Terraform changes required to convert existing IBM Cloud Logs alerts

IBM® Cloud Logs changed the configuration and processing of alerts and how alert priorities are defined. These changes might impact any automation that is configured by using Terraform for your environment.

The ibm_logs_alert_definition and ibm_logs_alert resource providers offer similar functions for IBM® Cloud Logs alerts, but are accessed by using different API methods. The ibm_logs_alert_definition resource extends the capabilities of the traditional ibm_logs_alert resource by supporting advanced configurations, such as:

To be compatibility with the current alerting configuration, you want to update your Terraform from using ibm_logs_alert to ibm_logs_alert_definition.

The Alert Definition API is fully compatible with the Alerts API. All alerts that were created by using the Alerts API can be accessed and managed by using the Alert Definition API.

To reconfigure existing alerts, use the ibm_logs_alert_definition resource to import them. With the ibm_logs_alert_definition resource, you can continue managing existing alerts by using the updated resource structure.

Import your `ibm_logs_alert` and create an `ibm_logs_alert_definition` resource

Get the alert ID of the existing alert

First, you need to get the alert ID of the existing alert to import the alert definition into the new ibm_logs_alert_definition resource.

Get the alert ID by using the UI

To get the alert ID by using the UI:

Open the IBM Cloud Logs dashboard for your logging instance.
Click the Alerts icon .
Click Alerts management.
Select the alert to be imported.
Find Alert unique identifier: in the History section.

Get the alert ID by using the CLI

To get the alert ID by using the CLI:

Log in to the CLI and set the configuration by following these steps
List the alerts by running the ibmcloud logs alert-definitions command.
Find the ID of the alert to be imported in the ID column of the CLI command response.

Get the alert ID by using Terraform

To get the alert ID by using Terraform:

Create a main.tf file with the following data source. This data source lists all the alerts in the instance.

    data "ibm_logs_alert_definitions" "alerts" {
        instance_id = "guid-of-logs-instance"
        region      = "region-of-logs-instance"
    }

    locals {
        alertdefs  = data.ibm_logs_alert_definitions.alerts.alert_definitions
        alertids   = [for adf in local.alertdefs : "${data.ibm_logs_alert_definitions.alerts.region}/${data.ibm_logs_alert_definitions.alerts.instance_id}/${adf.id}"]
        alertnames = [for adf in local.alertdefs : adf.name]
    }
    output "alertids" {
        value = local.alertids
    }
    output "alertnames" {
        value = local.alertnames
    }

Run terraform apply.

The alert IDs and names are returned as output. Identify the ID of the alert that you want to import from the output.

Creating the constructed alert ID

The ibm_logs_alert_definition resource can be imported by using a constructed alert ID. The constructed alert ID is a combination of the IBM Cloud Logs region, the instance_id, and the retrieved unique alert_id. For more information, see the ibm_logs_alert_definition Terraform documentation.

You need to create a constructed alert ID in the following format: <region>/<instance_id><alert_id>. This constructed alert ID is used in the import steps.

Importing and converting your alert to an `ibm_logs_alert_definition` resource on a local system

Use these steps to import and convert an existing alert by running the steps on a local system, console, or virtual machine.

For this example, an alert that is named alert-managed-by-tf is managed by Terraform.

Edit your main.tf file.

resource "ibm_logs_alert" "alert_managed_by_tf" {
  instance_id = "d58f8c45-f781-4aca-b18d-71ad17825867"
  region      = "eu-es"
  name        = "alert-managed-by-tf"
  is_active   = true
  severity    = "info_or_unspecified"
  description = "alert managed by tf"

  notification_groups {
    notifications {
      retriggering_period_seconds = 3600
      notify_on                   = "triggered_and_resolved"
      integration_id              = "27"
    }
  }
  incident_settings {
    retriggering_period_seconds  = 3600
    notify_on                    = "triggered_and_resolved"
    use_as_notification_settings = false
  }

  condition {
    less_than {
      parameters {
        threshold          = 1
        timeframe          = "timeframe_1_h"
        relative_timeframe = "hour_or_unspecified"
    cardinality_fields = []
      }
    }
  }
  filters {
    filter_type = "text_or_unspecified"
    text        = "action:tf"
    severities  = ["info"]
  }
}

Add a resource block to your main.tf file.

resource "ibm_logs_alert_definition" "alert_managed_by_tf" {
    instance_id = "d58f8c45-f781-4aca-b18d-71ad17825867"
    region      = "eu-es"
}

Run the following command with the <constructed_alert_ID> for the alert to be converted.
```
terraform import ibm_logs_alert_definition.alert_managed_by_tf <constructed_alert_ID>
```
The state is imported for ibm_logs_alert_definition.alert_managed_by_tf resource.

