Skip to content

Latest commit

 

History

History
336 lines (304 loc) · 56.2 KB

File metadata and controls

336 lines (304 loc) · 56.2 KB

AWS Datadog Forwarders Terraform module

Terraform module which creates resources to forward logs and metrics to Datadog on AWS.

The following resources are supported:

Please refer to the official Datadog datadog-serverless-functions for further information on the forwarder lambda functions, configuraion via environment variables, and integration with PrivateLink endpoints.

Security

There are several factors to keep in mind when working with and/or using this module that largely revolve around the decisions made based on security implications.

  1. Based on the functionality provided by the Datadog team at datadog-serverless-functions, the recommended approach for providing your Datadog API key is through AWS Secrets Manager. The creation of this secret is not facilitated by this module and should be created manually (or through some other means where the secret is not passed as plain text into Terraform as input).
    • Note: even though this is the recommended approach, the pattern used in the past of providing the DD_API_KEY as an environment variable is still supported by the module. Users are able to provde any and all environment variables to the forwarders through inputs (i.e. - log_forwarder_environment_variables) to configure the forwarders as desired. See settings.py for more details on what environment variables are supported to configure the forwarders.
  2. The use of a KMS key to encrypt/decrypt API and APP keys is required by the rds_enhanced_monitoring_forwarder and vpc_flow_log_forwarder modules/functions per the upstream source at datadog-serverless-functions. The creation of a KMS key has been left out of this module so that users are able to better manage their KMS CMK key (and therefore the policies and usage of said key) as they see fit without over-complicating this module.
  3. The roles and their permissions created by this module have several built in conditional checks in order to provide permission sets that allow the desired functionality while following the recommended approach of least privelege access. Nearly all attributes for the IAM roles and their permissions are accessible via inputs - even allowing users to provide their own IAM roles and/or policies to meet their organizational requirements.

Vendored Artifacts

Due to Terraform not dealing with dynamically created files, especially in ephemeral environments like CI/CD pipelines, the decision was made to vendor the Lambda function artifacts within the VPC Flow Log and RDS Enhanced Monitoring modules to avoid issues. When the upstream artifacts are hosted as zipped archives available on GitHub, similar to the Log Forwarder, then this vendoring hack will be removed in favor of pulling directly from the project. Ref Issue #374

Usage

See examples directory for working examples to reference:

# Note: you will need to create this secret manually prior to running
# This avoids having to pass the key to Terraform in plaintext
data "aws_secretsmanager_secret" "datadog_api_key" {
  name = "datadog/api_key"
}

module "datadog_forwarders" {
  source  = "terraform-aws-modules/datadog-forwarders/aws"

  kms_alias             = "alias/datadog" # KMS key will need to be created outside of module
  dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

Name Version
terraform >= 1.3
aws >= 5.0

Providers

Name Version
aws >= 5.0

Modules

Name Source Version
log_forwarder ./modules/log_forwarder n/a
rds_enhanced_monitoring_forwarder ./modules/rds_enhanced_monitoring_forwarder n/a
vpc_flow_log_forwarder ./modules/vpc_flow_log_forwarder n/a

Resources

Name Type
aws_vpc_endpoint.agent resource
aws_vpc_endpoint.api resource
aws_vpc_endpoint.log_forwarder resource
aws_vpc_endpoint.metrics resource
aws_vpc_endpoint.processes resource
aws_vpc_endpoint.traces resource

