AWS Datadog Forwarders Terraform module

January 8, 2026 · View on GitHub

Terraform module which creates resources to forward logs and metrics to Datadog on AWS.

The following resources are supported:

Please refer to the official Datadog datadog-serverless-functions for further information on the forwarder lambda functions, configuraion via environment variables, and integration with PrivateLink endpoints.

Security

There are several factors to keep in mind when working with and/or using this module that largely revolve around the decisions made based on security implications.

Based on the functionality provided by the Datadog team at datadog-serverless-functions, the recommended approach for providing your Datadog API key is through AWS Secrets Manager. The creation of this secret is not facilitated by this module and should be created manually (or through some other means where the secret is not passed as plain text into Terraform as input).
- Note: even though this is not the recommended approach, the pattern used in the past of providing the DD_API_KEY as an environment variable is still supported by the module. Users are able to provde any and all environment variables to the forwarders through inputs (i.e. - log_forwarder_environment_variables) to configure the forwarders as desired. See settings.py for more details on what environment variables are supported to configure the forwarders.
The use of a KMS key to encrypt/decrypt API and APP keys is required by the rds_enhanced_monitoring_forwarder and vpc_flow_log_forwarder modules/functions per the upstream source at datadog-serverless-functions. The creation of a KMS key has been left out of this module so that users are able to better manage their KMS CMK key (and therefore the policies and usage of said key) as they see fit without over-complicating this module.
The roles and their permissions created by this module have several built in conditional checks in order to provide permission sets that allow the desired functionality while following the recommended approach of least privelege access. Nearly all attributes for the IAM roles and their permissions are accessible via inputs - even allowing users to provide their own IAM roles and/or policies to meet their organizational requirements.

Vendored Artifacts

Due to Terraform not dealing with dynamically created files, especially in ephemeral environments like CI/CD pipelines, the decision was made to vendor the Lambda function artifacts within the VPC Flow Log and RDS Enhanced Monitoring modules to avoid issues. When the upstream artifacts are hosted as zipped archives available on GitHub, similar to the Log Forwarder, then this vendoring hack will be removed in favor of pulling directly from the project. Ref Issue #374

Usage

See examples directory for working examples to reference:

# Note: you will need to create this secret manually prior to running
# This avoids having to pass the key to Terraform in plaintext
data "aws_secretsmanager_secret" "datadog_api_key" {
  name = "datadog/api_key"
}

module "datadog_forwarders" {
  source  = "terraform-aws-modules/datadog-forwarders/aws"

  kms_alias             = "alias/datadog" # KMS key will need to be created outside of module
  dd_api_key_secret_arn = data.aws_secretsmanager_secret.datadog_api_key.arn

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

Name	Version
terraform	>= 1.5.7
aws	>= 6.28

Providers

Name	Version
aws	>= 6.28

Modules

Name	Source	Version
log_forwarder	./modules/log_forwarder	n/a
rds_enhanced_monitoring_forwarder	./modules/rds_enhanced_monitoring_forwarder	n/a
vpc_flow_log_forwarder	./modules/vpc_flow_log_forwarder	n/a

Resources

Name	Type
aws_vpc_endpoint.agent	resource
aws_vpc_endpoint.api	resource
aws_vpc_endpoint.log_forwarder	resource
aws_vpc_endpoint.metrics	resource
aws_vpc_endpoint.processes	resource
aws_vpc_endpoint.traces	resource

