This topic describes how to use Terraform and its CLI to configure Log Audit Service.
Prerequisites
Terraform is installed and configured. For more information, see Use Terraform in Cloud Shell and Install and configure Terraform in the local PC.
Background information
Terraform is an open source tool that can be used to preview, configure, and manage cloud infrastructures and resources in a secure and efficient manner. Terraform provides an easy-to-use CLI that allows you to deploy configuration files on Alibaba Cloud or third-party clouds and manage the versions of the configuration files.
Alibaba Cloud supports more than 163 resources and 113 data sources across multiple Alibaba Cloud services in the following categories: computing, storage, networking, Alibaba Cloud CDN (CDN), Container Service for Kubernetes (ACK), middleware, and database. This helps a large number of customers automatically migrate data to the cloud. For more information, see terraform-provider-alicloud.
Benefits of Terraform
Multi-cloud infrastructure deployment
Terraform is suitable for multi-cloud scenarios in which multiple similar infrastructures are deployed across Alibaba Cloud, third-party cloud service providers, and data centers. You can use the same tools and similar configuration files to manage infrastructures across different cloud service providers.
Automated infrastructure management
You can create configuration file templates to define, provision, and configure Elastic Compute Service (ECS) resources in a repeated and predictable manner. This reduces human errors during deployment and management operations. You can use the same template multiple times to create identical development, test, and production environments.
Infrastructure as code (IaC)
Terraform supports the code-based management and maintenance of resources. Terraform stores a copy of the current configurations of your infrastructure. This way, you can track changes made to the components in the IaC system and share infrastructure configurations with other users.
Reduced development costs
You can create development and deployment environments based on your business requirements. This helps reduce development and deployment costs. You can evaluate development costs before you make changes to your system.
Step 1: Specify the identity information and the region of the central project for Log Audit Service
Use environment variables to specify the identity information and the region of the central project for Log Audit Service. The following table describes the parameters.
export ALICLOUD_ACCESS_KEY="AccessKey ID"
export ALICLOUD_SECRET_KEY="AccessKey Secret"
export ALICLOUD_REGION="cn-huhehaote"
Parameter | Description |
ALICLOUD_ACCESS_KEY | The AccessKey ID of your Alibaba Cloud account. For more information, see AccessKey pair. |
ALICLOUD_SECRET_KEY | The AccessKey secret of your Alibaba Cloud account. For more information, see AccessKey pair. |
ALICLOUD_REGION | The region where the central project of Log Audit Service resides. The following regions are supported:
|
Step 2: Complete RAM authorization
If the service-linked role AliyunServiceRoleForSLSAudit does not exist in the central account, you must create the service-linked role. For more information, see Initially configure Log Audit Service.
For information about how to configure other member accounts in custom authentication mode and the related custom policies, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.
Step 3: Configure Log Audit Service
Create a Terraform directory named sls and a file named terraform.tf in the directory.
Open the terraform.tf file and add the following content:
resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "1379186349****" }
The following table describes the parameters that you must configure.
Parameter
Description
example
The name of the resource. You can specify a custom name.
display_name
The name of the collection configuration. You can specify a custom name.
aliuid
The ID of your Alibaba Cloud account.
Run the following command in the sls directory to initialize the directory:
terraform init
If the command output contains Terraform has been successfully initialized!, the directory is initialized.
Open the terraform.tf file and configure the parameters of Log Audit Service.
The following sample code provides configuration examples. For more information about the parameters, see Terraform-Aliyun Log Audit.
Single-account collection
resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "1379186349****" variable_map = { "actiontrail_enabled" = "true", "actiontrail_ttl" = "180" } }
Multi-account collection
You can configure multi-account collection in custom authentication or resource directory mode. In custom authentication mode, the central account is an Alibaba Cloud account. In resource directory mode, the central account must be the management account of your resource directory or a delegated administrator account. For more information, see Configure multi-account collection.
Custom authentication mode
resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "1379186349****" variable_map = { "actiontrail_enabled" = "true", "actiontrail_ttl" = "180" } multi_account = ["1257918632****", "1324567349****"] }
Resource directory mode (Custom mode)
resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "1379186349****" variable_map = { "actiontrail_enabled" = "true", "actiontrail_ttl" = "180" } multi_account = ["1257918632****", "1324567349****"] resource_directory_type="custom" }
Resource directory mode (All Members mode)
resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "1379186349****" variable_map = { "actiontrail_enabled" = "true", "actiontrail_ttl" = "180" } resource_directory_type="all" }
The following table describes the parameters.
