hashicorp · modular-magician · Apr 22, 2024 · Apr 22, 2024
diff --git a/google/services/logging/resource_logging_folder_sink.go b/google/services/logging/resource_logging_folder_sink.go
@@ -36,10 +36,15 @@ func ResourceLoggingFolderSink() *schema.Resource {
 	schm.Schema["include_children"] = &schema.Schema{
 		Type:        schema.TypeBool,
 		Optional:    true,
-		ForceNew:    true,
 		Default:     false,
 		Description: `Whether or not to include children folders in the sink export. If true, logs associated with child projects are also exported; otherwise only logs relating to the provided folder are included.`,
 	}
+	schm.Schema["intercept_children"] = &schema.Schema{
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Default:     false,
+		Description: `Whether or not to intercept logs from child projects. If true, matching logs will not match with sinks in child resources, except _Required sinks. This sink will be visible to child resources when listing sinks.`,
+	}
 
 	return schm
 }
@@ -54,6 +59,7 @@ func resourceLoggingFolderSinkCreate(d *schema.ResourceData, meta interface{}) e
 	folder := resourcemanager.ParseFolderId(d.Get("folder"))
 	id, sink := expandResourceLoggingSink(d, "folders", folder)
 	sink.IncludeChildren = d.Get("include_children").(bool)
+	sink.InterceptChildren = d.Get("intercept_children").(bool)
 
 	// The API will reject any requests that don't explicitly set 'uniqueWriterIdentity' to true.
 	_, err = config.NewLoggingClient(userAgent).Folders.Sinks.Create(id.parent(), sink).UniqueWriterIdentity(true).Do()
@@ -85,6 +91,10 @@ func resourceLoggingFolderSinkRead(d *schema.ResourceData, meta interface{}) err
 		return fmt.Errorf("Error setting include_children: %s", err)
 	}
 
+	if err := d.Set("intercept_children", sink.InterceptChildren); err != nil {
+		return fmt.Errorf("Error setting intercept_children: %s", err)
+	}
+
 	return nil
 }
 
@@ -96,10 +106,6 @@ func resourceLoggingFolderSinkUpdate(d *schema.ResourceData, meta interface{}) e
 	}
 
 	sink, updateMask := expandResourceLoggingSinkForUpdate(d)
-	// It seems the API might actually accept an update for include_children; this is not in the list of updatable
-	// properties though and might break in the future. Always include the value to prevent it changing.
-	sink.IncludeChildren = d.Get("include_children").(bool)
-	sink.ForceSendFields = append(sink.ForceSendFields, "IncludeChildren")
 
 	// The API will reject any requests that don't explicitly set 'uniqueWriterIdentity' to true.
 	_, err = config.NewLoggingClient(userAgent).Folders.Sinks.Patch(d.Id(), sink).

diff --git a/google/services/logging/resource_logging_folder_sink_test.go b/google/services/logging/resource_logging_folder_sink_test.go
@@ -337,10 +337,53 @@ func testAccCheckLoggingFolderSink(sink *logging.LogSink, n string) resource.Tes
 			return fmt.Errorf("mismatch on include_children: api has %v but client has %v", sink.IncludeChildren, includeChildren)
 		}
 
+		interceptChildren := false
+		if attributes["intercept_children"] != "" {
+			includeChildren, err = strconv.ParseBool(attributes["intercept_children"])
+			if err != nil {
+				return err
+			}
+		}
+		if sink.InterceptChildren != interceptChildren {
+			return fmt.Errorf("mismatch on intercept_children: api has %v but client has %v", sink.InterceptChildren, interceptChildren)
+		}
+
 		return nil
 	}
 }
 
