Datadog Upstreams and Account Settings (cloudposse/terraform-aws-components#533)

Benbentwo · web-flow · commit 7d4afd7e340e · 2023-01-05T13:19:00.000-08:00
diff --git a/src/README.md b/src/README.md
@@ -41,9 +41,6 @@ components:
           transfer-sftp:
             name: "/aws/transfer/s-xxxxxxxxxxxx"
             filter_pattern: ""
-        dd_api_key_source:
-          resource: "ssm"
-          identifier: "datadog/datadog_api_key"
 ```
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -67,7 +64,7 @@ components:
 |------|--------|---------|
 | <a name="module_datadog-integration"></a> [datadog-integration](#module\_datadog-integration) | cloudposse/stack-config/yaml//modules/remote-state | 1.3.1 |
 | <a name="module_datadog_configuration"></a> [datadog\_configuration](#module\_datadog\_configuration) | ../datadog-configuration/modules/datadog_keys | n/a |
-| <a name="module_datadog_lambda_forwarder"></a> [datadog\_lambda\_forwarder](#module\_datadog\_lambda\_forwarder) | cloudposse/datadog-lambda-forwarder/aws | 1.0.0 |
+| <a name="module_datadog_lambda_forwarder"></a> [datadog\_lambda\_forwarder](#module\_datadog\_lambda\_forwarder) | cloudposse/datadog-lambda-forwarder/aws | 1.1.0 |
 | <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a |
 | <a name="module_log_group_prefix"></a> [log\_group\_prefix](#module\_log\_group\_prefix) | cloudposse/label/null | 0.25.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
@@ -93,7 +90,6 @@ components:
 | <a name="input_context_tags_enabled"></a> [context\_tags\_enabled](#input\_context\_tags\_enabled) | Whether to add context tags to add to each monitor | `bool` | `true` | no |
 | <a name="input_datadog_forwarder_lambda_environment_variables"></a> [datadog\_forwarder\_lambda\_environment\_variables](#input\_datadog\_forwarder\_lambda\_environment\_variables) | Map of environment variables to pass to the Lambda Function | `map(string)` | `{}` | no |
 | <a name="input_dd_api_key_kms_ciphertext_blob"></a> [dd\_api\_key\_kms\_ciphertext\_blob](#input\_dd\_api\_key\_kms\_ciphertext\_blob) | CiphertextBlob stored in environment variable DD\_KMS\_API\_KEY used by the lambda function, along with the KMS key, to decrypt Datadog API key | `string` | `""` | no |
-| <a name="input_dd_api_key_source"></a> [dd\_api\_key\_source](#input\_dd\_api\_key\_source) | One of: ARN for AWS Secrets Manager (asm) to retrieve the Datadog (DD) api key, ARN for the KMS (kms) key used to decrypt the ciphertext\_blob of the api key, or the name of the SSM (ssm) parameter used to retrieve the Datadog API key | <pre>object({<br>    resource   = string<br>    identifier = string<br>  })</pre> | <pre>{<br>  "identifier": "",<br>  "resource": ""<br>}</pre> | no |
 | <a name="input_dd_artifact_filename"></a> [dd\_artifact\_filename](#input\_dd\_artifact\_filename) | The Datadog artifact filename minus extension | `string` | `"aws-dd-forwarder"` | no |
 | <a name="input_dd_forwarder_version"></a> [dd\_forwarder\_version](#input\_dd\_forwarder\_version) | Version tag of Datadog lambdas to use. https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.61.0"` | no |
 | <a name="input_dd_module_name"></a> [dd\_module\_name](#input\_dd\_module\_name) | The Datadog GitHub repository name | `string` | `"datadog-serverless-functions"` | no |
diff --git a/src/main.tf b/src/main.tf
@@ -40,11 +40,14 @@ module "log_group_prefix" {
 
 module "datadog_lambda_forwarder" {
   source  = "cloudposse/datadog-lambda-forwarder/aws"
-  version = "1.0.0"
+  version = "1.1.0"
 
