feat: Add support for CloudWatch log group KMS key (#31)

michemache · bryantbiggs · web-flow · commit 63e0576fdf68 · 2023-04-21T16:44:30.000-04:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -135,6 +135,7 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | <a name="input_log_forwarder_kms_key_arn"></a> [log\_forwarder\_kms\_key\_arn](#input\_log\_forwarder\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_log_forwarder_lambda_tags"></a> [log\_forwarder\_lambda\_tags](#input\_log\_forwarder\_lambda\_tags) | A map of tags to apply to the log forwarder lambda function | `map(string)` | `{}` | no |
 | <a name="input_log_forwarder_layers"></a> [log\_forwarder\_layers](#input\_log\_forwarder\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to the log forwarder lambda | `list(string)` | `[]` | no |
+| <a name="input_log_forwarder_log_kms_key_id"></a> [log\_forwarder\_log\_kms\_key\_id](#input\_log\_forwarder\_log\_kms\_key\_id) | The AWS KMS Key ARN to use for CloudWatch log group encryption | `string` | `null` | no |
 | <a name="input_log_forwarder_log_retention_days"></a> [log\_forwarder\_log\_retention\_days](#input\_log\_forwarder\_log\_retention\_days) | Log forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_log_forwarder_memory_size"></a> [log\_forwarder\_memory\_size](#input\_log\_forwarder\_memory\_size) | Memory size for the log forwarder lambda function | `number` | `1024` | no |
 | <a name="input_log_forwarder_name"></a> [log\_forwarder\_name](#input\_log\_forwarder\_name) | Log forwarder lambda name | `string` | `"datadog-log-forwarder"` | no |
@@ -181,6 +182,7 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | <a name="input_rds_em_forwarder_kms_key_arn"></a> [rds\_em\_forwarder\_kms\_key\_arn](#input\_rds\_em\_forwarder\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_rds_em_forwarder_lambda_tags"></a> [rds\_em\_forwarder\_lambda\_tags](#input\_rds\_em\_forwarder\_lambda\_tags) | A map of tags to apply to the RDS enhanced monitoring forwarder lambda function | `map(string)` | `{}` | no |
 | <a name="input_rds_em_forwarder_layers"></a> [rds\_em\_forwarder\_layers](#input\_rds\_em\_forwarder\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to the RDS enhanced monitoring forwarder lambda | `list(string)` | `[]` | no |
+| <a name="input_rds_em_forwarder_log_kms_key_id"></a> [rds\_em\_forwarder\_log\_kms\_key\_id](#input\_rds\_em\_forwarder\_log\_kms\_key\_id) | The AWS KMS Key ARN to use for CloudWatch log group encryption | `string` | `null` | no |
 | <a name="input_rds_em_forwarder_log_retention_days"></a> [rds\_em\_forwarder\_log\_retention\_days](#input\_rds\_em\_forwarder\_log\_retention\_days) | RDS enhanced monitoring forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_rds_em_forwarder_memory_size"></a> [rds\_em\_forwarder\_memory\_size](#input\_rds\_em\_forwarder\_memory\_size) | Memory size for the RDS enhanced monitoring forwarder lambda function | `number` | `256` | no |
 | <a name="input_rds_em_forwarder_name"></a> [rds\_em\_forwarder\_name](#input\_rds\_em\_forwarder\_name) | RDS enhanced monitoring forwarder lambda name | `string` | `"datadog-rds-enhanced-monitoring-forwarder"` | no |
