All Products
Search
Document Center

Simple Log Service:Use Terraform to configure Log Audit Service

Last Updated:Feb 21, 2024

This topic describes how to use Terraform and its CLI to configure Log Audit Service.

Prerequisites

Terraform is installed and configured. For more information, see Use Terraform in Cloud Shell and Install and configure Terraform in the local PC.

Background information

Terraform is an open source tool that can be used to preview, configure, and manage cloud infrastructures and resources in a secure and efficient manner. Terraform provides an easy-to-use CLI that allows you to deploy configuration files on Alibaba Cloud or third-party clouds and manage the versions of the configuration files.

Alibaba Cloud supports more than 163 resources and 113 data sources across multiple Alibaba Cloud services in the following categories: computing, storage, networking, Alibaba Cloud CDN (CDN), Container Service for Kubernetes (ACK), middleware, and database. This helps a large number of customers automatically migrate data to the cloud. For more information, see terraform-provider-alicloud.

Benefits of Terraform

  • Multi-cloud infrastructure deployment

    Terraform is suitable for multi-cloud scenarios in which multiple similar infrastructures are deployed across Alibaba Cloud, third-party cloud service providers, and data centers. You can use the same tools and similar configuration files to manage infrastructures across different cloud service providers.

  • Automated infrastructure management

    You can create configuration file templates to define, provision, and configure Elastic Compute Service (ECS) resources in a repeated and predictable manner. This reduces human errors during deployment and management operations. You can use the same template multiple times to create identical development, test, and production environments.

  • Infrastructure as code (IaC)

    Terraform supports the code-based management and maintenance of resources. Terraform stores a copy of the current configurations of your infrastructure. This way, you can track changes made to the components in the IaC system and share infrastructure configurations with other users.

  • Reduced development costs

    You can create development and deployment environments based on your business requirements. This helps reduce development and deployment costs. You can evaluate development costs before you make changes to your system.

Step 1: Specify the identity information and the region of the central project for Log Audit Service

Use environment variables to specify the identity information and the region of the central project for Log Audit Service. The following table describes the parameters.

export ALICLOUD_ACCESS_KEY="AccessKey ID"
export ALICLOUD_SECRET_KEY="AccessKey Secret"
export ALICLOUD_REGION="cn-huhehaote"

Parameter

Description

ALICLOUD_ACCESS_KEY

The AccessKey ID of your Alibaba Cloud account. For more information, see AccessKey pair.

ALICLOUD_SECRET_KEY

The AccessKey secret of your Alibaba Cloud account. For more information, see AccessKey pair.

ALICLOUD_REGION

The region where the central project of Log Audit Service resides. The following regions are supported:

  • Chinese mainland: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)

  • Outside the Chinese mainland: Singapore, Japan (Tokyo), Germany (Frankfurt), and Indonesia (Jakarta)

Step 2: Complete RAM authorization

If the service-linked role AliyunServiceRoleForSLSAudit does not exist in the central account, you must create the service-linked role. For more information, see Initially configure Log Audit Service.

For information about how to configure other member accounts in custom authentication mode and the related custom policies, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.

Step 3: Configure Log Audit Service

  1. Create a Terraform directory named sls and a file named terraform.tf in the directory.

  2. Open the terraform.tf file and add the following content:

    resource "alicloud_log_audit" "example" {
      display_name = "tf-audit-test"
      aliuid       = "1379186349****"
    }

    The following table describes the parameters that you must configure.

    Parameter

    Description

    example

    The name of the resource. You can specify a custom name.

    display_name

    The name of the collection configuration. You can specify a custom name.

    aliuid

    The ID of your Alibaba Cloud account.

  3. Run the following command in the sls directory to initialize the directory:

    terraform init

    If the command output contains Terraform has been successfully initialized!, the directory is initialized.初始化

  4. Open the terraform.tf file and configure the parameters of Log Audit Service.

    The following sample code provides configuration examples. For more information about the parameters, see Terraform-Aliyun Log Audit.

