Awesome

This component is responsible for provisioning Datadog Log Archives. It creates a single log archive pipeline for each AWS account. If the catchall flag is set, it creates a catchall archive within the same S3 bucket.

Each log archive filters for the tag env:$env where $env is the environment/account name (ie sbx, prd, tools, etc), as well as any tags identified in the additional_tags key. The catchall archive, as the name implies, filters for '*'.

A second bucket is created for cloudtrail, and a cloudtrail is configured to monitor the log archive bucket and log activity to the cloudtrail bucket. To forward these cloudtrail logs to datadog, the cloudtrail bucket's id must be added to the s3_buckets key for our datadog-lambda-forwarder component.

Both buckets support object lock, with overridable defaults of COMPLIANCE mode with a duration of 7 days.

Prerequisites

Datadog integration set up in target environment
- We rely on the datadog api and app keys added by our datadog integration component

Issues, Gotchas, Good-to-Knows

Destroy/reprovision process

Because of the protections for S3 buckets, if we want to destroy/replace our bucket, we need to do so in two passes or destroy the bucket manually and then use terraform to clean up the rest. If reprovisioning a recently provisioned bucket, the two-pass process works well. If the bucket has a full day or more of logs, though, deleting it manually first will avoid terraform timeouts, and then the terraform process can be used to clean up everything else.

Two step process to destroy via terraform

first set s3_force_destroy var to true and apply
next set enabled to false and apply or use tf destroy

Usage

Stack Level: Global

Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts from which Datadog receives logs.

components:
  terraform:
    datadog-logs-archive:
      settings:
        spacelift:
          workspace_enabled: true
      vars:
        enabled: true
  #       additional_query_tags:
  #         - "forwardername:*-dev-datadog-lambda-forwarder-logs"
  #         - "account:123456789012"

Requirements

Name	Version
terraform	>= 0.13.0
aws	>= 2.0
datadog	>= 3.3.0
local	>= 1.3

Providers

Name	Version
aws	>= 2.0
datadog	>= 3.7.0
http	>= 2.1.0

Modules

Name	Source	Version
cloudtrail	cloudposse/cloudtrail/aws	0.21.0
cloudtrail_s3_bucket	cloudposse/cloudtrail-s3-bucket/aws	0.23.1
iam_roles	../account-map/modules/iam-roles	n/a
s3_bucket	cloudposse/s3-bucket/aws	0.46.0
this	cloudposse/label/null	0.25.0

Resources

Name	Type
aws_caller_identity.current	data source
aws_partition.current	data source
aws_ssm_parameter.datadog_api_key	data source
aws_ssm_parameter.datadog_app_key	data source
aws_ssm_parameter.datadog_aws_role_name	data source
aws_ssm_parameter.datadog_external_id	data source
datadog_logs_archive.catchall_archive	resource
datadog_logs_archive.logs_archive	resource
http.current_order	data source

Inputs

Name	Description	Type	Default	Required
additional_query_tags	Additional tags to include in query for logs for this archive	`list`	[]	no
catchall	Set to true to enable a catchall for logs unmatched by any queries. This should only be used in one environment/account	`bool`	false	no
datadog_aws_account_id	The AWS account ID Datadog's integration servers use for all integrations	`string`	464622532012	no
enable_glacier_transition	Enable/disable transition to glacier. Has no effect unless `lifecycle_rules_enabled` set to true	`bool`	true	no
glacier_transition_days	Number of days after which to transition objects to glacier storage	`number`	365	no
lifecycle_rules_enabled	Enable/disable lifecycle management rules for s3 objects	`bool`	true	no
object_lock_days_archive	Set duration of archive bucket object lock	`number`	7	yes
object_lock_days_cloudtrail	Set duration of cloudtrail bucket object lock	`number`	7	yes
object_lock_mode_archive	Set mode of archive bucket object lock	`string`	COMPLIANCE	yes
object_lock_mode_cloudtrail	Set mode of cloudtrail bucket object lock	`string`	COMPLIANCE	yes
s3_force_destroy	Set to true to delete non-empty buckets when `enabled` is set to false	`bool`	false	for destroy only

Outputs

Name	Description
archive_id	The ID of the environment-specific log archive
bucket_arn	The ARN of the bucket used for log archive storage
bucket_domain_name	The FQDN of the bucket used for log archive storage
bucket_id	The ID (name) of the bucket used for log archive storage
bucket_region	The region of the bucket used for log archive storage
cloudtrail_bucket_arn	The ARN of the bucket used for cloudtrail log storage
cloudtrail_bucket_domain_name	The FQDN of the bucket used for cloudtrail log storage
cloudtrail_bucket_id	The ID (name) of the bucket used for cloudtrail log storage
catchall_id	The ID of the catchall log archive

References

cloudposse/s3-bucket/aws - Cloud Posse's S3 component
[datadog_logs_archive resource] (https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/logs_archive) - Datadog's provider documentation for the datadog_logs_archive resource

[!NOTE] This project is part of Cloud Posse's comprehensive "SweetOps" approach towards DevOps.
<details><summary>Learn More</summary>
It's 100% Open Source and licensed under the APACHE2.
</details>

Related Projects

Check out these related projects.

Cloud Posse Terraform Modules - Our collection of reusable Terraform modules used by our reference architectures.
Atmos - Atmos is like docker-compose but for your infrastructure

✨ Contributing

This project is under active development, and we encourage contributions from our community. Many thanks to our outstanding contributors:

🐛 Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

💻 Developing

If you are interested in being a contributor and want to get involved in developing this project or help out with Cloud Posse's other projects, we would love to hear from you! Hit us up in Slack, in the #cloudposse channel.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

Review our Code of Conduct and Contributor Guidelines.
Fork the repo on GitHub
Clone the project to your own machine
Commit changes to your own branch
Push your work back up to your fork
Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

🌎 Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

📰 Newsletter

Sign up for our newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read.

📆 Office Hours <a href="https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-datadog-logs-archive&utm_content=office_hours"><img src="https://img.cloudposse.com/fit-in/200x200/https://cloudposse.com/wp-content/uploads/2019/08/Powered-by-Zoom.png" align="right" /></a>

Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a live Q&A that you can’t find anywhere else. It's FREE for everyone!

About

This project is maintained by <a href="https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-datadog-logs-archive&utm_content=">Cloud Posse, LLC</a>. <a href="https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse-terraform-components/aws-datadog-logs-archive&utm_content="><img src="https://cloudposse.com/logo-300x69.svg" align="right" /></a>

We are a DevOps Accelerator for funded startups and enterprises. Use our ready-to-go terraform architecture blueprints for AWS to get up and running quickly. We build it with you. You own everything. Your team wins. Plus, we stick around until you succeed.

Your team can operate like a pro today.

Ensure that your team succeeds by using our proven process and turnkey blueprints. Plus, we stick around until you succeed.

<details> <summary>📚 See What's Included</summary>

Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
Deployment Strategy. You'll have a battle-tested deployment strategy using GitHub Actions that's automated and repeatable.
Site Reliability Engineering. You'll have total visibility into your apps and microservices.
Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
GitOps. You'll be able to operate your infrastructure via Pull Requests.
Training. You'll receive hands-on training so your team can operate what we build.
Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
Troubleshooting. You'll get help to triage when things aren't working.
Code Reviews. You'll receive constructive feedback on Pull Requests.
Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.

</details>

License

<details> <summary>Preamble to the Apache License, Version 2.0</summary>

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

</details>

Trademarks

All other trademarks referenced herein are the property of their respective owners.