cloudposse / terraform-aws-datadog-lambda-forwarder

Terraform module to provision all the necessary infrastructure to deploy Datadog Lambda forwarders
https://cloudposse.com/accelerate
Apache License 2.0

Getting Malformed Policy #89

Open jappurohit041 opened 3 months ago

jappurohit041 commented 3 months ago

Describe the Bug

While creating the Lambda log forwarder, I receive a malformed policy document error.


Expected Behavior

It should not fail.

There is some code issue over here. Ideally it should be the role document: https://github.com/cloudposse/terraform-aws-datadog-lambda-forwarder/blob/373367a1338ac20706ef95c04a7ce173ebcc70e3/main.tf#L52C7-L52C30

Steps to Reproduce

Create the log forwarder with the following syntax:

```hcl
module "datadog_lambda_forwarder" {
  depends_on = [module.pipe]
  source     = "cloudposse/datadog-lambda-forwarder/aws"

  forwarder_log_enabled = true
  api_key_ssm_arn       = var.SSM_DATADOG_ARN
  enabled               = true

  cloudwatch_forwarder_log_groups = {
    pipe = {
      name           = module.pipe.aws_log_group_name
      filter_pattern = ""
    },
  }

  stage = var.ENVIRONMENT
}
```

Screenshots

No response

Environment

No response

Additional Context

No response

kylefuhrmanncalm commented 2 months ago

I think you're running into an issue I saw as well. You're using api_key_ssm_arn, which doesn't automatically set dd_api_key_resource, which is required for the lambda_default policy actions.

The policy's actions call local.dd_api_key_iam_actions, which does a lookup using local.dd_api_key_resource; otherwise it sets it to "", which isn't a valid action.

From the documentation, it seems like setting api_key_ssm_arn means you shouldn't need to set dd_api_key_source, but it seems it still needs it. After setting that, I was able to create the policy. However, I'm now running into an issue where my functions in other regions still aren't able to GetParameter on my API key ARN because of a Python client error: `[ERROR] ClientError: An error occurred (ValidationException) when calling the GetParameter operation: Incorrect region in: ARN_REMOVED_FOR_SECURITY`. I haven't figured that one out yet.

Edit: For better or worse, I ended up using the KMS setup so that I didn't have to create the secret in every region. Would still love to be able to figure out how to use api_key_ssm_arn without getting an error from the lambda function, but maybe that's on the datadog side.
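The two failure modes described in this thread (a policy statement whose Action list contains "" and an SSM parameter ARN whose region differs from the forwarder's) are both easy to catch before `terraform apply`. The following is an added example, not code from the module or from either commenter; the function names, the sample policy and the sample ARN (with a placeholder account id) are constructed for illustration.

```python
"""Pre-apply checks for the two errors reported in this thread (hypothetical helpers)."""
import json


def empty_action_statements(policy_json: str) -> list[int]:
    """Return indices of Statements whose Action contains a blank entry.

    AWS rejects such a document with MalformedPolicyDocument, which is the
    symptom when local.dd_api_key_iam_actions evaluates to "".
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single Statement object is legal JSON for IAM
        statements = [statements]
    bad = []
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a bare string instead of a list
            actions = [actions]
        if any(not action.strip() for action in actions):
            bad.append(idx)
    return bad


def ssm_arn_region(arn: str) -> str:
    """Region field of an SSM ARN: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[2] != "ssm":
        raise ValueError(f"not an SSM parameter ARN: {arn}")
    return parts[3]


def region_mismatch(arn: str, lambda_region: str) -> bool:
    """True when the forwarder runs in a different region than the parameter.

    GetParameter is regional, so the call fails with the ValidationException
    'Incorrect region in: <arn>' quoted in the comment above.
    """
    return ssm_arn_region(arn) != lambda_region


# Constructed sample policy reproducing the empty action from the comment.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"], "Resource": "*"},
        {"Effect": "Allow", "Action": [""], "Resource": "*"},
    ],
})
# Constructed sample ARN with a placeholder account id.
SAMPLE_ARN = "arn:aws:ssm:us-east-1:123456789012:parameter/datadog/api_key"
```

Run `empty_action_statements` over the rendered `aws_iam_policy_document` JSON from `terraform plan`, and `region_mismatch` against each region the forwarder is deployed to, before applying.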