Cloud Asset Organization feed for deleted/created resource - google-cloud-platform

I am creating an asset feed for deleted/created resources. The code below and the linked page show the expression only for when resources are created, but I want another feed for when resources are deleted only. Reference link - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_asset_organization_feed
I just want to receive the notification ONLY for create and delete, no UPDATE.
resource "google_cloud_asset_organization_feed" "organization_feed" {
  billing_project = "my-project-name"
  org_id          = "123456789"
  feed_id         = "network-updates"
  content_type    = "RESOURCE"
  asset_types = [
    "compute.googleapis.com/Subnetwork",
    "compute.googleapis.com/Network",
  ]
  feed_output_config {
    pubsub_destination {
      topic = google_pubsub_topic.feed_output.id
    }
  }
  condition {
    expression = <<-EOT
      !temporal_asset.deleted &&
      temporal_asset.prior_asset_state == google.cloud.asset.v1.TemporalAsset.PriorAssetState.DOES_NOT_EXIST
    EOT
    title       = "created"
    description = "Send notifications on creation events"
  }
}

To create a deleted asset feed change the condition to:
condition {
  # The CEL expression must be passed as a string
  expression  = "temporal_asset.deleted"
  title       = "deleted"
  description = "Send notifications on deletion events"
}
Monitoring asset changes with conditions
TemporalAsset
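As an added example (not from the original post), one way to meet the stated requirement of notifications for create and delete only, without a second feed: a single feed whose CEL condition is true when the asset is deleted or when it had no prior state, so updates to an existing asset are filtered out. The billing project, org id and Pub/Sub topic reference are placeholders.

```hcl
# Added example: one organization feed that fires on creation OR deletion,
# but not on updates to an existing asset. Values below are placeholders.
resource "google_cloud_asset_organization_feed" "create_delete_feed" {
  billing_project = "my-project-name" # placeholder
  org_id          = "123456789"       # placeholder
  feed_id         = "network-create-delete"
  content_type    = "RESOURCE"

  asset_types = [
    "compute.googleapis.com/Subnetwork",
    "compute.googleapis.com/Network",
  ]

  feed_output_config {
    pubsub_destination {
      topic = google_pubsub_topic.feed_output.id # assumed to exist
    }
  }

  condition {
    # Deleted:  temporal_asset.deleted is true.
    # Created:  the asset had no prior state (DOES_NOT_EXIST).
    # Updated:  deleted is false and prior state is PRESENT, so neither
    #           branch matches and no notification is sent.
    expression = <<-EOT
      temporal_asset.deleted ||
      temporal_asset.prior_asset_state == google.cloud.asset.v1.TemporalAsset.PriorAssetState.DOES_NOT_EXIST
    EOT
    title       = "created-or-deleted"
    description = "Notify on creation and deletion events only, never on updates"
  }
}
```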

Related

Add environment based Multiple Notification Channel to GCP Alert Policy with Terraform Lookup

I'm trying to add multiple notification channels to a GCP Alert policy with terraform.
My issue is that I need to add different notification channels based on the production environment where they are deployed.
As long as I keep the notification channel unique, I can easily deploy in the following way.
Here is my variables.tf file:
locals {
  notification_channel = {
    DEV = "projects/[PROJECT_ID]/notificationChannels/[CHANNEL_ID]"
    PRD = "projects/[PROJECT_ID]/notificationChannels/[CHANNEL_ID]"
  }
}
Here is my main.tf file:
resource "google_monitoring_alert_policy" "alert_policy" {
  display_name = "My Alert Policy"
  combiner     = "OR"
  conditions {
    display_name = "test condition"
    condition_threshold {
      filter     = "metric.type=\"compute.googleapis.com/instance/disk/write_bytes_count\" AND resource.type=\"gce_instance\""
      duration   = "60s"
      comparison = "COMPARISON_GT"
      aggregations {
        alignment_period   = "60s"
        per_series_aligner = "ALIGN_RATE"
      }
    }
  }
  user_labels = {
    foo = "bar"
  }
  notification_channels = [lookup(local.notification_channel, terraform.workspace)]
}
My issue here happens when I try to map multiple notification channels instead of one per environment.
Something like:
locals {
  notification_channel = {
    DEV = ["projects/[PROJECT_ID]/notificationChannels/[CHANNEL_ID]", "projects/[PROJECT_ID]/notificationChannels/[CHANNEL_ID]"]...
  }
}
However, if I try this way, the system tells me: Inappropriate value for attribute "notification_channels": element 0: string.
Here's the documentation for:
Terraform Lookup function Terraform
GCP Alert Policy
Could you help?
If I understood your question, you actually need only to remove the square brackets:
notification_channels = lookup(local.notification_channel, terraform.workspace)
Since the local variable notification_channel is already a list, you only need to use lookup to fetch the value based on the workspace you are currently in.

GCP Alerting Policy to Alert on KMS Key Deletion Using Terraform

I am trying to alert on KMS Key deletions using terraform.
I have a log based metric, a policy and a notification channel to PagerDuty.
This all works, however, following the alert triggering it soon clears and there seems to be nothing I can do to stop this.
Here is my code:
resource "google_logging_metric" "logging_metric" {
  name        = "kms-key-pending-deletion"
  description = "Logging metric used to alert on scheduled deletions of KMS keys"
  filter      = "resource.type=cloudkms_cryptokeyversion AND protoPayload.methodName=DestroyCryptoKeyVersion"
  metric_descriptor {
    metric_kind  = "DELTA"
    value_type   = "INT64"
    unit         = "1"
    display_name = "kms-key-pending-deletion-metric-descriptor"
  }
}
resource "google_monitoring_notification_channel" "pagerduty_alerts" {
  display_name = "pagerduty-notification-channel"
  type         = "pagerduty"
  sensitive_labels {
    service_key = var.token
  }
}
resource "google_monitoring_alert_policy" "kms_key_deletion_alert_policy" {
  display_name          = "kms-key-deletion-alert-policy"
  combiner              = "OR"
  notification_channels = [google_monitoring_notification_channel.pagerduty_alerts.name]
  conditions {
    display_name = "kms-key-deletion-alert-policy-conditions"
    condition_threshold {
      comparison      = "COMPARISON_GT"
      duration        = "300s"
      filter          = "metric.type=\"logging.googleapis.com/user/kms-key-pending-deletion\" AND resource.type=\"global\""
      threshold_value = "0"
    }
  }
  documentation {
    content = "Runbook: https://blah"
  }
}
In the GCP GUI I can disable the option "Notify on incident closure" in the policy and it stops the alert from clearing.
However I cannot set this via terraform.
I have tried setting alert_strategy.auto_close to null and 0s but this did not work:
alert_strategy {
  auto_close = "0s"
  # auto_close = null
}
How do I keep the alert active and stop it from clearing when building the policy in Terraform?
Am I using the correct resource type? Should I somehow be using cloudkms.cryptoKey.state for keys that are in the "DESTROY_SCHEDULED" state?
For others wanting to find the answer to this:
The need to keep an alert open and not allow it to automatically close is missing in the API.
The issue is tracked here: https://issuetracker.google.com/issues/151052441?pli=1

Cloudtrail using terraform

I'm creating a cloudtrail using terraform. The problem is my source bucket keeps changing after 3 months. Now I want to give the dynamic S3 bucket value for field_selector.
I'm doing something like this:
resource "aws_cloudtrail" "test" {
  name                          = "test_trail"
  s3_bucket_name                = bucket.id
  enable_logging                = true
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true
  advanced_event_selector {
    name = "Log download event data"
    field_selector {
      field  = "eventCategory"
      equals = ["Data"]
    }
    field_selector {
      field  = "resources.type"
      equals = ["AWS::S3::Object"]
    }
    field_selector {
      field  = "eventName"
      equals = ["GetObject"]
    }
    field_selector {
      field       = "resources.ARN"
      starts_with = ["aws_s3_bucket.sftp_file_upload_bucket.arn"]
    }
  }
}
Here, I'm giving the ARN, but logs are not getting created this way; if I hard-code the bucket name, they are created.
When you want to log the object events for a bucket, the ARN is not enough. As the AWS CLI documentation states [1]:
For example, if resources.type equals AWS::S3::Object , the ARN must be in one of the following formats. To log all data events for all objects in a specific S3 bucket, use the StartsWith operator, and include only the bucket ARN as the matching value. The trailing slash is intentional; do not exclude it.
So in your case you would have to fix the last field selector to:
field_selector {
  field       = "resources.ARN"
  starts_with = ["${aws_s3_bucket.sftp_file_upload_bucket.arn}/"]
}
[1] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/put-event-selectors.html#id11
When using an attribute of a resource you should either specify it like
"${aws_s3_bucket.sftp_file_upload_bucket.arn}"
or without quotes like
aws_s3_bucket.sftp_file_upload_bucket.arn
So the correct version would be:
field_selector {
  field       = "resources.ARN"
  starts_with = [aws_s3_bucket.sftp_file_upload_bucket.arn]
}

how to refer GCP resources in terraform?

I would like to understand resource references in Terraform.
Example:
In my project, the Pub/Sub topic has been referred to with .name as well as .id:
resource "google_pubsub_topic" "topic" {
  name = "my_topic"
}
resource "google_pubsub_subscription" "subscription" {
  name  = "my_subscription"
  topic = google_pubsub_topic.topic.name
}
resource "google_cloudiot_registry" "cloudiot" {
  name      = "my_iot_registry"
  region    = "us-central1"
  log_level = "ERROR"
  event_notification_configs {
    pubsub_topic_name = google_pubsub_topic.topic.id
  }
  mqtt_config = {
    mqtt_enabled_state = "MQTT_ENABLED"
  }
}
I could not find information on the difference between referring by .name and .id in the many online forums I looked at.
For which resources in Terraform do we need to refer by .name, and for which by .id?
There is no such hard rule for referencing; it appears to be an anomaly in usage specific to this resource.
I guess it needs to be:
event_notification_configs {
  pubsub_topic_id = google_pubsub_topic.topic.id
}
From google_cloudiot_registry, I see id being returned by the resource, which contains the resource name, and the same is being passed to the pubsub_topic_name part of the event_notification_configs block.
If you wish to change pubsub_topic_name to pubsub_topic_id, you could create a PR on the provider code base.
To conclude, if you would like to refer to the output of some resource/data source, you would need to fetch the attributes returned in the response and assign them to the appropriate field in the next resource.

How to create a slack notification channel in Google Cloud Platform with terraform

I'm trying to create a slack notification channel in GCP with terraform. I am able to create a channel with the code below, but it's missing "Team" and "Owner" attributes.
resource "google_monitoring_notification_channel" "default" {
  display_name = "Test Slack Channel"
  type         = "slack"
  enabled      = "true"
  labels = {
    "channel_name" = "#testing"
    "auth_token"   = "<my_slack_app_token>"
  }
}
The first channel in the screenshot below was created via the GUI and works fine. The second channel was created via Terraform and is unable to send notifications:
The Terraform registry does not mention these attributes; I have tried defining them in labels right after channel_name:
labels = {
  "channel_name" = "#testing"
  "team"         = "<my_team>"
  "owner"        = "google_cloud_monitoring"
  "auth_token"   = "<my_slack_app_token>"
}
I got the following error:
Error creating NotificationChannel: googleapi: Error 400: Field "notification_channel.labels['owner']" is not allowed; labels must conform to the channel type's descriptor; permissible label keys for "slack" are: {"auth_token", "channel_name"}
Apparently, only channel_name and auth_token are valid labels.
What am I missing?
Slack needs the sensitive_labels option for tokens. There is an example in the docs:
resource "google_monitoring_notification_channel" "default" {
  display_name = "Test Slack Channel"
  type         = "slack"
  labels = {
    "channel_name" = "#foobar"
  }
  sensitive_labels {
    auth_token = "...."
  }
}