# Required variables
variable "dd_api_key" {
type = string
default = null
description = <<-EOT
The Datadog API key, which can be found from the APIs page (/account/settings#api).
When provided, the module will automatically create and manage a Secrets Manager secret.
NOTE: Do not use this with dd_api_key_secret_arn or dd_api_key_ssm_parameter_name.
Choose ONE approach for API key management.
EOT
sensitive = true
}
variable "dd_allowed_kms_keys" {
type = list(string)
description = "KMS key arns which can be used to decrypt data, default is all"
default = ["*"]
validation {
condition = alltrue([
for arn in var.dd_allowed_kms_keys : arn == "*" || can(regex("^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/[a-f0-9-]{36}$", arn))
])
error_message = "All KMS key ARNs must be valid ARNs in the format 'arn:aws:kms:region:account:key/key-id' or '*' for all keys."
}
}
variable "dd_s3_log_bucket_arns" {
type = list(string)
description = "List of S3 ARN patterns the forwarder is allowed to read logs from (e.g. [\"arn:aws:s3:::my-bucket/*\", \"arn:aws:s3:::other-bucket/prefix/*\"]). Defaults to [\"*\"] (all buckets). WARNING: Restricting this may break Datadog's automatic log subscription setup and the forwarder execution for buckets not included in this list."
default = ["*"]
validation {
condition = alltrue([
for arn in var.dd_s3_log_bucket_arns : arn == "*" || can(regex("^arn:aws[a-z-]*:s3:::", arn))
])
error_message = "All S3 log bucket ARNs must be valid S3 ARNs (starting with 'arn:aws:s3:::') or '*' for all buckets."
}
}
variable "dd_api_key_secret_arn" {
type = string
default = null
description = <<-EOT
The ARN of an existing secret storing the Datadog API key in AWS Secrets Manager.
The secret must be stored as plaintext, not as a key-value pair.
If the secret is created in the same Terraform plan, set create_dd_api_key_secret = false
so the module knows not to create its own secret.
NOTE: Do not use this with dd_api_key or dd_api_key_ssm_parameter_name.
EOT
validation {
condition = var.dd_api_key_secret_arn == null || can(regex("^arn:.*:secretsmanager:.*", var.dd_api_key_secret_arn))
error_message = "dd_api_key_secret_arn must be a valid Secrets Manager ARN."
}
}
variable "dd_api_key_ssm_parameter_name" {
type = string
default = null
description = <<-EOT
The name of an existing SSM Parameter Store parameter containing the Datadog API key.
If the parameter is created in the same Terraform plan, set create_dd_api_key_secret = false
so the module knows not to create its own secret.
NOTE: Do not use this with dd_api_key or dd_api_key_secret_arn.
When set, this takes precedence over secret-based configuration.
EOT
validation {
condition = var.dd_api_key_ssm_parameter_name == null || can(regex("^/[a-zA-Z0-9/_.-]*$", var.dd_api_key_ssm_parameter_name))
error_message = "dd_api_key_ssm_parameter_name must match the pattern ^/[a-zA-Z0-9/_.-]*$."
}
}
variable "create_dd_api_key_secret" {
type = bool
default = null
description = <<-EOT
Controls whether the module creates a Secrets Manager secret for the Datadog API key.
- true: Force creation of secret (requires dd_api_key to be set)
- false: Do not create secret (requires dd_api_key_secret_arn or dd_api_key_ssm_parameter_name)
- null (default): Automatic behavior - create secret only if neither dd_api_key_secret_arn nor dd_api_key_ssm_parameter_name is provided
Set this to false when using secrets or parameters created in the same Terraform plan.
EOT
validation {
condition = var.create_dd_api_key_secret != true || var.dd_api_key != null
error_message = "When create_dd_api_key_secret is true, dd_api_key must be provided."
}
validation {
condition = var.create_dd_api_key_secret != false || (var.dd_api_key_secret_arn != null || var.dd_api_key_ssm_parameter_name != null)
error_message = "When create_dd_api_key_secret is false, either dd_api_key_secret_arn or dd_api_key_ssm_parameter_name must be provided."
}
}
variable "skip_dd_site_validation" {
type = bool
default = false
description = "Skip validation of dd_site value. For internal use only."
}
variable "dd_site" {
type = string
default = "datadoghq.com"
description = "Define your Datadog Site to send data to."
validation {
condition = var.skip_dd_site_validation || contains(["datadoghq.com", "datadoghq.eu", "us3.datadoghq.com", "us5.datadoghq.com", "ap1.datadoghq.com", "ap2.datadoghq.com", "ddog-gov.com"], var.dd_site)
error_message = "dd_site must be one of: datadoghq.com, datadoghq.eu, us3.datadoghq.com, us5.datadoghq.com, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com."
