feat: added support for the new cloud logs agent to send logs directly to a Cloud Logs instance. This is now the default logging agent deployed by this module as the Log Analysis service is deprecated (#368)

Author: iamar7

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-12-09T09:50:09Z",
+  "generated_at": "2024-10-02T13:57:09Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -76,7 +76,28 @@
       "name": "TwilioKeyDetector"
     }
   ],
-  "results": {},
+  "results": {
+    "README.md": [
+      {
+        "hashed_secret": "3f0155e75563ab3adc0505000a86da5baa207d1f",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 64,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "modules/logs-agent/README.md": [
+      {
+        "hashed_secret": "3f0155e75563ab3adc0505000a86da5baa207d1f",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 36,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ]
+  },
   "version": "0.13.1+ibm.62.dss",
   "word_list": {
     "file": null,

README.md

@@ -1,7 +1,7 @@
 # More info about this file at https://github.com/terraform-ibm-modules/common-pipeline-assets/blob/main/.github/workflows/terraform-test-pipeline.md#cra-config-yaml
 version: "v1"
 CRA_TARGETS:
-  - CRA_TARGET: "examples/basic" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
+  - CRA_TARGET: "examples/obs-agent-ocp" # Target directory for CRA scan. If not provided, the CRA Scan will not be run.
     CRA_IGNORE_RULES_FILE: "cra-tf-validate-ignore-rules.json" # CRA Ignore file to use. If not provided, it checks the repo root directory for `cra-tf-validate-ignore-rules.json`
     PROFILE_ID: "0e6e7b5a-817d-4344-ab6f-e5d7a9c49520" # SCC profile ID (currently set to the FSCloud 1.4.0 profile).
     # SCC_INSTANCE_ID: "" # The SCC instance ID to use to download profile for CRA scan. If not provided, a default global value will be used.

cra-config.yaml

@@ -0,0 +1,11 @@
+# Monitoring agent + Cloud Logs agent on Kubernetes using CSE ingress endpoint with an apikey
+
+An example that shows how to deploy Logs agents and Monitoring agent in a Kubernetes cluster to send Logs directly to IBM Cloud Logs and Cloud Monitoring instance respectively.
+
+The example provisions the following resources:
+- A new resource group, if an existing one is not passed in.
+- A basic VPC (if `is_vpc_cluster` is true).
+- A Kubernetes cluster.
+- A Service ID with `Sender` role to `logs` service and an apikey.
+- An IBM Cloud Logs and Cloud Monitoring instance
+- Logs agents and Monitoring agent

examples/basic/README.md

@@ -3,36 +3,36 @@
 ##############################################################################
 
 module "resource_group" {
-  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-resource-group.git?ref=v1.1.6"
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.1.6"
   # if an existing resource group is not set (null) create a new one using prefix
   resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
   existing_resource_group_name = var.resource_group
 }
 
 ##############################################################################
-# Observability Instances
+# Service ID with logs sender role + apikey
 ##############################################################################
 
-module "observability_instances" {
-  source = "git::https://github.com/terraform-ibm-modules/terraform-ibm-observability-instances?ref=v2.18.1"
-  providers = {
-    logdna.at = logdna.at
-    logdna.ld = logdna.ld
+# As a `Sender`, you can send logs to your IBM Cloud Logs service instance - but not query or tail logs. This role is meant to be used by agents and routers sending logs.
+module "iam_service_id" {
+  source                          = "terraform-ibm-modules/iam-service-id/ibm"
+  version                         = "1.2.0"
+  iam_service_id_name             = "${var.prefix}-service-id"
+  iam_service_id_description      = "Logs Agent service id"
+  iam_service_id_apikey_provision = true
+  iam_service_policies = {
+    logs = {
+      roles = ["Sender"]
+      resources = [{
+        service = "logs"
+      }]
+    }
   }
-  resource_group_id              = module.resource_group.resource_group_id
-  region                         = var.region
-  log_analysis_plan              = "7-day"
-  cloud_monitoring_plan          = "graduated-tier"
-  activity_tracker_provision     = false
-  enable_platform_logs           = false
-  enable_platform_metrics        = false
-  cloud_logs_provision           = false
-  log_analysis_instance_name     = "${var.prefix}-log-analysis"
-  cloud_monitoring_instance_name = "${var.prefix}-cloud-monitoring"
 }
 
 ##############################################################################
-# Create VPC and Cluster
+# Create VPC and IKS Cluster
 ##############################################################################
 
 resource "ibm_is_vpc" "example_vpc" {
@@ -42,63 +42,36 @@ resource "ibm_is_vpc" "example_vpc" {
   tags           = var.resource_tags
 }
 
