Treat _Default & _Required Sinks same as buckets (#9384) (#16513)

* Treat _Default & _Required Sinks same as buckets

* Update documentation.

* Update exclusions every time.

* Do not check if _Default bucket has been deleted.

* Clean-up log statements.

* Fixup documentation.

* Ensure SA IAM set before associating with bucket.
[upstream:407631823fe91540101b6747b98f75eafdc3ada4]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/9384.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+logging: `google_logging_project_sink` now will aqcuire and update the resource that already exists at the desired location. These buckets cannot be removed so deleting this resource will remove the bucket config from your terraform state but will leave the logging bucket unchanged.   
+```

google/services/logging/resource_logging_project_sink.go

@@ -8,6 +8,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"log"
 
 	"github.com/hashicorp/terraform-provider-google/google/tpgresource"
 	transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
@@ -19,7 +20,7 @@ const nonUniqueWriterAccount = "serviceAccount:[email protected]
 
 func ResourceLoggingProjectSink() *schema.Resource {
 	schm := &schema.Resource{
-		Create:        resourceLoggingProjectSinkCreate,
+		Create:        resourceLoggingProjectSinkAcquireOrCreate,
 		Read:          resourceLoggingProjectSinkRead,
 		Delete:        resourceLoggingProjectSinkDelete,
 		Update:        resourceLoggingProjectSinkUpdate,
@@ -51,7 +52,7 @@ func ResourceLoggingProjectSink() *schema.Resource {
 	return schm
 }
 
-func resourceLoggingProjectSinkCreate(d *schema.ResourceData, meta interface{}) error {
+func resourceLoggingProjectSinkAcquireOrCreate(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(*transport_tpg.Config)
 	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
 	if err != nil {
@@ -67,25 +68,32 @@ func resourceLoggingProjectSinkCreate(d *schema.ResourceData, meta interface{})
 	uniqueWriterIdentity := d.Get("unique_writer_identity").(bool)
 	customWriterIdentity := d.Get("custom_writer_identity").(string)
 
-	projectSinkCreateRequest := config.NewLoggingClient(userAgent).Projects.Sinks.Create(id.parent(), sink)
+	log.Printf("[DEBUG] Fetching logging sink config: %#v", id)
 
-	// if custom-sa is specified, use it to write log and it requires uniqueWriterIdentity to be set as well
-	// otherwise set the uniqueWriter identity
-	if customWriterIdentity != "" {
-		projectSinkCreateRequest = projectSinkCreateRequest.UniqueWriterIdentity(uniqueWriterIdentity).CustomWriterIdentity(customWriterIdentity)
-	} else {
-		projectSinkCreateRequest = projectSinkCreateRequest.UniqueWriterIdentity(uniqueWriterIdentity)
-	}
+	res, _ := config.NewLoggingClient(userAgent).Projects.Sinks.Get(id.canonicalId()).Do()
+	if res == nil {
+		projectSinkCreateRequest := config.NewLoggingClient(userAgent).Projects.Sinks.Create(id.parent(), sink)
 
-	_, err = projectSinkCreateRequest.Do()
+		// if custom-sa is specified, use it to write log and it requires uniqueWriterIdentity to be set as well
+		// otherwise set the uniqueWriter identity
+		if customWriterIdentity != "" {
+			projectSinkCreateRequest = projectSinkCreateRequest.UniqueWriterIdentity(uniqueWriterIdentity).CustomWriterIdentity(customWriterIdentity)
+		} else {
+			projectSinkCreateRequest = projectSinkCreateRequest.UniqueWriterIdentity(uniqueWriterIdentity)
+		}
 
-	if err != nil {
-		return err
-	}
+		_, err = projectSinkCreateRequest.Do()
 
+		if err != nil {
+			return err
+		}
+
+		d.SetId(id.canonicalId())
+		return resourceLoggingProjectSinkRead(d, meta)
+	}
 	d.SetId(id.canonicalId())
 
-	return resourceLoggingProjectSinkRead(d, meta)
+	return resourceLoggingProjectSinkUpdate(d, meta)
 }
 
