terraform-ibm-modules · akocbek · Oct 15, 2024 · Oct 15, 2024 · Oct 15, 2024
@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-08-01T14:50:58Z",
+  "generated_at": "2024-10-15T12:05:56Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -90,7 +90,7 @@
         "hashed_secret": "a7c93faaa770c377154ea9d4d0d17a9056dbfa95",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 196,
+        "line_number": 195,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -118,7 +118,7 @@
         "hashed_secret": "a7c93faaa770c377154ea9d4d0d17a9056dbfa95",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 119,
+        "line_number": 116,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -138,7 +138,7 @@
         "hashed_secret": "3e4bdbe0b80e63c22b178576e906810777387b50",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 227,
+        "line_number": 226,
         "type": "Secret Keyword",
         "verified_result": null
       }

@@ -159,8 +159,7 @@ You need the following permissions to run this module.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the Object Storage instance created by the module. [Learn more](https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial). | `list(string)` | `[]` | no |
-| <a name="input_activity_tracker_crn"></a> [activity\_tracker\_crn](#input\_activity\_tracker\_crn) | The CRN of an Activity Tracker instance to send Object Storage bucket events to. If no value passed, events are sent to the instance associated to the container's location unless otherwise specified in the Activity Tracker Event Routing service configuration. Bucket management events are always enabled if a value is passed, regardless of the value of `activity_tracker_management_events`. | `string` | `null` | no |
-| <a name="input_activity_tracker_management_events"></a> [activity\_tracker\_management\_events](#input\_activity\_tracker\_management\_events) | If set to true, all Object Storage management events will be sent to Activity Tracker. Only applies if `activity_tracker_crn` is not populated. | `bool` | `true` | no |
+| <a name="input_activity_tracker_management_events"></a> [activity\_tracker\_management\_events](#input\_activity\_tracker\_management\_events) | If set to true, all Object Storage management events will be sent to Activity Tracker. | `bool` | `true` | no |
 | <a name="input_activity_tracker_read_data_events"></a> [activity\_tracker\_read\_data\_events](#input\_activity\_tracker\_read\_data\_events) | If set to true, all Object Storage bucket read events (i.e. downloads) will be sent to Activity Tracker. | `bool` | `true` | no |
 | <a name="input_activity_tracker_write_data_events"></a> [activity\_tracker\_write\_data\_events](#input\_activity\_tracker\_write\_data\_events) | If set to true, all Object Storage bucket write events (i.e. uploads) will be sent to Activity Tracker. | `bool` | `true` | no |
 | <a name="input_add_bucket_name_suffix"></a> [add\_bucket\_name\_suffix](#input\_add\_bucket\_name\_suffix) | Whether to add a randomly generated 4-character suffix to the new bucket name. | `bool` | `false` | no |

@@ -5,7 +5,6 @@ CRA_TARGETS:
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "bfacb71d-4b84-41ac-9825-e8a3a3eb7405" # SCC profile ID (currently set to IBM Cloud Framework for Financial Services 1.6.0 profile).
     CRA_ENVIRONMENT_VARIABLES:  # An optional map of environment variables for CRA, where the key is the variable name and value is the value. Useful for providing TF_VARs.
-      TF_VAR_existing_at_instance_crn: "crn:v1:bluemix:public:logdnaat:eu-de:a/abac0df06b644a9cabc6e44f55b3880e:b1ef3365-dfbf-4d8f-8ac8-75f4f84d6f4a::"
       TF_VAR_bucket_existing_hpcs_instance_guid: "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
       TF_VAR_bucket_hpcs_key_crn: "crn:v1:bluemix:public:hs-crypto:us-south:a/abac0df06b644a9cabc6e44f55b3880e:e6dce284-e80f-46e1-a3c1-830f7adff7a9:key:76170fae-4e0c-48c3-8ebe-326059ebb533"
       TF_VAR_region: "us-south"

@@ -7,7 +7,7 @@ The following resources are provisioned by this example:
 - A new resource group, if an existing one is not passed in.
 - A service ID that is used to generate resource keys.
 - An IBM Cloud Monitoring instance in the given resource group and region.
-- An IBM Cloud Activity Tracker instance, if existing ones is not passed in, in the given resource group and region.
+- An IBM Cloud Logs.
 - A Key Protect instance (with metrics enabled), a key ring, and a root key in the given resource group and region.
 - An IBM Cloud Object Storage instance in the given resource group and region.
 - An IAM authorization policy to allow the Object Storage instance read access to the Key Protect instance.