Inputs

Name	Description	Type	Default	Required
agent_vpce_policy	Policy to attach to the agent endpoint that controls access to the service. Defaults to full access	`any`	`null`	no
agent_vpce_security_group_ids	IDs of security groups to attach to agent endpoint	`list(string)`	`[]`	no
agent_vpce_subnet_ids	IDs of subnets to associate with agent endpoint	`list(string)`	`[]`	no
agent_vpce_tags	A map of tags to apply to the Datadog agent endpoint	`map(string)`	`{}`	no
api_vpce_policy	Policy to attach to the API endpoint that controls access to the service. Defaults to full access	`any`	`null`	no
api_vpce_security_group_ids	IDs of security groups to attach to API endpoint	`list(string)`	`[]`	no
api_vpce_subnet_ids	IDs of subnets to associate with API endpoint	`list(string)`	`[]`	no
api_vpce_tags	A map of tags to apply to the API endpoint	`map(string)`	`{}`	no
bucket_attach_deny_insecure_transport_policy	Controls if S3 bucket should have deny non-SSL transport policy attacheds	`bool`	`true`	no
bucket_encryption_settings	S3 bucket server side encryption settings	`map(string)`	{ "sse_algorithm": "AES256" }	no
bucket_name	Lambda artifact S3 bucket name	`string`	`""`	no
create_agent_vpce	Controls whether an agent endpoint should be created	`bool`	`false`	no
create_api_vpce	Controls whether a API endpoint should be created	`bool`	`false`	no
create_bucket	Controls whether an S3 artifact bucket should be created. this is used for the zip archive as well as caching tags	`bool`	`true`	no
create_log_forwarder	Controls whether log forwarder resources should be created	`bool`	`true`	no
create_log_forwarder_role	Controls whether an IAM role is created for the log forwarder	`bool`	`true`	no
create_log_forwarder_role_policy	Controls whether an IAM role policy is created for the log forwarder	`bool`	`true`	no
create_log_forwarder_vpce	Controls whether a log forwarder endpoint should be created	`bool`	`false`	no
create_metrics_vpce	Controls whether a metrics VPC endpoint should be created	`bool`	`false`	no
create_processes_vpce	Controls whether a processes endpoint should be created	`bool`	`false`	no
create_rds_em_forwarder	Controls whether RDS enhanced monitoring forwarder resources should be created	`bool`	`true`	no
create_rds_em_forwarder_role	Controls whether an IAM role is created for the RDS enhanced monitoring forwarder	`bool`	`true`	no
create_rds_em_forwarder_role_policy	Controls whether an IAM role policy is created for the RDS enhanced monitoring forwarder	`bool`	`true`	no
create_traces_vpce	Controls whether a traces endpoint should be created	`bool`	`false`	no
create_vpc_fl_forwarder	Controls whether VPC flow log forwarder resources should be created	`bool`	`true`	no
create_vpc_fl_forwarder_role	Controls whether an IAM role is created for the VPC flow log forwarder	`bool`	`true`	no
create_vpc_fl_forwarder_role_policy	Controls whether an IAM role policy is created for the VPC flow log forwarder	`bool`	`true`	no
dd_api_key	The Datadog API key, which can be found from the APIs page (/account/settings#api). It will be stored in AWS Secrets Manager securely. If DdApiKeySecretArn is also set, this value will not be used. This value must still be set, however	`string`	`""`	no
dd_api_key_secret_arn	The ARN of the Secrets Manager secret storing the Datadog API key, if you already have it stored in Secrets Manager. You still need to set a dummy value for `dd_api_key` to satisfy the requirement, though that value won't be used	`string`	`""`	no