 // if bigquery_options is set unique_writer_identity must be true
@@ -177,6 +185,14 @@ func resourceLoggingProjectSinkUpdate(d *schema.ResourceData, meta interface{})
 }
 
 func resourceLoggingProjectSinkDelete(d *schema.ResourceData, meta interface{}) error {
+	name := d.Get("name")
+	for _, restrictedName := range []string{"_Required", "_Default"} {
+		if name == restrictedName {
+			log.Print("[WARN] Default logging sinks cannot be deleted.")
+			return nil
+		}
+	}
+
 	config := meta.(*transport_tpg.Config)
 	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
 	if err != nil {

google/services/logging/resource_logging_project_sink_test.go

@@ -35,6 +35,28 @@ func TestAccLoggingProjectSink_basic(t *testing.T) {
 	})
 }
 
+func TestAccLoggingProjectSink_default(t *testing.T) {
+	t.Parallel()
+
+	sinkName := "_Default"
+	bucketName := "tf-test-sink-bucket-" + acctest.RandString(t, 10)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoggingProjectSink_basic(sinkName, envvar.GetTestProjectFromEnv(), bucketName),
+			},
+			{
+				ResourceName:      "google_logging_project_sink.basic",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccLoggingProjectSink_described(t *testing.T) {
 	t.Parallel()
 
@@ -515,7 +537,10 @@ resource "google_logging_project_sink" "custom_writer" {
   unique_writer_identity = true
   custom_writer_identity = "serviceAccount:${google_service_account.test-account1.email}"
 
-  depends_on = [google_logging_project_bucket_config.destination-bucket]
+  depends_on = [
+	google_logging_project_bucket_config.destination-bucket,
+	google_service_account_iam_member.loggingsa-customsa-binding,
+	]
 }
 `, project, project, org, billingId, serviceAccount, envvar.GetTestProjectFromEnv(), name, envvar.GetTestProjectFromEnv())
 }
@@ -569,7 +594,10 @@ resource "google_logging_project_sink" "custom_writer" {
   unique_writer_identity = true
   custom_writer_identity = "serviceAccount:${google_service_account.test-account2.email}"
 
-  depends_on = [google_logging_project_bucket_config.destination-bucket]
+  depends_on = [
+	google_logging_project_bucket_config.destination-bucket,
+	google_service_account_iam_member.loggingsa-customsa-binding,
+	]
 }
 `, project, project, org, billingId, serviceAccount, envvar.GetTestProjectFromEnv(), name, envvar.GetTestProjectFromEnv())
 }

google/services/logging/resource_logging_sink.go

@@ -157,10 +157,11 @@ func expandResourceLoggingSinkForUpdate(d *schema.ResourceData) (sink *logging.L
 		Filter:          d.Get("filter").(string),
 		Disabled:        d.Get("disabled").(bool),
 		Description:     d.Get("description").(string),
-		ForceSendFields: []string{"Destination", "Filter", "Disabled"},
+		Exclusions:      expandLoggingSinkExclusions(d.Get("exclusions")),
+		ForceSendFields: []string{"Destination", "Filter", "Disabled", "Exclusions"},
 	}
 
-	updateFields := []string{}
+	updateFields := []string{"exclusions"}
 	if d.HasChange("destination") {
 		updateFields = append(updateFields, "destination")
 	}
@@ -173,10 +174,6 @@ func expandResourceLoggingSinkForUpdate(d *schema.ResourceData) (sink *logging.L
 	if d.HasChange("disabled") {
 		updateFields = append(updateFields, "disabled")
 	}
-	if d.HasChange("exclusions") {
-		sink.Exclusions = expandLoggingSinkExclusions(d.Get("exclusions"))
-		updateFields = append(updateFields, "exclusions")
-	}
 	if d.HasChange("bigquery_options") {
 		sink.BigqueryOptions = expandLoggingSinkBigqueryOptions(d.Get("bigquery_options"))
 		updateFields = append(updateFields, "bigqueryOptions")

website/docs/r/logging_project_sink.html.markdown

@@ -18,6 +18,9 @@ Manages a project-level logging sink. For more information see:
 
 ~> **Note** You must [enable the Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com)
 
+~> **Note:** The `_Default` and `_Required` logging sinks are automatically created for a given project and cannot be deleted. Creating a resource of this type will acquire and update the resource that already exists at the desired location. These sinks cannot be removed so deleting this resource will remove the sink config from your terraform state but will leave the logging sink unchanged. The sinks that are currently automatically created are "_Default" and "_Required".
+
+
 ## Example Usage - Basic Sink
 
 ```hcl
@@ -164,7 +167,7 @@ resource "google_logging_project_sink" "log-bucket" {
 
 The following arguments are supported:
 
-* `name` - (Required) The name of the logging sink.
+* `name` - (Required) The name of the logging sink. Logging automatically creates two sinks: `_Required` and `_Default`.
 
 * `destination` - (Required) The destination of the sink (or, in other words, where logs are written to). Can be a
     Cloud Storage bucket, a PubSub topic, a BigQuery dataset or a Cloud Logging bucket . Examples: