terraform-ibm-modules/terraform-ibm-observability-instances

Terraform IBM Observability instances module

This module supports provisioning the following observability instances:

  • IBM Cloud Activity Tracker
    • Records events, compliant with the CADF standard, triggered by user-initiated activities that change the state of a service in the cloud.
  • IBM Cloud Logging with Log Analysis
    • Manage operating system logs, application logs, and platform logs in IBM Cloud.
  • IBM Cloud Monitoring with Cloud Monitoring
    • Monitor the health of services and applications in IBM Cloud.

ℹ️ The module also creates a manager key for each instance and supports passing COS bucket details to enable archiving for Log Analysis and Activity Tracker. It also supports Activity Tracker event routing to COS, Log Analysis and Event Streams.

Usage

To provision Activity Tracker, Log Analysis and IBM Cloud Monitoring

# required ibm provider config
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

# required logdna provider config
locals {
  at_endpoint = "https://api.${var.region}.logging.cloud.ibm.com"
}

provider "logdna" {
  alias      = "at"
  servicekey = module.observability_instances.activity_tracker_resource_key != null ? module.observability_instances.activity_tracker_resource_key : ""
  url        = local.at_endpoint
}

provider "logdna" {
  alias      = "ld"
  servicekey = module.observability_instances.log_analysis_resource_key != null ? module.observability_instances.log_analysis_resource_key : ""
  url        = local.at_endpoint
}

module "observability_instances" {
  source  = "terraform-ibm-modules/observability-instances/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  providers = {
    logdna.at  = logdna.at
    logdna.ld  = logdna.ld
  }
  resource_group_id  = var.resource_group.id
  region             = var.region # same variable that builds local.at_endpoint
}

To provision Log Analysis only

# required ibm provider config
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

# required log analysis provider config
locals {
  at_endpoint = "https://api.${var.region}.logging.cloud.ibm.com"
}

provider "logdna" {
  alias      = "ld"
  servicekey = module.log_analysis.resource_key
  url        = local.at_endpoint
}

module "log_analysis" {
  source  = "terraform-ibm-modules/observability-instances/ibm//modules/log_analysis"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  providers = {
    logdna.ld = logdna.ld
  }
  resource_group_id = module.resource_group.resource_group_id
  region = var.region
}

To provision Activity Tracker only

# required ibm provider config
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

# required logdna provider config
locals {
  at_endpoint = "https://api.${var.region}.logging.cloud.ibm.com"
}

provider "logdna" {
  alias      = "at"
  servicekey = module.activity_tracker.at_resource_key
  url        = local.at_endpoint
}

module "activity_tracker" {
  source  = "terraform-ibm-modules/observability-instances/ibm//modules/activity_tracker"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  providers = {
    logdna.at = logdna.at
  }
  resource_group_id = module.resource_group.resource_group_id
  region = var.region
}

To provision IBM Cloud Monitoring only

module "cloud_monitoring" {
  source  = "terraform-ibm-modules/observability-instances/ibm//modules/cloud_monitoring"
  version = "X.X.X" # Replace "X.X.X" with a release version to lock into a specific release
  resource_group_id = module.resource_group.resource_group_id
  region = var.region
}
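
To enable archiving and Activity Tracker event routing to COS, the inputs documented in the Inputs section can be combined as in the following added example, which is not taken from the module's own documentation. The bucket names, target name and the five variables are assumptions, and the `ibm` and `logdna` provider blocks from the first usage example are assumed to be present.

```hcl
# Added example, not from the module's own documentation.
# Bucket and target names are placeholders; the variables are assumptions.
variable "region" { type = string }
variable "resource_group_id" { type = string }
variable "cos_instance_id" { type = string }
variable "cos_bucket_endpoint" { type = string }

variable "archive_api_key" {
  description = "Restricted key used only to write Log Analysis archives to COS"
  type        = string
  sensitive   = true # keeps the value out of plan and apply output
}

module "observability_instances" {
  source  = "terraform-ibm-modules/observability-instances/ibm"
  version = "X.X.X" # Replace "X.X.X" with a release version
  providers = {
    logdna.at = logdna.at
    logdna.ld = logdna.ld
  }
  resource_group_id = var.resource_group_id
  region            = var.region

  # Archive Log Analysis and Activity Tracker to existing COS buckets.
  enable_archive                   = true
  ibmcloud_api_key                 = var.archive_api_key
  log_analysis_cos_instance_id     = var.cos_instance_id
  log_analysis_cos_bucket_name     = "example-log-archive"
  log_analysis_cos_bucket_endpoint = var.cos_bucket_endpoint
  at_cos_instance_id               = var.cos_instance_id
  at_cos_bucket_name               = "example-at-archive"
  at_cos_bucket_endpoint           = var.cos_bucket_endpoint

  # Event routing target that relies on service-to-service authorization,
  # so no api_key is set for it.
  cos_targets = [{
    target_name                = "example-cos-target"
    endpoint                   = var.cos_bucket_endpoint
    bucket_name                = "example-at-events"
    instance_id                = var.cos_instance_id
    service_to_service_enabled = true
  }]

  # Keep routing metadata and permitted targets in one region.
  global_event_routing_settings = {
    metadata_region_primary  = var.region
    permitted_target_regions = [var.region]
  }
}
```

Marking the variable `sensitive` only hides it from CLI output; the key is still written to Terraform state, so the state backend needs its own access control.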

Required IAM access policies

You need the following permissions to run this module.

  • Account Management
    • Resource Group service
      • Viewer platform access
  • IAM Services
    • IBM Cloud Activity Tracker service
      • Editor platform access
      • Manager service access
    • IBM Cloud Monitoring service
      • Editor platform access
      • Manager service access
    • IBM Log Analysis service
      • Editor platform access
      • Manager service access

To attach access management tags to resources in this module, you need the following permissions.

  • IAM Services
    • Tagging service
      • Administrator platform access

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0, < 1.7.0 |
| ibm | >= 1.56.1, < 2.0.0 |
| logdna | >= 1.14.2, < 2.0.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| activity_tracker | ./modules/activity_tracker | n/a |
| cloud_monitoring | ./modules/cloud_monitoring | n/a |
| log_analysis | ./modules/log_analysis | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| activity_tracker_access_tags | A list of access tags to apply to the Activity Tracker instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | list(string) | [] | no |
| activity_tracker_instance_name | The name of the Activity Tracker instance to create. Defaults to 'activity-tracker-' | string | null | no |
| activity_tracker_manager_key_name | The name to give the Activity Tracker manager key. | string | "AtManagerKey" | no |
| activity_tracker_manager_key_tags | Tags associated with the Activity Tracker manager key. | list(string) | [] | no |
| activity_tracker_plan | The Activity Tracker plan to provision. Available: lite, 7-day, 14-day, 30-day, hipaa-30-day | string | "lite" | no |
| activity_tracker_provision | Provision an Activity Tracker instance? | bool | true | no |
| activity_tracker_routes | List of routes to be created; a maximum of four routes is allowed | list(object({ locations = list(string), target_ids = list(string), route_name = string })) | [] | no |
| activity_tracker_service_endpoints | The type of the service endpoint that will be set for the Activity Tracker instance. | string | "public-and-private" | no |
| activity_tracker_tags | Tags associated with the Activity Tracker instance (Optional, array of strings). | list(string) | [] | no |
| at_cos_bucket_endpoint | An endpoint for the COS bucket for the Activity Tracker archive. Pass either the public or private endpoint (Only required when var.enable_archive and var.activity_tracker_provision are true). | string | null | no |
| at_cos_bucket_name | The name of an existing COS bucket to be used for the Activity Tracker archive (Only required when var.enable_archive and var.activity_tracker_provision are true). | string | null | no |
| at_cos_instance_id | The ID of the cloud object storage instance containing the Activity Tracker archive bucket (Only required when var.enable_archive and var.activity_tracker_provision are true). | string | null | no |
| cloud_monitoring_access_tags | A list of access tags to apply to the Cloud Monitoring instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | list(string) | [] | no |
| cloud_monitoring_instance_name | The name of the IBM Cloud Monitoring instance to create. Defaults to 'cloud_monitoring-' | string | null | no |
| cloud_monitoring_manager_key_name | The name to give the IBM Cloud Monitoring manager key. | string | "SysdigManagerKey" | no |
| cloud_monitoring_manager_key_tags | Tags associated with the IBM Cloud Monitoring manager key. | list(string) | [] | no |
| cloud_monitoring_plan | The IBM Cloud Monitoring plan to provision. Available: lite, graduated-tier | string | "lite" | no |
| cloud_monitoring_provision | Provision an IBM Cloud Monitoring instance? | bool | true | no |
| cloud_monitoring_service_endpoints | The type of the service endpoint that will be set for the IBM Cloud Monitoring instance. | string | "public-and-private" | no |
| cloud_monitoring_tags | Tags associated with the IBM Cloud Monitoring instance (Optional, array of strings). | list(string) | [] | no |
| cos_targets | List of COS targets to be created | list(object({ endpoint = string, bucket_name = string, instance_id = string, api_key = optional(string), service_to_service_enabled = optional(bool, true), target_region = optional(string), target_name = string, skip_atracker_cos_iam_auth_policy = optional(bool, false) })) | [] | no |
| enable_archive | Enable archive on Log Analysis and Activity Tracker instances | bool | false | no |
| enable_platform_logs | Receive platform logs in the provisioned IBM Cloud Logging instance. | bool | true | no |
| enable_platform_metrics | Receive platform metrics in the provisioned IBM Cloud Monitoring instance. | bool | true | no |
| eventstreams_targets | List of Event Streams targets to be created | list(object({ instance_id = string, brokers = list(string), topic = string, api_key = string, target_region = optional(string), target_name = string })) | [] | no |
| global_event_routing_settings | Global settings for event routing | object({ default_targets = optional(list(string), []), metadata_region_primary = string, metadata_region_backup = optional(string), permitted_target_regions = list(string), private_api_endpoint_only = optional(bool, false) }) | null | no |
| ibmcloud_api_key | Restricted IBM Cloud API Key used only for writing Log Analysis archives to Cloud Object Storage | string | null | no |
| log_analysis_access_tags | A list of access tags to apply to the Log Analysis instance created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | list(string) | [] | no |
| log_analysis_cos_bucket_endpoint | An endpoint for the COS bucket for the Log Analysis archive. Pass either the public or private endpoint. (Only required when var.enable_archive and var.log_analysis_provision are true). | string | null | no |
| log_analysis_cos_bucket_name | The name of an existing COS bucket to be used for the Log Analysis archive. (Only required when var.enable_archive and var.log_analysis_provision are true). | string | null | no |
| log_analysis_cos_instance_id | The ID of the cloud object storage instance containing the Log Analysis archive bucket. (Only required when var.enable_archive and var.log_analysis_provision are true). | string | null | no |
| log_analysis_instance_name | The name of the IBM Cloud Logging instance to create. Defaults to 'log-analysis-' | string | null | no |
| log_analysis_manager_key_name | The name to give the IBM Cloud Logging manager key. | string | "LogDnaManagerKey" | no |
| log_analysis_manager_key_tags | Tags associated with the IBM Cloud Logging manager key. | list(string) | [] | no |
| log_analysis_plan | The IBM Cloud Logging plan to provision. Available: lite, 7-day, 14-day, 30-day, hipaa-30-day | string | "lite" | no |
| log_analysis_provision | Provision an IBM Cloud Logging instance? | bool | true | no |
| log_analysis_resource_key_role | Role assigned to provide the IBM Cloud Logging key. | string | "Manager" | no |
| log_analysis_service_endpoints | The type of the service endpoint that will be set for the Log Analysis instance. | string | "public-and-private" | no |
| log_analysis_tags | Tags associated with the IBM Cloud Logging instance (Optional, array of strings). | list(string) | [] | no |
| log_analysis_targets | List of Log Analysis targets to be created | list(object({ instance_id = string, ingestion_key = string, target_region = optional(string), target_name = string })) | [] | no |
| region | The IBM Cloud region where instances will be created. | string | "us-south" | no |
| resource_group_id | The id of the IBM Cloud resource group where the instance(s) will be created. | string | null | no |

Outputs

| Name | Description |
|------|-------------|
| activity_tracker_crn | The id of the provisioned Activity Tracker instance. |
| activity_tracker_guid | The guid of the provisioned Activity Tracker instance. |
| activity_tracker_manager_key_name | The Activity Tracker manager key name |
| activity_tracker_name | The name of the provisioned Activity Tracker instance. |
| activity_tracker_resource_group_id | The resource group where the Activity Tracker instance resides |
| activity_tracker_resource_key | The resource/service key for agents to use |
| activity_tracker_routes | The map of created routes |
| activity_tracker_targets | The map of created targets |
| cloud_monitoring_access_key | IBM Cloud Monitoring access key for agents to use |
| cloud_monitoring_crn | The id of the provisioned IBM Cloud Monitoring instance. |
| cloud_monitoring_guid | The guid of the provisioned IBM Cloud Monitoring instance. |
| cloud_monitoring_manager_key_name | The IBM Cloud Monitoring manager key name |
| cloud_monitoring_name | The name of the provisioned IBM Cloud Monitoring instance. |
| cloud_monitoring_resource_group_id | The resource group where the IBM Cloud Monitoring instance resides |
| log_analysis_crn | The id of the provisioned Log Analysis instance. |
| log_analysis_guid | The guid of the provisioned Log Analysis instance. |
| log_analysis_ingestion_key | Log Analysis ingest key for agents to use |
| log_analysis_manager_key_name | The Log Analysis manager key name |
| log_analysis_name | The name of the provisioned Log Analysis instance. |
| log_analysis_resource_group_id | The resource group where the Log Analysis instance resides |
| log_analysis_resource_key | Log Analysis service key for agents to use |
| region | Region that instance(s) are provisioned to. |

Contributing

You can report issues and request features for this module in GitHub issues in the module repo. See Report an issue or request a feature.

To set up your local development environment, see Local development setup in the project documentation.