Awesome
AWS Datadog Forwarders Terraform module
Terraform module which creates resources to forward logs and metrics to Datadog on AWS.
The following resources are supported:
- Log Forwarder
- RDS Enhanced Monitoring Forwarder
- VPC Flow Log Forwarder
- Agent PrivateLink VPC Endpoint
- API PrivateLink VPC Endpoint
- Log Forwarder PrivateLink VPC Endpoint
- Metrics PrivateLink VPC Endpoint
- Process PrivateLink VPC Endpoint
- Traces PrivateLink VPC Endpoint
Please refer to the official Datadog datadog-serverless-functions for further information on the forwarder lambda functions, configuraion via environment variables, and integration with PrivateLink endpoints.
Security
There are several factors to keep in mind when working with and/or using this module that largely revolve around the decisions made based on security implications.
- Based on the functionality provided by the Datadog team at
datadog-serverless-functions, the recommended approach for providing your Datadog API key is through AWS Secrets Manager. The creation of this secret is not facilitated by this module and should be created manually (or through some other means where the secret is not passed as plain text into Terraform as input).- Note: even though this is the recommended approach, the pattern used in the past of providing the
DD_API_KEYas an environment variable is still supported by the module. Users are able to provde any and all environment variables to the forwarders through inputs (i.e. -log_forwarder_environment_variables) to configure the forwarders as desired. Seesettings.pyfor more details on what environment variables are supported to configure the forwarders.
- Note: even though this is the recommended approach, the pattern used in the past of providing the
- The use of a KMS key to encrypt/decrypt API and APP keys is required by the
rds_enhanced_monitoring_forwarderandvpc_flow_log_forwardermodules/functions per the uptream source atdatadog-serverless-functions. The creation of a KMS key has been left out of this module so that users are able to better manage their KMS CMK key (and therefore the policies and usage of said key) as they see fit without over-complicating this module. - The roles and their permissions created by this module have several built in conditional checks in order to provide permission sets that allow the desired functionality while following the recommended approach of least privelege access. Nearly all attributes for the IAM roles and their permissions are accessible via inputs - even allowing users to provide their own IAM roles and/or policies to meet their organizational requirements.
Vendored Artifacts
Due to Terraform not dealing with dynamically created files, especially in ephemeral environments like CI/CD pipelines, the decision was made to vendor the Lambda function artifacts within the VPC Flow Log and RDS Enhanced Monitoring modules to avoid issues. When the upstream artifacts are hosted as zipped archives available on GitHub, similar to the Log Forwarder, then this vendoring hack will be removed in favor of pulling directly from the project. Ref Issue #374
Usage
See examples directory for working examples to reference:
# Note: you will need to create this secret manually prior to running
# This avoids having to pass the key to Terraform in plaintext
data "aws_secretsmanager_secret" "datadog_api_key" {
name = "datadog/api_key"
}
module "datadog_forwarders" {
source = "terraform-aws-modules/datadog-forwarders/aws"
kms_alias = "alias/datadog" # KMS key will need to be created outside of module
dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn
tags = {
Terraform = "true"
Environment = "dev"
}
}
Examples
Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
Requirements
| Name | Version |
|---|---|
| <a name="requirement_terraform"></a> terraform | >= 1.3 |
| <a name="requirement_aws"></a> aws | >= 5.0 |
Providers
| Name | Version |
|---|---|
| <a name="provider_aws"></a> aws | >= 5.0 |
Modules
| Name | Source | Version |
|---|---|---|
| <a name="module_log_forwarder"></a> log_forwarder | ./modules/log_forwarder | n/a |
| <a name="module_rds_enhanced_monitoring_forwarder"></a> rds_enhanced_monitoring_forwarder | ./modules/rds_enhanced_monitoring_forwarder | n/a |
| <a name="module_vpc_flow_log_forwarder"></a> vpc_flow_log_forwarder | ./modules/vpc_flow_log_forwarder | n/a |
Resources
| Name | Type |
|---|---|
| aws_vpc_endpoint.agent | resource |
| aws_vpc_endpoint.api | resource |
| aws_vpc_endpoint.log_forwarder | resource |
| aws_vpc_endpoint.metrics | resource |
| aws_vpc_endpoint.processes | resource |
| aws_vpc_endpoint.traces | resource |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| <a name="input_agent_vpce_policy"></a> agent_vpce_policy | Policy to attach to the agent endpoint that controls access to the service. Defaults to full access | any | null | no |
| <a name="input_agent_vpce_security_group_ids"></a> agent_vpce_security_group_ids | IDs of security groups to attach to agent endpoint | list(string) | [] | no |
| <a name="input_agent_vpce_subnet_ids"></a> agent_vpce_subnet_ids | IDs of subnets to associate with agent endpoint | list(string) | [] | no |
