upstream acm and datadog-integration (cloudposse/terraform-aws-components#666)

Benbentwo · web-flow · commit fb2e3a675fd5 · 2023-05-10T11:35:57.000-07:00
diff --git a/src/README.md b/src/README.md
@@ -1,6 +1,6 @@
 # Component: `datadog-integration`
 
-This component is responsible for provisioning Datadog AWS integrations.
+This component is responsible for provisioning Datadog AWS integrations. 
 
 See Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) for more information.
 
@@ -32,7 +32,9 @@ components:
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9.0 |
 
 ## Modules
 
@@ -46,7 +48,9 @@ No providers.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_regions.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 
 ## Inputs
 
@@ -68,6 +72,7 @@ No resources.
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_import_profile_name"></a> [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
 | <a name="input_import_role_arn"></a> [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
+| <a name="input_included_regions"></a> [included\_regions](#input\_included\_regions) | An array of AWS regions to include in metrics collection | `list(string)` | `[]` | no |
 | <a name="input_integrations"></a> [integrations](#input\_integrations) | List of AWS permission names to apply for different integrations (e.g. 'all', 'core') | `list(string)` | <pre>[<br>  "all"<br>]</pre> | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
@@ -91,49 +96,6 @@ No resources.
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 
-## FAQ:
-
-### Stack Errors (Spacelift):
-
-```
-╷
-│ Error: error creating AWS integration from https://api.datadoghq.com/api/v1/integration/aws: 409 Conflict: {"errors": ["Could not update AWS Integration due to conflicting updates"]}
-│
-│   with module.datadog_integration.datadog_integration_aws.integration[0],
-│   on .terraform/modules/datadog_integration/main.tf line 18, in resource "datadog_integration_aws" "integration":
-│   18: resource "datadog_integration_aws" "integration" {
-│
-╵
-```
-
-This can happen when you apply multiple integrations at the same time. Fix is easy though, re-trigger the stack.
-
-## Enabling Security Audits
-
-To enable the Datadog compliance capabilities, AWS integration to must have the `SecurityAudit` policy attached to the Datadog IAM role. This is handled by our [https://github.com/cloudposse/terraform-aws-datadog-integration](https://github.com/cloudposse/terraform-aws-datadog-integration) module used
-
-the by the `datadog-integration` component.
-
-Attaching the `SecurityAudit` policy allows Datadog to collect information about how AWS resources are configured (used in Datadog Cloud Security Posture Management to read security configuration metadata)
-
-- Datadog Cloud Security Posture Management (CSPM) makes it easier to assess and visualize the current and historic security posture of cloud environments, automate audit evidence collection, and catch misconfigurations that leave your organization vulnerable to attacks
-
-- Cloud Security Posture Management (CSPM) can be accessed at [https://app.datadoghq.com/security/compliance/home](https://app.datadoghq.com/security/compliance/home)
-
-- The process to enable Datadog Cloud Security Posture Management (CSPM) consists of two steps (one automated, the other manual):
-
-- Enable `SecurityAudit` policy and provision it with terraform
-
-- In Datadog UI, perform the following manual steps:
-
-```
-Go to the Datadog AWS integration tile
-Click on the AWS account where you wish to enable resource collection
-Go to the Resource collection section for that account and check the box "Route resource data to the Cloud Security Posture Management product"
-At the bottom left of the tile, click Update Configuration
-
-```
-
 ## References
 * Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys)
 * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/datadog-integration) - Cloud Posse's upstream component
diff --git a/src/main.tf b/src/main.tf
@@ -1,3 +1,13 @@
+locals {
+  use_include_regions      = length(var.included_regions) > 0
+  all_regions              = data.aws_regions.all.names
+  excluded_list_by_include = setsubtract(local.use_include_regions ? local.all_regions : [], var.included_regions)
+}
+
+data "aws_regions" "all" {
+  all_regions = true
+}
+
 module "datadog_integration" {
   source  = "cloudposse/datadog-integration/aws"
   version = "1.0.0"
@@ -8,7 +18,7 @@ module "datadog_integration" {
   integrations                     = var.integrations
   filter_tags                      = local.filter_tags
   host_tags                        = local.host_tags
-  excluded_regions                 = var.excluded_regions
+  excluded_regions                 = concat(var.excluded_regions, tolist(local.excluded_list_by_include))
   account_specific_namespace_rules = var.account_specific_namespace_rules
 
   context = module.this.context
diff --git a/src/variables.tf b/src/variables.tf
@@ -33,6 +33,11 @@ variable "excluded_regions" {
   default     = []
 }
 
+variable "included_regions" {
+  type        = list(string)
+  description = "An array of AWS regions to include in metrics collection"
+  default     = []
+}
 variable "account_specific_namespace_rules" {
   type        = map(string)
   description = "An object, (in the form {\"namespace1\":true/false, \"namespace2\":true/false} ), that enables or disables metric collection for specific AWS namespaces for this AWS account only"
