Merge pull request #6 from Jno21/feat/region

feat: add support for multi region using new region field from aws provider v6

Author: ktmq

README.md

@@ -45,6 +45,11 @@ For complete usage examples demonstrating different configuration scenarios, see
 - `dd_api_key_secret_arn` - ARN of existing Secrets Manager secret containing the API key
 - `dd_api_key_ssm_parameter_name` - Name of SSM Parameter containing the API key
 
+### AWS Configuration
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| region | AWS region to deploy the Datadog Forwarder to. If empty, the forwarder will be deployed to the region set by the provider. | `string` | `null` |
+
 ### Lambda Configuration
 
 | Name | Description | Type | Default |
@@ -201,30 +206,27 @@ When deploying the forwarder across multiple AWS regions, you have two options:
 The simplest approach is to let the module create all resources in each region:
 
 ```hcl
+provider "aws" {
+  region = "us-east-1"
+}
+
 # us-east-1 deployment
 module "datadog_forwarder_us_east_1" {
   source = "path/to/this/module"
 
   function_name = "DatadogForwarder"
   dd_api_key    = var.datadog_api_key
   dd_site       = "datadoghq.com"
-
-  providers = {
-    aws = aws.us_east_1
-  }
 }
 
 # us-west-2 deployment
 module "datadog_forwarder_us_west_2" {
   source = "path/to/this/module"
+  region = "us-west-2"
 
   function_name = "DatadogForwarder"
   dd_api_key    = var.datadog_api_key
   dd_site       = "datadoghq.com"
-
-  providers = {
-    aws = aws.us_west_2
-  }
 }
 ```
 
@@ -235,30 +237,27 @@ The module automatically includes the region in IAM resource names to prevent gl
 For advanced use cases where you want to manage IAM roles centrally, you must provide **all** external resources to avoid cross-region conflicts:
 
 ```hcl
+provider "aws" {
+  region = "us-east-1"
+}
+
 module "datadog_forwarder_us_east_1" {
   source = "path/to/this/module"
 
   function_name                      = "DatadogForwarder"
   existing_iam_role_arn              = "arn:aws:iam::123456789012:role/DatadogForwarderRole"
   dd_forwarder_existing_bucket_name  = "my-global-datadog-bucket"
   dd_api_key_secret_arn              = "arn:aws:secretsmanager:us-east-1:123456789012:secret:datadog-api-key-abc123"
-
-  providers = {
-    aws = aws.us_east_1
-  }
 }
 
 module "datadog_forwarder_us_west_2" {
   source = "path/to/this/module"
+  region = "us-west-2"
 
   function_name                      = "DatadogForwarder"
   existing_iam_role_arn              = "arn:aws:iam::123456789012:role/DatadogForwarderRole"
   dd_forwarder_existing_bucket_name  = "my-global-datadog-bucket"
   dd_api_key_secret_arn              = "arn:aws:secretsmanager:us-west-2:123456789012:secret:datadog-api-key-def456"
-
-  providers = {
-    aws = aws.us_west_2
-  }
 }
 ```
 

data.tf

@@ -21,9 +21,6 @@ locals {
   # Determine if we need to create an S3 bucket for caching and failed events storage
   create_s3_bucket = (coalesce(var.dd_fetch_log_group_tags, false) || coalesce(var.dd_fetch_lambda_tags, false) || coalesce(var.dd_fetch_s3_tags, false) || coalesce(var.dd_store_failed_events, false)) && var.dd_forwarder_existing_bucket_name == null
 
-  # Default layer ARN based on partition and region
-  default_layer_arn = "arn:${data.aws_partition.current.partition}:lambda:${data.aws_region.current.region}:${local.dd_account_id}:layer:Datadog-Forwarder:${local.layer_version}"
-
   # Account ID varies by partition
   dd_account_id = data.aws_partition.current.partition == "aws-us-gov" ? "002406178527" : "464622532012"
 
@@ -32,4 +29,11 @@ locals {
 
   # IAM role ARN - use module output if created, otherwise use provided ARN
   iam_role_arn = var.existing_iam_role_arn == null ? module.iam[0].iam_role_arn : var.existing_iam_role_arn
+
+  # AWS Region
+  region = coalesce(var.region, data.aws_region.current.region)
+
+  # Default layer ARN based on partition and region
+  default_layer_arn = "arn:${data.aws_partition.current.partition}:lambda:${local.region}:${local.dd_account_id}:layer:Datadog-Forwarder:${local.layer_version}"
+
 }

examples/multi-region/main.tf

@@ -10,14 +10,10 @@ terraform {
 }
 
 provider "aws" {
-  alias  = "us_east_1"
   region = "us-east-1"
 }
-provider "aws" {
-  alias  = "us_east_2"
-  region = "us-east-2"
-}
 
