support custom log filters (#609)

GoogleCloudPlatform · Oct 14, 2020 · 3db1b70 · 3db1b70
1 parent 2a01379
commit 3db1b70
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 4 deletions.
diff --git a/docs/tfengine/schemas/audit.md b/docs/tfengine/schemas/audit.md
@@ -4,6 +4,17 @@
 
 ## Properties
 
+### additional_filters
+
+Additional filters for log collection and export. List entries will be
+concatenated by "OR" operator. Refer to
+<https://cloud.google.com/logging/docs/view/query-library> for query syntax.
+Need to escape \ and " to preserve them in the final filter strings.
+See example usages under "examples/tfengine/".
+Logs with filter "logName:\"logs/cloudaudit.googleapis.com\"" is always enabled.
+
+Type: array(string)
+
 ### auditors_group
 
 This group will be granted viewer access to the audit log dataset and

diff --git a/examples/tfengine/folder_foundation.hcl b/examples/tfengine/folder_foundation.hcl
@@ -99,6 +99,11 @@ template "audit" {
     logs_storage_bucket = {
       name = "7yr-folder-audit-logs"
     }
+    additional_filters = [
+      # Need to escape \ and " to preserve them in the final filter strings.
+      "logName=\\\"logs/forseti\\\"",
+      "logName=\\\"logs/application\\\"",
+    ]
   }
 }
 

diff --git a/examples/tfengine/generated/folder_foundation/audit/main.tf b/examples/tfengine/generated/folder_foundation/audit/main.tf
diff --git a/templates/tfengine/components/audit/main.tf b/templates/tfengine/components/audit/main.tf
@@ -19,6 +19,11 @@ limitations under the License. */ -}}
   {{- $parent_var = "var.folder"}}
 {{- end}}
 
+{{- $filter := `logName:\"logs/cloudaudit.googleapis.com\"`}}
+{{- range get . "additional_filters"}}
+{{- $filter = printf "%s OR %s" $filter .}}
+{{- end}}
+
 # IAM Audit log configs to enable collection of all possible audit logs.
 resource "google_{{.parent_type}}_iam_audit_config" "config" {
   {{$parent_field}} = {{$parent_var}}
@@ -40,7 +45,7 @@ resource "google_logging_{{.parent_type}}_sink" "bigquery_audit_logs_sink" {
   name                 = "bigquery-audit-logs-sink"
   {{$parent_field}}    = {{$parent_var}}
   include_children     = true
-  filter               = "logName:\"logs/cloudaudit.googleapis.com\""
+  filter               = "{{$filter}}"
   destination          = "bigquery.googleapis.com/projects/${module.project.project_id}/datasets/${module.bigquery_destination.bigquery_dataset.dataset_id}"
 }
 
@@ -75,7 +80,7 @@ resource "google_logging_{{.parent_type}}_sink" "storage_audit_logs_sink" {
   name                 = "storage-audit-logs-sink"
   {{$parent_field}}    = {{$parent_var}}
   include_children     = true
-  filter               = "logName:\"logs/cloudaudit.googleapis.com\""
+  filter               = "{{$filter}}"
   destination          = "storage.googleapis.com/${module.storage_destination.bucket.name}"
 }
 

diff --git a/templates/tfengine/recipes/audit.hcl b/templates/tfengine/recipes/audit.hcl
@@ -81,6 +81,20 @@ schema = {
       description = "Location of logs storage bucket."
       type        = "string"
     }
+    additional_filters = {
+      description = <<EOF
+        Additional filters for log collection and export. List entries will be
+        concatenated by "OR" operator. Refer to
+        <https://cloud.google.com/logging/docs/view/query-library> for query syntax.
+        Need to escape \ and " to preserve them in the final filter strings.
+        See example usages under "examples/tfengine/".
+        Logs with filter "logName:\"logs/cloudaudit.googleapis.com\"" is always enabled.
+      EOF
+      type        = "array"
+      items = {
+        type = "string"
+      }
+    }
   }
 }