@@ -213,6 +215,7 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | <a name="input_vpc_fl_forwarder_kms_key_arn"></a> [vpc\_fl\_forwarder\_kms\_key\_arn](#input\_vpc\_fl\_forwarder\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_vpc_fl_forwarder_lambda_tags"></a> [vpc\_fl\_forwarder\_lambda\_tags](#input\_vpc\_fl\_forwarder\_lambda\_tags) | A map of tags to apply to the VPC flow log forwarder lambda function | `map(string)` | `{}` | no |
 | <a name="input_vpc_fl_forwarder_layers"></a> [vpc\_fl\_forwarder\_layers](#input\_vpc\_fl\_forwarder\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to the VPC flow log forwarder lambda | `list(string)` | `[]` | no |
+| <a name="input_vpc_fl_forwarder_log_kms_key_id"></a> [vpc\_fl\_forwarder\_log\_kms\_key\_id](#input\_vpc\_fl\_forwarder\_log\_kms\_key\_id) | The AWS KMS Key ARN to use for CloudWatch log group encryption | `string` | `null` | no |
 | <a name="input_vpc_fl_forwarder_log_retention_days"></a> [vpc\_fl\_forwarder\_log\_retention\_days](#input\_vpc\_fl\_forwarder\_log\_retention\_days) | VPC flow log forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_vpc_fl_forwarder_memory_size"></a> [vpc\_fl\_forwarder\_memory\_size](#input\_vpc\_fl\_forwarder\_memory\_size) | Memory size for the VPC flow log forwarder lambda function | `number` | `256` | no |
 | <a name="input_vpc_fl_forwarder_name"></a> [vpc\_fl\_forwarder\_name](#input\_vpc\_fl\_forwarder\_name) | VPC flow log forwarder lambda name | `string` | `"datadog-vpc-flow-log-forwarder"` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -106,6 +106,7 @@ module "default" {
     DD_URL                        = "api-pvtlink.logs.datadoghq.com" # log forwarder
   }
   log_forwarder_lambda_tags                   = { LogForwarderLambda = true }
+  log_forwarder_log_kms_key_id                = aws_kms_alias.datadog.target_key_arn
   log_forwarder_log_retention_days            = 3
   log_forwarder_bucket_prefix                 = "logforwarder"
   log_forwarder_s3_zip_server_side_encryption = "AES256"
@@ -129,6 +130,7 @@ module "default" {
   rds_em_forwarder_security_group_ids             = [module.security_group.security_group_id]
   rds_em_forwarder_environment_variables          = {}
   rds_em_forwarder_lambda_tags                    = { RdsForwarderLambda = true }
+  rds_em_forwarder_log_kms_key_id                 = aws_kms_alias.datadog.target_key_arn
   rds_em_forwarder_log_retention_days             = 3
   rds_em_forwarder_use_role_name_prefix           = true
   rds_em_forwarder_role_path                      = "/datadog/"
@@ -149,6 +151,7 @@ module "default" {
   vpc_fl_forwarder_security_group_ids             = [module.security_group.security_group_id]
   vpc_fl_forwarder_environment_variables          = {}
   vpc_fl_forwarder_lambda_tags                    = { VpcForwarderLambda = true }
+  vpc_fl_forwarder_log_kms_key_id                 = aws_kms_alias.datadog.target_key_arn
   vpc_fl_forwarder_log_retention_days             = 3
   vpc_fl_forwarder_use_role_name_prefix           = true
   vpc_fl_forwarder_role_path                      = "/datadog/"
diff --git a/main.tf b/main.tf
@@ -26,6 +26,7 @@ module "log_forwarder" {
   environment_variables          = var.log_forwarder_environment_variables
   lambda_tags                    = var.log_forwarder_lambda_tags
   log_retention_days             = var.log_forwarder_log_retention_days
+  log_kms_key_id                 = var.log_forwarder_log_kms_key_id
 