-  cloudwatch_forwarder_log_groups       = local.cloudwatch_forwarder_log_groups
-  dd_api_key_kms_ciphertext_blob        = var.dd_api_key_kms_ciphertext_blob
-  dd_api_key_source                     = var.dd_api_key_source
+  cloudwatch_forwarder_log_groups = local.cloudwatch_forwarder_log_groups
+  dd_api_key_kms_ciphertext_blob  = var.dd_api_key_kms_ciphertext_blob
+  dd_api_key_source = {
+    resource   = lower(module.datadog_configuration.datadog_secrets_store_type)
+    identifier = module.datadog_configuration.datadog_api_key_location
+  }
   dd_artifact_filename                  = var.dd_artifact_filename
   dd_forwarder_version                  = var.dd_forwarder_version
   dd_module_name                        = var.dd_module_name
@@ -76,6 +79,8 @@ module "datadog_lambda_forwarder" {
 
   datadog_forwarder_lambda_environment_variables = var.datadog_forwarder_lambda_environment_variables
 
+  api_key_ssm_arn = module.datadog_configuration.api_key_ssm_arn
+
   context = module.this.context
 }
 
diff --git a/src/variables.tf b/src/variables.tf
@@ -34,43 +34,6 @@ variable "tracing_config_mode" {
   default     = "PassThrough"
 }
 
-variable "dd_api_key_source" {
-  description = "One of: ARN for AWS Secrets Manager (asm) to retrieve the Datadog (DD) api key, ARN for the KMS (kms) key used to decrypt the ciphertext_blob of the api key, or the name of the SSM (ssm) parameter used to retrieve the Datadog API key"
-  type = object({
-    resource   = string
-    identifier = string
-  })
-
-  default = {
-    resource   = ""
-    identifier = ""
-  }
-
-  # Resource can be one of kms, asm, ssm ("" to disable all lambda resources)
-  validation {
-    condition     = can(regex("(kms|asm|ssm)", var.dd_api_key_source.resource)) || var.dd_api_key_source.resource == ""
-    error_message = "Provide one, and only one, ARN for (kms, asm) or name (ssm) to retrieve or decrypt Datadog api key."
-  }
-
-  # Check KMS ARN format
-  validation {
-    condition     = var.dd_api_key_source.resource == "kms" ? can(regex("arn:.*:kms:.*:key/.*", var.dd_api_key_source.identifier)) : true
-    error_message = "ARN for KMS key does not appear to be valid format (example: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab)."
-  }
-
-  # Check ASM ARN format
-  validation {
-    condition     = var.dd_api_key_source.resource == "asm" ? can(regex("arn:.*:secretsmanager:.*:secret:.*", var.dd_api_key_source.identifier)) : true
-    error_message = "ARN for AWS Secrets Manager (asm) does not appear to be valid format (example: arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c)."
-  }
-
-  # Check SSM name format
-  validation {
-    condition     = var.dd_api_key_source.resource == "ssm" ? can(regex("^[a-zA-Z0-9_./-]+$", var.dd_api_key_source.identifier)) : true
-    error_message = "Name for SSM parameter does not appear to be valid format, acceptable characters are `a-zA-Z0-9_.-` and `/` to delineate hierarchies."
-  }
-}
-
 variable "dd_api_key_kms_ciphertext_blob" {
   type        = string
   description = "CiphertextBlob stored in environment variable DD_KMS_API_KEY used by the lambda function, along with the KMS key, to decrypt Datadog API key"
@@ -240,7 +203,7 @@ variable "lambda_arn_enabled" {
 curl -X GET "${DD_API_URL}/api/v1/integration/aws/logs/services" \
 -H "Accept: application/json" \
 -H "DD-API-KEY: ${DD_API_KEY}" \
--H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
+-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" | jq '.[] | .id'
 **/
 variable "log_collection_services" {
   type        = list(string)