    • Single-account collection

      resource "alicloud_log_audit" "example" {
        display_name = "tf-audit-test"
        aliuid       = "1379186349****"
        variable_map = {
          "actiontrail_enabled" = "true",
          "actiontrail_ttl" = "180"
        }
      }
    • Multi-account collection

      You can configure multi-account collection in custom authentication or resource directory mode. In custom authentication mode, the central account is an Alibaba Cloud account. In resource directory mode, the central account must be the management account of your resource directory or a delegated administrator account. For more information, see Configure multi-account collection.

      • Custom authentication mode

        resource "alicloud_log_audit" "example" {
          display_name = "tf-audit-test"
          aliuid     = "1379186349****"
          variable_map = {
            "actiontrail_enabled" = "true",
            "actiontrail_ttl" = "180"
          }
          multi_account = ["1257918632****", "1324567349****"]
        
        }
      • Resource directory mode (Custom mode)

        resource "alicloud_log_audit" "example" {
          display_name = "tf-audit-test"
          aliuid    = "1379186349****"
          variable_map = {
            "actiontrail_enabled" = "true",
            "actiontrail_ttl" = "180"
          }
          multi_account = ["1257918632****", "1324567349****"]
        resource_directory_type="custom"
        }
      • Resource directory mode (All Members mode)

        resource "alicloud_log_audit" "example" {
          display_name = "tf-audit-test"
          aliuid       = "1379186349****"
          variable_map = {
            "actiontrail_enabled" = "true",
            "actiontrail_ttl" = "180"
          }
        resource_directory_type="all"
        }

    The following table describes the parameters.

    Parameter

    Description

    multi_account

    If you configure multi-account collection in custom authentication or resource directory mode (Custom mode), you must configure the multi_account parameter.

    Note

    The custom authentication mode requires complex configurations. We recommend that you configure multi-account collection in resource directory mode.

    • If you use the custom authentication mode, the resource_directory_type parameter is unavailable. You must set the multi_account parameter to the ID of an Alibaba Cloud account.

    • If you use the resource directory mode (Custom mode), the resource_directory_type parameter is set to custom. You must set the multi_account parameter to a member in your resource directory.

    resource_directory_type

    If you configure multi-account collection in resource directory mode, you must configure the resource_directory_type parameter. Valid values:

    • all: The All Members mode in resource directory mode is used.

    • custom: The Custom mode in resource directory mode is used.

    Note

    If you use the custom authentication mode, you do not need to configure the resource_directory_type parameter.

    variable_map

    Specifies the objects to collect, whether to collect specific data, and the retention period of the objects. For information about the parameters in the variable_map parameter, see Appendix: Parameters in the variable_map parameter.

  5. Validate the configurations in the terraform.tf file.

    1. Run the following command:

      terraform apply
    2. Enter yes.

      If the command output contains Apply complete!, the configurations take effect, and Log Audit Service collects and stores logs based on the configurations.

      配置生效

What to do next

You can use Terraform to perform the following operations:

  • Import existing collection configurations.

    terraform import alicloud_log_audit.example tf-audit-test

    You must replace example and tf-audit-test with the actual values.

    导入配置

    After the command is run, you can view the content of the terraform.tfstate file in the Terraform directory. The terraform.tfstate file contains the imported collection configurations.

    Important
    • If you want to migrate the imported collection configurations to the terraform.tf file, you must manually copy the configurations and change the format of the configurations to meet the format requirements of the terraform.tf file.

    • If you have run the terraform apply or terraform import command in the Terraform directory, the terraform import command fails to be run. Before you can rerun the terraform import command, delete the terraform.tfstate file from the directory.

  • View the current collection configurations.

    terraform show

    查看审计配置

  • View the differences between the terraform.tf file in the Terraform directory and the collection configurations that are in effect.

    terraform plan

    配置文件

Configure Log Audit Service over a virtual private cloud (VPC)

If you want to configure Log Audit Service over a VPC, perform the following steps:

  1. Use Terraform AliCloud Provider V1.214.0 or later.

  2. Use the endpoints argument to specify an actual endpoint. For example, if you want to configure Log Audit Service over a VPC in the China (Beijing) region, specify cn-beijing-intranet.log.aliyuncs.com for the argument. For more information, see Endpoints.

