feat: attach extra iam policies (#37)

bcha · web-flow · commit 8411cadea20c · 2021-08-24T18:52:43.000-07:00
&gt; adds datadog-core-attach-extras, a simple feature to just allow extra policies to be attached to the core integration role. we've been using this for like over 6 months in a fork with the datadog s3 log archive functionality, which uses the same role as the core integration &amp; requires some extra s3 permissions.

&gt; i'm not personally aware of other similarish cases where the core role would need some extra permissions, but if there are any then this can be used for those too
diff --git a/logs_monitoring.tf b/logs_monitoring.tf
@@ -1,4 +1,4 @@
-resource aws_cloudformation_stack "datadog-forwarder" {
+resource "aws_cloudformation_stack" "datadog-forwarder" {
   name         = "${local.stack_prefix}datadog-forwarder"
   capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
   parameters = {
@@ -18,13 +18,13 @@ resource aws_cloudformation_stack "datadog-forwarder" {
   }
 }
 
-resource aws_secretsmanager_secret "datadog_api_key" {
+resource "aws_secretsmanager_secret" "datadog_api_key" {
   name_prefix = "${local.stack_prefix}datadog-api-key"
   description = "Datadog API Key"
   tags        = local.default_tags
 }
 
-resource aws_secretsmanager_secret_version "datadog_api_key" {
+resource "aws_secretsmanager_secret_version" "datadog_api_key" {
   secret_id     = aws_secretsmanager_secret.datadog_api_key.id
   secret_string = var.datadog_api_key
 }
diff --git a/logs_monitoring_cloudwatch_log.tf b/logs_monitoring_cloudwatch_log.tf
@@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter
   distribution    = "Random"
 }
 
-resource aws_lambda_permission "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
+resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
   count         = length(var.cloudwatch_log_groups)
   statement_id  = "${replace(var.cloudwatch_log_groups[count.index], "/", "_")}-AllowExecutionFromCloudWatchLogs"
   action        = "lambda:InvokeFunction"
diff --git a/main.tf b/main.tf
@@ -141,3 +141,9 @@ resource "aws_iam_role_policy_attachment" "datadog-core-attach" {
   role       = aws_iam_role.datadog-integration[0].name
   policy_arn = aws_iam_policy.datadog-core[0].arn
 }
+
+resource "aws_iam_role_policy_attachment" "datadog-core-attach-extras" {
+  for_each   = toset(var.extra_policy_arns)
+  role       = aws_iam_role.datadog-integration[0].name
+  policy_arn = each.value
+}
diff --git a/vars.tf b/vars.tf
@@ -49,7 +49,7 @@ variable "env" {
 }
 variable "account_specific_namespace_rules" {
   description = "account_specific_namespace_rules argument for datadog_integration_aws resource"
-  type        = map
+  type        = map(any)
   default     = {}
 }
 variable "elb_logs_bucket_prefix" {
@@ -86,3 +86,9 @@ variable "filter_tags" {
   type        = list(string)
   default     = []
 }
+
+variable "extra_policy_arns" {
+  description = "Extra policy arns to attach to the datadog-integration-role"
+  type        = list(string)
+  default     = []
+}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-resource aws_cloudformation_stack "datadog-forwarder" {`
	`1`	`+resource "aws_cloudformation_stack" "datadog-forwarder" {`
`2`	`2`	`name = "${local.stack_prefix}datadog-forwarder"`
`3`	`3`	`capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]`
`4`	`4`	`parameters = {`
`@@ -18,13 +18,13 @@ resource aws_cloudformation_stack "datadog-forwarder" {`
`18`	`18`	`}`
`19`	`19`	`}`
`20`	`20`
`21`		`-resource aws_secretsmanager_secret "datadog_api_key" {`
	`21`	`+resource "aws_secretsmanager_secret" "datadog_api_key" {`
`22`	`22`	`name_prefix = "${local.stack_prefix}datadog-api-key"`
`23`	`23`	`description = "Datadog API Key"`
`24`	`24`	`tags = local.default_tags`
`25`	`25`	`}`
`26`	`26`
`27`		`-resource aws_secretsmanager_secret_version "datadog_api_key" {`
	`27`	`+resource "aws_secretsmanager_secret_version" "datadog_api_key" {`
`28`	`28`	`secret_id = aws_secretsmanager_secret.datadog_api_key.id`
`29`	`29`	`secret_string = var.datadog_api_key`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter`
`7`	`7`	`distribution = "Random"`
`8`	`8`	`}`
`9`	`9`
`10`		`-resource aws_lambda_permission "allow_cloudwatch_logs_to_call_dd_lambda_handler" {`
	`10`	`+resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {`
`11`	`11`	`count = length(var.cloudwatch_log_groups)`
`12`	`12`	`statement_id = "${replace(var.cloudwatch_log_groups[count.index], "/", "_")}-AllowExecutionFromCloudWatchLogs"`
`13`	`13`	`action = "lambda:InvokeFunction"`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ variable "env" {`
`49`	`49`	`}`
`50`	`50`	`variable "account_specific_namespace_rules" {`
`51`	`51`	`description = "account_specific_namespace_rules argument for datadog_integration_aws resource"`
`52`		`- type = map`
	`52`	`+ type = map(any)`
`53`	`53`	`default = {}`
`54`	`54`	`}`
`55`	`55`	`variable "elb_logs_bucket_prefix" {`
`@@ -86,3 +86,9 @@ variable "filter_tags" {`
`86`	`86`	`type = list(string)`
`87`	`87`	`default = []`
`88`	`88`	`}`
	`89`	`+`
	`90`	`+variable "extra_policy_arns" {`
	`91`	`+ description = "Extra policy arns to attach to the datadog-integration-role"`
	`92`	`+ type = list(string)`
	`93`	`+ default = []`
	`94`	`+}`