@@ -2,6 +2,5 @@
   "ibmcloud_api_key": $VALIDATION_APIKEY,
   "region": "us-south",
   "resource_tags": $TAGS,
-  "prefix": $PREFIX,
-  "existing_at_instance_crn": $AT_CRN
+  "prefix": $PREFIX
 }
@@ -43,32 +43,33 @@ resource "ibm_is_subnet" "testacc_subnet" {
 # Observability Instances (Monitoring + AT)
 ##############################################################################
 
-locals {
-  existing_at = var.existing_at_instance_crn != null ? true : false
-  at_crn      = var.existing_at_instance_crn == null ? module.observability_instances.activity_tracker_crn : var.existing_at_instance_crn
-}
-
-# Create Monitoring and Activity Tracker instance
+# Create Monitoring and Cloud logs instance
 module "observability_instances" {
-  source  = "terraform-ibm-modules/observability-instances/ibm"
-  version = "2.19.1"
-  providers = {
-    logdna.at = logdna.at
-    logdna.ld = logdna.ld
-  }
+  source                         = "terraform-ibm-modules/observability-instances/ibm"
+  version                        = "3.0.1"
   region                         = var.region
   resource_group_id              = module.resource_group.resource_group_id
   cloud_monitoring_instance_name = "${var.prefix}-monitoring"
   cloud_monitoring_plan          = "graduated-tier"
   enable_platform_logs           = false
   enable_platform_metrics        = false
-  log_analysis_provision         = false
-  activity_tracker_instance_name = "${var.prefix}-at"
-  activity_tracker_tags          = var.resource_tags
-  activity_tracker_plan          = "7-day"
-  activity_tracker_provision     = !local.existing_at
-  log_analysis_tags              = var.resource_tags
   cloud_monitoring_tags          = var.resource_tags
+  # Cloud Logs
+  cloud_logs_tags        = var.resource_tags
+  cloud_logs_access_tags = var.access_tags
+  cloud_logs_data_storage = {
+    # logs and metrics buckets must be different
+    logs_data = {
+      enabled         = true
+      bucket_crn      = module.cos_bucket1.bucket_crn
+      bucket_endpoint = module.cos_bucket1.s3_endpoint_direct
+    },
+    metrics_data = {
+      enabled         = true
+      bucket_crn      = module.cos_bucket2.bucket_crn
+      bucket_endpoint = module.cos_bucket2.s3_endpoint_direct
+    }
+  }
 }
 
 ##############################################################################
@@ -127,7 +128,6 @@ module "cbr_zone" {
 # Create COS instance and COS bucket-1 with:
 # - Encryption
 # - Monitoring
-# - Activity Tracking
 ##############################################################################
 
 module "cos_bucket1" {
@@ -144,7 +144,6 @@ module "cos_bucket1" {
   kms_key_crn                         = module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].crn
   monitoring_crn                      = module.observability_instances.cloud_monitoring_crn
   retention_enabled                   = false # disable retention for test environments - enable for stage/prod
-  activity_tracker_crn                = local.at_crn
   resource_keys = [
     {
       name           = "${var.prefix}-writer-key"
@@ -222,7 +221,6 @@ module "cos_bucket1" {
 # - Cross Region Location
 # - Encryption
 # - Monitoring
-# - Activity Tracking
 ##############################################################################
 
 module "cos_bucket2" {
@@ -235,7 +233,6 @@ module "cos_bucket2" {
   cross_region_location               = var.cross_region_location
   archive_days                        = null
   monitoring_crn                      = module.observability_instances.cloud_monitoring_crn
-  activity_tracker_crn                = local.at_crn
   create_cos_instance                 = false
   existing_cos_instance_id            = module.cos_bucket1.cos_instance_id
   skip_iam_authorization_policy       = true  # Required since cos_bucket1 creates the IAM authorization policy
@@ -267,7 +264,6 @@ module "cos_bucket2" {
 # - Hard Quota
 # - Encryption
 # - Monitoring
-# - Activity Tracking
 ##############################################################################
 