Example

The following code shows how to configure Log Audit Service over a VPC in the China (Beijing) region:

terraform {
     required_providers {
          alicloud = { 
               version = "1.214.0" // Use Terraform AliCloud Provider V1.214.0 or later.
          }   
     }   
}
provider "alicloud" {
    endpoints {
        log = "cn-beijing-intranet.log.aliyuncs.com"// Replace the value with an actual endpoint.
    }
}

resource "alicloud_log_audit" "example" {
    display_name = "tf-audit-test"
    aliuid       = "148*******3782"
    variable_map = {
        "actiontrail_enabled" = "true",
        "actiontrail_ttl" ="30"
    }
}
  1. Upgrade Terraform AliCloud Provider.

    terraform init --upgrade
  2. Apply application configurations.

    terraform apply

Examples

If you use Terraform to configure collection policies in Log Audit Service, take note of the configurations of special character escapes and multi-line policies. For example, if you want to collect logs from only VPCs whose tag variable env exactly matches test, you can configure the following collection policy:

accept tag.env == "test"
drop "*"

A collection policy consists of multi-line statements and contains special characters such as double quotation marks ("). If you configure a collection policy in Log Audit Service in the Simple Log Service console, the system automatically escapes special characters in the policy. However, if you use Terraform to configure a collection policy, you must manually escape special characters and wrap lines. You can use one of the following methods to complete the configurations:

  • Use EOF. For more information, see Configuration Syntax.

    variable vpcflow_policy {
      type        = string
      default     = <<EOF
    accept tag.env == \"test\"
    drop \"*\"
    EOF
    }
    
    resource "alicloud_log_audit" "example" {
      display_name = "tf-audit-test"
      aliuid       = "1234************"
      variable_map = {
        "vpc_flow_enabled" = "true",
        "vpc_flow_ttl" = "7",
        "vpc_sync_enabled" = "true",
        "vpc_sync_ttl" = "180"
        "vpc_flow_collection_policy" = var.vpcflow_policy
      }
      #if using rd custom mode for multi-account
      multi_account = ["1235************","1236************"]
      resource_directory_type="custom"
    }
  • Escape backslashes (\) and double quotation marks ("), and wrap lines based on \n. For more information, see Built-in Functions.

    resource "alicloud_log_audit" "example" {
      display_name = "tf-audit-test"
      aliuid       = "1234************"
      variable_map = {
        "vpc_flow_enabled" = "true",
        "vpc_flow_ttl" = "7",
        "vpc_sync_enabled" = "true",
        "vpc_sync_ttl" = "180"
        "vpc_flow_collection_policy" = "accept tag.env == \\\"test\\\"\\ndrop \\\"*\\\""
      }
      #if using rd custom mode for multi-account
      multi_account = ["1235************","1236************"]
      resource_directory_type="custom"
    }

Appendix: Parameters in the variable_map parameter

Parameter

Description

Default value

actiontrail_enabled

Specifies whether to collect ActionTrail logs. Valid values:

  • true: The system synchronizes intranet private DNS logs to the central project.

  • false: The system does not collect intranet private DNS logs.

false

actiontrail_ttl

The retention period of ActionTrail logs in the central Logstore. Unit: days.

180

cloudconfig_change_enabled

Specifies whether to collect Cloud Config change logs. Valid values:

  • true: The system collects Cloud Config change logs.

  • false: The system does not collect intranet private DNS logs.

false

cloudconfig_change_ttl

The retention period of Cloud Config change logs in the central Logstore. Unit: days.

180

cloudconfig_noncom_enabled

Specifies whether to collect Cloud Config non-compliance events. Valid values:

  • true: The system collects Cloud Config non-compliance events.

  • false: The system does not collect intranet private DNS logs.

false

cloudconfig_noncom_ttl

The retention period of Cloud Config non-compliance events in the central Logstore. Unit: days.