dd_app_key	The Datadog application key associated with the user account that created it, which can be found from the APIs page	`string`	`""`	no
dd_site	Define your Datadog Site to send data to. For the Datadog EU site, set to datadoghq.eu	`string`	`"datadoghq.com"`	no
kms_alias	Alias of KMS key used to encrypt the Datadog API keys - must start with `alias/`	`string`	n/a	yes
log_forwarder_architectures	Instruction set architecture for your Lambda function. Valid values are `["x86_64"]` and `["arm64"]`. Default is `["arm64"]`	`list(string)`	[ "arm64" ]	no
log_forwarder_bucket_prefix	S3 object key prefix to prepend to zip archive name	`string`	`""`	no
log_forwarder_bucket_tags	A map of tags to apply to the log forwarder bucket	`map(any)`	`{}`	no
log_forwarder_environment_variables	A map of environment variables for the log forwarder lambda function	`map(string)`	`{}`	no
log_forwarder_kms_key_arn	KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key	`string`	`null`	no
log_forwarder_lambda_tags	A map of tags to apply to the log forwarder lambda function	`map(string)`	`{}`	no
log_forwarder_layers	List of Lambda Layer Version ARNs (maximum of 5) to attach to the log forwarder lambda	`list(string)`	`[]`	no
log_forwarder_log_kms_key_id	The AWS KMS Key ARN to use for CloudWatch log group encryption	`string`	`null`	no
log_forwarder_log_retention_days	Log forwarder CloudWatch log group retention in days	`number`	`7`	no
log_forwarder_memory_size	Memory size for the log forwarder lambda function	`number`	`1024`	no
log_forwarder_name	Log forwarder lambda name	`string`	`"datadog-log-forwarder"`	no
log_forwarder_policy_arn	IAM policy arn for log forwarder lambda function to utilize	`string`	`null`	no
log_forwarder_policy_name	Log forwarder policy name	`string`	`""`	no
log_forwarder_policy_path	Log forwarder policy path	`string`	`null`	no
log_forwarder_publish	Whether to publish creation/change as a new Lambda Function Version	`bool`	`false`	no
log_forwarder_reserved_concurrent_executions	The amount of reserved concurrent executions for the log forwarder lambda function	`number`	`100`	no
log_forwarder_role_arn	IAM role arn for log forwarder lambda function to utilize	`string`	`null`	no
log_forwarder_role_max_session_duration	The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours	`number`	`null`	no
log_forwarder_role_name	Log forwarder role name	`string`	`""`	no
log_forwarder_role_path	Log forwarder role path	`string`	`null`	no
log_forwarder_role_permissions_boundary	The ARN of the policy that is used to set the permissions boundary for the log forwarder role	`string`	`null`	no
log_forwarder_role_tags	A map of tags to apply to the log forwarder role	`map(string)`	`{}`	no
log_forwarder_runtime	Lambda function runtime	`string`	`"python3.12"`	no
log_forwarder_s3_log_bucket_arns	S3 log buckets for forwarder to read and forward logs to Datadog	`list(string)`	`[]`	no
log_forwarder_s3_zip_kms_key_id	The AWS KMS Key ARN to use for object encryption	`string`	`null`	no
log_forwarder_s3_zip_metadata	A map of keys/values to provision metadata (will be automatically prefixed by `x-amz-meta-`	`map(string)`	`{}`	no
log_forwarder_s3_zip_server_side_encryption	Server-side encryption of the zip object in S3. Valid values are `AES256` and `aws:kms`	`string`	`null`	no
log_forwarder_s3_zip_storage_class	Specifies the desired Storage Class for the zip object. Can be either `STANDARD`, `REDUCED_REDUNDANCY`, `ONEZONE_IA`, `INTELLIGENT_TIERING`, or `STANDARD_IA`	`string`	`null`	no