Parameter
Description
multi_account
If you configure multi-account collection in custom authentication or resource directory mode (Custom mode), you must configure the multi_account parameter.
NoteThe custom authentication mode requires complex configurations. We recommend that you configure multi-account collection in resource directory mode.
If you use the custom authentication mode, the resource_directory_type parameter is unavailable. You must set the multi_account parameter to the ID of an Alibaba Cloud account.
If you use the resource directory mode (Custom mode), the resource_directory_type parameter is set to custom. You must set the multi_account parameter to a member in your resource directory.
resource_directory_type
If you configure multi-account collection in resource directory mode, you must configure the resource_directory_type parameter. Valid values:
all: The All Members mode in resource directory mode is used.
custom: The Custom mode in resource directory mode is used.
NoteIf you use the custom authentication mode, you do not need to configure the resource_directory_type parameter.
variable_map
Specifies the objects to collect, whether to collect specific data, and the retention period of the objects. For information about the parameters in the variable_map parameter, see Appendix: Parameters in the variable_map parameter.
Validate the configurations in the terraform.tf file.
Run the following command:
terraform apply
Enter yes.
If the command output contains
Apply complete!
, the configurations take effect, and Log Audit Service collects and stores logs based on the configurations.
What to do next
You can use Terraform to perform the following operations:
Import existing collection configurations.
terraform import alicloud_log_audit.example tf-audit-test
You must replace example and tf-audit-test with the actual values.
After the command is run, you can view the content of the terraform.tfstate file in the Terraform directory. The terraform.tfstate file contains the imported collection configurations.
ImportantIf you want to migrate the imported collection configurations to the terraform.tf file, you must manually copy the configurations and change the format of the configurations to meet the format requirements of the terraform.tf file.
If you have run the terraform apply or terraform import command in the Terraform directory, the terraform import command fails to be run. Before you can rerun the terraform import command, delete the terraform.tfstate file from the directory.
View the current collection configurations.
terraform show
View the differences between the terraform.tf file in the Terraform directory and the collection configurations that are in effect.
terraform plan
Configure Log Audit Service over a virtual private cloud (VPC)
If you want to configure Log Audit Service over a VPC, perform the following steps:
Use Terraform AliCloud Provider V1.214.0 or later.
Use the endpoints argument to specify an actual endpoint. For example, if you want to configure Log Audit Service over a VPC in the China (Beijing) region, specify
cn-beijing-intranet.log.aliyuncs.com
for the argument. For more information, see Endpoints.
Example
The following code shows how to configure Log Audit Service over a VPC in the China (Beijing) region:
terraform {
required_providers {
alicloud = {
version = "1.214.0" // Use Terraform AliCloud Provider V1.214.0 or later.
}
}
}
provider "alicloud" {
endpoints {
log = "cn-beijing-intranet.log.aliyuncs.com"// Replace the value with an actual endpoint.
}
}
resource "alicloud_log_audit" "example" {
display_name = "tf-audit-test"
aliuid = "148*******3782"
variable_map = {
"actiontrail_enabled" = "true",
"actiontrail_ttl" ="30"
}
}
Upgrade
Terraform AliCloud Provider
.terraform init --upgrade
Apply application configurations.
terraform apply
Examples
If you use Terraform to configure collection policies in Log Audit Service, take note of the configurations of special character escapes and multi-line policies. For example, if you want to collect logs from only VPCs whose tag variable env exactly matches test, you can configure the following collection policy:
accept tag.env == "test"
drop "*"
A collection policy consists of multi-line statements and contains special characters such as double quotation marks ("). If you configure a collection policy in Log Audit Service in the Simple Log Service console, the system automatically escapes special characters in the policy. However, if you use Terraform to configure a collection policy, you must manually escape special characters and wrap lines. You can use one of the following methods to complete the configurations:
Use EOF. For more information, see Configuration Syntax.