180

oss_access_enabled

Specifies whether to collect Object Storage Service (OSS) access logs. Valid values:

  • true: The system synchronizes intranet private DNS logs to the central project.

  • false: The system does not collect intranet private DNS logs.

false

oss_access_ttl

The retention period of OSS access logs in the regional Logstore. Unit: days.

7

oss_sync_enabled

Specifies whether to synchronize OSS access logs to the central project. Valid values:

  • true: The system synchronizes intranet private DNS logs to the central project.

  • false: The system does not synchronize intranet private DNS logs to the central project.

true

oss_sync_ttl

The retention period of OSS access logs in the central Logstore. Unit: days.

180

oss_metering_enabled

Specifies whether to collect OSS metering logs. Valid values:

  • true: The system synchronizes intranet private DNS logs to the central project.

  • false: The system does not collect intranet private DNS logs.

false

oss_metering_ttl

The retention period of OSS metering logs in the central Logstore. Unit: days.

180

rds_enabled

Specifies whether to collect ApsaraDB RDS for MySQL audit logs. Valid values:

  • true: The system synchronizes intranet private DNS logs to the central project.

  • false: The system does not collect intranet private DNS logs.

false

rds_audit_collection_policy

The collection policy for ApsaraDB RDS for MySQL audit logs.

""

rds_ttl

The retention period of ApsaraDB RDS for MySQL audit logs in the central Logstore. Unit: days.

180

rds_slow_enabled

Specifies whether to collect ApsaraDB RDS for MySQL slow query logs. Valid values:

  • true

  • false

false

rds_slow_collection_policy

The collection policy for ApsaraDB RDS for MySQL slow query logs.

""

rds_slow_ttl

The retention period of ApsaraDB RDS for MySQL slow query logs in the central Logstore. Unit: days.

180

rds_error_enabled

Specifies whether to collect ApsaraDB RDS for MySQL error logs. Valid values:

  • true

  • false

false

rds_error_collection_policy

The collection policy for ApsaraDB RDS for MySQL error logs.

""

rds_error_ttl

The retention period of ApsaraDB RDS for MySQL error logs in the central Logstore. Unit: days.

180

rds_perf_enabled

Specifies whether to collect ApsaraDB RDS for MySQL performance logs. Valid values:

  • true

  • false

false

rds_perf_collection_policy

The collection policy for ApsaraDB RDS for MySQL performance logs.

""

rds_perf_ttl

The retention period of ApsaraDB RDS for MySQL performance logs in the central Logstore. Unit: days.

180

vpc_flow_enabled

Specifies whether to collect VPC flow logs. Valid values:

  • true

  • false

false

vpc_flow_ttl

The retention period of VPC flow logs in the regional Logstore. Unit: days.

7

vpc_flow_collection_policy

The collection policy for VPC flow logs.

""

vpc_sync_enabled

Specifies whether to synchronize VPC flow logs to the central project. Valid values:

  • true

  • false

true

vpc_sync_ttl

The retention period of VPC flow logs in the central Logstore. Unit: days.

180

dns_intranet_enabled

Specifies whether to collect intranet Alibaba Cloud DNS (DNS) logs. Valid values:

  • true

  • false

false

dns_intranet_ttl

The retention period of intranet DNS logs in the regional Logstore. Unit: days.

7

dns_intranet_collection_policy

The collection policy for intranet DNS logs.

None

dns_sync_enabled

Specifies whether to synchronize intranet DNS logs to the central project. Valid values:

  • true

  • false

true

dns_sync_ttl

The retention period of intranet DNS logs in the central Logstore. Unit: days.

180

polardb_enabled

Specifies whether to collect PolarDB for MySQL audit logs. Valid values:

  • true

  • false

false

polardb_audit_collection_policy

The collection policy for PolarDB for MySQL audit logs.

""

polardb_ttl

The retention period of PolarDB for MySQL audit logs in the central Logstore. Unit: days.