| <a name="input_agent_vpce_tags"></a> agent_vpce_tags | A map of tags to apply to the Datadog agent endpoint | map(string) | {} | no |
| <a name="input_api_vpce_policy"></a> api_vpce_policy | Policy to attach to the API endpoint that controls access to the service. Defaults to full access | any | null | no |
| <a name="input_api_vpce_security_group_ids"></a> api_vpce_security_group_ids | IDs of security groups to attach to API endpoint | list(string) | [] | no |
| <a name="input_api_vpce_subnet_ids"></a> api_vpce_subnet_ids | IDs of subnets to associate with API endpoint | list(string) | [] | no |
| <a name="input_api_vpce_tags"></a> api_vpce_tags | A map of tags to apply to the API endpoint | map(string) | {} | no |
| <a name="input_bucket_attach_deny_insecure_transport_policy"></a> bucket_attach_deny_insecure_transport_policy | Controls if S3 bucket should have deny non-SSL transport policy attacheds | bool | true | no |
| <a name="input_bucket_encryption_settings"></a> bucket_encryption_settings | S3 bucket server side encryption settings | map(string) | <pre>{<br> "sse_algorithm": "AES256"<br>}</pre> | no |
| <a name="input_bucket_name"></a> bucket_name | Lambda artifact S3 bucket name | string | "" | no |
| <a name="input_create_agent_vpce"></a> create_agent_vpce | Controls whether an agent endpoint should be created | bool | false | no |
| <a name="input_create_api_vpce"></a> create_api_vpce | Controls whether a API endpoint should be created | bool | false | no |
| <a name="input_create_bucket"></a> create_bucket | Controls whether an S3 artifact bucket should be created. this is used for the zip archive as well as caching tags | bool | true | no |
| <a name="input_create_log_forwarder"></a> create_log_forwarder | Controls whether log forwarder resources should be created | bool | true | no |
| <a name="input_create_log_forwarder_role"></a> create_log_forwarder_role | Controls whether an IAM role is created for the log forwarder | bool | true | no |
| <a name="input_create_log_forwarder_role_policy"></a> create_log_forwarder_role_policy | Controls whether an IAM role policy is created for the log forwarder | bool | true | no |
| <a name="input_create_log_forwarder_vpce"></a> create_log_forwarder_vpce | Controls whether a log forwarder endpoint should be created | bool | false | no |
| <a name="input_create_metrics_vpce"></a> create_metrics_vpce | Controls whether a metrics VPC endpoint should be created | bool | false | no |
| <a name="input_create_processes_vpce"></a> create_processes_vpce | Controls whether a processes endpoint should be created | bool | false | no |
| <a name="input_create_rds_em_forwarder"></a> create_rds_em_forwarder | Controls whether RDS enhanced monitoring forwarder resources should be created | bool | true | no |
| <a name="input_create_rds_em_forwarder_role"></a> create_rds_em_forwarder_role | Controls whether an IAM role is created for the RDS enhanced monitoring forwarder | bool | true | no |
| <a name="input_create_rds_em_forwarder_role_policy"></a> create_rds_em_forwarder_role_policy | Controls whether an IAM role policy is created for the RDS enhanced monitoring forwarder | bool | true | no |
| <a name="input_create_traces_vpce"></a> create_traces_vpce | Controls whether a traces endpoint should be created | bool | false | no |
| <a name="input_create_vpc_fl_forwarder"></a> create_vpc_fl_forwarder | Controls whether VPC flow log forwarder resources should be created | bool | true | no |
| <a name="input_create_vpc_fl_forwarder_role"></a> create_vpc_fl_forwarder_role | Controls whether an IAM role is created for the VPC flow log forwarder | bool | true | no |
| <a name="input_create_vpc_fl_forwarder_role_policy"></a> create_vpc_fl_forwarder_role_policy | Controls whether an IAM role policy is created for the VPC flow log forwarder | bool | true | no |
| <a name="input_dd_api_key"></a> dd_api_key | The Datadog API key, which can be found from the APIs page (/account/settings#api). It will be stored in AWS Secrets Manager securely. If DdApiKeySecretArn is also set, this value will not be used. This value must still be set, however | string | "" | no |
| <a name="input_dd_api_key_secret_arn"></a> dd_api_key_secret_arn | The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager. You still need to set a dummy value for dd_api_key to satisfy the requirement, though that value won't be used | string | "" | no |
| <a name="input_dd_app_key"></a> dd_app_key | The Datadog application key associated with the user account that created it, which can be found from the APIs page | string | "" | no |
| <a name="input_dd_site"></a> dd_site | Define your Datadog Site to send data to. For the Datadog EU site, set to datadoghq.eu | string | "datadoghq.com" | no |
| <a name="input_kms_alias"></a> kms_alias | Alias of KMS key used to encrypt the Datadog API keys - must start with alias/ | string | n/a | yes |
| <a name="input_log_forwarder_architectures"></a> log_forwarder_architectures | Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. Default is ["x86_64"] | list(string) | <pre>[<br> "x86_64"<br>]</pre> | no |
| <a name="input_log_forwarder_bucket_prefix"></a> log_forwarder_bucket_prefix | S3 object key prefix to prepend to zip archive name | string | "" | no |
