Merge pull request #127 from dxw/datadog

DrizzlyOwl · web-flow · commit 12dc58b17373 · 2024-10-18T14:15:16.000+01:00
Datadog AWS integration
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ for dxw's Dalmatian hosting platform.
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.3 |
 | <a name="requirement_archive"></a> [archive](#requirement\_archive) | >= 2.4.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.11.0 |
+| <a name="requirement_datadog"></a> [datadog](#requirement\_datadog) | >= 3.46.0 |
 
 ## Providers
 
@@ -23,6 +24,7 @@ for dxw's Dalmatian hosting platform.
 | <a name="provider_archive"></a> [archive](#provider\_archive) | 2.6.0 |
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 5.70.0 |
 | <a name="provider_aws.useast1"></a> [aws.useast1](#provider\_aws.useast1) | 5.70.0 |
+| <a name="provider_datadog"></a> [datadog](#provider\_datadog) | >= 3.46.0 |
 
 ## Modules
 
@@ -46,17 +48,23 @@ for dxw's Dalmatian hosting platform.
 | [aws_iam_policy.cloudtrail_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cloudwatch_slack_alerts_logs_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.datadog_aws_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.datadog_aws_integration_resource_collection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.delete_default_resources_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.delete_default_resources_vpc_delete_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cloudtrail_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cloudwatch_slack_alerts_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.datadog_aws_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.delete_default_resources_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cloudtrail_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cloudwatch_slack_alerts_logs_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.datadog_aws_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.datadog_aws_integration_resource_collection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.datadog_aws_integration_security_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.delete_default_resources_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.delete_default_resources_vpc_delete_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -106,9 +114,11 @@ for dxw's Dalmatian hosting platform.
 | [aws_sns_topic_subscription.cloudwatch_opsgenie_alerts_subscription_us_east_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_sns_topic_subscription.cloudwatch_slack_alerts_lambda_subscription](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
 | [aws_ssm_service_setting.ssm_dhmc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_service_setting) | resource |
+| [datadog_integration_aws.aws](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws) | resource |
 | [archive_file.cloudwatch_slack_alerts_lambda](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [archive_file.delete_default_resources_lambda](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 
 ## Inputs
 
