Terraform で Logging → PubSub

#Terraform #PubSub #GoogleCloud

from PubSub

topic 作る

google_pubsub_topic | Resources | hashicorp/google | Terraform Registry

Logging sink 作る

google_logging_project_sink | Resources | hashicorp/google | Terraform Registry

PubSub に書き込む権限が必要

トラブルシューティング - Google Cloud Console でのログのエクスポート | Cloud Logging

エクスポート先の権限 - Google Cloud Console でのログのエクスポート | Cloud Logging

unique_writer_identity と、それに roles/pubsub.publisher が必要かな?

unique~ でなくてもデフォルトのを参照してもよいか

serviceAccount:cloud-logs@system.gserviceaccount.com

Exporting logs in the API | Cloud Logging | Google Cloud

serviceAccount:cloud-logs@system.gserviceaccount.com ← これどこかの data resource にないのかな

google_service_account | Data Sources | hashicorp/google | Terraform Registry

こうやる?

code:shared.tf

data "google_service_account" "shared_logging_sink_writer" {

account_id = "cloud-logs@system.gserviceaccount.com"

}

code:loggin_to_pubsub.tf

resource "google_pubsub_topic" "pubsub_topic" {

name = "pubsub_topic_test"

}

# 1. unique_writer_identity を使う

resource "google_logging_project_sink" "sink_to_pubsub_topic" {

name = "logs_to_pubsub"

destination = "pubsub.googleapis.com/${google_pubsub_topic.pubsub_topic.id}"

filter = "..."

unique_writer_identity = true #=> sink ごとにサービスアカウントが作られる

}

# unique_writer_identity により作られたサービスアカウントに role を付与

resource "google_project_iam_member" "sink_to_pubsub_topic_writer" {

member = google_logging_project_sink.sink_to_pubsub_topic.writer_identity

role = "roles/pubsub.publisher"

}

# 2. 共通のサービスアカウントに権限を付与する

resource "google_logging_project_sink" "sink_to_pubsub_topic" {

name = "logs_to_pubsub"

destination = "pubsub.googleapis.com/${google_pubsub_topic.pubsub_topic.id}"

filter = "..."

}

# uniqe_writer_identity にしない場合 GCP 共通のサービスアカウントが writer となる

data "google_service_account" "shared_logging_sink_writer" {

account_id = "cloud-logs@system.gserviceaccount.com"

}

# 共通 writer の IAM に role を付与する

resource "google_project_iam_member" "sink_to_pubsub_topic_writer" {

member = "serviceAccount:${data.google_service_account.shared_logging_sink_writer.email}"

role = "roles/pubsub.publisher"

}

↑ data.google_service_account で account_id にメールアドレス渡すとエラーになる?

google_service_account | Data Sources | hashicorp/google | Terraform Registry では渡せる

"account_id" ("...") doesn't match regexp "^a-z(?:-a-z0-9{4,28}a-z0-9)$"

data で参照したいけど素朴に書けばいいっちゃいい

code:writer.tf

resource "google_project_iam_member" "sink_to_pubsub_topic_writer" {

member = "serviceAccount:cloud-logs@system.gserviceaccount.com"

role = "roles/pubsub.publisher"

}

Push

https://gyazo.com/9b0303fd8748eb94d2dd6c4b8f6dd090

これも Terraform で有効にしたい

Pub/Sub での push 認証の設定 - push サブスクリプションの使用 | Cloud Pub/Sub ドキュメント | Google Cloud

Unable to add roles/iam.serviceAccountTokenCreator role to the default Pub/Sub service account · Issue #7281 · hashicorp/terraform-provider-google

PubSub アカウントに roles/iam.serviceAccountTokenCreator を付与する(全体的に作れる)

google_project_service_identity | Resources | hashicorp/google | Terraform Registry

特定の(Push に使う)サービスアカウントのトークンを発行できるようにする

google_service_account_access_token | Data Sources | hashicorp/google | Terraform Registry これか?

面倒だからいいや

Error: Error updating Subscription "...": googleapi: Error 400: The value for maximum_backoff is out of bounds. You passed 30m in the request, but the value must be between 0 and 10m.

maximum_backoff の最大は 10分、もっとゆっくりながくリトライしてほしかったのだが...