google_project_iam_audit_config doesn't allow multiple log_type settings to be configured

[dijitali]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

$ terraform -v  
# Terraform v0.12.19
# + provider.google v3.4.0

Affected Resource(s)

• google_project_iam_audit_config

Terraform Configuration Files

provider "google" {
  version = "~> 3.4.0"
  region  = "my-project-id"
}

resource "google_project_iam_audit_config" "iap-audit-logging" {
  service = "iap.googleapis.com"
  audit_log_config {
    log_type = ["ADMIN_READ","DATA_READ","DATA_WRITE"]
  }
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

I'd expect log_type to accept an array of values rather than a single string, so that more than one of DATA_READ,DATA_WRITE and ADMIN_READ can be specified.

Actual Behavior

$ terraform validate
# Error: Incorrect attribute value type
# 
#   on main.tf line 9, in resource "google_project_iam_audit_config" "iap-audit-logging":
#    9:     log_type = ["ADMIN_READ", "DATA_READ", "DATA_WRITE"]
# 
# Inappropriate value for attribute "log_type": string required.

Steps to Reproduce

1. terraform validate

Important Factoids

This is the recommended setting for IAP Audit Logging per Security & Identity Products > Identity-Aware Proxy > Documentation > Guides > Enabling Cloud Audit Logs using Cloud SDK

2. Edit the policy.yaml file you downloaded by adding an auditConfigs section as follows. Make sure you don't change any etag values.

   auditConfigs:
   - auditLogConfigs:
     - logType: ADMIN_READ
     - logType: DATA_READ
     - logType: DATA_WRITE
     service: iap.googleapis.com

The are also multiple logType elements in the example given in the API documentation, Security & Identity Products > Cloud IAM > Documentation > Reference > AuditConfig

I have also tried adding 3 separate google_project_iam_audit_config resources for each log_type setting in the hope they would merge but they then overwrite each other:

provider "google" {
  version = "~> 3.4.0"
  project = "my-project-id"
}

resource "google_project_iam_audit_config" "iap-audit-logging-admin-read" {
  service = "iap.googleapis.com"
  audit_log_config {
    log_type = "ADMIN_READ"
  }
}

resource "google_project_iam_audit_config" "iap-audit-logging-data-read" {
  service = "iap.googleapis.com"
  audit_log_config {
    log_type = "DATA_READ"
  }
}

resource "google_project_iam_audit_config" "iap-audit-logging-data-write" {
  service = "iap.googleapis.com"
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

Terraform will perform the following actions:

  # google_project_iam_audit_config.iap-audit-logging-admin-read will be updated in-place
  ~ resource "google_project_iam_audit_config" "iap-audit-logging-admin-read" {
        etag    = "BwWcpVl1p8E="
        id      = "my-project-id/audit_config/iap.googleapis.com"
        project = "my-project-id"
        service = "iap.googleapis.com"

      + audit_log_config {
          + exempted_members = []
          + log_type         = "ADMIN_READ"
        }
      - audit_log_config {
          - exempted_members = [] -> null
          - log_type         = "DATA_READ" -> null
        }
    }

  # google_project_iam_audit_config.iap-audit-logging-data-write will be updated in-place
  ~ resource "google_project_iam_audit_config" "iap-audit-logging-data-write" {
        etag    = "BwWcpVl1p8E="
        id      = "my-project-id/audit_config/iap.googleapis.com"
        project = "my-project-id"
        service = "iap.googleapis.com"

      - audit_log_config {
          - exempted_members = [] -> null
          - log_type         = "DATA_READ" -> null
        }
      + audit_log_config {
          + exempted_members = []
          + log_type         = "DATA_WRITE"
        }
    }

Plan: 0 to add, 2 to change, 0 to destroy.

References

N/A

[edwardmedia]

@dijitali you might want to try

resource "google_project_iam_audit_config" "iap-audit-logging" {
  service = "iap.googleapis.com"
  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
}

Let me know if you still have questions.

[edwardmedia]

@dijitali I am closing this issue. If you still encounter problems or want to further discussion, you may reopen the issue. Thanks

[dijitali]

@edwardmedia - many thanks for taking the time to help and it's even documented like that:

audit_log_config - (Required) The configuration for logging of each type of permission. This can be specified multiple times.

Had a brain fart. Apologies for not RTFM here!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!