Collect Terraform Enterprise logs

This document explains how to ingest Terraform Enterprise logs to Google Security Operations using Google Cloud Storage V2.

Terraform Enterprise (TFE) is a self-hosted infrastructure as code platform that generates application logs containing audit events for workspace operations, policy checks, state changes, and user activity. Audit events are embedded within the TFE application logs and marked with the [Audit Log] tag. Because TFE stores these logs locally on the application server, you must export them to a Google Cloud Storage (GCS) bucket and then configure a Google SecOps feed to ingest them.

Before you begin

Make sure you have the following prerequisites:

• A Google SecOps instance
• A Google Cloud project with Cloud Storage API enabled
• Permissions to create and manage GCS buckets
• Permissions to manage IAM policies on GCS buckets
• Administrative access to the Terraform Enterprise server (SSH or console access)
• Access to TFE application logs on the server file system (typically at /var/log/terraform-enterprise/ or accessible via replicatedctl app logs)

Create a Google Cloud Storage bucket

1. Go to the Google Cloud Console.
2. Select your project or create a new one.
3. In the navigation menu, go to Cloud Storage > Buckets.
4. Click Create bucket.

5. Provide the following configuration details:

   Setting	Value
   Name your bucket	Enter a globally unique name (for example, terraform-enterprise-logs)
   Location type	Choose based on your needs (Region, Dual-region, Multi-region)
   Location	Select the location closest to your Google SecOps instance (for example, us-central1)
   Storage class	Standard (recommended for frequently accessed logs)
   Access control	Uniform (recommended)
   Protection tools	Optional: Enable object versioning or retention policy

6. Click Create.

Configure automated export of TFE application logs to GCS

Terraform Enterprise embeds audit log entries within its application logs. Audit events are marked with the [Audit Log] string and can be filtered from the application log output. Choose one of the following approaches to automate the export.

Option 1: TFE log forwarding with Fluent Bit to GCS (recommended)

Terraform Enterprise supports external log forwarding using a built-in Fluent Bit-based mechanism. You can configure TFE to forward application logs to a GCS bucket.

1. Access the TFE administration console.
2. Go to Settings > Logging.
3. Enable External Logging.

4. Configure the Fluent Bit output to use the GCS plugin:

   [OUTPUT]
       Name                       gcs
       Match                      *
       Bucket                     terraform-enterprise-logs
       Object_key_format          audit-logs/tfe_logs_%Y%m%d_%H%M%S.json
       Content_Type               application/json
   

5. Save the configuration and restart the TFE services if prompted.

Option 2: Compute Engine VM with cron (for direct log collection)

If the TFE server runs on Google Compute Engine or has network connectivity to GCP, configure a cron job on the TFE server to export filtered audit logs to GCS.

1. Install the Google Cloud CLI on the TFE server.

2. Create a service account for the export:

   1. In the GCP Console, go to IAM & Admin > Service Accounts.
   2. Click Create Service Account.
   3. Provide the following configuration details:
      • Service account name: Enter tfe-log-export-sa
      • Service account description: Enter Service account for TFE log export to GCS
   4. Click Create and Continue.
   5. Add the Storage Object Admin role.
   6. Click Done.
   7. Download a JSON key for the service account and copy it to the TFE server.

3. Create an export script on the TFE server (/opt/tfe-export/export_logs.sh):

   #!/usr/bin/env bash
   set -euo pipefail
   
   BUCKET="terraform-enterprise-logs"
   PREFIX="audit-logs"
   LOG_DIR="/var/log/terraform-enterprise"
   EXPORT_DIR="/tmp/tfe-export"
   TIMESTAMP=$(date -u +%Y%m%d_%H%M%S)
   
   mkdir -p "$EXPORT_DIR"
   
   # Filter audit log entries from TFE application logs
   grep '\[Audit Log\]' "$LOG_DIR"/*.log > "$EXPORT_DIR/tfe_audit_${TIMESTAMP}.json" 2>/dev/null || true
   
   if [ -s "$EXPORT_DIR/tfe_audit_${TIMESTAMP}.json" ]; then
       gcloud storage cp "$EXPORT_DIR/tfe_audit_${TIMESTAMP}.json" \
           "gs://${BUCKET}/${PREFIX}/"
       echo "Uploaded tfe_audit_${TIMESTAMP}.json to gs://${BUCKET}/${PREFIX}/"
   else
       echo "No audit log entries found."
   fi
   
   rm -rf "$EXPORT_DIR"
   

4. Make the script executable and schedule it with cron:

   chmod +x /opt/tfe-export/export_logs.sh
   (crontab -l ; echo "0 * * * * /opt/tfe-export/export_logs.sh >> /var/log/tfe-export.log 2>&1") | crontab -
   

Option 3: Storage Transfer Service (for file-based log collection)

If TFE logs are written to a file system accessible via a Storage Transfer Agent, use Storage Transfer Service to move them to GCS.

1. In the GCP Console, go to Storage Transfer Service.
2. Click Create transfer job.
3. Select POSIX filesystem as the source.
4. Follow the instructions to install the Storage Transfer Agent on the TFE server or a machine with access to the TFE log directory.

5. Configure the transfer job:

   Setting	Value
   Source directory	Path to TFE log directory (for example, /var/log/terraform-enterprise/)
   Destination bucket	terraform-enterprise-logs
   Destination path	audit-logs/
   Schedule	Set a recurring schedule (for example, every hour)

6. Click Create.

Retrieve the Google SecOps service account

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. Click Configure a single feed.
4. In the Feed name field, enter a name for the feed (for example, Terraform Enterprise Logs).
5. Select Google Cloud Storage V2 as the Source type.
6. Select Terraform Enterprise Audit as the Log type.

7. Click Get Service Account. A unique service account email will be displayed, for example:

   chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
   

8. Copy this email address for use in the next step.

Grant IAM permissions to the Google SecOps service account

The Google SecOps service account needs Storage Object Viewer role on your GCS bucket.

1. Go to Cloud Storage > Buckets.
2. Click on your bucket name (for example, terraform-enterprise-logs).
3. Go to the Permissions tab.
4. Click Grant access.
5. Provide the following configuration details:
   • Add principals: Paste the Google SecOps service account email (for example, chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com).
   • Assign roles: Select Storage Object Viewer.

6. Click Save.

Configure the Google SecOps feed

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. Click Configure a single feed.
4. In the Feed name field, enter a name for the feed (for example, Terraform Enterprise Logs).
5. Select Google Cloud Storage V2 as the Source type.
6. Select Terraform Enterprise Audit as the Log type.
7. Click Next.

8. Specify values for the following input parameters:

   • Storage bucket URL: Enter the GCS bucket URI:

     gs://terraform-enterprise-logs/audit-logs/
     

     • Replace terraform-enterprise-logs with your GCS bucket name.
     • Replace audit-logs with your configured prefix path.

   • Source deletion option: Select the deletion option according to your preference:

     • Never: Never deletes any files after transfers (recommended for testing).

     • Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.

   • Maximum File Age: Include files modified in the last number of days (default is 180 days).

   • Asset namespace: The asset namespace.

   • Ingestion labels: The label to be applied to the events from this feed.

9. Click Next.

10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM mapping table

Need more help? Get answers from Community members and Google SecOps professionals.