From 51288c4760038b914bd5386e30f98d946868a5d6 Mon Sep 17 00:00:00 2001
From: Robert Shepley <84053550+ShepleySound@users.noreply.github.com>
Date: Fri, 30 May 2025 13:06:15 -0700
Subject: [PATCH 1/3] feat: Support FIPS-compliant extension layer

---
 main.tf      | 3 ++-
 variables.tf | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index bc18755..607cb4d 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,7 @@ locals {
     x86_64 = "",
     arm64 = "-ARM"
   }
+  fips_suffix = var.datadog_enable_fips ? "-FIPS" : ""
   runtime_base = regex("[a-z]+", var.runtime)
   runtime_base_environment_variable_map = {
     dotnet = {
@@ -55,7 +56,7 @@ locals {
 locals {
   datadog_extension_layer_arn = "${local.datadog_layer_name_base}:Datadog-Extension${local.datadog_extension_layer_suffix}:${var.datadog_extension_layer_version}"
-  datadog_extension_layer_suffix = local.datadog_layer_suffix
+  datadog_extension_layer_suffix = "${local.datadog_layer_suffix}${local.fips_suffix}"
   datadog_lambda_layer_arn = "${local.datadog_layer_name_base}:${local.datadog_lambda_layer_runtime}${local.datadog_lambda_layer_suffix}:${local.datadog_lambda_layer_version}"
   datadog_lambda_layer_suffix = contains(["java", "nodejs"], local.runtime_base) ? "" : local.datadog_layer_suffix # java and nodejs don't have separate layers for ARM
diff --git a/variables.tf b/variables.tf
index 7a2f449..85dfd97 100644
--- a/variables.tf
+++ b/variables.tf
@@ -32,6 +32,12 @@ variable "datadog_python_layer_version" {
   default = 106
 }
+variable "datadog_enable_fips" {
+  description = "Enable FIPS compliant extension layers"
+  type = bool
+  default = false
+}
+
 ###################
 # Lambda Function
From 526e1afc65d913dc2e83012b15e6803c8ec2bf40 Mon Sep 17 00:00:00 2001
From: Robert Shepley <84053550+ShepleySound@users.noreply.github.com>
Date: Fri, 6 Jun 2025 17:57:21 -0700
Subject: [PATCH 2/3] Rename variable to datadog_is_fips_enabled

---
 main.tf      | 2 +-
 variables.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 607cb4d..2e950be 100644
--- a/main.tf
+++ b/main.tf
@@ -6,7 +6,7 @@ locals {
     x86_64 = "",
     arm64 = "-ARM"
   }
-  fips_suffix = var.datadog_enable_fips ? "-FIPS" : ""
+  fips_suffix = var.datadog_is_fips_enabled ? "-FIPS" : ""
   runtime_base = regex("[a-z]+", var.runtime)
   runtime_base_environment_variable_map = {
     dotnet = {
diff --git a/variables.tf b/variables.tf
index 85dfd97..24bf87d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -32,7 +32,7 @@ variable "datadog_python_layer_version" {
   default = 106
 }
-variable "datadog_enable_fips" {
+variable "datadog_is_fips_enabled" {
   description = "Enable FIPS compliant extension layers"
   type = bool
   default = false
From 7910dbe11a59853c8fa86622c36c70b9124b3579 Mon Sep 17 00:00:00 2001
From: Robert Shepley <84053550+ShepleySound@users.noreply.github.com>
Date: Tue, 17 Jun 2025 19:00:35 -0700
Subject: [PATCH 3/3] Add FIPS-compliance as the default for GovCloud

---
 main.tf      | 7 ++++++-
 variables.tf | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 2e950be..3cf3469 100644
--- a/main.tf
+++ b/main.tf
@@ -6,7 +6,7 @@ locals {
     x86_64 = "",
     arm64 = "-ARM"
   }
-  fips_suffix = var.datadog_is_fips_enabled ? "-FIPS" : ""
+  fips_suffix = local.is_fips_enabled ? "-FIPS" : ""
   runtime_base = regex("[a-z]+", var.runtime)
   runtime_base_environment_variable_map = {
     dotnet = {
@@ -52,6 +52,11 @@ locals {
     "python3.12" = "Datadog-Python312"
     "python3.13" = "Datadog-Python313"
   }
+  is_fips_enabled = (
+    var.datadog_is_fips_enabled != null
+    ? var.datadog_is_fips_enabled
+    : (lookup(var.environment_variables, "DD_SITE", "") == "ddog-gov.com")
+  )
 }
 locals {
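Review bot: The GovCloud auto-detection in the added `is_fips_enabled` local is an exact-string match on `lookup(var.environment_variables, "DD_SITE", "")`, so a value that differs only in case or whitespace, or a DD_SITE supplied through any channel other than `var.environment_variables`, silently selects the non-FIPS extension layer with no plan-time signal. Since the point of this default is compliance, I would at least normalize the comparison, `: (lower(trimspace(lookup(var.environment_variables, "DD_SITE", ""))) == "ddog-gov.com")`, and consider also treating a `us-gov-*` deployment region as GovCloud if the module already has the region in scope (not visible in this hunk). `lookup` on a null map is a plan-time error, so if `environment_variables` is nullable a `coalesce(var.environment_variables, {})` guard is also warranted. An explicit `datadog_is_fips_enabled = false` overrides the detection, which is presumably intended, but a `check` block that warns when the non-FIPS layer is chosen while DD_SITE is ddog-gov.com would make that override visible in plan output.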
diff --git a/variables.tf b/variables.tf
index 24bf87d..b98ab27 100644
--- a/variables.tf
+++ b/variables.tf
@@ -33,9 +33,9 @@ variable "datadog_python_layer_version" {
 }
 variable "datadog_is_fips_enabled" {
-  description = "Enable FIPS compliant extension layers"
+  description = "When set to true, a FIPS-compliant Lambda extension layer is used. Defaults to `true` if the DD_SITE environment variable is ddog-gov.com. Otherwise, defaults to `false`."
   type = bool
-  default = false
+  default = null
 }
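Review bot: The new description should spell out how the default is derived and what overriding it means, since this is the text an operator reads before deciding whether to set the variable. It says the default is `true` when `DD_SITE` is `ddog-gov.com`, but the detection (in main.tf, outside this hunk) reads only `var.environment_variables["DD_SITE"]`, so a site configured any other way is not detected, and an explicit `false` selects the non-FIPS layer even in GovCloud. I would append: `Detection reads DD_SITE from var.environment_variables only; set this explicitly when DD_SITE is configured elsewhere. Setting it to false in GovCloud selects the non-FIPS layer.` Keeping `type = bool` with `default = null` works because variables are nullable by default, but a trailing `# null = auto-detect from DD_SITE` on the `default` line would help readers who see a bool defaulting to null.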