log_forwarder_s3_zip_tags	A map of tags to apply to the zip archive in S3	`map(string)`	`{}`	no
log_forwarder_s3_zip_tags_only	Set to true to not merge `var.tags` with `log_forwarder_s3_zip_tags`. Useful to avoid breaching S3 Object 10 tag limit	`bool`	`false`	no
log_forwarder_security_group_ids	List of security group ids when forwarder lambda function should run in the VPC	`list(string)`	`null`	no
log_forwarder_subnet_ids	List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets	`list(string)`	`null`	no
log_forwarder_tags	A map of tags to apply to the log forwarder resources	`map(string)`	`{}`	no
log_forwarder_timeout	The amount of time the log forwarder lambda has to execute in seconds	`number`	`120`	no
log_forwarder_use_policy_name_prefix	Whether to use unique name beginning with the specified `policy_name` for the log forwarder policy	`bool`	`false`	no
log_forwarder_use_role_name_prefix	Whether to use unique name beginning with the specified `role_name` for the log forwarder role	`bool`	`false`	no
log_forwarder_version	Forwarder version - see https://github.com/DataDog/datadog-serverless-functions/releases	`string`	`"4.12.0"`	no
log_forwarder_vpce_policy	Policy to attach to the log forwarder endpoint that controls access to the service. Defaults to full access	`any`	`null`	no
log_forwarder_vpce_security_group_ids	IDs of security groups to attach to log forwarder endpoint	`list(string)`	`[]`	no
log_forwarder_vpce_subnet_ids	IDs of subnets to associate with log forwarder endpoint	`list(string)`	`[]`	no
log_forwarder_vpce_tags	A map of tags to apply to the log forwarder endpoint	`map(string)`	`{}`	no
metrics_vpce_policy	Policy to attach to the metrics endpoint that controls access to the service. Defaults to full access	`any`	`null`	no
metrics_vpce_security_group_ids	IDs of security groups to attach to metrics endpoint	`list(string)`	`[]`	no
metrics_vpce_subnet_ids	IDs of subnets to associate with metrics endpoint	`list(string)`	`[]`	no
metrics_vpce_tags	A map of tags to apply to the metrics endpoint	`map(string)`	`{}`	no
processes_vpce_policy	Policy to attach to the processes endpoint that controls access to the service. Defaults to full access	`any`	`null`	no
processes_vpce_security_group_ids	IDs of security groups to attach to processes endpoint	`list(string)`	`[]`	no
processes_vpce_subnet_ids	IDs of subnets to associate with processes endpoint	`list(string)`	`[]`	no
processes_vpce_tags	A map of tags to apply to the processes endpoint	`map(string)`	`{}`	no
rds_em_forwarder_architectures	Instruction set architecture for your Lambda function. Valid values are `["x86_64"]` and `["arm64"]`. Default is `["arm64"]`	`list(string)`	[ "arm64" ]	no
rds_em_forwarder_environment_variables	A map of environment variables for the RDS enhanced monitoring forwarder lambda function	`map(string)`	`{}`	no
rds_em_forwarder_kms_key_arn	KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key	`string`	`null`	no
rds_em_forwarder_lambda_tags	A map of tags to apply to the RDS enhanced monitoring forwarder lambda function	`map(string)`	`{}`	no
rds_em_forwarder_layers	List of Lambda Layer Version ARNs (maximum of 5) to attach to the RDS enhanced monitoring forwarder lambda	`list(string)`	`[]`	no
rds_em_forwarder_log_kms_key_id	The AWS KMS Key ARN to use for CloudWatch log group encryption	`string`	`null`	no
rds_em_forwarder_log_retention_days	RDS enhanced monitoring forwarder CloudWatch log group retention in days	`number`	`7`	no
