feat: attach extra iam policies (#37)

> adds datadog-core-attach-extras, a simple feature to just allow extra policies to be attached to the core integration role. we've been using this for like over 6 months in a fork with the datadog s3 log archive functionality, which uses the same role as the core integration & requires some extra s3 permissions. > i'm not personally aware of other similarish cases where the core role would need some extra permissions, but if there are any then this can be used for those too
scribd · Aug 25, 2021 · 8411cad · 8411cad
1 parent dcd8521
commit 8411cad
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 5 deletions.
diff --git a/logs_monitoring.tf b/logs_monitoring.tf
@@ -1,4 +1,4 @@
-resource aws_cloudformation_stack "datadog-forwarder" {
+resource "aws_cloudformation_stack" "datadog-forwarder" {
   name         = "${local.stack_prefix}datadog-forwarder"
   capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
   parameters = {
@@ -18,13 +18,13 @@ resource aws_cloudformation_stack "datadog-forwarder" {
   }
 }
 
-resource aws_secretsmanager_secret "datadog_api_key" {
+resource "aws_secretsmanager_secret" "datadog_api_key" {
   name_prefix = "${local.stack_prefix}datadog-api-key"
   description = "Datadog API Key"
   tags        = local.default_tags
 }
 
-resource aws_secretsmanager_secret_version "datadog_api_key" {
+resource "aws_secretsmanager_secret_version" "datadog_api_key" {
   secret_id     = aws_secretsmanager_secret.datadog_api_key.id
   secret_string = var.datadog_api_key
 }
diff --git a/logs_monitoring_cloudwatch_log.tf b/logs_monitoring_cloudwatch_log.tf
@@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter
   distribution    = "Random"
 }
 
-resource aws_lambda_permission "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
+resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
   count         = length(var.cloudwatch_log_groups)
   statement_id  = "${replace(var.cloudwatch_log_groups[count.index], "/", "_")}-AllowExecutionFromCloudWatchLogs"
   action        = "lambda:InvokeFunction"

diff --git a/main.tf b/main.tf
@@ -141,3 +141,9 @@ resource "aws_iam_role_policy_attachment" "datadog-core-attach" {
   role       = aws_iam_role.datadog-integration[0].name
   policy_arn = aws_iam_policy.datadog-core[0].arn
 }
+
+resource "aws_iam_role_policy_attachment" "datadog-core-attach-extras" {
+  for_each   = toset(var.extra_policy_arns)
+  role       = aws_iam_role.datadog-integration[0].name
+  policy_arn = each.value
+}
diff --git a/vars.tf b/vars.tf
@@ -49,7 +49,7 @@ variable "env" {
 }
 variable "account_specific_namespace_rules" {
   description = "account_specific_namespace_rules argument for datadog_integration_aws resource"
-  type        = map
+  type        = map(any)
   default     = {}
 }
 variable "elb_logs_bucket_prefix" {
@@ -86,3 +86,9 @@ variable "filter_tags" {
   type        = list(string)
   default     = []
 }
+
+variable "extra_policy_arns" {
+  description = "Extra policy arns to attach to the datadog-integration-role"
+  type        = list(string)
+  default     = []
+}