fix: Vendor all archives and update versions to latest

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.1
+    rev: v1.88.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
@@ -23,7 +23,7 @@ repos:
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

README.md

@@ -164,7 +164,7 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | <a name="input_log_forwarder_timeout"></a> [log\_forwarder\_timeout](#input\_log\_forwarder\_timeout) | The amount of time the log forwarder lambda has to execute in seconds | `number` | `120` | no |
 | <a name="input_log_forwarder_use_policy_name_prefix"></a> [log\_forwarder\_use\_policy\_name\_prefix](#input\_log\_forwarder\_use\_policy\_name\_prefix) | Whether to use unique name beginning with the specified `policy_name` for the log forwarder policy | `bool` | `false` | no |
 | <a name="input_log_forwarder_use_role_name_prefix"></a> [log\_forwarder\_use\_role\_name\_prefix](#input\_log\_forwarder\_use\_role\_name\_prefix) | Whether to use unique name beginning with the specified `role_name` for the log forwarder role | `bool` | `false` | no |
-| <a name="input_log_forwarder_version"></a> [log\_forwarder\_version](#input\_log\_forwarder\_version) | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.73.0"` | no |
+| <a name="input_log_forwarder_version"></a> [log\_forwarder\_version](#input\_log\_forwarder\_version) | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.103.0"` | no |
 | <a name="input_log_forwarder_vpce_policy"></a> [log\_forwarder\_vpce\_policy](#input\_log\_forwarder\_vpce\_policy) | Policy to attach to the log forwarder endpoint that controls access to the service. Defaults to full access | `any` | `null` | no |
 | <a name="input_log_forwarder_vpce_security_group_ids"></a> [log\_forwarder\_vpce\_security\_group\_ids](#input\_log\_forwarder\_vpce\_security\_group\_ids) | IDs of security groups to attach to log forwarder endpoint | `list(string)` | `[]` | no |
 | <a name="input_log_forwarder_vpce_subnet_ids"></a> [log\_forwarder\_vpce\_subnet\_ids](#input\_log\_forwarder\_vpce\_subnet\_ids) | IDs of subnets to associate with log forwarder endpoint | `list(string)` | `[]` | no |
@@ -204,7 +204,7 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | <a name="input_rds_em_forwarder_timeout"></a> [rds\_em\_forwarder\_timeout](#input\_rds\_em\_forwarder\_timeout) | The amount of time the RDS enhanced monitoring forwarder lambda has to execute in seconds | `number` | `10` | no |
 | <a name="input_rds_em_forwarder_use_policy_name_prefix"></a> [rds\_em\_forwarder\_use\_policy\_name\_prefix](#input\_rds\_em\_forwarder\_use\_policy\_name\_prefix) | Whether to use unique name beginning with the specified `rds_em_forwarder_policy_name` for the RDS enhanced monitoring forwarder role | `bool` | `false` | no |
 | <a name="input_rds_em_forwarder_use_role_name_prefix"></a> [rds\_em\_forwarder\_use\_role\_name\_prefix](#input\_rds\_em\_forwarder\_use\_role\_name\_prefix) | Whether to use unique name beginning with the specified `rds_em_forwarder_role_name` for the RDS enhanced monitoring forwarder role | `bool` | `false` | no |
-| <a name="input_rds_em_forwarder_version"></a> [rds\_em\_forwarder\_version](#input\_rds\_em\_forwarder\_version) | RDS enhanced monitoring lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.73.0"` | no |
+| <a name="input_rds_em_forwarder_version"></a> [rds\_em\_forwarder\_version](#input\_rds\_em\_forwarder\_version) | RDS enhanced monitoring lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.103.0"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to use on all resources | `map(string)` | `{}` | no |
 | <a name="input_traces_vpce_policy"></a> [traces\_vpce\_policy](#input\_traces\_vpce\_policy) | Policy to attach to the traces endpoint that controls access to the service. Defaults to full access | `any` | `null` | no |
 | <a name="input_traces_vpce_security_group_ids"></a> [traces\_vpce\_security\_group\_ids](#input\_traces\_vpce\_security\_group\_ids) | IDs of security groups to attach to traces endpoint | `list(string)` | `[]` | no |
@@ -239,7 +239,7 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | <a name="input_vpc_fl_forwarder_timeout"></a> [vpc\_fl\_forwarder\_timeout](#input\_vpc\_fl\_forwarder\_timeout) | The amount of time the VPC flow log forwarder lambda has to execute in seconds | `number` | `10` | no |
 | <a name="input_vpc_fl_forwarder_use_policy_name_prefix"></a> [vpc\_fl\_forwarder\_use\_policy\_name\_prefix](#input\_vpc\_fl\_forwarder\_use\_policy\_name\_prefix) | Whether to use unique name beginning with the specified `vpc_fl_forwarder_policy_name` for the VPC flow log forwarder role | `bool` | `false` | no |
 | <a name="input_vpc_fl_forwarder_use_role_name_prefix"></a> [vpc\_fl\_forwarder\_use\_role\_name\_prefix](#input\_vpc\_fl\_forwarder\_use\_role\_name\_prefix) | Whether to use unique name beginning with the specified `vpc_fl_forwarder_role_name` for the VPC flow log forwarder role | `bool` | `false` | no |
-| <a name="input_vpc_fl_forwarder_version"></a> [vpc\_fl\_forwarder\_version](#input\_vpc\_fl\_forwarder\_version) | VPC flow log lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.73.0"` | no |
+| <a name="input_vpc_fl_forwarder_version"></a> [vpc\_fl\_forwarder\_version](#input\_vpc\_fl\_forwarder\_version) | VPC flow log lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.103.0"` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of VPC to provision endpoints within | `string` | `null` | no |
 
