
How do you handle logging and monitoring of IaC-generated infrastructure?

Logging and monitoring for IaC-generated infrastructure must be automated and consistent, so that dynamically created resources do not leave gaps in observability. This matters for auditability, rapid troubleshooting, and compliance, and it applies widely in cloud environments and containerized deployments. The core principle is to manage logging configuration as part of the code.

Core practices include explicitly defining resource log outputs and metric collection (such as AWS CloudWatch Logs configurations and GCP Cloud Monitoring metrics) in IaC templates (e.g., Terraform/CloudFormation); injecting unified metadata through resource tags (Tags/Labels) so that logs are automatically associated with the resources that produced them; and deploying log agents (e.g., Fluentd, Filebeat) or cloud platform native agents (e.g., AWS CloudWatch Agent), with log aggregation systems (e.g., ELK, Loki) or cloud services (e.g., CloudWatch, Stackdriver) configured to receive the log streams. Monitoring alarm rules are also defined and deployed through IaC.

Implementation steps: 1) Declare resource log output destinations and retention policies in IaC; 2) Standardize resource tags to identify environments/applications; 3) Deploy log collection agents or enable cloud service integration via IaC; 4) Configure data sources for the central logging platform; 5) Implement dashboards and alarm rules as IaC. Example: Define an AWS Lambda function in Terraform and specify a CloudWatch Logs group, while configuring a Metric Alarm. The value lies in automating full-stack observability and improving operational efficiency.
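
The Lambda example described above, written out as an added Terraform sketch (not code from the original page). The function name, runtime, package path, retention period, alarm threshold, tag values, and the two input variables are assumptions.

```hcl
# Added example. All names and values below are illustrative assumptions.
variable "lambda_role_arn" { type = string } # existing execution role with logs:CreateLogStream/PutLogEvents
variable "alarm_topic_arn" { type = string } # existing SNS topic that receives alerts

locals {
  function_name = "orders-api" # hypothetical function name
  tags = {                     # step 2: one tag set reused on every resource
    Environment = "prod"
    Application = "orders"
  }
}

# Step 1: declare the log group and its retention explicitly. If Lambda
# creates the group itself on first invocation, it is unmanaged, untagged,
# and retains logs indefinitely.
resource "aws_cloudwatch_log_group" "fn" {
  name              = "/aws/lambda/${local.function_name}"
  retention_in_days = 90
  tags              = local.tags
}

resource "aws_lambda_function" "fn" {
  function_name    = local.function_name
  role             = var.lambda_role_arn
  runtime          = "python3.12"
  handler          = "app.handler"
  filename         = "build/app.zip"
  source_code_hash = filebase64sha256("build/app.zip")
  tags             = local.tags
  depends_on       = [aws_cloudwatch_log_group.fn] # log group must exist first
}

# Step 5: the alarm rule ships in the same change as the resource it watches.
resource "aws_cloudwatch_metric_alarm" "errors" {
  alarm_name          = "${local.function_name}-errors"
  namespace           = "AWS/Lambda"
  metric_name         = "Errors"
  dimensions          = { FunctionName = aws_lambda_function.fn.function_name }
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [var.alarm_topic_arn]
  tags                = local.tags
}
```

Because the log group name matches the `/aws/lambda/<function name>` path that Lambda writes to by default, the function logs into the managed group rather than creating its own.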