 module "cos_bucket3" {
@@ -281,7 +277,6 @@ module "cos_bucket3" {
   hard_quota                          = "1000000" #Sets a maximum amount of storage (in bytes) available for a bucket. If it is set to `null` then quota is disabled.
   archive_days                        = null
   monitoring_crn                      = module.observability_instances.cloud_monitoring_crn
-  activity_tracker_crn                = local.at_crn
   create_cos_instance                 = false
   existing_cos_instance_id            = module.cos_bucket1.cos_instance_id
   kms_encryption_enabled              = false # disable encryption because single site location doesn't support it

@@ -1,19 +1,3 @@
 provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
 }
-
-locals {
-  at_endpoint = "https://api.${var.region}.logging.cloud.ibm.com"
-}
-
-provider "logdna" {
-  alias      = "at"
-  servicekey = module.observability_instances.activity_tracker_resource_key != null ? module.observability_instances.activity_tracker_resource_key : ""
-  url        = local.at_endpoint
-}
-
-provider "logdna" {
-  alias      = "ld"
-  servicekey = module.observability_instances.log_analysis_resource_key != null ? module.observability_instances.log_analysis_resource_key : ""
-  url        = local.at_endpoint
-}
@@ -66,9 +66,3 @@ variable "resource_group" {
   description = "An existing resource group name to use for this example, if unset a new resource group will be created"
   default     = null
 }
-
-variable "existing_at_instance_crn" {
-  type        = string
-  description = "Optionally pass an existing activity tracker instance CRN to use in the example. If not passed, a new instance will be provisioned"
-  default     = null
-}
@@ -8,9 +8,5 @@ terraform {
       source  = "ibm-cloud/ibm"
       version = ">= 1.67.0, < 2.0.0"
     }
-    logdna = {
-      source  = "logdna/logdna"
-      version = ">= 1.14.2, < 2.0.0"
-    }
   }
 }
@@ -7,7 +7,7 @@ The following resources are provisioned by this example:
 
 - A new resource group, if an existing one is not passed in.
 - An IBM Cloud Monitoring instance in the given resource group and region.
-- An IBM Cloud Activity Tracker instance, if existing ones is not passed in, in the given resource group and region.
+- An IBM Cloud Logs.
 - An IBM Cloud Object Storage instance in the given resource group and region.
 - An IAM authorization policy to allow the Object Storage instance read access to the Key Protect instance.
 - A regional bucket with KYOK Hyper Protect Crypto Services (HPCS) encryption, monitoring, and activity tracking enabled.

@@ -3,7 +3,6 @@
   "region": "us-south",
   "resource_tags": $TAGS,
   "prefix": $PREFIX,
-  "existing_at_instance_crn": $AT_CRN,
   "bucket_existing_hpcs_instance_guid": $HPCS_US_SOUTH_GUID,
   "bucket_hpcs_key_crn": $HPCS_US_SOUTH_ROOT_KEY_CRN
 }
@@ -32,31 +32,16 @@ resource "ibm_is_subnet" "testacc_subnet" {
 # Observability Instances (Monitoring + AT)
 ##############################################################################
 
-locals {
-  existing_at = var.existing_at_instance_crn != null ? true : false
-  at_crn      = var.existing_at_instance_crn == null ? module.observability_instances.activity_tracker_crn : var.existing_at_instance_crn
-}
-
 # Create Monitoring and Activity Tracker instance
 module "observability_instances" {
-  source  = "terraform-ibm-modules/observability-instances/ibm"
-  version = "2.19.1"
-  providers = {
-    logdna.at = logdna.at
-    logdna.ld = logdna.ld
-  }
+  source                         = "terraform-ibm-modules/observability-instances/ibm"
+  version                        = "3.0.1"
   region                         = var.region
   resource_group_id              = module.resource_group.resource_group_id
   cloud_monitoring_instance_name = "${var.prefix}-monitoring"
   cloud_monitoring_plan          = "graduated-tier"
   enable_platform_logs           = false
   enable_platform_metrics        = false
-  log_analysis_provision         = false
-  activity_tracker_instance_name = "${var.prefix}-at"
-  activity_tracker_tags          = var.resource_tags
-  activity_tracker_plan          = "7-day"
-  activity_tracker_provision     = !local.existing_at
-  log_analysis_tags              = var.resource_tags
   cloud_monitoring_tags          = var.resource_tags
 }
 