 ## Outputs

examples/complete/README.md

@@ -41,9 +41,9 @@ Note that this example may create resources which will incur monetary charges on
 | <a name="module_default"></a> [default](#module\_default) | ../../ | n/a |
 | <a name="module_log_bucket_1"></a> [log\_bucket\_1](#module\_log\_bucket\_1) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
 | <a name="module_log_bucket_2"></a> [log\_bucket\_2](#module\_log\_bucket\_2) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
-| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
-| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 3.0 |
+| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 5.0 |
 
 ## Resources
 
@@ -53,6 +53,7 @@ Note that this example may create resources which will incur monetary charges on
 | [aws_kms_alias.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.datadog_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

examples/complete/main.tf

@@ -2,14 +2,20 @@ provider "aws" {
   region = local.region
 }
 
+data "aws_caller_identity" "current" {}
+data "aws_availability_zones" "available" {}
+
 locals {
   region = "us-east-1"
-  name   = "datadog-fwd-ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "datadog-fwd-ex-${basename(path.cwd)}"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
 
   tags = {
-    Name       = local.name
     Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-datadog-forwarders"
+    GithubRepo = "terraform-aws-datadog-forwarders"
+    GithubOrg  = "terraform-aws-modules"
   }
 }
 
@@ -19,61 +25,10 @@ data "aws_secretsmanager_secret" "datadog_api_key" {
   name = "datadog/api_key"
 }
 
-data "aws_caller_identity" "current" {}
-
 ################################################################################
 # Module
 ################################################################################
 