-resource "ibm_is_public_gateway" "public_gateway" {
-  count          = var.is_vpc_cluster ? 1 : 0
-  name           = "${var.prefix}-gateway-1"
-  vpc            = ibm_is_vpc.example_vpc[0].id
-  resource_group = module.resource_group.resource_group_id
-  zone           = "${var.region}-1"
-}
-
 resource "ibm_is_subnet" "testacc_subnet" {
   count                    = var.is_vpc_cluster ? 1 : 0
   name                     = "${var.prefix}-subnet"
   vpc                      = ibm_is_vpc.example_vpc[0].id
   zone                     = "${var.region}-1"
   total_ipv4_address_count = 256
   resource_group           = module.resource_group.resource_group_id
-  public_gateway           = ibm_is_public_gateway.public_gateway[0].id
-}
-
-resource "ibm_resource_instance" "cos_instance" {
-  count             = var.is_openshift ? 1 : 0
-  name              = "${var.prefix}-cos"
-  service           = "cloud-object-storage"
-  plan              = "standard"
-  location          = "global"
-  resource_group_id = module.resource_group.resource_group_id
-  tags              = var.resource_tags
 }
 
 # Lookup the current default kube version
 data "ibm_container_cluster_versions" "cluster_versions" {}
 locals {
-  default_version = var.is_openshift ? "${data.ibm_container_cluster_versions.cluster_versions.default_openshift_version}_openshift" : data.ibm_container_cluster_versions.cluster_versions.default_kube_version
+  default_version = data.ibm_container_cluster_versions.cluster_versions.default_kube_version
 }
 
-# Create either a VPC or classic cluster, depending on the is_vpc_cluster variable
 resource "ibm_container_vpc_cluster" "cluster" {
   count                = var.is_vpc_cluster ? 1 : 0
   name                 = var.prefix
   vpc_id               = ibm_is_vpc.example_vpc[0].id
   kube_version         = local.default_version
   flavor               = "bx2.4x16"
   worker_count         = "2"
-  entitlement          = var.is_openshift ? "cloud_pak" : null
-  cos_instance_crn     = var.is_openshift ? ibm_resource_instance.cos_instance[0].id : null
   force_delete_storage = true
-  wait_till            = "Normal"
+  wait_till            = "IngressReady"
   zones {
     subnet_id = ibm_is_subnet.testacc_subnet[0].id
     name      = "${var.region}-1"
   }
   resource_group_id = module.resource_group.resource_group_id
   tags              = var.resource_tags
-
-  timeouts {
-    delete = "2h"
-    create = "3h"
-  }
 }
 
 resource "ibm_container_cluster" "cluster" {
@@ -109,7 +82,6 @@ resource "ibm_container_cluster" "cluster" {
   default_pool_size    = 2
   hardware             = "shared"
   kube_version         = local.default_version
-  entitlement          = var.is_openshift ? "cloud_pak" : null
   force_delete_storage = true
   machine_type         = "b3c.4x16"
   public_vlan_id       = ibm_network_vlan.public_vlan[0].id
@@ -124,6 +96,10 @@ resource "ibm_container_cluster" "cluster" {
   }
 }
 
+locals {
+  cluster_name_id = var.is_vpc_cluster ? ibm_container_vpc_cluster.cluster[0].id : ibm_container_cluster.cluster[0].id
+}
+
 resource "ibm_network_vlan" "public_vlan" {
   count      = var.is_vpc_cluster ? 0 : 1
   datacenter = var.datacenter
@@ -137,39 +113,56 @@ resource "ibm_network_vlan" "private_vlan" {
 }
 
 data "ibm_container_cluster_config" "cluster_config" {
-  cluster_name_id   = var.is_vpc_cluster ? ibm_container_vpc_cluster.cluster[0].id : ibm_container_cluster.cluster[0].id
+  cluster_name_id   = local.cluster_name_id
   resource_group_id = module.resource_group.resource_group_id
 }
 
 # Sleep to allow RBAC sync on cluster
 resource "time_sleep" "wait_operators" {
   depends_on      = [data.ibm_container_cluster_config.cluster_config]
-  create_duration = "5s"
+  create_duration = "45s"
 }
 
 ##############################################################################
-# Observability Agents
+# Observability Instance
 ##############################################################################
 