| <a name="input_log_forwarder_bucket_tags"></a> log_forwarder_bucket_tags | A map of tags to apply to the log forwarder bucket | map(any) | {} | no |
| <a name="input_log_forwarder_environment_variables"></a> log_forwarder_environment_variables | A map of environment variables for the log forwarder lambda function | map(string) | {} | no |
| <a name="input_log_forwarder_kms_key_arn"></a> log_forwarder_kms_key_arn | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | string | null | no |
| <a name="input_log_forwarder_lambda_tags"></a> log_forwarder_lambda_tags | A map of tags to apply to the log forwarder lambda function | map(string) | {} | no |
| <a name="input_log_forwarder_layers"></a> log_forwarder_layers | List of Lambda Layer Version ARNs (maximum of 5) to attach to the log forwarder lambda | list(string) | [] | no |
| <a name="input_log_forwarder_log_kms_key_id"></a> log_forwarder_log_kms_key_id | The AWS KMS Key ARN to use for CloudWatch log group encryption | string | null | no |
| <a name="input_log_forwarder_log_retention_days"></a> log_forwarder_log_retention_days | Log forwarder CloudWatch log group retention in days | number | 7 | no |
| <a name="input_log_forwarder_memory_size"></a> log_forwarder_memory_size | Memory size for the log forwarder lambda function | number | 1024 | no |
| <a name="input_log_forwarder_name"></a> log_forwarder_name | Log forwarder lambda name | string | "datadog-log-forwarder" | no |
| <a name="input_log_forwarder_policy_arn"></a> log_forwarder_policy_arn | IAM policy arn for log forwarder lambda function to utilize | string | null | no |
| <a name="input_log_forwarder_policy_name"></a> log_forwarder_policy_name | Log forwarder policy name | string | "" | no |
| <a name="input_log_forwarder_policy_path"></a> log_forwarder_policy_path | Log forwarder policy path | string | null | no |
| <a name="input_log_forwarder_publish"></a> log_forwarder_publish | Whether to publish creation/change as a new Lambda Function Version | bool | false | no |
| <a name="input_log_forwarder_reserved_concurrent_executions"></a> log_forwarder_reserved_concurrent_executions | The amount of reserved concurrent executions for the log forwarder lambda function | number | 100 | no |
| <a name="input_log_forwarder_role_arn"></a> log_forwarder_role_arn | IAM role arn for log forwarder lambda function to utilize | string | null | no |
| <a name="input_log_forwarder_role_max_session_duration"></a> log_forwarder_role_max_session_duration | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | number | null | no |
| <a name="input_log_forwarder_role_name"></a> log_forwarder_role_name | Log forwarder role name | string | "" | no |
| <a name="input_log_forwarder_role_path"></a> log_forwarder_role_path | Log forwarder role path | string | null | no |
| <a name="input_log_forwarder_role_permissions_boundary"></a> log_forwarder_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the log forwarder role | string | null | no |
| <a name="input_log_forwarder_role_tags"></a> log_forwarder_role_tags | A map of tags to apply to the log forwarder role | map(string) | {} | no |
| <a name="input_log_forwarder_runtime"></a> log_forwarder_runtime | Lambda function runtime | string | "python3.11" | no |
| <a name="input_log_forwarder_s3_log_bucket_arns"></a> log_forwarder_s3_log_bucket_arns | S3 log buckets for forwarder to read and forward logs to Datadog | list(string) | [] | no |
| <a name="input_log_forwarder_s3_zip_kms_key_id"></a> log_forwarder_s3_zip_kms_key_id | The AWS KMS Key ARN to use for object encryption | string | null | no |
| <a name="input_log_forwarder_s3_zip_metadata"></a> log_forwarder_s3_zip_metadata | A map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta- | map(string) | {} | no |
| <a name="input_log_forwarder_s3_zip_server_side_encryption"></a> log_forwarder_s3_zip_server_side_encryption | Server-side encryption of the zip object in S3. Valid values are AES256 and aws:kms | string | null | no |
| <a name="input_log_forwarder_s3_zip_storage_class"></a> log_forwarder_s3_zip_storage_class | Specifies the desired Storage Class for the zip object. Can be either STANDARD, REDUCED_REDUNDANCY, ONEZONE_IA, INTELLIGENT_TIERING, or STANDARD_IA | string | null | no |
| <a name="input_log_forwarder_s3_zip_tags"></a> log_forwarder_s3_zip_tags | A map of tags to apply to the zip archive in S3 | map(string) | {} | no |
| <a name="input_log_forwarder_s3_zip_tags_only"></a> log_forwarder_s3_zip_tags_only | Set to true to not merge var.tags with log_forwarder_s3_zip_tags. Useful to avoid breaching S3 Object 10 tag limit | bool | false | no |
| <a name="input_log_forwarder_security_group_ids"></a> log_forwarder_security_group_ids | List of security group ids when forwarder lambda function should run in the VPC | list(string) | null | no |
| <a name="input_log_forwarder_subnet_ids"></a> log_forwarder_subnet_ids | List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets | list(string) | null | no |
| <a name="input_log_forwarder_tags"></a> log_forwarder_tags | A map of tags to apply to the log forwarder resources | map(string) | {} | no |
