AWS Datadog VPC Flow Log Monitoring Terraform module

Terraform module which processes VPC flow log monitoring `DATA_MESSAGE` events coming from CloudWatch Logs and forwards them to Datadog.

Usage

```hcl
# Note: you will need to create this secret manually prior to running
# This avoids having to pass the key to Terraform in plaintext
data "aws_secretsmanager_secret" "datadog_api_key" {
  name = "datadog/api_key"
}

module "datadog_vpc_flow_log_forwarder" {
  source  = "terraform-aws-modules/datadog-forwarders/aws//modules/vpc_flow_log_forwarder"

  kms_alias             = "alias/datadog" # KMS key will need to be created outside of module
  dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
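The snippet above stops at instantiating the module. The following added example (not part of the module's README or the terraform-aws-modules project) shows the surrounding wiring a deployment actually needs: the KMS key and alias the module expects to exist, a CloudWatch log group that receives VPC flow logs, and a subscription filter that delivers that group to the forwarder's `lambda_arn` output with `read_cloudwatch_logs` enabled. The VPC id variable, resource names, log group path and retention values are assumptions chosen for illustration.

```hcl
# Added example; names, paths and the VPC id below are placeholders.
variable "vpc_id" {
  description = "Placeholder: VPC whose flow logs are forwarded to Datadog"
  type        = string
}

# KMS key and alias are created outside the module; the module resolves the
# key by alias and uses it to encrypt the Datadog API key for the function.
resource "aws_kms_key" "datadog" {
  description         = "Encrypts Datadog forwarder secrets"
  enable_key_rotation = true
}

resource "aws_kms_alias" "datadog" {
  name          = "alias/datadog"
  target_key_id = aws_kms_key.datadog.key_id
}

# The secret is created out of band so the API key never enters Terraform
# state in plaintext; only its ARN is referenced here.
data "aws_secretsmanager_secret" "datadog_api_key" {
  name = "datadog/api_key"
}

# Log group that receives the VPC flow logs (assumed name and retention).
resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
  name              = "/aws/vpc/flow-logs"
  retention_in_days = 30
}

# Least-privilege role for the VPC Flow Logs service to write into that group.
data "aws_iam_policy_document" "flow_log_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_log" {
  name               = "vpc-flow-log-writer"
  assume_role_policy = data.aws_iam_policy_document.flow_log_assume.json
}

data "aws_iam_policy_document" "flow_log_write" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.vpc_flow_logs.arn}:*"]
  }
}

resource "aws_iam_role_policy" "flow_log" {
  name   = "vpc-flow-log-writer"
  role   = aws_iam_role.flow_log.id
  policy = data.aws_iam_policy_document.flow_log_write.json
}

resource "aws_flow_log" "this" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow_logs.arn
  iam_role_arn         = aws_iam_role.flow_log.arn
}

module "datadog_vpc_flow_log_forwarder" {
  source = "terraform-aws-modules/datadog-forwarders/aws//modules/vpc_flow_log_forwarder"

  kms_alias             = aws_kms_alias.datadog.name
  dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn

  # Default is false; without it the forwarder role gets no CloudWatch read grant.
  read_cloudwatch_logs = true

  # Bound the function's blast radius and log footprint.
  log_retention_days             = 30
  reserved_concurrent_executions = 10

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

# Deliver the flow log group to the forwarder. The module's
# aws_lambda_permission.cloudwatch resource supplies the invoke grant.
resource "aws_cloudwatch_log_subscription_filter" "vpc_flow_logs" {
  name            = "datadog-vpc-flow-logs"
  log_group_name  = aws_cloudwatch_log_group.vpc_flow_logs.name
  filter_pattern  = ""
  destination_arn = module.datadog_vpc_flow_log_forwarder.lambda_arn
}
```

Two things worth checking before `terraform apply`: the identity running Terraform needs `kms:Encrypt` on the key, because the module's `aws_kms_ciphertext` resource encrypts the API key at plan time; and if you set `log_kms_key_id` to encrypt the forwarder's own log group, that key's policy must also grant the CloudWatch Logs service principal for the region, or creation of the log group fails.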

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| aws | >= 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_kms_ciphertext.this | resource |
| aws_lambda_function.this | resource |
| aws_lambda_permission.cloudwatch | resource |
| aws_lambda_permission.s3 | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.this | data source |
| aws_kms_key.this | data source |
| aws_region.current | data source |
| aws_secretsmanager_secret_version.datadog_api_key | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| architectures | Instruction set architecture for your Lambda function. Valid values are `["x86_64"]` and `["arm64"]`. Default is `["x86_64"]` | `list(string)` | `["x86_64"]` | no |
| create | Controls whether the forwarder resources should be created | `bool` | `true` | no |
| create_role | Controls whether an IAM role is created for the forwarder | `bool` | `true` | no |
| create_role_policy | Controls whether an IAM role policy is created for the forwarder | `bool` | `true` | no |
| dd_api_key_secret_arn | The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager | `string` | `""` | no |
| dd_app_key | The Datadog application key associated with the user account that created it, which can be found from the APIs page | `string` | `""` | no |
| dd_site | Define your Datadog Site to send data to. For the Datadog EU site, set to `datadoghq.eu` | `string` | `"datadoghq.com"` | no |
| environment_variables | A map of environment variables for the forwarder lambda function | `map(string)` | `{}` | no |
| forwarder_version | VPC flow log monitoring version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.130.0"` | no |
| kms_alias | Alias of KMS key used to encrypt the Datadog API keys - must start with `alias/` | `string` | n/a | yes |
| kms_key_arn | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
| lambda_tags | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |
| layers | List of Lambda Layer Version ARNs (maximum of 5) to attach to the forwarder lambda | `list(string)` | `[]` | no |
| log_kms_key_id | The AWS KMS Key ARN to use for CloudWatch log group encryption | `string` | `null` | no |
| log_retention_days | Forwarder CloudWatch log group retention in days | `number` | `7` | no |
| memory_size | Memory size for the forwarder lambda function | `number` | `256` | no |
| name | Forwarder lambda name | `string` | `"datadog-vpc-flow-log-forwarder"` | no |
| policy_arn | IAM policy ARN for forwarder lambda function to utilize | `string` | `null` | no |
| policy_name | Forwarder policy name | `string` | `""` | no |
| policy_path | Forwarder policy path | `string` | `null` | no |
| publish | Whether to publish creation/change as a new Lambda Function Version | `bool` | `false` | no |
| read_cloudwatch_logs | Whether the forwarder will read CloudWatch log groups for VPC flow logs | `bool` | `false` | no |
| reserved_concurrent_executions | The amount of reserved concurrent executions for the forwarder lambda function | `number` | `10` | no |
| role_arn | IAM role ARN for forwarder lambda function to utilize | `string` | `null` | no |
| role_max_session_duration | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | `number` | `null` | no |
| role_name | Forwarder role name | `string` | `""` | no |
| role_path | Forwarder role path | `string` | `null` | no |
| role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the forwarder role | `string` | `null` | no |
| role_tags | A map of tags to apply to the forwarder role | `map(string)` | `{}` | no |
| runtime | Lambda function runtime | `string` | `"python3.11"` | no |
| s3_log_bucket_arns | S3 log buckets for forwarder to read and forward VPC flow logs to Datadog | `list(string)` | `[]` | no |
| security_group_ids | List of security group ids when Lambda Function should run in the VPC | `list(string)` | `null` | no |
| subnet_ids | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets | `list(string)` | `null` | no |
| tags | A map of tags to use on all resources | `map(string)` | `{}` | no |
| timeout | The amount of time the forwarder lambda has to execute in seconds | `number` | `10` | no |
| use_policy_name_prefix | Whether to use a unique name beginning with the specified `policy_name` for the forwarder policy | `bool` | `false` | no |
| use_role_name_prefix | Whether to use a unique name beginning with the specified `role_name` for the forwarder role | `bool` | `false` | no |

Outputs

| Name | Description |
|------|-------------|
| cloudwatch_log_group_arn | The ARN of the forwarder lambda function CloudWatch log group |
| lambda_arn | The ARN of the forwarder lambda function |
| lambda_kms_key_arn | (Optional) The ARN for the KMS encryption key for the forwarder lambda function |
| lambda_qualified_arn | The ARN of the forwarder lambda function (if versioning is enabled via `publish = true`) |
| lambda_source_code_hash | Base64-encoded representation of raw SHA-256 sum of the zip file, provided either via filename or s3_* parameters |
| lambda_version | Latest published version of the forwarder lambda function |
| role_arn | The forwarder lambda role ARN |
| role_id | The forwarder lambda role id |
| role_name | The forwarder lambda role name |
| role_policy_arn | The ARN of the forwarder lambda role policy |
| role_policy_id | The ID of the forwarder lambda role policy |
| role_policy_name | The name of the forwarder lambda role policy |
| role_unique_id | The stable and unique string identifying the forwarder lambda role |

Apache-2.0 Licensed. See LICENSE.