# Region the stack is applied in; feeds awslogs-region for both sidecar log configurations.
data "aws_region" "current" {}

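locals {
  # var.env with underscores stripped so it can be embedded in S3 bucket names.
  env_compact = replace(var.env, "_", "")
  # Destination bucket for shipped logs; the WriteLogsToS3 statement below is scoped to it.
  bucket = "humand-logs-${local.env_compact}"

  # Datadog API key is read from SSM through ECS `secrets`, so the value never
  # appears in the rendered task definition. Defined once so the two sidecars
  # cannot drift apart.
  # NOTE(review): region is fixed to us-east-1 rather than data.aws_region.current,
  # presumably because the parameter is only provisioned there — confirm before
  # reusing this module in another region.
  dd_api_key_parameter_arn = "arn:aws:ssm:us-east-1:${var.aws_account}:parameter/common/datadog-api-key"

  # Environment for the datadog-agent container (rendered to name/value pairs below).
  dd_environment = {
    DD_APM_ENABLED = "true"
    # The agent does not accept configuration pushed from the Datadog backend.
    DD_REMOTE_CONFIG_ENABLED   = "false"
    DD_APM_REPLACE_TAGS        = ""
    DD_CLOUD_PROVIDER_METADATA = "aws"
    # Keep both sidecars out of container monitoring. The log-router image is
    # pulled as amazon/aws-for-fluent-bit, which the public.ecr.aws pattern alone
    # did not match, so that name is listed as well.
    DD_CONTAINER_EXCLUDE = "image:public.ecr.aws/aws-observability/aws-for-fluent-bit image:amazon/aws-for-fluent-bit image:public.ecr.aws/datadog/agent"
    # Accept DogStatsD from outside the agent's own loopback. 8125/udp is mapped
    # below, so reachability is bounded only by the task's security group.
    DD_DOGSTATSD_NON_LOCAL_TRAFFIC = "true"
    DD_DOGSTATSD_TAG_CARDINALITY   = "orchestrator"
    DD_HEALTH_PORT                 = "5555"
    # NOTE(review): debug is verbose and can echo payload details into CloudWatch;
    # consider "info" outside of troubleshooting.
    DD_LOG_LEVEL                      = "debug"
    DD_LOGS_CONFIG_USE_HTTP           = "true"
    DD_PROCESS_AGENT_CONTAINER_SOURCE = "ecs_fargate"
    DD_PROCESS_AGENT_ENABLED          = "true"
    DD_SITE                           = "us5.datadoghq.com"
    ECS_FARGATE                       = "true"
  }

  # [containerPort, hostPort, protocol]; on Fargate hostPort must equal containerPort.
  dd_port_mappings = [
    [5000, 5000, "tcp"],
    [5001, 5001, "tcp"],
    [5002, 5002, "tcp"],
    [5555, 5555, "tcp"], # DD_HEALTH_PORT
    [8125, 8125, "udp"], # DogStatsD
    [8126, 8126, "tcp"]  # APM trace intake
  ]

  # Log configuration for application containers: hand stdout/stderr to the
  # firelens sidecar (presumably attached by the calling module — confirm).
  log_configuration = {
    logDriver = "awsfirelens"
    options   = {}
  }

  # Fluent Bit sidecar acting as the firelens log router.
  log-router = {
    essential = true
    # NOTE(review): mutable tag pulled from Docker Hub. Pin to a release tag or a
    # digest (`@sha256:<digest-placeholder>`) so the image cannot change under a
    # deploy, and prefer the public.ecr.aws mirror to avoid Docker Hub pull limits.
    image = "amazon/aws-for-fluent-bit:init-latest"
    # Writable root filesystem — presumably required because the init entrypoint
    # writes the fetched config locally; confirm before tightening.
    readonlyRootFilesystem = false

    firelensConfiguration = {
      type = "fluentbit"
    }

    # Not an ECS container-definition key; presumably consumed by the module that
    # renders this map. The sidecar's own logs go to aws_cloudwatch_log_group.this.
    create_cloudwatch_log_group = false
    logConfiguration = {
      logDriver = "awslogs",
      options = {
        awslogs-region        = data.aws_region.current.name,
        awslogs-group         = aws_cloudwatch_log_group.this.name,
        awslogs-stream-prefix = "firelens"
      },
    }

    environment = [
      {
        # S3 ARN of extra.conf, pulled by the init entrypoint at startup; read access
        # is granted by the ReadFluentbitConfig statement.
        name  = "aws_fluent_bit_init_s3_1",
        value = "arn:aws:s3:::${aws_s3_object.fluentbit_config.bucket}/${aws_s3_object.fluentbit_config.key}"
      },
      {
        name  = "DD_SERVICE",
        value = var.service
      },
      {
        name  = "DD_SOURCE",
        value = var.dd_source
      },
      {
        name  = "ENV",
        value = var.env
      },
      {
        name  = "BUCKET",
        value = local.bucket
      }
    ]

    secrets = [
      {
        # Exposed as DD_APIKEY (no underscore) — presumably the name extra.conf
        # references; the agent container below uses DD_API_KEY.
        name      = "DD_APIKEY",
        valueFrom = local.dd_api_key_parameter_arn
      }
    ]

    # Fluent Bit's built-in HTTP health endpoint.
    healthCheck = {
      command = [
        "CMD-SHELL",
        "curl -s localhost:2020/api/v1/health | grep ok || exit 1"
      ],
      interval    = 30
      timeout     = 5
      retries     = 5
      startPeriod = 60
    }
  }

  # Datadog agent sidecar.
  datadog-agent = {
    essential = true,
    # NOTE(review): mutable `latest` tag; pin to a release tag or digest
    # (`@sha256:<digest-placeholder>`) so agent upgrades are deliberate.
    image                  = "public.ecr.aws/datadog/agent:latest"
    readonlyRootFilesystem = false

    portMappings = [
      for p in local.dd_port_mappings : {
        containerPort = p[0],
        hostPort      = p[1],
        protocol      = p[2]
      }
    ]

    environment = [
      for k, v in local.dd_environment : {
        name  = k,
        value = v
      }
    ]
    secrets = [{
      name      = "DD_API_KEY",
      valueFrom = local.dd_api_key_parameter_arn
      }
    ]

    create_cloudwatch_log_group = false
    logConfiguration = {
      logDriver = "awslogs",
      options = {
        awslogs-region        = data.aws_region.current.name,
        awslogs-group         = aws_cloudwatch_log_group.this.name,
        awslogs-stream-prefix = "datadog-agent"
      },
    }

    healthCheck = {
      command = [
        "CMD-SHELL",
        "agent health"
      ],
      interval    = 30,
      timeout     = 5,
      retries     = 5,
      startPeriod = 5
    }
  }
}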

# Uploads the extra Fluent Bit config that the log-router init container fetches
# via aws_fluent_bit_init_s3_1; logging_policy grants s3:GetObject on exactly this key.
resource "aws_s3_object" "fluentbit_config" {
  bucket = "humand-config-${local.env_compact}"
  key    = "${var.service}/fluentbit/extra.conf"
  source = "${path.module}/extra.conf"
  # Re-uploads when the local file changes. NOTE(review): etag only equals the
  # MD5 for unencrypted/SSE-S3 objects; if this bucket uses SSE-KMS, `source_hash`
  # is the attribute to use instead — confirm the bucket's encryption setting.
  etag   = filemd5("${path.module}/extra.conf")
}

# Log group for the sidecars' own stdout/stderr (awslogs driver). Short retention
# keeps the agent's debug-level output from accumulating. Uses CloudWatch default
# encryption; set kms_key_id here if a customer-managed key is required.
resource "aws_cloudwatch_log_group" "this" {
  name              = "/ecs/${var.service}/sidecar"
  retention_in_days = 7
}

# IAM policy document for the logging sidecars. Every statement omits `effect`,
# so each is an Allow. Scope is deliberately narrow: one config object to read,
# one bucket location lookup, one prefix to write.
# NOTE(review): the ssm:GetParameters (and kms:Decrypt, if the parameter is a
# SecureString under a CMK) needed to inject the DD API key is an execution-role
# permission and is not granted here — presumably managed elsewhere; confirm.
data "aws_iam_policy_document" "logging_policy" {
  # Read access to the single fluentbit config object uploaded above.
  statement {
    sid = "ReadFluentbitConfig"
    actions = [
      "s3:GetObject"
    ]
    resources = [
      "arn:aws:s3:::${aws_s3_object.fluentbit_config.bucket}/${aws_s3_object.fluentbit_config.key}"
    ]
  }

  # Bucket-level action, so the resource is the config bucket itself (no key suffix).
  statement {
    sid = "GetBucketLocation"
    actions = [
      "s3:GetBucketLocation"
    ]
    resources = [
      "arn:aws:s3:::${aws_s3_object.fluentbit_config.bucket}"
    ]
  }

  # Write-only access to the logs bucket, confined to this service's prefix;
  # no Get/List/Delete, so a compromised task cannot read or remove shipped logs.
  statement {
    sid = "WriteLogsToS3"
    actions = [
      "s3:PutObject"
    ]
    resources = [
      "arn:aws:s3:::${local.bucket}/ECS/*/${var.service}/*"
    ]
  }
}

# Managed policy rendered from the document above. It is only created here;
# attachment to the task role is presumably done by the caller — confirm.
resource "aws_iam_policy" "logging_policy" {
  name        = "${var.service}-logging-policy"
  description = "IAM policy for logging with read access to fluentbit config and write access to logs bucket"
  policy      = data.aws_iam_policy_document.logging_policy.json
}