+# The region is not specified, so it will default to us-east-1
 module "datadog_forwarder_us_east_1" {
   source = "../../"
 
@@ -36,13 +32,14 @@ module "datadog_forwarder_us_east_1" {
     terraform         = "true"
     dd_forwarder_name = var.function_name
   }
-  providers = {
-    aws = aws.us_east_1
-  }
 }
+
 module "datadog_forwarder_us_east_2" {
   source = "../../"
 
+  # Specify the region
+  region = "us-east-2"
+
   # Required - API key will be stored in Secrets Manager
   # Alternatively, use dd_api_key_secret_arn to reference an existing Secrets Manager secret
   # Or use dd_api_key_ssm_parameter_name to reference an existing SSM Parameter
@@ -58,7 +55,4 @@ module "datadog_forwarder_us_east_2" {
     terraform         = "true"
     dd_forwarder_name = var.function_name
   }
-  providers = {
-    aws = aws.us_east_2
-  }
 }

main.tf

@@ -8,7 +8,7 @@ module "iam" {
   iam_role_path                     = var.iam_role_path
   permissions_boundary_arn          = var.permissions_boundary_arn
   partition                         = data.aws_partition.current.partition
-  region                            = data.aws_region.current.region
+  region                            = local.region
   tags                              = var.tags
   s3_bucket_permissions             = var.dd_forwarder_existing_bucket_name != null || local.create_s3_bucket
   forwarder_bucket_arn              = local.create_s3_bucket ? aws_s3_bucket.forwarder_bucket[0].arn : null
@@ -27,6 +27,8 @@ module "iam" {
 resource "aws_secretsmanager_secret" "dd_api_key_secret" {
   count = var.dd_api_key_secret_arn == null && var.dd_api_key_ssm_parameter_name == null ? 1 : 0
 
+  region = local.region
+
   name_prefix = "DatadogAPIKey-${var.function_name}"
 
   description = "Datadog API Key"
@@ -37,6 +39,8 @@ resource "aws_secretsmanager_secret" "dd_api_key_secret" {
 resource "aws_secretsmanager_secret_version" "dd_api_key_secret_version" {
   count = var.dd_api_key_secret_arn == null && var.dd_api_key_ssm_parameter_name == null ? 1 : 0
 
+  region = local.region
+
   secret_id     = aws_secretsmanager_secret.dd_api_key_secret[0].id
   secret_string = var.dd_api_key
 }
@@ -45,6 +49,8 @@ resource "aws_secretsmanager_secret_version" "dd_api_key_secret_version" {
 resource "aws_s3_bucket" "forwarder_bucket" {
   count = local.create_s3_bucket ? 1 : 0
 
+  region = local.region
+
   bucket = var.dd_forwarder_bucket_name != null ? var.dd_forwarder_bucket_name : null
 
   force_destroy = true
@@ -55,6 +61,8 @@ resource "aws_s3_bucket" "forwarder_bucket" {
 resource "aws_s3_bucket_server_side_encryption_configuration" "forwarder_bucket_encryption" {
   count = local.create_s3_bucket ? 1 : 0
 
+  region = local.region
+
   bucket = aws_s3_bucket.forwarder_bucket[0].id
 
   rule {
@@ -68,6 +76,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "forwarder_bucket_
 resource "aws_s3_bucket_public_access_block" "forwarder_bucket_pab" {
   count = local.create_s3_bucket ? 1 : 0
 
+  region = local.region
+
   bucket = aws_s3_bucket.forwarder_bucket[0].id
 
   block_public_acls       = true
@@ -79,6 +89,8 @@ resource "aws_s3_bucket_public_access_block" "forwarder_bucket_pab" {
 resource "aws_s3_bucket_logging" "forwarder_bucket_logging" {
   count = var.dd_forwarder_buckets_access_logs_target != null ? 1 : 0
 
+  region = local.region
+
   bucket = aws_s3_bucket.forwarder_bucket[0].id
 
   target_bucket = var.dd_forwarder_buckets_access_logs_target
@@ -88,6 +100,8 @@ resource "aws_s3_bucket_logging" "forwarder_bucket_logging" {
 resource "aws_s3_bucket_lifecycle_configuration" "forwarder_bucket_lifecycle" {
   count = local.create_s3_bucket ? 1 : 0
 