rds_em_forwarder_memory_size	Memory size for the RDS enhanced monitoring forwarder lambda function	`number`	`256`	no
rds_em_forwarder_name	RDS enhanced monitoring forwarder lambda name	`string`	`"datadog-rds-enhanced-monitoring-forwarder"`	no
rds_em_forwarder_policy_arn	IAM policy arn for RDS enhanced monitoring forwarder lambda function to utilize	`string`	`null`	no
rds_em_forwarder_policy_name	RDS enhanced monitoring forwarder policy name	`string`	`""`	no
rds_em_forwarder_policy_path	RDS enhanced monitoring forwarder policy path	`string`	`null`	no
rds_em_forwarder_publish	Whether to publish creation/change as a new fambda function Version	`bool`	`false`	no
rds_em_forwarder_reserved_concurrent_executions	The amount of reserved concurrent executions for the RDS enhanced monitoring forwarder lambda function	`number`	`10`	no
rds_em_forwarder_role_arn	IAM role arn for RDS enhanced monitoring forwarder lambda function to utilize	`string`	`null`	no
rds_em_forwarder_role_max_session_duration	The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours	`number`	`null`	no
rds_em_forwarder_role_name	RDS enhanced monitoring forwarder role name	`string`	`""`	no
rds_em_forwarder_role_path	RDS enhanced monitoring forwarder role path	`string`	`null`	no
rds_em_forwarder_role_permissions_boundary	The ARN of the policy that is used to set the permissions boundary for the RDS enhanced monitoring forwarder role	`string`	`null`	no
rds_em_forwarder_role_tags	A map of tags to apply to the RDS enhanced monitoring forwarder role	`map(string)`	`{}`	no
rds_em_forwarder_runtime	Lambda function runtime	`string`	`"python3.12"`	no
rds_em_forwarder_security_group_ids	List of security group ids when forwarder lambda function should run in the VPC	`list(string)`	`null`	no
rds_em_forwarder_subnet_ids	List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets	`list(string)`	`null`	no
rds_em_forwarder_tags	A map of tags to apply to the RDS enhanced monitoring forwarder resources	`map(string)`	`{}`	no
rds_em_forwarder_timeout	The amount of time the RDS enhanced monitoring forwarder lambda has to execute in seconds	`number`	`10`	no
rds_em_forwarder_use_policy_name_prefix	Whether to use unique name beginning with the specified `rds_em_forwarder_policy_name` for the RDS enhanced monitoring forwarder role	`bool`	`false`	no
rds_em_forwarder_use_role_name_prefix	Whether to use unique name beginning with the specified `rds_em_forwarder_role_name` for the RDS enhanced monitoring forwarder role	`bool`	`false`	no
rds_em_forwarder_version	RDS enhanced monitoring lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases	`string`	`"4.12.0"`	no
tags	A map of tags to use on all resources	`map(string)`	`{}`	no
traces_vpce_policy	Policy to attach to the traces endpoint that controls access to the service. Defaults to full access	`any`	`null`	no
traces_vpce_security_group_ids	IDs of security groups to attach to traces endpoint	`list(string)`	`[]`	no
traces_vpce_subnet_ids	IDs of subnets to associate with traces endpoint	`list(string)`	`[]`	no
traces_vpce_tags	A map of tags to apply to the traces endpoint	`map(string)`	`{}`	no
vpc_fl_forwarder_architectures	Instruction set architecture for your Lambda function. Valid values are `["x86_64"]` and `["arm64"]`. Default is `["arm64"]`	`list(string)`	[ "arm64" ]	no
vpc_fl_forwarder_environment_variables	A map of environment variables for the VPC flow log forwarder lambda function	`map(string)`	`{}`	no