+func TestAccLoggingFolderSink_updateInterceptChildren(t *testing.T) {
+	t.Parallel()
+
+	sinkName := "tf-test-sink-" + acctest.RandString(t, 10)
+	folderName := "intercepting-sink-folder"
+	folderParent := "organizations/" + envvar.GetTestOrgFromEnv(t)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckLoggingFolderSinkDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoggingFolderSink_intercept_updated(sinkName, true, folderName, folderParent),
+			},
+			{
+				ResourceName:      "google_logging_folder_sink.intercept_update",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccLoggingFolderSink_intercept_updated(sinkName, false, folderName, folderParent),
+			},
+			{
+				ResourceName:      "google_logging_folder_sink.intercept_update",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccLoggingFolderSink_basic(sinkName, bucketName, folderName, folderParent string) string {
 	return fmt.Sprintf(`
 resource "google_logging_folder_sink" "basic" {
@@ -527,3 +570,21 @@ resource "google_folder" "my-folder" {
   parent       = "%s"
 }`, sinkName, envvar.GetTestProjectFromEnv(), envvar.GetTestProjectFromEnv(), bqDatasetID, folderName, folderParent)
 }
+
+func testAccLoggingFolderSink_intercept_updated(sinkName string, intercept_children bool, folderName string, folderParent string) string {
+	return fmt.Sprintf(`
+resource "google_logging_folder_sink" "intercept_update" {
+  name             = "%s"
+  folder           = "${google_folder.intercept_folder.folder_id}"
+  destination      = "logging.googleapis.com/projects/%s"
+  filter           = "logName=\"projects/%s/logs/compute.googleapis.com%%2Factivity_log\" AND severity>=ERROR"
+  include_children = true
+  intercept_children = %t
+}
+
+resource "google_folder" "intercept_folder" {
+  display_name = "%s"
+  parent       = "%s"
+}
+`, sinkName, envvar.GetTestProjectFromEnv(), envvar.GetTestProjectFromEnv(), intercept_children, folderName, folderParent)
+}
diff --git a/google/services/logging/resource_logging_organization_sink.go b/google/services/logging/resource_logging_organization_sink.go
@@ -34,10 +34,15 @@ func ResourceLoggingOrganizationSink() *schema.Resource {
 	schm.Schema["include_children"] = &schema.Schema{
 		Type:        schema.TypeBool,
 		Optional:    true,
-		ForceNew:    true,
 		Default:     false,
 		Description: `Whether or not to include children organizations in the sink export. If true, logs associated with child projects are also exported; otherwise only logs relating to the provided organization are included.`,
 	}
+	schm.Schema["intercept_children"] = &schema.Schema{
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Default:     false,
+		Description: `Whether or not to intercept logs from child projects. If true, matching logs will not match with sinks in child resources, except _Required sinks. This sink will be visible to child resources when listing sinks.`,
+	}
 
 	return schm
 }
@@ -52,6 +57,7 @@ func resourceLoggingOrganizationSinkCreate(d *schema.ResourceData, meta interfac
 	org := d.Get("org_id").(string)
 	id, sink := expandResourceLoggingSink(d, "organizations", org)
 	sink.IncludeChildren = d.Get("include_children").(bool)
+	sink.InterceptChildren = d.Get("intercept_children").(bool)
 
 	// Must use a unique writer, since all destinations are in projects.
 	// The API will reject any requests that don't explicitly set 'uniqueWriterIdentity' to true.
@@ -84,6 +90,10 @@ func resourceLoggingOrganizationSinkRead(d *schema.ResourceData, meta interface{
 		return fmt.Errorf("Error setting include_children: %s", err)
 	}
 
+	if err := d.Set("intercept_children", sink.InterceptChildren); err != nil {
+		return fmt.Errorf("Error setting intercept_children: %s", err)
+	}
+
 	return nil
 }
 
@@ -95,10 +105,6 @@ func resourceLoggingOrganizationSinkUpdate(d *schema.ResourceData, meta interfac
 	}
 
 	sink, updateMask := expandResourceLoggingSinkForUpdate(d)
-	// It seems the API might actually accept an update for include_children; this is not in the list of updatable
-	// properties though and might break in the future. Always include the value to prevent it changing.
-	sink.IncludeChildren = d.Get("include_children").(bool)
-	sink.ForceSendFields = append(sink.ForceSendFields, "IncludeChildren")
 