+  region = local.region
+
   bucket = aws_s3_bucket.forwarder_bucket[0].id
 
   rule {
@@ -108,6 +122,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "forwarder_bucket_lifecycle" {
 resource "aws_s3_bucket_policy" "forwarder_bucket_policy" {
   count = local.create_s3_bucket ? 1 : 0
 
+  region = local.region
+
   bucket = aws_s3_bucket.forwarder_bucket[0].id
 
   policy = jsonencode({
@@ -134,6 +150,7 @@ resource "aws_s3_bucket_policy" "forwarder_bucket_policy" {
 
 # Lambda function
 resource "aws_lambda_function" "forwarder" {
+  region = local.region
 
   function_name = var.function_name
   description   = "Pushes logs, metrics and traces from AWS to Datadog."
@@ -222,15 +239,19 @@ resource "aws_lambda_function" "forwarder" {
 
 # Lambda permissions
 resource "aws_lambda_permission" "cloudwatch_logs_invoke" {
+  region = local.region
+
   statement_id   = "CloudWatchLogsInvokePermission"
   action         = "lambda:InvokeFunction"
   function_name  = aws_lambda_function.forwarder.function_name
   principal      = data.aws_partition.current.partition == "aws-cn" ? "logs.amazonaws.com.cn" : "logs.amazonaws.com"
   source_account = data.aws_caller_identity.current.account_id
-  source_arn     = "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:*:*"
+  source_arn     = "arn:${data.aws_partition.current.partition}:logs:${local.region}:${data.aws_caller_identity.current.account_id}:log-group:*:*"
 }
 
 resource "aws_lambda_permission" "s3_invoke" {
+  region = local.region
+
   statement_id   = "S3Permission"
   action         = "lambda:InvokeFunction"
   function_name  = aws_lambda_function.forwarder.function_name
@@ -239,6 +260,8 @@ resource "aws_lambda_permission" "s3_invoke" {
 }
 
 resource "aws_lambda_permission" "sns_invoke" {
+  region = local.region
+
   statement_id   = "SNSPermission"
   action         = "lambda:InvokeFunction"
   function_name  = aws_lambda_function.forwarder.function_name
@@ -247,6 +270,8 @@ resource "aws_lambda_permission" "sns_invoke" {
 }
 
 resource "aws_lambda_permission" "eventbridge_invoke" {
+  region = local.region
+
   statement_id   = "CloudWatchEventsPermission"
   action         = "lambda:InvokeFunction"
   function_name  = aws_lambda_function.forwarder.function_name
@@ -256,6 +281,8 @@ resource "aws_lambda_permission" "eventbridge_invoke" {
 
 # CloudWatch Log Group
 resource "aws_cloudwatch_log_group" "forwarder_log_group" {
+  region = local.region
+
   name              = "/aws/lambda/${aws_lambda_function.forwarder.function_name}"
   retention_in_days = var.log_retention_in_days
 

tests/multi_region.tftest.hcl

@@ -0,0 +1,46 @@
+# Test multi-region support
+provider "aws" {
+  region = "us-east-1"
+}
+
+variables {
+  dd_api_key = "test-api-key-value"
+  dd_site    = "datadoghq.com"
+}
+
+run "multi_region_us_east_1" {
+  command = plan
+
+  # Test default region is set to the provider region (us-east-1)
+  assert {
+    condition     = local.region == "us-east-1"
+    error_message = "The region should be us-east-1"
+  }
+}
+
+run "multi_region_us_east_2" {
+  command = plan
+
+  variables {
+    region = "us-east-2"
+  }
+
+  # Test that the region is overridden to us-east-2
+  assert {
+    condition     = local.region == "us-east-2"
+    error_message = "The region should be us-east-2"
+  }
+}
+
+# Simulate the creation of resources in us-east-1 and us-east-2 to make sure resources name do not conflict (IAM roles, etc.)
+run "multi_region_us_east_1_existing_resources" {
+  command = apply
+}
+
+run "multi_region_us_east_2_existing_resources" {
+  command = plan
+
+  variables {
+    region = "us-east-2"
+  }
+}

variables.tf

@@ -380,3 +380,9 @@ variable "tags" {
   default     = {}
   description = "A map of tags to assign to all AWS resources created by this module that support tagging."
 }
+
+variable "region" {
+  type        = string
+  description = "AWS region to deploy the Datadog Forwarder to. If empty, the forwarder will be deployed to the region set by the provider."
+  default     = null
+}