+module "observability_instances" {
+  source  = "terraform-ibm-modules/observability-instances/ibm"
+  version = "2.19.1"
+  providers = {
+    logdna.at = logdna.at
+    logdna.ld = logdna.ld
+  }
+  resource_group_id              = module.resource_group.resource_group_id
+  region                         = var.region
+  cloud_logs_plan                = "standard"
+  cloud_monitoring_plan          = "graduated-tier"
+  enable_platform_logs           = false
+  enable_platform_metrics        = false
+  cloud_logs_instance_name       = "${var.prefix}-cloud-logs"
+  cloud_monitoring_instance_name = "${var.prefix}-cloud-monitoring"
+}
+
+##############################################################################
+# Observability Agents
+##############################################################################
 
 module "observability_agents" {
-  source                        = "../.."
-  depends_on                    = [time_sleep.wait_operators]
-  is_vpc_cluster                = var.is_vpc_cluster
-  cluster_id                    = var.is_vpc_cluster ? ibm_container_vpc_cluster.cluster[0].id : ibm_container_cluster.cluster[0].id
-  cluster_resource_group_id     = module.resource_group.resource_group_id
-  log_analysis_instance_region  = module.observability_instances.region
-  log_analysis_ingestion_key    = module.observability_instances.log_analysis_ingestion_key
-  cloud_monitoring_access_key   = module.observability_instances.cloud_monitoring_access_key
-  log_analysis_agent_tags       = var.resource_tags
-  log_analysis_add_cluster_name = true
-  # example of how to include / exclude metrics - more info https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_log_metrics
-  cloud_monitoring_metrics_filter  = [{ type = "exclude", name = "metricA.*" }, { type = "include", name = "metricB.*" }]
-  cloud_monitoring_agent_tags      = var.resource_tags
+  source                    = "../.."
+  depends_on                = [time_sleep.wait_operators]
+  cluster_id                = local.cluster_name_id
+  is_vpc_cluster            = var.is_vpc_cluster
+  cluster_resource_group_id = module.resource_group.resource_group_id
+  # Logs Agent
+  logs_agent_enabled          = true
+  logs_agent_iam_mode         = "IAMAPIKey"
+  logs_agent_iam_api_key      = module.iam_service_id.service_id_apikey
+  cloud_logs_ingress_endpoint = module.observability_instances.cloud_logs_ingress_private_endpoint
+  cloud_logs_ingress_port     = 3443
+  logs_agent_enable_scc       = false # only true for Openshift
+  # # Monitoring agent
+  cloud_monitoring_enabled         = true
+  cloud_monitoring_access_key      = module.observability_instances.cloud_monitoring_access_key
   cloud_monitoring_instance_region = module.observability_instances.region
-  # Log Analysis agent custom settings to setup Kubernetes metadata logs filtering by setting
-  # LOGDNA_K8S_METADATA_LINE_INCLUSION and LOGDNA_K8S_METADATA_LINE_EXCLUSION in the agent daemonset definition
-  # Ref https://github.com/logdna/logdna-agent-v2/blob/3.8/docs/KUBERNETES.md#configuration-for-kubernetes-metadata-filtering
-  log_analysis_agent_custom_line_exclusion = "label.app.kubernetes.io/name:sample-app\\, annotation.user:sample-user"
-  log_analysis_agent_custom_line_inclusion = "namespace:default"
 }

examples/basic/version.tf

@@ -3,6 +3,26 @@ provider "ibm" {
   region           = var.region
 }
 
+provider "helm" {
+  kubernetes {
+    host                   = data.ibm_container_cluster_config.cluster_config.host
+    token                  = data.ibm_container_cluster_config.cluster_config.token
+    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
+  }
+  # IBM Cloud credentials are required to authenticate to the helm repo
+  registry {
+    url      = "oci://icr.io/ibm/observe/logs-agent-helm"
+    username = "iamapikey"
+    password = var.ibmcloud_api_key
+  }
+}
+
+provider "kubernetes" {
+  host                   = data.ibm_container_cluster_config.cluster_config.host
+  token                  = data.ibm_container_cluster_config.cluster_config.token
+  cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
+}
+
 locals {
   at_endpoint = "https://api.${var.region}.logging.cloud.ibm.com"
 }
@@ -18,16 +38,3 @@ provider "logdna" {
   servicekey = module.observability_instances.log_analysis_resource_key != null ? module.observability_instances.log_analysis_resource_key : ""
   url        = local.at_endpoint
 }
-
-provider "kubernetes" {
-  host  = data.ibm_container_cluster_config.cluster_config.host
-  token = data.ibm_container_cluster_config.cluster_config.token
-}
-
-provider "helm" {
-  kubernetes {
-    host                   = data.ibm_container_cluster_config.cluster_config.host
-    token                  = data.ibm_container_cluster_config.cluster_config.token
-    cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
-  }
-}