Open steenblik opened 2 years ago
@steenblik can you try with the destination like below format?

```hcl
resource "google_logging_project_sink" "this" {
  name        = "test-sink"
  project     = var.project
  destination = "storage.googleapis.com/test-bucket"
}
```
@steenblik is this still an issue?
Hi @edwardmedia - I am not able to get this to work for Cloud Logging buckets, which is what I am interested in. I believe this is an upstream issue or simply a misunderstanding on my part about when a new writer id is required.
b/242557342
@steenblik where did you see below document?

> The documentation for the resource says that `unique_writer_identity` is only required when setting up a cross project sink or when using `bigquery_options`
Hi @edwardmedia - I got this impression from the terraform documentation. I've just re-read it and my paraphrase was not entirely accurate. However, for me the doc leaves the impression that `unique_writer_identity` is required only for cross project logging or with `bigquery_options`. Otherwise why not just say it's always required or when it's not required.

> Whether or not to create a unique identity associated with this sink. If `false` (the default), then the `writer_identity` used is `serviceAccount:cloud-logs@system.gserviceaccount.com`. If `true`, then a unique service account is created and used for this sink. If you wish to publish logs across projects or utilize `bigquery_options`, you must set `unique_writer_identity` to true.
I also ran into this issue with a sink to a bucket destination:

```hcl
resource "google_logging_project_bucket_config" "mybucket" {
  project        = "my-project"
  location       = "global"
  retention_days = 120
  bucket_id      = "MyBucket"
}

resource "google_logging_project_sink" "my_sink" {
  name        = "my_sink"
  destination = "logging.googleapis.com/${google_logging_project_bucket_config.mybucket.id}"
  filter      = "some filter"
  depends_on = [
    google_logging_project_bucket_config.mybucket
  ]
}
```

with error:

```
Advanced sink options require using per sink service accounts. Use uniqueWriterIdentity=true to create a unique service account for this sink
```
We've hit a similar issue with this resource as well.

We initially created a bucket and log sink without `unique_writer_identity` set, because from the documentation it seems like `false` should be the default:

```hcl
resource "google_logging_project_bucket_config" "bucket" {
  project          = "project_id"
  location         = "europe-west2"
  retention_days   = 400
  enable_analytics = true
  locked           = false
  bucket_id        = "bucket_name"
  description      = "..."
}

resource "google_logging_project_sink" "sink" {
  name        = "sink_name"
  destination = "logging.googleapis.com/${google_logging_project_bucket_config.bucket.id}"
  project     = "project_id"
  ...
  (6 exclusion filters)
}
```

A plan and apply successfully creates the bucket and sink.

Subsequent plans then show:

```
# module.environment.google_logging_project_sink.sink must be replaced
-/+ resource "google_logging_project_sink" "sink" {
      - disabled               = false -> null
      ~ id                     = "projects/project_name/sinks/sink_name" -> (known after apply)
        name                   = "sink_name"
      ~ unique_writer_identity = true -> false # forces replacement
      + writer_identity        = (known after apply)
        # (2 unchanged attributes hidden)
        # (6 unchanged blocks hidden)
    }
```

Updating the terraform to explicitly set `unique_writer_identity = false` and applying does not make the diff go away.
We changed the default value of the `unique_writer_identity` value from false to true about 3 weeks ago: https://github.com/GoogleCloudPlatform/magic-modules/pull/8875 and the `customer_writer_identity` will be added in https://github.com/GoogleCloudPlatform/magic-modules/pull/8995
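The configuration below is an added example, not code from the issue author or from the provider project, and the project variable, bucket and sink names, and audit-log filter are constructed for illustration. It shows the combination the thread converges on: a sink whose destination is a Cloud Logging bucket, with `unique_writer_identity` set explicitly to `true` rather than inherited from a provider default that changed between versions, and an IAM grant for the per-sink writer identity so the sink can actually deliver entries.

```hcl
# Log bucket in the same project as the sink (constructed names).
resource "google_logging_project_bucket_config" "audit" {
  project        = var.project
  location       = "global"
  retention_days = 120
  bucket_id      = "audit-logs"
}

# A sink routing to a Cloud Logging bucket is rejected by the API unless the
# sink gets its own writer service account (the "Advanced sink options"
# error quoted in this issue).
resource "google_logging_project_sink" "audit" {
  name        = "audit-sink"
  project     = var.project
  destination = "logging.googleapis.com/${google_logging_project_bucket_config.audit.id}"
  filter      = "logName:\"cloudaudit.googleapis.com\""

  # Set explicitly instead of relying on the provider default, which moved
  # from false to true. A change in this attribute forces replacement of the
  # sink, so pinning it keeps plans stable across provider upgrades.
  unique_writer_identity = true
}

# writer_identity is only known after apply and is already in
# "serviceAccount:..." form. roles/logging.bucketWriter on the destination
# project is what the sink's service account needs to write into a log bucket
# in another project; including it for a same-project bucket is harmless and
# keeps the configuration correct if the destination later moves.
resource "google_project_iam_member" "audit_sink_writer" {
  project = var.project
  role    = "roles/logging.bucketWriter"
  member  = google_logging_project_sink.audit.writer_identity
}
```

No `depends_on` is needed on the sink: the interpolation of `google_logging_project_bucket_config.audit.id` in `destination` already creates the ordering dependency, and the IAM member depends on the sink the same way through `writer_identity`.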
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Expected Behavior
Creating a `google_logging_project_sink` resource pointing at a cloud logging bucket in the same project should not require `unique_writer_identity` to be `true`. The documentation for the resource says that `unique_writer_identity` is only required when setting up a cross project sink or when using `bigquery_options`.

Actual Behavior

When creating a simple `google_logging_project_sink` without `bigquery_options` the apply fails unless `unique_writer_identity` is set to `true` (See above Debug output).

b/300616737