refactor(rds_enhanced_monitoring_forwarder): replace usage of KMS encrypted environment variable with SecretsManager secret ARN like the log_forwarder

BREAKING CHANGE: `var.kms_alias` removed and `var.dd_api_key` added to `rds_enhanced_monitoring_forwarder` to support changes in v3.28.0 release

Author: bryantbiggs

.gitignore

@@ -1,6 +1,9 @@
 # Local .terraform directories
 **/.terraform/*
 
+# Terraform lockfile
+.terraform.lock.hcl
+
 # .tfstate files
 *.tfstate
 *.tfstate.*

examples/complete/main.tf

@@ -147,7 +147,6 @@ module "default" {
   create_rds_em_forwarder = true
   create_vpc_fl_forwarder = true
 
-  log_forwarder_version                        = "3.20.0"
   log_forwarder_name                           = "complete-datadog-log-forwarder"
   log_forwarder_memory_size                    = 512
   log_forwarder_timeout                        = 60
@@ -180,7 +179,6 @@ module "default" {
   log_forwarder_s3_log_bucket_arns            = [module.log_bucket_1.this_s3_bucket_arn, module.log_bucket_2.this_s3_bucket_arn]
   log_forwarder_tags                          = { LogForwarder = true }
 
-  rds_em_forwarder_version                        = "3.19.0"
   rds_em_forwarder_name                           = "complete-datadog-rds-forwarder"
   rds_em_forwarder_memory_size                    = 512
   rds_em_forwarder_timeout                        = 60
@@ -200,7 +198,6 @@ module "default" {
   rds_em_forwarder_policy_path                    = "/datadog/"
   rds_em_forwarder_tags                           = { RdsForwarder = true }
 
-  vpc_fl_forwarder_version                        = "3.18.0"
   vpc_fl_forwarder_name                           = "complete-datadog-vpc-forwarder"
   vpc_fl_forwarder_memory_size                    = 512
   vpc_fl_forwarder_timeout                        = 60

main.tf

@@ -61,10 +61,9 @@ module "rds_enhanced_monitoring_forwarder" {
   create = var.create_rds_em_forwarder
 
   forwarder_version     = var.rds_em_forwarder_version
+  dd_api_key            = var.dd_api_key
   dd_api_key_secret_arn = var.dd_api_key_secret_arn
-  dd_app_key            = var.dd_app_key
   dd_site               = var.dd_site
-  kms_alias             = var.kms_alias
 
   name                           = var.rds_em_forwarder_name
   runtime                        = var.rds_em_forwarder_runtime

modules/log_forwarder/main.tf

@@ -16,7 +16,6 @@ locals {
 }
 
 data "aws_caller_identity" "current" {}
-
 data "aws_region" "current" {}
 
 ################################################################################

modules/rds_enhanced_monitoring_forwarder/README.md

@@ -49,12 +49,11 @@ module "datadog_rds_enhanced_monitoring_forwarder" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | create | Controls whether the forwarder resources should be created | `bool` | `true` | no |
+| dd\_api\_key | The Datadog API key, which can be found from the APIs page (/account/settings#api). It will be stored in AWS Secrets Manager securely | `string` | `""` | no |
 | dd\_api\_key\_secret\_arn | The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager | `string` | `""` | no |
-| dd\_app\_key | The Datadog application key associated with the user account that created it, which can be found from the APIs page | `string` | `""` | no |
 | dd\_site | Define your Datadog Site to send data to. For the Datadog EU site, set to datadoghq.eu | `string` | `"datadoghq.com"` | no |
 | environment\_variables | A map of environment variables for the forwarder lambda function | `map(string)` | `{}` | no |
 | forwarder\_version | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.28.0"` | no |
-| kms\_alias | Alias of KMS key used to encrypt the Datadog API keys - must start with `alias/` | `string` | n/a | yes |
 | kms\_key\_arn | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | lambda\_tags | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |
 | layers | List of Lambda Layer Version ARNs (maximum of 5) to attach to the forwarder lambda | `list(string)` | `[]` | no |

