging.googleapis.com/projects/other-project-id/locations/global/buckets/gce-logs"

  # Log all WARN or higher severity messages relating to instances
  filter = "resource.type = gce_instance AND severity >= WARNING"

  unique_writer_identity = true

  # Use a user-managed service account
  custom_writer_identity = google_service_account.custom-sa.email
}

# Grant writer access to the user-managed service account on the project that owns
# the destination log bucket (other-project-id in this example)
resource "google_project_iam_member" "custom-sa-logbucket-binding" {
  project = "other-project-id"
  role    = "roles/logging.bucketWriter"
  member  = "serviceAccount:${google_service_account.custom-sa.email}"
}

The above example creates a log sink that routes logs to the destination GCP project using a user-managed service account.

Example Usage - Sink Exclusions

The following example uses exclusions to filter out logs that should not be exported. In this example, logs are exported to a log bucket and two exclusions are configured.

resource "google_logging_project_sink" "log-bucket" {
  name        = "my-logging-sink"
  destination = "logging.googleapis.com/projects/my-project/locations/global/buckets/_Default"

  # Entries matching an exclusion filter are dropped before export
  exclusions {
    name        = "nsexclusion1"
    description = "Exclude logs from namespace-1 in k8s"
    filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-1\""
  }

  exclusions {
    name        = "nsexclusion2"
    description = "Exclude logs from namespace-2 in k8s"
    filter      = "resource.type = k8s_container resource.labels.namespace_name=\"namespace-2\""
  }

  unique_writer_identity = true
}

Argument Reference

The following arguments are supported:

The bigquery_options block supports:

The exclusions block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Import

Project-level logging sinks can be imported using their URI, e.g.

In Terraform v1.5.0 and later, use an import block to import project-level logging sinks using one of the formats above. For example:

import {
  id = "projects/{{project_id}}/sinks/{{name}}"
  to = google_logging_project_sink.default
}

When using the terraform import command, project-level logging sinks can be imported using one of the formats above. For example:

$ terraform import google_logging_project_sink.default projects/{{project_id}}/sinks/{{name}}