AWS Datadog RDS Enhanced Monitoring Forwarder Terraform module

Terraform module which processes an RDS enhanced monitoring DATA_MESSAGE coming from CloudWatch Logs and forwards it to Datadog.

Usage

# Note: you will need to create this secret manually prior to running
# This avoids having to pass the key to Terraform in plaintext
data "aws_secretsmanager_secret" "datadog_api_key" {
  name = "datadog/api_key"
}

# KMS key will need to be created outside of module
data "aws_kms_alias" "datadog" {
  name = "alias/datadog"
}

module "datadog_rds_enhanced_monitoring_forwarder" {
  source  = "terraform-aws-modules/datadog-forwarders/aws//modules/rds_enhanced_monitoring_forwarder"

  # The module input is kms_key_arn (see Inputs), so resolve the alias to its key ARN
  kms_key_arn           = data.aws_kms_alias.datadog.target_key_arn
  dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.7 |
| aws | >= 6.28 |

Providers

| Name | Version |
|------|---------|
| aws | >= 6.28 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_iam_policy.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_lambda_function.this | resource |
| aws_lambda_permission.cloudwatch | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.this | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| architectures | Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. Default is ["arm64"] | `list(string)` | `["arm64"]` | no |
| create | Controls whether the forwarder resources should be created | `bool` | `true` | no |
| create_role | Controls whether an IAM role is created for the forwarder | `bool` | `true` | no |
| create_role_policy | Controls whether an IAM role policy is created for the forwarder | `bool` | `true` | no |
| dd_api_key | The Datadog API key, which can be found from the APIs page (/account/settings#api). It will be stored in AWS Secrets Manager securely | `string` | `""` | no |
| dd_api_key_secret_arn | The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager | `string` | `""` | no |
| dd_site | Define your Datadog Site to send data to. For the Datadog EU site, set to datadoghq.eu | `string` | `"datadoghq.com"` | no |
| environment_variables | A map of environment variables for the forwarder lambda function | `map(string)` | `{}` | no |
| forwarder_version | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"4.12.0"` | no |
| kms_key_arn | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
| lambda_tags | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |
| layers | List of Lambda Layer Version ARNs (maximum of 5) to attach to the forwarder lambda | `list(string)` | `[]` | no |
| log_kms_key_id | The AWS KMS Key ARN to use for CloudWatch log group encryption | `string` | `null` | no |
| log_retention_days | Forwarder CloudWatch log group retention in days | `number` | `7` | no |
| memory_size | Memory size for the forwarder lambda function | `number` | `256` | no |
| name | Forwarder lambda name | `string` | `"datadog-rds-enhanced-monitoring-forwarder"` | no |
| policy_arn | IAM policy arn for forwarder lambda function to utilize | `string` | `null` | no |
| policy_name | Forwarder policy name | `string` | `""` | no |
| policy_path | Forwarder policy path | `string` | `null` | no |
| publish | Whether to publish creation/change as a new Lambda Function Version | `bool` | `false` | no |
| reserved_concurrent_executions | The amount of reserved concurrent executions for the forwarder lambda function | `number` | `10` | no |
| role_arn | IAM role arn for forwarder lambda function to utilize | `string` | `null` | no |
| role_max_session_duration | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours | `number` | `null` | no |
| role_name | Forwarder role name | `string` | `""` | no |
| role_path | Forwarder role path | `string` | `null` | no |
| role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the forwarder role | `string` | `null` | no |
| role_tags | A map of tags to apply to the forwarder role | `map(string)` | `{}` | no |
| runtime | Lambda function runtime | `string` | `"python3.12"` | no |
| security_group_ids | List of security group ids when Lambda Function should run in the VPC | `list(string)` | `null` | no |
| subnet_ids | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets | `list(string)` | `null` | no |
| tags | A map of tags to use on all resources | `map(string)` | `{}` | no |
| timeout | The amount of time the forwarder lambda has to execute in seconds | `number` | `10` | no |
| use_policy_name_prefix | Whether to use unique name beginning with the specified policy_name for the forwarder policy | `bool` | `false` | no |
| use_role_name_prefix | Whether to use unique name beginning with the specified role_name for the forwarder role | `bool` | `false` | no |
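
A hardened call to the module that combines the security-relevant inputs listed above, as an added example that is not part of the module's README. The module label, the variable names, the KMS alias `alias/datadog-forwarder` and the 30-day retention are assumptions; every module argument used is one of the documented inputs.

```hcl
# Added example. Variables and the KMS alias name are hypothetical placeholders.
variable "private_subnet_ids" { type = list(string) }
variable "forwarder_security_group_ids" { type = list(string) }
variable "permissions_boundary_arn" { type = string }

# Secret created out of band, so the API key is never a Terraform input.
data "aws_secretsmanager_secret" "dd_api_key" {
  name = "datadog/api_key"
}

# Customer-managed key created outside the module.
data "aws_kms_alias" "forwarder" {
  name = "alias/datadog-forwarder"
}

module "datadog_rds_em_forwarder_hardened" {
  source = "terraform-aws-modules/datadog-forwarders/aws//modules/rds_enhanced_monitoring_forwarder"

  # Reference the secret by ARN and leave dd_api_key at its default of "".
  dd_api_key_secret_arn = data.aws_secretsmanager_secret.dd_api_key.arn

  # Encrypt Lambda environment variables with the customer-managed key
  # instead of the default service key.
  kms_key_arn = data.aws_kms_alias.forwarder.target_key_arn

  # Encrypt the forwarder's own log group as well. The key policy must
  # allow the CloudWatch Logs service in this region to use the key.
  log_kms_key_id     = data.aws_kms_alias.forwarder.target_key_arn
  log_retention_days = 30

  # Run in private subnets. The function still needs an outbound path
  # to the Datadog site configured in dd_site.
  subnet_ids         = var.private_subnet_ids
  security_group_ids = var.forwarder_security_group_ids

  # Cap what the created role can ever be granted.
  role_permissions_boundary = var.permissions_boundary_arn

  # Pin the forwarder release explicitly so upgrades are a reviewed change.
  forwarder_version              = "4.12.0"
  reserved_concurrent_executions = 10

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```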

Outputs

| Name | Description |
|------|-------------|
| cloudwatch_log_group_arn | The ARN of the forwarder lambda function CloudWatch log group |
| lambda_arn | The ARN of the forwarder lambda function |
| lambda_kms_key_arn | (Optional) The ARN for the KMS encryption key for the forwarder lambda function |
| lambda_qualified_arn | The ARN of the forwarder lambda function (if versioning is enabled via publish = true) |
| lambda_source_code_hash | Base64-encoded representation of raw SHA-256 sum of the zip file, provided either via filename or s3_* parameters |
| lambda_version | Latest published version of the forwarder lambda function |
| role_arn | The forwarder lambda role arn |
| role_id | The forwarder lambda role id |
| role_name | The forwarder lambda role name |
| role_policy_arn | The ARN of the forwarder lambda role policy |
| role_policy_id | The ID of the forwarder lambda role policy |
| role_policy_name | The name of the forwarder lambda role policy |
| role_unique_id | The stable and unique string identifying the forwarder lambda role |

License

Apache-2.0 Licensed. See LICENSE.