| <a name="input_log_forwarder_timeout"></a> log_forwarder_timeout | The amount of time the log forwarder lambda has to execute in seconds | number | 120 | no |
| <a name="input_log_forwarder_use_policy_name_prefix"></a> log_forwarder_use_policy_name_prefix | Whether to use unique name beginning with the specified policy_name for the log forwarder policy | bool | false | no |
| <a name="input_log_forwarder_use_role_name_prefix"></a> log_forwarder_use_role_name_prefix | Whether to use unique name beginning with the specified role_name for the log forwarder role | bool | false | no |
| <a name="input_log_forwarder_version"></a> log_forwarder_version | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | string | "3.103.0" | no |
| <a name="input_log_forwarder_vpce_policy"></a> log_forwarder_vpce_policy | Policy to attach to the log forwarder endpoint that controls access to the service. Defaults to full access | any | null | no |
| <a name="input_log_forwarder_vpce_security_group_ids"></a> log_forwarder_vpce_security_group_ids | IDs of security groups to attach to log forwarder endpoint | list(string) | [] | no |
| <a name="input_log_forwarder_vpce_subnet_ids"></a> log_forwarder_vpce_subnet_ids | IDs of subnets to associate with log forwarder endpoint | list(string) | [] | no |
| <a name="input_log_forwarder_vpce_tags"></a> log_forwarder_vpce_tags | A map of tags to apply to the log forwarder endpoint | map(string) | {} | no |
| <a name="input_metrics_vpce_policy"></a> metrics_vpce_policy | Policy to attach to the metrics endpoint that controls access to the service. Defaults to full access | any | null | no |
| <a name="input_metrics_vpce_security_group_ids"></a> metrics_vpce_security_group_ids | IDs of security groups to attach to metrics endpoint | list(string) | [] | no |
| <a name="input_metrics_vpce_subnet_ids"></a> metrics_vpce_subnet_ids | IDs of subnets to associate with metrics endpoint | list(string) | [] | no |
| <a name="input_metrics_vpce_tags"></a> metrics_vpce_tags | A map of tags to apply to the metrics endpoint | map(string) | {} | no |
| <a name="input_processes_vpce_policy"></a> processes_vpce_policy | Policy to attach to the processes endpoint that controls access to the service. Defaults to full access | any | null | no |
| <a name="input_processes_vpce_security_group_ids"></a> processes_vpce_security_group_ids | IDs of security groups to attach to processes endpoint | list(string) | [] | no |
| <a name="input_processes_vpce_subnet_ids"></a> processes_vpce_subnet_ids | IDs of subnets to associate with processes endpoint | list(string) | [] | no |
| <a name="input_processes_vpce_tags"></a> processes_vpce_tags | A map of tags to apply to the processes endpoint | map(string) | {} | no |
| <a name="input_rds_em_forwarder_architectures"></a> rds_em_forwarder_architectures | Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. Default is ["x86_64"] | list(string) | <pre>[<br> "x86_64"<br>]</pre> | no |
| <a name="input_rds_em_forwarder_environment_variables"></a> rds_em_forwarder_environment_variables | A map of environment variables for the RDS enhanced monitoring forwarder lambda function | map(string) | {} | no |
| <a name="input_rds_em_forwarder_kms_key_arn"></a> rds_em_forwarder_kms_key_arn | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | string | null | no |
| <a name="input_rds_em_forwarder_lambda_tags"></a> rds_em_forwarder_lambda_tags | A map of tags to apply to the RDS enhanced monitoring forwarder lambda function | map(string) | {} | no |
| <a name="input_rds_em_forwarder_layers"></a> rds_em_forwarder_layers | List of Lambda Layer Version ARNs (maximum of 5) to attach to the RDS enhanced monitoring forwarder lambda | list(string) | [] | no |
| <a name="input_rds_em_forwarder_log_kms_key_id"></a> rds_em_forwarder_log_kms_key_id | The AWS KMS Key ARN to use for CloudWatch log group encryption | string | null | no |
| <a name="input_rds_em_forwarder_log_retention_days"></a> rds_em_forwarder_log_retention_days | RDS enhanced monitoring forwarder CloudWatch log group retention in days | number | 7 | no |
| <a name="input_rds_em_forwarder_memory_size"></a> rds_em_forwarder_memory_size | Memory size for the RDS enhanced monitoring forwarder lambda function | number | 256 | no |
| <a name="input_rds_em_forwarder_name"></a> rds_em_forwarder_name | RDS enhanced monitoring forwarder lambda name | string | "datadog-rds-enhanced-monitoring-forwarder" | no |
| <a name="input_rds_em_forwarder_policy_arn"></a> rds_em_forwarder_policy_arn | IAM policy arn for RDS enhanced monitoring forwarder lambda function to utilize | string | null | no |
| <a name="input_rds_em_forwarder_policy_name"></a> rds_em_forwarder_policy_name | RDS enhanced monitoring forwarder policy name | string | "" | no |
| <a name="input_rds_em_forwarder_policy_path"></a> rds_em_forwarder_policy_path | RDS enhanced monitoring forwarder policy path | string | null | no |
| <a name="input_rds_em_forwarder_publish"></a> rds_em_forwarder_publish | Whether to publish creation/change as a new fambda function Version | bool | false | no |
| <a name="input_rds_em_forwarder_reserved_concurrent_executions"></a> rds_em_forwarder_reserved_concurrent_executions | The amount of reserved concurrent executions for the RDS enhanced monitoring forwarder lambda function | number | 10 | no |
