
Simple Log Service: Use Terraform to configure Log Audit Service

Last Updated: Oct 31, 2024

This topic describes how to use Terraform and its CLI to configure Log Audit Service.

Prerequisites

Terraform is installed and configured. For more information, see Use Terraform in Cloud Shell and Install and configure Terraform on a local PC.

Background information

Terraform is an open source tool that you can use to preview, configure, and manage cloud infrastructure and resources in a secure and efficient manner. Terraform provides an easy-to-use CLI that deploys configuration files on Alibaba Cloud or third-party clouds and lets you keep those configuration files under version control.

Alibaba Cloud supports more than 163 resources and 113 data sources across multiple Alibaba Cloud services in the following categories: computing, storage, networking, Alibaba Cloud CDN (CDN), Container Service for Kubernetes (ACK), middleware, and database. This lets customers provision and manage their cloud infrastructure automatically. For more information, see terraform-provider-alicloud.

Benefits of Terraform

  • Multi-cloud infrastructure deployment

    Terraform is suitable for multi-cloud scenarios in which multiple similar infrastructures are deployed across Alibaba Cloud, third-party cloud service providers, and data centers. You can use the same tools and similar configuration files to manage infrastructures across different cloud service providers.

  • Automated infrastructure management

    You can create configuration file templates to define, provision, and configure Elastic Compute Service (ECS) resources in a repeated and predictable manner. This reduces human errors during deployment and management operations. You can use the same template multiple times to create identical development, test, and production environments.

  • Infrastructure as code (IaC)

    Terraform supports the code-based management and maintenance of resources. Terraform stores a copy of the current configurations of your infrastructure. This way, you can track changes made to the components in the IaC system and share infrastructure configurations with other users.

  • Reduced development costs

    You can create development and deployment environments based on your business requirements. This helps you reduce development and deployment costs. You can evaluate development costs before you make changes to your system.

Step 1: Specify the identity information and the region of the central project for Log Audit Service

Use environment variables to specify the identity information and the region of the central project for Log Audit Service. Export the variables in the shell session from which you run Terraform; do not write the AccessKey pair into terraform.tf or commit it to version control. Use the AccessKey pair of a RAM user that is granted only the permissions that Log Audit Service requires, not the AccessKey pair of the Alibaba Cloud account itself.

export ALICLOUD_ACCESS_KEY="AccessKey ID"
export ALICLOUD_SECRET_KEY="AccessKey Secret"
export ALICLOUD_REGION="cn-huhehaote"

Parameter | Description
ALICLOUD_ACCESS_KEY | The AccessKey ID that is used to access Simple Log Service. For more information, see AccessKey pair.
ALICLOUD_SECRET_KEY | The AccessKey secret that is used to access Simple Log Service. For more information, see AccessKey pair.
ALICLOUD_REGION | The region where the central project of Log Audit Service resides. The following regions are supported:

  • Chinese mainland: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)

  • Outside the Chinese mainland: Singapore, Japan (Tokyo), Germany (Frankfurt), Indonesia (Jakarta), and Malaysia (Kuala Lumpur)

Step 2: Complete RAM authorization

If the AliyunServiceRoleForSLSAudit service-linked role does not exist in the central account, create it before you apply the Terraform configuration. For more information, see Initially configure Log Audit Service.

For more information about how to authorize the other member accounts when you use custom authentication mode, and about the policies that are used for that authorization, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.

Step 3: Configure Log Audit Service

  1. Create a Terraform directory named sls and create a file named terraform.tf in the directory.

  2. Open the terraform.tf file and add the following content:

    resource "alicloud_log_audit" "example" {
      display_name = "tf-audit-test"
      aliuid       = "1379186349****"
    }

    The following table describes the parameters.

    Parameter | Description
    example | The name of the resource. You can specify a custom name.
    display_name | The name of the collection configuration. You can specify a custom name. This value is also the ID that terraform import expects (see What to do next).
    aliuid | The ID of the Alibaba Cloud account that owns the central project, which is the account whose AccessKey pair you specified in Step 1.

  3. Run the following command in the sls directory to initialize the directory:

    terraform init

    If the command output contains Terraform has been successfully initialized!, the directory is initialized.

  4. Open the terraform.tf file and configure the parameters that are related to Log Audit Service.

    The following sample code provides configuration examples. For more information about the parameters, see Terraform-Aliyun Log Audit.

    • Single-account collection

      resource "alicloud_log_audit" "example" {
        display_name = "tf-audit-test"
        aliuid       = "1379186349****"
        variable_map = {
          "actiontrail_enabled" = "true",
          "actiontrail_ttl"     = "180"
        }
      }

    • Multi-account collection

      You can configure multi-account collection in custom authentication mode or resource directory mode. In custom authentication mode, the central account is an Alibaba Cloud account. In resource directory mode, the central account must be the management account of your resource directory or a delegated administrator account. For more information, see Collect cloud service logs from multiple accounts.

      • Custom authentication mode

        resource "alicloud_log_audit" "example" {
          display_name = "tf-audit-test"
          aliuid       = "1379186349****"
          variable_map = {
            "actiontrail_enabled" = "true",
            "actiontrail_ttl"     = "180"
          }
          multi_account = ["1257918632****", "1324567349****"]
        }

      • Resource directory mode (Custom mode)

        resource "alicloud_log_audit" "example" {
          display_name = "tf-audit-test"
          aliuid       = "1379186349****"
          variable_map = {
            "actiontrail_enabled" = "true",
            "actiontrail_ttl"     = "180"
          }
          multi_account           = ["1257918632****", "1324567349****"]
          resource_directory_type = "custom"
        }

      • Resource directory mode (All Members mode)

        resource "alicloud_log_audit" "example" {
          display_name = "tf-audit-test"
          aliuid       = "1379186349****"
          variable_map = {
            "actiontrail_enabled" = "true",
            "actiontrail_ttl"     = "180"
          }
          resource_directory_type = "all"
        }

    The following table describes the parameters.

    Parameter | Description
    multi_account | The IDs of the accounts whose logs are collected. Required if you configure multi-account collection in custom authentication mode or in resource directory mode (Custom mode):
      • Custom authentication mode: leave resource_directory_type unset and set multi_account to the IDs of the Alibaba Cloud accounts to collect from. Each of these accounts must be authorized as described in Step 2.
      • Resource directory mode (Custom mode): set resource_directory_type to custom and set multi_account to the IDs of the member accounts in your resource directory.
      Note: The custom authentication mode requires complex configurations. We recommend that you configure multi-account collection in resource directory mode.
    resource_directory_type | Required if you configure multi-account collection in resource directory mode. Valid values: all (All Members mode: every member of the resource directory is collected) and custom (Custom mode: only the members listed in multi_account are collected). Do not set this parameter in custom authentication mode.
    variable_map | Specifies the objects to collect, whether to collect specific data, and the retention period of the objects. For more information about the keys in variable_map, see Appendix: Parameters in the variable_map parameter.

  5. Apply the configurations in the terraform.tf file.

    1. Run the following command:

      terraform apply
    2. Enter yes.

      If the command output contains Apply complete!, the configurations take effect, and Log Audit Service collects and stores logs based on the configurations.


What to do next

You can use Terraform to perform the following operations:

  • Import existing collection configurations.

    terraform import alicloud_log_audit.example tf-audit-test

    You must replace example and tf-audit-test with actual values.


    After the command is run, you can view the content of the terraform.tfstate file in the Terraform directory. The terraform.tfstate file contains the imported collection configurations, including the IDs of all collected accounts and the collection policies. Protect it like any other Terraform state file and do not commit it to a shared repository.

    Important
    • If you want to migrate the imported collection configurations to the terraform.tf file, you must manually copy the configurations and adjust the format of the configurations to meet the format requirements of the terraform.tf file.

    • If the Terraform directory already contains a terraform.tfstate file that records alicloud_log_audit.example, because you have already run terraform apply or terraform import there, the terraform import command fails with the error Resource already managed by Terraform. Before you run terraform import again, remove the resource from the state (terraform state rm alicloud_log_audit.example) or delete the terraform.tfstate file from the directory.

  • View the current collection configurations.

    terraform show


  • View the differences between the terraform.tf file in the Terraform directory and the collection configurations that are in effect.

    terraform plan


Configure Log Audit Service for an internal network

If you want to configure Log Audit Service for an internal network, perform the following steps:

  1. Use the Alibaba Cloud provider V1.214.0 or later.

  2. Specify a valid endpoint in the endpoints configuration block. For example, if you want to configure Log Audit Service for an internal network in the China (Beijing) region, specify cn-beijing-intranet.log.aliyuncs.com. For more information, see Endpoints.

Example

The following code provides an example on how to configure Log Audit Service for an internal network in the China (Beijing) region:

terraform {
  required_providers {
    alicloud = {
      source  = "aliyun/alicloud"
      version = ">= 1.214.0" // Use the Alibaba Cloud provider V1.214.0 or later.
    }
  }
}

provider "alicloud" {
  endpoints {
    log = "cn-beijing-intranet.log.aliyuncs.com" // Replace with the internal endpoint of your region.
  }
}

resource "alicloud_log_audit" "example" {
  display_name = "tf-audit-test"
  aliuid       = "148*******3782"
  variable_map = {
    "actiontrail_enabled" = "true",
    "actiontrail_ttl"     = "30"
  }
}

  3. Upgrade the Alibaba Cloud provider so that the installed version satisfies the constraint.

    terraform init -upgrade

  4. Apply the configuration.

    terraform apply

Examples

If you use Terraform to configure collection policies in Log Audit Service, take note of how special characters are escaped and how multi-line policies are written. For example, to collect flow logs only from virtual private clouds (VPCs) whose tag key env has exactly the value test, you can configure the following collection policy:

accept tag.env == "test"
drop "*"

A collection policy consists of multiple lines and contains special characters such as double quotation marks ("). If you configure a collection policy in the Simple Log Service console, the system escapes special characters for you. If you use Terraform, you must escape the special characters and encode the line breaks yourself. Use one of the following methods:

  • Use a heredoc (<<EOF). For more information, see Configuration Syntax. Backslash escapes are not processed inside a heredoc, so each double quotation mark is escaped once and the line breaks are written as literal lines:

    variable "vpcflow_policy" {
      type    = string
      default = <<EOF
    accept tag.env == \"test\"
    drop \"*\"
    EOF
    }

    resource "alicloud_log_audit" "example" {
      display_name = "tf-audit-test"
      aliuid       = "1234************"
      variable_map = {
        "vpc_flow_enabled"           = "true",
        "vpc_flow_ttl"               = "7",
        "vpc_sync_enabled"           = "true",
        "vpc_sync_ttl"               = "180",
        "vpc_flow_collection_policy" = var.vpcflow_policy
      }
      # Only for multi-account collection in resource directory mode (Custom mode).
      multi_account           = ["1235************", "1236************"]
      resource_directory_type = "custom"
    }

  • Use a quoted string. Escape backslashes (\) and double quotation marks (") and encode line breaks as \n. Because the HCL quoted string itself also needs escaping, each escaped quotation mark becomes \\\" and each line break becomes \\n in the file. For more information, see Built-in Functions.

    resource "alicloud_log_audit" "example" {
      display_name = "tf-audit-test"
      aliuid       = "1234************"
      variable_map = {
        "vpc_flow_enabled"           = "true",
        "vpc_flow_ttl"               = "7",
        "vpc_sync_enabled"           = "true",
        "vpc_sync_ttl"               = "180",
        "vpc_flow_collection_policy" = "accept tag.env == \\\"test\\\"\\ndrop \\\"*\\\""
      }
      # Only for multi-account collection in resource directory mode (Custom mode).
      multi_account           = ["1235************", "1236************"]
      resource_directory_type = "custom"
    }
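The following Python script is an added example and is not Alibaba Cloud's code or the provider's. It renders an alicloud_log_audit block in the single- and multi-account shapes from Step 3, produces both escaped forms of a collection policy shown above, and decodes the quoted form again to prove the round trip. It assumes that the value stored for a *_collection_policy key is the policy escaped once in JSON style (\" \\ \n), which is what the quoted-string example on this page implies; the function names and the mode check are this example's own.

```python
# Added example, not Alibaba Cloud or terraform-provider-alicloud code.
# Assumption: Log Audit Service stores a *_collection_policy value as the
# policy escaped once in JSON style, as the page's quoted example implies.
import json

HCL_SIMPLE_ESCAPES = {"\\": "\\", '"': '"', "n": "\n", "t": "\t", "r": "\r"}


def stored_policy_value(policy: str) -> str:
    """Inner layer: the policy as the service stores it (a JSON string body)."""
    return json.dumps(policy.strip("\n"), ensure_ascii=False)[1:-1]


def hcl_quote(value: str) -> str:
    """Outer layer: wrap a single-line value in an HCL quoted string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def policy_to_hcl_quoted(policy: str) -> str:
    """Quoted-string form: both layers, so '"' -> \\\" and newline -> \\n."""
    return hcl_quote(stored_policy_value(policy))


def policy_to_hcl_heredoc(policy: str, marker: str = "EOF") -> str:
    """Heredoc form: HCL does not process backslash escapes in a heredoc,
    so only the inner layer is applied and line breaks stay literal."""
    body = policy.strip("\n").replace("\\", "\\\\").replace('"', '\\"')
    return f"<<{marker}\n{body}\n{marker}"


def hcl_unquote(literal: str) -> str:
    """Decode an HCL quoted-string literal (the escapes used on this page)."""
    if len(literal) < 2 or literal[0] != '"' or literal[-1] != '"':
        raise ValueError("not an HCL quoted string")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\":
            if i + 1 >= len(body) or body[i + 1] not in HCL_SIMPLE_ESCAPES:
                raise ValueError(f"unsupported escape at offset {i}")
            out.append(HCL_SIMPLE_ESCAPES[body[i + 1]])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def stored_value_to_policy(value: str) -> str:
    """Undo the inner layer so a policy read back from state can be compared."""
    return json.loads('"' + value + '"')


def mode_error(multi_account, resource_directory_type):
    """Return a message if the combination breaks the Step 3 rules, else None."""
    if resource_directory_type not in (None, "custom", "all"):
        return "resource_directory_type must be unset, 'custom' or 'all'"
    if resource_directory_type == "custom" and not multi_account:
        return "resource directory Custom mode requires multi_account"
    return None


def render_log_audit(name, display_name, aliuid, variable_map,
                     multi_account=None, resource_directory_type=None):
    """Render terraform.tf content for one alicloud_log_audit resource."""
    problem = mode_error(multi_account, resource_directory_type)
    if problem:
        raise ValueError(problem)
    lines = [
        f'resource "alicloud_log_audit" "{name}" {{',
        f"  display_name = {hcl_quote(display_name)}",
        f"  aliuid       = {hcl_quote(str(aliuid))}",
        "  variable_map = {",
    ]
    for key, value in variable_map.items():
        if key.endswith("_collection_policy"):
            literal = policy_to_hcl_quoted(value)      # two escaping layers
        else:                                          # every other value is a string
            literal = hcl_quote(str(value).lower() if isinstance(value, bool) else str(value))
        lines.append(f"    {hcl_quote(key)} = {literal}")
    lines.append("  }")
    if multi_account:
        lines.append("  multi_account = [" + ", ".join(hcl_quote(a) for a in multi_account) + "]")
    if resource_directory_type:
        lines.append(f"  resource_directory_type = {hcl_quote(resource_directory_type)}")
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the VPC flow-log policy from this page.
    policy = 'accept tag.env == "test"\ndrop "*"'
    print(render_log_audit(
        "example", "tf-audit-test", "1234************",
        {"vpc_flow_enabled": True, "vpc_flow_ttl": 7,
         "vpc_sync_enabled": True, "vpc_sync_ttl": 180,
         "vpc_flow_collection_policy": policy},
        multi_account=["1235************", "1236************"],
        resource_directory_type="custom",
    ))
```

Run the script to print a terraform.tf body for resource directory Custom mode, paste it into the sls directory, and run terraform plan: the planned value of vpc_flow_collection_policy should read accept tag.env == \"test\"\ndrop \"*\", which is the single-escaped form the service stores. The hcl_unquote and stored_value_to_policy functions let you check a value copied from terraform show against the policy you intended.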

Appendix: Parameters in the variable_map parameter

All values in variable_map are strings, as in the examples above (for example "true" and "180").

Parameter | Description | Default value
actiontrail_enabled | Specifies whether to collect ActionTrail logs. Valid values: true and false. | false
actiontrail_ttl | The retention period of ActionTrail logs in the central Logstore. Unit: days. | 180
cloudconfig_change_enabled | Specifies whether to collect Cloud Config change logs. Valid values: true and false. | false
cloudconfig_change_ttl | The retention period of Cloud Config change logs in the central Logstore. Unit: days. | 180
cloudconfig_noncom_enabled | Specifies whether to collect Cloud Config non-compliance events. Valid values: true and false. | false
cloudconfig_noncom_ttl | The retention period of Cloud Config non-compliance events in the central Logstore. Unit: days. | 180
oss_access_enabled | Specifies whether to collect Object Storage Service (OSS) access logs. Valid values: true and false. | false
oss_access_ttl | The retention period of OSS access logs in the regional Logstore. Unit: days. | 7
oss_sync_enabled | Specifies whether to synchronize OSS access logs to the central project. Valid values: true and false. | true
oss_sync_ttl | The retention period of OSS access logs in the central Logstore. Unit: days. | 180
oss_metering_enabled | Specifies whether to collect OSS metering logs. Valid values: true and false. | false
oss_metering_ttl | The retention period of OSS metering logs in the central Logstore. Unit: days. | 180
rds_enabled | Specifies whether to collect ApsaraDB RDS for MySQL audit logs. Valid values: true and false. | false
rds_audit_collection_policy | The collection policy for ApsaraDB RDS for MySQL audit logs. | ""
rds_ttl | The retention period of ApsaraDB RDS for MySQL audit logs in the central Logstore. Unit: days. | 180
rds_slow_enabled | Specifies whether to collect ApsaraDB RDS for MySQL slow query logs. Valid values: true and false. | false
rds_slow_collection_policy | The collection policy for ApsaraDB RDS for MySQL slow query logs. | ""
rds_slow_ttl | The retention period of ApsaraDB RDS for MySQL slow query logs in the central Logstore. Unit: days. | 180
rds_error_enabled | Specifies whether to collect ApsaraDB RDS for MySQL error logs. Valid values: true and false. | false
rds_error_collection_policy | The collection policy for ApsaraDB RDS for MySQL error logs. | ""
rds_error_ttl | The retention period of ApsaraDB RDS for MySQL error logs in the central Logstore. Unit: days. | 180
rds_perf_enabled | Specifies whether to collect ApsaraDB RDS for MySQL performance logs. Valid values: true and false. | false
rds_perf_collection_policy | The collection policy for ApsaraDB RDS for MySQL performance logs. | ""
rds_perf_ttl | The retention period of ApsaraDB RDS for MySQL performance logs in the central Logstore. Unit: days. | 180
vpc_flow_enabled | Specifies whether to collect VPC flow logs. Valid values: true and false. | false
vpc_flow_ttl | The retention period of VPC flow logs in the regional Logstore. Unit: days. | 7
vpc_flow_collection_policy | The collection policy for VPC flow logs. | ""
vpc_sync_enabled | Specifies whether to synchronize VPC flow logs to the central project. Valid values: true and false. | true
vpc_sync_ttl | The retention period of VPC flow logs in the central Logstore. Unit: days. | 180
dns_gtm_collection_policy | The collection policy for the global traffic manager logs of Alibaba Cloud DNS (DNS). | ""
dns_gtm_ttl | The retention period of the global traffic manager logs of DNS. Unit: days. | 180
dns_gtm_enabled | Specifies whether to collect the global traffic manager logs of DNS. Valid values: true and false. | false
dns_resolve_collection_policy | The collection policy for public DNS resolution logs. | ""
dns_resolve_ttl | The retention period of public DNS resolution logs. Unit: days. | 180
dns_resolve_enabled | Specifies whether to collect public DNS resolution logs. Valid values: true and false. | false
dns_intranet_enabled | Specifies whether to collect intranet private DNS logs. Valid values: true and false. | false
dns_intranet_ttl | The retention period of intranet private DNS logs in the regional Logstore. Unit: days. | 7
dns_intranet_collection_policy | The collection policy for intranet private DNS logs. | None
dns_sync_enabled | Specifies whether to synchronize intranet private DNS logs to the central project. Valid values: true and false. | true
dns_sync_ttl | The retention period of intranet private DNS logs in the central Logstore. Unit: days. | 180
polardb_enabled | Specifies whether to collect PolarDB for MySQL audit logs. Valid values: true and false. | false
polardb_audit_collection_policy | The collection policy for PolarDB for MySQL audit logs. | ""
polardb_ttl | The retention period of PolarDB for MySQL audit logs in the central Logstore. Unit: days. | 180
polardb_slow_enabled | Specifies whether to collect PolarDB for MySQL slow query logs. Valid values: true and false. | false
polardb_slow_collection_policy | The collection policy for PolarDB for MySQL slow query logs. | ""
polardb_slow_ttl | The retention period of PolarDB for MySQL slow query logs in the central Logstore. Unit: days. | 180
polardb_error_enabled | Specifies whether to collect PolarDB for MySQL error logs. Valid values: true and false. | false
polardb_error_collection_policy | The collection policy for PolarDB for MySQL error logs. | ""
polardb_error_ttl | The retention period of PolarDB for MySQL error logs in the central Logstore. Unit: days. | 180
polardb_perf_enabled | Specifies whether to collect PolarDB for MySQL performance logs. Valid values: true and false. | false
polardb_perf_collection_policy | The collection policy for PolarDB for MySQL performance logs. | ""
polardb_perf_ttl | The retention period of PolarDB for MySQL performance logs in the central Logstore. Unit: days. | 180
drds_audit_enabled | Specifies whether to collect PolarDB-X 1.0 audit logs. Valid values: true and false. | false
drds_audit_collection_policy | The collection policy for PolarDB-X 1.0 audit logs. | ""
drds_audit_ttl | The retention period of PolarDB-X 1.0 audit logs in the regional Logstore. Unit: days. | 7
drds_sync_enabled | Specifies whether to synchronize PolarDB-X 1.0 audit logs to the central project. Valid values: true and false. | true
drds_sync_ttl | The retention period of PolarDB-X 1.0 audit logs in the central Logstore. Unit: days. | 180
slb_access_enabled | Specifies whether to collect Server Load Balancer (SLB) access logs. Valid values: true and false. | false
slb_access_collection_policy | The collection policy for SLB access logs. | ""
slb_access_ttl | The retention period of SLB access logs in the regional Logstore. Unit: days. | 7
slb_sync_enabled | Specifies whether to synchronize SLB access logs to the central project. Valid values: true and false. | true
slb_sync_ttl | The retention period of SLB access logs in the central Logstore. Unit: days. | 180
alb_access_enabled | Specifies whether to collect Application Load Balancer (ALB) access logs. Valid values: true and false. | false
alb_access_collection_policy | The collection policy for ALB access logs. | ""
alb_access_ttl | The retention period of ALB access logs in the regional Logstore. Unit: days. | 7
alb_sync_enabled | Specifies whether to synchronize ALB access logs to the central project. Valid values: true and false. | true
alb_sync_ttl | The retention period of ALB access logs in the central Logstore. Unit: days. | 180
bastion_enabled | Specifies whether to collect Bastionhost operation logs. Valid values: true and false. | false
bastion_ttl | The retention period of Bastionhost operation logs in the central Logstore. Unit: days. | 180
waf_enabled | Specifies whether to collect Web Application Firewall (WAF) access logs. Valid values: true and false. | false
waf_ttl | The retention period of WAF access logs in the central Logstore. Unit: days. | 180
cloudfirewall_enabled | Specifies whether to collect Internet firewall traffic logs from Cloud Firewall. Valid values: true and false. | false
cloudfirewall_ttl | The retention period of Cloud Firewall Internet firewall traffic logs in the central Logstore. Unit: days. | 180
cloudfirewall_vpc_enabled | Specifies whether to collect VPC firewall traffic logs from Cloud Firewall. Valid values: true and false. | false
cloudfirewall_vpc_ttl | The retention period of Cloud Firewall VPC firewall traffic logs in the central Logstore. Unit: days. | 180
ddos_coo_access_enabled | Specifies whether to collect Anti-DDoS Proxy (Chinese Mainland) access logs. Valid values: true and false. | false
ddos_coo_access_ttl | The retention period of Anti-DDoS Proxy (Chinese Mainland) access logs in the central Logstore. Unit: days. | 180
ddos_bgp_access_enabled | Specifies whether to collect Anti-DDoS Origin access logs. Valid values: true and false. | false
ddos_bgp_access_ttl | The retention period of Anti-DDoS Origin access logs in the central Logstore. Unit: days. | 180
ddos_dip_access_enabled | Specifies whether to collect Anti-DDoS Proxy (Outside Chinese Mainland) access logs. Valid values: true and false. | false
ddos_dip_access_ttl | The retention period of Anti-DDoS Proxy (Outside Chinese Mainland) access logs in the central Logstore. Unit: days. | 180
sas_file_detect_enabled | Specifies whether to collect the file detection logs of Security Center. Valid values: true and false. | false
sas_client_enabled | Specifies whether to collect the client event logs of Security Center. Valid values: true and false. | false
sas_net_block_enabled | Specifies whether to collect the network protection logs of Security Center. Valid values: true and false. | false
sas_rasp_enabled | Specifies whether to collect the application protection logs of Security Center. Valid values: true and false. | false
sas_cspm_enabled | Specifies whether to collect the configuration assessment logs of Security Center. Valid values: true and false. | false
sas_ttl | The retention period of Security Center logs in the central Logstore. Unit: days. | 180
sas_process_enabled | Specifies whether to collect the process startup logs of Security Center. Valid values: true and false. | false
sas_network_enabled | Specifies whether to collect the network connection logs of Security Center. Valid values: true and false. | false
sas_login_enabled | Specifies whether to collect the logon logs of Security Center. Valid values: true and false. | false
sas_crack_enabled | Specifies whether to collect the brute-force attack logs of Security Center. Valid values: true and false. | false
sas_snapshot_process_enabled | Specifies whether to collect the process snapshot logs of Security Center. Valid values: true and false. | false
sas_snapshot_account_enabled | Specifies whether to collect the account snapshot logs of Security Center. Valid values: true and false. | false
sas_snapshot_port_enabled | Specifies whether to collect the port snapshot logs of Security Center. Valid values: true and false. | false
sas_dns_enabled | Specifies whether to collect the DNS logs of Security Center. Valid values: true and false. | false
sas_local_dns_enabled | Specifies whether to collect the local DNS logs of Security Center. Valid values: true and false. | false
sas_session_enabled | Specifies whether to collect the network session logs of Security Center. Valid values: true and false. | false
sas_http_enabled | Specifies whether to collect the web access logs of Security Center. Valid values: true and false. | false
sas_security_vul_enabled | Specifies whether to collect the vulnerability logs of Security Center. Valid values: true and false. | false
sas_security_hc_enabled | Specifies whether to collect the baseline logs of Security Center. Valid values: true and false. | false
sas_security_alert_enabled | Specifies whether to collect the security alert logs of Security Center. Valid values: true and false. | false
sas_dns_query_enabled | Specifies whether to collect the DNS request logs of Security Center. Valid values: true and false. | false
apigateway_enabled | Specifies whether to collect API Gateway access logs. Valid values: true and false. | false
apigateway_ttl | The retention period of API Gateway access logs in the central Logstore. Unit: days. | 180
nas_enabled | Specifies whether to collect File Storage NAS access logs. Valid values: true and false. | false
nas_ttl | The retention period of NAS access logs in the central Logstore. Unit: days. | 180
appconnect_enabled | Specifies whether to collect Cloud Service Bus (CSB) App Connect logs. Valid values: true and false. | false
appconnect_ttl | The retention period of CSB App Connect logs in the central Logstore. Unit: days. | 180
cps_enabled | Specifies whether to collect Alibaba Cloud Mobile Push logs. Valid values: true and false. | false
cps_ttl | The retention period of Alibaba Cloud Mobile Push logs in the central Logstore. Unit: days. | 180
k8s_audit_enabled | Specifies whether to collect Kubernetes audit logs. Valid values: true and false. | false
k8s_audit_collection_policy | The collection policy for Kubernetes audit logs. | ""
k8s_audit_ttl | The retention period of Kubernetes audit logs in the central Logstore. Unit: days. | 180
k8s_event_enabled | Specifies whether to collect Kubernetes event logs. Valid values: true and false. | false
k8s_event_collection_policy | The collection policy for Kubernetes event logs. | ""
k8s_event_ttl | The retention period of Kubernetes event logs in the central Logstore. Unit: days. | 180
k8s_ingress_enabled | Specifies whether to collect Kubernetes Ingress access logs. Valid values: true and false. | false
k8s_ingress_collection_policy | The collection policy for Kubernetes Ingress access logs. | ""
k8s_ingress_ttl | The retention period of Kubernetes Ingress access logs in the central Logstore. Unit: days. | 180