From c5914947c7840c6814d37d9520a235ce0579c1b1 Mon Sep 17 00:00:00 2001
From: Brandon Metcalf
Date: Tue, 31 Aug 2021 14:49:49 -0500
Subject: [PATCH 1/5] Fix arn partition

---
 lambda-log.tf | 6 +++---
 lambda-rds.tf | 2 +-
 lambda-vpc-logs.tf | 2 +-
 main.tf | 5 +++++
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/lambda-log.tf b/lambda-log.tf
index 422f1289..0ce8b978 100644
--- a/lambda-log.tf
+++ b/lambda-log.tf
@@ -68,7 +68,7 @@ resource "aws_lambda_permission" "allow_s3_bucket" {
 action = "lambda:InvokeFunction"
 function_name = aws_lambda_function.forwarder_log[0].arn
 principal = "s3.amazonaws.com"
- source_arn = "arn:aws:s3:::${each.value}"
+ source_arn = "${local.arn_format}:s3:::${each.value}"
 }
 
 resource "aws_s3_bucket_notification" "s3_bucket_notification" {
@@ -95,7 +95,7 @@ data "aws_iam_policy_document" "s3_log_bucket" {
 "s3:ListBucket",
 "s3:ListObjects",
 ]
- resources = concat(formatlist("arn:aws:s3:::%s", var.s3_buckets), formatlist("arn:aws:s3:::%s/*", var.s3_buckets))
+ resources = concat(formatlist("%s:s3:::%s", local.arn_format, var.s3_buckets), formatlist("%s:s3:::%s/*", local.arn_format, var.s3_buckets))
 }
 
 dynamic "statement" {
@@ -144,7 +144,7 @@ resource "aws_lambda_permission" "cloudwatch_groups" {
 action = "lambda:InvokeFunction"
 function_name = aws_lambda_function.forwarder_log[0].function_name
 principal = "logs.${local.aws_region}.amazonaws.com"
- source_arn = "arn:aws:logs:${local.aws_region}:${local.aws_account_id}:log-group:${each.value}:*"
+ source_arn = "${local.arn_format}:logs:${local.aws_region}:${local.aws_account_id}:log-group:${each.value}:*"
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "cloudwatch_log_subscription_filter" {
diff --git a/lambda-rds.tf b/lambda-rds.tf
index b10797de..17d99ce4 100644
--- a/lambda-rds.tf
+++ b/lambda-rds.tf
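Review bot: The `allow_s3_bucket` permission in the first hunk still relies on `source_arn` alone, and an S3 bucket ARN carries no account ID, so if one of these buckets were deleted and its name claimed by another account, that account's bucket could invoke the forwarder; AWS recommends also pinning S3-triggered Lambda permissions to the owning account. Adding `source_account = local.aws_account_id` beside the new `source_arn` closes that gap, and the same local is already used in the `cloudwatch_groups` hunk below, where the log-group ARN embeds the account and needs nothing further. The `s3_log_bucket` policy statement starts outside its hunk, so only the `resources` change is visible there.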
@@ -75,7 +75,7 @@ resource "aws_lambda_permission" "cloudwatch_enhance_rds" {
 action = "lambda:InvokeFunction"
 function_name = aws_lambda_function.forwarder_rds[0].function_name
 principal = "logs.amazonaws.com"
- source_arn = "arn:aws:logs:${local.aws_region}:${local.aws_account_id}:log-group:RDSOSMetrics:*"
+ source_arn = "${local.arn_format}:logs:${local.aws_region}:${local.aws_account_id}:log-group:RDSOSMetrics:*"
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "datadog_log_subscription_filter_rds" {
diff --git a/lambda-vpc-logs.tf b/lambda-vpc-logs.tf
index e73d5273..420177f3 100644
--- a/lambda-vpc-logs.tf
+++ b/lambda-vpc-logs.tf
@@ -76,7 +76,7 @@ resource "aws_lambda_permission" "cloudwatch_vpclogs" {
 action = "lambda:InvokeFunction"
 function_name = aws_lambda_function.forwarder_vpclogs[0].function_name
 principal = "logs.amazonaws.com"
- source_arn = "arn:aws:logs:${local.aws_region}:${local.aws_account_id}:log-group:${var.vpclogs_cloudwatch_log_group}:*"
+ source_arn = "${local.arn_format}:logs:${local.aws_region}:${local.aws_account_id}:log-group:${var.vpclogs_cloudwatch_log_group}:*"
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "datadog_log_subscription_filter_vpclogs" {
diff --git a/main.tf b/main.tf
index 28487eb8..6850eb01 100644
--- a/main.tf
+++ b/main.tf
@@ -2,12 +2,17 @@ data "aws_caller_identity" "current" {
 count = local.enabled ? 1 : 0
 }
 
+data "aws_partition" "current" {
+ count = local.enabled ? 1 : 0
+}
+
 data "aws_region" "current" {
 count = local.enabled ? 1 : 0
 }
 
 locals {
 enabled = module.this.enabled
+ arn_format = "arn:${data.aws_partition.current[0].partition}"
 aws_account_id = join("", data.aws_caller_identity.current.*.account_id)
 aws_region = join("", data.aws_region.current.*.name)
 lambda_enabled = local.enabled
From 0693c4dc03ce6fffeaebc0a2da737f075034fbf5 Mon Sep 17 00:00:00 2001
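Review bot: The new `arn_format` local indexes `data.aws_partition.current[0]` directly while the data source is declared with `count = local.enabled ? 1 : 0`, so a disabled module produces an empty list and the plan fails with an invalid-index error instead of creating nothing. The adjacent `aws_account_id` and `aws_region` locals avoid exactly this with the splat-and-join pattern, and the new local should follow it: `arn_format = "arn:${join("", data.aws_partition.current.*.partition)}"`. When disabled that yields `arn:`, which is presumably harmless because the consumers visible in this patch are themselves gated on `forwarder_*[0]`, but it is worth confirming for the `for_each` permissions whose key sets are not shown here.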
From: Brandon Metcalf Date: Wed, 1 Sep 2021 07:34:22 -0500 Subject: [PATCH 2/5] Add ability to pass in extra iam policy for lambda role. --- main.tf | 33 ++++++++++++++++++--------------- variables.tf | 6 ++++++ 2 files changed, 24 insertions(+), 15 deletions(-) diff --git a/main.tf b/main.tf index 6850eb01..a79b3589 100644 --- a/main.tf +++ b/main.tf 
@@ -11,21 +11,22 @@ data "aws_region" "current" { } locals { - enabled = module.this.enabled - arn_format = "arn:${data.aws_partition.current[0].partition}" - aws_account_id = join("", data.aws_caller_identity.current.*.account_id) - aws_region = join("", data.aws_region.current.*.name) - lambda_enabled = local.enabled - dd_api_key_resource = var.dd_api_key_source.resource - dd_api_key_identifier = var.dd_api_key_source.identifier - dd_api_key_arn = local.dd_api_key_resource == "ssm" ? join("", data.aws_ssm_parameter.api_key.*.arn) : local.dd_api_key_identifier - - dd_api_key_iam_actions = [lookup({ kms = "kms:Decrypt", asm = "secretsmanager:GetSecretValue", ssm = "ssm:GetParameter" }, local.dd_api_key_resource, "")] - dd_api_key_kms = local.dd_api_key_resource == "kms" ? { DD_KMS_API_KEY = var.dd_api_key_kms_ciphertext_blob } : {} - dd_api_key_asm = local.dd_api_key_resource == "asm" ? { DD_API_KEY_SECRET_ARN = local.dd_api_key_identifier } : {} - dd_api_key_ssm = local.dd_api_key_resource == "ssm" ? { DD_API_KEY_SSM_NAME = local.dd_api_key_identifier } : {} - lambda_debug = var.forwarder_lambda_debug_enabled ? { DD_LOG_LEVEL = "debug" } : {} - lambda_env = merge(local.dd_api_key_kms, local.dd_api_key_asm, local.dd_api_key_ssm, local.lambda_debug) + enabled = module.this.enabled + arn_format = "arn:${data.aws_partition.current[0].partition}" + aws_account_id = join("", data.aws_caller_identity.current.*.account_id) + aws_region = join("", data.aws_region.current.*.name) + lambda_enabled = local.enabled + dd_api_key_resource = var.dd_api_key_source.resource + dd_api_key_identifier = var.dd_api_key_source.identifier + dd_api_key_arn = local.dd_api_key_resource == "ssm" ? join("", data.aws_ssm_parameter.api_key.*.arn) : local.dd_api_key_identifier + + dd_api_key_iam_actions = [lookup({ kms = "kms:Decrypt", asm = "secretsmanager:GetSecretValue", ssm = "ssm:GetParameter" }, local.dd_api_key_resource, "")] + dd_api_key_kms = local.dd_api_key_resource == "kms" ? 
{ DD_KMS_API_KEY = var.dd_api_key_kms_ciphertext_blob } : {} + dd_api_key_asm = local.dd_api_key_resource == "asm" ? { DD_API_KEY_SECRET_ARN = local.dd_api_key_identifier } : {} + dd_api_key_ssm = local.dd_api_key_resource == "ssm" ? { DD_API_KEY_SSM_NAME = local.dd_api_key_identifier } : {} + lambda_debug = var.forwarder_lambda_debug_enabled ? { DD_LOG_LEVEL = "debug" } : {} + lambda_env = merge(local.dd_api_key_kms, local.dd_api_key_asm, local.dd_api_key_ssm, local.lambda_debug) + lambda_policy_source_json = var.lambda_policy_source_json } # Log Forwarder, RDS Enhanced Forwarder, VPC Flow Log Forwarder @@ -79,6 +80,8 @@ data "aws_iam_policy_document" "lambda" { # #checkov:skip=BC_AWS_IAM_57: (Pertaining to contstraining IAM write access) This policy has not write access and is restricted to one specific ARN. + source_json = var.lambda_policy_source_json + statement { sid = "AllowWriteLogs" diff --git a/variables.tf b/variables.tf index 720cf2cd..d603e7de 100644 --- a/variables.tf +++ b/variables.tf @@ -169,3 +169,9 @@ variable "forwarder_log_artifact_url" { description = "The url for the code of the Datadog forwarder Log, it can be a local file, url or git repo" default = null } + +variable "lambda_policy_source_json" { + type = string + description = "Additional IAM policy document that can optionally be passed and merged with exported document" + default = "" +} From f9f92b3e1ba04bf0d136739d4e70c12671a8b762 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Wed, 1 Sep 2021 12:37:13 +0000 Subject: [PATCH 3/5] Auto Format --- README.md | 1 + docs/terraform.md | 1 + main.tf | 18 +++++++++--------- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 01556519..a645ff92 100644 --- a/README.md +++ b/README.md @@ -259,6 +259,7 @@ Available targets: | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
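Review bot: The added `source_json = var.lambda_policy_source_json` lets a caller append arbitrary statements to the forwarder role's policy, which invalidates the `checkov:skip=BC_AWS_IAM_57` justification two lines above ("no write access and restricted to one specific ARN") for any deployment that sets the variable. The skip comment should acknowledge this, e.g. `# NOTE: lambda_policy_source_json may widen this policy; callers are responsible for reviewing the document they pass`, and the variable description in the variables.tf hunk should state that statements sharing a `sid` with the module's own statements are overwritten rather than merged (that is the documented `source_json` behaviour; confirm against the provider version this module pins). With `default = ""` the attribute also relies on the provider treating an empty `source_json` as unset, which I believe holds for the 3.x provider but deserves a plan run in a consumer that leaves it blank. The `lambda` policy document begins and ends outside the hunk.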
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [lambda\_policy\_source\_json](#input\_lambda\_policy\_source\_json) | Additional IAM policy document that can optionally be passed and merged with exported document | `string` | `""` | no | | [lambda\_reserved\_concurrent\_executions](#input\_lambda\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. | `number` | `-1` | no | | [lambda\_runtime](#input\_lambda\_runtime) | Runtime environment for Datadog Lambda | `string` | `"python3.7"` | no | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 62315a41..b60303dd 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -93,6 +93,7 @@ | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [lambda\_policy\_source\_json](#input\_lambda\_policy\_source\_json) | Additional IAM policy document that can optionally be passed and merged with exported document | `string` | `""` | no | | [lambda\_reserved\_concurrent\_executions](#input\_lambda\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. | `number` | `-1` | no | | [lambda\_runtime](#input\_lambda\_runtime) | Runtime environment for Datadog Lambda | `string` | `"python3.7"` | no | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | diff --git a/main.tf b/main.tf index a79b3589..c9576d5a 100644 --- a/main.tf +++ b/main.tf @@ -11,14 +11,14 @@ data "aws_region" "current" { } locals { - enabled = module.this.enabled - arn_format = "arn:${data.aws_partition.current[0].partition}" - aws_account_id = join("", data.aws_caller_identity.current.*.account_id) - aws_region = join("", data.aws_region.current.*.name) - lambda_enabled = local.enabled - dd_api_key_resource = var.dd_api_key_source.resource - dd_api_key_identifier = var.dd_api_key_source.identifier - dd_api_key_arn = local.dd_api_key_resource == "ssm" ? join("", data.aws_ssm_parameter.api_key.*.arn) : local.dd_api_key_identifier + enabled = module.this.enabled + arn_format = "arn:${data.aws_partition.current[0].partition}" + aws_account_id = join("", data.aws_caller_identity.current.*.account_id) + aws_region = join("", data.aws_region.current.*.name) + lambda_enabled = local.enabled + dd_api_key_resource = var.dd_api_key_source.resource + dd_api_key_identifier = var.dd_api_key_source.identifier + dd_api_key_arn = local.dd_api_key_resource == "ssm" ? join("", data.aws_ssm_parameter.api_key.*.arn) : local.dd_api_key_identifier dd_api_key_iam_actions = [lookup({ kms = "kms:Decrypt", asm = "secretsmanager:GetSecretValue", ssm = "ssm:GetParameter" }, local.dd_api_key_resource, "")] dd_api_key_kms = local.dd_api_key_resource == "kms" ? { DD_KMS_API_KEY = var.dd_api_key_kms_ciphertext_blob } : {} @@ -80,7 +80,7 @@ data "aws_iam_policy_document" "lambda" { # #checkov:skip=BC_AWS_IAM_57: (Pertaining to contstraining IAM write access) This policy has not write access and is restricted to one specific ARN. - source_json = var.lambda_policy_source_json + source_json = var.lambda_policy_source_json statement { sid = "AllowWriteLogs" From 42666845f13115c1611d01423d9b5e880e044cc8 Mon Sep 17 00:00:00 2001 
From: nitrocode
Date: Wed, 1 Sep 2021 13:07:20 -0400
Subject: [PATCH 4/5] Update main.tf

---
 main.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/main.tf b/main.tf
index c9576d5a..f9cfde38 100644
--- a/main.tf
+++ b/main.tf
@@ -26,7 +26,6 @@ locals {
 dd_api_key_ssm = local.dd_api_key_resource == "ssm" ? { DD_API_KEY_SSM_NAME = local.dd_api_key_identifier } : {}
 lambda_debug = var.forwarder_lambda_debug_enabled ? { DD_LOG_LEVEL = "debug" } : {}
 lambda_env = merge(local.dd_api_key_kms, local.dd_api_key_asm, local.dd_api_key_ssm, local.lambda_debug)
- lambda_policy_source_json = var.lambda_policy_source_json
 }
 
 # Log Forwarder, RDS Enhanced Forwarder, VPC Flow Log Forwarder
From 4348b0f8afc8900bb0ed457d7e1dd142e0fa946e Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Wed, 1 Sep 2021 17:07:49 +0000
Subject: [PATCH 5/5] Auto Format

---
 main.tf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/main.tf b/main.tf
index f9cfde38..4fdf4c9c 100644
--- a/main.tf
+++ b/main.tf
@@ -20,12 +20,12 @@ locals {
 dd_api_key_identifier = var.dd_api_key_source.identifier
 dd_api_key_arn = local.dd_api_key_resource == "ssm" ? join("", data.aws_ssm_parameter.api_key.*.arn) : local.dd_api_key_identifier
 
- dd_api_key_iam_actions = [lookup({ kms = "kms:Decrypt", asm = "secretsmanager:GetSecretValue", ssm = "ssm:GetParameter" }, local.dd_api_key_resource, "")]
- dd_api_key_kms = local.dd_api_key_resource == "kms" ? { DD_KMS_API_KEY = var.dd_api_key_kms_ciphertext_blob } : {}
- dd_api_key_asm = local.dd_api_key_resource == "asm" ? { DD_API_KEY_SECRET_ARN = local.dd_api_key_identifier } : {}
- dd_api_key_ssm = local.dd_api_key_resource == "ssm" ? { DD_API_KEY_SSM_NAME = local.dd_api_key_identifier } : {}
- lambda_debug = var.forwarder_lambda_debug_enabled ? { DD_LOG_LEVEL = "debug" } : {}
- lambda_env = merge(local.dd_api_key_kms, local.dd_api_key_asm, local.dd_api_key_ssm, local.lambda_debug)
+ dd_api_key_iam_actions = [lookup({ kms = "kms:Decrypt", asm = "secretsmanager:GetSecretValue", ssm = "ssm:GetParameter" }, local.dd_api_key_resource, "")]
+ dd_api_key_kms = local.dd_api_key_resource == "kms" ? { DD_KMS_API_KEY = var.dd_api_key_kms_ciphertext_blob } : {}
+ dd_api_key_asm = local.dd_api_key_resource == "asm" ? { DD_API_KEY_SECRET_ARN = local.dd_api_key_identifier } : {}
+ dd_api_key_ssm = local.dd_api_key_resource == "ssm" ? { DD_API_KEY_SSM_NAME = local.dd_api_key_identifier } : {}
+ lambda_debug = var.forwarder_lambda_debug_enabled ? { DD_LOG_LEVEL = "debug" } : {}
+ lambda_env = merge(local.dd_api_key_kms, local.dd_api_key_asm, local.dd_api_key_ssm, local.lambda_debug)
 }
 
 # Log Forwarder, RDS Enhanced Forwarder, VPC Flow Log Forwarder