variable vpcflow_policy { type = string default = <<EOF accept tag.env == \"test\" drop \"*\" EOF } resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "1234************" variable_map = { "vpc_flow_enabled" = "true", "vpc_flow_ttl" = "7", "vpc_sync_enabled" = "true", "vpc_sync_ttl" = "180" "vpc_flow_collection_policy" = var.vpcflow_policy } #if using rd custom mode for multi-account multi_account = ["1235************","1236************"] resource_directory_type="custom" }
Escape backslashes (\) and double quotation marks ("), and wrap lines based on \n. For more information, see Built-in Functions.
resource "alicloud_log_audit" "example" { display_name = "tf-audit-test" aliuid = "1234************" variable_map = { "vpc_flow_enabled" = "true", "vpc_flow_ttl" = "7", "vpc_sync_enabled" = "true", "vpc_sync_ttl" = "180" "vpc_flow_collection_policy" = "accept tag.env == \\\"test\\\"\\ndrop \\\"*\\\"" } #if using rd custom mode for multi-account multi_account = ["1235************","1236************"] resource_directory_type="custom" }
Appendix: Parameters in the variable_map parameter
Parameter | Description | Default value |
actiontrail_enabled | Specifies whether to collect ActionTrail logs. Valid values:
| false |
actiontrail_ttl | The retention period of ActionTrail logs in the central Logstore. Unit: days. | 180 |
cloudconfig_change_enabled | Specifies whether to collect Cloud Config change logs. Valid values:
| false |
cloudconfig_change_ttl | The retention period of Cloud Config change logs in the central Logstore. Unit: days. | 180 |
cloudconfig_noncom_enabled | Specifies whether to collect Cloud Config non-compliance events. Valid values:
| false |
cloudconfig_noncom_ttl | The retention period of Cloud Config non-compliance events in the central Logstore. Unit: days. | 180 |
oss_access_enabled | Specifies whether to collect Object Storage Service (OSS) access logs. Valid values:
| false |
oss_access_ttl | The retention period of OSS access logs in the regional Logstore. Unit: days. | 7 |
oss_sync_enabled | Specifies whether to synchronize OSS access logs to the central project. Valid values:
| true |
oss_sync_ttl | The retention period of OSS access logs in the central Logstore. Unit: days. | 180 |
oss_metering_enabled | Specifies whether to collect OSS metering logs. Valid values:
| false |
oss_metering_ttl | The retention period of OSS metering logs in the central Logstore. Unit: days. | 180 |
rds_enabled | Specifies whether to collect ApsaraDB RDS for MySQL audit logs. Valid values:
| false |
rds_audit_collection_policy | The collection policy for ApsaraDB RDS for MySQL audit logs. | "" |
rds_ttl | The retention period of ApsaraDB RDS for MySQL audit logs in the central Logstore. Unit: days. | 180 |
rds_slow_enabled | Specifies whether to collect ApsaraDB RDS for MySQL slow query logs. Valid values:
| false |
rds_slow_collection_policy | The collection policy for ApsaraDB RDS for MySQL slow query logs. | "" |
rds_slow_ttl | The retention period of ApsaraDB RDS for MySQL slow query logs in the central Logstore. Unit: days. | 180 |
rds_error_enabled | Specifies whether to collect ApsaraDB RDS for MySQL error logs. Valid values:
| false |
rds_error_collection_policy | The collection policy for ApsaraDB RDS for MySQL error logs. | "" |
rds_error_ttl | The retention period of ApsaraDB RDS for MySQL error logs in the central Logstore. Unit: days. | 180 |
rds_perf_enabled | Specifies whether to collect ApsaraDB RDS for MySQL performance logs. Valid values:
| false |
rds_perf_collection_policy | The collection policy for ApsaraDB RDS for MySQL performance logs. | "" |
rds_perf_ttl | The retention period of ApsaraDB RDS for MySQL performance logs in the central Logstore. Unit: days. | 180 |
vpc_flow_enabled | Specifies whether to collect VPC flow logs. Valid values:
| false |
vpc_flow_ttl | The retention period of VPC flow logs in the regional Logstore. Unit: days. | 7 |
vpc_flow_collection_policy | The collection policy for VPC flow logs. | "" |
vpc_sync_enabled | Specifies whether to synchronize VPC flow logs to the central project. Valid values:
| true |
vpc_sync_ttl | The retention period of VPC flow logs in the central Logstore. Unit: days. | 180 |
