docs: low quality example for IBM Cloud Monitoring #5897

Open
sean-freeman opened this issue Dec 29, 2024 · 0 comments
Labels: documentation, service/IAM, service/Resource Management

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Working example below, including missing IAM Policy for S2S.

variable "ibmcloud_region_name" {}

variable "ibmcloud_resource_group_name" {}

variable "resource_prefix" {}


data "ibm_resource_group" "target" {
  name = var.ibmcloud_resource_group_name
}


# IBM Cloud Monitoring service instance
resource "ibm_resource_instance" "monitoring_service_instance" {
  name       = "${var.resource_prefix}-cloud-monitor"
  resource_group_id = data.ibm_resource_group.target.id
  service    = "sysdig-monitor"
  plan       = "graduated-tier"
  location   = var.ibmcloud_region_name
  parameters = {
    default_receiver = true
    # workload_protection_connected_instance = "crn_value"
    external_api_auth = "ANY" # ANY, IAM_ONLY, API_AUTH
  }
}

# Required on first provision to set the metadata location, otherwise cannot proceed
# https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/metrics_router_settings
resource "ibm_metrics_router_settings" "metrics_router_settings_instance" {
  primary_metadata_region   = var.ibmcloud_region_name
  # backup_metadata_region    = "us-east"
  permitted_target_regions  = ["us-south", "eu-de", "eu-gb", "eu-es", "jp-osa", "br-sao", "au-syd", "jp-tok", "ca-tor", "us-east"]
  private_api_endpoint_only = false # Changing this to true may update the IBM Cloud Metrics Routing settings for the account
  # default_targets { id = id_value } # Requires ibm_metrics_router_target, which conflicts with need to first define the metadata location
  lifecycle {
    ignore_changes = [
      backup_metadata_region
    ]
  }
}

# Service authorization is required to allow IBM Cloud Metrics Routing to communicate with IBM Cloud Monitoring
# IAM service authorization policy scoped to all resources in this account
resource "ibm_iam_authorization_policy" "s2s_metrics_to_monitoring" {
  source_service_name  = "metrics-router"
  target_service_name  = "sysdig-monitor"
  roles                = ["Supertenant Metrics Publisher"]
}

# https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/metrics_router_target
resource "ibm_metrics_router_target" "metrics_router_target_instance" {
  name            = "${var.resource_prefix}-cloud-monitor-target"
  region          = "us-south"
  destination_crn = ibm_resource_instance.monitoring_service_instance.crn
}

# https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/metrics_router_route
resource "ibm_metrics_router_route" "metrics_router_route_default" {
  name     = "${var.resource_prefix}-cloud-monitor-route-default"
  rules {
    action = "send"
    targets {
      id = ibm_metrics_router_target.metrics_router_target_instance.id
    }
    inclusion_filters {
      operand = "location" # location, service_name, service_instance, resource_type, resource
      operator = "in" # is, in
      values = ["global", "us-south", "eu-de", "eu-gb", "eu-es", "jp-osa", "br-sao", "au-syd", "jp-tok", "ca-tor", "us-east"]
    }
  }
}
github-actions bot added the service/IAM and service/Resource Management labels on Dec 29, 2024
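
The service-to-service policy in the configuration above is, per its own comment, scoped to all resources in the account. As an added example (not from the issue author or the provider documentation), the same grant narrowed to the single Monitoring instance, with explicit ordering for the target. It assumes Metrics Routing accepts an instance-scoped authorization, and it is meant to replace the policy and target blocks of the same names; the output block and its name are illustrative.

```hcl
# Added example: drop-in replacements for the two blocks of the same names above.
# Assumption: Metrics Routing accepts a service authorization scoped to one instance.

# Service-to-service grant limited to the one Monitoring instance created above,
# instead of every sysdig-monitor instance in the account.
resource "ibm_iam_authorization_policy" "s2s_metrics_to_monitoring" {
  source_service_name         = "metrics-router"
  target_service_name         = "sysdig-monitor"
  target_resource_instance_id = ibm_resource_instance.monitoring_service_instance.guid
  roles                       = ["Supertenant Metrics Publisher"]
  description                 = "Metrics Routing may publish only to ${var.resource_prefix}-cloud-monitor"
}

resource "ibm_metrics_router_target" "metrics_router_target_instance" {
  name            = "${var.resource_prefix}-cloud-monitor-target"
  region          = "us-south"
  destination_crn = ibm_resource_instance.monitoring_service_instance.crn

  # Create the target only after the metadata region is set and the grant exists,
  # so the first apply does not race the authorization.
  depends_on = [
    ibm_metrics_router_settings.metrics_router_settings_instance,
    ibm_iam_authorization_policy.s2s_metrics_to_monitoring,
  ]
}

# Surface the effective scope so it can be reviewed in plan/apply output.
output "s2s_metrics_to_monitoring_scope" {
  value = {
    policy_id       = ibm_iam_authorization_policy.s2s_metrics_to_monitoring.id
    source_service  = ibm_iam_authorization_policy.s2s_metrics_to_monitoring.source_service_name
    target_instance = ibm_iam_authorization_policy.s2s_metrics_to_monitoring.target_resource_instance_id
    roles           = ibm_iam_authorization_policy.s2s_metrics_to_monitoring.roles
  }
}
```

If a second Monitoring instance is later added as a routing target, it needs its own scoped policy; the account-wide form would have covered it silently.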