Add LogExportConfig resource (#81)

Add a new LogExportConfig resource, which manages
the log export configuration for a cluster.

docs/resources/log_export_config.md

@@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "cockroach_log_export_config Resource - terraform-provider-cockroach"
+subcategory: ""
+description: |-
+  Log Export Config Resource
+---
+
+# cockroach_log_export_config (Resource)
+
+Log Export Config Resource
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `auth_principal` (String) Either the AWS Role ARN that identifies a role that the cluster account can assume to write to CloudWatch or the GCP Project ID that the cluster service account has permissions to write to for cloud logging
+- `id` (String) Cluster ID
+- `log_name` (String) An identifier for the logs in the customer's log sink
+- `type` (String) The cloud selection that we're exporting to along with the cloud logging platform. Possible values are `GCP_CLOUD_LOGGING` or `AWS_CLOUDWATCH`
+
+### Optional
+
+- `groups` (Attributes List) (see [below for nested schema](#nestedatt--groups))
+- `redact` (Boolean) Controls whether logs are redacted before forwarding to customer sinks
+- `region` (String) Controls whether all logs are sent to a specific region in the customer sink
+
+### Read-Only
+
+- `created_at` (String)
+- `status` (String)
+- `updated_at` (String)
+- `user_message` (String)
+
+<a id="nestedatt--groups"></a>
+### Nested Schema for `groups`
+
+Required:
+
+- `channels` (List of String) A list of CRDB log channels to include in this group
+- `log_name` (String) The name of the group, reflected in the log sink
+
+Optional:
+
+- `min_level` (String) The minimum log level to filter to this log group
+- `redact` (Boolean) Governs whether this log group should aggregate redacted logs if unset
+
+

examples/resources/cockroach_log_export_config/cockroach_log_export_config.tf

@@ -0,0 +1,27 @@
+variable "cluster_id" {
+  type = string
+}
+
+variable "auth_principal" {
+  type = string
+}
+
+resource "cockroach_log_export_config" "example" {
+  id             = var.cluster_id
+  auth_principal = var.auth_principal
+  log_name       = "example"
+  type           = "GCP_CLOUD_LOGGING"
+  redact         = true
+  groups = [
+    {
+      log_name : "sql",
+      channels : ["SQL_SCHEMA", "SQL_EXEC"],
+      redact : false
+    },
+    {
+      log_name : "devops",
+      channels : ["OPS", "HEALTH", "STORAGE"]
+      min_level : "WARNING"
+    }
+  ]
+}

examples/workflows/cockroach_log_export_config/aws_cockroach_log_export_config/main.tf

@@ -0,0 +1,174 @@
+# Your CockroachDB Organization ID can be found at 
+# https://cockroachlabs.cloud/information
+variable "org_id" {
+  type     = string
+  nullable = false
+}
+
+# Your AWS Account ID (not the AWS Account ID 
+# of your CockroachDB Dedicated cluster).
+variable "aws_account_id" {
+  type     = string
+  nullable = false
+}
+
+variable "aws_region" {
+  type     = string
+  default  = "us-east-1"
+  nullable = false
+}
+
+variable "cluster_name" {
+  type     = string
+  nullable = false
+}
+
+variable "cluster_node_count" {
+  type     = number
+  nullable = false
+  default  = 3
+}
+
+variable "storage_gib" {
+  type     = number
+  nullable = false
+  default  = 15
+}
+
+variable "machine_type" {
+  type     = string
+  nullable = false
+  default  = "m5.large"
+}
+
+variable "iam_role_name" {
+  type     = string
+  nullable = false
+  default  = "CockroachCloudLogExportRole"
+}
+
+variable "iam_policy_name" {
+  type     = string
+  nullable = false
+  default  = "ExampleCockroachCloudLogExportPolicy"
+}
+
+variable "log_group_name" {
+  type     = string
+  nullable = false
+  default  = "example"
+}
+
+terraform {
+  required_providers {
+    cockroach = {
+      source = "cockroachdb/cockroach"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}
+
+provider "cockroach" {
+  # export COCKROACH_API_KEY with the cockroach cloud API Key
+}
+
+provider "aws" {
+  # See https://registry.terraform.io/providers/hashicorp/aws/latest/docs
+  # for configuration steps.
+
+  # Please don't use a variable for region in production! The AWS provider won't
+  # be able to find any resources if this value changes and you'll get
+  # into a weird state. Be sure to run `terraform destroy` before changing
+  # this value.
+  region = var.aws_region
+}
+
+resource "cockroach_cluster" "example" {
+  name           = var.cluster_name
+  cloud_provider = "AWS"
+  dedicated = {
+    storage_gib  = var.storage_gib
+    machine_type = var.machine_type
+  }
+  regions = [{
+    name       = var.aws_region,
+    node_count = var.cluster_node_count
+    }
+  ]
+}
+
+resource "aws_cloudwatch_log_group" "example" {
+  name              = var.log_group_name
+  retention_in_days = 0
+}
+
+# Cross-account AWS IAM role in your AWS account.
+resource "aws_iam_role" "example-role" {
+  name = var.iam_role_name
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : "sts:AssumeRole",
+        "Principal" : {
+          "AWS" : cockroach_cluster.example.account_id
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "example-policy" {
+  name        = var.iam_policy_name
+  description = "An example log export policy"
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Action" : [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams",
+          "logs:PutRetentionPolicy",
+          "logs:PutLogEvents"
+        ],
+        "Effect" : "Allow",
+        "Resource" : [
+          "arn:aws:logs:*:${var.aws_account_id}:log-group:${var.log_group_name}:*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "example-attach" {
+  role       = aws_iam_role.example-role.name
+  policy_arn = aws_iam_policy.example-policy.arn
+}
+
+resource "cockroach_log_export_config" "example" {
+  id             = cockroach_cluster.example.id
+  auth_principal = aws_iam_role.example-role.arn
+  log_name       = var.log_group_name
+  type           = "AWS_CLOUDWATCH"
+  redact         = true
+  region         = var.aws_region
+  groups = [
+    {
+      log_name  = "sql",
+      channels  = ["SQL_SCHEMA", "SQL_EXEC"],
+      min_level = "WARNING"
+    },
+    {
+      log_name = "devops",
+      channels = ["OPS", "HEALTH", "STORAGE"],
+      redact   = false
+    }
+  ]
+}