Inputs

Name Description Type Default Required
agent_vpce_policy Policy to attach to the agent endpoint that controls access to the service. Defaults to full access any null no
agent_vpce_security_group_ids IDs of security groups to attach to agent endpoint list(string) [] no
agent_vpce_subnet_ids IDs of subnets to associate with agent endpoint list(string) [] no
agent_vpce_tags A map of tags to apply to the Datadog agent endpoint map(string) {} no
api_vpce_policy Policy to attach to the API endpoint that controls access to the service. Defaults to full access any null no
api_vpce_security_group_ids IDs of security groups to attach to API endpoint list(string) [] no
api_vpce_subnet_ids IDs of subnets to associate with API endpoint list(string) [] no
api_vpce_tags A map of tags to apply to the API endpoint map(string) {} no
bucket_attach_deny_insecure_transport_policy Controls if S3 bucket should have deny non-SSL transport policy attacheds bool true no
bucket_encryption_settings S3 bucket server side encryption settings map(string)
{
"sse_algorithm": "AES256"
}
no
bucket_name Lambda artifact S3 bucket name string "" no
create_agent_vpce Controls whether an agent endpoint should be created bool false no
create_api_vpce Controls whether a API endpoint should be created bool false no
create_bucket Controls whether an S3 artifact bucket should be created. this is used for the zip archive as well as caching tags bool true no
create_log_forwarder Controls whether log forwarder resources should be created bool true no
create_log_forwarder_role Controls whether an IAM role is created for the log forwarder bool true no
create_log_forwarder_role_policy Controls whether an IAM role policy is created for the log forwarder bool true no
create_log_forwarder_vpce Controls whether a log forwarder endpoint should be created bool false no
create_metrics_vpce Controls whether a metrics VPC endpoint should be created bool false no
create_processes_vpce Controls whether a processes endpoint should be created bool false no
create_rds_em_forwarder Controls whether RDS enhanced monitoring forwarder resources should be created bool true no
create_rds_em_forwarder_role Controls whether an IAM role is created for the RDS enhanced monitoring forwarder bool true no
create_rds_em_forwarder_role_policy Controls whether an IAM role policy is created for the RDS enhanced monitoring forwarder bool true no
create_traces_vpce Controls whether a traces endpoint should be created bool false no
create_vpc_fl_forwarder Controls whether VPC flow log forwarder resources should be created bool true no
create_vpc_fl_forwarder_role Controls whether an IAM role is created for the VPC flow log forwarder bool true no
create_vpc_fl_forwarder_role_policy Controls whether an IAM role policy is created for the VPC flow log forwarder bool true no
dd_api_key The Datadog API key, which can be found from the APIs page (/account/settings#api). It will be stored in AWS Secrets Manager securely. If DdApiKeySecretArn is also set, this value will not be used. This value must still be set, however string "" no
dd_api_key_secret_arn The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager. You still need to set a dummy value for dd_api_key to satisfy the requirement, though that value won't be used string "" no
dd_app_key The Datadog application key associated with the user account that created it, which can be found from the APIs page string "" no
dd_site Define your Datadog Site to send data to. For the Datadog EU site, set to datadoghq.eu string "datadoghq.com" no
kms_alias Alias of KMS key used to encrypt the Datadog API keys - must start with alias/ string n/a yes
log_forwarder_architectures Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. Default is ["x86_64"] list(string)
[
"x86_64"
]
no
log_forwarder_bucket_prefix S3 object key prefix to prepend to zip archive name string "" no
log_forwarder_bucket_tags A map of tags to apply to the log forwarder bucket map(any) {} no
log_forwarder_environment_variables A map of environment variables for the log forwarder lambda function map(string) {} no
log_forwarder_kms_key_arn KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key string null no
log_forwarder_lambda_tags A map of tags to apply to the log forwarder lambda function map(string) {} no
log_forwarder_layers List of Lambda Layer Version ARNs (maximum of 5) to attach to the log forwarder lambda list(string) [] no
log_forwarder_log_kms_key_id The AWS KMS Key ARN to use for CloudWatch log group encryption string null no
log_forwarder_log_retention_days Log forwarder CloudWatch log group retention in days number 7 no
log_forwarder_memory_size Memory size for the log forwarder lambda function number 1024 no
log_forwarder_name Log forwarder lambda name string "datadog-log-forwarder" no
log_forwarder_policy_arn IAM policy arn for log forwarder lambda function to utilize string null no
log_forwarder_policy_name Log forwarder policy name string "" no
log_forwarder_policy_path Log forwarder policy path string null no
log_forwarder_publish Whether to publish creation/change as a new Lambda Function Version bool false no
log_forwarder_reserved_concurrent_executions The amount of reserved concurrent executions for the log forwarder lambda function number 100 no
log_forwarder_role_arn IAM role arn for log forwarder lambda function to utilize string null no
log_forwarder_role_max_session_duration The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours number null no