| <a name="input_rds_em_forwarder_role_arn"></a> rds_em_forwarder_role_arn | IAM role arn for RDS enhanced monitoring forwarder lambda function to utilize | string | null | no |
| <a name="input_rds_em_forwarder_role_max_session_duration"></a> rds_em_forwarder_role_max_session_duration | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | number | null | no |
| <a name="input_rds_em_forwarder_role_name"></a> rds_em_forwarder_role_name | RDS enhanced monitoring forwarder role name | string | "" | no |
| <a name="input_rds_em_forwarder_role_path"></a> rds_em_forwarder_role_path | RDS enhanced monitoring forwarder role path | string | null | no |
| <a name="input_rds_em_forwarder_role_permissions_boundary"></a> rds_em_forwarder_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the RDS enhanced monitoring forwarder role | string | null | no |
| <a name="input_rds_em_forwarder_role_tags"></a> rds_em_forwarder_role_tags | A map of tags to apply to the RDS enhanced monitoring forwarder role | map(string) | {} | no |
| <a name="input_rds_em_forwarder_runtime"></a> rds_em_forwarder_runtime | Lambda function runtime | string | "python3.8" | no |
| <a name="input_rds_em_forwarder_security_group_ids"></a> rds_em_forwarder_security_group_ids | List of security group ids when forwarder lambda function should run in the VPC | list(string) | null | no |
| <a name="input_rds_em_forwarder_subnet_ids"></a> rds_em_forwarder_subnet_ids | List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets | list(string) | null | no |
| <a name="input_rds_em_forwarder_tags"></a> rds_em_forwarder_tags | A map of tags to apply to the RDS enhanced monitoring forwarder resources | map(string) | {} | no |
| <a name="input_rds_em_forwarder_timeout"></a> rds_em_forwarder_timeout | The amount of time the RDS enhanced monitoring forwarder lambda has to execute in seconds | number | 10 | no |
| <a name="input_rds_em_forwarder_use_policy_name_prefix"></a> rds_em_forwarder_use_policy_name_prefix | Whether to use unique name beginning with the specified rds_em_forwarder_policy_name for the RDS enhanced monitoring forwarder role | bool | false | no |
| <a name="input_rds_em_forwarder_use_role_name_prefix"></a> rds_em_forwarder_use_role_name_prefix | Whether to use unique name beginning with the specified rds_em_forwarder_role_name for the RDS enhanced monitoring forwarder role | bool | false | no |
| <a name="input_rds_em_forwarder_version"></a> rds_em_forwarder_version | RDS enhanced monitoring lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases | string | "3.103.0" | no |
| <a name="input_tags"></a> tags | A map of tags to use on all resources | map(string) | {} | no |
| <a name="input_traces_vpce_policy"></a> traces_vpce_policy | Policy to attach to the traces endpoint that controls access to the service. Defaults to full access | any | null | no |
| <a name="input_traces_vpce_security_group_ids"></a> traces_vpce_security_group_ids | IDs of security groups to attach to traces endpoint | list(string) | [] | no |
| <a name="input_traces_vpce_subnet_ids"></a> traces_vpce_subnet_ids | IDs of subnets to associate with traces endpoint | list(string) | [] | no |
| <a name="input_traces_vpce_tags"></a> traces_vpce_tags | A map of tags to apply to the traces endpoint | map(string) | {} | no |
| <a name="input_vpc_fl_forwarder_architectures"></a> vpc_fl_forwarder_architectures | Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. Default is ["x86_64"] | list(string) | <pre>[<br> "x86_64"<br>]</pre> | no |
| <a name="input_vpc_fl_forwarder_environment_variables"></a> vpc_fl_forwarder_environment_variables | A map of environment variables for the VPC flow log forwarder lambda function | map(string) | {} | no |
| <a name="input_vpc_fl_forwarder_kms_key_arn"></a> vpc_fl_forwarder_kms_key_arn | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | string | null | no |
| <a name="input_vpc_fl_forwarder_lambda_tags"></a> vpc_fl_forwarder_lambda_tags | A map of tags to apply to the VPC flow log forwarder lambda function | map(string) | {} | no |
| <a name="input_vpc_fl_forwarder_layers"></a> vpc_fl_forwarder_layers | List of Lambda Layer Version ARNs (maximum of 5) to attach to the VPC flow log forwarder lambda | list(string) | [] | no |
| <a name="input_vpc_fl_forwarder_log_kms_key_id"></a> vpc_fl_forwarder_log_kms_key_id | The AWS KMS Key ARN to use for CloudWatch log group encryption | string | null | no |
| <a name="input_vpc_fl_forwarder_log_retention_days"></a> vpc_fl_forwarder_log_retention_days | VPC flow log forwarder CloudWatch log group retention in days | number | 7 | no |
| <a name="input_vpc_fl_forwarder_memory_size"></a> vpc_fl_forwarder_memory_size | Memory size for the VPC flow log forwarder lambda function | number | 256 | no |
| <a name="input_vpc_fl_forwarder_name"></a> vpc_fl_forwarder_name | VPC flow log forwarder lambda name | string | "datadog-vpc-flow-log-forwarder" | no |
| <a name="input_vpc_fl_forwarder_policy_arn"></a> vpc_fl_forwarder_policy_arn | IAM policy arn for VPC flow log forwarder lambda function to utilize | string | null | no |
