From 93e15c709e788ca3ff2ab47b49eff370e0fab2b5 Mon Sep 17 00:00:00 2001 From: Chris Wright Date: Thu, 10 Oct 2024 14:56:10 +0100 Subject: [PATCH] Datadog integration * Adds the datadog provider * Conditionally launch a Datadog Agent in the ECS cluster --- .terraform.lock.hcl | 68 +++- README.md | 30 +- buildspecs/dalmatian-datadog.yml | 24 ++ container-definitions/app.json.tpl | 3 + ...er-infrastructure-datadog-agent-api-key.tf | 13 + ...luster-infrastructure-datadog-agent-ecr.tf | 17 + ...structure-datadog-agent-image-codebuild.tf | 142 ++++++++ ...er-infrastructure-datadog-agent-service.tf | 320 ++++++++++++++++++ ...cluster-infrastructure-logspout-service.tf | 1 + ...r-infrastructure-service-scheduled-task.tf | 1 + ecs-cluster-infrastructure-service.tf | 1 + kms-infrastructure.tf | 5 + locals.tf | 20 ++ providers.tf | 6 + ...frastructure-s3-backups-task-definition.tf | 1 + variables.tf | 16 + versions.tf | 4 + 17 files changed, 669 insertions(+), 3 deletions(-) create mode 100644 buildspecs/dalmatian-datadog.yml create mode 100644 ecs-cluster-infrastructure-datadog-agent-api-key.tf create mode 100644 ecs-cluster-infrastructure-datadog-agent-ecr.tf create mode 100644 ecs-cluster-infrastructure-datadog-agent-image-codebuild.tf create mode 100644 ecs-cluster-infrastructure-datadog-agent-service.tf diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 937682d..036371e 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -1,8 +1,31 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/datadog/datadog" { + version = "3.46.0" + constraints = ">= 3.46.0" + hashes = [ + "h1:CFLkXTHKZCELLlttTfN/n3mjwsJMhDu+Hf5Tg4rpiKQ=", + "zh:14d7b6f2641107111c7b7c021c55db320c44acfb6bf6857359ec4780e2e70870", + "zh:192ebc32b08a38657d7acfff0fb6cbd0e8d8066e207c3f08929966b7e37fd3a4", + "zh:1b51b6ceb80ec90dc4830c7f0c4d7ec5d4315345942d498104bbb01ef7af0392", + "zh:24c5044a79eef22b0876aa75d23fe530a63923a3607c1e52ca4f994e18b054de", + "zh:2c85b675374a599b0fa598205dd3a01bfc5773adc960f3c120417e92417eb34f", + "zh:2ef64060f9378953cf876c1c03fa6b9dde4d34e440548438d261d4d5658b121d", + "zh:3000885923b118d5b2c3b5df2030267f9d88d8cf6cf125ee5ba2906e822bae27", + "zh:3e2101e4fe45f969f006dabb4e8c3798ee212f594e3edc0a0ce093f89191d36b", + "zh:6f778f330a207927f3f0b6fe0d0ed75fa8101233c3e37e4a8d6aed96e39e969a", + "zh:b0afb28a9d176803a668ae07247de098c4a5b9b060feb8c19fcb7a6087cc8d58", + "zh:b889103adae1f962cfca4003893e12364640e89449396a6df3baaef2d2bd6a42", + "zh:cd9bbff5cc7220232520904e977c5b4dafc735dbdcb142f292d67cbdb58dca4b", + "zh:d247fbac1d81a26d0a97428da6f1bbc77a0cc5c1532701c3a4be75221d318ed8", + "zh:ff50be8d703ff49a1548b0061338058c712d21353e38c4aeecdca934a371607d", + ] +} + provider "registry.terraform.io/hashicorp/archive" { - version = "2.6.0" + version = "2.6.0" + constraints = ">= 2.4.1" hashes = [ "h1:+zEa/PTvfv/sec7rrLcUmZTZ6Sm3sBw3ezWhjcRfUPU=", "h1:1uwk2nqRVsVaUvcC3MoNDFVWcX5WEresqaG5wFV7ydQ=", @@ -67,7 +90,8 @@ provider "registry.terraform.io/hashicorp/aws" { } provider "registry.terraform.io/hashicorp/external" { - version = "2.3.4" + version = "2.3.4" + constraints = ">= 2.3.2" hashes = [ "h1:+vGNrgIvJPzMpvFu83JJinMdkhIuvhEZ19GXZhbrnZ8=", "h1:6GqYfx2rlvNWemfIrN9FywbRCsCdyS95GWP1qX9BUZw=", @@ -94,3 +118,43 @@ provider "registry.terraform.io/hashicorp/external" { "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", ] } + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 3.2.2" + hashes = [ + "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + constraints = ">= 3.6.0" + hashes = [ + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} diff --git a/README.md b/README.md index 13d9669..fe32450 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,7 @@ This project creates and manages resources within an AWS account for infrastruct | [terraform](#requirement\_terraform) | >= 1.6.5 | | [archive](#requirement\_archive) | >= 2.4.1 | | [aws](#requirement\_aws) | >= 5.30.0 | +| [datadog](#requirement\_datadog) | >= 3.46.0 | | [external](#requirement\_external) | >= 2.3.2 | | [null](#requirement\_null) | >= 3.2.2 | | [random](#requirement\_random) | >= 3.6.0 | @@ -26,7 +27,7 @@ This project creates and manages resources within an AWS account for infrastruct | [aws.awsroute53root](#provider\_aws.awsroute53root) | 5.70.0 | | [aws.useast1](#provider\_aws.useast1) | 5.70.0 | | [external](#provider\_external) | 2.3.4 | -| [random](#provider\_random) | >= 3.6.0 | +| [random](#provider\_random) | 3.6.3 | | [terraform](#provider\_terraform) | n/a | ## Resources @@ -62,6 +63,7 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_cloudfront_origin_access_control.custom_s3_buckets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource | | [aws_cloudwatch_event_rule.ecs_cluster_infrastructure_ecs_asg_diff_metric_1_min_cron](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | | [aws_cloudwatch_event_rule.ecs_cluster_infrastructure_pending_task_metric_1_min_cron](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_rule.infrastructure_ecs_cluster_datadog_agent_image_build_trigger_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | | [aws_cloudwatch_event_rule.infrastructure_ecs_cluster_logspout_image_build_trigger_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | | [aws_cloudwatch_event_rule.infrastructure_ecs_cluster_service_ecr_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | | [aws_cloudwatch_event_rule.infrastructure_ecs_cluster_service_scheduled_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | @@ -70,6 +72,7 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_cloudwatch_event_target.ecr_scan_event_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | | [aws_cloudwatch_event_target.ecs_cluster_infrastructure_ecs_asg_diff_metric_1_min_cron](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | | [aws_cloudwatch_event_target.ecs_cluster_infrastructure_pending_task_metric_1_min_cron](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_event_target.infrastructure_ecs_cluster_datadog_agent_image_build_trigger_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | | [aws_cloudwatch_event_target.infrastructure_ecs_cluster_logspout_image_build_trigger_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | | [aws_cloudwatch_event_target.infrastructure_ecs_cluster_service_scheduled_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | | [aws_cloudwatch_event_target.infrastructure_rds_s3_backups_image_build_trigger_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | @@ -77,6 +80,7 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_cloudwatch_log_group.ecs_cluster_infrastructure_draining_lambda_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_cloudwatch_log_group.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_cloudwatch_log_group.ecs_cluster_infrastructure_pending_task_metric_lambda_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.infrastructure_ecs_cluster_datadog_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_cloudwatch_log_group.infrastructure_ecs_cluster_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_cloudwatch_log_group.infrastructure_rds_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_cloudwatch_log_group.infrastructure_rds_s3_backups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | @@ -84,6 +88,7 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_cloudwatch_metric_alarm.infrastructure_ecs_cluster_asg_cpu](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | | [aws_cloudwatch_metric_alarm.infrastructure_ecs_cluster_ecs_asg_diff](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | | [aws_cloudwatch_metric_alarm.infrastructure_ecs_cluster_pending_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_codebuild_project.infrastructure_ecs_cluster_datadog_agent_image_build](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | | [aws_codebuild_project.infrastructure_ecs_cluster_logspout_image_build](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | | [aws_codebuild_project.infrastructure_ecs_cluster_service_build](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | | [aws_codebuild_project.infrastructure_rds_s3_backups_image_build](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | @@ -96,13 +101,16 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_db_parameter_group.infrastructure_rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource | | [aws_db_subnet_group.infrastructure_rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | | [aws_default_network_acl.