180

polardb_slow_enabled

Specifies whether to collect PolarDB for MySQL slow query logs. Valid values:

  • true

  • false

false

polardb_slow_collection_policy

The collection policy for PolarDB for MySQL slow query logs.

""

polardb_slow_ttl

The retention period of PolarDB for MySQL slow query logs in the central Logstore. Unit: days.

180

polardb_error_enabled

Specifies whether to collect PolarDB for MySQL error logs. Valid values:

  • true

  • false

false

polardb_error_collection_policy

The collection policy for PolarDB for MySQL error logs.

""

polardb_error_ttl

The retention period of PolarDB for MySQL error logs in the central Logstore. Unit: days.

180

polardb_perf_enabled

Specifies whether to collect PolarDB for MySQL performance logs. Valid values:

  • true

  • false

false

polardb_perf_collection_policy

The collection policy for PolarDB for MySQL performance logs.

""

polardb_perf_ttl

The retention period of PolarDB for MySQL performance logs in the central Logstore. Unit: days.

180

drds_audit_enabled

Specifies whether to collect PolarDB-X 1.0 audit logs. Valid values:

  • true

  • false

false

drds_audit_collection_policy

The collection policy for PolarDB-X 1.0 audit logs.

""

drds_audit_ttl

The retention period of PolarDB-X 1.0 audit logs in the regional Logstore. Unit: days.

7

drds_sync_enabled

Specifies whether to synchronize PolarDB-X 1.0 audit logs to the central project. Valid values:

  • true

  • false

true

drds_sync_ttl

The retention period of PolarDB-X 1.0 audit logs in the central Logstore. Unit: days.

180

slb_access_enabled

Specifies whether to collect Server Load Balancer (SLB) access logs. Valid values:

  • true

  • false

false

slb_access_collection_policy

The collection policy for SLB access logs.

""

slb_access_ttl

The retention period of SLB access logs in the regional Logstore. Unit: days.

7

slb_sync_enabled

Specifies whether to synchronize SLB access logs to the central project. Valid values:

  • true

  • false

true

slb_sync_ttl

The retention period of SLB access logs in the central Logstore. Unit: days.

180

alb_access_enabled

Specifies whether to collect Application Load Balancer (ALB) access logs. Valid values:

  • true

  • false

false

alb_access_collection_policy

The collection policy for ALB access logs.

""

alb_access_ttl

The retention period of ALB access logs in the regional Logstore. Unit: days.

7

alb_sync_enabled

Specifies whether to synchronize ALB access logs to the central project. Valid values:

  • true

  • false

true

alb_sync_ttl

The retention period of ALB access logs in the central Logstore. Unit: days.

180

bastion_enabled

Specifies whether to collect Bastionhost operation logs. Valid values:

  • true

  • false

false

bastion_ttl

The retention period of Bastionhost operation logs in the central Logstore. Unit: days.

180

waf_enabled

Specifies whether to collect Web Application Firewall (WAF) access logs. Valid values:

  • true

  • false

false

waf_ttl

The retention period of WAF access logs in the central Logstore. Unit: days.

180

cloudfirewall_enabled

Specifies whether to collect Internet firewall traffic logs from Cloud Firewall. Valid values:

  • true

  • false

false

cloudfirewall_ttl

The retention period of Cloud Firewall Internet firewall traffic logs in the central Logstore. Unit: days.

180

cloudfirewall_vpc_enabled

Specifies whether to collect VPC firewall traffic logs from Cloud Firewall. Valid values:

  • true

  • false

false

cloudfirewall_vpc_ttl

The retention period of Cloud Firewall VPC firewall traffic logs in the central Logstore. Unit: days.

180

ddos_coo_access_enabled

Specifies whether to collect Anti-DDoS Pro access logs. Valid values:

  • true

  • false

false

ddos_coo_access_ttl

The retention period of Anti-DDoS Pro access logs in the central Logstore. Unit: days.

180

ddos_bgp_access_enabled

Specifies whether to collect Anti-DDoS Origin access logs. Valid values:

  • true

  • false

false

ddos_bgp_access_ttl

The retention period of Anti-DDoS Origin access logs in the central Logstore. Unit: days.