log_forwarder_role_name Log forwarder role name string "" no
log_forwarder_role_path Log forwarder role path string null no
log_forwarder_role_permissions_boundary The ARN of the policy that is used to set the permissions boundary for the log forwarder role string null no
log_forwarder_role_tags A map of tags to apply to the log forwarder role map(string) {} no
log_forwarder_runtime Lambda function runtime string "python3.11" no
log_forwarder_s3_log_bucket_arns S3 log buckets for forwarder to read and forward logs to Datadog list(string) [] no
log_forwarder_s3_zip_kms_key_id The AWS KMS Key ARN to use for object encryption string null no
log_forwarder_s3_zip_metadata A map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta- map(string) {} no
log_forwarder_s3_zip_server_side_encryption Server-side encryption of the zip object in S3. Valid values are AES256 and aws:kms string null no
log_forwarder_s3_zip_storage_class Specifies the desired Storage Class for the zip object. Can be either STANDARD, REDUCED_REDUNDANCY, ONEZONE_IA, INTELLIGENT_TIERING, or STANDARD_IA string null no
log_forwarder_s3_zip_tags A map of tags to apply to the zip archive in S3 map(string) {} no
log_forwarder_s3_zip_tags_only Set to true to not merge var.tags with log_forwarder_s3_zip_tags. Useful to avoid breaching S3 Object 10 tag limit bool false no
log_forwarder_security_group_ids List of security group ids when forwarder lambda function should run in the VPC list(string) null no
log_forwarder_subnet_ids List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets list(string) null no
log_forwarder_tags A map of tags to apply to the log forwarder resources map(string) {} no
log_forwarder_timeout The amount of time the log forwarder lambda has to execute in seconds number 120 no
log_forwarder_use_policy_name_prefix Whether to use unique name beginning with the specified policy_name for the log forwarder policy bool false no
log_forwarder_use_role_name_prefix Whether to use unique name beginning with the specified role_name for the log forwarder role bool false no
log_forwarder_version Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases string "3.130.0" no
log_forwarder_vpce_policy Policy to attach to the log forwarder endpoint that controls access to the service. Defaults to full access any null no
log_forwarder_vpce_security_group_ids IDs of security groups to attach to log forwarder endpoint list(string) [] no
log_forwarder_vpce_subnet_ids IDs of subnets to associate with log forwarder endpoint list(string) [] no
log_forwarder_vpce_tags A map of tags to apply to the log forwarder endpoint map(string) {} no
metrics_vpce_policy Policy to attach to the metrics endpoint that controls access to the service. Defaults to full access any null no
metrics_vpce_security_group_ids IDs of security groups to attach to metrics endpoint list(string) [] no
metrics_vpce_subnet_ids IDs of subnets to associate with metrics endpoint list(string) [] no
metrics_vpce_tags A map of tags to apply to the metrics endpoint map(string) {} no
processes_vpce_policy Policy to attach to the processes endpoint that controls access to the service. Defaults to full access any null no
processes_vpce_security_group_ids IDs of security groups to attach to processes endpoint list(string) [] no
processes_vpce_subnet_ids IDs of subnets to associate with processes endpoint list(string) [] no
processes_vpce_tags A map of tags to apply to the processes endpoint map(string) {} no
rds_em_forwarder_architectures Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. Default is ["x86_64"] list(string)
[
"x86_64"
]
no
rds_em_forwarder_environment_variables A map of environment variables for the RDS enhanced monitoring forwarder lambda function map(string) {} no
rds_em_forwarder_kms_key_arn KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key string null no
rds_em_forwarder_lambda_tags A map of tags to apply to the RDS enhanced monitoring forwarder lambda function map(string) {} no
rds_em_forwarder_layers List of Lambda Layer Version ARNs (maximum of 5) to attach to the RDS enhanced monitoring forwarder lambda list(string) [] no
rds_em_forwarder_log_kms_key_id The AWS KMS Key ARN to use for CloudWatch log group encryption string null no
rds_em_forwarder_log_retention_days RDS enhanced monitoring forwarder CloudWatch log group retention in days number 7 no
rds_em_forwarder_memory_size Memory size for the RDS enhanced monitoring forwarder lambda function number 256 no
rds_em_forwarder_name RDS enhanced monitoring forwarder lambda name string "datadog-rds-enhanced-monitoring-forwarder" no
rds_em_forwarder_policy_arn IAM policy arn for RDS enhanced monitoring forwarder lambda function to utilize string null no
rds_em_forwarder_policy_name RDS enhanced monitoring forwarder policy name string "" no
rds_em_forwarder_policy_path RDS enhanced monitoring forwarder policy path string null no
rds_em_forwarder_publish Whether to publish creation/change as a new fambda function Version bool false no
rds_em_forwarder_reserved_concurrent_executions The amount of reserved concurrent executions for the RDS enhanced monitoring forwarder lambda function number 10 no
rds_em_forwarder_role_arn IAM role arn for RDS enhanced monitoring forwarder lambda function to utilize string null no
rds_em_forwarder_role_max_session_duration The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours number null no
