Datadog upgrades #814

Merged
merged 10 commits into from Aug 17, 2023
2 changes: 1 addition & 1 deletion modules/datadog-configuration/README.md
Expand Up @@ -77,7 +77,7 @@ provider "datadog" {
|------|--------|---------|
| <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a |
| <a name="module_iam_roles_datadog_secrets"></a> [iam\_roles\_datadog\_secrets](#module\_iam\_roles\_datadog\_secrets) | ../account-map/modules/iam-roles | n/a |
| <a name="module_store_write"></a> [store\_write](#module\_store\_write) | cloudposse/ssm-parameter-store/aws | 0.11.0 |
| <a name="module_store_write"></a> [store\_write](#module\_store\_write) | cloudposse/ssm-parameter-store/aws | 0.10.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |

## Resources
4 changes: 2 additions & 2 deletions modules/datadog-configuration/main.tf
Expand Up @@ -4,8 +4,8 @@ locals {
ssm_enabled = local.enabled && var.datadog_secrets_store_type == "SSM"

# https://docs.datadoghq.com/account_management/api-app-keys/
datadog_api_key = var.datadog_secrets_store_type == "ASM" ? data.aws_secretsmanager_secret_version.datadog_api_key[0].secret_string : data.aws_ssm_parameter.datadog_api_key[0].value
datadog_app_key = var.datadog_secrets_store_type == "ASM" ? data.aws_secretsmanager_secret_version.datadog_app_key[0].secret_string : data.aws_ssm_parameter.datadog_app_key[0].value
datadog_api_key = local.asm_enabled ? data.aws_secretsmanager_secret_version.datadog_api_key[0].secret_string : local.ssm_enabled ? data.aws_ssm_parameter.datadog_api_key[0].value : ""
datadog_app_key = local.asm_enabled ? data.aws_secretsmanager_secret_version.datadog_app_key[0].secret_string : local.ssm_enabled ? data.aws_ssm_parameter.datadog_app_key[0].value : ""

datadog_site = coalesce(var.datadog_site_url, "datadoghq.com")
datadog_api_url = format("https://api.%s", local.datadog_site)
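Review bot: the new `""` fallback on the `datadog_api_key` and `datadog_app_key` lines silently hands the Datadog provider empty credentials whenever neither `local.asm_enabled` nor `local.ssm_enabled` is true. That is the right outcome for `enabled = false`, but it also hides a misconfigured `var.datadog_secrets_store_type` (any value other than `ASM` or `SSM`) until the provider fails at apply time. Suggest a `validation` block on `datadog_secrets_store_type` restricting it to `ASM`/`SSM` so a typo fails at plan time. Note also that `local.asm_enabled` is not defined in the visible lines; presumably it mirrors the `ssm_enabled` expression at the top of this hunk.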
Expand Up @@ -63,8 +63,6 @@ provider "datadog" {
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_global_environment_name"></a> [global\_environment\_name](#input\_global\_environment\_name) | Global environment name | `string` | `"gbl"` | no |
| <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
| <a name="input_import_profile_name"></a> [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no |
| <a name="input_import_role_arn"></a> [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no |
| <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
| <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
| <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
20 changes: 5 additions & 15 deletions modules/datadog-configuration/modules/datadog_keys/providers.tf
Expand Up @@ -2,12 +2,14 @@ provider "aws" {
region = module.datadog_configuration.outputs.region
alias = "dd_api_keys"

profile = module.iam_roles.profiles_enabled ? coalesce(var.import_profile_name, module.iam_roles.terraform_profile_name) : null
# Profile is deprecated in favor of terraform_role_arn. When profiles are not in use, terraform_profile_name is null.
profile = module.iam_roles.terraform_profile_name

dynamic "assume_role" {
for_each = module.iam_roles.profiles_enabled ? [] : ["role"]
# module.iam_roles.terraform_role_arn may be null, in which case do not assume a role.
for_each = compact([module.iam_roles.terraform_role_arn])
content {
role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
role_arn = assume_role.value
}
}
}
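Review bot: `for_each = compact([module.iam_roles.terraform_role_arn])` relies on `compact()` dropping `null` elements as well as empty strings; that holds on current Terraform releases, but it is worth confirming against the `required_version` this component pins, since the comment above the `for_each` line depends on it. Dropping the `var.import_role_arn` and `var.import_profile_name` overrides is a welcome tightening: the role assumed by the `dd_api_keys` provider alias is now determined solely by `module.iam_roles` rather than by an ad hoc ARN passed at plan time. The one behavioural consequence to document is that when `terraform_role_arn` is null the `assume_role` block is omitted entirely and the provider runs with whatever ambient AWS credentials the caller already has.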
Expand All @@ -16,15 +18,3 @@ module "iam_roles" {
source = "../../../account-map/modules/iam-roles"
context = module.this.context
}

variable "import_profile_name" {
type = string
default = null
description = "AWS Profile name to use when importing a resource"
}

variable "import_role_arn" {
type = string
default = null
description = "IAM Role ARN to use when importing a resource"
}
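Review bot: deleting `variable "import_profile_name"` and `variable "import_role_arn"` is a breaking change for any stack configuration that still sets them (Terraform rejects unsupported arguments), yet this PR adds CHANGELOG entries only for `datadog-integration` and `datadog-lambda-forwarder`. Suggest a `modules/datadog-configuration/CHANGELOG.md` entry naming the two removed inputs and the replacement behaviour (role selection via `module.iam_roles` only).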
2 changes: 1 addition & 1 deletion modules/datadog-configuration/ssm.tf
Expand Up @@ -27,7 +27,7 @@ data "aws_ssm_parameter" "datadog_app_key" {

module "store_write" {
source = "cloudposse/ssm-parameter-store/aws"
version = "0.11.0"
version = "0.10.0"

parameter_write = [
{
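Review bot: `version = "0.11.0"` becomes `"0.10.0"` here, a downgrade in a PR titled as an upgrade, while the same `cloudposse/ssm-parameter-store/aws` module stays pinned at `0.11.0` in `modules/datadog-integration/main.tf` and its README. If the downgrade is intentional (for example a regression in 0.11.0), record the reason in a comment beside the pin or in a CHANGELOG entry; otherwise the two components should pin the same release.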
22 changes: 22 additions & 0 deletions modules/datadog-integration/CHANGELOG.md
@@ -0,0 +1,22 @@
## PR [#814](https://github.com/cloudposse/terraform-aws-components/pull/814)

### Possible Breaking Change

The `module "datadog_integration"` and `module "store_write"` had been changed
in an earlier PR from a module without a `count`
to a module with a `count` of zero or one. This PR changes it back to a module
without a count. If you were using the module with a `count` of zero or one,
applying this new version will cause it be destroyed and recreated. This should only
cause a very brief outage in your Datadog monitoring.

### New Integration Options

This PR adds the following new integration options:

- `cspm_resource_collection_enabled` - Enable Datadog Cloud Security Posture Management scanning of your AWS account. See [announcement](https://www.datadoghq.com/product/cloud-security-management/cloud-security-posture-management/) for details.
- `metrics_collection_enabled` - When enabled, a metric-by-metric crawl of the CloudWatch API pulls data and sends it
to Datadog. New metrics are pulled every ten minutes, on average.
- `resource_collection_enabled` - Some Datadog products leverage information about how your AWS resources (
such as S3 Buckets, RDS snapshots, and CloudFront distributions) are configured.
When `resource_collection_enabled` is `true`, Datadog collects this information
by making read-only API calls into your AWS account.
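Review bot: the "Possible Breaking Change" section should say what is regenerated when `module "datadog_integration"` is destroyed and recreated. The `store_write` hunk in `main.tf` shows this component writing `/datadog/datadog_external_id` to SSM, so if the recreated integration gets a new external ID, the IAM role trust relationship and anything that cached the old parameter value must be updated as well, and "a very brief outage" undersells that case. The entry should also state what the `null` default of the three new `*_collection_enabled` options means (upstream module/provider default rather than `false`), and "will cause it be destroyed" should read "will cause it to be destroyed".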
8 changes: 6 additions & 2 deletions modules/datadog-integration/README.md
@@ -1,6 +1,7 @@
# Component: `datadog-integration`

This component is responsible for provisioning Datadog AWS integrations.
This component is responsible for provisioning Datadog AWS integrations. It depends on
the `datadog-configuration` component to get the Datadog API keys.

See Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) for more information.

Expand Down Expand Up @@ -41,7 +42,7 @@ components:
| Name | Source | Version |
|------|--------|---------|
| <a name="module_datadog_configuration"></a> [datadog\_configuration](#module\_datadog\_configuration) | ../datadog-configuration/modules/datadog_keys | n/a |
| <a name="module_datadog_integration"></a> [datadog\_integration](#module\_datadog\_integration) | cloudposse/datadog-integration/aws | 1.0.0 |
| <a name="module_datadog_integration"></a> [datadog\_integration](#module\_datadog\_integration) | cloudposse/datadog-integration/aws | 1.2.0 |
| <a name="module_iam_roles"></a> [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a |
| <a name="module_store_write"></a> [store\_write](#module\_store\_write) | cloudposse/ssm-parameter-store/aws | 0.11.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
Expand All @@ -61,6 +62,7 @@ components:
| <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_context_host_and_filter_tags"></a> [context\_host\_and\_filter\_tags](#input\_context\_host\_and\_filter\_tags) | Automatically add host and filter tags for these context keys | `list(string)` | <pre>[<br> "namespace",<br> "tenant",<br> "stage"<br>]</pre> | no |
| <a name="input_cspm_resource_collection_enabled"></a> [cspm\_resource\_collection\_enabled](#input\_cspm\_resource\_collection\_enabled) | Enable Datadog Cloud Security Posture Management scanning of your AWS account.<br>See [announcement](https://www.datadoghq.com/product/cloud-security-management/cloud-security-posture-management/) for details. | `bool` | `null` | no |
| <a name="input_datadog_aws_account_id"></a> [datadog\_aws\_account\_id](#input\_datadog\_aws\_account\_id) | The AWS account ID Datadog's integration servers use for all integrations | `string` | `"464622532012"` | no |
| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
Expand All @@ -76,10 +78,12 @@ components:
| <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
| <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
| <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br> The value of the `name` tag, if included, will be the `id`, not the `name`.<br> Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br> changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br> "default"<br>]</pre> | no |
| <a name="input_metrics_collection_enabled"></a> [metrics\_collection\_enabled](#input\_metrics\_collection\_enabled) | When enabled, a metric-by-metric crawl of the CloudWatch API pulls data and sends it<br>to Datadog. New metrics are pulled every ten minutes, on average. | `bool` | `null` | no |
| <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | n/a | yes |
| <a name="input_resource_collection_enabled"></a> [resource\_collection\_enabled](#input\_resource\_collection\_enabled) | Some Datadog products leverage information about how your AWS resources<br>(such as S3 Buckets, RDS snapshots, and CloudFront distributions) are configured.<br>When `resource_collection_enabled` is `true`, Datadog collects this information<br>by making read-only API calls into your AWS account. | `bool` | `null` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
| <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
9 changes: 6 additions & 3 deletions modules/datadog-integration/main.tf
Expand Up @@ -10,16 +10,19 @@ data "aws_regions" "all" {

module "datadog_integration" {
source = "cloudposse/datadog-integration/aws"
version = "1.0.0"
version = "1.2.0"

count = module.this.enabled && length(var.integrations) > 0 ? 1 : 0
enabled = module.this.enabled && length(var.integrations) > 0

datadog_aws_account_id = var.datadog_aws_account_id
integrations = var.integrations
filter_tags = local.filter_tags
host_tags = local.host_tags
excluded_regions = concat(var.excluded_regions, tolist(local.excluded_list_by_include))
account_specific_namespace_rules = var.account_specific_namespace_rules
cspm_resource_collection_enabled = var.cspm_resource_collection_enabled
metrics_collection_enabled = var.metrics_collection_enabled
resource_collection_enabled = var.resource_collection_enabled

context = module.this.context
}
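Review bot: replacing `count = ... ? 1 : 0` with `enabled = ...` changes the module address from `module.datadog_integration[0]` to `module.datadog_integration`, which is exactly the destroy-and-recreate the CHANGELOG warns about. A `moved` block (Terraform 1.1+) avoids it: `moved { from = module.datadog_integration[0]  to = module.datadog_integration }`. Separately, the three new arguments pass `null` through by default; confirm that `cloudposse/datadog-integration/aws` 1.2.0 treats `null` as "leave the provider default" rather than coercing it to `false`, because for `cspm_resource_collection_enabled` that difference decides whether posture scanning is silently disabled.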
Expand All @@ -38,9 +41,9 @@ locals {
}

module "store_write" {
count = local.enabled ? 1 : 0
source = "cloudposse/ssm-parameter-store/aws"
version = "0.11.0"

parameter_write = [
{
name = "/datadog/datadog_external_id"
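Review bot: removing `count = local.enabled ? 1 : 0` from `module "store_write"` drops the only visible guard against writing `/datadog/datadog_external_id` when the component is disabled. Confirm the module still receives `enabled` via `context` so that `enabled = false` writes no parameter, and add the matching `moved { from = module.store_write[0]  to = module.store_write }` so the existing parameter is not destroyed and recreated on upgrade.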
29 changes: 29 additions & 0 deletions modules/datadog-integration/variables.tf
Expand Up @@ -49,3 +49,32 @@ variable "context_host_and_filter_tags" {
description = "Automatically add host and filter tags for these context keys"
default = ["namespace", "tenant", "stage"]
}

variable "cspm_resource_collection_enabled" {
type = bool
default = null
description = <<-EOT
Enable Datadog Cloud Security Posture Management scanning of your AWS account.
See [announcement](https://www.datadoghq.com/product/cloud-security-management/cloud-security-posture-management/) for details.
EOT
}

variable "metrics_collection_enabled" {
type = bool
default = null
description = <<-EOT
When enabled, a metric-by-metric crawl of the CloudWatch API pulls data and sends it
to Datadog. New metrics are pulled every ten minutes, on average.
EOT
}

variable "resource_collection_enabled" {
type = bool
default = null
description = <<-EOT
Some Datadog products leverage information about how your AWS resources
(such as S3 Buckets, RDS snapshots, and CloudFront distributions) are configured.
When `resource_collection_enabled` is `true`, Datadog collects this information
by making read-only API calls into your AWS account.
EOT
}
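Review bot: the three new `bool` variables default to `null`, but none of the descriptions say what `null` means in practice (defer to the upstream module or provider default). One sentence in each `description`, for example "Leave `null` to keep the provider default", would stop operators from assuming `null` behaves like `false`; that matters most for `cspm_resource_collection_enabled`, where the difference is whether security posture scanning runs at all.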
13 changes: 13 additions & 0 deletions modules/datadog-lambda-forwarder/CHANGELOG.md
@@ -0,0 +1,13 @@
## PR [#814](https://github.com/cloudposse/terraform-aws-components/pull/814)

### Fix for `enabled = false` or Destroy and Recreate

Previously, when `enabled = false` was set, the component would not necessarily
function as desired (deleting any existing resources and not creating any new ones).
Also, previously, when deleting the component, there was a race condition where
the log group could be deleted before the lambda function was deleted, causing
the lambda function to trigger automatic recreation of the log group. This
would result in re-creation failing because Terraform would try to create the
log group but it already existed.

These issues have been fixed in this PR.
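Review bot: this CHANGELOG describes two fixes (honouring `enabled = false`, and a deletion-ordering race between the log group and the Lambda function) but none of the `datadog-lambda-forwarder` `.tf` changes appear in this diff view, so the claim cannot be checked against code here. Please name the mechanism used (for example an explicit `depends_on` between the function and its log group) in the entry, and tell operators who already hit the old race what to do with the orphaned log group (import it or delete it) before re-applying.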