@@ -130,11 +140,15 @@ for dxw's Dalmatian hosting platform.
 | <a name="input_cloudwatch_slack_alerts_log_retention"></a> [cloudwatch\_slack\_alerts\_log\_retention](#input\_cloudwatch\_slack\_alerts\_log\_retention) | Cloudwatch Slack Alerts log retention. Set to 0 to keep all logs | `number` | n/a | yes |
 | <a name="input_codestar_connections"></a> [codestar\_connections](#input\_codestar\_connections) | CodeStar connections to create | <pre>map(<br/>    object({<br/>      provider_type = string,<br/>    })<br/>  )</pre> | n/a | yes |
 | <a name="input_custom_iam_roles"></a> [custom\_iam\_roles](#input\_custom\_iam\_roles) | Configure custom IAM roles/policies | <pre>map(object({<br/>    description = string<br/>    policies = map(object({<br/>      description = string<br/>      Version     = string<br/>      Statement = list(object({<br/>        Action   = list(string)<br/>        Effect   = string<br/>        Resource = string<br/>      }))<br/>    }))<br/>    assume_role_policy = object({<br/>      Version = string<br/>      Statement = list(object({<br/>        Action    = list(string)<br/>        Effect    = string<br/>        Principal = map(string)<br/>      }))<br/>    })<br/>  }))</pre> | n/a | yes |
+| <a name="input_datadog_api_key"></a> [datadog\_api\_key](#input\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes |
+| <a name="input_datadog_app_key"></a> [datadog\_app\_key](#input\_datadog\_app\_key) | Datadog App key | `string` | n/a | yes |
+| <a name="input_datadog_region"></a> [datadog\_region](#input\_datadog\_region) | Datadog region | `string` | n/a | yes |
 | <a name="input_delete_default_resources_lambda_kms_encryption"></a> [delete\_default\_resources\_lambda\_kms\_encryption](#input\_delete\_default\_resources\_lambda\_kms\_encryption) | Conditionally encrypt the Delete Default Resources Lambda logs with KMS | `bool` | n/a | yes |
 | <a name="input_delete_default_resources_log_retention"></a> [delete\_default\_resources\_log\_retention](#input\_delete\_default\_resources\_log\_retention) | Log retention for the Delete Default Resources Lambda | `number` | n/a | yes |
 | <a name="input_enable_cloudtrail"></a> [enable\_cloudtrail](#input\_enable\_cloudtrail) | Enable Cloudtrail | `bool` | n/a | yes |
 | <a name="input_enable_cloudwatch_opsgenie_alerts"></a> [enable\_cloudwatch\_opsgenie\_alerts](#input\_enable\_cloudwatch\_opsgenie\_alerts) | Enable CloudWatch Opsgenie alerts. This creates an SNS topic to which alerts and pipelines can send messages, which are then sent to the Opsgenie SNS endpoint. | `bool` | n/a | yes |
 | <a name="input_enable_cloudwatch_slack_alerts"></a> [enable\_cloudwatch\_slack\_alerts](#input\_enable\_cloudwatch\_slack\_alerts) | Enable CloudWatch Slack alerts. This creates an SNS topic to which alerts and pipelines can send messages, which are then picked up by a Lambda function that forwards them to a Slack webhook. | `bool` | n/a | yes |
+| <a name="input_enable_datadog_aws_integration"></a> [enable\_datadog\_aws\_integration](#input\_enable\_datadog\_aws\_integration) | Conditionally create the datadog AWS integration role (https://docs.datadoghq.com/integrations/guide/aws-terraform-setup/) and configure the datadog integration | `bool` | n/a | yes |
 | <a name="input_enable_delete_default_resources"></a> [enable\_delete\_default\_resources](#input\_enable\_delete\_default\_resources) | Creates a Lambda function which deletes all default VPCs and resources within them. This only needs to be ran once, either through the AWS console or via the AWS CLI | `bool` | n/a | yes |
 | <a name="input_enable_route53_root_hosted_zone"></a> [enable\_route53\_root\_hosted\_zone](#input\_enable\_route53\_root\_hosted\_zone) | Conditionally create Route53 hosted zone, which will contain the DNS records for resources launched within the account. | `bool` | n/a | yes |
 | <a name="input_enable_s3_tfvars"></a> [enable\_s3\_tfvars](#input\_enable\_s3\_tfvars) | enable\_s3\_tfvars | `bool` | n/a | yes |
diff --git a/data.tf b/data.tf
@@ -1 +1,5 @@
 data "aws_caller_identity" "current" {}
+
+data "aws_regions" "current" {
+  all_regions = true
+}
diff --git a/datadog-aws-integration.tf b/datadog-aws-integration.tf
@@ -0,0 +1,59 @@
+resource "aws_iam_role" "datadog_aws_integration" {
+  count = local.enable_datadog_aws_integration ? 1 : 0
+
+  name        = "${local.project_name_hash}-datadog-aws-integration"
+  description = "${local.project_name}-datadog-aws-integration"
+  assume_role_policy = templatefile(
+    "${path.root}/policies/assume-roles/external-id.json.tpl", {
+      iam_arns    = jsonencode(["arn:aws:iam::464622532012:root"]),
+      external_id = datadog_integration_aws.aws[0].external_id
+    }
+  )
+}
+
+resource "aws_iam_policy" "datadog_aws_integration" {
+  count = local.enable_datadog_aws_integration ? 1 : 0
+
+  name = "${local.project_name}-datadog-aws-integration"
+  policy = templatefile(
+    "${path.root}/policies/datadog-integration.json.tpl", {}
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
+  count = local.enable_datadog_aws_integration ? 1 : 0
+
+  role       = aws_iam_role.datadog_aws_integration[0].name
+  policy_arn = aws_iam_policy.datadog_aws_integration[0].arn
+}
+
+resource "aws_iam_policy" "datadog_aws_integration_resource_collection" {
+  count = local.enable_datadog_aws_integration ? 1 : 0
+
+  name = "${local.project_name}-datadog-aws-integration-resource-collection"
+  policy = templatefile(
+    "${path.root}/policies/datadog-integration-resource-collection.json.tpl", {}
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "datadog_aws_integration_resource_collection" {
+  count = local.enable_datadog_aws_integration ? 1 : 0
+
+  role       = aws_iam_role.datadog_aws_integration[0].name
+  policy_arn = aws_iam_policy.datadog_aws_integration_resource_collection[0].arn
+}
+
+resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
+  count = local.enable_datadog_aws_integration ? 1 : 0
+
+  role       = aws_iam_role.datadog_aws_integration[0].name
+  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
+}
+
+resource "datadog_integration_aws" "aws" {
+  count = local.enable_datadog_aws_integration ? 1 : 0
+
+  account_id       = local.aws_account_id
+  role_name        = "${local.project_name_hash}-datadog-aws-integration"
+  excluded_regions = local.datadog_resource_collection_excluded_regions
+}
diff --git a/locals.tf b/locals.tf
@@ -62,6 +62,20 @@ locals {
   cloudwatch_opsgenie_alerts_sns_kms_encryption = var.cloudwatch_opsgenie_alerts_sns_kms_encryption && local.enable_cloudwatch_opsgenie_alerts
   cloudwatch_opsgenie_alerts_sns_endpoint       = var.cloudwatch_opsgenie_alerts_sns_endpoint
 