modules/rds_enhanced_monitoring_forwarder/main.tf

@@ -1,18 +1,12 @@
 locals {
+  dd_api_key            = var.dd_api_key != "" ? { DD_API_KEY = var.dd_api_key } : {}
+  dd_api_key_secret_arn = var.dd_api_key_secret_arn != "" ? { DD_API_KEY_SECRET_ARN = var.dd_api_key_secret_arn } : {}
+
   description = "Lambda function to push RDS Enhanced metrics to Datadog"
   version_tag = { DD_FORWARDER_VERSION = var.forwarder_version }
 
   role_name   = coalesce(var.role_name, var.name)
   policy_name = coalesce(var.policy_name, var.name)
-
-  dd_api_key  = try(data.aws_secretsmanager_secret_version.datadog_api_key[0].secret_string, "")
-  api_app_key = <<EOF
-{"api_key":"${local.dd_api_key}", "app_key":"${var.dd_app_key}"}
-EOF
-
-  api_key = <<EOF
-{"api_key":"${local.dd_api_key}"}
-EOF
 }
 
 data "aws_caller_identity" "current" {}
@@ -62,8 +56,8 @@ resource "aws_iam_policy" "this" {
   policy = templatefile(
     "${path.module}/policy.tmpl",
     {
-      vpc_check = var.subnet_ids != null
-      kms_arn   = data.aws_kms_key.this[0].arn
+      vpc_check             = var.subnet_ids != null
+      dd_api_key_secret_arn = var.dd_api_key_secret_arn
     }
   )
 }
@@ -107,9 +101,10 @@ resource "aws_lambda_function" "this" {
 
   environment {
     variables = merge(
+      local.dd_api_key,
+      local.dd_api_key_secret_arn,
       {
-        DD_SITE          = var.dd_site
-        kmsEncryptedKeys = aws_kms_ciphertext.this[0].ciphertext_blob
+        DD_SITE = var.dd_site
       },
       var.environment_variables,
       local.version_tag
@@ -137,23 +132,3 @@ resource "aws_cloudwatch_log_group" "this" {
 
   tags = var.tags
 }
-
-data "aws_kms_key" "this" {
-  count = var.create ? 1 : 0
-
-  key_id = var.kms_alias
-}
-
-data "aws_secretsmanager_secret_version" "datadog_api_key" {
-  count = var.create ? 1 : 0
-
-  secret_id = var.dd_api_key_secret_arn
-}
-
-resource "aws_kms_ciphertext" "this" {
-  count = var.create ? 1 : 0
-
-  key_id    = data.aws_kms_key.this[0].id
-  plaintext = var.dd_app_key != "" ? local.api_app_key : local.api_key
-  context   = { LambdaFunctionName = var.name }
-}

modules/rds_enhanced_monitoring_forwarder/policy.tmpl

@@ -12,12 +12,12 @@
       "Effect": "Allow",
       "Resource": "*",
       "Sid": "WriteLogs"
-    }%{ if kms_arn != "" },
+    }%{ if dd_api_key_secret_arn != "" },
     {
-      "Action": "kms:Decrypt",
+      "Action": "secretsmanager:GetSecretValue",
       "Effect": "Allow",
-      "Resource": "${kms_arn}",
-      "Sid": "DecryptKeys"
+      "Resource": "${dd_api_key_secret_arn}",
+      "Sid": "GetApiKeySecret"
     }%{ endif }
   ]
 }

modules/rds_enhanced_monitoring_forwarder/variables.tf

@@ -11,8 +11,8 @@ variable "tags" {
 }
 
 # Datadog environment Variables
-variable "dd_app_key" {
-  description = "The Datadog application key associated with the user account that created it, which can be found from the APIs page"
+variable "dd_api_key" {
+  description = "The Datadog API key, which can be found from the APIs page (/account/settings#api). It will be stored in AWS Secrets Manager securely"
   type        = string
   default     = ""
 }
@@ -29,11 +29,6 @@ variable "dd_site" {
   default     = "datadoghq.com"
 }
 
-variable "kms_alias" {
-  description = "Alias of KMS key used to encrypt the Datadog API keys - must start with `alias/`"
-  type        = string
-}
-
 # Forwarder IAM Role
 variable "role_arn" {
   description = "IAM role arn for forwarder lambda function to utilize"