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource | +| [aws_ecr_repository.infrastructure_ecs_cluster_datadog_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource | | [aws_ecr_repository.infrastructure_ecs_cluster_logspout](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource | | [aws_ecr_repository.infrastructure_ecs_cluster_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource | | [aws_ecr_repository.infrastructure_rds_s3_backups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource | | [aws_ecs_cluster.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource | | [aws_ecs_cluster.infrastrucutre_rds_tooling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource | +| [aws_ecs_service.infrastructure_ecs_cluster_datadog_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource | | [aws_ecs_service.infrastructure_ecs_cluster_logspout](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource | | [aws_ecs_service.infrastructure_ecs_cluster_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource | +| [aws_ecs_task_definition.infrastructure_ecs_cluster_datadog_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource | | [aws_ecs_task_definition.infrastructure_ecs_cluster_logspout](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource | | [aws_ecs_task_definition.infrastructure_ecs_cluster_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource | | [aws_ecs_task_definition.infrastructure_ecs_cluster_service_scheduled_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource | @@ -145,6 +153,12 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_iam_policy.ecs_cluster_infrastructure_pending_task_metric_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_sns_publish](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_ecr_push](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_task_execution_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_task_execution_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_task_execution_get_secret_value](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.infrastructure_ecs_cluster_ec2_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.infrastructure_ecs_cluster_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.infrastructure_ecs_cluster_logspout_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | @@ -189,6 +203,8 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_iam_role.ecs_cluster_infrastructure_pending_task_metric_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.infrastructure_ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.infrastructure_ecs_cluster_autoscaling_lifecycle_termination](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.infrastructure_ecs_cluster_datadog_agent_image_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.infrastructure_ecs_cluster_datadog_agent_task_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.infrastructure_ecs_cluster_logspout_image_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.infrastructure_ecs_cluster_service_blue_green_codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.infrastructure_ecs_cluster_service_codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | @@ -218,6 +234,12 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_iam_role_policy_attachment.ecs_cluster_infrastructure_pending_task_metric_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_sns_publish](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_ecr_push](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_task_execution_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_task_execution_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_task_execution_get_secret_value](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ec2_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_kms_encrypt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_logspout_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | @@ -370,7 +392,9 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_s3_bucket_versioning.infrastructure_rds_s3_backups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [aws_s3_bucket_versioning.infrastructure_vpc_transfer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [aws_s3_object.