vpc_fl_forwarder_kms_key_arn	KMS key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key	`string`	`null`	no
vpc_fl_forwarder_lambda_tags	A map of tags to apply to the VPC flow log forwarder lambda function	`map(string)`	`{}`	no
vpc_fl_forwarder_layers	List of Lambda Layer Version ARNs (maximum of 5) to attach to the VPC flow log forwarder lambda	`list(string)`	`[]`	no
vpc_fl_forwarder_log_kms_key_id	The AWS KMS Key ARN to use for CloudWatch log group encryption	`string`	`null`	no
vpc_fl_forwarder_log_retention_days	VPC flow log forwarder CloudWatch log group retention in days	`number`	`7`	no
vpc_fl_forwarder_memory_size	Memory size for the VPC flow log forwarder lambda function	`number`	`256`	no
vpc_fl_forwarder_name	VPC flow log forwarder lambda name	`string`	`"datadog-vpc-flow-log-forwarder"`	no
vpc_fl_forwarder_policy_arn	IAM policy arn for VPC flow log forwarder lambda function to utilize	`string`	`null`	no
vpc_fl_forwarder_policy_name	VPC flow log forwarder policy name	`string`	`""`	no
vpc_fl_forwarder_policy_path	VPC flow log forwarder policy path	`string`	`null`	no
vpc_fl_forwarder_publish	Whether to publish creation/change as a new fambda function Version	`bool`	`false`	no
vpc_fl_forwarder_read_cloudwatch_logs	Whether the VPC flow log forwarder will read CloudWatch log groups for VPC flow logs	`bool`	`false`	no
vpc_fl_forwarder_reserved_concurrent_executions	The amount of reserved concurrent executions for the VPC flow log forwarder lambda function	`number`	`10`	no
vpc_fl_forwarder_role_arn	IAM role arn for VPC flow log forwarder lambda function to utilize	`string`	`null`	no
vpc_fl_forwarder_role_max_session_duration	The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours	`number`	`null`	no
vpc_fl_forwarder_role_name	VPC flow log forwarder role name	`string`	`""`	no
vpc_fl_forwarder_role_path	VPC flow log forwarder role path	`string`	`null`	no
vpc_fl_forwarder_role_permissions_boundary	The ARN of the policy that is used to set the permissions boundary for the VPC flow log forwarder role	`string`	`null`	no
vpc_fl_forwarder_role_tags	A map of tags to apply to the VPC flow log forwarder role	`map(string)`	`{}`	no
vpc_fl_forwarder_runtime	Lambda function runtime	`string`	`"python3.12"`	no
vpc_fl_forwarder_s3_log_bucket_arns	S3 log buckets for VPC flow log forwarder to read and forward to Datadog	`list(string)`	`[]`	no
vpc_fl_forwarder_security_group_ids	List of security group ids when forwarder lambda function should run in the VPC	`list(string)`	`null`	no
vpc_fl_forwarder_subnet_ids	List of subnet ids when forwarder lambda function should run in the VPC. Usually private or intra subnets	`list(string)`	`null`	no
vpc_fl_forwarder_tags	A map of tags to apply to the VPC flow log forwarder resources	`map(string)`	`{}`	no
vpc_fl_forwarder_timeout	The amount of time the VPC flow log forwarder lambda has to execute in seconds	`number`	`10`	no
vpc_fl_forwarder_use_policy_name_prefix	Whether to use unique name beginning with the specified `vpc_fl_forwarder_policy_name` for the VPC flow log forwarder role	`bool`	`false`	no
vpc_fl_forwarder_use_role_name_prefix	Whether to use unique name beginning with the specified `vpc_fl_forwarder_role_name` for the VPC flow log forwarder role	`bool`	`false`	no
vpc_fl_forwarder_version	VPC flow log lambda version - see https://github.com/DataDog/datadog-serverless-functions/releases	`string`	`"4.12.0"`	no
vpc_id	ID of VPC to provision endpoints within	`string`	`null`	no

