docs: low quality example for IBM Cloud Logs #5896

Open
sean-freeman opened this issue Dec 29, 2024 · 0 comments
Labels: documentation, service/Activity Tracker, service/Cloud Logs, service/IAM, service/Resource Management

Comments

@sean-freeman

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Working example below, including missing IAM Policy for S2S.

variable "ibmcloud_region_name" {}

variable "ibmcloud_resource_group_name" {}

variable "resource_prefix" {}


data "ibm_resource_group" "target" {
  name = var.ibmcloud_resource_group_name
}

# IBM Cloud Logs service instance
resource "ibm_resource_instance" "logs_service_instance" {
  name              = "${var.resource_prefix}-cloud-logs"
  resource_group_id = data.ibm_resource_group.target.id
  service           = "logs"
  plan              = "standard"
  location          = var.ibmcloud_region_name
  parameters = {
    retention_period        = 90
    ## Logs data storage
    # logs_bucket_crn         = "s3_bucket_crn_value"
    # logs_bucket_endpoint    = "s3_direct_endpoint"
    ## Logs to metrics storage
    # metrics_bucket_crn      = "s3_bucket_crn_value"
    # metrics_bucket_endpoint = "s3_direct_endpoint"
  }
}

# Service authorization is required to allow IBM Cloud Logs Routing service to communicate with IBM Cloud Logs
# IAM service authorization policy scoped to all resources in this account
resource "ibm_iam_authorization_policy" "s2s_logs_router_to_logs" {
  source_service_name  = "logs-router"
  target_service_name  = "logs"
  roles                = ["Sender"]
}

# Service authorization is required to allow IBM Cloud Activity Tracker Event Routing service to communicate with IBM Cloud Logs
# IAM service authorization policy scoped to all resources in this account
resource "ibm_iam_authorization_policy" "s2s_activity_tracker_to_logs" {
  source_service_name  = "atracker"
  target_service_name  = "logs"
  roles                = ["Sender"]
}

# IBM Cloud Logs Routing targets
# https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/logs-router_tenant
resource "ibm_logs_router_tenant" "logs_router_tenant_instance" {
  for_each = toset(["us-south", "eu-de", "eu-gb", "eu-es", "jp-osa", "br-sao", "au-syd", "au-syd", "jp-tok", "ca-tor", "us-east"])
  name     = "${var.resource_prefix}-cloud-logs-router-tenant"
  region   = each.value
  targets {
    name         = "${var.resource_prefix}-cloud-logs-router-target"
    log_sink_crn = ibm_resource_instance.logs_service_instance.crn # do not use target_crn
    parameters {
      host = ibm_resource_instance.logs_service_instance.extensions.external_ingress # Public
      # host = ibm_resource_instance.logs_service_instance.extensions.external_ingress_private # Private
      port = 443
    }
  }
}

# IBM Cloud Logs - Dashboard - Data Pipelines - Rules
# https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/logs_rule_group
resource "ibm_logs_rule_group" "logs_rule_group_instance" {
  name        = "${var.resource_prefix}-cloud-logs-rule-group"
  description = "Rule Group for X"

  instance_id = ibm_resource_instance.logs_service_instance.guid
  region      = ibm_resource_instance.logs_service_instance.location
  enabled     = true
  order       = 1

  rule_matchers {
    # application_name {
    #   value = "rg-match"
    # }
    subsystem_name {
      value = "rg-match"
    }
    # severity {
    #   value = "error" # debug_or_unspecified, verbose, info, warning, error, critical
    # }
  }

  rule_subgroups {
    enabled = true # Whether to enable the Rule Subgroup
    order   = 1

    rules {
      enabled      = true # Whether to enable the Rule
      order        = 1
      name         = "rule-parse"
      source_field = "text"
      # Object block defines the Rule's type (i.e. Parse)
      parameters {
        parse_parameters {
          destination_field = "text"
          rule              = "(?P<timestamp>[^,]+),(?P<hostname>[^,]+),(?P<username>[^,]+),(?P<ip>[^,]+),(?P<connectionId>[0-9]+),(?P<queryId>[0-9]+),(?P<operation>[^,]+),(?P<database>[^,]+),'?(?P<object>.*)'?,(?P<returnCode>[0-9]+)"
        }
        # allow_parameters {}
        # block_parameters {}
        # extract_parameters {}
        # extract_timestamp_parameters {}
        # json_extract_parameters {}
        # json_parse_parameters {}
        # json_stringify_parameters {}
        # parse_parameters {}
        # remove_fields_parameters {}
        # replace_parameters {}
      }
    }
  }
}


# IBM Cloud Activity Tracker event routing target to IBM Cloud Logs
# https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/atracker_target
resource "ibm_atracker_target" "atracker_cloudlogs_target" {
  name        = "${var.resource_prefix}-cloud-activity-tracker"
  target_type = "cloud_logs"
  region      = var.ibmcloud_region_name
  cloudlogs_endpoint {
    target_crn = ibm_resource_instance.logs_service_instance.crn
  }
}

# Required on first provision to set the metadata location
# https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/atracker_settings
resource "ibm_atracker_settings" "atracker_settings_instance" {
  metadata_region_primary   = var.ibmcloud_region_name
  # metadata_region_backup    = "us-east"
  permitted_target_regions  = ["us-south", "eu-de", "eu-gb", "eu-es", "jp-osa", "br-sao", "au-syd", "au-syd", "jp-tok", "ca-tor", "us-east"]
  private_api_endpoint_only = false # Altering to true may cause an update to the IBM Cloud Metrics Routing settings for the account
  # default_targets [ id_value ] # Requires ibm_metrics_router_target, which conflicts with need to first define the metadata location

  # Recommended lifecycle flag to ensure target delete order is correct
  lifecycle {
    create_before_destroy = true
    ignore_changes = [
      metadata_region_backup
    ]
  }
}

# https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/atracker_route
resource "ibm_atracker_route" "atracker_route" {
  name     = "${var.resource_prefix}-cloud-activity-tracker-route-default"

  # Limit of 8 locations per rule
  rules {
    target_ids = [ ibm_atracker_target.atracker_cloudlogs_target.id ]
    locations  = [ "global", "us-south", "eu-de", "eu-gb", "eu-es", "jp-osa", "br-sao" ]
  }
  rules {
    target_ids = [ ibm_atracker_target.atracker_cloudlogs_target.id ]
    locations  = [ "au-syd", "au-syd", "jp-tok", "ca-tor", "us-east" ]
  }

  # Recommended lifecycle flag to ensure target delete order is correct
  lifecycle {
    create_before_destroy = true
  }
}
@github-actions github-actions bot added service/Activity Tracker Issues related to Activity Tracker service/Cloud Logs Issues related to Cloud Logs service/IAM Issues related to IAM service/Resource Management Issues related to Resource Manager or Resource controller Issues labels Dec 29, 2024
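
An offline check of the `parse_parameters` rule from the example above, added here and not part of the original issue. It assumes Python's `re` stands in for the service's regex engine; the sample lines and the `STRICT` variant are constructed for illustration. It shows that the rule as posted keeps the closing quote inside `object`, and that a record with an empty `database` field is not parsed at all.

```python
import re

# Shared prefix, copied verbatim from parse_parameters.rule in the issue.
PREFIX = (
    r"(?P<timestamp>[^,]+),(?P<hostname>[^,]+),(?P<username>[^,]+),(?P<ip>[^,]+),"
    r"(?P<connectionId>[0-9]+),(?P<queryId>[0-9]+),(?P<operation>[^,]+),"
    r"(?P<database>[^,]+),"
)
# The rule exactly as posted: greedy object capture, no end anchor.
RULE = re.compile(PREFIX + r"'?(?P<object>.*)'?,(?P<returnCode>[0-9]+)")
# Hypothetical variant (assumption, not from the issue): lazy capture plus "$"
# so the optional closing quote is consumed instead of captured.
STRICT = re.compile(PREFIX + r"'?(?P<object>.*?)'?,(?P<returnCode>[0-9]+)$")

# Constructed sample lines in the comma-separated layout the rule expects.
QUOTED = ("20241229 10:15:02,db01,appuser,10.0.0.5,42,1001,QUERY,sales,"
          "'SELECT id, name FROM customers WHERE id = 7',0")
COMMA_DIGIT = ("20241229 10:15:03,db01,appuser,10.0.0.5,42,1002,QUERY,sales,"
               "'INSERT INTO t VALUES (1,2)',0")
EMPTY_DB = "20241229 10:15:09,db01,root,203.0.113.9,43,0,FAILED_CONNECT,,,1045"


def parse(pattern, line):
    """Return the named fields as a dict, or None when the rule does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    samples = [("QUOTED", QUOTED), ("COMMA_DIGIT", COMMA_DIGIT), ("EMPTY_DB", EMPTY_DB)]
    for name, line in samples:
        for label, pattern in [("posted", RULE), ("strict", STRICT)]:
            fields = parse(pattern, line)
            # Show only the two fields affected by the greedy/lazy difference.
            print(name, label, fields and (fields["object"], fields["returnCode"]))
```

Records that fail the rule stay unparsed, so a field-based alert on `operation` or `returnCode` would not see them; running the rule against representative lines before deploying the rule group catches this.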