From 4559eb17f6862ffd2b8c2ed7f685e61e1064f04d Mon Sep 17 00:00:00 2001
From: Georgi
Date: Fri, 5 Apr 2024 18:27:21 +0200
Subject: [PATCH] Update function's Cloud Formation template to allow using an existing S3 bucket (#766)
---
 aws/logs_monitoring/template.yaml | 73 ++++++++++++++++++++++---------
 1 file changed, 52 insertions(+), 21 deletions(-)
diff --git a/aws/logs_monitoring/template.yaml b/aws/logs_monitoring/template.yaml
index d349dd7c..f664fb9c 100644
--- a/aws/logs_monitoring/template.yaml
+++ b/aws/logs_monitoring/template.yaml
@@ -229,6 +229,10 @@ Parameters: Type: String Default: "" Description: The name of the forwarder bucket to create. If not provided, AWS will generate a unique name. + DdForwarderExistingBucketName: + Type: String + Default: "" + Description: The name of an existing s3 bucket to use. If not provided, a new bucket will be created. Conditions: IsAWSChina: Fn::Equals:
@@ -335,14 +339,18 @@ Conditions: Fn::Equals: - Ref: DdFetchStepFunctionsTags - true - CreateS3BucketForTags: - Fn::Or: + CreateS3Bucket: + Fn::And: + - Fn::Or: + - Fn::Equals: + - Ref: DdFetchLogGroupTags + - true + - Fn::Equals: + - Ref: DdFetchLambdaTags + - true - Fn::Equals: - - Ref: DdFetchLogGroupTags - - true - - Fn::Equals: - - Ref: DdFetchLambdaTags - - true + - Ref: DdForwarderExistingBucketName + - "" SetDdUsePrivateLink: Fn::Equals: - Ref: DdUsePrivateLink
@@ -466,7 +474,11 @@ Resources: Code: Fn::If: - UseZipCopier - - S3Bucket: !Ref ForwarderBucket + - S3Bucket: + Fn::If: + - CreateS3Bucket + - Ref: ForwarderBucket + - Ref: DdForwarderExistingBucketName S3Key: Fn::Sub: - "aws-dd-forwarder-${DdForwarderVersion}.zip"
@@ -494,9 +506,9 @@ Resources: - Ref: DdApiKeySecretArn DD_S3_BUCKET_NAME: Fn::If: - - CreateS3BucketForTags + - CreateS3Bucket - Ref: ForwarderBucket - - Ref: AWS::NoValue + - Ref: DdForwarderExistingBucketName DD_SITE: Ref: DdSite DD_TAGS: 
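Review bot: `DdForwarderExistingBucketName` has no `AllowedPattern`, and its value is interpolated straight into the IAM `Fn::Sub` ARNs at @@ -687 and @@ -981, so a typo surfaces only at deploy time and a wildcard such as `*` would silently widen the forwarder's policy to every bucket in the account; restricting the pattern to valid bucket-name characters (lowercase letters, digits, dots and hyphens) closes both. The `Description` should also state what the template does not do for an existing bucket: `ForwarderBucketPolicy` and the `ForwarderBucket` resource that apparently holds the `RestrictPublicBuckets: true` block both gain `Condition: CreateS3Bucket` (@@ -817, @@ -834), so neither is applied to it, and `DdForwarderBucketName` is ignored whenever it is set. For example: `Description: The name of an existing S3 bucket to use instead of creating one. The Forwarder is granted object write/delete and list access on it; the bucket policy and public access block applied to a created bucket are not applied to it, so those remain the bucket owner's responsibility. When set, DdForwarderBucketName is ignored.`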
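Review bot: `CreateS3Bucket` evaluates to false when both tag flags are false even though `DdForwarderExistingBucketName` is also empty, and because `ForwarderBucket` now carries `Condition: CreateS3Bucket` (@@ -817) that configuration ends up with no bucket at all, where before this change the bucket was created unconditionally. In that state every new else-branch resolves to `""`: `Code.S3Bucket` under `UseZipCopier` (@@ -466), `DestZipsBucket` (@@ -855), the `ForwarderBucketName` output (@@ -1022) and `DD_S3_BUCKET_NAME` (@@ -494), which previously fell back to `AWS::NoValue`. Unless `UseZipCopier` (defined outside these hunks) already implies one of the tag flags, the stack then fails at the Lambda resource. I would create the bucket whenever no existing name is supplied and keep the removed `Fn::Or` of the two tag flags as its own condition that gates `DD_S3_BUCKET_NAME` with `AWS::NoValue`, as sketched below; the `Conditions` block continues outside the hunk.
```yaml
  CreateS3Bucket:
    Fn::Equals:
      - Ref: DdForwarderExistingBucketName
      - ""
  UseS3BucketForTags:   # constructed name: the Fn::Or of the two tag flags this hunk removes
    Fn::Or:
      - Fn::Equals:
          - Ref: DdFetchLogGroupTags
          - true
      - Fn::Equals:
          - Ref: DdFetchLambdaTags
          - true
  # … unchanged: remaining conditions …

          # in the function's Environment (hunk @@ -494)
          DD_S3_BUCKET_NAME:
            Fn::If:
              - UseS3BucketForTags
              - Fn::If:
                  - CreateS3Bucket
                  - Ref: ForwarderBucket
                  - Ref: DdForwarderExistingBucketName
              - Ref: AWS::NoValue
```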
@@ -687,10 +699,13 @@ Resources: - s3:DeleteObject - s3:ListBucket Resource: - - Fn::Join: - - "/" - - - Fn::GetAtt: ForwarderBucket.Arn - - "*" + - Fn::If: + - CreateS3Bucket + - Fn::Join: + - "/" + - - Fn::GetAtt: ForwarderBucket.Arn + - "*" + - Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}/*" Effect: Allow # Get the actual log content from the s3 bucket based on the received s3 event. # Use PermissionsBoundaryArn to limit (allow/deny) access if needed.
@@ -817,6 +832,7 @@ Resources: # A s3 bucket used by the Forwarder as a datastore ForwarderBucket: Type: AWS::S3::Bucket + Condition: CreateS3Bucket Properties: BucketName: Fn::If:
@@ -834,6 +850,7 @@ Resources: RestrictPublicBuckets: true ForwarderBucketPolicy: Type: "AWS::S3::BucketPolicy" + Condition: CreateS3Bucket Properties: Bucket: !Ref ForwarderBucket PolicyDocument:
@@ -855,7 +872,11 @@ Resources: Condition: UseZipCopier Properties: ServiceToken: !GetAtt "ForwarderZipCopier.Arn" - DestZipsBucket: !Ref "ForwarderBucket" + DestZipsBucket: + Fn::If: + - CreateS3Bucket + - Ref: ForwarderBucket + - Ref: DdForwarderExistingBucketName SourceZipUrl: Fn::If: - SetSourceZipUrl
@@ -981,15 +1002,21 @@ Resources: - s3:PutObject - s3:DeleteObject Resource: - - Fn::Join: - - "/" - - - Fn::GetAtt: "ForwarderBucket.Arn" - - "*" + - Fn::If: + - CreateS3Bucket + - Fn::Join: + - "/" + - - Fn::GetAtt: "ForwarderBucket.Arn" + - "*" + - Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}/*" - Effect: Allow Action: - s3:ListBucket Resource: - - Fn::GetAtt: "ForwarderBucket.Arn" + - Fn::If: + - CreateS3Bucket + - Fn::GetAtt: "ForwarderBucket.Arn" + - Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}" - !If - SetS3SourceZip - Effect: Allow 
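Review bot: The existing-bucket branch hardcodes the `aws` partition in `Fn::Sub: "arn:aws:s3:::${DdForwarderExistingBucketName}/*"`, whereas the created-bucket branch takes its ARN from `Fn::GetAtt ForwarderBucket.Arn` and the template already carries an `IsAWSChina` condition, so in the China partition (or any other non-`aws` partition) this statement names a resource that cannot exist and the forwarder gets no access to the bucket. Use the partition pseudo parameter instead: `Fn::Sub: "arn:${AWS::Partition}:s3:::${DdForwarderExistingBucketName}/*"`; the same applies to both `Fn::Sub` lines in the hunk at @@ -981 (the object ARN and the bare bucket ARN under `s3:ListBucket`). Separately, `s3:ListBucket` in this statement is a bucket-level action that an object-level `/*` resource does not match in either branch — pre-existing, but the second policy at @@ -981 already shows the right shape with the bucket ARN. The enclosing policy statement starts outside the hunk.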
@@ -1022,7 +1049,10 @@ Outputs: ForwarderBucketName: Description: Name of the S3 bucket used by the Forwarder Value: - Ref: ForwarderBucket + Fn::If: + - CreateS3Bucket + - Ref: ForwarderBucket + - Ref: DdForwarderExistingBucketName Export: Name: Fn::Sub: ${AWS::StackName}-ForwarderBucketName
@@ -1089,6 +1119,7 @@ Metadata: - DdApiUrl - DdTraceIntakeUrl - AdditionalTargetLambdaArns + - DdForwarderExistingBucketName - DdForwarderBucketName ParameterLabels: DdApiKey: