fix issue #14893: add the customWriterIdentity parameter to logging_s… (#8995) (#16216)

* fix issue #14893: add the customWriterIdentity parameter to logging_sink resources



* ignore the customer_writer_identity field in test case



* Format the modified code and refactor the log client creation statement



* update project sink creation request object with proper variable name



* Update the sink resource documentation and remove the WriterIdentity field in update input



* refactor logging project sink to have consistent request format between create and patch



* Allow the test case to patch the customer_writer_identity field



* Fix code comment typo based on code review



* Add testCheckFuncs to validate the custom_writer_identity returned as Writer_identity output



* gofmt the test case



* Fix writer_identity TestCheckFunc in create test case



* Fix writer_identity TestCheckFunc in update test case



* Add headers for all Examples in logging sink document page



* Update custom_writer_identity field description in project sink documentation



* Remove uniqueWriterIdentity dependency for customerWriterIdentity in project logging sink documentation



---------





[upstream:cd543bb71eb3c5e146678d93042aaa9580486569]

Signed-off-by: Gang Chen <[email protected]>
Signed-off-by: gangchen03 <[email protected]>
Signed-off-by: Modular Magician <[email protected]>
Co-authored-by: Riley Karson <[email protected]>
Co-authored-by: Stephen Lewis (Burrows) <[email protected]>

Author: 3 people

.changelog/8995.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+logging: added `custom_writer_identity` field to `google_logging_project_sink`
+```

google/services/logging/resource_logging_project_sink.go

@@ -43,6 +43,11 @@ func ResourceLoggingProjectSink() *schema.Resource {
 		Default:     true,
 		Description: `Whether or not to create a unique identity associated with this sink. If false (the legacy behavior), then the writer_identity used is serviceAccount:[email protected]. If true, then a unique service account is created and used for this sink. If you wish to publish logs across projects, you must set unique_writer_identity to true.`,
 	}
+	schm.Schema["custom_writer_identity"] = &schema.Schema{
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: `A service account provided by the caller that will be used to write the log entries. The format must be serviceAccount:some@email. This field can only be specified if you are routing logs to a destination outside this sink's project. If not specified, a Logging service account will automatically be generated.`,
+	}
 	return schm
 }
 
@@ -60,8 +65,20 @@ func resourceLoggingProjectSinkCreate(d *schema.ResourceData, meta interface{})
 
 	id, sink := expandResourceLoggingSink(d, "projects", project)
 	uniqueWriterIdentity := d.Get("unique_writer_identity").(bool)
+	customWriterIdentity := d.Get("custom_writer_identity").(string)
+
+	projectSinkCreateRequest := config.NewLoggingClient(userAgent).Projects.Sinks.Create(id.parent(), sink)
+
+	// if custom-sa is specified, use it to write log and it requires uniqueWriterIdentity to be set as well
+	// otherwise set the uniqueWriter identity
+	if customWriterIdentity != "" {
+		projectSinkCreateRequest = projectSinkCreateRequest.UniqueWriterIdentity(uniqueWriterIdentity).CustomWriterIdentity(customWriterIdentity)
+	} else {
+		projectSinkCreateRequest = projectSinkCreateRequest.UniqueWriterIdentity(uniqueWriterIdentity)
+	}
+
+	_, err = projectSinkCreateRequest.Do()
 
-	_, err = config.NewLoggingClient(userAgent).Projects.Sinks.Create(id.parent(), sink).UniqueWriterIdentity(uniqueWriterIdentity).Do()
 	if err != nil {
 		return err
 	}
@@ -138,9 +155,20 @@ func resourceLoggingProjectSinkUpdate(d *schema.ResourceData, meta interface{})
 
 	sink, updateMask := expandResourceLoggingSinkForUpdate(d)
 	uniqueWriterIdentity := d.Get("unique_writer_identity").(bool)
+	customWriterIdentity := d.Get("custom_writer_identity").(string)
+
+	projectSinkUpdateRequest := config.NewLoggingClient(userAgent).Projects.Sinks.Patch(d.Id(), sink).UpdateMask(updateMask)
+
+	// if custom-sa is specified, use it to write log and it reqiures uniqueWriterIdentity to be set as well
+	// otherwise set the uniqueWriter identity
+	if customWriterIdentity != "" {
+		projectSinkUpdateRequest = projectSinkUpdateRequest.UniqueWriterIdentity(uniqueWriterIdentity).CustomWriterIdentity(customWriterIdentity)
+	} else {
+		projectSinkUpdateRequest = projectSinkUpdateRequest.UniqueWriterIdentity(uniqueWriterIdentity)
+	}
+
+	_, err = projectSinkUpdateRequest.Do()
 
-	_, err = config.NewLoggingClient(userAgent).Projects.Sinks.Patch(d.Id(), sink).
-		UpdateMask(updateMask).UniqueWriterIdentity(uniqueWriterIdentity).Do()
 	if err != nil {
 		return err
 	}

google/services/logging/resource_logging_project_sink_test.go

@@ -144,6 +144,57 @@ func TestAccLoggingProjectSink_updatePreservesUniqueWriter(t *testing.T) {
 	})
 }
 
+func TestAccLoggingProjectSink_updatePreservesCustomWriter(t *testing.T) {
+	t.Parallel()
+
+	sinkName := "tf-test-sink-" + acctest.RandString(t, 10)
+	account := "tf-test-sink-sa" + acctest.RandString(t, 10)
+	accountUpdated := "tf-test-sink-sa" + acctest.RandString(t, 10)
+	testProject := envvar.GetTestProjectFromEnv()
+
+	// custom_writer_identity is write-only, and writer_dietity is an output only field
+	// verify that the value of writer_identity matches the expected custom_writer_identity.
+	expectedWriterIdentity := fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, testProject)
+	expectedUpdatedWriterIdentity := fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", accountUpdated, testProject)
+
+	org := envvar.GetTestOrgFromEnv(t)
+	billingId := envvar.GetTestBillingAccountFromEnv(t)
+	project := fmt.Sprintf("tf-test-%d", acctest.RandInt(t))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckLoggingProjectSinkDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoggingProjectSink_customWriter(org, billingId, project, sinkName, account),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_logging_project_sink.custom_writer", "writer_identity", expectedWriterIdentity),
+				),
+			},
+			{
+				ResourceName:      "google_logging_project_sink.custom_writer",
+				ImportState:       true,
+				ImportStateVerify: true,
+				// Logging sink create API doesn't return this field in response
+				ImportStateVerifyIgnore: []string{"custom_writer_identity"},
+			},
+			{
+				Config: testAccLoggingProjectSink_customWriterUpdated(org, billingId, project, sinkName, accountUpdated),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_logging_project_sink.custom_writer", "writer_identity", expectedUpdatedWriterIdentity),
+				),
+			},
+			{
+				ResourceName:            "google_logging_project_sink.custom_writer",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"custom_writer_identity"},
+			},
+		},
+	})
+}
+
 func TestAccLoggingProjectSink_updateBigquerySink(t *testing.T) {
 	t.Parallel()
 
@@ -415,6 +466,114 @@ resource "google_storage_bucket" "gcs-bucket" {
 `, name, envvar.GetTestProjectFromEnv(), bucketName)
 }
 
+func testAccLoggingProjectSink_customWriter(org, billingId, project, name, serviceAccount string) string {
+	return fmt.Sprintf(`
+resource "google_project" "destination-project" {
+  project_id      = "%s"
+  name            = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}	
+
+resource "google_logging_project_bucket_config" "destination-bucket" {
+  project    = google_project.destination-project.project_id
+  location  = "us-central1"
+  retention_days = 30
+  bucket_id = "shared-bucket"
+}
+
+resource "google_service_account" "test-account1" {
+  account_id   = "%s"
+  display_name = "Log Sink Custom WriterIdentity Testing Account"
+}
+
+resource "google_project_iam_member" "custom-sa-logbucket-binding" {
+  project = google_project.destination-project.project_id
+  role   = "roles/logging.bucketWriter"
+  member = "serviceAccount:${google_service_account.test-account1.email}"
+}
+
+data "google_project" "testing_project" {
+  project_id = "%s"
+}
+
+locals {
+  project_number = data.google_project.testing_project.number
+}
+
+resource "google_service_account_iam_member" "loggingsa-customsa-binding" {
+  service_account_id = google_service_account.test-account1.name
+  role   = "roles/iam.serviceAccountTokenCreator"
+  member = "serviceAccount:service-${local.project_number}@gcp-sa-logging.iam.gserviceaccount.com"
+}
+
+resource "google_logging_project_sink" "custom_writer" {
+  name        = "%s"
+  destination = "logging.googleapis.com/projects/${google_project.destination-project.project_id}/locations/us-central1/buckets/shared-bucket"
+  filter      = "logName=\"projects/%s/logs/compute.googleapis.com%%2Factivity_log\" AND severity>=ERROR"
+
+  unique_writer_identity = true
+  custom_writer_identity = "serviceAccount:${google_service_account.test-account1.email}"
+
+  depends_on = [google_logging_project_bucket_config.destination-bucket]
+}
+`, project, project, org, billingId, serviceAccount, envvar.GetTestProjectFromEnv(), name, envvar.GetTestProjectFromEnv())
+}
+
+func testAccLoggingProjectSink_customWriterUpdated(org, billingId, project, name, serviceAccount string) string {
+	return fmt.Sprintf(`
+resource "google_project" "destination-project" {
+  project_id      = "%s"
+  name            = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}	
+
+resource "google_logging_project_bucket_config" "destination-bucket" {
+  project    = google_project.destination-project.project_id
+  location  = "us-central1"
+  retention_days = 30
+  bucket_id = "shared-bucket"
+}
+
+resource "google_service_account" "test-account2" {
+  account_id   = "%s"
+  display_name = "Updated Log Sink Custom WriterIdentity Testing Account"
+}
+
+resource "google_project_iam_member" "custom-sa-logbucket-binding" {
+  project = google_project.destination-project.project_id
+  role   = "roles/logging.bucketWriter"
+  member = "serviceAccount:${google_service_account.test-account2.email}"
+}
+
+data "google_project" "testing_project" {
+  project_id = "%s"
+}
+
+locals {
+  project_number = data.google_project.testing_project.number
+}
+
+resource "google_service_account_iam_member" "loggingsa-customsa-binding" {
+  service_account_id = google_service_account.test-account2.name
+  role   = "roles/iam.serviceAccountTokenCreator"
+  member = "serviceAccount:service-${local.project_number}@gcp-sa-logging.iam.gserviceaccount.com"
+}
+
+resource "google_logging_project_sink" "custom_writer" {
+  name        = "%s"
+  destination = "logging.googleapis.com/projects/${google_project.destination-project.project_id}/locations/us-central1/buckets/shared-bucket"
+  filter      = "logName=\"projects/%s/logs/compute.googleapis.com%%2Factivity_log\" AND severity>=WARNING"
+
+  unique_writer_identity = true
+  custom_writer_identity = "serviceAccount:${google_service_account.test-account2.email}"
+
+  depends_on = [google_logging_project_bucket_config.destination-bucket]
+}
+`, project, project, org, billingId, serviceAccount, envvar.GetTestProjectFromEnv(), name, envvar.GetTestProjectFromEnv())
+}
+
 func testAccLoggingProjectSink_heredoc(name, project, bucketName string) string {
 	return fmt.Sprintf(`
 resource "google_logging_project_sink" "heredoc" {

website/docs/r/logging_project_sink.html.markdown

@@ -18,7 +18,7 @@ Manages a project-level logging sink. For more information see:
 
 ~> **Note** You must [enable the Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com)
 
-## Example Usage
+## Example Usage - Basic Sink
 
 ```hcl
 resource "google_logging_project_sink" "my-sink" {
@@ -35,6 +35,8 @@ resource "google_logging_project_sink" "my-sink" {
 }
 ```
 
+## Example Usage - Cloud Storage Bucket Destination
+
 A more complete example follows: this creates a compute instance, as well as a log sink that logs all activity to a
 cloud storage bucket. Because we are using `unique_writer_identity`, we must grant it access to the bucket.
 
@@ -89,6 +91,50 @@ resource "google_project_iam_binding" "gcs-bucket-writer" {
 }
 ```
 
+## Example Usage - User-managed Service Account 
+
+The following example creates a sink that are configured with user-managed service accounts, by specifying
+the `custom_writer_identity` field.
+
+Note that you can only create a sink that uses a user-managed service account when the sink destination
+is a log bucket.
+
+```hcl
+resource "google_service_account" "custom-sa" {
+  project      = "other-project-id"
+  account_id   = "gce-log-bucket-sink"
+  display_name = "gce-log-bucket-sink"
+}
+
+# Create a sink that uses user-managed service account
+resource "google_logging_project_sink" "my-sink" {
+  name = "other-project-log-bucket-sink"
+
+  # Can export to log bucket in another project
+  destination = "logging.googleapis.com/projects/other-project-id/locations/global/buckets/gce-logs"
+
+  # Log all WARN or higher severity messages relating to instances
+  filter = "resource.type = gce_instance AND severity >= WARNING"
+
+  unique_writer_identity = true
+  
+  # Use a user-managed service account
+  custom_writer_identity = google_service_account.custom-sa.email
+}
+
+# grant writer access to the user-managed service account
+resource "google_project_iam_member" "custom-sa-logbucket-binding" {
+  project = "destination-project-id"
+  role   = "roles/logging.bucketWriter"
+  member = "serviceAccount:${google_service_account.custom-sa.email}"
+}
+```
+
+The above example will create a log sink that route logs to destination GCP project using
+an user-managed service account. 
+
+## Example Usage - Sink Exclusions
+
 The following example uses `exclusions` to filter logs that will not be exported. In this example logs are exported to a [log bucket](https://cloud.google.com/logging/docs/buckets) and there are 2 exclusions configured
 
 ```hcl
@@ -147,6 +193,11 @@ The following arguments are supported:
     then a unique service account is created and used for this sink. If you wish to publish logs across projects or utilize
     `bigquery_options`, you must set `unique_writer_identity` to true.
 
+* `custom_writer_identity` - (Optional) A user managed service account that will be used to write
+    the log entries. The format must be `serviceAccount:some@email`. This field can only be specified if you are
+    routing logs to a destination outside this sink's project. If not specified, a Logging service account 
+    will automatically be generated.
+
 * `bigquery_options` - (Optional) Options that affect sinks exporting data to BigQuery. Structure [documented below](#nested_bigquery_options).
 
 * `exclusions` - (Optional) Log entries that match any of the exclusion filters will not be exported. If a log entry is matched by both `filter` and one of `exclusions.filter`, it will not be exported.  Can be repeated multiple times for multiple exclusions. Structure is [documented below](#nested_exclusions).