Folder
Default resource settings control whether CMEK is required for new log buckets. These settings also determine the storage location for the _Default and _Required log buckets, and whether the _Default sink is enabled or disabled. To get more information about FolderSettings, see:
Example Usage
Logging Folder Settings All
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const myFolder = new gcp.organizations.Folder("my_folder", {
displayName: "folder-name",
parent: "organizations/123456789",
});
const settings = gcp.logging.getFolderSettingsOutput({
folder: myFolder.folderId,
});
const iam = new gcp.kms.CryptoKeyIAMMember("iam", {
cryptoKeyId: "kms-key",
role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
member: settings.apply(settings => `serviceAccount:${settings.kmsServiceAccountId}`),
});
const example = new gcp.logging.FolderSettings("example", {
disableDefaultSink: true,
folder: myFolder.folderId,
kmsKeyName: "kms-key",
storageLocation: "us-central1",
}, {
dependsOn: [iam],
});Content copied to clipboard
import pulumi
import pulumi_gcp as gcp
my_folder = gcp.organizations.Folder("my_folder",
display_name="folder-name",
parent="organizations/123456789")
settings = gcp.logging.get_folder_settings_output(folder=my_folder.folder_id)
iam = gcp.kms.CryptoKeyIAMMember("iam",
crypto_key_id="kms-key",
role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
member=settings.apply(lambda settings: f"serviceAccount:{settings.kms_service_account_id}"))
example = gcp.logging.FolderSettings("example",
disable_default_sink=True,
folder=my_folder.folder_id,
kms_key_name="kms-key",
storage_location="us-central1",
opts = pulumi.ResourceOptions(depends_on=[iam]))Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var myFolder = new Gcp.Organizations.Folder("my_folder", new()
{
DisplayName = "folder-name",
Parent = "organizations/123456789",
});
var settings = Gcp.Logging.GetFolderSettings.Invoke(new()
{
Folder = myFolder.FolderId,
});
var iam = new Gcp.Kms.CryptoKeyIAMMember("iam", new()
{
CryptoKeyId = "kms-key",
Role = "roles/cloudkms.cryptoKeyEncrypterDecrypter",
Member = $"serviceAccount:{settings.Apply(getFolderSettingsResult => getFolderSettingsResult.KmsServiceAccountId)}",
});
var example = new Gcp.Logging.FolderSettings("example", new()
{
DisableDefaultSink = true,
Folder = myFolder.FolderId,
KmsKeyName = "kms-key",
StorageLocation = "us-central1",
}, new CustomResourceOptions
{
DependsOn =
{
iam,
},
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/kms"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/logging"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
myFolder, err := organizations.NewFolder(ctx, "my_folder", &organizations.FolderArgs{
DisplayName: pulumi.String("folder-name"),
Parent: pulumi.String("organizations/123456789"),
})
if err != nil {
return err
}
settings := logging.LookupFolderSettingsOutput(ctx, logging.GetFolderSettingsOutputArgs{
Folder: myFolder.FolderId,
}, nil)
iam, err := kms.NewCryptoKeyIAMMember(ctx, "iam", &kms.CryptoKeyIAMMemberArgs{
CryptoKeyId: pulumi.String("kms-key"),
Role: pulumi.String("roles/cloudkms.cryptoKeyEncrypterDecrypter"),
Member: settings.ApplyT(func(settings logging.GetFolderSettingsResult) (string, error) {
return fmt.Sprintf("serviceAccount:%v", settings.KmsServiceAccountId), nil
}).(pulumi.StringOutput),
})
if err != nil {
return err
}
_, err = logging.NewFolderSettings(ctx, "example", &logging.FolderSettingsArgs{
DisableDefaultSink: pulumi.Bool(true),
Folder: myFolder.FolderId,
KmsKeyName: pulumi.String("kms-key"),
StorageLocation: pulumi.String("us-central1"),
}, pulumi.DependsOn([]pulumi.Resource{
iam,
}))
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.Folder;
import com.pulumi.gcp.organizations.FolderArgs;
import com.pulumi.gcp.logging.LoggingFunctions;
import com.pulumi.gcp.logging.inputs.GetFolderSettingsArgs;
import com.pulumi.gcp.kms.CryptoKeyIAMMember;
import com.pulumi.gcp.kms.CryptoKeyIAMMemberArgs;
import com.pulumi.gcp.logging.FolderSettings;
import com.pulumi.gcp.logging.FolderSettingsArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myFolder = new Folder("myFolder", FolderArgs.builder()
.displayName("folder-name")
.parent("organizations/123456789")
.build());
final var settings = LoggingFunctions.getFolderSettings(GetFolderSettingsArgs.builder()
.folder(myFolder.folderId())
.build());
var iam = new CryptoKeyIAMMember("iam", CryptoKeyIAMMemberArgs.builder()
.cryptoKeyId("kms-key")
.role("roles/cloudkms.cryptoKeyEncrypterDecrypter")
.member(settings.applyValue(getFolderSettingsResult -> getFolderSettingsResult).applyValue(settings -> String.format("serviceAccount:%s", settings.applyValue(getFolderSettingsResult -> getFolderSettingsResult.kmsServiceAccountId()))))
.build());
var example = new FolderSettings("example", FolderSettingsArgs.builder()
.disableDefaultSink(true)
.folder(myFolder.folderId())
.kmsKeyName("kms-key")
.storageLocation("us-central1")
.build(), CustomResourceOptions.builder()
.dependsOn(iam)
.build());
}
}Content copied to clipboard
resources:
example:
type: gcp:logging:FolderSettings
properties:
disableDefaultSink: true
folder: ${myFolder.folderId}
kmsKeyName: kms-key
storageLocation: us-central1
options:
dependson:
- ${iam}
myFolder:
type: gcp:organizations:Folder
name: my_folder
properties:
displayName: folder-name
parent: organizations/123456789
iam:
type: gcp:kms:CryptoKeyIAMMember
properties:
cryptoKeyId: kms-key
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
member: serviceAccount:${settings.kmsServiceAccountId}
variables:
settings:
fn::invoke:
Function: gcp:logging:getFolderSettings
Arguments:
folder: ${myFolder.folderId}Content copied to clipboard
Import
FolderSettings can be imported using any of these accepted formats:
folders/{{folder}}/settings{{folder}}When using thepulumi importcommand, FolderSettings can be imported using one of the formats above. For example:
$ pulumi import gcp:logging/folderSettings:FolderSettings default folders/{{folder}}/settingsContent copied to clipboard
$ pulumi import gcp:logging/folderSettings:FolderSettings default {{folder}}Content copied to clipboard
Properties
Link copied to clipboard
If set to true, the _Default sink in newly created projects and folders will created in a disabled state. This can be used to automatically disable log storage if there is already an aggregated sink configured in the hierarchy. The _Default sink can be re-enabled manually if needed.
Link copied to clipboard
The resource name for the configured Cloud KMS key.
Link copied to clipboard
The service account that will be used by the Log Router to access your Cloud KMS key.
Link copied to clipboard
The service account for the given container. Sinks use this service account as their writerIdentity if no custom service account is provided.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
The storage location that Cloud Logging will use to create new resources when a location is needed but not explicitly provided.