}
}
# Lambda function configuration
variable "function_name" {
type = string
default = "DatadogForwarder"
description = "The Datadog Forwarder Lambda function name. DO NOT change when updating an existing CloudFormation stack, otherwise the current forwarder function will be replaced and all the triggers will be lost."
}
variable "memory_size" {
type = number
default = 1024
description = "Memory size for the Datadog Forwarder Lambda function"
validation {
condition = var.memory_size >= 128 && var.memory_size <= 3008
error_message = "memory_size must be between 128 and 3008."
}
}
variable "timeout" {
type = number
default = 120
description = "Timeout for the Datadog Forwarder Lambda function"
}
variable "existing_iam_role_arn" {
type = string
default = null
description = "ARN of existing IAM role to use for the Lambda function. If not provided, a new IAM role will be created. When using an existing role, you are responsible for ensuring it has the necessary permissions for any resources the module creates (S3 bucket, CloudWatch Logs, etc.). Use the module outputs (forwarder_bucket_arn, forwarder_log_group_arn) to configure your IAM role policies."
validation {
condition = var.existing_iam_role_arn == null || (
var.dd_api_key_ssm_parameter_name != null || var.dd_api_key_secret_arn != null
)
error_message = "When using existing_iam_role_arn, you must also specify either dd_api_key_ssm_parameter_name or dd_api_key_secret_arn, since the module cannot grant your existing role access to a newly created secret."
}
}
variable "tags_cache_ttl_seconds" {
type = number
default = 300
description = "TTL (in seconds) for the Datadog tags cache"
}
variable "reserved_concurrency" {
type = string
default = null
description = "Reserved concurrency for the Datadog Forwarder Lambda function. If not set, use unreserved account concurrency. We recommend using at least 10 reserved concurrency, but default to 0 as you may need to increase your limits for this. If using unreserved account concurrency you may limit other lambda functions in your environment."
validation {
condition = var.reserved_concurrency == null || can(tonumber(var.reserved_concurrency))
error_message = "reserved_concurrency must be a valid integer number."
}
}
variable "log_retention_in_days" {
type = number
default = 90
description = "CloudWatch log retention for logs generated by the Datadog Forwarder Lambda function"
}
variable "layer_version" {
type = string
default = "latest"
description = "Version of the Datadog Forwarder Lambda layer. Use 'latest' to automatically fetch the latest version from GitHub releases or specify a version like '89'."
}
variable "layer_arn" {
type = string
default = null
description = "ARN for the layer containing the forwarder code. If empty, the script will use the version of the layer the forwarder was published with."
}
variable "additional_layers" {
type = list(string)
default = []
description = "Additional Lambda layers to attach to the forwarder function (e.g., Datadog Lambda Extension)."
}
variable "additional_environment_variables" {
type = map(string)
default = {}
description = "Additional environment variables to set on the forwarder Lambda function (e.g., DD_TRACE_SAMPLING_RULES for the Datadog Lambda Extension). Merged after all built-in variables, so these take precedence on conflict."
}
# Datadog configuration
variable "dd_tags" {
type = string
default = null
description = "Add custom tags to forwarded logs. Comma-delimited string without trailing comma, e.g., env:prod,stack:classic"
}
variable "dd_source" {
type = string
default = null
description = "Override the source attribute for all logs forwarded by Lambda Forwarder. By default, the Forwarder automatically detects the source based on the log origin (e.g., lambda, s3, cloudwatch, rds). When set, all logs will use the specified source value instead, and a source_overridden:true tag will be added to the logs."
}
variable "dd_enrich_s3_tags" {
type = bool
default = null
description = "Instructs the Datadog backend to automatically enrich logs originating from S3 buckets with the tags associated with those buckets. This approach offers the same tag enrichment as `dd_fetch_s3_tags` but defers the operation after log ingestion, reducing Forwarder overhead. Requires Resource Collection to be enabled in your AWS integration. Require Lambda Forwarder v5."
validation {
condition = !coalesce(var.dd_enrich_s3_tags, false) || !coalesce(var.dd_fetch_s3_tags, false)
error_message = "S3 Tag enrichment cannot be enabled along side S3 Tag fetch from the forwarder"
}
}
variable "dd_enrich_cloudwatch_tags" {
type = bool
default = null
description = "Instructs the Datadog backend to automatically enrich logs originating from CloudWatch LogGroups with the tags associated with those log groups. This approach offers the same tag enrichment as `dd_fetch_log_group_tags` but defers the operation after log ingestion, reducing Forwarder overhead. Requires Resource Collection to be enabled in your AWS integration. Require Lambda Forwarder v5."
validation {
condition = !coalesce(var.dd_enrich_cloudwatch_tags, false) || !coalesce(var.dd_fetch_log_group_tags, false)
error_message = "Cloudwatch Tag enrichment cannot be enabled along side LogGroup Tag fetch from the forwarder"
}
}
variable "dd_fetch_lambda_tags" {
type = bool
default = null
description = "Let the forwarder fetch Lambda tags using GetResources API calls and apply them to logs, metrics and traces. If set to true, permission tag:GetResources will be automatically added to the Lambda execution IAM role."