-data "aws_iam_policy_document" "custom" {
-  statement {
-    sid = "AnyResourceAccess"
-    actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "tag:GetResources",
-      "logs:PutLogEvents",
-      "ec2:CreateNetworkInterface",
-      "ec2:DescribeNetworkInterfaces",
-      "ec2:DeleteNetworkInterface"
-    ]
-    resources = ["*"]
-  }
-
-  statement {
-    sid = "DatadogBucketFullAccess"
-    actions = [
-      "s3:GetObject",
-      "s3:PutObject",
-      "s3:DeleteObject",
-      "s3:ListBucket",
-    ]
-    resources = [
-      module.log_bucket_1.s3_bucket_arn,
-      "${module.log_bucket_1.s3_bucket_arn}/*"
-    ]
-  }
-
-  statement {
-    sid = "GetApiKeySecret"
-    actions = [
-      "secretsmanager:GetSecretValue",
-    ]
-    resources = [
-      data.aws_secretsmanager_secret.datadog_api_key.arn
-    ]
-  }
-}
-
-resource "aws_iam_policy" "custom" {
-  name        = "custom-datadog-log-forwarder"
-  path        = "/"
-  description = "Lambda function to push logs, metrics, and traces to Datadog"
-  policy      = data.aws_iam_policy_document.custom.json
-
-  tags = local.tags
-}
-
 module "default" {
   source = "../../"
 
@@ -200,6 +155,55 @@ module "default" {
 # Supporting Resources
 ################################################################################
 
+data "aws_iam_policy_document" "custom" {
+  statement {
+    sid = "AnyResourceAccess"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "tag:GetResources",
+      "logs:PutLogEvents",
+      "ec2:CreateNetworkInterface",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "DatadogBucketFullAccess"
+    actions = [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      module.log_bucket_1.s3_bucket_arn,
+      "${module.log_bucket_1.s3_bucket_arn}/*"
+    ]
+  }
+
+  statement {
+    sid = "GetApiKeySecret"
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+    resources = [
+      data.aws_secretsmanager_secret.datadog_api_key.arn
+    ]
+  }
+}
+
+resource "aws_iam_policy" "custom" {
+  name        = "custom-datadog-log-forwarder"
+  path        = "/"
+  description = "Lambda function to push logs, metrics, and traces to Datadog"
+  policy      = data.aws_iam_policy_document.custom.json
+
+  tags = local.tags
+}
+
 resource "random_pet" "this" {
   length = 2
 }
@@ -233,40 +237,23 @@ resource "aws_kms_alias" "datadog" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = "~> 5.0"
 
   name = local.name
-  cidr = "10.0.0.0/16"
-
-  azs             = ["us-east-1a", "us-east-1c", "us-east-1d"]
-  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+  cidr = local.vpc_cidr
 
-  enable_nat_gateway      = false # not required, using private VPC endpoint
-  single_nat_gateway      = true
-  map_public_ip_on_launch = false
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
 
-  manage_default_security_group  = true
-  default_security_group_ingress = []
-  default_security_group_egress  = []
-
-  enable_flow_log                      = true
-  flow_log_destination_type            = "cloud-watch-logs"
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
-
-  # Required for VPC Endpoints
-  enable_dns_hostnames = true
-  enable_dns_support   = true
+  enable_nat_gateway = false
 
   tags = local.tags
 }
 
 module "vpc_endpoints" {
   source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
-  version = "~> 3.0"
+  version = "~> 5.0"
 
   vpc_id             = module.vpc.vpc_id
   security_group_ids = [module.security_group.security_group_id]
@@ -287,7 +274,7 @@ module "vpc_endpoints" {
 
 module "security_group" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"
 
   name        = local.name
   description = "Example security group"

examples/simple/main.tf

@@ -2,14 +2,16 @@ provider "aws" {
   region = local.region
 }
 
+data "aws_caller_identity" "current" {}
+
 locals {
   region = "us-east-1"
-  name   = "datadog-fwd-ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "datadog-fwd-ex-${basename(path.cwd)}"
 
   tags = {
-    Name       = local.name
     Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-datadog-forwarders"
+    GithubRepo = "terraform-aws-datadog-forwarders"
+    GithubOrg  = "terraform-aws-modules"
   }
 }
 
@@ -19,8 +21,6 @@ data "aws_secretsmanager_secret" "datadog_api_key" {
   name = "datadog/api_key"
 }
 
