# Account of the credentials running this plan. Gated on `local.enabled` so a
# disabled module instance makes no AWS API calls; consumers read it through
# a splat + join so the disabled case yields "" instead of an index error.
data "aws_caller_identity" "current" {
  count = local.enabled ? 1 : 0
}
# Partition ("aws", "aws-cn", "aws-us-gov", ...) used to build ARN prefixes
# rather than hard-coding "arn:aws". Same enable gating as the other lookups.
data "aws_partition" "current" {
  count = local.enabled ? 1 : 0
}
# Region of the configured provider; read only when the module is enabled.
data "aws_region" "current" {
  count = local.enabled ? 1 : 0
}
locals {
  enabled        = module.this.enabled
  lambda_enabled = local.enabled

  # Count-gated data sources are read via splat + join so that a disabled
  # module evaluates to "" instead of failing on index [0].
  aws_account_id = join("", data.aws_caller_identity.current[*].account_id)
  aws_region     = join("", data.aws_region.current[*].name)
  arn_format     = local.enabled ? "arn:${data.aws_partition.current[0].partition}" : ""

  # Where the Datadog API key is stored ("kms", "asm" or "ssm") and the
  # identifier of that resource (ciphertext blob, secret ARN or parameter name).
  dd_api_key_resource   = var.dd_api_key_source.resource
  dd_api_key_identifier = var.dd_api_key_source.identifier

  # ARN the IAM policy grants access to. For SSM an explicit var.api_key_ssm_arn
  # wins, otherwise the ARN looked up by data.aws_ssm_parameter.api_key, falling
  # back to "" if neither is available. For kms/asm the identifier is used as-is.
  dd_api_key_arn = (
    local.dd_api_key_resource == "ssm"
    ? try(coalesce(var.api_key_ssm_arn, join("", data.aws_ssm_parameter.api_key[*].arn)), "")
    : local.dd_api_key_identifier
  )

  # The single IAM action the forwarder needs to obtain its key. An unrecognised
  # source maps to "" (an empty action), which IAM is likely to reject at policy
  # creation — presumably var.dd_api_key_source is validated elsewhere; verify.
  dd_api_key_iam_actions = [
    lookup({
      kms = "kms:Decrypt",
      asm = "secretsmanager:GetSecretValue",
      ssm = "ssm:GetParameter"
    }, local.dd_api_key_resource, "")
  ]

  # At most one of these maps is non-empty; it tells the forwarder at runtime
  # how to retrieve the API key (the plaintext key itself is never placed in env).
  dd_api_key_kms = local.dd_api_key_resource == "kms" ? { DD_KMS_API_KEY = var.dd_api_key_kms_ciphertext_blob } : {}
  dd_api_key_asm = local.dd_api_key_resource == "asm" ? { DD_API_KEY_SECRET_ARN = local.dd_api_key_identifier } : {}
  dd_api_key_ssm = local.dd_api_key_resource == "ssm" ? { DD_API_KEY_SSM_NAME = local.dd_api_key_identifier } : {}

  dd_site      = { DD_SITE = var.forwarder_lambda_datadog_host }
  lambda_debug = var.forwarder_lambda_debug_enabled ? { DD_LOG_LEVEL = "debug" } : {}

  # Tags: when a map is supplied it is rendered as "key:value" (bare "key" for a
  # null value); otherwise the already-formatted list var.dd_tags is used verbatim.
  dd_tags = length(var.dd_tags_map) > 0 ? [
    for tagk, tagv in var.dd_tags_map : (tagv == null ? tagk : format("%s:%s", tagk, tagv))
  ] : var.dd_tags
  dd_tags_env = { DD_TAGS = join(",", local.dd_tags) }

  # merge() lets later arguments win on key collision, so the caller-supplied
  # var.datadog_forwarder_lambda_environment_variables overrides everything above.
  lambda_env = merge(
    local.dd_api_key_kms,
    local.dd_api_key_asm,
    local.dd_api_key_ssm,
    local.dd_site,
    local.lambda_debug,
    local.dd_tags_env,
    var.datadog_forwarder_lambda_environment_variables,
  )
}
# Log Forwarder, RDS Enhanced Forwarder, VPC Flow Log Forwarder
# Resolve the SSM parameter's ARN for the IAM policy. Only needed when the key
# lives in SSM and the caller did not pass var.api_key_ssm_arn explicitly.
# NOTE: this data source also reads the parameter value (decrypted by default),
# so the API key ends up in Terraform state — protect the state backend accordingly.
data "aws_ssm_parameter" "api_key" {
  count = local.lambda_enabled && local.dd_api_key_resource == "ssm" && var.api_key_ssm_arn == null ? 1 : 0

  name = local.dd_api_key_identifier
}
######################################################################
## Create a policy document to allow Lambda to assume role
# Trust policy for the forwarder's execution role: only the Lambda service
# principal may assume it.
# NOTE(review): the trust relationship carries no aws:SourceAccount /
# aws:SourceArn condition, so any Lambda function in any account that can name
# this role could in principle assume it; consider adding one if the role ARN
# is shared outside this module.
data "aws_iam_policy_document" "assume_role" {
  count = local.lambda_enabled ? 1 : 0

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
######################################################################
## Create Lambda policy and attach it to the Lambda role
# Optional caller-supplied policy (raw JSON in var.lambda_policy_source_json).
# It is created as a standalone managed policy and later folded into the
# default document via source_policy_documents. The JSON is taken verbatim, so
# whoever controls that variable controls what the forwarder may do.
resource "aws_iam_policy" "datadog_custom_policy" {
  count = local.lambda_enabled ? (length(var.lambda_policy_source_json) > 0 ? 1 : 0) : 0

  name   = var.lambda_custom_policy_name
  tags   = module.this.tags
  policy = var.lambda_policy_source_json
}
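# Default permissions for the forwarder's execution role: write its own
# CloudWatch Logs, read/decrypt the Datadog API key, plus any caller-supplied
# statements from aws_iam_policy.datadog_custom_policy.
data "aws_iam_policy_document" "lambda_default" {
  count = local.lambda_enabled ? 1 : 0
  # #checkov:skip=BC_AWS_IAM_57: (Pertaining to constraining IAM write access) The only write actions are the CloudWatch Logs calls the function needs, scoped to log groups in this account and region; API-key access is restricted to one specific ARN.

  # Caller statements are merged from the created policy resource rather than
  # the raw variable so the two cannot drift apart.
  source_policy_documents = local.lambda_enabled && length(var.lambda_policy_source_json) > 0 ? [aws_iam_policy.datadog_custom_policy[0].policy] : []

  # Lambda creates and writes its log group/stream in the deploying account and
  # region, so "*" was wider than required; scope to that account/region.
  # local.arn_format / aws_region / aws_account_id are "" only when the module
  # is disabled, in which case count is 0 and this body is never evaluated.
  statement {
    sid    = "AllowWriteLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
    resources = ["${local.arn_format}:logs:${local.aws_region}:${local.aws_account_id}:*"]
  }

  # Obtain the API key from its single backing resource only (kms/asm/ssm).
  # If local.dd_api_key_resource is unrecognised the action list is [""] and
  # the ARN may be "", which IAM is expected to reject; presumably the variable
  # is validated upstream — verify.
  statement {
    sid       = "AllowGetOrDecryptApiKey"
    effect    = "Allow"
    actions   = local.dd_api_key_iam_actions
    resources = [local.dd_api_key_arn]
  }
}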