Releases: cloudposse/terraform-aws-datadog-integration

v1.3.0

07 Nov 17:32
65bbd7a
Add missing action to iam policy all @mfuhrmeisterDM (#53)

what

Add the following actions to iam policy all:

  • ec2:GetTransitGatewayPrefixListReferences
  • ec2:SearchTransitGatewayRoutes

why

We see error messages in datadog that this is not allowed for datadog-integration.

Sync github @max-lobur (#50)

Rebuild github dir from the template

v1.2.0

17 May 09:19
7115183
  • No changes

v1.1.0

08 Feb 22:59
7115183
Updates to iam policy for iam kms s3 and sns @arcaven (#48)

why

  • DatadogAWSIntegration is making calls it is not authorized to perform
  • error rate in CloudTrail has increased
  • full value of paid Datadog service cannot be realized for those using AWS Integration
  • Issue #47

what

  • adds undocumented permissions used by DatadogAWSIntegration

references

v1.0.0

02 Nov 16:56
bf84d52
Update IAM Policy with latest allow all @Benbentwo (#46)

what

  • Updates iam_policy_all.tf to use the latest datadog IAM Policy

why

  • Latest Update

references

require datadog provider >= 3.9 @bendrucker (#43)

What

  • Requires version 3.9.0 or greater of the Datadog provider

Why

  • #42 implicitly requires this by setting attributes that were only introduced in 3.9.0. This explicitly sets that requirement earlier on, causing configurations using older versions to fail at terraform init rather than encounter "unexpected attribute" errors at runtime.

References

  • #42 added the new attributes

v0.18.0

15 Aug 17:21
85444c0
Grant IAM permission required by S3 Integration @goruha (#44)

what

  • Added IAM permission s3:GetAccountPublicAccessBlock

why

  • Required by datadog s3 integration

git.io->cloudposse.tools update @dylanbannon (#41)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

v0.17.0

29 Jun 19:43
5d79e77
Add `*_collection_enabled` attributes @bendrucker (#42)

What

  • The Datadog AWS integration supports toggling metrics, resource, and CSPM (Cloud Security Posture Management) collection for each account. This enables setting those attributes.
  • When CSPM collection is enabled, this automatically attaches the required SecurityAudit policy to the role.

Why

  • Allows CSPM to be declaratively enabled for AWS accounts.
  • Allows metrics to be disabled for accounts.
  • Retains backward compatibility by preserving var.security_audit_policy_enabled. In a breaking release, this could be removed in favor of just var.cspm_resource_collection_enabled.

References

v0.16.1

25 Nov 17:40
373b971

🚀 Enhancements

Tags and providers @nitrocode (#40)

what

  • Add tags
  • Bump providers

why

  • Tag everything
  • Use up to date providers to take advantage of bug fixes

references

N/A

v0.16.0

16 Oct 21:20
5f5c4e1
Update Datadog policies. Allow attaching `SecurityAudit` policy to the Datadog IAM role @aknysh (#38)

what

  • Update Datadog policies
  • Allow attaching SecurityAudit policy to the Datadog IAM role

why

  • Datadog has updated the required permissions for the "All" and "Core" IAM policy configurations - keep up to date
  • Attaching the SecurityAudit policy allows Datadog to collect information about how AWS resources are configured (used in Datadog Cloud Security Posture Management to read security configuration metadata)
  • Datadog Cloud Security Posture Management (CSPM) makes it easier to assess and visualize the current and historic security posture of cloud environments, automate audit evidence collection, and catch misconfigurations that leave your organization vulnerable to attacks
  • Cloud Security Posture Management (CSPM) can be accessed at https://app.datadoghq.com/security/compliance/home

notes

  • The process to enable Datadog Cloud Security Posture Management (CSPM) consists of two steps (one automated, the other manual):

    • Enable SecurityAudit policy and provision it with terraform
    • In Datadog UI, perform the following manual steps:
      • Go to the Datadog AWS integration tile
      • Click on the AWS account where you wish to enable resource collection
      • Go to the Resource collection section for that account and check the box "Route resource data to the Cloud Security Posture Management product"
      • At the bottom left of the tile, click Update Configuration


references

v0.15.0

08 Oct 01:05
b55f18b
Remove unused variables @bendrucker (#37)

What

Removes unused variables that make it easy for a user to fail to correctly pass API keys to https://github.com/cloudposse/terraform-aws-datadog-lambda-forwarder when switching from v0.13 of this module.

Why

References

  • This was missed in #31

v0.14.3

31 Aug 23:03
c70209d

🚀 Enhancements

Partition @nitrocode (#35)

what

  • Add partition instead of hard coding aws

why

  • Allows govcloud

references

N/A