lambda-log.tf
# The principal Datadog (DD) Lambda forwarder, implemented here
# https://github.com/DataDog/datadog-serverless-functions/blob/master/aws/logs_monitoring/lambda_function.py
# can ingest logs from S3 only for specific services (not all S3 logs are supported).
# Refer to the table here https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/?tab=awsconsole#automatically-set-up-triggers
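locals {
  # S3 log ingestion requires the forwarder itself, the log-forwarder feature flag,
  # and at least one bucket to wire up. An empty bucket list is treated like null:
  # with no buckets the s3_log_bucket policy document below would otherwise render
  # an Allow statement with an empty resources list, which IAM rejects.
  s3_logs_enabled = local.lambda_enabled && var.forwarder_log_enabled && try(length(var.s3_buckets), 0) > 0

  # Download location of the forwarder bundle, pinned to var.dd_forwarder_version
  # unless the caller supplies an explicit URL. Only the location is pinned here:
  # the Lambda's source_code_hash is derived from whatever was fetched, so this
  # file carries no independent checksum of the release bundle.
  forwarder_log_artifact_url = var.forwarder_log_artifact_url != null ? var.forwarder_log_artifact_url : "https://github.com/DataDog/datadog-serverless-functions/releases/download/aws-dd-forwarder-${var.dd_forwarder_version}/aws-dd-forwarder-${var.dd_forwarder_version}.zip"
}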
module "forwarder_log_label" {
  source  = "cloudposse/label/null"
  version = "0.24.1" # requires Terraform >= 0.13.0

  # Only materialise the label when the log forwarder is actually deployed.
  count = local.lambda_enabled && var.forwarder_log_enabled ? 1 : 0

  # Inherit the root naming/tagging context and append a "forwarder-log"
  # attribute so every forwarder-log resource shares one id and tag set.
  context    = module.this.context
  attributes = ["forwarder-log"]
}
module "forwarder_log_artifact" {
  source  = "cloudposse/module-artifact/external"
  version = "0.7.0"

  count = local.lambda_enabled && var.forwarder_log_enabled ? 1 : 0

  # Fetches the forwarder zip from local.forwarder_log_artifact_url into
  # path.module; the Lambda resource consumes its `file` and `base64sha256`.
  # NOTE(review): no checksum is pinned in this file, so integrity rests on the
  # HTTPS fetch of the versioned release URL — confirm whether the artifact
  # module performs any further verification.
  url         = local.forwarder_log_artifact_url
  filename    = "forwarder-log.zip"
  module_name = var.dd_module_name
  module_path = path.module
}
######################################################################
## Create lambda function
resource "aws_lambda_function" "forwarder_log" {
  count = local.lambda_enabled && var.forwarder_log_enabled ? 1 : 0
  #checkov:skip=BC_AWS_GENERAL_64: (Pertaining to Lambda DLQ) Vendor lambda does not have a means to reprocess failed events.

  function_name = module.forwarder_log_label[0].id
  description   = "Datadog forwarder for log forwarding."
  tags          = module.forwarder_log_label[0].tags

  # Code is the downloaded release artifact; source_code_hash makes Terraform
  # redeploy whenever the downloaded bundle changes.
  filename         = module.forwarder_log_artifact[0].file
  source_code_hash = module.forwarder_log_artifact[0].base64sha256
  handler          = "lambda_function.lambda_handler"
  runtime          = var.lambda_runtime

  # Execution role is the shared Lambda role declared elsewhere in this module.
  # No timeout or memory_size is set, so provider defaults apply — confirm they
  # suit the forwarder's workload.
  role                           = aws_iam_role.lambda[0].arn
  reserved_concurrent_executions = var.lambda_reserved_concurrent_executions

  # Attach to a VPC only when both subnets and security groups are supplied;
  # try() tolerates either variable being null.
  dynamic "vpc_config" {
    for_each = try(length(var.subnet_ids), 0) > 0 && try(length(var.security_group_ids), 0) > 0 ? [1] : []
    content {
      subnet_ids         = var.subnet_ids
      security_group_ids = var.security_group_ids
    }
  }

  # local.lambda_env is assembled outside this file. No kms_key_arn is set, so
  # the variables are encrypted with the default AWS-managed Lambda key; if they
  # carry secrets, check that this matches your key-management requirements.
  environment {
    variables = local.lambda_env
  }

  tracing_config {
    mode = var.tracing_config_mode
  }
}
resource "aws_lambda_permission" "allow_s3_bucket" {
  # One invoke permission per configured bucket, keyed by bucket name.
  for_each = local.s3_logs_enabled ? toset(var.s3_buckets) : []

  statement_id = "AllowS3ToInvokeLambda"
  principal    = "s3.amazonaws.com"
  action       = "lambda:InvokeFunction"

  function_name = aws_lambda_function.forwarder_log[0].arn
  # Scope the S3 service principal to this bucket so other buckets cannot
  # invoke the forwarder.
  # NOTE(review): bucket names are global; if every bucket lives in this
  # account, also setting source_account = local.aws_account_id would close
  # the confused-deputy case where a deleted bucket name is re-registered
  # elsewhere — confirm before adding.
  source_arn = "${local.arn_format}:s3:::${each.key}"
}
resource "aws_s3_bucket_notification" "s3_bucket_notification" {
  for_each = local.s3_logs_enabled ? toset(var.s3_buckets) : []
  bucket   = each.value

  # Invoke the forwarder for every new object in the bucket. The invoke
  # permission must exist first or S3 refuses to validate the destination.
  lambda_function {
    events              = ["s3:ObjectCreated:*"]
    lambda_function_arn = aws_lambda_function.forwarder_log[0].arn
  }

  # NOTE(review): this resource manages the bucket's entire notification
  # configuration, so notifications configured elsewhere on the same bucket
  # would be replaced — confirm none exist for these buckets.
  depends_on = [aws_lambda_permission.allow_s3_bucket]
}
# Read access the forwarder needs on the configured log buckets, plus KMS
# decrypt when bucket KMS key ARNs are supplied.
data "aws_iam_policy_document" "s3_log_bucket" {
  count = local.s3_logs_enabled ? 1 : 0
  statement {
    effect = "Allow"
    actions = [
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:ListBucket",
      # NOTE(review): "s3:ListObjects" does not appear to be a documented IAM
      # action (the ListObjects API is authorised by s3:ListBucket); kept as-is,
      # but confirm and consider dropping it.
      "s3:ListObjects",
    ]
    # Both the bucket ARNs (ListBucket/GetBucketLocation) and the object ARNs
    # (GetObject) of every configured bucket.
    resources = concat(formatlist("%s:s3:::%s", local.arn_format, var.s3_buckets), formatlist("%s:s3:::%s/*", local.arn_format, var.s3_buckets))
  }
  # Only emitted when key ARNs are supplied, and scoped to exactly those keys.
  dynamic "statement" {
    for_each = try(length(var.s3_bucket_kms_arns), 0) > 0 ? [true] : []
    content {
      effect = "Allow"
      actions = [
        "kms:Decrypt"
      ]
      resources = var.s3_bucket_kms_arns
    }
  }
}
resource "aws_iam_policy" "datadog_s3" {
  count = local.s3_logs_enabled ? 1 : 0

  name        = module.forwarder_log_label[0].id
  description = "Policy for Datadog S3 integration"

  # Splat-and-join yields the single rendered document when count is 1 and an
  # empty string when it is 0, avoiding an index error in the disabled case.
  policy = join("", data.aws_iam_policy_document.s3_log_bucket[*].json)
}
resource "aws_iam_role_policy_attachment" "datadog_s3" {
  count = local.s3_logs_enabled ? 1 : 0

  # Attach the S3 read policy to the shared Lambda execution role; the
  # splat-and-join form tolerates either side being absent (count = 0).
  policy_arn = join("", aws_iam_policy.datadog_s3[*].arn)
  role       = join("", aws_iam_role.lambda[*].name)
}
# Lambda Forwarder logs
resource "aws_cloudwatch_log_group" "forwarder_log" {
  count = local.lambda_enabled && var.forwarder_log_enabled ? 1 : 0

  # Mirrors the group Lambda writes to for this function so retention and
  # encryption are enforced by Terraform rather than left at service defaults.
  # NOTE(review): if the function runs before this resource is applied, Lambda
  # may already have created the group and apply would fail on the conflict.
  name = "/aws/lambda/${aws_lambda_function.forwarder_log[0].function_name}"
  tags = module.forwarder_log_label[0].tags

  retention_in_days = var.forwarder_log_retention_days
  # The key policy must permit the CloudWatch Logs service principal to use
  # this key, otherwise log delivery fails silently — confirm for var.kms_key_id.
  kms_key_id = var.kms_key_id
}
# Cloudwatch Log Groups
resource "aws_lambda_permission" "cloudwatch_groups" {
  # One permission per entry in var.cloudwatch_forwarder_log_groups
  # (key = label used in the statement id, value = log group name).
  for_each = local.lambda_enabled && var.forwarder_log_enabled ? var.cloudwatch_forwarder_log_groups : {}

  # NOTE(review): Lambda statement ids only allow [a-zA-Z0-9-_]; map keys with
  # other characters would fail at apply time — confirm the keys' format.
  statement_id = "datadog-forwarder-${each.key}-permission"
  principal    = "logs.${local.aws_region}.amazonaws.com"
  action       = "lambda:InvokeFunction"

  function_name = aws_lambda_function.forwarder_log[0].function_name
  # Restrict the Logs service principal to this specific log group in this
  # account and region.
  source_arn = "${local.arn_format}:logs:${local.aws_region}:${local.aws_account_id}:log-group:${each.value}:*"
}
resource "aws_cloudwatch_log_subscription_filter" "cloudwatch_log_subscription_filter" {
  for_each = local.lambda_enabled && var.forwarder_log_enabled ? var.cloudwatch_forwarder_log_groups : {}

  # The filter name only needs to be unique per log group, so the shared
  # label id is reused for every group. The group is referenced by name and
  # must already exist; it is not created in this file.
  name           = module.forwarder_log_label[0].id
  log_group_name = each.value

  destination_arn = aws_lambda_function.forwarder_log[0].arn
  # An empty pattern forwards every event in the group, unfiltered.
  filter_pattern = ""
}