terraform-aws-datadog


Creates and manages a Datadog AWS integration. The module performs the necessary configuration on both the Datadog and the AWS side, so it uses a provider for each. Supported features include:

  • AWS Health event forwarding
  • CloudTrail log forwarding
  • Cost and Usage report configuration
  • GuardDuty finding forwarding
  • Main log index configuration
  • RDS enhanced monitoring
  • Usage anomaly detection

Requirements

  • Datadog Terraform provider
  • Datadog API key (and application key, as in the example below)

Example

This configures a Datadog integration with the log forwarder installed and configured to ingest logs from Lambda only. The aws provider must be configured as well, since the module creates resources in both systems.

```hcl
provider "datadog" {
  api_key = var.datadog_api_key
  app_key = var.datadog_app_key
}

module "datadog" {
  source = "rhythmictech/datadog/aws"

  name                  = "datadog-integration"
  install_log_forwarder = true
  log_forwarder_sources = ["lambda"]
}
```

About

By default the module installs the Datadog log forwarder. It can also optionally install the RDS Enhanced Monitoring metrics forwarder.

RDS Metrics

RDS metric capture requires an additional Lambda. The module fetches that Lambda's code directly from the Datadog repository where it is actively developed (the `http_http.rds_enhanced_monitoring` data source and `archive_file.rds_enhanced_monitoring` listed under Resources), so the code is downloaded at plan/apply time rather than vendored into the module. You can pin the version with `rds_enhanced_monitoring_forwarder_version`, but the module is only tested against the default version.

Example adding RDS metrics forwarding and log forwarding for an existing RDS instance's PostgreSQL log group. The Lambda permission and subscription filter below are written out by hand; the module can also wire them up itself when the log group is listed in `forward_log_groups`.

```hcl
# Adopt the existing RDS log group into state (import blocks need Terraform >= 1.5).
import {
  to = aws_cloudwatch_log_group.rds_group
  id = "/aws/rds/instance/production-db/postgresql"
}

resource "aws_cloudwatch_log_group" "rds_group" {
  name              = "/aws/rds/instance/production-db/postgresql"
  retention_in_days = 14
}

# Allow CloudWatch Logs to invoke the forwarder for this log group only.
resource "aws_lambda_permission" "cloudwatch" {
  statement_id  = "datadog-forwarder-RDSCloudWatchLogsPermission"
  action        = "lambda:InvokeFunction"
  # The last ":"-separated component of the forwarder ARN is the function name.
  function_name = reverse(split(":", module.datadog.lambda_arn_forwarder))[0]
  principal     = "logs.amazonaws.com"
  # Replace the region and account ID with your own.
  source_arn    = "arn:aws:logs:us-east-1:0123456789012:log-group:/aws/rds/instance/production-db/postgresql:*"
}

resource "aws_cloudwatch_log_subscription_filter" "rds_log_forwarding" {
  name            = "production-db"
  log_group_name  = "/aws/rds/instance/production-db/postgresql"
  filter_pattern  = "" # empty pattern forwards every event
  destination_arn = module.datadog.lambda_arn_forwarder
}

module "datadog" {
  source = "rhythmictech/datadog/aws"

  name                            = "datadog-integration"
  enable_cspm_resource_collection = true
  install_log_forwarder           = true
  # Module input that installs the RDS Enhanced Monitoring Lambda (see Inputs).
  enable_rds_enhanced_monitoring_lambda = true
  log_forwarder_sources                 = ["lambda"]
  tags                                  = local.tags # local.tags is assumed to be defined elsewhere
}
```


Requirements

| Name | Version |
|---|---|
| terraform | ~> 1.5 |
| archive | >= 2.2.0 |
| aws | >= 4.62 |
| datadog | >= 3.37 |
| http | >= 3.4 |
| null | >= 3.1.0 |
| time | >= 0.12 |

Providers

| Name | Version |
|---|---|
| archive | 2.4.2 |
| aws | 5.39.1 |
| datadog | 3.37.0 |
| http | 3.4.2 |
| null | 3.2.2 |
| time | 0.12.1 |

Modules

| Name | Source | Version |
|---|---|---|
| tags | rhythmictech/tags/terraform | ~> 1.1 |

Resources

| Name | Type |
|---|---|
| aws_cloudformation_stack.datadog_forwarder | resource |
| aws_cloudwatch_event_rule.awshealth | resource |
| aws_cloudwatch_event_rule.guardduty | resource |
| aws_cloudwatch_event_rule.securityhub_to_datadog | resource |
| aws_cloudwatch_event_target.awshealth | resource |
| aws_cloudwatch_event_target.guardduty | resource |
| aws_cloudwatch_event_target.securityhub_to_datadog | resource |
| aws_cloudwatch_log_subscription_filter.cloudwatch_logs | resource |
| aws_cloudwatch_log_subscription_filter.rds_enhanced_monitoring | resource |
| aws_cur_report_definition.cur | resource |
| aws_iam_access_key.datadog | resource |
| aws_iam_policy.datadog | resource |
| aws_iam_policy.datadog_cost_policy | resource |
| aws_iam_policy.rds_enhanced_monitoring | resource |
| aws_iam_role.datadog | resource |
| aws_iam_role.rds_enhanced_monitoring | resource |
| aws_iam_role_policy_attachment.cspm | resource |
| aws_iam_role_policy_attachment.datadog | resource |
| aws_iam_role_policy_attachment.datadog_cost_policy | resource |
| aws_iam_role_policy_attachment.rds_enhanced_monitoring | resource |
| aws_iam_user.datadog | resource |
| aws_iam_user_policy_attachment.cspm_user | resource |
| aws_iam_user_policy_attachment.datadog | resource |
| aws_lambda_function.rds_enhanced_monitoring | resource |
| aws_lambda_permission.awshealth_trigger | resource |
| aws_lambda_permission.bucket_trigger | resource |
| aws_lambda_permission.cloudwatch_logs | resource |
| aws_lambda_permission.guardduty_trigger | resource |
| aws_lambda_permission.securityhub_trigger | resource |
| aws_s3_bucket.local_cur | resource |
| aws_s3_bucket_lifecycle_configuration.local_cur | resource |
| aws_s3_bucket_notification.bucket_notification | resource |
| aws_s3_bucket_policy.local_cur | resource |
| aws_s3_bucket_public_access_block.local_cur | resource |
| aws_s3_bucket_server_side_encryption_configuration.local_cur | resource |
| aws_s3_bucket_versioning.local_cur | resource |
| aws_secretsmanager_secret.datadog | resource |
| aws_secretsmanager_secret_version.datadog | resource |
| datadog_api_key.datadog | resource |
| datadog_integration_aws.datadog | resource |
| datadog_integration_aws_lambda_arn.datadog_forwarder | resource |
| datadog_integration_aws_log_collection.datadog_forwarder | resource |
| datadog_logs_custom_pipeline.health | resource |
| datadog_logs_index.main | resource |
| datadog_monitor.anomaly_usage | resource |
| datadog_monitor.forecast_usage | resource |
| null_resource.rds_enhanced_monitoring | resource |
| time_sleep.wait_datadog_forwarder | resource |
| archive_file.rds_enhanced_monitoring | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume | data source |
| aws_iam_policy_document.datadog_cost_policy | data source |
| aws_iam_policy_document.local_cur | data source |
| aws_iam_policy_document.rds_enhanced_monitoring | data source |
| aws_iam_policy_document.rds_enhanced_monitoring_assume | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| http_http.rds_enhanced_monitoring | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_method | Access method to use for the Datadog integration (recommended not to change unless using GovCloud or China regions; must be either `user` or `role`) | string | `"role"` | no |
| cur_bucket_suffix | Suffix to append to the CUR bucket name (`[ACCOUNT_ID]-[REGION]-[cur_bucket_suffix]`) | string | `"datadog-cur-data"` | no |
| datadog_account_id | Datadog AWS account ID (should not need to be changed) | string | `"464622532012"` | no |
| datadog_site_name | Datadog site (e.g., datadoghq.com) | string | `"datadoghq.com"` | no |
| enable_cspm_resource_collection | Whether Datadog collects cloud security posture management resources from your AWS account. This includes additional resources not covered under the general resource collection. | bool | `false` | no |
| enable_cur_collection | Configure a Cost and Usage Reporting export (uses legacy CUR) suitable for ingestion by Datadog. This does not fully configure Datadog due to lack of Terraform support, but does do everything on the AWS side to prepare for enabling cost monitoring in Datadog. | bool | `false` | no |
| enable_estimated_usage_detection | Enable estimated usage anomaly and forecast monitoring | bool | `false` | no |
| enable_guardduty_notifications | Send GuardDuty notifications to Datadog (install_log_forwarder must be true). This routes GuardDuty events to the log forwarder. GuardDuty events can also be received as a Datadog Event through Cloud Security Monitoring. | bool | `true` | no |
| enable_health_notifications | Send AWS Health notifications to Datadog (install_log_forwarder must be true). This routes AWS Health events to the log forwarder. Health events can also be received as a Datadog Event through the AWS Health integration. | bool | `true` | no |
| enable_rds_enhanced_monitoring_lambda | Install the RDS Enhanced Monitoring Lambda | bool | `false` | no |
| enable_resource_collection | Enable or disable resource collection | bool | `true` | no |
| enable_securityhub_notifications | Send Security Hub notifications to Datadog (install_log_forwarder must be true). This routes Security Hub events to the log forwarder. | bool | `false` | no |
| estimated_usage_anomaly_message | Message for usage anomaly alerts | string | `"Datadog usage anomaly detected"` | no |
| estimated_usage_detection_config | Map of usage types to monitor. | map(any) | `{}` | no |
| estimated_usage_detection_default_config | Map of default usage monitoring settings for each metric type. All are disabled by default. Use usage_anomaly_services to enable services and alternately override default settings | map(object({...})), see below | see below | no |
| forward_buckets | Bucket(s) to collect logs from (using object notifications) | list(string) | `[]` | no |
| forward_log_groups | CloudWatch Log Group names to collect logs from (using filter subscriptions) | list(string) | `[]` | no |
| install_log_forwarder | Controls whether the log forwarder Lambda should be installed | bool | `true` | no |
| integration_default_namespace_rules | Set all services to disabled by default. | map(bool) | see below | no |
| integration_excluded_regions | Regions to exclude from Datadog monitoring | list(string) | `[]` | no |
| integration_filter_tags | Tags to filter EC2 instances on (see https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws) | list(string) | `[]` | no |
| integration_host_tags | Tags to apply to instances (see https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws) | list(string) | `[]` | no |
| integration_namespace_rules | Map of AWS services to allow in the integration. Defaults to none. | map(bool) | `{}` | no |
| log_forwarder_sources | List of services to automatically ingest all logs from (see https://docs.datadoghq.com/api/latest/aws-logs-integration/#get-list-of-aws-log-ready-services) | list(string) | `[]` | no |
| logs_main_index_daily_limit | Daily log limit for the main index (only used if logs_manage_main_index == true) | number | `null` | no |
| logs_main_index_daily_limit_reset_offset | The reset time timezone offset for the daily limit of the main logs index (specify as +HH:MM or -HH:MM) | string | `"+00:00"` | no |
| logs_main_index_daily_limit_reset_time | The reset time for the daily limit of the main logs index (specify as HH:MM) | string | `"00:00"` | no |
| logs_main_index_daily_limit_warn_threshold | Warning threshold for daily log volume for the main index (only used if logs_manage_main_index == true) | number | `0.9` | no |
| logs_main_index_exclusion_filters | A list of maps defining exclusion filters for the main index | list(object({...})), see below | `[]` | no |
| logs_main_index_retention_days | The number of days to retain logs in the main index (only used if logs_manage_main_index == true) | number | `15` | no |
| logs_manage_main_index | A boolean flag to manage the main Datadog logs index | bool | `false` | no |
| name | Moniker to apply to all resources in the module | string | n/a | yes |
| rds_enhanced_monitoring_forwarder_version | Version of the Datadog RDS Enhanced Monitoring Lambda to use (the module is only tested against the default version) | string | `"3.103.0"` | no |
| tags | User-defined tags | map(string) | `{}` | no |
| use_full_permissions | Controls whether Datadog is given full permissions or core permissions. Generally you want full. | bool | `true` | no |

Type of `estimated_usage_detection_default_config`:

```hcl
map(object({
  anomaly_enabled       = bool
  anomaly_span          = string
  anomaly_threshold     = number
  anomaly_window        = string
  anomaly_deviations    = number
  anomaly_seasonality   = string
  anomaly_rollup        = number
  forecast_enabled      = bool
  forecast_deviations   = number
  forecast_rollup_type  = string
  forecast_rollup_value = number
  forecast_threshold    = number
}))
```

Default of `estimated_usage_detection_default_config`:

```json
{
  "hosts": {
    "anomaly_deviations": 1,
    "anomaly_enabled": false,
    "anomaly_rollup": 600,
    "anomaly_seasonality": "daily",
    "anomaly_span": "last_1d",
    "anomaly_threshold": 0.15,
    "anomaly_window": "last_1h",
    "forecast_deviations": 1,
    "forecast_enabled": false,
    "forecast_rollup_type": "avg",
    "forecast_rollup_value": 300,
    "forecast_threshold": 1000
  },
  "logs_indexed": {
    "anomaly_deviations": 2,
    "anomaly_enabled": false,
    "anomaly_rollup": 60,
    "anomaly_seasonality": "hourly",
    "anomaly_span": "last_1d",
    "anomaly_threshold": 0.15,
    "anomaly_window": "last_1h",
    "forecast_deviations": 1,
    "forecast_enabled": false,
    "forecast_rollup_type": "sum",
    "forecast_rollup_value": 86400,
    "forecast_threshold": 1000
  },
  "logs_ingested": {
    "anomaly_deviations": 2,
    "anomaly_enabled": false,
    "anomaly_rollup": 60,
    "anomaly_seasonality": "hourly",
    "anomaly_span": "last_1d",
    "anomaly_threshold": 0.15,
    "anomaly_window": "last_1h",
    "forecast_deviations": 1,
    "forecast_enabled": false,
    "forecast_rollup_type": "sum",
    "forecast_rollup_value": 86400,
    "forecast_threshold": 1000
  }
}
```

Default of `integration_default_namespace_rules` (every namespace disabled; enable the ones you need through `integration_namespace_rules`):

```json
{
  "api_gateway": false,
  "application_elb": false,
  "apprunner": false,
  "appstream": false,
  "appsync": false,
  "athena": false,
  "auto_scaling": false,
  "backup": false,
  "bedrock": false,
  "billing": false,
  "budgeting": false,
  "certificatemanager": false,
  "cloudfront": false,
  "cloudhsm": false,
  "cloudsearch": false,
  "cloudwatch_events": false,
  "cloudwatch_logs": false,
  "codebuild": false,
  "codewhisperer": false,
  "cognito": false,
  "collect_custom_metrics": false,
  "connect": false,
  "crawl_alarms": false,
  "directconnect": false,
  "dms": false,
  "documentdb": false,
  "dynamodb": false,
  "dynamodbaccelerator": false,
  "ebs": false,
  "ec2": false,
  "ec2api": false,
  "ec2spot": false,
  "ecr": false,
  "ecs": false,
  "efs": false,
  "elasticache": false,
  "elasticbeanstalk": false,
  "elasticinference": false,
  "elastictranscoder": false,
  "elb": false,
  "emr": false,
  "es": false,
  "firehose": false,
  "fsx": false,
  "gamelift": false,
  "globalaccelerator": false,
  "glue": false,
  "inspector": false,
  "iot": false,
  "keyspaces": false,
  "kinesis": false,
  "kinesis_analytics": false,
  "kms": false,
  "lambda": false,
  "lex": false,
  "mediaconnect": false,
  "mediaconvert": false,
  "medialive": false,
  "mediapackage": false,
  "mediastore": false,
  "mediatailor": false,
  "memorydb": false,
  "ml": false,
  "mq": false,
  "msk": false,
  "mwaa": false,
  "nat_gateway": false,
  "neptune": false,
  "network_elb": false,
  "networkfirewall": false,
  "networkmonitor": false,
  "opsworks": false,
  "polly": false,
  "privatelinkendpoints": false,
  "privatelinkservices": false,
  "rds": false,
  "rdsproxy": false,
  "redshift": false,
  "rekognition": false,
  "route53": false,
  "route53resolver": false,
  "s3": false,
  "s3storagelens": false,
  "sagemaker": false,
  "sagemakerendpoints": false,
  "sagemakerlabelingjobs": false,
  "sagemakermodelbuildingpipeline": false,
  "sagemakerprocessingjobs": false,
  "sagemakertrainingjobs": false,
  "sagemakertransformjobs": false,
  "sagemakerworkteam": false,
  "service_quotas": false,
  "ses": false,
  "shield": false,
  "sns": false,
  "sqs": false,
  "step_functions": false,
  "storage_gateway": false,
  "swf": false,
  "textract": false,
  "transitgateway": false,
  "translate": false,
  "trusted_advisor": false,
  "usage": false,
  "vpn": false,
  "waf": false,
  "wafv2": false,
  "workspaces": false,
  "xray": false
}
```

Type of `logs_main_index_exclusion_filters`:

```hcl
list(object({
  name       = string
  is_enabled = bool
  filter = object({
    query       = string
    sample_rate = number
  })
}))
```
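As an added example that is not part of the module's README, the following configuration exercises the security-relevant inputs above together: a role-based integration scoped to an allow-list of namespaces and regions, the forwarder with the GuardDuty, AWS Health and Security Hub switches (all of which require `install_log_forwarder`), a capped main index with an exclusion filter in the documented object shape, and usage anomaly detection. It assumes the providers are configured as in the Example section; the log group name, the excluded region, the exclusion-filter query and the assumption that `estimated_usage_detection_config` overrides the per-type defaults are not from the page.

```hcl
module "datadog" {
  source = "rhythmictech/datadog/aws"

  name          = "datadog-integration"
  access_method = "role" # cross-account role; "user" is only for GovCloud/China regions

  # Allow-list only the namespaces actually needed; everything else stays
  # disabled through integration_default_namespace_rules.
  integration_namespace_rules = {
    cloudwatch_logs = true
    lambda          = true
    rds             = true
  }
  integration_excluded_regions = ["us-west-1"] # assumed: a region this account does not use

  # The three notification switches below all require the log forwarder.
  install_log_forwarder            = true
  log_forwarder_sources            = ["lambda"]
  forward_log_groups               = ["/aws/lambda/payments-api"] # assumed log group name
  enable_guardduty_notifications   = true
  enable_health_notifications      = true
  enable_securityhub_notifications = true

  # Cap the main index so one noisy source cannot burn the daily budget,
  # and exclude high-volume, low-value events before they are indexed.
  logs_manage_main_index                     = true
  logs_main_index_retention_days             = 15
  logs_main_index_daily_limit                = 2000000
  logs_main_index_daily_limit_warn_threshold = 0.8
  logs_main_index_exclusion_filters = [{
    name       = "drop-elb-healthchecks"
    is_enabled = true
    filter = {
      query       = "source:elb @http.url_details.path:/healthz" # assumed query
      sample_rate = 1.0 # exclude all matching events
    }
  }]

  # Keys mirror estimated_usage_detection_default_config; assumed to override
  # the defaults for the listed usage types only.
  enable_estimated_usage_detection = true
  estimated_usage_detection_config = {
    logs_ingested = { anomaly_enabled = true }
  }
}
```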

Outputs

| Name | Description |
|---|---|
| iam_role_datadog | IAM role assumed by Datadog resources |
| iam_user_datadog | IAM user accessed by Datadog resources (when access_method == user) |
| lambda_arn_forwarder | Datadog Lambda Forwarder ARN |
