From f0f201fc4fb37213c97d988f23f9b83a93f2f913 Mon Sep 17 00:00:00 2001
From: Marwin Baumann <56264798+marwinbaumannsbp@users.noreply.github.com>
Date: Thu, 8 Aug 2024 09:31:20 +0200
Subject: [PATCH] feature: upgrade the datadog integration module, exposing the latest settings (#207)

feature: upgrade the datadog integration module, exposing the latest settings
---
 README.md | 8 ++++----
 datadog.tf | 57 +++++++++++++++++++++++++++++++++------------------
 variables.tf | 15 +++++++++-----
 3 files changed, 50 insertions(+), 30 deletions(-)

diff --git a/README.md b/README.md
index 5ca546e..fe58bfc 100644
--- a/README.md
+++ b/README.md
@@ -443,9 +443,9 @@ module "landing_zone" {
 | [audit\_manager\_reports](#module\_audit\_manager\_reports) | schubergphilis/mcaf-s3/aws | 0.12.1 |
 | [aws\_config\_s3](#module\_aws\_config\_s3) | github.com/schubergphilis/terraform-aws-mcaf-s3 | v0.8.0 |
 | [aws\_sso\_permission\_sets](#module\_aws\_sso\_permission\_sets) | ./modules/permission-set | n/a |
-| [datadog\_audit](#module\_datadog\_audit) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.3.12 |
-| [datadog\_logging](#module\_datadog\_logging) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.3.12 |
-| [datadog\_master](#module\_datadog\_master) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.3.12 |
+| [datadog\_audit](#module\_datadog\_audit) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.7.0 |
+| [datadog\_logging](#module\_datadog\_logging) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.7.0 |
+| [datadog\_master](#module\_datadog\_master) | github.com/schubergphilis/terraform-aws-mcaf-datadog | v0.7.0 |
 | [kms\_key](#module\_kms\_key) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 |
 | [kms\_key\_audit](#module\_kms\_key\_audit) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 |
 | [kms\_key\_logging](#module\_kms\_key\_logging) | github.com/schubergphilis/terraform-aws-mcaf-kms | v0.3.0 |
@@ -553,7 +553,7 @@ module "landing_zone" { | [aws\_security\_hub\_sns\_subscription](#input\_aws\_security\_hub\_sns\_subscription) | Subscription options for the LandingZone-SecurityHubFindings SNS topic |
map(object({
endpoint = string
protocol = string
}))
| `{}` | no | | [aws\_service\_control\_policies](#input\_aws\_service\_control\_policies) | AWS SCP's parameters to disable required/denied policies, set a list of allowed AWS regions, and set principals that are exempt from the restriction |
object({
allowed_regions = optional(list(string), [])
aws_deny_disabling_security_hub = optional(bool, true)
aws_deny_leaving_org = optional(bool, true)
aws_deny_root_user_ous = optional(list(string), [])
aws_require_imdsv2 = optional(bool, true)
principal_exceptions = optional(list(string), [])
})
| `{}` | no | | [aws\_sso\_permission\_sets](#input\_aws\_sso\_permission\_sets) | Map of AWS IAM Identity Center permission sets with AWS accounts and group names that should be granted access to each account |
map(object({
assignments = list(map(list(string)))
inline_policy = optional(string, null)
managed_policy_arns = optional(list(string), [])
session_duration = optional(string, "PT4H")
}))
| `{}` | no | -| [datadog](#input\_datadog) | Datadog integration options for the core accounts |
object({
api_key = string
enable_integration = bool
install_log_forwarder = optional(bool, false)
log_collection_services = optional(list(string), [])
site_url = string
})
| `null` | no | +| [datadog](#input\_datadog) | Datadog integration options for the core accounts |
object({
api_key = string
cspm_resource_collection_enabled = optional(bool, false)
enable_integration = bool
extended_resource_collection_enabled = optional(bool, false)
install_log_forwarder = optional(bool, false)
log_collection_services = optional(list(string), [])
log_forwarder_version = optional(string)
metric_tag_filters = optional(map(string), {})
namespace_rules = optional(list(string), [])
site_url = string
})
| `null` | no | | [datadog\_excluded\_regions](#input\_datadog\_excluded\_regions) | List of regions where metrics collection will be disabled. | `list(string)` | `[]` | no | | [kms\_key\_policy](#input\_kms\_key\_policy) | A list of valid KMS key policy JSON documents | `list(string)` | `[]` | no | | [kms\_key\_policy\_audit](#input\_kms\_key\_policy\_audit) | A list of valid KMS key policy JSON document for use with audit KMS key | `list(string)` | `[]` | no | diff --git a/datadog.tf b/datadog.tf index cce9ca6..5c9cddb 100644 --- a/datadog.tf +++ b/datadog.tf 
@@ -3,26 +3,36 @@ module "datadog_audit" {
   count = try(var.datadog.enable_integration, false) == true ? 1 : 0
   providers = { aws = aws.audit }
-  source = "github.com/schubergphilis/terraform-aws-mcaf-datadog?ref=v0.3.12"
-  api_key = try(var.datadog.api_key, null)
-  excluded_regions = var.datadog_excluded_regions
-  install_log_forwarder = var.datadog.install_log_forwarder
-  log_collection_services = var.datadog.log_collection_services
-  site_url = try(var.datadog.site_url, null)
-  tags = var.tags
+  source = "github.com/schubergphilis/terraform-aws-mcaf-datadog?ref=v0.7.0"
+  api_key = try(var.datadog.api_key, null)
+  cspm_resource_collection_enabled = var.datadog.cspm_resource_collection_enabled
+  excluded_regions = var.datadog_excluded_regions
+  extended_resource_collection_enabled = var.datadog.extended_resource_collection_enabled
+  install_log_forwarder = var.datadog.install_log_forwarder
+  log_collection_services = var.datadog.log_collection_services
+  log_forwarder_version = var.datadog.log_forwarder_version
+  metric_tag_filters = var.datadog.metric_tag_filters
+  namespace_rules = var.datadog.namespace_rules
+  site_url = try(var.datadog.site_url, null)
+  tags = var.tags
 }
 module "datadog_master" {
   #checkov:skip=CKV_AWS_124: since this is managed by terraform, we reason that this already provides feedback and a seperate SNS topic is therefore not required
   count = try(var.datadog.enable_integration, false) == true ? 1 : 0
-  source = "github.com/schubergphilis/terraform-aws-mcaf-datadog?ref=v0.3.12"
-  api_key = try(var.datadog.api_key, null)
-  excluded_regions = var.datadog_excluded_regions
-  install_log_forwarder = var.datadog.install_log_forwarder
-  log_collection_services = var.datadog.log_collection_services
-  site_url = try(var.datadog.site_url, null)
-  tags = var.tags
+  source = "github.com/schubergphilis/terraform-aws-mcaf-datadog?ref=v0.7.0"
+  api_key = try(var.datadog.api_key, null)
+  cspm_resource_collection_enabled = var.datadog.cspm_resource_collection_enabled
+  excluded_regions = var.datadog_excluded_regions
+  extended_resource_collection_enabled = var.datadog.extended_resource_collection_enabled
+  install_log_forwarder = var.datadog.install_log_forwarder
+  log_collection_services = var.datadog.log_collection_services
+  log_forwarder_version = var.datadog.log_forwarder_version
+  metric_tag_filters = var.datadog.metric_tag_filters
+  namespace_rules = var.datadog.namespace_rules
+  site_url = try(var.datadog.site_url, null)
+  tags = var.tags
 }
 module "datadog_logging" {
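Review bot: The upgraded `source` lines in both `datadog_audit` and `datadog_master` pin the module to the git tag `?ref=v0.7.0`; a tag is a mutable reference, so the same configuration can resolve to different module code over time if the upstream tag is moved. Pinning to the commit the tag points at, e.g. `source = "github.com/schubergphilis/terraform-aws-mcaf-datadog?ref=<commit-sha> # v0.7.0"`, gives a reproducible and tamper-evident dependency; the pre-existing `v0.3.12` pin had the same weakness. Separately, the new argument lists wrap only `api_key` and `site_url` in `try(..., null)` while the other ten fields read `var.datadog.*` directly; because `count` already handles the `var.datadog == null` case, the `try()` is either redundant or the remaining fields need the same treatment, and the block should be consistent one way or the other. The `datadog_audit` module header starts before this hunk.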
@@ -30,11 +40,16 @@ module "datadog_logging" {
   count = try(var.datadog.enable_integration, false) == true ? 1 : 0
   providers = { aws = aws.logging }
-  source = "github.com/schubergphilis/terraform-aws-mcaf-datadog?ref=v0.3.12"
-  api_key = try(var.datadog.api_key, null)
-  excluded_regions = var.datadog_excluded_regions
-  install_log_forwarder = var.datadog.install_log_forwarder
-  log_collection_services = var.datadog.log_collection_services
-  site_url = try(var.datadog.site_url, null)
-  tags = var.tags
+  source = "github.com/schubergphilis/terraform-aws-mcaf-datadog?ref=v0.7.0"
+  api_key = try(var.datadog.api_key, null)
+  cspm_resource_collection_enabled = var.datadog.cspm_resource_collection_enabled
+  excluded_regions = var.datadog_excluded_regions
+  extended_resource_collection_enabled = var.datadog.extended_resource_collection_enabled
+  install_log_forwarder = var.datadog.install_log_forwarder
+  log_collection_services = var.datadog.log_collection_services
+  log_forwarder_version = var.datadog.log_forwarder_version
+  metric_tag_filters = var.datadog.metric_tag_filters
+  namespace_rules = var.datadog.namespace_rules
+  site_url = try(var.datadog.site_url, null)
+  tags = var.tags
 }
diff --git a/variables.tf b/variables.tf
index 1ec4352..b244d11 100644
--- a/variables.tf
+++ b/variables.tf
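Review bot: `log_forwarder_version = var.datadog.log_forwarder_version` forwards a null when the optional field is left unset, so the forwarder version actually deployed into the logging account is whatever v0.7.0 of the upstream module defaults to, which is not visible from this repository. If that default is a floating "latest", the Lambda that processes log data from this account is effectively unpinned and may change underneath the caller without a plan diff. Either set an explicit version in the calling configuration or document the behaviour on the line, e.g. `log_forwarder_version = var.datadog.log_forwarder_version # null defers to the module default; pin explicitly for reproducible deployments`. The same consideration applies to the audit and master modules in the previous hunk.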
@@ -225,11 +225,16 @@ variable "control_tower_account_ids" {
 variable "datadog" {
   type = object({
-    api_key = string
-    enable_integration = bool
-    install_log_forwarder = optional(bool, false)
-    log_collection_services = optional(list(string), [])
-    site_url = string
+    api_key = string
+    cspm_resource_collection_enabled = optional(bool, false)
+    enable_integration = bool
+    extended_resource_collection_enabled = optional(bool, false)
+    install_log_forwarder = optional(bool, false)
+    log_collection_services = optional(list(string), [])
+    log_forwarder_version = optional(string)
+    metric_tag_filters = optional(map(string), {})
+    namespace_rules = optional(list(string), [])
+    site_url = string
   })
   default = null
   description = "Datadog integration options for the core accounts"
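Review bot: `api_key = string` stays a plain field of `variable "datadog"`, and no `sensitive = true` is visible in the hunk, so the Datadog API key is printed in plan output and in state diffs unless that attribute is declared after `description` (the variable's closing brace lies outside the hunk, so this needs confirming). Adding `sensitive = true` to the variable redacts the key, at the cost of also redacting the non-secret fields of the same object; if that trade-off is unwanted, the description should at least tell callers to source the key from a secret store rather than a committed tfvars file. The description could also warn that `cspm_resource_collection_enabled` and `extended_resource_collection_enabled` presumably widen what the Datadog integration role is allowed to read in each core account, e.g. `description = "Datadog integration options for the core accounts. CSPM and extended resource collection grant Datadog broader read access; supply api_key from a secret store."` — verify against the module's IAM policy before stating it as fact.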