Add google_logging_organization_sink resource (hashicorp#923)

* Add google_logging_organization_sink resource * cleanup
chrisst · Jan 8, 2018 · 52a607c · 52a607c
1 parent 8a2234f
commit 52a607c
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 0 deletions.
diff --git a/docs/r/logging_organization_sink.hml.markdown b/docs/r/logging_organization_sink.hml.markdown
@@ -0,0 +1,75 @@
+---
+layout: "google"
+page_title: "Google: google_logging_organization_sink"
+sidebar_current: "docs-google-logging-organization-sink"
+description: |-
+  Manages a organization-level logging sink.
+---
+
+# google\_logging\_organization\_sink
+
+Manages a organization-level logging sink. For more information see
+[the official documentation](https://cloud.google.com/logging/docs/) and
+[Exporting Logs in the API](https://cloud.google.com/logging/docs/api/tasks/exporting-logs).
+
+Note that you must have the "Logs Configuration Writer" IAM role (`roles/logging.configWriter`)
+granted to the credentials used with terraform.
+
+## Example Usage
+
+```hcl
+resource "google_logging_organization_sink" "my-sink" {
+    name        = "my-sink"
+    org_id      = "123456789"
+
+    # Can export to pubsub, cloud storage, or bigtable
+    destination = "storage.googleapis.com/${google_storage_bucket.log-bucket.name}"
+
+    # Log all WARN or higher severity messages relating to instances
+    filter      = "resource.type = gce_instance AND severity >= WARN"
+}
+
+resource "google_storage_bucket" "log-bucket" {
+    name = "organization-logging-bucket"
+}
+
+resource "google_project_iam_binding" "log-writer" {
+    role    = "roles/storage.objectCreator"
+
+    members = [
+        "${google_logging_organization_sink.my-sink.writer_identity}",
+    ]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required) The name of the logging sink.
+
+* `org_id` - (Required) The numeric ID of the organization to be exported to the sink.
+
+* `destination` - (Required) The destination of the sink (or, in other words, where logs are written to). Can be a
+    Cloud Storage bucket, a PubSub topic, or a BigQuery dataset. Examples:
+```
+"storage.googleapis.com/[GCS_BUCKET]"
+"bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET]"
+"pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]"
+```
+    The writer associated with the sink must have access to write to the above resource.
+
+* `filter` - (Optional) The filter to apply when exporting logs. Only log entries that match the filter are exported.
+    See [Advanced Log Filters](https://cloud.google.com/logging/docs/view/advanced_filters) for information on how to
+    write a filter.
+
+* `include_children` - (Optional) Whether or not to include children organizations in the sink export. If true, logs
+    associated with child projects are also exported; otherwise only logs relating to the provided organization are included.
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are
+exported:
+
+* `writer_identity` - The identity associated with this sink. This identity must be granted write access to the
+    configured `destination`.
diff --git a/google.erb b/google.erb
@@ -448,6 +448,10 @@
       <a href="/docs/providers/google/r/logging_billing_account_sink.html">google_logging_billing_account_sink</a>
       </li>
 
+      <li<%= sidebar_current("docs-google-logging-organization-sink") %>>
+      <a href="/docs/providers/google/r/logging_organization_sink.html">google_logging_organization_sink</a>
+      </li>
+
       <li<%= sidebar_current("docs-google-logging-folder-sink") %>>
       <a href="/docs/providers/google/r/logging_folder_sink.html">google_logging_folder_sink</a>
       </li>