rds_em_forwarder_role_name RDS enhanced monitoring forwarder role name string "" no
rds_em_forwarder_role_path RDS enhanced monitoring forwarder role path string null no
rds_em_forwarder_role_permissions_boundary The ARN of the policy that is used to set the permissions boundary for the RDS enhanced monitoring forwarder role string null no
rds_em_forwarder_role_tags A map of tags to apply to the RDS enhanced monitoring forwarder role map(string) {} no
rds_em_forwarder_runtime Lambda function runtime string "python3.8" no
rds_em_forwarder_security_group_ids List of security group ids when forwarder lambda function should run in the VPC list(string) null no
rds_em_forwarder_subnet_ids List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets list(string) null no
rds_em_forwarder_tags A map of tags to apply to the RDS enhanced monitoring forwarder resources map(string) {} no
rds_em_forwarder_timeout The amount of time the RDS enhanced monitoring forwarder lambda has to execute in seconds number 10 no
rds_em_forwarder_use_policy_name_prefix Whether to use unique name beginning with the specified rds_em_forwarder_policy_name for the RDS enhanced monitoring forwarder role bool false no
rds_em_forwarder_use_role_name_prefix Whether to use unique name beginning with the specified rds_em_forwarder_role_name for the RDS enhanced monitoring forwarder role bool false no
rds_em_forwarder_version RDS enhanced monitoring lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases string "3.130.0" no
tags A map of tags to use on all resources map(string) {} no
traces_vpce_policy Policy to attach to the traces endpoint that controls access to the service. Defaults to full access any null no
traces_vpce_security_group_ids IDs of security groups to attach to traces endpoint list(string) [] no
traces_vpce_subnet_ids IDs of subnets to associate with traces endpoint list(string) [] no
traces_vpce_tags A map of tags to apply to the traces endpoint map(string) {} no
vpc_fl_forwarder_architectures Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. Default is ["x86_64"] list(string)
[
"x86_64"
]
no
vpc_fl_forwarder_environment_variables A map of environment variables for the VPC flow log forwarder lambda function map(string) {} no
vpc_fl_forwarder_kms_key_arn KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key string null no
vpc_fl_forwarder_lambda_tags A map of tags to apply to the VPC flow log forwarder lambda function map(string) {} no
vpc_fl_forwarder_layers List of Lambda Layer Version ARNs (maximum of 5) to attach to the VPC flow log forwarder lambda list(string) [] no
vpc_fl_forwarder_log_kms_key_id The AWS KMS Key ARN to use for CloudWatch log group encryption string null no
vpc_fl_forwarder_log_retention_days VPC flow log forwarder CloudWatch log group retention in days number 7 no
vpc_fl_forwarder_memory_size Memory size for the VPC flow log forwarder lambda function number 256 no
vpc_fl_forwarder_name VPC flow log forwarder lambda name string "datadog-vpc-flow-log-forwarder" no
vpc_fl_forwarder_policy_arn IAM policy arn for VPC flow log forwarder lambda function to utilize string null no
vpc_fl_forwarder_policy_name VPC flow log forwarder policy name string "" no
vpc_fl_forwarder_policy_path VPC flow log forwarder policy path string null no
vpc_fl_forwarder_publish Whether to publish creation/change as a new fambda function Version bool false no
vpc_fl_forwarder_read_cloudwatch_logs Whether the VPC flow log forwarder will read CloudWatch log groups for VPC flow logs bool false no
vpc_fl_forwarder_reserved_concurrent_executions The amount of reserved concurrent executions for the VPC flow log forwarder lambda function number 10 no
vpc_fl_forwarder_role_arn IAM role arn for VPC flow log forwarder lambda function to utilize string null no
vpc_fl_forwarder_role_max_session_duration The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours number null no
vpc_fl_forwarder_role_name VPC flow log forwarder role name string "" no
vpc_fl_forwarder_role_path VPC flow log forwarder role path string null no
vpc_fl_forwarder_role_permissions_boundary The ARN of the policy that is used to set the permissions boundary for the VPC flow log forwarder role string null no
vpc_fl_forwarder_role_tags A map of tags to apply to the VPC flow log forwarder role map(string) {} no
vpc_fl_forwarder_runtime Lambda function runtime string "python3.8" no
vpc_fl_forwarder_s3_log_bucket_arns S3 log buckets for VPC flow log forwarder to read and forward to Datadog list(string) [] no
vpc_fl_forwarder_security_group_ids List of security group ids when forwarder lambda function should run in the VPC list(string) null no
vpc_fl_forwarder_subnet_ids List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets list(string) null no
vpc_fl_forwarder_tags A map of tags to apply to the VPC flow log forwarder resources map(string) {} no
vpc_fl_forwarder_timeout The amount of time the VPC flow log forwarder lambda has to execute in seconds number 10 no
vpc_fl_forwarder_use_policy_name_prefix Whether to use unique name beginning with the specified vpc_fl_forwarder_policy_name for the VPC flow log forwarder role bool false no
vpc_fl_forwarder_use_role_name_prefix Whether to use unique name beginning with the specified vpc_fl_forwarder_role_name for the VPC flow log forwarder role bool false no
vpc_fl_forwarder_version VPC flow log lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases string "3.130.0" no
vpc_id ID of VPC to provision endpoints within string null no