| <a name="input_vpc_fl_forwarder_policy_name"></a> vpc_fl_forwarder_policy_name | VPC flow log forwarder policy name | string | "" | no |
| <a name="input_vpc_fl_forwarder_policy_path"></a> vpc_fl_forwarder_policy_path | VPC flow log forwarder policy path | string | null | no |
| <a name="input_vpc_fl_forwarder_publish"></a> vpc_fl_forwarder_publish | Whether to publish creation/change as a new fambda function Version | bool | false | no |
| <a name="input_vpc_fl_forwarder_read_cloudwatch_logs"></a> vpc_fl_forwarder_read_cloudwatch_logs | Whether the VPC flow log forwarder will read CloudWatch log groups for VPC flow logs | bool | false | no |
| <a name="input_vpc_fl_forwarder_reserved_concurrent_executions"></a> vpc_fl_forwarder_reserved_concurrent_executions | The amount of reserved concurrent executions for the VPC flow log forwarder lambda function | number | 10 | no |
| <a name="input_vpc_fl_forwarder_role_arn"></a> vpc_fl_forwarder_role_arn | IAM role arn for VPC flow log forwarder lambda function to utilize | string | null | no |
| <a name="input_vpc_fl_forwarder_role_max_session_duration"></a> vpc_fl_forwarder_role_max_session_duration | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | number | null | no |
| <a name="input_vpc_fl_forwarder_role_name"></a> vpc_fl_forwarder_role_name | VPC flow log forwarder role name | string | "" | no |
| <a name="input_vpc_fl_forwarder_role_path"></a> vpc_fl_forwarder_role_path | VPC flow log forwarder role path | string | null | no |
| <a name="input_vpc_fl_forwarder_role_permissions_boundary"></a> vpc_fl_forwarder_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the VPC flow log forwarder role | string | null | no |
| <a name="input_vpc_fl_forwarder_role_tags"></a> vpc_fl_forwarder_role_tags | A map of tags to apply to the VPC flow log forwarder role | map(string) | {} | no |
| <a name="input_vpc_fl_forwarder_runtime"></a> vpc_fl_forwarder_runtime | Lambda function runtime | string | "python3.8" | no |
| <a name="input_vpc_fl_forwarder_s3_log_bucket_arns"></a> vpc_fl_forwarder_s3_log_bucket_arns | S3 log buckets for VPC flow log forwarder to read and forward to Datadog | list(string) | [] | no |
| <a name="input_vpc_fl_forwarder_security_group_ids"></a> vpc_fl_forwarder_security_group_ids | List of security group ids when forwarder lambda function should run in the VPC | list(string) | null | no |
| <a name="input_vpc_fl_forwarder_subnet_ids"></a> vpc_fl_forwarder_subnet_ids | List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets | list(string) | null | no |
| <a name="input_vpc_fl_forwarder_tags"></a> vpc_fl_forwarder_tags | A map of tags to apply to the VPC flow log forwarder resources | map(string) | {} | no |
| <a name="input_vpc_fl_forwarder_timeout"></a> vpc_fl_forwarder_timeout | The amount of time the VPC flow log forwarder lambda has to execute in seconds | number | 10 | no |
| <a name="input_vpc_fl_forwarder_use_policy_name_prefix"></a> vpc_fl_forwarder_use_policy_name_prefix | Whether to use unique name beginning with the specified vpc_fl_forwarder_policy_name for the VPC flow log forwarder role | bool | false | no |
| <a name="input_vpc_fl_forwarder_use_role_name_prefix"></a> vpc_fl_forwarder_use_role_name_prefix | Whether to use unique name beginning with the specified vpc_fl_forwarder_role_name for the VPC flow log forwarder role | bool | false | no |
| <a name="input_vpc_fl_forwarder_version"></a> vpc_fl_forwarder_version | VPC flow log lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases | string | "3.103.0" | no |
| <a name="input_vpc_id"></a> vpc_id | ID of VPC to provision endpoints within | string | null | no |
Outputs
| Name | Description |
|---|---|
| <a name="output_agent_endpoint_arn"></a> agent_endpoint_arn | ARN of the agent VPC endpoint |
| <a name="output_agent_endpoint_dns_entry"></a> agent_endpoint_dns_entry | DNS entries of the agent VPC endpoint |
| <a name="output_agent_endpoint_id"></a> agent_endpoint_id | ID of the agent VPC endpoint |
| <a name="output_agent_endpoint_network_interface_ids"></a> agent_endpoint_network_interface_ids | One or more network interfaces for the agent VPC endpoint |
| <a name="output_agent_endpoint_owner_id"></a> agent_endpoint_owner_id | The ID of the AWS account that owns the agent VPC endpoint |
| <a name="output_agent_endpoint_state"></a> agent_endpoint_state | The state of the agent VPC endpoint |
| <a name="output_api_endpoint_arn"></a> api_endpoint_arn | ARN of the API VPC endpoint |
| <a name="output_api_endpoint_dns_entry"></a> api_endpoint_dns_entry | DNS entries of the API VPC endpoint |
| <a name="output_api_endpoint_id"></a> api_endpoint_id | ID of the API VPC endpoint |
| <a name="output_api_endpoint_network_interface_ids"></a> api_endpoint_network_interface_ids | One or more network interfaces for API api VPC endpoint |
| <a name="output_api_endpoint_owner_id"></a> api_endpoint_owner_id | The ID of the AWS account that owns the API VPC endpoint |
| <a name="output_api_endpoint_state"></a> api_endpoint_state | The state of the API VPC endpoint |
| <a name="output_log_forwarder_cloudwatch_log_group_arn"></a> log_forwarder_cloudwatch_log_group_arn | The ARN of the log forwarder lambda function CloudWatch log group |
