Syntax
A google_logging_project_sink
is used to test a Google ProjectSink resource
Examples
describe google_logging_project_sink(project: 'chef-gcp-inspec', name: 'inspec-gcp-org-sink') do
it { should exist }
its('filter') { should cmp 'resource.type = gce_instance AND severity = DEBUG' }
end
describe google_logging_project_sink(project: 'chef-gcp-inspec', name: 'nonexistent') do
it { should_not exist }
end
Test that a GCP project logging sink destination is correct
describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
its('destination') { should eq 'storage.googleapis.com/gcp-inspec-logging-bucket' }
end
Test that a GCP project logging sink filter is correct
describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
its('filter') { should eq "resource.type = gce_instance AND resource.labels.instance_id = \"12345678910123123\"" }
end
Test a GCP project logging sink output version format
describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
its('output_version_format') { should eq "V2" }
end
Test a GCP project logging sink writer identity is as expected
describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
its('writer_identity') { should eq "serviceAccount:my-logging-service-account.iam.gserviceaccount.com" }
end
Properties
Properties that can be accessed from the google_logging_project_sink
resource:
project
: Id of the project that this sink belongs to.name
: Name of the log sink.filter
: An advanced logs filter. The only exported log entries are those that are in the resource owning the sink and that match the filter.destination
: The export destination.writer_identity
: An IAM identity—a service account or group—under which Logging writes the exported log entries to the sink’s destination. This field is set by sinks.create and sinks.update based on the value of uniqueWriterIdentity in those methods.include_children
: If the field is false, the default, only the logs owned by the sink’s parent resource are available for export. If the field is true, then logs from all the projects, folders, and billing accounts contained in the sink’s parent resource are also available for export. Whether a particular log entry from the children is exported depends on the sink’s filter expression.
GCP Permissions
Ensure the Stackdriver Logging API is enabled for the current project.