From e25ec7f4971e261de43e8bf0b6699f970320e0b1 Mon Sep 17 00:00:00 2001 From: Aashiq-J <122446118+Aashiq-J@users.noreply.github.com> Date: Mon, 21 Oct 2024 18:35:31 +0530 Subject: [PATCH] feat: Support for Log Analysis agents has been fully removed and replaced by the new Logs agent for sending Logs to Cloud Logs (#339) BREAKING CHANGE: Log Analysis agents support has been removed --- README.md | 41 ++++---- examples/end-to-end-example/README.md | 4 +- examples/end-to-end-example/main.tf | 21 ++--- examples/end-to-end-example/provider.tf | 22 ++--- examples/end-to-end-example/version.tf | 4 - main.tf | 100 ++++++++++++++------ tests/pr_test.go | 2 +- variables.tf | 120 +++++++++++++----------- 8 files changed, 179 insertions(+), 135 deletions(-) diff --git a/README.md b/README.md index 648f484..26a929c 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ This module is a wrapper module that groups the following modules: - [base-ocp-vpc-module](https://github.com/terraform-ibm-modules/terraform-ibm-base-ocp-vpc) - Provisions a base (bare) Red Hat OpenShift Container Platform cluster on VPC Gen2 (supports passing Key Protect details to encrypt cluster). -- [observability-agents-module](https://github.com/terraform-ibm-modules/terraform-ibm-observability-agents) - Deploys Log Analysis and Cloud Monitoring agents to a cluster. +- [observability-agents-module](https://github.com/terraform-ibm-modules/terraform-ibm-observability-agents) - Deploys Logs Agent and Cloud Monitoring agents to a cluster. :exclamation: **Important:** You can't update Red Hat OpenShift cluster nodes by using this module. The Terraform logic ignores updates to prevent possible destructive changes. 
@@ -89,6 +89,12 @@ provider "helm" { host = data.ibm_container_cluster_config.cluster_config.host token = data.ibm_container_cluster_config.cluster_config.token } + # IBM Cloud credentials are required to authenticate to the helm repo + registry { + url = "oci://icr.io/ibm/observe/logs-agent-helm" + username = "iamapikey" + password = "XXXXXXXXXXXXXXXXX" # replace with an IBM cloud apikey # pragma: allowlist secret + } } provider "kubernetes" { @@ -119,8 +125,8 @@ module "ocp_all_inclusive" { } ] } - log_analysis_instance_name = "my-logdna" - log_analysis_ingestion_key = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX" + cloud_logs_ingress_endpoint = ".ingress.us-south.logs.cloud.ibm.com" + cloud_logs_ingress_port = 443 cloud_monitoring_instance_name = "my-sysdig" cloud_monitoring_access_key = "xxXXxxXXxXxXXXXxxXxxxXXXXxXXXXX" } @@ -164,8 +170,9 @@ You need the following permissions to run this module. | Name | Source | Version | |------|--------|---------| -| [observability\_agents](#module\_observability\_agents) | terraform-ibm-modules/observability-agents/ibm | 1.29.1 | +| [observability\_agents](#module\_observability\_agents) | terraform-ibm-modules/observability-agents/ibm | 1.30.2 | | [ocp\_base](#module\_ocp\_base) | terraform-ibm-modules/base-ocp-vpc/ibm | 3.33.0 | +| [trusted\_profile](#module\_trusted\_profile) | terraform-ibm-modules/trusted-profile/ibm | 1.0.4 | ### Resources @@ -181,6 +188,8 @@ No resources. | [addons](#input\_addons) | List of all addons supported by the ocp cluster. |
object({
debug-tool = optional(string)
image-key-synchronizer = optional(string)
openshift-data-foundation = optional(string)
vpc-file-csi-driver = optional(string)
static-route = optional(string)
cluster-autoscaler = optional(string)
vpc-block-csi-driver = optional(string)
})
| `null` | no | | [allow\_default\_worker\_pool\_replacement](#input\_allow\_default\_worker\_pool\_replacement) | (Advanced users) Set to true to allow the module to recreate a default worker pool. Only use in the case where you are getting an error indicating that the default worker pool cannot be replaced on apply. Once the default worker pool is handled as a stand-alone ibm\_container\_vpc\_worker\_pool, if you wish to make any change to the default worker pool which requires the re-creation of the default pool set this variable to true. | `bool` | `false` | no | | [attach\_ibm\_managed\_security\_group](#input\_attach\_ibm\_managed\_security\_group) | Whether to attach the IBM-defined default security group (named `kube-`) to all worker nodes. Applies only if `custom_security_group_ids` is set. | `bool` | `true` | no | +| [cloud\_logs\_ingress\_endpoint](#input\_cloud\_logs\_ingress\_endpoint) | The host for IBM Cloud Logs ingestion. It is required if `logs_agent_enabled` is set to `true`. Ensure you use the ingress endpoint. See https://cloud.ibm.com/docs/cloud-logs?topic=cloud-logs-endpoints_ingress. | `string` | `null` | no | +| [cloud\_logs\_ingress\_port](#input\_cloud\_logs\_ingress\_port) | The target port for the IBM Cloud Logs ingestion endpoint. The port must be 443 if you connect by using a VPE gateway, or port 3443 when you connect by using CSEs. | `number` | `3443` | no | | [cloud\_monitoring\_access\_key](#input\_cloud\_monitoring\_access\_key) | Access key for the Cloud Monitoring agent to communicate with the instance. | `string` | `null` | no | | [cloud\_monitoring\_add\_cluster\_name](#input\_cloud\_monitoring\_add\_cluster\_name) | If true, configure the cloud monitoring agent to attach a tag containing the cluster name to all metric data. | `bool` | `true` | no | | [cloud\_monitoring\_agent\_name](#input\_cloud\_monitoring\_agent\_name) | Cloud Monitoring agent name. Used for naming all kubernetes and helm resources on the cluster. 
| `string` | `"sysdig-agent"` | no | 
@@ -210,18 +219,18 @@ No resources. | [kms\_account\_id](#input\_kms\_account\_id) | Id of the account that owns the KMS instance to encrypt the cluster. It is only required if the KMS instance is in another account. | `string` | `null` | no | | [kms\_use\_private\_endpoint](#input\_kms\_use\_private\_endpoint) | Set as true to use the Private endpoint when communicating between cluster and KMS instance. | `bool` | `true` | no | | [kms\_wait\_for\_apply](#input\_kms\_wait\_for\_apply) | Set true to make terraform wait until KMS is applied to master and it is ready and deployed. Default value is true. | `bool` | `true` | no | -| [log\_analysis\_add\_cluster\_name](#input\_log\_analysis\_add\_cluster\_name) | If true, configure the log analysis agent to attach a tag containing the cluster name to all log messages. | `bool` | `true` | no | -| [log\_analysis\_agent\_custom\_line\_exclusion](#input\_log\_analysis\_agent\_custom\_line\_exclusion) | Log Analysis agent custom configuration for line exclusion setting LOGDNA\_K8S\_METADATA\_LINE\_EXCLUSION. See https://github.com/logdna/logdna-agent-v2/blob/master/docs/KUBERNETES.md#configuration-for-kubernetes-metadata-filtering for more info. | `string` | `null` | no | -| [log\_analysis\_agent\_custom\_line\_inclusion](#input\_log\_analysis\_agent\_custom\_line\_inclusion) | Log Analysis agent custom configuration for line inclusion setting LOGDNA\_K8S\_METADATA\_LINE\_INCLUSION. See https://github.com/logdna/logdna-agent-v2/blob/master/docs/KUBERNETES.md#configuration-for-kubernetes-metadata-filtering for more info. | `string` | `null` | no | -| [log\_analysis\_agent\_name](#input\_log\_analysis\_agent\_name) | Log Analysis agent name. Used for naming all kubernetes and helm resources on the cluster. | `string` | `"logdna-agent"` | no | -| [log\_analysis\_agent\_namespace](#input\_log\_analysis\_agent\_namespace) | Namespace where to deploy the Log Analysis agent. 
Default value is 'ibm-observe' | `string` | `"ibm-observe"` | no | -| [log\_analysis\_agent\_tags](#input\_log\_analysis\_agent\_tags) | List of tags to associate with the log analysis agents | `list(string)` | `[]` | no | -| [log\_analysis\_agent\_tolerations](#input\_log\_analysis\_agent\_tolerations) | List of tolerations to apply to Log Analysis agent. |
list(object({
key = optional(string)
operator = optional(string)
value = optional(string)
effect = optional(string)
tolerationSeconds = optional(number)
}))
|
[
{
"operator": "Exists"
}
]
| no | -| [log\_analysis\_enabled](#input\_log\_analysis\_enabled) | Deploy IBM Cloud Logging agent | `bool` | `true` | no | -| [log\_analysis\_endpoint\_type](#input\_log\_analysis\_endpoint\_type) | Specify the IBM Log Analysis instance endpoint type (public or private) to use. Used to construct the ingestion endpoint. | `string` | `"private"` | no | -| [log\_analysis\_ingestion\_key](#input\_log\_analysis\_ingestion\_key) | Ingestion key for the Log Analysis agent to communicate with the instance. | `string` | `null` | no | -| [log\_analysis\_instance\_region](#input\_log\_analysis\_instance\_region) | The IBM Log Analysis instance region. Used to construct the ingestion endpoint. | `string` | `null` | no | -| [log\_analysis\_secret\_name](#input\_log\_analysis\_secret\_name) | The name of the secret which will store the ingestion key. | `string` | `"logdna-agent"` | no | +| [logs\_agent\_additional\_log\_source\_paths](#input\_logs\_agent\_additional\_log\_source\_paths) | The list of additional log sources. By default, the Logs agent collects logs from a single source at `/var/log/containers/*.log`. | `list(string)` | `[]` | no | +| [logs\_agent\_additional\_metadata](#input\_logs\_agent\_additional\_metadata) | The list of additional metadata fields to add to the routed logs. |
list(object({
key = optional(string)
value = optional(string)
}))
| `[]` | no | +| [logs\_agent\_enabled](#input\_logs\_agent\_enabled) | Whether to deploy the Logs agent. | `bool` | `true` | no | +| [logs\_agent\_exclude\_log\_source\_paths](#input\_logs\_agent\_exclude\_log\_source\_paths) | The list of log sources to exclude. Specify the paths that the Logs agent ignores. | `list(string)` | `[]` | no | +| [logs\_agent\_iam\_api\_key](#input\_logs\_agent\_iam\_api\_key) | The IBM Cloud API key for the Logs agent to authenticate and communicate with the IBM Cloud Logs. It is required if `logs_agent_enabled` is true and `logs_agent_iam_mode` is set to `IAMAPIKey`. | `string` | `null` | no | +| [logs\_agent\_iam\_environment](#input\_logs\_agent\_iam\_environment) | IAM authentication Environment: `Production` or `PrivateProduction` or `Staging` or `PrivateStaging`. `Production` specifies the public endpoint & `PrivateProduction` specifies the private endpoint. | `string` | `"PrivateProduction"` | no | +| [logs\_agent\_iam\_mode](#input\_logs\_agent\_iam\_mode) | IAM authentication mode: `TrustedProfile` or `IAMAPIKey`. If `TrustedProfile` is selected, the module will create one. | `string` | `"TrustedProfile"` | no | +| [logs\_agent\_log\_source\_namespaces](#input\_logs\_agent\_log\_source\_namespaces) | The list of namespaces from which logs should be forwarded by agent. If namespaces are not listed, logs from all namespaces will be sent. | `list(string)` | `[]` | no | +| [logs\_agent\_name](#input\_logs\_agent\_name) | The name of the Logs agent. The name is used in all Kubernetes and Helm resources in the cluster. | `string` | `"logs-agent"` | no | +| [logs\_agent\_namespace](#input\_logs\_agent\_namespace) | The namespace where the Logs agent is deployed. The default value is `ibm-observe`. | `string` | `"ibm-observe"` | no | +| [logs\_agent\_selected\_log\_source\_paths](#input\_logs\_agent\_selected\_log\_source\_paths) | The list of specific log sources paths. 
Logs will only be collected from the specified log source paths. If no paths are specified, it will send logs from `/var/log/containers`. | `list(string)` | `[]` | no | +| [logs\_agent\_tolerations](#input\_logs\_agent\_tolerations) | List of tolerations to apply to Logs agent. The default value means a pod will run on every node. |
list(object({
key = optional(string)
operator = optional(string)
value = optional(string)
effect = optional(string)
tolerationSeconds = optional(number)
}))
|
[
{
"operator": "Exists"
}
]
| no | | [manage\_all\_addons](#input\_manage\_all\_addons) | Whether Terraform manages all cluster add-ons, even add-ons installed outside of the module. If set to 'true', this module destroys the add-ons installed by other sources. | `bool` | `false` | no | | [number\_of\_lbs](#input\_number\_of\_lbs) | The number of load balancer to associate with the `additional_lb_security_group_names` security group. Must match the number of load balancers that are associated with the cluster | `number` | `1` | no | | [ocp\_entitlement](#input\_ocp\_entitlement) | Value that is applied to the entitlements for OCP cluster provisioning | `string` | `"cloud_pak"` | no | diff --git a/examples/end-to-end-example/README.md b/examples/end-to-end-example/README.md index f0d0562..13c590f 100644 --- a/examples/end-to-end-example/README.md +++ b/examples/end-to-end-example/README.md @@ -6,10 +6,10 @@ An end-to-end example that will: - Define ACLs to allow inbound and outboud traffic: - from/to Ingress Operator to correctly report cluster ingress status - to the cluster's oAuth server port to enable the Openshift cluster console -- Provision Log Analysis and Cloud Monitoring instances in the given resource group and region. +- Provision Cloud Logs and Cloud Monitoring instances in the given resource group and region. - Provision a Key Protect instance in the given resource group and region and create a new key ring and key in the instance - Call the ocp-all-inclusive-module to do the following: - provision an OCP VPC cluster in the given resource group and region, passing the details of the Key Protect instance and key for cluster encryption - - deploy Log Analysis and Cloud Monitoring agents to the cluster + - deploy Logs Agent and Cloud Monitoring agents to the cluster - deploy service mesh on the cluster - install autoscaler addon and configure certain nodepools to have autoscaling enabled. 
diff --git a/examples/end-to-end-example/main.tf b/examples/end-to-end-example/main.tf index f847e88..0155ced 100644 --- a/examples/end-to-end-example/main.tf +++ b/examples/end-to-end-example/main.tf @@ -149,26 +149,20 @@ module "vpc" { } ############################################################################## -# Observability Instances (Log Analysis + Cloud Monitoring) +# Observability Instances (Cloud Logs + Cloud Monitoring) ############################################################################## module "observability_instances" { - source = "terraform-ibm-modules/observability-instances/ibm" - version = "2.18.1" - providers = { - logdna.at = logdna.at - logdna.ld = logdna.ld - } + source = "terraform-ibm-modules/observability-instances/ibm" + version = "3.0.1" region = var.region resource_group_id = module.resource_group.resource_group_id - activity_tracker_provision = false - log_analysis_instance_name = "${var.prefix}-logdna" + cloud_logs_instance_name = "${var.prefix}-icl" cloud_monitoring_instance_name = "${var.prefix}-sysdig" - log_analysis_plan = "7-day" cloud_monitoring_plan = "graduated-tier" enable_platform_logs = false enable_platform_metrics = false - log_analysis_tags = var.resource_tags + cloud_logs_tags = var.resource_tags cloud_monitoring_tags = var.resource_tags } 
@@ -235,12 +229,11 @@ module "ocp_all_inclusive" { access_tags = var.access_tags existing_kms_instance_guid = module.key_protect_all_inclusive.kms_guid existing_kms_root_key_id = module.key_protect_all_inclusive.keys["${local.key_ring_name}.${local.key_name}"].key_id - log_analysis_instance_region = module.observability_instances.region - log_analysis_ingestion_key = module.observability_instances.log_analysis_ingestion_key + cloud_logs_ingress_endpoint = module.observability_instances.cloud_logs_ingress_private_endpoint + cloud_logs_ingress_port = 3443 cloud_monitoring_access_key = module.observability_instances.cloud_monitoring_access_key cloud_monitoring_instance_region = module.observability_instances.region addons = local.addons disable_public_endpoint = var.disable_public_endpoint - log_analysis_agent_tags = var.resource_tags cloud_monitoring_agent_tags = var.resource_tags } diff --git a/examples/end-to-end-example/provider.tf b/examples/end-to-end-example/provider.tf index 66680a4..334de14 100644 --- a/examples/end-to-end-example/provider.tf +++ b/examples/end-to-end-example/provider.tf @@ -17,6 +17,12 @@ provider "helm" { host = data.ibm_container_cluster_config.cluster_config.host token = data.ibm_container_cluster_config.cluster_config.token } + # IBM Cloud credentials are required to authenticate to the helm repo + registry { + url = "oci://icr.io/ibm/observe/logs-agent-helm" + username = "iamapikey" + password = var.ibmcloud_api_key + } } # Kubernetes provider used to create kube namespace(s) 
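Review bot: `cloud_logs_ingress_port = 3443` is a bare literal that only works together with the `cloud_logs_ingress_private_endpoint` output passed on the line above (the root variable's own description says 3443 is the CSE port and a VPE path needs 443), yet nothing in the example says so. Either drop the line, since the root module already defaults the port to 3443, or keep it with a comment that ties the two inputs: `# 3443 pairs with the private ingress endpoint reached over CSE; use 443 if the cluster reaches Cloud Logs through a VPE gateway`. The `module "ocp_all_inclusive"` block starts outside the hunk.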
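Review bot: The new `registry` block in the helm provider hands `var.ibmcloud_api_key` to the chart registry as the password, but the variable's declaration is outside this hunk, so confirm it is declared `sensitive = true` so the key stays redacted in plan and state output. The comment above the block only says credentials are required; it should also say what the key is used for and how narrow it can be, e.g. `# Used only to pull the logs-agent chart from icr.io; a dedicated service ID key with the minimum access the chart pull requires is preferable to a user key`. The `provider "helm"` block starts outside the hunk.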
@@ -24,19 +30,3 @@ provider "kubernetes" {
 host = data.ibm_container_cluster_config.cluster_config.host
 token = data.ibm_container_cluster_config.cluster_config.token
 }
-
-locals {
- at_endpoint = "https://api.${var.region}.logging.cloud.ibm.com"
-}
-
-provider "logdna" {
- alias = "at"
- servicekey = module.observability_instances.activity_tracker_resource_key != null ? module.observability_instances.activity_tracker_resource_key : ""
- url = local.at_endpoint
-}
-
-provider "logdna" {
- alias = "ld"
- servicekey = module.observability_instances.log_analysis_resource_key != null ? module.observability_instances.log_analysis_resource_key : ""
- url = local.at_endpoint
-}
diff --git a/examples/end-to-end-example/version.tf b/examples/end-to-end-example/version.tf
index 5732e35..105f5b9 100644
--- a/examples/end-to-end-example/version.tf
+++ b/examples/end-to-end-example/version.tf
@@ -13,9 +13,5 @@ terraform {
 source = "hashicorp/kubernetes"
 version = ">= 2.16.1"
 }
- logdna = {
- source = "logdna/logdna"
- version = ">= 1.14.2"
- }
 }
 }
diff --git a/main.tf b/main.tf
index 81a55b3..40b3a29 100644
--- a/main.tf
+++ b/main.tf
@@ -57,38 +57,80 @@ module "ocp_base" { allow_default_worker_pool_replacement = var.allow_default_worker_pool_replacement } +############################################################################## +# Trusted Profile +############################################################################## + +locals { + logs_agent_namespace = var.logs_agent_namespace == null ? "ibm-observe" : var.logs_agent_namespace + logs_agent_name = var.logs_agent_name == null ? "logs-agent" : var.logs_agent_name +} + + +module "trusted_profile" { + count = (var.logs_agent_enabled && var.logs_agent_iam_mode == "TrustedProfile") ? 1 : 0 + source = "terraform-ibm-modules/trusted-profile/ibm" + version = "1.0.4" + trusted_profile_name = "${var.cluster_name}-trusted-profile" + trusted_profile_description = "Logs agent Trusted Profile" + # As a `Sender`, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agents and routers sending logs. + trusted_profile_policies = [{ + roles = ["Sender"] + resources = [{ + service = "logs" + }] + }] + # Set up fine-grained authorization for `logs-agent` running in ROKS cluster in `ibm-observe` namespace. + trusted_profile_links = [{ + cr_type = "ROKS_SA" + links = [{ + crn = module.ocp_base.cluster_crn + namespace = local.logs_agent_namespace + name = local.logs_agent_name + }] + } + ] +} + + ############################################################################## # observability-agents-module ############################################################################## module "observability_agents" { - count = var.log_analysis_enabled == true || var.cloud_monitoring_enabled == true ? 
1 : 0 - source = "terraform-ibm-modules/observability-agents/ibm" - version = "1.29.1" - cluster_id = module.ocp_base.cluster_id - cluster_resource_group_id = var.resource_group_id - cluster_config_endpoint_type = var.cluster_config_endpoint_type - log_analysis_enabled = var.log_analysis_enabled - log_analysis_ingestion_key = var.log_analysis_ingestion_key - log_analysis_agent_tags = var.log_analysis_agent_tags - log_analysis_add_cluster_name = var.log_analysis_add_cluster_name - log_analysis_secret_name = var.log_analysis_secret_name - log_analysis_instance_region = var.log_analysis_instance_region - log_analysis_endpoint_type = var.log_analysis_endpoint_type - log_analysis_agent_custom_line_inclusion = var.log_analysis_agent_custom_line_inclusion - log_analysis_agent_custom_line_exclusion = var.log_analysis_agent_custom_line_exclusion - log_analysis_agent_name = var.log_analysis_agent_name - log_analysis_agent_namespace = var.log_analysis_agent_namespace - log_analysis_agent_tolerations = var.log_analysis_agent_tolerations - cloud_monitoring_enabled = var.cloud_monitoring_enabled - cloud_monitoring_access_key = var.cloud_monitoring_access_key - cloud_monitoring_agent_tags = var.cloud_monitoring_agent_tags - cloud_monitoring_secret_name = var.cloud_monitoring_secret_name - cloud_monitoring_instance_region = var.cloud_monitoring_instance_region - cloud_monitoring_endpoint_type = var.cloud_monitoring_endpoint_type - cloud_monitoring_metrics_filter = var.cloud_monitoring_metrics_filter - cloud_monitoring_add_cluster_name = var.cloud_monitoring_add_cluster_name - cloud_monitoring_agent_name = var.cloud_monitoring_agent_name - cloud_monitoring_agent_namespace = var.cloud_monitoring_agent_namespace - cloud_monitoring_agent_tolerations = var.cloud_monitoring_agent_tolerations + count = var.logs_agent_enabled == true || var.cloud_monitoring_enabled == true ? 
1 : 0 + source = "terraform-ibm-modules/observability-agents/ibm" + version = "1.30.2" + cluster_id = module.ocp_base.cluster_id + cluster_resource_group_id = var.resource_group_id + cluster_config_endpoint_type = var.cluster_config_endpoint_type + # Logs Agent + logs_agent_enabled = var.logs_agent_enabled + logs_agent_name = var.logs_agent_name + logs_agent_namespace = var.logs_agent_namespace + logs_agent_trusted_profile = var.logs_agent_iam_mode == "TrustedProfile" ? module.trusted_profile[0].trusted_profile.id : null + logs_agent_iam_api_key = var.logs_agent_iam_api_key + logs_agent_tolerations = var.logs_agent_tolerations + logs_agent_additional_log_source_paths = var.logs_agent_additional_log_source_paths + logs_agent_exclude_log_source_paths = var.logs_agent_exclude_log_source_paths + logs_agent_selected_log_source_paths = var.logs_agent_selected_log_source_paths + logs_agent_log_source_namespaces = var.logs_agent_log_source_namespaces + logs_agent_iam_mode = var.logs_agent_iam_mode + logs_agent_enable_scc = true + logs_agent_iam_environment = var.logs_agent_iam_environment + logs_agent_additional_metadata = var.logs_agent_additional_metadata + cloud_logs_ingress_endpoint = var.cloud_logs_ingress_endpoint + cloud_logs_ingress_port = var.cloud_logs_ingress_port + # Cloud Monitoring + cloud_monitoring_enabled = var.cloud_monitoring_enabled + cloud_monitoring_access_key = var.cloud_monitoring_access_key + cloud_monitoring_agent_tags = var.cloud_monitoring_agent_tags + cloud_monitoring_secret_name = var.cloud_monitoring_secret_name + cloud_monitoring_instance_region = var.cloud_monitoring_instance_region + cloud_monitoring_endpoint_type = var.cloud_monitoring_endpoint_type + cloud_monitoring_metrics_filter = var.cloud_monitoring_metrics_filter + cloud_monitoring_add_cluster_name = var.cloud_monitoring_add_cluster_name + cloud_monitoring_agent_name = var.cloud_monitoring_agent_name + cloud_monitoring_agent_namespace = var.cloud_monitoring_agent_namespace + 
cloud_monitoring_agent_tolerations = var.cloud_monitoring_agent_tolerations
 }
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 1d0a8c0..b5f2e2f 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -39,7 +39,7 @@ func setupOptions(t *testing.T, prefix string, terraformVars map[string]interfac
 List: []string{
 "module.ocp_all_inclusive.module.observability_agents[0].helm_release.logdna_agent[0]",
 "module.ocp_all_inclusive.module.observability_agents[0].helm_release.sysdig_agent[0]",
- "module.ocp_all_inclusive.module.observability_agents[0].helm_release.log_analysis_agent[0]",
+ "module.ocp_all_inclusive.module.observability_agents[0].module.logs_agent[0].helm_release.logs_agent",
 "module.ocp_all_inclusive.module.observability_agents[0].helm_release.cloud_monitoring_agent[0]",
 },
 },
diff --git a/variables.tf b/variables.tf
index fa045e9..7f02143 100644
--- a/variables.tf
+++ b/variables.tf
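Review bot: `logs_agent_trusted_profile = var.logs_agent_iam_mode == "TrustedProfile" ? module.trusted_profile[0].trusted_profile.id : null` indexes `module.trusted_profile[0]` whenever the mode is `TrustedProfile`, but that module's `count` is additionally gated on `var.logs_agent_enabled`, while `observability_agents` is created when either agent is enabled; with `logs_agent_enabled = false`, `cloud_monitoring_enabled = true` and the default mode, the `[0]` index hits an empty module list and the plan fails. Gate the reference on the module's actual length: `logs_agent_trusted_profile = length(module.trusted_profile) > 0 ? module.trusted_profile[0].trusted_profile.id : null`. Two smaller points in the same hunk: the `== null` checks in the new `locals` are dead because both `logs_agent_namespace` and `logs_agent_name` are declared `nullable = false` with defaults in variables.tf, and `logs_agent_enable_scc = true` is hard-coded with no comment saying why it is fixed rather than exposed like its neighbours; a one-line why-comment on that input would help.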
@@ -369,95 +369,109 @@ variable "custom_security_group_ids" { } ############################################################################## -# Log Analysis Agent Variables +# Logs Agents variables ############################################################################## -variable "log_analysis_enabled" { +variable "logs_agent_enabled" { type = bool - description = "Deploy IBM Cloud Logging agent" + description = "Whether to deploy the Logs agent." default = true } -variable "log_analysis_add_cluster_name" { - type = bool - description = "If true, configure the log analysis agent to attach a tag containing the cluster name to all log messages." - default = true -} - -variable "log_analysis_secret_name" { +variable "logs_agent_name" { + description = "The name of the Logs agent. The name is used in all Kubernetes and Helm resources in the cluster." type = string - description = "The name of the secret which will store the ingestion key." - default = "logdna-agent" + default = "logs-agent" nullable = false } -variable "log_analysis_instance_region" { +variable "logs_agent_namespace" { type = string - description = "The IBM Log Analysis instance region. Used to construct the ingestion endpoint." - default = null + description = "The namespace where the Logs agent is deployed. The default value is `ibm-observe`." + default = "ibm-observe" + nullable = false } -variable "log_analysis_ingestion_key" { +variable "logs_agent_iam_api_key" { type = string - description = "Ingestion key for the Log Analysis agent to communicate with the instance." + description = "The IBM Cloud API key for the Logs agent to authenticate and communicate with the IBM Cloud Logs. It is required if `logs_agent_enabled` is true and `logs_agent_iam_mode` is set to `IAMAPIKey`." sensitive = true default = null } -variable "log_analysis_endpoint_type" { - type = string - description = "Specify the IBM Log Analysis instance endpoint type (public or private) to use. 
Used to construct the ingestion endpoint." - default = "private" - validation { - error_message = "The specified endpoint_type can be private or public only." - condition = contains(["private", "public"], var.log_analysis_endpoint_type) - } +variable "logs_agent_tolerations" { + description = "List of tolerations to apply to Logs agent. The default value means a pod will run on every node." + type = list(object({ + key = optional(string) + operator = optional(string) + value = optional(string) + effect = optional(string) + tolerationSeconds = optional(number) + })) + default = [{ + operator = "Exists" + }] } -variable "log_analysis_agent_tags" { +variable "logs_agent_additional_log_source_paths" { type = list(string) - description = "List of tags to associate with the log analysis agents" + description = "The list of additional log sources. By default, the Logs agent collects logs from a single source at `/var/log/containers/*.log`." default = [] + nullable = false } -variable "log_analysis_agent_custom_line_inclusion" { - description = "Log Analysis agent custom configuration for line inclusion setting LOGDNA_K8S_METADATA_LINE_INCLUSION. See https://github.com/logdna/logdna-agent-v2/blob/master/docs/KUBERNETES.md#configuration-for-kubernetes-metadata-filtering for more info." - type = string - default = null +variable "logs_agent_exclude_log_source_paths" { + type = list(string) + description = "The list of log sources to exclude. Specify the paths that the Logs agent ignores." + default = [] + nullable = false } -variable "log_analysis_agent_custom_line_exclusion" { - description = "Log Analysis agent custom configuration for line exclusion setting LOGDNA_K8S_METADATA_LINE_EXCLUSION. See https://github.com/logdna/logdna-agent-v2/blob/master/docs/KUBERNETES.md#configuration-for-kubernetes-metadata-filtering for more info." 
- type = string - default = null +variable "logs_agent_selected_log_source_paths" { + type = list(string) + description = "The list of specific log sources paths. Logs will only be collected from the specified log source paths. If no paths are specified, it will send logs from `/var/log/containers`." + default = [] + nullable = false } -variable "log_analysis_agent_name" { - description = "Log Analysis agent name. Used for naming all kubernetes and helm resources on the cluster." - type = string - default = "logdna-agent" +variable "logs_agent_log_source_namespaces" { + type = list(string) + description = "The list of namespaces from which logs should be forwarded by agent. If namespaces are not listed, logs from all namespaces will be sent." + default = [] nullable = false } -variable "log_analysis_agent_namespace" { +variable "logs_agent_iam_mode" { type = string - description = "Namespace where to deploy the Log Analysis agent. Default value is 'ibm-observe'" - default = "ibm-observe" - nullable = false + default = "TrustedProfile" + description = "IAM authentication mode: `TrustedProfile` or `IAMAPIKey`. If `TrustedProfile` is selected, the module will create one." } -variable "log_analysis_agent_tolerations" { - description = "List of tolerations to apply to Log Analysis agent." +variable "logs_agent_iam_environment" { + type = string + default = "PrivateProduction" + description = "IAM authentication Environment: `Production` or `PrivateProduction` or `Staging` or `PrivateStaging`. `Production` specifies the public endpoint & `PrivateProduction` specifies the private endpoint." +} + +variable "logs_agent_additional_metadata" { + description = "The list of additional metadata fields to add to the routed logs." 
type = list(object({ - key = optional(string) - operator = optional(string) - value = optional(string) - effect = optional(string) - tolerationSeconds = optional(number) + key = optional(string) + value = optional(string) })) - default = [{ - operator = "Exists" - }] + default = [] +} + +variable "cloud_logs_ingress_endpoint" { + description = "The host for IBM Cloud Logs ingestion. It is required if `logs_agent_enabled` is set to `true`. Ensure you use the ingress endpoint. See https://cloud.ibm.com/docs/cloud-logs?topic=cloud-logs-endpoints_ingress." + type = string + default = null +} + +variable "cloud_logs_ingress_port" { + type = number + default = 3443 + description = "The target port for the IBM Cloud Logs ingestion endpoint. The port must be 443 if you connect by using a VPE gateway, or port 3443 when you connect by using CSEs." } ##############################################################################
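Review bot: `logs_agent_iam_mode` and `logs_agent_iam_environment` enumerate their allowed values in the description only; unlike the removed `log_analysis_endpoint_type`, neither carries a `validation` block, and main.tf selects IAM mode with a plain `== "TrustedProfile"` comparison, so a misspelt mode silently falls through to API-key mode with `logs_agent_iam_api_key` still `null`. Add `validation` blocks that reject anything outside the documented sets, and consider the same for `cloud_logs_ingress_port`, whose description already limits it to 443 or 3443. The description of `cloud_logs_ingress_endpoint` says it is required when the agent is enabled; if the project's Terraform version allows cross-variable references in `validation`, that rule belongs there too, otherwise a note in the README is the fallback.
```hcl
variable "logs_agent_iam_mode" {
  # … unchanged: type, default, description …
  validation {
    condition     = contains(["TrustedProfile", "IAMAPIKey"], var.logs_agent_iam_mode)
    error_message = "The logs_agent_iam_mode value must be either `TrustedProfile` or `IAMAPIKey`."
  }
}

variable "logs_agent_iam_environment" {
  # … unchanged: type, default, description …
  validation {
    condition     = contains(["Production", "PrivateProduction", "Staging", "PrivateStaging"], var.logs_agent_iam_environment)
    error_message = "The logs_agent_iam_environment value must be one of `Production`, `PrivateProduction`, `Staging` or `PrivateStaging`."
  }
}

variable "cloud_logs_ingress_port" {
  # … unchanged: type, default, description …
  validation {
    condition     = contains([443, 3443], var.cloud_logs_ingress_port)
    error_message = "The cloud_logs_ingress_port value must be 443 (VPE) or 3443 (CSE)."
  }
}
```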