   create_bucket                                = var.create_bucket
   bucket_name                                  = var.bucket_name
@@ -86,6 +87,7 @@ module "rds_enhanced_monitoring_forwarder" {
   environment_variables          = var.rds_em_forwarder_environment_variables
   lambda_tags                    = var.rds_em_forwarder_lambda_tags
   log_retention_days             = var.rds_em_forwarder_log_retention_days
+  log_kms_key_id                 = var.rds_em_forwarder_log_kms_key_id
 
   create_role               = var.create_rds_em_forwarder_role
   role_arn                  = var.rds_em_forwarder_role_arn
@@ -133,6 +135,7 @@ module "vpc_flow_log_forwarder" {
   environment_variables          = var.vpc_fl_forwarder_environment_variables
   lambda_tags                    = var.vpc_fl_forwarder_lambda_tags
   log_retention_days             = var.vpc_fl_forwarder_log_retention_days
+  log_kms_key_id                 = var.vpc_fl_forwarder_log_kms_key_id
 
   create_role               = var.create_vpc_fl_forwarder_role
   role_arn                  = var.vpc_fl_forwarder_role_arn
diff --git a/modules/log_forwarder/README.md b/modules/log_forwarder/README.md
@@ -96,6 +96,7 @@ module "datadog_log_forwarder" {
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_lambda_tags"></a> [lambda\_tags](#input\_lambda\_tags) | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |
 | <a name="input_layers"></a> [layers](#input\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to the forwarder lambda | `list(string)` | `[]` | no |
+| <a name="input_log_kms_key_id"></a> [log\_kms\_key\_id](#input\_log\_kms\_key\_id) | The AWS KMS Key ARN to use for CloudWatch log group encryption | `string` | `null` | no |
 | <a name="input_log_retention_days"></a> [log\_retention\_days](#input\_log\_retention\_days) | Forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Memory size for the forwarder lambda function | `number` | `1024` | no |
 | <a name="input_name"></a> [name](#input\_name) | Forwarder lambda name | `string` | `"datadog-log-forwarder"` | no |
diff --git a/modules/log_forwarder/main.tf b/modules/log_forwarder/main.tf
@@ -224,6 +224,7 @@ resource "aws_cloudwatch_log_group" "this" {
 
   name              = "/aws/lambda/${aws_lambda_function.this[0].function_name}"
   retention_in_days = var.log_retention_days
+  kms_key_id        = var.log_kms_key_id
 
   tags = var.tags
 }
diff --git a/modules/log_forwarder/variables.tf b/modules/log_forwarder/variables.tf
@@ -274,3 +274,9 @@ variable "log_retention_days" {
   type        = number
   default     = 7
 }
+
+variable "log_kms_key_id" {
+  description = "The AWS KMS Key ARN to use for CloudWatch log group encryption"
+  type        = string
+  default     = null
+}
diff --git a/modules/rds_enhanced_monitoring_forwarder/README.md b/modules/rds_enhanced_monitoring_forwarder/README.md
@@ -72,6 +72,7 @@ No modules.
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_lambda_tags"></a> [lambda\_tags](#input\_lambda\_tags) | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |
 | <a name="input_layers"></a> [layers](#input\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to the forwarder lambda | `list(string)` | `[]` | no |
+| <a name="input_log_kms_key_id"></a> [log\_kms\_key\_id](#input\_log\_kms\_key\_id) | The AWS KMS Key ARN to use for CloudWatch log group encryption | `string` | `null` | no |
 | <a name="input_log_retention_days"></a> [log\_retention\_days](#input\_log\_retention\_days) | Forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Memory size for the forwarder lambda function | `number` | `256` | no |
 | <a name="input_name"></a> [name](#input\_name) | Forwarder lambda name | `string` | `"datadog-rds-enhanced-monitoring-forwarder"` | no |
diff --git a/modules/rds_enhanced_monitoring_forwarder/main.tf b/modules/rds_enhanced_monitoring_forwarder/main.tf
@@ -132,6 +132,7 @@ resource "aws_cloudwatch_log_group" "this" {
 
   name              = "/aws/lambda/${aws_lambda_function.this[0].function_name}"
   retention_in_days = var.log_retention_days
+  kms_key_id        = var.log_kms_key_id
 