Outputs

Name Description
agent_endpoint_arn ARN of the agent VPC endpoint
agent_endpoint_dns_entry DNS entries of the agent VPC endpoint
agent_endpoint_id ID of the agent VPC endpoint
agent_endpoint_network_interface_ids One or more network interfaces for the agent VPC endpoint
agent_endpoint_owner_id The ID of the AWS account that owns the agent VPC endpoint
agent_endpoint_state The state of the agent VPC endpoint
api_endpoint_arn ARN of the API VPC endpoint
api_endpoint_dns_entry DNS entries of the API VPC endpoint
api_endpoint_id ID of the API VPC endpoint
api_endpoint_network_interface_ids One or more network interfaces for API api VPC endpoint
api_endpoint_owner_id The ID of the AWS account that owns the API VPC endpoint
api_endpoint_state The state of the API VPC endpoint
log_forwarder_cloudwatch_log_group_arn The ARN of the log forwarder lambda function CloudWatch log group
log_forwarder_endpoint_arn ARN of the log forwarder VPC endpoint
log_forwarder_endpoint_dns_entry DNS entries of the log forwarder VPC endpoint
log_forwarder_endpoint_id ID of the log forwarder VPC endpoint
log_forwarder_endpoint_network_interface_ids One or more network interfaces for the log forwarder VPC endpoint
log_forwarder_endpoint_owner_id The ID of the AWS account that owns the log forwarder VPC endpoint
log_forwarder_endpoint_state The state of the log forwarder VPC endpoint
log_forwarder_lambda_arn The ARN of the log forwarder lambda function
log_forwarder_lambda_kms_key_arn (Optional) The ARN for the KMS encryption key for the log forwarder lambda function
log_forwarder_lambda_qualified_arn The ARN of the log forwarder lambda function (if versioning is enabled via publish = true)
log_forwarder_lambda_source_code_hash Base64-encoded representation of raw SHA-256 sum of the log forwarder zip file, provided either via filename or s3_* parameters
log_forwarder_lambda_version Latest published version of the log forwarder lambda function
log_forwarder_role_arn The log forwarder lambda role arn
log_forwarder_role_id The log forwarder lambda role id
log_forwarder_role_name The log forwarder lambda role name
log_forwarder_role_policy_arn The ARN of the log forwarder lambda role policy
log_forwarder_role_policy_id The ID of the log forwarder lambda role policy
log_forwarder_role_policy_name The name of the log forwarder lambda role policy
log_forwarder_role_unique_id The stable and unique string identifying the log forwarder lambda role
log_forwarder_s3_bucket_arn The ARN of the log forwarder bucket. Will be of format arn:aws:s3:::bucketname
log_forwarder_s3_bucket_domain_name The log forwarder bucket domain name. Will be of format bucketname.s3.amazonaws.com
log_forwarder_s3_bucket_id The name of the log forwarder bucket
log_forwarder_s3_bucket_regional_domain_name The log forwarder bucket region-specific domain name. The bucket domain name including the region name
log_forwarder_s3_object_etag The ETag generated for the log forwarder lambda zip object (an MD5 sum of the object content)
log_forwarder_s3_object_id The key of the log forwarder lambda zip archive
log_forwarder_s3_object_version A unique version ID value for the log forwarder lambda zip object, if bucket versioning is enabled
metrics_endpoint_arn ARN of the metrics VPC endpoint
metrics_endpoint_dns_entry DNS entries of the metrics VPC endpoint
metrics_endpoint_id ID of the metrics VPC endpoint
metrics_endpoint_network_interface_ids One or more network interfaces for the metrics VPC endpoint
metrics_endpoint_owner_id The ID of the AWS account that owns the metrics VPC endpoint
metrics_endpoint_state The state of the metrics VPC endpoint
processes_endpoint_arn ARN of the processes VPC endpoint
