fix: use AWS Secrets Manager instead of supplying API Key parameter

- Avoids always reapplying changes due to this bug: hashicorp/terraform-provider-aws#55
scribd · Apr 14, 2020 · 647e8e9 · 647e8e9
1 parent fa93d8b
commit 647e8e9
Show file tree

Hide file tree

Showing 2 changed files with 636 additions and 2 deletions.
diff --git a/logs_monitoring.tf b/logs_monitoring.tf
@@ -1,11 +1,27 @@
+data "local_file" "template_yaml" {
+  filename = "${path.module}/logs_monitoring_template.yaml"
+}
+
 resource "aws_cloudformation_stack" "datadog-forwarder" {
   name         = "datadog-forwarder"
   capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
   parameters = {
-    DdApiKey       = var.datadog_api_key
+    DdApiKeySecret = aws_secretsmanager_secret.datadog_api_key.arn
     DdTags         = "namespace:${var.namespace},env:${var.env}"
     ExcludeAtMatch = var.log_exclude_at_match
     FunctionName   = "datadog-forwarder"
   }
-  template_url = "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/3.6.0.yaml"
+  #template_url = "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/3.6.0.yaml"
+  template_body = data.local_file.template_yaml.content
+
+}
+
+resource "aws_secretsmanager_secret" "datadog_api_key" {
+  name        = "datadog_api_key"
+  description = "Datadog API Key"
+}
+
+resource "aws_secretsmanager_secret_version" "datadog_api_key" {
+  secret_id     = aws_secretsmanager_secret.datadog_api_key.id
+  secret_string = var.datadog_api_key
 }