}
variable "dd_fetch_log_group_tags" {
type = bool
default = null
description = "(deprecated in favor of dd_enrich_cloudwatch_tags) Let the forwarder fetch Log Group tags using ListTagsForResource and apply them to logs, metrics and traces. If set to true, permission logs:ListTagsForResource will be automatically added to the Lambda execution IAM role."
}
variable "dd_fetch_step_functions_tags" {
type = bool
default = null
description = "Let the forwarder fetch Step Functions tags using GetResources API calls and apply them to logs, metrics and traces. If set to true, permission tag:GetResources will be automatically added to the Lambda execution IAM role."
}
variable "dd_fetch_s3_tags" {
type = bool
default = null
description = "(deprecated in favor of dd_enrich_s3_tags) Let the forwarder fetch S3 buckets tags using GetResources API calls and apply them to S3 based logs. If set to true, permission tag:GetResources will be automatically added to the Lambda execution IAM role."
}
# Network configuration
variable "dd_no_ssl" {
type = string
default = null
description = "Disable SSL when forwarding logs, set to 'true' when forwarding logs through a proxy."
}
variable "dd_url" {
type = string
default = null
description = "The endpoint URL to forward the logs to, useful for forwarding logs through a proxy"
}
variable "dd_port" {
type = string
default = null
description = "The endpoint port to forward the logs to, useful for forwarding logs through a proxy"
}
variable "dd_skip_ssl_validation" {
type = bool
default = null
description = "Send logs over HTTPS, while NOT validating the certificate provided by the endpoint. This will still encrypt the traffic between the forwarder and the log intake endpoint, but will not verify if the destination SSL certificate is valid. Set to true to skip SSL validation."
}
# Log processing
variable "redact_ip" {
type = bool
default = null
description = "Replace text matching \\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3} with xxx.xxx.xxx.xxx. Set to 'true' to enable."
}
variable "redact_email" {
type = bool
default = null
description = "Replace text matching [a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+ with xxxxx@xxxxx.com. Set to 'true' to enable."
}
variable "dd_scrubbing_rule" {
type = string
default = null
description = "Replace text matching the supplied regular expression with xxxxx (default) or dd_scrubbing_rule_replacement (if supplied). Log scrubbing rule is applied to the full JSON-formatted log, including any metadata that is automatically added by the Lambda function."
}
variable "dd_scrubbing_rule_replacement" {
type = string
default = null
description = "Replace text matching dd_scrubbing_rule with the supplied text"
}
variable "exclude_at_match" {
type = string
default = null
description = "DO NOT send logs matching the supplied regular expression. If a log matches both the exclude_at_match and include_at_match, it is excluded. Filtering rules are applied to the full JSON-formatted log, including any metadata that is automatically added by the function."
}
variable "include_at_match" {
type = string
default = null
description = "Only send logs matching the supplied regular expression and not excluded by exclude_at_match."
}
variable "dd_multiline_log_regex_pattern" {
type = string
default = null
description = "Use the supplied regular expression to detect for a new log line for multiline logs from S3, e.g., use expression \"\\d{2}\\/\\d{2}\\/\\d{4}\" for multiline logs beginning with pattern \"11/10/2014\"."
}
variable "dd_forward_log" {
type = bool
default = null
description = "Set to false to disable log forwarding, while continuing to forward other observability data, such as metrics and traces from Lambda functions."
}
variable "dd_step_functions_trace_enabled" {
type = bool
default = null
description = "Set to true to enable tracing for all Step Functions."
}
variable "dd_use_compression" {
type = bool
default = null
description = "Set to false to disable log compression. Only valid when sending logs over HTTP."
}
variable "dd_enhanced_metrics" {
type = bool
default = false
description = "Set to true to enable enhanced Lambda metrics. This will generate additional custom metrics for Lambda functions, including cold starts, estimated AWS costs, and custom tags. Default is false."
}
# VPC configuration
variable "dd_use_vpc" {
type = bool
default = false
description = "Set to true to deploy the Forwarder to a VPC and send logs, metrics, and traces via a proxy. When set to true, must also set vpc_security_group_ids and vpc_subnet_ids."
}
variable "dd_http_proxy_url" {
type = string
default = null
description = "Sets the standard web proxy environment variables HTTP_PROXY and HTTPS_PROXY. These are the url endpoints your proxy server exposes. Make sure to also set dd_skip_ssl_validation to true."