   tags = var.tags
 }
diff --git a/modules/rds_enhanced_monitoring_forwarder/variables.tf b/modules/rds_enhanced_monitoring_forwarder/variables.tf
@@ -198,3 +198,9 @@ variable "log_retention_days" {
   type        = number
   default     = 7
 }
+
+variable "log_kms_key_id" {
+  description = "The AWS KMS Key ARN to use for CloudWatch log group encryption"
+  type        = string
+  default     = null
+}
diff --git a/modules/vpc_flow_log_forwarder/README.md b/modules/vpc_flow_log_forwarder/README.md
@@ -77,6 +77,7 @@ No modules.
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_lambda_tags"></a> [lambda\_tags](#input\_lambda\_tags) | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |
 | <a name="input_layers"></a> [layers](#input\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to the forwarder lambda | `list(string)` | `[]` | no |
+| <a name="input_log_kms_key_id"></a> [log\_kms\_key\_id](#input\_log\_kms\_key\_id) | The AWS KMS Key ARN to use for CloudWatch log group encryption | `string` | `null` | no |
 | <a name="input_log_retention_days"></a> [log\_retention\_days](#input\_log\_retention\_days) | Forwarder CloudWatch log group retention in days | `number` | `7` | no |
 | <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Memory size for the forwarder lambda function | `number` | `256` | no |
 | <a name="input_name"></a> [name](#input\_name) | Forwarder lambda name | `string` | `"datadog-vpc-flow-log-forwarder"` | no |
diff --git a/modules/vpc_flow_log_forwarder/main.tf b/modules/vpc_flow_log_forwarder/main.tf
@@ -150,6 +150,7 @@ resource "aws_cloudwatch_log_group" "this" {
 
   name              = "/aws/lambda/${aws_lambda_function.this[0].function_name}"
   retention_in_days = var.log_retention_days
+  kms_key_id        = var.log_kms_key_id
 
   tags = var.tags
 }
diff --git a/modules/vpc_flow_log_forwarder/variables.tf b/modules/vpc_flow_log_forwarder/variables.tf
@@ -215,3 +215,9 @@ variable "log_retention_days" {
   type        = number
   default     = 7
 }
+
+variable "log_kms_key_id" {
+  description = "The AWS KMS Key ARN to use for CloudWatch log group encryption"
+  type        = string
+  default     = null
+}
diff --git a/variables.tf b/variables.tf
@@ -292,6 +292,12 @@ variable "log_forwarder_log_retention_days" {
   default     = 7
 }
 
+variable "log_forwarder_log_kms_key_id" {
+  description = "The AWS KMS Key ARN to use for CloudWatch log group encryption"
+  type        = string
+  default     = null
+}
+
 # RDS Enhanced Monitoring Forwarder IAM Role
 variable "create_rds_em_forwarder_role" {
   description = "Controls whether an IAM role is created for the RDS enhanced monitoring forwarder"
@@ -474,6 +480,12 @@ variable "rds_em_forwarder_log_retention_days" {
   default     = 7
 }
 
+variable "rds_em_forwarder_log_kms_key_id" {
+  description = "The AWS KMS Key ARN to use for CloudWatch log group encryption"
+  type        = string
+  default     = null
+}
+
 # VPC Flow Log Forwarder IAM Role
 variable "create_vpc_fl_forwarder_role" {
   description = "Controls whether an IAM role is created for the VPC flow log forwarder"
@@ -668,6 +680,12 @@ variable "vpc_fl_forwarder_log_retention_days" {
   default     = 7
 }
 
+variable "vpc_fl_forwarder_log_kms_key_id" {
+  description = "The AWS KMS Key ARN to use for CloudWatch log group encryption"
+  type        = string
+  default     = null
+}
+
 # PrivateLink / VPC Endpoints
 variable "vpc_id" {
   description = "ID of VPC to provision endpoints within"

Original file line number	Diff line number	Diff line change
`@@ -224,6 +224,7 @@ resource "aws_cloudwatch_log_group" "this" {`
`224`	`224`
`225`	`225`	`name = "/aws/lambda/${aws_lambda_function.this[0].function_name}"`
`226`	`226`	`retention_in_days = var.log_retention_days`
	`227`	`+ kms_key_id = var.log_kms_key_id`
`227`	`228`
`228`	`229`	`tags = var.tags`
`229`	`230`	`}`
Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,7 @@ resource "aws_cloudwatch_log_group" "this" {`
`132`	`132`
`133`	`133`	`name = "/aws/lambda/${aws_lambda_function.this[0].function_name}"`
`134`	`134`	`retention_in_days = var.log_retention_days`
	`135`	`+ kms_key_id = var.log_kms_key_id`
`135`	`136`
`136`	`137`	`tags = var.tags`
`137`	`138`	`}`