@@ -156,9 +141,6 @@ module "cos_fscloud" {
     kms_guid                 = var.bucket_existing_hpcs_instance_guid
     management_endpoint_type = var.management_endpoint_type_for_bucket
     region_location          = var.region
-    activity_tracking = {
-      activity_tracker_crn = local.at_crn
-    }
     metrics_monitoring = {
       metrics_monitoring_crn = module.observability_instances.cloud_monitoring_crn
     }

@@ -2,19 +2,3 @@ provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
 }
-
-locals {
-  at_endpoint = "https://api.${var.region}.logging.cloud.ibm.com"
-}
-
-provider "logdna" {
-  alias      = "at"
-  servicekey = module.observability_instances.activity_tracker_resource_key != null ? module.observability_instances.activity_tracker_resource_key : ""
-  url        = local.at_endpoint
-}
-
-provider "logdna" {
-  alias      = "ld"
-  servicekey = module.observability_instances.log_analysis_resource_key != null ? module.observability_instances.log_analysis_resource_key : ""
-  url        = local.at_endpoint
-}
@@ -37,12 +37,6 @@ variable "resource_group" {
   default     = null
 }
 
-variable "existing_at_instance_crn" {
-  type        = string
-  description = "Optionally pass an existing activity tracker instance CRN to use in the example. If not passed, a new instance will be provisioned"
-  default     = null
-}
-
 variable "access_tags" {
   type        = list(string)
   description = "Optional list of access tags to be added to the created resources"

@@ -8,9 +8,5 @@ terraform {
       source  = "ibm-cloud/ibm"
       version = ">= 1.67.0, < 2.0.0"
     }
-    logdna = {
-      source  = "logdna/logdna"
-      version = ">= 1.14.2, < 2.0.0"
-    }
   }
 }
@@ -5,7 +5,7 @@
 ##############################################################################
 
 locals {
-  at_enabled                 = var.activity_tracker_read_data_events || var.activity_tracker_write_data_events || var.activity_tracker_crn != null ? [1] : []
+  at_enabled                 = var.activity_tracker_read_data_events || var.activity_tracker_write_data_events ? [1] : []
   metrics_enabled            = var.request_metrics_enabled || var.usage_metrics_enabled ? [1] : []
   archive_enabled            = var.archive_days == null ? [] : [1]
   expire_enabled             = var.expire_days == null ? [] : [1]
@@ -179,10 +179,9 @@ resource "ibm_cos_bucket" "cos_bucket" {
   dynamic "activity_tracking" {
     for_each = local.at_enabled
     content {
-      read_data_events     = var.activity_tracker_read_data_events
-      write_data_events    = var.activity_tracker_write_data_events
-      management_events    = var.activity_tracker_management_events # NOTE: The value of this is ignored if consumer passes value for `activity_tracker_crn`
-      activity_tracker_crn = var.activity_tracker_crn
+      read_data_events  = var.activity_tracker_read_data_events
+      write_data_events = var.activity_tracker_write_data_events
+      management_events = var.activity_tracker_management_events
     }
   }
   ## This for_each block is NOT a loop to attach to multiple Sysdig instances.
@@ -258,10 +257,9 @@ resource "ibm_cos_bucket" "cos_bucket1" {
   dynamic "activity_tracking" {
     for_each = local.at_enabled
     content {
-      read_data_events     = var.activity_tracker_read_data_events
-      write_data_events    = var.activity_tracker_write_data_events
-      management_events    = var.activity_tracker_management_events # NOTE: The value of this is ignored if consumer passes value for `activity_tracker_crn`
-      activity_tracker_crn = var.activity_tracker_crn
+      read_data_events  = var.activity_tracker_read_data_events
+      write_data_events = var.activity_tracker_write_data_events
+      management_events = var.activity_tracker_management_events
     }
   }
   ## This for_each block is NOT a loop to attach to multiple Sysdig instances.