OrganizationSink

class OrganizationSink : KotlinCustomResource

Manages an organization-level logging sink. For more information see:

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Cloud Storage bucket that receives the exported log entries.
const logBucket = new gcp.storage.Bucket("log-bucket", {
    name: "organization-logging-bucket",
    location: "US",
});

// Cloud Storage sink destinations take the form storage.googleapis.com/<bucket-name>.
const sinkDestination = pulumi.interpolate`storage.googleapis.com/${logBucket.name}`;

// Organization-level sink: exports only GCE instance entries at severity WARNING or above.
const mySink = new gcp.logging.OrganizationSink("my-sink", {
    name: "my-sink",
    description: "some explanation on what this is",
    orgId: "123456789",
    destination: sinkDestination,
    filter: "resource.type = gce_instance AND severity >= WARNING",
});

// The sink writes as its own identity (writerIdentity), which must be allowed to
// create objects at the destination.
// NOTE(review): this binding is project-wide, so the identity may create objects in
// every bucket of "your-project-id". A binding scoped to the log bucket
// (gcp.storage.BucketIAMMember) is the narrower grant.
const logWriter = new gcp.projects.IAMMember("log-writer", {
    project: "your-project-id",
    role: "roles/storage.objectCreator",
    member: mySink.writerIdentity,
});
import pulumi
import pulumi_gcp as gcp
# Cloud Storage bucket that receives the exported log entries.
bucket = gcp.storage.Bucket(
    "log-bucket",
    name="organization-logging-bucket",
    location="US",
)

# Cloud Storage sink destinations take the form storage.googleapis.com/<bucket-name>.
sink_destination = pulumi.Output.concat("storage.googleapis.com/", bucket.name)

# Organization-level sink: exports only GCE instance entries at severity WARNING or above.
sink = gcp.logging.OrganizationSink(
    "my-sink",
    name="my-sink",
    description="some explanation on what this is",
    org_id="123456789",
    destination=sink_destination,
    filter="resource.type = gce_instance AND severity >= WARNING",
)

# The sink writes as its own identity (writer_identity), which must be allowed to
# create objects at the destination.
# NOTE(review): this binding is project-wide, so the identity may create objects in
# every bucket of "your-project-id". A binding scoped to the log bucket
# (gcp.storage.BucketIAMMember) is the narrower grant.
writer_binding = gcp.projects.IAMMember(
    "log-writer",
    project="your-project-id",
    role="roles/storage.objectCreator",
    member=sink.writer_identity,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    // Cloud Storage bucket that receives the exported log entries.
    var logBucket = new Gcp.Storage.Bucket("log-bucket", new()
    {
        Name = "organization-logging-bucket",
        Location = "US",
    });

    // Cloud Storage sink destinations take the form storage.googleapis.com/<bucket-name>.
    var sinkDestination = Output.Format($"storage.googleapis.com/{logBucket.Name}");

    // Organization-level sink: exports only GCE instance entries at severity WARNING or above.
    var mySink = new Gcp.Logging.OrganizationSink("my-sink", new()
    {
        Name = "my-sink",
        Description = "some explanation on what this is",
        OrgId = "123456789",
        Destination = sinkDestination,
        Filter = "resource.type = gce_instance AND severity >= WARNING",
    });

    // The sink writes as its own identity (WriterIdentity), which must be allowed to
    // create objects at the destination.
    // NOTE(review): this binding is project-wide, so the identity may create objects in
    // every bucket of "your-project-id". A binding scoped to the log bucket
    // (Gcp.Storage.BucketIAMMember) is the narrower grant.
    var logWriter = new Gcp.Projects.IAMMember("log-writer", new()
    {
        Project = "your-project-id",
        Role = "roles/storage.objectCreator",
        Member = mySink.WriterIdentity,
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/logging"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/projects"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/storage"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
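// main provisions a log bucket, an organization-level logging sink that exports
// to it, and the IAM binding that lets the sink's writer identity create objects.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the bucket handle: its name is needed to build the sink destination.
		// (The original discarded it with `_` and then referenced an undefined
		// `log_bucket`, which does not compile.)
		logBucket, err := storage.NewBucket(ctx, "log-bucket", &storage.BucketArgs{
			Name:     pulumi.String("organization-logging-bucket"),
			Location: pulumi.String("US"),
		})
		if err != nil {
			return err
		}

		// Organization-level sink: exports only GCE instance entries at severity
		// WARNING or above. Keep the handle so its writer identity can be bound below.
		mySink, err := logging.NewOrganizationSink(ctx, "my-sink", &logging.OrganizationSinkArgs{
			Name:        pulumi.String("my-sink"),
			Description: pulumi.String("some explanation on what this is"),
			OrgId:       pulumi.String("123456789"),
			// Cloud Storage sink destinations take the form storage.googleapis.com/<bucket-name>.
			Destination: logBucket.Name.ApplyT(func(name string) (string, error) {
				return fmt.Sprintf("storage.googleapis.com/%v", name), nil
			}).(pulumi.StringOutput),
			Filter: pulumi.String("resource.type = gce_instance AND severity >= WARNING"),
		})
		if err != nil {
			return err
		}

		// The sink writes as its own identity (WriterIdentity), which must be allowed
		// to create objects at the destination.
		// NOTE(review): this binding is project-wide, so the identity may create
		// objects in every bucket of "your-project-id". A binding scoped to the log
		// bucket (storage.NewBucketIAMMember) is the narrower grant.
		_, err = projects.NewIAMMember(ctx, "log-writer", &projects.IAMMemberArgs{
			Project: pulumi.String("your-project-id"),
			Role:    pulumi.String("roles/storage.objectCreator"),
			Member:  mySink.WriterIdentity,
		})
		if err != nil {
			return err
		}
		return nil
	})
}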
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.storage.Bucket;
import com.pulumi.gcp.storage.BucketArgs;
import com.pulumi.gcp.logging.OrganizationSink;
import com.pulumi.gcp.logging.OrganizationSinkArgs;
import com.pulumi.gcp.projects.IAMMember;
import com.pulumi.gcp.projects.IAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Example stack: a log bucket, an organization-level logging sink that exports to it,
 * and the IAM binding that lets the sink's writer identity create objects.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the example.
     *
     * @param ctx the Pulumi program context supplied by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        // Cloud Storage bucket that receives the exported log entries.
        var logBucket = new Bucket("log-bucket", BucketArgs.builder()
            .name("organization-logging-bucket")
            .location("US")
            .build());

        // Cloud Storage sink destinations take the form storage.googleapis.com/<bucket-name>.
        var sinkDestination = logBucket.name()
            .applyValue(bucketName -> String.format("storage.googleapis.com/%s", bucketName));

        // Organization-level sink: exports only GCE instance entries at severity WARNING or above.
        var mySink = new OrganizationSink("my-sink", OrganizationSinkArgs.builder()
            .name("my-sink")
            .description("some explanation on what this is")
            .orgId("123456789")
            .destination(sinkDestination)
            .filter("resource.type = gce_instance AND severity >= WARNING")
            .build());

        // The sink writes as its own identity (writerIdentity), which must be allowed to
        // create objects at the destination.
        // NOTE(review): this binding is project-wide, so the identity may create objects in
        // every bucket of "your-project-id". A binding scoped to the log bucket
        // (com.pulumi.gcp.storage.BucketIAMMember) is the narrower grant.
        var logWriter = new IAMMember("log-writer", IAMMemberArgs.builder()
            .project("your-project-id")
            .role("roles/storage.objectCreator")
            .member(mySink.writerIdentity())
            .build());
    }
}
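# Example stack: a log bucket, an organization-level logging sink that exports to it,
# and the IAM binding that lets the sink's writer identity create objects.
# Nesting restored: the flattened listing had lost the indentation YAML needs.
resources:
  # Organization-level sink: exports only GCE instance entries at severity WARNING or above.
  my-sink:
    type: gcp:logging:OrganizationSink
    properties:
      name: my-sink
      description: some explanation on what this is
      orgId: '123456789'
      # Cloud Storage sink destinations take the form storage.googleapis.com/<bucket-name>.
      destination: storage.googleapis.com/${["log-bucket"].name}
      filter: resource.type = gce_instance AND severity >= WARNING
  # Cloud Storage bucket that receives the exported log entries.
  log-bucket:
    type: gcp:storage:Bucket
    properties:
      name: organization-logging-bucket
      location: US
  # The sink writes as its own identity (writerIdentity), which must be allowed to
  # create objects at the destination.
  # NOTE(review): this binding is project-wide, so the identity may create objects in
  # every bucket of your-project-id. A binding scoped to the log bucket
  # (gcp:storage:BucketIAMMember) is the narrower grant.
  log-writer:
    type: gcp:projects:IAMMember
    properties:
      project: your-project-id
      role: roles/storage.objectCreator
      member: ${["my-sink"].writerIdentity}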

Import

Organization-level logging sinks can be imported using this format:

  • organizations/{{organization_id}}/sinks/{{sink_id}}

When using the pulumi import command, organization-level logging sinks can be imported using the format above. For example:

$ pulumi import gcp:logging/organizationSink:OrganizationSink default organizations/{{organization_id}}/sinks/{{sink_id}}

Properties


Options that affect sinks exporting data to BigQuery. Structure documented below.

val description: Output<String>?

A description of this sink. The maximum length of the description is 8000 characters.

val destination: Output<String>

The destination of the sink (or, in other words, where logs are written to). Can be a Cloud Storage bucket, a PubSub topic, a BigQuery dataset, a Cloud Logging bucket, or a Google Cloud project. Examples:

val disabled: Output<Boolean>?

If set to True, then this sink is disabled and it does not export any log entries.


Log entries that match any of the exclusion filters will not be exported. If a log entry is matched by both filter and one of exclusions.filter, it will not be exported. Can be repeated multiple times for multiple exclusions. Structure is documented below.

val filter: Output<String>?

The filter to apply when exporting logs. Only log entries that match the filter are exported. See Advanced Log Filters for information on how to write a filter.

val id: Output<String>
val includeChildren: Output<Boolean>?

Whether or not to include child organizations in the sink export. If true, logs associated with child projects are also exported; otherwise only logs relating to the provided organization are included.


Whether or not to intercept logs from child projects. If true, matching logs will not match with sinks in child resources, except _Required sinks. This sink will be visible to child resources when listing sinks.

val name: Output<String>

The name of the logging sink.

val orgId: Output<String>

The numeric ID of the organization to be exported to the sink.

val pulumiChildResources: Set<KotlinResource>
val urn: Output<String>
val writerIdentity: Output<String>

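The identity associated with this sink. This identity must be granted write access to the configured destination. Grant that access on the destination resource itself (for example, the specific bucket) rather than project-wide, so the sink's identity cannot write to unrelated resources.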