| <a name="output_log_forwarder_endpoint_arn"></a> log_forwarder_endpoint_arn | ARN of the log forwarder VPC endpoint |
| <a name="output_log_forwarder_endpoint_dns_entry"></a> log_forwarder_endpoint_dns_entry | DNS entries of the log forwarder VPC endpoint |
| <a name="output_log_forwarder_endpoint_id"></a> log_forwarder_endpoint_id | ID of the log forwarder VPC endpoint |
| <a name="output_log_forwarder_endpoint_network_interface_ids"></a> log_forwarder_endpoint_network_interface_ids | One or more network interfaces for the log forwarder VPC endpoint |
| <a name="output_log_forwarder_endpoint_owner_id"></a> log_forwarder_endpoint_owner_id | The ID of the AWS account that owns the log forwarder VPC endpoint |
| <a name="output_log_forwarder_endpoint_state"></a> log_forwarder_endpoint_state | The state of the log forwarder VPC endpoint |
| <a name="output_log_forwarder_lambda_arn"></a> log_forwarder_lambda_arn | The ARN of the log forwarder lambda function |
| <a name="output_log_forwarder_lambda_kms_key_arn"></a> log_forwarder_lambda_kms_key_arn | (Optional) The ARN for the KMS encryption key for the log forwarder lambda function |
| <a name="output_log_forwarder_lambda_qualified_arn"></a> log_forwarder_lambda_qualified_arn | The ARN of the log forwarder lambda function (if versioning is enabled via publish = true) |
| <a name="output_log_forwarder_lambda_source_code_hash"></a> log_forwarder_lambda_source_code_hash | Base64-encoded representation of raw SHA-256 sum of the log forwarder zip file, provided either via filename or s3_* parameters |
| <a name="output_log_forwarder_lambda_version"></a> log_forwarder_lambda_version | Latest published version of the log forwarder lambda function |
| <a name="output_log_forwarder_role_arn"></a> log_forwarder_role_arn | The log forwarder lambda role arn |
| <a name="output_log_forwarder_role_id"></a> log_forwarder_role_id | The log forwarder lambda role id |
| <a name="output_log_forwarder_role_name"></a> log_forwarder_role_name | The log forwarder lambda role name |
| <a name="output_log_forwarder_role_policy_arn"></a> log_forwarder_role_policy_arn | The ARN of the log forwarder lambda role policy |
| <a name="output_log_forwarder_role_policy_id"></a> log_forwarder_role_policy_id | The ID of the log forwarder lambda role policy |
| <a name="output_log_forwarder_role_policy_name"></a> log_forwarder_role_policy_name | The name of the log forwarder lambda role policy |
| <a name="output_log_forwarder_role_unique_id"></a> log_forwarder_role_unique_id | The stable and unique string identifying the log forwarder lambda role |
| <a name="output_log_forwarder_s3_bucket_arn"></a> log_forwarder_s3_bucket_arn | The ARN of the log forwarder bucket. Will be of format arn:aws:s3:::bucketname |
| <a name="output_log_forwarder_s3_bucket_domain_name"></a> log_forwarder_s3_bucket_domain_name | The log forwarder bucket domain name. Will be of format bucketname.s3.amazonaws.com |
| <a name="output_log_forwarder_s3_bucket_id"></a> log_forwarder_s3_bucket_id | The name of the log forwarder bucket |
| <a name="output_log_forwarder_s3_bucket_regional_domain_name"></a> log_forwarder_s3_bucket_regional_domain_name | The log forwarder bucket region-specific domain name. The bucket domain name including the region name |
| <a name="output_log_forwarder_s3_object_etag"></a> log_forwarder_s3_object_etag | The ETag generated for the log forwarder lambda zip object (an MD5 sum of the object content) |
| <a name="output_log_forwarder_s3_object_id"></a> log_forwarder_s3_object_id | The key of the log forwarder lambda zip archive |
| <a name="output_log_forwarder_s3_object_version"></a> log_forwarder_s3_object_version | A unique version ID value for the log forwarder lambda zip object, if bucket versioning is enabled |
| <a name="output_metrics_endpoint_arn"></a> metrics_endpoint_arn | ARN of the metrics VPC endpoint |
| <a name="output_metrics_endpoint_dns_entry"></a> metrics_endpoint_dns_entry | DNS entries of the metrics VPC endpoint |
| <a name="output_metrics_endpoint_id"></a> metrics_endpoint_id | ID of the metrics VPC endpoint |
| <a name="output_metrics_endpoint_network_interface_ids"></a> metrics_endpoint_network_interface_ids | One or more network interfaces for the metrics VPC endpoint |
| <a name="output_metrics_endpoint_owner_id"></a> metrics_endpoint_owner_id | The ID of the AWS account that owns the metrics VPC endpoint |
| <a name="output_metrics_endpoint_state"></a> metrics_endpoint_state | The state of the metrics VPC endpoint |
| <a name="output_processes_endpoint_arn"></a> processes_endpoint_arn | ARN of the processes VPC endpoint |
| <a name="output_processes_endpoint_dns_entry"></a> processes_endpoint_dns_entry | DNS entries of the processes VPC endpoint |
| <a name="output_processes_endpoint_id"></a> processes_endpoint_id | ID of the processes VPC endpoint |
| <a name="output_processes_endpoint_network_interface_ids"></a> processes_endpoint_network_interface_ids | One or more network interfaces for the processes VPC endpoint |
| <a name="output_processes_endpoint_owner_id"></a> processes_endpoint_owner_id | The ID of the AWS account that owns the processes VPC endpoint |
| <a name="output_processes_endpoint_state"></a> processes_endpoint_state | The state of the processes VPC endpoint |