 	// The API will reject any requests that don't explicitly set 'uniqueWriterIdentity' to true.
 	_, err = config.NewLoggingClient(userAgent).Organizations.Sinks.Patch(d.Id(), sink).

diff --git a/google/services/logging/resource_logging_organization_sink_test.go b/google/services/logging/resource_logging_organization_sink_test.go
@@ -266,10 +266,52 @@ func testAccCheckLoggingOrganizationSink(sink *logging.LogSink, n string) resour
 			return fmt.Errorf("mismatch on include_children: api has %v but client has %v", sink.IncludeChildren, includeChildren)
 		}
 
+		interceptChildren := false
+		if attributes["intercept_children"] != "" {
+			includeChildren, err = strconv.ParseBool(attributes["intercept_children"])
+			if err != nil {
+				return err
+			}
+		}
+		if sink.InterceptChildren != interceptChildren {
+			return fmt.Errorf("mismatch on intercept_children: api has %v but client has %v", sink.InterceptChildren, interceptChildren)
+		}
+
 		return nil
 	}
 }
 
+func TestAccLoggingOrganizationSink_updateInterceptChildren(t *testing.T) {
+	t.Parallel()
+
+	orgId := envvar.GetTestOrgFromEnv(t)
+	sinkName := "tf-test-sink-" + acctest.RandString(t, 10)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckLoggingOrganizationSinkDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccLoggingOrganizationSink_intercept_updated(sinkName, orgId, true),
+			},
+			{
+				ResourceName:      "google_logging_organization_sink.intercept_update",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccLoggingOrganizationSink_intercept_updated(sinkName, orgId, false),
+			},
+			{
+				ResourceName:      "google_logging_organization_sink.intercept_update",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccLoggingOrganizationSink_basic(sinkName, bucketName, orgId string) string {
 	return fmt.Sprintf(`
 resource "google_logging_organization_sink" "basic" {
@@ -398,3 +440,15 @@ resource "google_bigquery_dataset" "logging_sink" {
   description = "Log sink (generated during acc test of terraform-provider-google(-beta))."
 }`, sinkName, orgId, envvar.GetTestProjectFromEnv(), envvar.GetTestProjectFromEnv(), bqDatasetID)
 }
+
+func testAccLoggingOrganizationSink_intercept_updated(sinkName, orgId string, intercept_children bool) string {
+	return fmt.Sprintf(`
+resource "google_logging_organization_sink" "intercept_update" {
+  name             = "%s"
+  org_id           = "%s"
+  destination      = "logging.googleapis.com/projects/%s"
+  filter           = "logName=\"projects/%s/logs/compute.googleapis.com%%2Factivity_log\" AND severity>=ERROR"
+  include_children = true
+  intercept_children = %t
+}`, sinkName, orgId, envvar.GetTestProjectFromEnv(), envvar.GetTestProjectFromEnv(), intercept_children)
+}
diff --git a/google/services/logging/resource_logging_sink.go b/google/services/logging/resource_logging_sink.go
@@ -178,6 +178,12 @@ func expandResourceLoggingSinkForUpdate(d *schema.ResourceData) (sink *logging.L
 		sink.BigqueryOptions = expandLoggingSinkBigqueryOptions(d.Get("bigquery_options"))
 		updateFields = append(updateFields, "bigqueryOptions")
 	}
+	if d.HasChange("include_children") {
+		updateFields = append(updateFields, "includeChildren")
+	}
+	if d.HasChange("intercept_children") {
+		updateFields = append(updateFields, "interceptChildren")
+	}
 	updateMask = strings.Join(updateFields, ",")
 	return
 }