dns_intranet_enabled | Specifies whether to collect intranet Alibaba Cloud DNS (DNS) logs. Valid values:
| false |
dns_intranet_ttl | The retention period of intranet DNS logs in the regional Logstore. Unit: days. | 7 |
dns_intranet_collection_policy | The collection policy for intranet DNS logs. | None |
dns_sync_enabled | Specifies whether to synchronize intranet DNS logs to the central project. Valid values:
| true |
dns_sync_ttl | The retention period of intranet DNS logs in the central Logstore. Unit: days. | 180 |
polardb_enabled | Specifies whether to collect PolarDB for MySQL audit logs. Valid values:
| false |
polardb_audit_collection_policy | The collection policy for PolarDB for MySQL audit logs. | "" |
polardb_ttl | The retention period of PolarDB for MySQL audit logs in the central Logstore. Unit: days. | 180 |
polardb_slow_enabled | Specifies whether to collect PolarDB for MySQL slow query logs. Valid values:
| false |
polardb_slow_collection_policy | The collection policy for PolarDB for MySQL slow query logs. | "" |
polardb_slow_ttl | The retention period of PolarDB for MySQL slow query logs in the central Logstore. Unit: days. | 180 |
polardb_error_enabled | Specifies whether to collect PolarDB for MySQL error logs. Valid values:
| false |
polardb_error_collection_policy | The collection policy for PolarDB for MySQL error logs. | "" |
polardb_error_ttl | The retention period of PolarDB for MySQL error logs in the central Logstore. Unit: days. | 180 |
polardb_perf_enabled | Specifies whether to collect PolarDB for MySQL performance logs. Valid values:
| false |
polardb_perf_collection_policy | The collection policy for PolarDB for MySQL performance logs. | "" |
polardb_perf_ttl | The retention period of PolarDB for MySQL performance logs in the central Logstore. Unit: days. | 180 |
drds_audit_enabled | Specifies whether to collect PolarDB-X 1.0 audit logs. Valid values:
| false |
drds_audit_collection_policy | The collection policy for PolarDB-X 1.0 audit logs. | "" |
drds_audit_ttl | The retention period of PolarDB-X 1.0 audit logs in the regional Logstore. Unit: days. | 7 |
drds_sync_enabled | Specifies whether to synchronize PolarDB-X 1.0 audit logs to the central project. Valid values:
| true |
drds_sync_ttl | The retention period of PolarDB-X 1.0 audit logs in the central Logstore. Unit: days. | 180 |
slb_access_enabled | Specifies whether to collect Server Load Balancer (SLB) access logs. Valid values:
| false |
slb_access_collection_policy | The collection policy for SLB access logs. | "" |
slb_access_ttl | The retention period of SLB access logs in the regional Logstore. Unit: days. | 7 |
slb_sync_enabled | Specifies whether to synchronize SLB access logs to the central project. Valid values:
| true |
slb_sync_ttl | The retention period of SLB access logs in the central Logstore. Unit: days. | 180 |
alb_access_enabled | Specifies whether to collect Application Load Balancer (ALB) access logs. Valid values:
| false |
alb_access_collection_policy | The collection policy for ALB access logs. | "" |
alb_access_ttl | The retention period of ALB access logs in the regional Logstore. Unit: days. | 7 |
alb_sync_enabled | Specifies whether to synchronize ALB access logs to the central project. Valid values:
| true |
alb_sync_ttl | The retention period of ALB access logs in the central Logstore. Unit: days. | 180 |
bastion_enabled | Specifies whether to collect Bastionhost operation logs. Valid values:
| false |
bastion_ttl | The retention period of Bastionhost operation logs in the central Logstore. Unit: days. | 180 |
waf_enabled | Specifies whether to collect Web Application Firewall (WAF) access logs. Valid values:
| false |
waf_ttl | The retention period of WAF access logs in the central Logstore. Unit: days. | 180 |
cloudfirewall_enabled | Specifies whether to collect Internet firewall traffic logs from Cloud Firewall. Valid values:
| false |
cloudfirewall_ttl | The retention period of Cloud Firewall Internet firewall traffic logs in the central Logstore. Unit: days. | 180 |
cloudfirewall_vpc_enabled | Specifies whether to collect VPC firewall traffic logs from Cloud Firewall. Valid values:
