chore: use datadog cloudfront method to deploy Forwarder

COREINF-1665

Author: jim80net

files/aws-dd-forwarder-3.5.0.zip

@@ -1,106 +1,11 @@
-resource "aws_iam_policy" "datadog-logshipping" {
-  name        = "${local.stack_prefix}datadog-logshipping-integration"
-  path        = "/"
-  description = "This IAM policy allows for logshipping aws logs. See https://docs.datadoghq.com/integrations/amazon_web_services/?tab=allpermissions#manually-setup-triggers"
-
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-          "Action": [
-            "cloudfront:GetDistributionConfig",
-            "cloudfront:ListDistributions",
-            "elasticloadbalancing:DescribeLoadBalancers",
-            "elasticloadbalancing:DescribeLoadBalancerAttributes",
-            "lambda:AddPermission",
-            "lambda:GetPolicy",
-            "lambda:RemovePermission",
-            "redshift:DescribeClusters",
-            "redshift:DescribeLoggingStatus",
-            "s3:GetBucketLogging",
-            "s3:GetBucketLocation",
-            "s3:GetBucketNotification",
-            "s3:ListAllMyBuckets",
-            "s3:PutBucketNotification",
-            "s3:GetObject",
-            "logs:PutSubscriptionFilter",
-            "logs:DeleteSubscriptionFilter",
-            "logs:DescribeSubscriptionFilters"
-          ],
-          "Resource": "*",
-          "Effect": "Allow"
-        }
-    ]
-}
-EOF
-}
-
-# Create a lambda function that will export CT logs to DD
-resource "aws_iam_role" "dd-log-lambda" {
-  name = "${local.stack_prefix}dd_log_lambda"
-
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-
-  tags = local.default_tags
-}
-
-resource "aws_iam_role_policy_attachment" "datadog-logshipping-lambda-attach" {
-  role       = aws_iam_role.dd-log-lambda.name
-  policy_arn = aws_iam_policy.datadog-logshipping.arn
-}
-
-resource "aws_iam_role_policy_attachment" "datadog-logshipping-lambda-attach2" {
-  role       = aws_iam_role.dd-log-lambda.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-}
-
-resource "aws_iam_role_policy_attachment" "datadog-logshipping-lambda-attach3" {
-  role       = aws_iam_role.dd-log-lambda.name
-  policy_arn = "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess"
-}
-
-resource "aws_lambda_function" "dd-log" {
-  filename      = "${path.module}/files/aws-dd-forwarder-3.5.0.zip"
-  function_name = "${local.stack_prefix}DatadogLambdaFunction"
-  role          = aws_iam_role.dd-log-lambda.arn
-  handler       = "lambda_function.lambda_handler"
-  description   = "This lambda function will export logs to our orgs Datadog events"
-
-  source_code_hash = filebase64sha256("${path.module}/files/aws-dd-forwarder-3.5.0.zip")
-
-  runtime     = "python3.7"
-  memory_size = "1024"
-  timeout     = "120"
-
-  # This brings in requirements for the lambda to run (imports modules)
-  # This allows the dd_log_lambda.zip to be very small https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html
-  # This specific layer is: https://github.com/DataDog/datadog-lambda-layer-python
-  layers = [
-    "arn:aws:lambda:${var.aws_region}:464622532012:layer:Datadog-Python27:11",
-    "arn:aws:lambda:${var.aws_region}:464622532012:layer:Datadog-Trace-Forwarder-Python37:5"
-  ]
-
-  environment {
-    variables = {
-      DD_API_KEY          = var.datadog_api_key
-      DD_ENHANCED_METRICS = "false"
-      DD_TAGS             = "namespace:${var.namespace},env:${var.env}"
-      EXCLUDE_AT_MATCH    = var.log_exclude_at_match
-    }
+resource "aws_cloudformation_stack" "datadog-forwarder" {
+  name         = "datadog-forwarder"
+  capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
+  parameters = {
+    DdApiKey       = var.datadog_api_key
+    DdTags         = "namespace:${var.namespace},env:${var.env}"
+    ExcludeAtMatch = var.log_exclude_at_match
+    FunctionName   = "datadog-forwarder"
   }
+  template_url = "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml"
 }

logshipping.tf

@@ -3,7 +3,7 @@ resource "aws_lambda_permission" "allow-ctbucket-trigger" {
   count         = var.cloudtrail_bucket_id != "" ? 1 : 0
   statement_id  = "AllowExecutionFromCTBucket"
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.dd-log.arn
+  function_name = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
   principal     = "s3.amazonaws.com"
   source_arn    = var.cloudtrail_bucket_arn
 }
@@ -14,7 +14,7 @@ resource "aws_s3_bucket_notification" "ctbucket-notification-dd-log" {
   bucket = var.cloudtrail_bucket_id
 
   lambda_function {
-    lambda_function_arn = aws_lambda_function.dd-log.arn
+    lambda_function_arn = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
     events              = ["s3:ObjectCreated:*"]
   }
 }

logshipping_cloudtrail.tf

@@ -3,15 +3,15 @@ resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter
   name            = "${var.cloudwatch_log_groups[count.index]}-filter"
   log_group_name  = var.cloudwatch_log_groups[count.index]
   filter_pattern  = ""
-  destination_arn = aws_lambda_function.dd-log.arn
+  destination_arn = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
   distribution    = "Random"
 }
 
 resource aws_lambda_permission "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
   count         = length(var.cloudwatch_log_groups)
   statement_id  = "${replace(var.cloudwatch_log_groups[count.index], "/", "_")}-AllowExecutionFromCloudWatchLogs"
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.dd-log.function_name
+  function_name = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
   principal     = "logs.${var.aws_region}.amazonaws.com"
   source_arn    = "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${var.cloudwatch_log_groups[count.index]}:*"
 }

logshipping_cloudwatch_log.tf

@@ -3,7 +3,7 @@ resource "aws_lambda_permission" "allow-elblog-trigger" {
   count         = var.create_elb_logs_bucket ? 1 : 0
   statement_id  = "AllowExecutionFromELBLogBucket"
   action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.dd-log.arn
+  function_name = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
   principal     = "s3.amazonaws.com"
   source_arn    = aws_s3_bucket.elb_logs[0].arn
 }
@@ -14,7 +14,7 @@ resource "aws_s3_bucket_notification" "elblog-notification-dd-log" {
   bucket = aws_s3_bucket.elb_logs[0].id
 
   lambda_function {
-    lambda_function_arn = aws_lambda_function.dd-log.arn
+    lambda_function_arn = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
     events              = ["s3:ObjectCreated:*"]
   }
 }

logshipping_elb.tf

@@ -1,5 +1,5 @@
 output "datadog_log_shipping_lambda_function_name" {
-  value = aws_lambda_function.dd-log.function_name
+  value = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
 }
 output "datadog_iam_role" {
   value = var.enable_datadog_aws_integration ? aws_iam_role.datadog-integration[0].name : ""