| <a name="output_rds_em_forwarder_cloudwatch_log_group_arn"></a> rds_em_forwarder_cloudwatch_log_group_arn | The ARN of the RDS enhanced monitoring forwarder lambda function CloudWatch log group |
| <a name="output_rds_em_forwarder_lambda_arn"></a> rds_em_forwarder_lambda_arn | The ARN of the RDS enhanced monitoring forwarder lambda function |
| <a name="output_rds_em_forwarder_lambda_kms_key_arn"></a> rds_em_forwarder_lambda_kms_key_arn | (Optional) The ARN for the KMS encryption key for the RDS enhanced monitoring forwarder lambda function |
| <a name="output_rds_em_forwarder_lambda_qualified_arn"></a> rds_em_forwarder_lambda_qualified_arn | The ARN of the RDS enhanced monitoring forwarder lambda function (if versioning is enabled via publish = true) |
| <a name="output_rds_em_forwarder_lambda_source_code_hash"></a> rds_em_forwarder_lambda_source_code_hash | Base64-encoded representation of raw SHA-256 sum of the RDS enhanced monitoring lambda forwarder zip file, provided either via filename or s3_* parameters |
| <a name="output_rds_em_forwarder_lambda_version"></a> rds_em_forwarder_lambda_version | Latest published version of the RDS enhanced monitoring forwarder lambda function |
| <a name="output_rds_em_forwarder_role_arn"></a> rds_em_forwarder_role_arn | The RDS enhanced monitoring forwarder lambda role arn |
| <a name="output_rds_em_forwarder_role_id"></a> rds_em_forwarder_role_id | The RDS enhanced monitoring forwarder lambda role id |
| <a name="output_rds_em_forwarder_role_name"></a> rds_em_forwarder_role_name | The RDS enhanced monitoring forwarder lambda role name |
| <a name="output_rds_em_forwarder_role_policy_arn"></a> rds_em_forwarder_role_policy_arn | The ARN of the RDS enhanced monitoring forwarder lambda role policy |
| <a name="output_rds_em_forwarder_role_policy_id"></a> rds_em_forwarder_role_policy_id | The ID of the RDS enhanced monitoring forwarder lambda role policy |
| <a name="output_rds_em_forwarder_role_policy_name"></a> rds_em_forwarder_role_policy_name | The name of the RDS enhanced monitoring forwarder lambda role policy |
| <a name="output_rds_em_forwarder_role_unique_id"></a> rds_em_forwarder_role_unique_id | The stable and unique string identifying the RDS enhanced monitoring forwarder lambda role. |
| <a name="output_traces_endpoint_arn"></a> traces_endpoint_arn | ARN of the traces VPC endpoint |
| <a name="output_traces_endpoint_dns_entry"></a> traces_endpoint_dns_entry | DNS entries of the traces VPC endpoint |
| <a name="output_traces_endpoint_id"></a> traces_endpoint_id | ID of the traces VPC endpoint |
| <a name="output_traces_endpoint_network_interface_ids"></a> traces_endpoint_network_interface_ids | One or more network interfaces for the traces VPC endpoint |
| <a name="output_traces_endpoint_owner_id"></a> traces_endpoint_owner_id | The ID of the AWS account that owns the traces VPC endpoint |
| <a name="output_traces_endpoint_state"></a> traces_endpoint_state | The state of the traces VPC endpoint |
| <a name="output_vpc_fl_forwarder_cloudwatch_log_group_arn"></a> vpc_fl_forwarder_cloudwatch_log_group_arn | The ARN of the VPC flow log forwarder lambda function CloudWatch log group |
| <a name="output_vpc_fl_forwarder_lambda_arn"></a> vpc_fl_forwarder_lambda_arn | The ARN of the VPC flow log forwarder lambda function |
| <a name="output_vpc_fl_forwarder_lambda_kms_key_arn"></a> vpc_fl_forwarder_lambda_kms_key_arn | (Optional) The ARN for the KMS encryption key for the VPC flow log forwarder lambda function |
| <a name="output_vpc_fl_forwarder_lambda_qualified_arn"></a> vpc_fl_forwarder_lambda_qualified_arn | The ARN of the VPC flow log forwarder lambda function (if versioning is enabled via publish = true) |
| <a name="output_vpc_fl_forwarder_lambda_source_code_hash"></a> vpc_fl_forwarder_lambda_source_code_hash | Base64-encoded representation of raw SHA-256 sum of the VPC flow log forwarder lambda zip file, provided either via filename or s3_* parameters |
| <a name="output_vpc_fl_forwarder_lambda_version"></a> vpc_fl_forwarder_lambda_version | Latest published version of the VPC flow log forwarder lambda function |
| <a name="output_vpc_fl_forwarder_role_arn"></a> vpc_fl_forwarder_role_arn | The VPC flow log forwarder lambda role arn |
| <a name="output_vpc_fl_forwarder_role_id"></a> vpc_fl_forwarder_role_id | The VPC flow log forwarder lambda role id |
| <a name="output_vpc_fl_forwarder_role_name"></a> vpc_fl_forwarder_role_name | The VPC flow log forwarder lambda role name |
| <a name="output_vpc_fl_forwarder_role_policy_arn"></a> vpc_fl_forwarder_role_policy_arn | The ARN of the VPC flow log forwarder lambda role policy |
| <a name="output_vpc_fl_forwarder_role_policy_id"></a> vpc_fl_forwarder_role_policy_id | The ID of the VPC flow log forwarder lambda role policy |
| <a name="output_vpc_fl_forwarder_role_policy_name"></a> vpc_fl_forwarder_role_policy_name | The name of the VPC flow log forwarder lambda role policy |
| <a name="output_vpc_fl_forwarder_role_unique_id"></a> vpc_fl_forwarder_role_unique_id | The stable and unique string identifying the VPC flow log forwarder lambda role. |
License
Apache-2.0 Licensed. See LICENSE.