| false |
cloudfirewall_vpc_ttl | The retention period of Cloud Firewall VPC firewall traffic logs in the central Logstore. Unit: days. | 180 |
ddos_coo_access_enabled | Specifies whether to collect Anti-DDoS Pro access logs. Valid values:
| false |
ddos_coo_access_ttl | The retention period of Anti-DDoS Pro access logs in the central Logstore. Unit: days. | 180 |
ddos_bgp_access_enabled | Specifies whether to collect Anti-DDoS Origin access logs. Valid values:
| false |
ddos_bgp_access_ttl | The retention period of Anti-DDoS Origin access logs in the central Logstore. Unit: days. | 180 |
ddos_dip_access_enabled | Specifies whether to collect Anti-DDoS Premium access logs. Valid values:
| false |
ddos_dip_access_ttl | The retention period of Anti-DDoS Premium access logs in the central Logstore. Unit: days. | 180 |
sas_ttl | The retention period of Security Center (SAS) logs in the central Logstore. Unit: days. | 180 |
sas_process_enabled | Specifies whether to collect SAS process startup logs. Valid values:
| false |
sas_network_enabled | Specifies whether to collect SAS network connection logs. Valid values:
| false |
sas_login_enabled | Specifies whether to collect SAS logon logs. Valid values:
| false |
sas_crack_enabled | Specifies whether to collect SAS brute-force attack logs. Valid values:
| false |
sas_snapshot_process_enabled | Specifies whether to collect SAS process snapshot logs. Valid values:
| false |
sas_snapshot_account_enabled | Specifies whether to collect SAS account snapshot logs. Valid values:
| false |
sas_snapshot_port_enabled | Specifies whether to collect SAS port snapshot logs. Valid values:
| false |
sas_dns_enabled | Specifies whether to collect SAS DNS logs. Valid values:
| false |
sas_local_dns_enabled | Specifies whether to collect SAS local DNS logs. Valid values:
| false |
sas_session_enabled | Specifies whether to collect SAS network session logs. Valid values:
| false |
sas_http_enabled | Specifies whether to collect SAS web access logs. Valid values:
| false |
sas_security_vul_enabled | Specifies whether to collect SAS vulnerability logs. Valid values:
| false |
sas_security_hc_enabled | Specifies whether to collect SAS baseline logs. Valid values:
| false |
sas_security_alert_enabled | Specifies whether to collect SAS security alert logs. Valid values:
| false |
sas_dns_query_enabled | Specifies whether to collect SAS DNS request logs. Valid values:
| false |
apigateway_enabled | Specifies whether to collect API Gateway access logs. Valid values:
| false |
apigateway_ttl | The retention period of API Gateway access logs in the central Logstore. Unit: days. | 180 |
nas_enabled | Specifies whether to collect Apsara File Storage NAS (NAS) access logs. Valid values:
| false |
nas_ttl | The retention period of NAS access logs in the central Logstore. Unit: days. | 180 |
appconnect_enabled | Specifies whether to collect Cloud Service Bus (CSB) App Connect logs. Valid values:
| false |
appconnect_ttl | The retention period of CSB App Connect logs in the central Logstore. Unit: days. | 180 |
cps_enabled | Specifies whether to collect Alibaba Cloud Mobile Push logs. Valid values:
| false |
cps_ttl | The retention period of Alibaba Cloud Mobile Push logs in the central Logstore. Unit: days. | 180 |
k8s_audit_enabled | Specifies whether to collect Kubernetes audit logs. Valid values:
| false |
k8s_audit_collection_policy | The collection policy for Kubernetes audit logs. | "" |
k8s_audit_ttl | The retention period of Kubernetes audit logs in the central Logstore. Unit: days. | 180 |
k8s_event_enabled | Specifies whether to collect Kubernetes event logs. Valid values:
| false |
k8s_event_collection_policy | The collection policy for Kubernetes event logs. | "" |
k8s_event_ttl | The retention period of Kubernetes event logs in the central Logstore. Unit: days. | 180 |
k8s_ingress_enabled | Specifies whether to collect Kubernetes Ingress access logs. Valid values:
| false |
k8s_ingress_collection_policy | The collection policy for Kubernetes Ingress access logs. | "" |
k8s_ingress_ttl | The retention period of Kubernetes Ingress access logs in the central Logstore. Unit: days. | 180 |