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store_files](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [aws_secretsmanager_secret.infrastructure_ecs_cluster_datadog_agent_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | | [aws_secretsmanager_secret.infrastructure_rds_root_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.infrastructure_ecs_cluster_datadog_agent_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [aws_secretsmanager_secret_version.infrastructure_rds_root_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [aws_security_group.infrastructure_ec2_bastion_host](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.infrastructure_ecs_cluster_container_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | @@ -422,6 +446,7 @@ This project creates and manages resources within an AWS account for infrastruct | [aws_wafv2_web_acl.infrastructure_ecs_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource | | [random_password.infrastructure_ecs_cluster_service_cloudfront_bypass_protection_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | | [random_password.infrastructure_rds_root](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [terraform_data.infrastructure_ecs_cluster_datadog_agent_image_build_trigger_codebuild](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [terraform_data.infrastructure_ecs_cluster_logspout_image_build_trigger_codebuild](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [terraform_data.infrastructure_ecs_cluster_service_blue_green_create_codedeploy_deployment](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [terraform_data.infrastructure_ecs_cluster_service_env_file](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | @@ -459,6 +484,7 @@ This project creates and manages resources within an AWS account for infrastruct | [enable\_infrastructure\_bastion\_host](#input\_enable\_infrastructure\_bastion\_host) | Enable Infrastructure Bastion host. This launches a t3.micro AL2023 instance within the VPC that can be accessed via Session Manager | `bool` | n/a | yes | | [enable\_infrastructure\_ecs\_cluster](#input\_enable\_infrastructure\_ecs\_cluster) | Enable creation of infrastructure ECS cluster, to place ECS services | `bool` | n/a | yes | | [enable\_infrastructure\_ecs\_cluster\_asg\_cpu\_alert](#input\_enable\_infrastructure\_ecs\_cluster\_asg\_cpu\_alert) | Enable a CPU alert for the ECS cluster's Autoscaling Group | `bool` | n/a | yes | +| [enable\_infrastructure\_ecs\_cluster\_datadog\_agent](#input\_enable\_infrastructure\_ecs\_cluster\_datadog\_agent) | Conditionally launch Datadog agent containers on the ECS cluster | `bool` | n/a | yes | | [enable\_infrastructure\_ecs\_cluster\_ecs\_asg\_diff\_alert](#input\_enable\_infrastructure\_ecs\_cluster\_ecs\_asg\_diff\_alert) | Enable the ECS Cluster Container Instance / ASG instance diff alert | `bool` | n/a | yes | | [enable\_infrastructure\_ecs\_cluster\_efs](#input\_enable\_infrastructure\_ecs\_cluster\_efs) | Conditionally create and mount EFS to the ECS cluster instances | `bool` | n/a | yes | | [enable\_infrastructure\_ecs\_cluster\_pending\_task\_alert](#input\_enable\_infrastructure\_ecs\_cluster\_pending\_task\_alert) | Enable the ECS Cluster pending task alert | `bool` | n/a | yes | @@ -468,6 +494,8 @@ This project creates and manages resources within an AWS account for infrastruct | [enable\_infrastructure\_vpc\_transfer\_s3\_bucket](#input\_enable\_infrastructure\_vpc\_transfer\_s3\_bucket) | Enable VPC transfer S3 bucket. This allows uploading/downloading files from resources within the infrastructure VPC | `bool` | n/a | yes | | [environment](#input\_environment) | The environment name to be used as part of the resource prefix | `string` | n/a | yes | | [infrastructure\_bastion\_host\_custom\_security\_group\_rules](#input\_infrastructure\_bastion\_host\_custom\_security\_group\_rules) | Map of custom security group rules to add to the Infrastructure EC2 Bastion Host security group (eg. { rule-name = {type = "egress", ... } }) |