processes_endpoint_dns_entry DNS entries of the processes VPC endpoint
processes_endpoint_id ID of the processes VPC endpoint
processes_endpoint_network_interface_ids One or more network interfaces for the processes VPC endpoint
processes_endpoint_owner_id The ID of the AWS account that owns the processes VPC endpoint
processes_endpoint_state The state of the processes VPC endpoint
rds_em_forwarder_cloudwatch_log_group_arn The ARN of the RDS enhanced monitoring forwarder lambda function CloudWatch log group
rds_em_forwarder_lambda_arn The ARN of the RDS enhanced monitoring forwarder lambda function
rds_em_forwarder_lambda_kms_key_arn (Optional) The ARN for the KMS encryption key for the RDS enhanced monitoring forwarder lambda function
rds_em_forwarder_lambda_qualified_arn The ARN of the RDS enhanced monitoring forwarder lambda function (if versioning is enabled via publish = true)
rds_em_forwarder_lambda_source_code_hash Base64-encoded representation of raw SHA-256 sum of the RDS enhanced monitoring lambda forwarder zip file, provided either via filename or s3_* parameters
rds_em_forwarder_lambda_version Latest published version of the RDS enhanced monitoring forwarder lambda function
rds_em_forwarder_role_arn The RDS enhanced monitoring forwarder lambda role arn
rds_em_forwarder_role_id The RDS enhanced monitoring forwarder lambda role id
rds_em_forwarder_role_name The RDS enhanced monitoring forwarder lambda role name
rds_em_forwarder_role_policy_arn The ARN of the RDS enhanced monitoring forwarder lambda role policy
rds_em_forwarder_role_policy_id The ID of the RDS enhanced monitoring forwarder lambda role policy
rds_em_forwarder_role_policy_name The name of the RDS enhanced monitoring forwarder lambda role policy
rds_em_forwarder_role_unique_id The stable and unique string identifying the RDS enhanced monitoring forwarder lambda role.
traces_endpoint_arn ARN of the traces VPC endpoint
traces_endpoint_dns_entry DNS entries of the traces VPC endpoint
traces_endpoint_id ID of the traces VPC endpoint
traces_endpoint_network_interface_ids One or more network interfaces for the traces VPC endpoint
traces_endpoint_owner_id The ID of the AWS account that owns the traces VPC endpoint
traces_endpoint_state The state of the traces VPC endpoint
vpc_fl_forwarder_cloudwatch_log_group_arn The ARN of the VPC flow log forwarder lambda function CloudWatch log group
vpc_fl_forwarder_lambda_arn The ARN of the VPC flow log forwarder lambda function
vpc_fl_forwarder_lambda_kms_key_arn (Optional) The ARN for the KMS encryption key for the VPC flow log forwarder lambda function
vpc_fl_forwarder_lambda_qualified_arn The ARN of the VPC flow log forwarder lambda function (if versioning is enabled via publish = true)
vpc_fl_forwarder_lambda_source_code_hash Base64-encoded representation of raw SHA-256 sum of the VPC flow log forwarder lambda zip file, provided either via filename or s3_* parameters
vpc_fl_forwarder_lambda_version Latest published version of the VPC flow log forwarder lambda function
vpc_fl_forwarder_role_arn The VPC flow log forwarder lambda role arn
vpc_fl_forwarder_role_id The VPC flow log forwarder lambda role id
vpc_fl_forwarder_role_name The VPC flow log forwarder lambda role name
vpc_fl_forwarder_role_policy_arn The ARN of the VPC flow log forwarder lambda role policy
vpc_fl_forwarder_role_policy_id The ID of the VPC flow log forwarder lambda role policy
vpc_fl_forwarder_role_policy_name The name of the VPC flow log forwarder lambda role policy
vpc_fl_forwarder_role_unique_id The stable and unique string identifying the VPC flow log forwarder lambda role.

License

Apache-2.0 Licensed. See LICENSE.