+  datadog_api_key = var.datadog_api_key
+  datadog_app_key = var.datadog_app_key
+  datadog_region  = var.datadog_region
+  datadog_api_url = local.datadog_region != "" ? {
+    "US1"     = "https://api.datadoghq.com/",
+    "US3"     = "https://api.us3.datadoghq.com/",
+    "US5"     = "https://api.us5.datadoghq.com/",
+    "EU1"     = "https://api.datadoghq.eu/",
+    "US1-FED" = "https://api.ddog-gov.com/",
+    "AP1"     = "https://api.ap1.datadoghq.com/"
+  }[local.datadog_region] : "https://api.datadoghq.com/"
+  enable_datadog_aws_integration               = var.enable_datadog_aws_integration
+  datadog_resource_collection_excluded_regions = setsubtract(data.aws_regions.current.names, [local.aws_region, "us-east-1"])
+
   codestar_connections = var.codestar_connections
 
   enable_ssm_dhmc = var.enable_ssm_dhmc
diff --git a/policies/assume-roles/external-id.json.tpl b/policies/assume-roles/external-id.json.tpl
@@ -0,0 +1,18 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": ${iam_arns}
+      },
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${external_id}"
+        }
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
diff --git a/policies/datadog-integration-resource-collection.json.tpl b/policies/datadog-integration-resource-collection.json.tpl
@@ -0,0 +1,30 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "backup:ListRecoveryPointsByBackupVault",
+                "bcm-data-exports:GetExport",
+                "bcm-data-exports:ListExports",
+                "cassandra:Select",
+                "cur:DescribeReportDefinitions",
+                "ec2:GetSnapshotBlockPublicAccessState",
+                "glacier:GetVaultNotifications",
+                "glue:ListRegistries",
+                "lightsail:GetInstancePortStates",
+                "savingsplans:DescribeSavingsPlanRates",
+                "savingsplans:DescribeSavingsPlans",
+                "timestream:DescribeEndpoints",
+                "waf-regional:ListRuleGroups",
+                "waf-regional:ListRules",
+                "waf:ListRuleGroups",
+                "waf:ListRules",
+                "wafv2:GetIPSet",
+                "wafv2:GetRegexPatternSet",
+                "wafv2:GetRuleGroup"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}
diff --git a/policies/datadog-integration.json.tpl b/policies/datadog-integration.json.tpl
@@ -0,0 +1,92 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "apigateway:GET",
+                "autoscaling:Describe*",
+                "backup:List*",
+                "budgets:ViewBudget",
+                "cloudfront:GetDistributionConfig",
+                "cloudfront:ListDistributions",
+                "cloudtrail:DescribeTrails",
+                "cloudtrail:GetTrailStatus",
+                "cloudtrail:LookupEvents",
+                "cloudwatch:Describe*",
+                "cloudwatch:Get*",
+                "cloudwatch:List*",
+                "codedeploy:List*",
+                "codedeploy:BatchGet*",
+                "directconnect:Describe*",
+                "dynamodb:List*",
+                "dynamodb:Describe*",
+                "ec2:Describe*",
+                "ec2:GetTransitGatewayPrefixListReferences",
+                "ec2:SearchTransitGatewayRoutes",
+                "ecs:Describe*",
+                "ecs:List*",
+                "elasticache:Describe*",
+                "elasticache:List*",
+                "elasticfilesystem:DescribeFileSystems",
+                "elasticfilesystem:DescribeTags",
+                "elasticfilesystem:DescribeAccessPoints",
+                "elasticloadbalancing:Describe*",
+                "elasticmapreduce:List*",
+                "elasticmapreduce:Describe*",
+                "es:ListTags",
+                "es:ListDomainNames",
+                "es:DescribeElasticsearchDomains",
+                "events:CreateEventBus",
+                "fsx:DescribeFileSystems",
+                "fsx:ListTagsForResource",
+                "health:DescribeEvents",
+                "health:DescribeEventDetails",
+                "health:DescribeAffectedEntities",
+                "kinesis:List*",
+                "kinesis:Describe*",
+                "lambda:GetPolicy",
+                "lambda:List*",
+                "logs:DeleteSubscriptionFilter",
+                "logs:DescribeLogGroups",
+                "logs:DescribeLogStreams",
+                "logs:DescribeSubscriptionFilters",
+                "logs:FilterLogEvents",
+                "logs:PutSubscriptionFilter",
+                "logs:TestMetricFilter",
+                "oam:ListSinks",
+                "oam:ListAttachedLinks",
+                "organizations:Describe*",
+                "organizations:List*",
+                "rds:Describe*",
+                "rds:List*",
+                "redshift:DescribeClusters",
+                "redshift:DescribeLoggingStatus",
+                "route53:List*",
+                "s3:GetBucketLogging",
+                "s3:GetBucketLocation",
+                "s3:GetBucketNotification",
+                "s3:GetBucketTagging",
+                "s3:ListAllMyBuckets",
+                "s3:PutBucketNotification",
+                "ses:Get*",
+                "sns:List*",
+                "sns:Publish",
+                "sns:GetSubscriptionAttributes",
+                "sqs:ListQueues",
+                "states:ListStateMachines",
+                "states:DescribeStateMachine",
+                "support:DescribeTrustedAdvisor*",
+                "support:RefreshTrustedAdvisorCheck",
+                "tag:GetResources",
+                "tag:GetTagKeys",
+                "tag:GetTagValues",
+                "wafv2:ListLoggingConfigurations",
+                "wafv2:GetLoggingConfiguration",
+                "xray:BatchGetTraces",
+                "xray:GetTraceSummaries"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}
diff --git a/providers.tf b/providers.tf
@@ -14,3 +14,10 @@ provider "aws" {
     tags = local.default_tags
   }
 }
+
+provider "datadog" {
+  api_key  = local.datadog_api_key
+  app_key  = local.datadog_app_key
+  validate = local.datadog_api_key != "" && local.datadog_app_key != ""
+  api_url  = local.datadog_api_url
+}
diff --git a/variables.tf b/variables.tf
@@ -167,6 +167,28 @@ variable "logging_bucket_retention" {
   type        = number
 }
 