examples/workflows/cockroach_log_export_config/gcp_cockroach_log_export_config/main.tf

@@ -0,0 +1,125 @@
+variable "gcp_project_id" {
+  type     = string
+  nullable = false
+}
+
+variable "gcp_region" {
+  type     = string
+  default  = "us-west2"
+  nullable = false
+}
+
+variable "cluster_name" {
+  type     = string
+  nullable = false
+}
+
+variable "cluster_node_count" {
+  type     = number
+  nullable = false
+  default  = 3
+}
+
+variable "storage_gib" {
+  type     = number
+  nullable = false
+  default  = 15
+}
+
+variable "machine_type" {
+  type     = string
+  nullable = false
+  default  = "n1-standard-2"
+}
+
+variable "iam_role_id" {
+  type     = string
+  nullable = false
+  default  = "ExampleLogExportRole"
+}
+
+variable "iam_role_title" {
+  type     = string
+  nullable = false
+  default  = "Example LogExport Role"
+}
+
+# For GCP, auth_principal should be the gcp_project_id.
+variable "auth_principal" {
+  type     = string
+  nullable = false
+}
+
+terraform {
+  required_providers {
+    cockroach = {
+      source = "cockroachdb/cockroach"
+    }
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 4.0.0"
+    }
+  }
+}
+
+provider "cockroach" {
+  # export COCKROACH_API_KEY with the cockroach cloud API Key
+}
+
+provider "google" {
+  # For configuration help, see
+  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started
+  project = var.gcp_project_id
+  region  = var.gcp_region
+}
+
+resource "cockroach_cluster" "example" {
+  name           = var.cluster_name
+  cloud_provider = "GCP"
+  dedicated = {
+    storage_gib  = var.storage_gib
+    machine_type = var.machine_type
+  }
+  regions = [{
+    name       = var.gcp_region,
+    node_count = var.cluster_node_count
+    }
+  ]
+}
+
+# New role in your GCP project.
+resource "google_project_iam_custom_role" "example-logexport-role" {
+  project     = var.gcp_project_id
+  role_id     = var.iam_role_id
+  title       = var.iam_role_title
+  permissions = ["logging.logEntries.create"]
+}
+
+# Grants example-logexport-role to the CockroachDB Cloud service account.
+resource "google_project_iam_member" "role-sa-binding" {
+  project = var.gcp_project_id
+  role    = "projects/${var.gcp_project_id}/roles/${google_project_iam_custom_role.example-logexport-role.role_id}"
+  # member is the CockroachDB Cloud log export service account for the cluster.
+  # Example: crl-logging-user-a1c42be2e53b@crl-prod-abc.iam.gserviceaccount.com
+  member = "serviceAccount:crl-logging-user-${element(split("-", cockroach_cluster.example.id), 4)}@${cockroach_cluster.example.account_id}.iam.gserviceaccount.com"
+}
+
+resource "cockroach_log_export_config" "example" {
+  id             = cockroach_cluster.example.id
+  auth_principal = var.auth_principal
+  log_name       = "example"
+  type           = "GCP_CLOUD_LOGGING"
+  redact         = true
+  groups = [
+    {
+      log_name = "sql",
+      channels = ["SQL_SCHEMA", "SQL_EXEC"],
+      redact   = false
+    },
+    {
+      log_name  = "devops",
+      channels  = ["OPS", "HEALTH", "STORAGE"],
+      min_level = "WARNING"
+    }
+  ]
+}