}
variable "dd_no_proxy" {
type = string
default = null
description = "Sets the standard web proxy environment variable NO_PROXY. It is a comma-separated list of domain names that should be excluded from the web proxy."
}
variable "vpc_security_group_ids" {
type = list(string)
default = []
description = "List of VPC Security Group IDs. Used when dd_use_vpc is enabled."
validation {
condition = var.dd_use_vpc == false || length(var.vpc_security_group_ids) > 0
error_message = "vpc_security_group_ids must be specified when dd_use_vpc is true."
}
}
variable "vpc_subnet_ids" {
type = list(string)
default = []
description = "List of VPC Subnet IDs. Used when dd_use_vpc is enabled."
validation {
condition = var.dd_use_vpc == false || length(var.vpc_subnet_ids) > 0
error_message = "vpc_subnet_ids must be specified when dd_use_vpc is true."
}
}
# Advanced configuration
variable "dd_compression_level" {
type = string
default = null
nullable = true
description = "Set the compression level from 0 (no compression) to 9 (best compression) when sending logs."
validation {
condition = var.dd_compression_level == null ? true : (
can(tonumber(var.dd_compression_level)) &&
tonumber(var.dd_compression_level) >= 0 &&
tonumber(var.dd_compression_level) <= 9
)
error_message = "dd_compression_level must be a number between 0 and 9."
}
}
variable "dd_max_workers" {
type = string
default = null
description = "Set the max number of workers sending logs concurrently."
}
variable "iam_role_path" {
type = string
default = "/"
description = "The path for the IAM roles."
}
variable "permissions_boundary_arn" {
type = string
default = null
description = "ARN for the Permissions Boundary Policy"
}
variable "additional_target_lambda_arns" {
type = string
default = null
description = "Comma-separated list of lambda ARNs that get invoked asynchronously with the same input event"
}
variable "dd_api_url" {
type = string
default = null
description = "The endpoint URL to forward the metrics to, useful for forwarding metrics through a proxy"
}
variable "dd_trace_intake_url" {
type = string
default = null
description = "The endpoint URL to forward the traces to, useful for forwarding traces through a proxy"
}
# S3 bucket configuration
variable "dd_forwarder_bucket_name" {
type = string
default = null
description = "The name of the forwarder bucket to create. If not provided, AWS will generate a unique name."
}
variable "dd_forwarder_buckets_access_logs_target" {
type = string
default = null
description = "(Optional) The name of the S3 bucket to store access logs. Leave empty if access logging is not needed."
}
variable "dd_store_failed_events" {
type = bool
default = null
description = "Set to true to enable the forwarder to store events that failed to send to Datadog."
}
variable "dd_sqs_queue_url" {
type = string
default = null
description = "URL of an existing SQS queue for failed event storage. When set, the forwarder uses SQS instead of S3 for retry storage, and DD_STORE_FAILED_EVENTS is automatically enabled. The queue must already exist. Requires forwarder layer version >= 97. Format: https://sqs.{region}.amazonaws.com/{account_id}/{queue_name}"
validation {
condition = var.dd_sqs_queue_url == null || can(regex("^https://sqs\\.[a-z0-9-]+\\.amazonaws\\.com[a-z.]*/[0-9]{12}/[a-zA-Z0-9_.-]+$", var.dd_sqs_queue_url))
error_message = "dd_sqs_queue_url must be a valid SQS queue URL (e.g. https://sqs.us-east-1.amazonaws.com/123456789012/my-queue)."
}
}
variable "dd_schedule_retry_failed_events" {
type = bool
default = null
description = "Set to true to enable a scheduled forwarder invocation (via AWS EventBridge) to process stored failed events."
}
variable "dd_schedule_retry_interval" {
type = number
default = 6
description = "Interval in hours for scheduled forwarder invocation (via AWS EventBridge)."
}
variable "dd_forwarder_existing_bucket_name" {
type = string
default = null
description = "The name of an existing s3 bucket to use. If not provided, a new bucket will be created."
}
variable "dd_log_level" {
type = string
default = null
nullable = true
description = "Set the log level for the forwarder. Valid values are DEBUG, INFO, WARN, ERROR, CRITICAL. If not set, default is WARN."
validation {
condition = var.dd_log_level == null ? true : contains(["DEBUG", "INFO", "WARN", "ERROR", "CRITICAL"], var.dd_log_level)
error_message = "dd_log_level must be one of: DEBUG, INFO, WARN, ERROR, CRITICAL."
}
}
variable "dd_trace_enabled" {
type = bool
default = true
description = "Set to false to disable trace forwarding."
}
variable "tags" {
type = map(string)
default = {}
description = "A map of tags to assign to all AWS resources created by this module that support tagging."
}
variable "region" {
type = string
description = "AWS region to deploy the Datadog Forwarder to. If empty, the forwarder will be deployed to the region set by the provider."
default = null
}