180

ddos_dip_access_enabled

Specifies whether to collect Anti-DDoS Premium access logs. Valid values:

  • true

  • false

false

ddos_dip_access_ttl

The retention period of Anti-DDoS Premium access logs in the central Logstore. Unit: days.

180

sas_ttl

The retention period of Security Center (SAS) logs in the central Logstore. Unit: days.

180

sas_process_enabled

Specifies whether to collect SAS process startup logs. Valid values:

  • true

  • false

false

sas_network_enabled

Specifies whether to collect SAS network connection logs. Valid values:

  • true

  • false

false

sas_login_enabled

Specifies whether to collect SAS logon logs. Valid values:

  • true

  • false

false

sas_crack_enabled

Specifies whether to collect SAS brute-force attack logs. Valid values:

  • true

  • false

false

sas_snapshot_process_enabled

Specifies whether to collect SAS process snapshot logs. Valid values:

  • true

  • false

false

sas_snapshot_account_enabled

Specifies whether to collect SAS account snapshot logs. Valid values:

  • true

  • false

false

sas_snapshot_port_enabled

Specifies whether to collect SAS port snapshot logs. Valid values:

  • true

  • false

false

sas_dns_enabled

Specifies whether to collect SAS DNS logs. Valid values:

  • true

  • false

false

sas_local_dns_enabled

Specifies whether to collect SAS local DNS logs. Valid values:

  • true

  • false

false

sas_session_enabled

Specifies whether to collect SAS network session logs. Valid values:

  • true

  • false

false

sas_http_enabled

Specifies whether to collect SAS web access logs. Valid values:

  • true

  • false

false

sas_security_vul_enabled

Specifies whether to collect SAS vulnerability logs. Valid values:

  • true

  • false

false

sas_security_hc_enabled

Specifies whether to collect SAS baseline logs. Valid values:

  • true

  • false

false

sas_security_alert_enabled

Specifies whether to collect SAS security alert logs. Valid values:

  • true

  • false

false

sas_dns_query_enabled

Specifies whether to collect SAS DNS request logs. Valid values:

  • true

  • false

false

apigateway_enabled

Specifies whether to collect API Gateway access logs. Valid values:

  • true

  • false

false

apigateway_ttl

The retention period of API Gateway access logs in the central Logstore. Unit: days.

180

nas_enabled

Specifies whether to collect Apsara File Storage NAS (NAS) access logs. Valid values:

  • true

  • false

false

nas_ttl

The retention period of NAS access logs in the central Logstore. Unit: days.

180

appconnect_enabled

Specifies whether to collect Cloud Service Bus (CSB) App Connect logs. Valid values:

  • true

  • false

false

appconnect_ttl

The retention period of CSB App Connect logs in the central Logstore. Unit: days.

180

cps_enabled

Specifies whether to collect Alibaba Cloud Mobile Push logs. Valid values:

  • true

  • false

false

cps_ttl

The retention period of Alibaba Cloud Mobile Push logs in the central Logstore. Unit: days.

180

k8s_audit_enabled

Specifies whether to collect Kubernetes audit logs. Valid values:

  • true

  • false

false

k8s_audit_collection_policy

The collection policy for Kubernetes audit logs.

""

k8s_audit_ttl

The retention period of Kubernetes audit logs in the central Logstore. Unit: days.

180

k8s_event_enabled

Specifies whether to collect Kubernetes event logs. Valid values:

  • true

  • false

false

k8s_event_collection_policy

The collection policy for Kubernetes event logs.

""

k8s_event_ttl

The retention period of Kubernetes event logs in the central Logstore. Unit: days.

180

k8s_ingress_enabled

Specifies whether to collect Kubernetes Ingress access logs. Valid values:

  • true

  • false

false

k8s_ingress_collection_policy

The collection policy for Kubernetes Ingress access logs.

""

k8s_ingress_ttl

The retention period of Kubernetes Ingress access logs in the central Logstore. Unit: days.

180