This topic describes how to use Terraform and its CLI to configure Log Audit Service.

Prerequisites

Terraform is installed and configured. For more information, see Use Terraform in Cloud Shell and Install and configure Terraform in the local PC.

Background information

Terraform is an open source tool that you can use to preview, configure, and manage cloud infrastructures and resources in a secure and efficient manner. Terraform provides an easy-to-use CLI that allows you to deploy configuration files on Alibaba Cloud or other supported clouds and control the versions of the configuration files.

Alibaba Cloud is the first cloud service provider in China to offer services that are integrated with Terraform. The Alibaba Cloud provider supports more than 163 resources and 113 data sources. Alibaba Cloud products, such as computing, storage, networking, CDN, container, middleware, and database, are supported. This helps a large number of customers implement automated data migration to the cloud. For more information, see Alibaba Cloud Provider.

Benefits of Terraform

  • Multi-cloud infrastructure deployment

    Terraform is suitable for multi-cloud scenarios in which similar infrastructures are deployed to Alibaba Cloud, other clouds, or data centers. Terraform allows developers to use the same tools and similar configuration files to manage infrastructures across different cloud service providers.

  • Automated infrastructure management

    Terraform allows you to create configuration file templates to repeatedly define, provision, and configure Elastic Compute Service (ECS) resources in a predictable manner. This reduces human errors during deployment and management operations. You can deploy the same template multiple times to create identical development, test, and production environments.

  • Infrastructure as Code (IaC)

    Terraform supports code-based management and maintenance of resources. Terraform stores a copy of the current configurations of your infrastructure. This way, you can track changes made to the components in the IaC system and share infrastructure configurations with other users.

  • Reduced development costs

    You can use Terraform to create development and deployment environments based on your business requirements. This way, your development and deployment costs can be reduced. In addition, you can evaluate development costs before you make changes to your system.

Step 1: Specify the identity information and the region of the central project for Log Audit Service

Use environment variables to specify the identity information and the region of the central project for Log Audit Service.

export ALICLOUD_ACCESS_KEY="AccessKey ID"
export ALICLOUD_SECRET_KEY="AccessKey Secret"
export ALICLOUD_REGION="cn-huhehaote"

Parameter           Description
ALICLOUD_ACCESS_KEY The AccessKey ID of your Alibaba Cloud account. For more information, see AccessKey pair.
ALICLOUD_SECRET_KEY The AccessKey secret of your Alibaba Cloud account. For more information, see AccessKey pair.
ALICLOUD_REGION     The region where the central project for Log Audit Service resides. The following regions are supported:
                    • China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)
                    • Singapore (Singapore), Japan (Tokyo), Germany (Frankfurt), and Indonesia (Jakarta)
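A pre-flight check for this step, added here as an example and not part of the Alibaba Cloud documentation: it confirms that the three variables are present in the environment (so the AccessKey pair never has to be written into terraform.tf) and that ALICLOUD_REGION is one of the regions supported for the central project, then runs terraform init in the sls directory. The region IDs are assumed to be the standard Alibaba Cloud IDs of the regions named in the table (cn-huhehaote is the one this topic itself uses); the function names are this script's own.

```shell
#!/usr/bin/env bash
# Added example, not from the Alibaba Cloud documentation.
# Pre-flight checks before running terraform for Log Audit Service.
# Assumption: the region IDs below are the standard Alibaba Cloud IDs of the
# regions listed in the table above.

SLS_AUDIT_REGIONS="cn-beijing cn-huhehaote cn-hangzhou cn-shanghai cn-shenzhen cn-hongkong ap-southeast-1 ap-northeast-1 eu-central-1 ap-southeast-5"

# Return 0 if $1 is a region that can host the central project, 1 otherwise.
sls_region_supported() {
  case " $SLS_AUDIT_REGIONS " in
    *" $1 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Return 0 only if every required variable is set and the region is valid.
# Secret values are never echoed; only the variable name is reported.
sls_check_env() {
  rc=0
  for v in ALICLOUD_ACCESS_KEY ALICLOUD_SECRET_KEY ALICLOUD_REGION; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v (export it before running terraform)" >&2
      rc=1
    fi
  done
  if [ -n "${ALICLOUD_REGION:-}" ] && ! sls_region_supported "$ALICLOUD_REGION"; then
    echo "unsupported region for the central project: $ALICLOUD_REGION" >&2
    rc=1
  fi
  return $rc
}

# Only act when invoked as "script.sh run [DIR]"; sourcing the file just
# defines the functions, so it can be reused from other scripts.
if [ "${1:-}" = "run" ]; then
  sls_check_env || exit 1
  command -v terraform >/dev/null || { echo "terraform not found in PATH" >&2; exit 1; }
  cd "${2:-sls}" && terraform init
fi
```

Running `sh preflight.sh run sls` stops before any API call if a variable is missing or the region is not in the list, which is cheaper than discovering the problem from a failed terraform apply.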

Step 2: Complete RAM authorization

Use Terraform to complete RAM authorization. For more information, see alicloud_ram_policy. For more information about the policies used for authorization, see Use a custom policy to authorize Log Service to collect and synchronize logs.

Step 3: Configure Log Audit Service

  1. Create a Terraform directory named sls and create a file named terraform.tf in the directory.
  2. Open the terraform.tf file and add the following content:
    resource "alicloud_log_audit" "example" {
      display_name = "tf-audit-test"
      aliuid       = "12345678"
    }

    The following table describes the parameters.

    Parameter    Description
    example      The name of the resource. You can specify a custom name.
    display_name The name of the collection configuration. You can specify a custom name.
    aliuid       The ID of your Alibaba Cloud account.
  3. Run the following command in the sls directory to initialize the directory:
    terraform init
    If the command output contains Terraform has been successfully initialized!, the directory is initialized.
  4. Open the terraform.tf file and configure the parameters related to Log Audit Service.

    The following samples show typical configurations. For more information about the parameters, see alicloud_log_audit.

    • Single-account collection
      resource "alicloud_log_audit" "example" {
        display_name = "tf-audit-test"
        aliuid       = "12345678"
        variable_map = {
          "actiontrail_enabled" = "true",
          "actiontrail_ttl" = "180"
        }
      }
    • Multi-account collection

      You can configure multi-account collection in custom authentication mode or resource directory mode. The resource directory mode is recommended. For more information, see Configure multi-account collection.

      resource "alicloud_log_audit" "example" {
        display_name = "tf-audit-test"
        aliuid       = "12345678"
        variable_map = {
          "actiontrail_enabled" = "true",
          "actiontrail_ttl" = "180"
        }
        multi_account = ["123456789123", "123456789123"]
        resource_directory_type = "custom"
      }
    Parameter               Description
    actiontrail_enabled     Specifies whether to collect ActionTrail logs. Valid values:
                            • true: ActionTrail logs are collected.
                            • false: ActionTrail logs are not collected.
    actiontrail_ttl         The retention period of ActionTrail logs.
    multi_account           Required if you configure multi-account collection in custom authentication mode or in the Custom mode of resource directory mode.
                            Note The custom authentication mode requires complex configurations. We recommend that you configure multi-account collection in resource directory mode.
                            • Custom authentication mode: the resource_directory_type parameter is not available, and each element of multi_account is the ID of an Alibaba Cloud account.
                            • Custom mode in resource directory mode: resource_directory_type is set to custom, and each element of multi_account is a member of your resource directory.
    resource_directory_type Required if you configure multi-account collection in resource directory mode. Valid values:
                            • all: The All Members mode in resource directory mode is used.
                            • custom: The Custom mode in resource directory mode is used.
                            Note If you use the custom authentication mode, do not configure the resource_directory_type parameter.
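The combinations in this table are easy to get wrong in a hand-written terraform.tf, so the following script, an added example that is not part of the Alibaba Cloud documentation, renders the alicloud_log_audit resource from a few arguments and refuses inputs the table rules out: members listed in single-account or All Members mode, no members in a custom mode, a non-numeric account ID, or the same member listed twice. The mode names single, custom-auth, rd-custom and rd-all, and the function name, are this script's own convention, not provider parameters.

```shell
#!/usr/bin/env bash
# Added example, not from the Alibaba Cloud documentation.
# Render a terraform.tf body for alicloud_log_audit and reject combinations
# that the parameter table marks as invalid.
#
# usage: sls_render_audit DISPLAY_NAME ALIUID MODE TTL [MEMBER_ID ...]
#   MODE (this script's own names):
#     single      single-account collection, no members
#     custom-auth multi-account, custom authentication mode (no resource_directory_type)
#     rd-custom   resource directory mode, Custom mode (resource_directory_type = "custom")
#     rd-all      resource directory mode, All Members (resource_directory_type = "all")
sls_render_audit() {
  [ $# -ge 4 ] || { echo "usage: sls_render_audit DISPLAY_NAME ALIUID MODE TTL [MEMBER_ID ...]" >&2; return 1; }
  local display_name=$1 aliuid=$2 mode=$3 ttl=$4 m list seen
  shift 4

  case "$aliuid" in ''|*[!0-9]*) echo "aliuid must be a numeric account ID" >&2; return 1 ;; esac
  case "$ttl" in ''|*[!0-9]*) echo "actiontrail_ttl must be a positive integer" >&2; return 1 ;; esac
  [ "$ttl" -gt 0 ] || { echo "actiontrail_ttl must be greater than 0" >&2; return 1; }

  # Members are only meaningful in the two custom modes.
  case "$mode" in
    single)  [ $# -eq 0 ] || { echo "single mode takes no member accounts" >&2; return 1; } ;;
    rd-all)  [ $# -eq 0 ] || { echo "rd-all collects every member; do not list them" >&2; return 1; } ;;
    custom-auth|rd-custom)
             [ $# -gt 0 ] || { echo "$mode needs at least one member account" >&2; return 1; } ;;
    *)       echo "unknown mode: $mode" >&2; return 1 ;;
  esac

  # Every member must be a numeric ID and must not be listed twice.
  seen=" "
  for m in "$@"; do
    case "$m" in ''|*[!0-9]*) echo "member ID must be numeric: $m" >&2; return 1 ;; esac
    case "$seen" in *" $m "*) echo "duplicate member ID: $m" >&2; return 1 ;; esac
    seen="$seen$m "
  done

  printf 'resource "alicloud_log_audit" "example" {\n'
  printf '  display_name = "%s"\n' "$display_name"
  printf '  aliuid       = "%s"\n' "$aliuid"
  printf '  variable_map = {\n'
  printf '    "actiontrail_enabled" = "true",\n'
  printf '    "actiontrail_ttl"     = "%s"\n' "$ttl"
  printf '  }\n'
  if [ $# -gt 0 ]; then
    list=
    for m in "$@"; do list="$list${list:+, }\"$m\""; done
    printf '  multi_account = [%s]\n' "$list"
  fi
  case "$mode" in
    rd-custom) printf '  resource_directory_type = "custom"\n' ;;
    rd-all)    printf '  resource_directory_type = "all"\n' ;;
  esac
  printf '}\n'
}
```

For example, `sls_render_audit tf-audit-test 12345678 rd-custom 180 123456789123 > sls/terraform.tf` writes the Custom-mode sample from this step with one member, while the same call with `single` and a member list exits non-zero instead of producing a file that terraform apply would later reject.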
  5. Validate the configurations in the terraform.tf file.
    1. Run the following command:
      terraform apply
    2. Enter yes.

      If the command output contains Apply complete!, the configurations take effect, and Log Audit Service collects and stores logs based on the configurations.

What to do next

You can use Terraform to perform the following operations:

  • Import existing collection configurations.
    terraform import alicloud_log_audit.example tf-audit-test

    Replace example with the resource name used in terraform.tf and tf-audit-test with the display_name of the collection configuration that you want to import.

    After the command is run, you can view the content of the terraform.tfstate file in the Terraform directory. The terraform.tfstate file contains the imported collection configurations.

    Notice
    • If you want to migrate the imported collection configurations to the terraform.tf file, you must manually copy the configurations and adjust the format of the configurations to meet the format requirements of the terraform.tf file.
    • If you have already run the terraform apply or terraform import command in the Terraform directory, a terraform.tfstate file exists and the terraform import command fails. In this case, delete the terraform.tfstate file from the directory and run the terraform import command again.
  • View the current collection configurations.
    terraform show
  • View the differences between the terraform.tf file in the Terraform directory and the collection configurations that are in effect.
    terraform plan
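The notice under the import step tells you to delete terraform.tfstate before retrying. If that state file came from an earlier terraform apply, it is the only record of which resources Terraform manages, so the following wrapper, an added example that is not part of the Alibaba Cloud documentation, moves the file to a timestamped backup instead of deleting it and then runs the import. The function names are this script's own; it assumes terraform is on PATH and the sls directory layout from Step 3.

```shell
#!/usr/bin/env bash
# Added example, not from the Alibaba Cloud documentation.
# Keep a copy of any existing state file before "terraform import" so that
# nothing tracked by an earlier "terraform apply" is silently forgotten.

# Move DIR/terraform.tfstate to a timestamped .bak and print the backup path.
# Prints nothing and returns 0 when there is no state file to move.
sls_stash_tfstate() {
  local dir=${1:-.} state backup
  state="$dir/terraform.tfstate"
  [ -f "$state" ] || return 0
  backup="$state.$(date +%Y%m%dT%H%M%S).bak"
  mv "$state" "$backup" && printf '%s\n' "$backup"
}

# usage: sls_import_audit DIR RESOURCE_NAME DISPLAY_NAME
#   DIR           the Terraform directory (sls in this topic)
#   RESOURCE_NAME the label after alicloud_log_audit in terraform.tf (example)
#   DISPLAY_NAME  the display_name of the collection configuration (tf-audit-test)
sls_import_audit() {
  [ $# -eq 3 ] || { echo "usage: sls_import_audit DIR RESOURCE_NAME DISPLAY_NAME" >&2; return 1; }
  local dir=$1 resource=$2 display_name=$3 backup
  backup=$(sls_stash_tfstate "$dir") || return 1
  [ -z "$backup" ] || echo "existing state moved to $backup" >&2
  (cd "$dir" && terraform import "alicloud_log_audit.$resource" "$display_name")
}
```

After `sls_import_audit sls example tf-audit-test` the new terraform.tfstate holds the imported collection configuration, and the .bak file lets you compare or restore what Terraform previously managed before you copy the imported attributes into terraform.tf.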