-data "aws_caller_identity" "current" {}
-
 ################################################################################
 # Module
 ################################################################################

modules/log_forwarder/README.md

@@ -92,7 +92,7 @@ module "datadog_log_forwarder" {
 | <a name="input_dd_api_key_secret_arn"></a> [dd\_api\_key\_secret\_arn](#input\_dd\_api\_key\_secret\_arn) | The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager | `string` | `""` | no |
 | <a name="input_dd_site"></a> [dd\_site](#input\_dd\_site) | Define your Datadog Site to send data to. For the Datadog EU site, set to datadoghq.eu | `string` | `"datadoghq.com"` | no |
 | <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | A map of environment variables for the forwarder lambda function | `map(string)` | `{}` | no |
-| <a name="input_forwarder_version"></a> [forwarder\_version](#input\_forwarder\_version) | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.73.0"` | no |
+| <a name="input_forwarder_version"></a> [forwarder\_version](#input\_forwarder\_version) | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.103.0"` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_lambda_tags"></a> [lambda\_tags](#input\_lambda\_tags) | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |
 | <a name="input_layers"></a> [layers](#input\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to the forwarder lambda | `list(string)` | `[]` | no |

modules/rds_enhanced_monitoring_forwarder/README.md

@@ -68,7 +68,7 @@ No modules.
 | <a name="input_dd_api_key_secret_arn"></a> [dd\_api\_key\_secret\_arn](#input\_dd\_api\_key\_secret\_arn) | The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager | `string` | `""` | no |
 | <a name="input_dd_site"></a> [dd\_site](#input\_dd\_site) | Define your Datadog Site to send data to. For the Datadog EU site, set to datadoghq.eu | `string` | `"datadoghq.com"` | no |
 | <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | A map of environment variables for the forwarder lambda function | `map(string)` | `{}` | no |
-| <a name="input_forwarder_version"></a> [forwarder\_version](#input\_forwarder\_version) | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.73.0"` | no |
+| <a name="input_forwarder_version"></a> [forwarder\_version](#input\_forwarder\_version) | Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.103.0"` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_lambda_tags"></a> [lambda\_tags](#input\_lambda\_tags) | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |
 | <a name="input_layers"></a> [layers](#input\_layers) | List of Lambda Layer Version ARNs (maximum of 5) to attach to the forwarder lambda | `list(string)` | `[]` | no |

modules/rds_enhanced_monitoring_forwarder/variables.tf

@@ -112,7 +112,7 @@ variable "policy_path" {
 variable "forwarder_version" {
   description = "Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases"
   type        = string
-  default     = "3.73.0"
+  default     = "3.103.0"
 }
 
 variable "name" {

modules/vpc_flow_log_forwarder/README.md

@@ -72,7 +72,7 @@ No modules.
 | <a name="input_dd_app_key"></a> [dd\_app\_key](#input\_dd\_app\_key) | The Datadog application key associated with the user account that created it, which can be found from the APIs page | `string` | `""` | no |
 | <a name="input_dd_site"></a> [dd\_site](#input\_dd\_site) | Define your Datadog Site to send data to. For the Datadog EU site, set to datadoghq.eu | `string` | `"datadoghq.com"` | no |
 | <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | A map of environment variables for the forwarder lambda function | `map(string)` | `{}` | no |
-| <a name="input_forwarder_version"></a> [forwarder\_version](#input\_forwarder\_version) | VPC flow log monitoring version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.73.0"` | no |
+| <a name="input_forwarder_version"></a> [forwarder\_version](#input\_forwarder\_version) | VPC flow log monitoring version - see https://github.com/DataDog/datadog-serverless-functions/releases | `string` | `"3.103.0"` | no |
 | <a name="input_kms_alias"></a> [kms\_alias](#input\_kms\_alias) | Alias of KMS key used to encrypt the Datadog API keys - must start with `alias/` | `string` | n/a | yes |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key | `string` | `null` | no |
 | <a name="input_lambda_tags"></a> [lambda\_tags](#input\_lambda\_tags) | A map of tags to apply to the forwarder lambda function | `map(string)` | `{}` | no |