Run the following command to see the state of imported resource.

terraform state show ibm_logs_alert_definition.alert_managed_by_tf

Copy the necessary contents from the terraform state show output to your ibm_logs_alert_definition resource block.

The updated resource block would be similar to the following example:

    resource "ibm_logs_alert_definition" "alert_managed_by_tf" {
        deleted      = false
        description  = "alert managed by tf"
        enabled      = true
        instance_id  = "d58f8c45-f781-4aca-b18d-71ad17825867"
        name         = "alert-managed-by-tf"
        phantom_mode = false
        priority     = "p5_or_unspecified"
        region       = "eu-es"
        type         = "logs_threshold"
        incidents_settings {
            minutes   = 60
            notify_on = "triggered_and_resolved"
        }
        logs_threshold {
            condition_type              = "less_than"
            evaluation_delay_ms         = 0
            notification_payload_filter = []
            logs_filter {
                simple_filter {
                    lucene_query = "action:tf"
                     label_filters {
                        severities = [
                            "info",
                        ]
                    }
                }
            }
            rules {
                condition {
                    threshold = 1

                    time_window {
                        logs_time_window_specific_value = "hour_1"
                    }
                }
                override {
                    priority = "p5_or_unspecified"
                }
            }
            undetected_values_management {
                auto_retire_timeframe     = "never_or_unspecified"
                trigger_undetected_values = true
            }
        }
        notification_group {
            group_by_keys = []
            webhooks {
                minutes   = 60
                notify_on = "triggered_and_resolved"
                integration {
                    integration_id = 27
                }
            }
        }
    }

Remove all references of the ibm_logs_alert.alert_managed_by_tf resource from your main.tf file.
Remove all references of the ibm_logs_alert.alert_managed_by_tf resource from the state by running terraform state rm ibm_logs_alert.alert_managed_by_tf.
Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
```
terraform plan
```
Run terraform apply to create the resources that are defined in the plan.
```
terraform apply
```

The output says No infrastructure changes. Your alert-managed-by-tf alert can now be managed by using the ibm_logs_alert_definition resource.

Importing and converting your alert to an `ibm_logs_alert_definition` resource in IBM Cloud Schematics

Use these steps to import and convert an existing alert that is managed by Terraform in Schematics.

For this example, an alert that is named alert-managed-by-tf is converted.

Edit your main.tf file.

resource "ibm_logs_alert" "alert_managed_by_tf" {
  instance_id = "d58f8c45-f781-4aca-b18d-71ad17825867"
  region      = "eu-es"
  name        = "alert-managed-by-tf"
  is_active   = true
  severity    = "info_or_unspecified"
  description = "alert managed by tf"

  notification_groups {
    notifications {
      retriggering_period_seconds = 3600
      notify_on                   = "triggered_and_resolved"
      integration_id              = "27"
    }
  }
  incident_settings {
    retriggering_period_seconds  = 3600
    notify_on                    = "triggered_and_resolved"
    use_as_notification_settings = false
  }

  condition {
    less_than {
      parameters {
        threshold          = 1
        timeframe          = "timeframe_1_h"
        relative_timeframe = "hour_or_unspecified"
        cardinality_fields = []
      }
    }
  }
  filters {
    filter_type = "text_or_unspecified"
    text        = "action:tf"
    severities  = ["info"]
  }
}

Add the new resource block to your main.tf file and push the file to your GitHub repo.

resource "ibm_logs_alert_definition" "alert_managed_by_tf" {
    instance_id = "d58f8c45-f781-4aca-b18d-71ad17825867"
    region      = "eu-es"
}

Log in to the Schematics CLI.
Run the Schematics workspace update command to pull latest code into your workspace.

Run the Schematics workspace import command with the <constructed_alert_ID> for the alert to import your resource:

ibmcloud schematics workspace get --id <schematics workspace id> --address ibm_logs_alert_definition.alert_managed_by_tf --resourceID <constructed_alert_ID>

Run the Schematics workspace state show command:

ibmcloud schematics workspace state show --id <schematics workspace id>  --address ibm_logs_alert_definition.alert_managed_by_tf`

Copy the necessary content from Schematics workspace state show command output to your ibm_logs_alert_definition resource block.