map(object({
description = string
type = string
from_port = number
to_port = number
protocol = string
source_security_group_id = optional(string, "")
cidr_blocks = optional(list(string), [])
}))
| n/a | yes | +| [infrastructure\_datadog\_api\_key](#input\_infrastructure\_datadog\_api\_key) | Datadog API key | `string` | n/a | yes | +| [infrastructure\_datadog\_region](#input\_infrastructure\_datadog\_region) | Datadog region | `string` | n/a | yes | | [infrastructure\_dockerhub\_email](#input\_infrastructure\_dockerhub\_email) | Dockerhub email | `string` | n/a | yes | | [infrastructure\_dockerhub\_token](#input\_infrastructure\_dockerhub\_token) | Dockerhub token which has permissions to pull images | `string` | n/a | yes | | [infrastructure\_dockerhub\_username](#input\_infrastructure\_dockerhub\_username) | Dockerhub username | `string` | n/a | yes | diff --git a/buildspecs/dalmatian-datadog.yml b/buildspecs/dalmatian-datadog.yml new file mode 100644 index 0000000..37d5580 --- /dev/null +++ b/buildspecs/dalmatian-datadog.yml @@ -0,0 +1,24 @@ +version: 0.2 + +phases: + pre_build: + commands: + - echo "Build started on $(date)" + - echo "Logging in to Amazon ECR..." + - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | docker login --username AWS --password-stdin "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com" + - | + if [ -n "$DOCKERHUB_USERNAME" ] && [ -n "DOCKERHUB_TOKEN" ]; + then + echo "Logging into Dockerhub ..."; + echo "$DOCKERHUB_TOKEN" | docker login --username "$DOCKERHUB_USERNAME" --password-stdin; + fi; + - echo Pulling datadog image from Dockerhub ... + - docker pull datadog/agent:latest + build: + commands: + - echo Adding ECR repo tag... + - docker tag datadog/agent:latest "$REPOSITORY_URI:latest" + post_build: + commands: + - echo Pushing the Docker image... + - docker push "$REPOSITORY_URI:latest" diff --git a/container-definitions/app.json.tpl b/container-definitions/app.json.tpl index f374777..f885d68 100644 --- a/container-definitions/app.json.tpl +++ b/container-definitions/app.json.tpl @@ -60,6 +60,9 @@ %{ if linux_parameters != "{}" } "linuxParameters": ${linux_parameters}, %{ endif } + %{ if security_options != "[]" } + "dockerSecurityOptions": ${security_options}, + %{ endif } %{if entrypoint != "[]"} "entrypoint": ${entrypoint}, %{ endif } diff --git a/ecs-cluster-infrastructure-datadog-agent-api-key.tf b/ecs-cluster-infrastructure-datadog-agent-api-key.tf new file mode 100644 index 0000000..8657a1d --- /dev/null +++ b/ecs-cluster-infrastructure-datadog-agent-api-key.tf @@ -0,0 +1,13 @@ +#tfsec:ignore:aws-ssm-secret-use-customer-key +resource "aws_secretsmanager_secret" "infrastructure_ecs_cluster_datadog_agent_api_key" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + name = "${local.resource_prefix_hash}/ecs/datadog-agent/DD_API_KEY" +} + +resource "aws_secretsmanager_secret_version" "infrastructure_ecs_cluster_datadog_agent_api_key" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + secret_id = aws_secretsmanager_secret.infrastructure_ecs_cluster_datadog_agent_api_key[0].id + secret_string = local.infrastructure_datadog_api_key +} diff --git a/ecs-cluster-infrastructure-datadog-agent-ecr.tf b/ecs-cluster-infrastructure-datadog-agent-ecr.tf new file mode 100644 index 0000000..492285c --- /dev/null +++ b/ecs-cluster-infrastructure-datadog-agent-ecr.tf @@ -0,0 +1,17 @@ +resource "aws_ecr_repository" "infrastructure_ecs_cluster_datadog_agent" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + name = "${local.resource_prefix}-infrastructure-ecs-datadog-agent" + + #tfsec:ignore:aws-ecr-enforce-immutable-repository + image_tag_mutability = "MUTABLE" + + encryption_configuration { + encryption_type = local.infrastructure_kms_encryption ? "KMS" : "AES256" + kms_key = local.infrastructure_kms_encryption ? aws_kms_key.infrastructure[0].arn : null + } + + image_scanning_configuration { + scan_on_push = true + } +} diff --git a/ecs-cluster-infrastructure-datadog-agent-image-codebuild.tf b/ecs-cluster-infrastructure-datadog-agent-image-codebuild.tf new file mode 100644 index 0000000..eb99fe7 --- /dev/null +++ b/ecs-cluster-infrastructure-datadog-agent-image-codebuild.tf @@ -0,0 +1,142 @@ +resource "aws_iam_role" "infrastructure_ecs_cluster_datadog_agent_image_codebuild" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + name = "${local.resource_prefix}-${substr(sha512("ecs-cluster-datadog-agent-image-codebuild"), 0, 6)}" + description = "${local.resource_prefix}-ecs-cluster-datadog-agent-image-codebuild" + assume_role_policy = templatefile( + "${path.root}/policies/assume-roles/service-principle-standard.json.tpl", + { services = jsonencode(["codebuild.amazonaws.com", "events.amazonaws.com"]) } + ) +} + +resource "aws_iam_policy" "infrastructure_ecs_cluster_datadog_agent_image_codebuild_cloudwatch_rw" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + name = "${local.resource_prefix}-${substr(sha512("ecs-cluster-datadog-agent-image-codebuild-cloudwatch-rw"), 0, 6)}" + description = "${local.resource_prefix}-ecs-cluster-datadog-agent-image-codebuild-cloudwatch-rw" + policy = templatefile("${path.root}/policies/cloudwatch-logs-rw.json.tpl", {}) +} + +resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_datadog_agent_image_codebuild_cloudwatch_rw" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + role = aws_iam_role.infrastructure_ecs_cluster_datadog_agent_image_codebuild[0].name + policy_arn = aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_cloudwatch_rw[0].arn +} + +resource "aws_iam_policy" "infrastructure_ecs_cluster_datadog_agent_image_codebuild_allow_builds" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + name = "${local.resource_prefix}-${substr(sha512("ecs-cluster-datadog-agent-image-codebuild-allow-builds"), 0, 6)}" + description = "${local.resource_prefix}-ecs-cluster-datadog-agent-image-codebuild-allow-builds" + policy = templatefile("${path.root}/policies/codebuild-allow-builds.json.tpl", {}) +} + +resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_datadog_agent_image_codebuild_allow_builds" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + role = aws_iam_role.infrastructure_ecs_cluster_datadog_agent_image_codebuild[0].name + policy_arn = aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_allow_builds[0].arn +} + +resource "aws_iam_policy" "infrastructure_ecs_cluster_datadog_agent_image_codebuild_ecr_push" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + name = "${local.resource_prefix}-${substr(sha512("ecs-cluster-datadog-agent-image-codebuild-ecr-push"), 0, 6)}" + description = "${local.resource_prefix}-ecs-cluster-datadog-agent-image-codebuild-ecr-push" + policy = templatefile( + "${path.root}/policies/ecr-push.json.tpl", + { ecr_repository_arn = aws_ecr_repository.infrastructure_ecs_cluster_datadog_agent[0].arn } + ) +} + +resource "aws_iam_role_policy_attachment" "infrastructure_ecs_cluster_datadog_agent_image_codebuild_ecr_push" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + role = aws_iam_role.infrastructure_ecs_cluster_datadog_agent_image_codebuild[0].name + policy_arn = aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_ecr_push[0].arn +} + +resource "aws_codebuild_project" "infrastructure_ecs_cluster_datadog_agent_image_build" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + name = "${local.resource_prefix}-ecs-cluster-datadog-agent-image-build" + description = "${local.resource_prefix} ECS Cluster Datadog Agent Image Build" + build_timeout = "20" + service_role = aws_iam_role.infrastructure_ecs_cluster_datadog_agent_image_codebuild[0].arn + + artifacts { + type = "NO_ARTIFACTS" + } + + environment { + compute_type = "BUILD_GENERAL1_SMALL" + image = "aws/codebuild/standard:7.0" + type = "LINUX_CONTAINER" + privileged_mode = true + + environment_variable { + name = "AWS_ACCOUNT_ID" + value = local.aws_account_id + } + + environment_variable { + name = "REPOSITORY_URI" + value = aws_ecr_repository.infrastructure_ecs_cluster_datadog_agent[0].repository_url + } + + environment_variable { + name = "DOCKERHUB_USERNAME" + value = local.infrastructure_dockerhub_username + } + + environment_variable { + name = "DOCKERHUB_TOKEN" + value = local.infrastructure_dockerhub_token + } + } + + source { + type = "NO_SOURCE" + buildspec = templatefile("${path.root}/buildspecs/dalmatian-datadog.yml", {}) + } + + depends_on = [ + aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_cloudwatch_rw, + aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_allow_builds, + aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_ecr_push, + ] +} + +resource "terraform_data" "infrastructure_ecs_cluster_datadog_agent_image_build_trigger_codebuild" { + count = local.enable_infrastructure_ecs_cluster_datadog_agent ? 1 : 0 + + triggers_replace = [ + md5(templatefile("${path.root}/buildspecs/dalmatian-datadog.yml", {})), + ] + + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + command = < 0 + infrastructure_datadog_api_key = var.infrastructure_datadog_api_key + infrastructure_datadog_region = var.infrastructure_datadog_region + infrastructure_datadog_api_url = local.infrastructure_datadog_region != "" ? { + "US1" = "https://api.datadoghq.com/", + "US3" = "https://api.us3.datadoghq.com/", + "US5" = "https://api.us5.datadoghq.com/", + "EU1" = "https://api.datadoghq.eu/", + "US1-FED" = "https://api.ddog-gov.com/", + "AP1" = "https://api.ap1.datadoghq.com/" + }[local.infrastructure_datadog_region] : "https://api.datadoghq.com/" + infrastructure_datadog_site = local.infrastructure_datadog_region != "" ? { + "US1" = "datadoghq.com", + "US3" = "us3.datadoghq.com", + "US5" = "us5.datadoghq.com", + "EU1" = "datadoghq.eu", + "US1-FED" = "ddog-gov.com", + "AP1" = "ap1.datadoghq.com" + }[local.infrastructure_datadog_region] : "datadoghq.com" + enable_infrastructure_ecs_cluster_datadog_agent = local.enable_infrastructure_ecs_cluster && var.enable_infrastructure_ecs_cluster_datadog_agent + infrastructure_vpc = var.infrastructure_vpc infrastructure_vpc_cidr_block = var.infrastructure_vpc_cidr_block infrastructure_vpc_enable_dns_support = var.infrastructure_vpc_enable_dns_support diff --git a/providers.tf b/providers.tf index dec473e..5c1be0f 100644 --- a/providers.tf +++ b/providers.tf @@ -24,3 +24,9 @@ provider "aws" { tags = local.default_tags } } + +provider "datadog" { + api_key = local.infrastructure_datadog_api_key + vaildate = local.infrastructure_datadog_api_key != "" + api_url = local.infrastructure_datadog_api_url +} diff --git a/rds-infrastructure-s3-backups-task-definition.tf b/rds-infrastructure-s3-backups-task-definition.tf index d753efb..9de6eac 100644 --- a/rds-infrastructure-s3-backups-task-definition.tf +++ b/rds-infrastructure-s3-backups-task-definition.tf @@ -168,6 +168,7 @@ resource "aws_ecs_task_definition" "infrastructure_rds_s3_backups_scheduled_task linux_parameters = jsonencode({ initProcessEnabled = false }) + security_options = jsonencode([]) syslog_address = "" syslog_tag = "" cloudwatch_log_group = aws_cloudwatch_log_group.infrastructure_rds_s3_backups[each.key].name diff --git a/variables.tf b/variables.tf index 0411856..86a9318 100644 --- a/variables.tf +++ b/variables.tf @@ -18,6 +18,22 @@ variable "aws_region" { type = string } +variable "infrastructure_datadog_api_key" { + description = "Datadog API key" + type = string + sensitive = true +} + +variable "infrastructure_datadog_region" { + description = "Datadog region" + type = string +} + +variable "enable_infrastructure_ecs_cluster_datadog_agent" { + description = "Conditionally launch Datadog agent containers on the ECS cluster" + type = bool +} + variable "infrastructure_dockerhub_email" { description = "Dockerhub email" type = string diff --git a/versions.tf b/versions.tf index ce4c516..8aacf06 100644 --- a/versions.tf +++ b/versions.tf @@ -9,6 +9,10 @@ terraform { source = "hashicorp/archive" version = ">= 2.4.1" } + datadog = { + source = "DataDog/datadog" + version = ">= 3.46.0" + } external = { source = "hashicorp/external" version = ">= 2.3.2"