+variable "datadog_api_key" {
+  description = "Datadog API key"
+  type        = string
+  sensitive   = true
+}
+
+variable "datadog_app_key" {
+  description = "Datadog App key"
+  type        = string
+  sensitive   = true
+}
+
+variable "datadog_region" {
+  description = "Datadog region"
+  type        = string
+}
+
+variable "enable_datadog_aws_integration" {
+  description = "Conditionally create the datadog AWS integration role (https://docs.datadoghq.com/integrations/guide/aws-terraform-setup/) and configure the datadog integration"
+  type        = bool
+}
+
 variable "custom_iam_roles" {
   type = map(object({
     description = string
diff --git a/versions.tf b/versions.tf
@@ -9,5 +9,9 @@ terraform {
       source  = "hashicorp/archive"
       version = ">= 2.4.0"
     }
+    datadog = {
+      source  = "DataDog/datadog"
+      version = ">= 3.46.0"
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -14,3 +14,10 @@ provider "aws" {`
`14`	`14`	`tags = local.default_tags`
`15`	`15`	`}`
`16`	`16`	`}`
	`17`	`+`
	`18`	`+provider "datadog" {`
	`19`	`+ api_key = local.datadog_api_key`
	`20`	`+ app_key = local.datadog_app_key`
	`21`	`+ validate = local.datadog_api_key != "" && local.datadog_app_key != ""`
	`22`	`+ api_url = local.datadog_api_url`
	`23`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,9 @@ terraform {`
`9`	`9`	`source = "hashicorp/archive"`
`10`	`10`	`version = ">= 2.4.0"`
`11`	`11`	`}`
	`12`	`+ datadog = {`
	`13`	`+ source = "DataDog/datadog"`
	`14`	`+ version = ">= 3.46.0"`
	`15`	`+ }`
`12`	`16`	`}`
`13`	`17`	`}`