Add support for DataDog metrics extension/lambdajs wrapper (#20)

araqnid · web-flow · commit ae39420deb28 · 2025-11-04T10:32:51.000Z
* Add support for DataDog metrics extension/lambdajs wrapper

* Provide API key even when datadog_metrics is set to 'extension'

* Take DataDog layers from the region that the lambda is being installed into
diff --git a/iam.tf b/iam.tf
@@ -34,3 +34,22 @@ resource "aws_iam_role_policy_attachment" "vpc_permissions" {
 
   count = length(var.subnet_ids) != 0 ? 1 : 0
 }
+
+resource "aws_iam_role_policy" "read_datadog_api_key" {
+  count = local.datadog_install_extension ? 1 : 0
+  role = aws_iam_role.iam_for_lambda.id
+  name = "read_datadog_api_key"
+  policy = data.aws_iam_policy_document.read_datadog_api_key.json
+}
+
+data "aws_iam_policy_document" "read_datadog_api_key" {
+  statement {
+    sid = "ReadSecrets"
+    actions = [
+      "secretsmanager:GetSecretValue"
+    ]
+    resources = [
+      data.aws_secretsmanager_secret.datadog_api_key.arn,
+    ]
+  }
+}
diff --git a/main.tf b/main.tf
@@ -1,49 +1,76 @@
 locals {
   security_group_ids = var.use_default_security_group == false ? var.security_group_ids : [data.aws_security_group.default[0].id]
+
+  datadog_extension_layers_available = {
+    x86_64 = "arn:aws:lambda:${data.aws_region.current.region}:464622532012:layer:Datadog-Extension:${var.datadog_extension_layer_version}"
+    arm64  = "arn:aws:lambda:${data.aws_region.current.region}:464622532012:layer:Datadog-Extension-ARM:${var.datadog_extension_layer_version}"
+  }
+  datadog_lambdajs_layers_available = {
+    "nodejs18.x" = "arn:aws:lambda:${data.aws_region.current.region}:464622532012:layer:Datadog-Node18-x:${var.datadog_lambdajs_layer_version}"
+    "nodejs20.x" = "arn:aws:lambda:${data.aws_region.current.region}:464622532012:layer:Datadog-Node20-x:${var.datadog_lambdajs_layer_version}"
+    "nodejs22.x" = "arn:aws:lambda:${data.aws_region.current.region}:464622532012:layer:Datadog-Node22-x:${var.datadog_lambdajs_layer_version}"
+  }
+  datadog_install_extension = var.datadog_metrics != "none"
+  datadog_install_lambdajs  = var.datadog_metrics == "lambdajs"
+  datadog_extension_layer   = local.datadog_install_extension ? [local.datadog_extension_layers_available[var.architectures[0]]] : []
+  datadog_extension_env = local.datadog_install_extension ? {
+    DD_SITE               = "datadoghq.com"
+    DD_API_KEY_SECRET_ARN = data.aws_secretsmanager_secret.datadog_api_key.arn
+  } : {}
+  datadog_lambdajs_layer = local.datadog_install_lambdajs ? [local.datadog_lambdajs_layers_available[var.runtime]] : []
+  datadog_lambdajs_env = local.datadog_install_lambdajs ? {
+    DD_LAMBDA_HANDLER = var.handler
+  } : {}
+}
+
+data "aws_region" "current" {
 }
 
 data "aws_security_group" "default" {
-  count = var.use_default_security_group == true ? 1 : 0
-  name = "${terraform.workspace}-default-lambda-sg"
+  count  = var.use_default_security_group == true ? 1 : 0
+  name   = "${terraform.workspace}-default-lambda-sg"
   vpc_id = var.vpc_id
 }
 
+data "aws_secretsmanager_secret" "datadog_api_key" {
+  name = "${terraform.workspace == "live" ? "live" : "dev"}/datadog-agent-service"
+}
 
 resource "aws_lambda_function" "lambda_function" {
-  image_uri                       = var.image_uri
-  s3_bucket                       = var.s3_bucket
-  s3_key                          = var.s3_key
-  function_name                   = var.function_name
-  role                            = aws_iam_role.iam_for_lambda.arn
-  handler                         = var.handler
-  runtime                         = var.runtime
-  timeout                         = var.timeout
-  memory_size                     = var.memory_size
-  reserved_concurrent_executions  = var.reserved_concurrent_executions
-  tags                            = var.tags
-  package_type                    = var.image_uri != null ? "Image" : "Zip"
-  layers                          = var.layers
-  architectures                   = var.architectures
+  image_uri                      = var.image_uri
+  s3_bucket                      = var.s3_bucket
+  s3_key                         = var.s3_key
+  function_name                  = var.function_name
+  role                           = aws_iam_role.iam_for_lambda.arn
+  handler                        = local.datadog_install_lambdajs ? "/opt/nodejs/node_modules/datadog-lambda-js/handler.handler" : var.handler
+  runtime                        = var.runtime
+  timeout                        = var.timeout
+  memory_size                    = var.memory_size
+  reserved_concurrent_executions = var.reserved_concurrent_executions
+  tags                           = var.tags
+  package_type                   = var.image_uri != null ? "Image" : "Zip"
+  layers                         = concat(var.layers, local.datadog_lambdajs_layer, local.datadog_extension_layer)
+  architectures                  = var.architectures
 
   dynamic "image_config" {
     for_each = var.image_uri != null ? [1] : []
-    content  {
-        command = var.image_config_command
-        entry_point = var.image_config_entry_point
-        working_directory = var.image_config_working_directory
+    content {
+      command           = var.image_config_command
+      entry_point       = var.image_config_entry_point
+      working_directory = var.image_config_working_directory
     }
   }
 
-   dynamic vpc_config {
-    for_each = local.security_group_ids != null ? [1] : [] 
-      content {
-        subnet_ids = var.subnet_ids
-        security_group_ids = local.security_group_ids
-      }
+  dynamic "vpc_config" {
+    for_each = local.security_group_ids != null ? [1] : []
+    content {
+      subnet_ids         = var.subnet_ids
+      security_group_ids = local.security_group_ids
+    }
   }
 
   environment {
-    variables = var.lambda_env
+    variables = merge(var.lambda_env, local.datadog_extension_env, local.datadog_lambdajs_env)
   }
 
   tracing_config {
diff --git a/variables.tf b/variables.tf
@@ -154,4 +154,22 @@ variable "tracing_mode" {
   type        = string
   description = "Tracing mode for the Lambda. Valid options: PassThrough (default) and Active."
   default = "PassThrough"
-}
+}
+
+variable "datadog_extension_layer_version" {
+  type = number
+  description = "Version number of DataDog extension layer to add"
+  default = 88
+}
+
+variable "datadog_lambdajs_layer_version" {
+  type = number
+  description = "Version number of DataDog NodeJS lambda layer to add"
+  default = 130
+}
+
+variable "datadog_metrics" {
+  type = string
+  description = "Add DataDog metrics extension ('extension') and optional NodeJS handler wrapper ('lambdajs')"
+  default = "none"
+}
