Splunk is happy to announce that we now have a HashiCorp verified Terraform Provider for Splunk. The provider is publicly available in the Terraform Registry and can be used by referencing it in your Terraform configuration file and simply executing terraform init.
If you're new to Terraform and Providers, the latest version of Terraform is available here. You will need to download the appropriate binaries and have Terraform installed before using the provider.
HashiCorp's Terraform is a popular tool to help manage organizations' infrastructure as code using HCL (HashiCorp Configuration Language). The Terraform Provider for Splunk uses all the great capabilities of Terraform to manage your Splunk infrastructure.
Most Splunk configurations can be set up through the Splunk UI, but managing configurations at scale becomes challenging. The provider not only creates Splunk resources such as users and roles, indexes, data inputs and outputs, conf files, app installs, saved searches, etc., but also performs state management, imports and updates existing resources, lets you version configuration (using git or another SCM tool) and makes porting configuration between instances easier. The provider talks to Splunk instances through Splunk's REST API endpoints to create new configuration and read existing configuration. It also benefits users who already rely on Terraform to manage other services' configuration (e.g. AWS) by keeping everything in one place, in one format, and versioned.
While creating a configuration file, you can simply reference the Splunk provider under the required_providers block and don't have to download the provider itself. Terraform will take care of pulling the latest version of the provider from the Terraform Registry.
// Terraform 0.13
terraform {
  required_providers {
    splunk = {
      source  = "splunk/splunk"
      version = "1.0.0"
    }
  }
}
You then have to give the provider access to the Splunk instance that needs to be configured. For that, you can either specify the instance details (url, username, password and insecure_skip_verify) in your configuration file under the provider "splunk" block, as in the main.tf example below, or set them as environment variables. Two points worth knowing before you choose: insecure_skip_verify = true turns off TLS certificate verification for the connection to the Splunk management port, so it is a setting for lab instances rather than production; and a password written into the configuration file is committed with it if the file is versioned, which the environment-variable form avoids.
SPLUNK_URL=localhost:8089
SPLUNK_USERNAME=admin
SPLUNK_PASSWORD=********
You can then create and manage any number of resources by adding the appropriate resource blocks.
Now let us start with an example configuration file that performs the following operations: it creates a role and a user assigned to that role, creates an index, enables the global HTTP Event Collector, creates a HEC token restricted by an ACL, and schedules a saved search with an email alert action.
# main.tf
terraform {
  required_providers {
    splunk = {
      source  = "splunk/splunk"
      version = "1.0.0"
    }
  }
}

provider "splunk" {
  url                  = "localhost:8089"
  username             = "admin"
  password             = "********"
  insecure_skip_verify = true
}

resource "splunk_authorization_roles" "role01" {
  name           = "terraform-user01-role"
  default_app    = "search"
  imported_roles = ["power", "user"]
  capabilities   = ["accelerate_datamodel", "change_authentication", "restart_splunkd"]
}

resource "splunk_authentication_users" "user01" {
  name              = "user01"
  email             = "user01@example.com"
  password          = "password01"
  force_change_pass = false
  roles             = ["terraform-user01-role"]
  depends_on = [
    splunk_authorization_roles.role01
  ]
}

resource "splunk_indexes" "user01-index" {
  name                   = "user01-index"
  max_hot_buckets        = 6
  max_total_data_size_mb = 1000000
}

resource "splunk_global_http_event_collector" "http" {
  disabled   = false
  enable_ssl = true
  port       = 8088
}

resource "splunk_inputs_http_event_collector" "hec-token-01" {
  name       = "hec-token-01"
  index      = "user01-index"
  indexes    = ["user01-index", "history", "summary"]
  source     = "new:source"
  sourcetype = "new:sourcetype"
  disabled   = false
  use_ack    = false
  acl {
    owner   = "user01"
    sharing = "global"
    read    = ["admin"]
    write   = ["admin"]
  }
  depends_on = [
    splunk_indexes.user01-index,
    splunk_authentication_users.user01,
    splunk_global_http_event_collector.http,
  ]
}

resource "splunk_saved_searches" "new-search-01" {
  actions                   = "email"
  action_email_format       = "table"
  action_email_max_time     = "5m"
  action_email_send_results = false
  action_email_subject      = "Splunk Alert: $name$"
  action_email_to           = "user01@splunk.com"
  action_email_track_alert  = true
  description               = "New search for user01"
  dispatch_earliest_time    = "rt-15m"
  dispatch_latest_time      = "rt-0m"
  cron_schedule             = "*/15 * * * *"
  name                      = "new-search-01"
  search                    = "index=user01-index source=http:hec-token-01"
  acl {
    app     = "search"
    owner   = "user01"
    sharing = "user"
  }
  depends_on = [
    splunk_authentication_users.user01,
    splunk_indexes.user01-index
  ]
}
NOTE: Certain Splunk resources, such as saved searches, use an ACL configuration to restrict access and implement namespaces. You can find documentation here about the resources that support ACL configuration.
The configuration can be applied to any Splunk instance by executing these simple Terraform commands.
terraform plan
terraform apply
The above example configuration can also be updated by making changes to the same main.tf file and then running the terraform plan and terraform apply commands again. The terraform plan command shows the diff between the current and desired state, so you know exactly which configuration changes are about to happen when you run the apply command.
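The plan review step described above is where a security reviewer would want an automated check rather than reading the diff by eye. The following Python script is an added example, not part of the original post and not part of the provider: it runs a few policy checks over the JSON form of a plan (produced by terraform plan -out tfplan followed by terraform show -json tfplan, an assumed workflow) and flags the settings in the example main.tf above, and in the ACL note, that deserve a second look before apply: insecure_skip_verify = true, a literal password in the provider block, force_change_pass = false on a user, HEC with enable_ssl = false, and an ACL shared globally with write open to every role. The embedded plan is constructed to mirror the example main.tf rather than captured from a real run, and the field layout it relies on (planned_values.root_module.resources and configuration.provider_config) is an assumption about Terraform's plan JSON output format.

```python
"""Policy checks over a Terraform plan rendered with `terraform show -json tfplan`.

Assumed workflow (not from the original post):
    terraform plan -out tfplan
    terraform show -json tfplan > plan.json
    python check_plan.py plan.json
"""
import json
import sys

# Constructed plan JSON, modelled on the post's main.tf and on the shape of
# `terraform show -json` output (planned_values + configuration). Not real output.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [
        {"address": "splunk_authentication_users.user01",
         "type": "splunk_authentication_users", "name": "user01",
         "values": {"name": "user01", "force_change_pass": False,
                    "roles": ["terraform-user01-role"]}},
        {"address": "splunk_global_http_event_collector.http",
         "type": "splunk_global_http_event_collector", "name": "http",
         "values": {"disabled": False, "enable_ssl": True, "port": 8088}},
        {"address": "splunk_inputs_http_event_collector.hec-token-01",
         "type": "splunk_inputs_http_event_collector", "name": "hec-token-01",
         "values": {"name": "hec-token-01",
                    "acl": [{"owner": "user01", "sharing": "global",
                             "read": ["admin"], "write": ["admin"]}]}},
        {"address": "splunk_saved_searches.new-search-01",
         "type": "splunk_saved_searches", "name": "new-search-01",
         "values": {"name": "new-search-01",
                    "acl": [{"app": "search", "owner": "user01", "sharing": "user"}]}},
    ]}},
    "configuration": {"provider_config": {"splunk": {
        "name": "splunk",
        "expressions": {"url": {"constant_value": "localhost:8089"},
                        "username": {"constant_value": "admin"},
                        "password": {"constant_value": "********"},
                        "insecure_skip_verify": {"constant_value": True}}}}},
}


def check_plan(plan) -> list[str]:
    """Return human-readable findings for settings worth a second look before apply.

    `plan` is either the parsed plan (dict) or the raw JSON text.
    """
    if isinstance(plan, str):
        plan = json.loads(plan)
    findings: list[str] = []

    # Provider block: TLS verification switched off, or credentials as literals in the .tf file.
    # A value supplied through a variable or environment shows up without "constant_value".
    expr = (plan.get("configuration", {}).get("provider_config", {})
                .get("splunk", {}).get("expressions", {}))
    if expr.get("insecure_skip_verify", {}).get("constant_value") is True:
        findings.append("provider splunk: insecure_skip_verify = true disables TLS certificate verification")
    if "constant_value" in expr.get("password", {}):
        findings.append("provider splunk: password is a literal in configuration; prefer SPLUNK_PASSWORD or a variable")

    # Resources: each check keys on attributes the provider exposes in the post's example.
    for res in plan.get("planned_values", {}).get("root_module", {}).get("resources", []):
        addr, rtype, vals = res["address"], res["type"], res.get("values", {})
        if rtype == "splunk_authentication_users" and vals.get("force_change_pass") is False:
            findings.append(f"{addr}: force_change_pass = false keeps the password written in the .tf file in use")
        if rtype == "splunk_global_http_event_collector" and vals.get("enable_ssl") is False:
            findings.append(f"{addr}: enable_ssl = false, HEC tokens and events would travel in clear text")
        for acl in vals.get("acl") or []:  # nested blocks appear as lists in plan JSON
            if acl.get("sharing") == "global" and "*" in (acl.get("write") or []):
                findings.append(f'{addr}: shared globally with write = ["*"], so any role can modify it')
    return findings


if __name__ == "__main__":
    # With a file argument, check that plan; otherwise run against the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            source = json.load(fh)
    else:
        source = SAMPLE_PLAN
    for line in check_plan(source) or ["no findings"]:
        print(line)
```

Against the constructed sample the script reports three findings (the provider's insecure_skip_verify, the literal provider password, and force_change_pass on user01); the two checks that stay quiet are there so a plan that flips enable_ssl off or widens an ACL's write list to every role is caught on the next run. Because the check keys on "constant_value", moving the password to the SPLUNK_PASSWORD environment variable or a Terraform variable clears that finding without any change to the script.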
For instance, you can add a new resource block to the above main.tf to install an app on the same Splunk instance using the provider.
resource "splunk_apps_local" "amazon_connect_app" {
  filename         = true
  name             = "/usr/home/amazon_connect_app_for_splunk-0.0.1.tar.gz"
  explicit_appname = "amazon_connect_app_for_splunk"
}
Terraform can also import existing resources so that you can continue managing them with Terraform. The example below imports the TCP output configuration and creates state for the resource so it can be managed later using Terraform.
terraform import splunk_outputs_tcp_default.foo "tcpout"
NOTE: All required parameters for a resource need to be added to the imported configuration before the resource can be completely managed by Terraform.
You can also see the current state of resources by running commands such as the following.
terraform state list
terraform state show <resource>
To destroy all configurations managed by Terraform use the destroy command.
terraform destroy
Documentation for the resources supported by the provider can be found here. Additional notes and troubleshooting tips can also be found in the repo README, which we promise to keep updated. We welcome suggestions and issue reports for the provider on our repo on GitHub. We will continue to add support for new resources and polish the existing ones as we work towards a stable and robust provider.
We are also excited to share that Splunk and HashiCorp teamed up to release a Terraform Cloud for Splunk app. This app integrates with the newly released Business Tier of HashiCorp's Terraform Cloud. The Terraform Cloud for Splunk app integrates Terraform Cloud's Business Tier audit logging feature with customers' existing Splunk Cloud or Splunk Enterprise implementations. You can read more about HashiCorp Terraform Cloud Audit Logging with Splunk here.
Thank you for reading and we hope the new Terraform Provider for Splunk helps you and your organization move towards managing all your infrastructure as code!
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.