Outputs

Name	Description
agent_endpoint_arn	ARN of the agent VPC endpoint
agent_endpoint_dns_entry	DNS entries of the agent VPC endpoint
agent_endpoint_id	ID of the agent VPC endpoint
agent_endpoint_network_interface_ids	One or more network interfaces for the agent VPC endpoint
agent_endpoint_owner_id	The ID of the AWS account that owns the agent VPC endpoint
agent_endpoint_state	The state of the agent VPC endpoint
api_endpoint_arn	ARN of the API VPC endpoint
api_endpoint_dns_entry	DNS entries of the API VPC endpoint
api_endpoint_id	ID of the API VPC endpoint
api_endpoint_network_interface_ids	One or more network interfaces for API api VPC endpoint
api_endpoint_owner_id	The ID of the AWS account that owns the API VPC endpoint
api_endpoint_state	The state of the API VPC endpoint
log_forwarder_cloudwatch_log_group_arn	The ARN of the log forwarder lambda function CloudWatch log group
log_forwarder_endpoint_arn	ARN of the log forwarder VPC endpoint
log_forwarder_endpoint_dns_entry	DNS entries of the log forwarder VPC endpoint
log_forwarder_endpoint_id	ID of the log forwarder VPC endpoint
log_forwarder_endpoint_network_interface_ids	One or more network interfaces for the log forwarder VPC endpoint
log_forwarder_endpoint_owner_id	The ID of the AWS account that owns the log forwarder VPC endpoint
log_forwarder_endpoint_state	The state of the log forwarder VPC endpoint
log_forwarder_lambda_arn	The ARN of the log forwarder lambda function
log_forwarder_lambda_kms_key_arn	(Optional) The ARN for the KMS encryption key for the log forwarder lambda function
log_forwarder_lambda_qualified_arn	The ARN of the log forwarder lambda function (if versioning is enabled via publish = true)
log_forwarder_lambda_source_code_hash	Base64-encoded representation of raw SHA-256 sum of the log forwarder zip file, provided either via filename or s3_* parameters
log_forwarder_lambda_version	Latest published version of the log forwarder lambda function
log_forwarder_role_arn	The log forwarder lambda role arn
log_forwarder_role_id	The log forwarder lambda role id
log_forwarder_role_name	The log forwarder lambda role name
log_forwarder_role_policy_arn	The ARN of the log forwarder lambda role policy
log_forwarder_role_policy_id	The ID of the log forwarder lambda role policy
log_forwarder_role_policy_name	The name of the log forwarder lambda role policy
log_forwarder_role_unique_id	The stable and unique string identifying the log forwarder lambda role
log_forwarder_s3_bucket_arn	The ARN of the log forwarder bucket. Will be of format arn:aws:s3:::bucketname
log_forwarder_s3_bucket_domain_name	The log forwarder bucket domain name. Will be of format bucketname.s3.amazonaws.com
log_forwarder_s3_bucket_id	The name of the log forwarder bucket
log_forwarder_s3_bucket_regional_domain_name	The log forwarder bucket region-specific domain name. The bucket domain name including the region name
log_forwarder_s3_object_etag	The ETag generated for the log forwarder lambda zip object (an MD5 sum of the object content)
log_forwarder_s3_object_id	The `key` of the log forwarder lambda zip archive
log_forwarder_s3_object_version	A unique version ID value for the log forwarder lambda zip object, if bucket versioning is enabled
metrics_endpoint_arn	ARN of the metrics VPC endpoint
metrics_endpoint_dns_entry	DNS entries of the metrics VPC endpoint
metrics_endpoint_id	ID of the metrics VPC endpoint
metrics_endpoint_network_interface_ids	One or more network interfaces for the metrics VPC endpoint
metrics_endpoint_owner_id	The ID of the AWS account that owns the metrics VPC endpoint
metrics_endpoint_state	The state of the metrics VPC endpoint
processes_endpoint_arn	ARN of the processes VPC endpoint
processes_endpoint_dns_entry	DNS entries of the processes VPC endpoint
processes_endpoint_id	ID of the processes VPC endpoint
processes_endpoint_network_interface_ids	One or more network interfaces for the processes VPC endpoint
processes_endpoint_owner_id	The ID of the AWS account that owns the processes VPC endpoint
processes_endpoint_state	The state of the processes VPC endpoint
rds_em_forwarder_cloudwatch_log_group_arn	The ARN of the RDS enhanced monitoring forwarder lambda function CloudWatch log group
rds_em_forwarder_lambda_arn	The ARN of the RDS enhanced monitoring forwarder lambda function
rds_em_forwarder_lambda_kms_key_arn	(Optional) The ARN for the KMS encryption key for the RDS enhanced monitoring forwarder lambda function
rds_em_forwarder_lambda_qualified_arn	The ARN of the RDS enhanced monitoring forwarder lambda function (if versioning is enabled via publish = true)
rds_em_forwarder_lambda_source_code_hash	Base64-encoded representation of raw SHA-256 sum of the RDS enhanced monitoring lambda forwarder zip file, provided either via filename or s3_* parameters
rds_em_forwarder_lambda_version	Latest published version of the RDS enhanced monitoring forwarder lambda function
rds_em_forwarder_role_arn	The RDS enhanced monitoring forwarder lambda role arn
rds_em_forwarder_role_id	The RDS enhanced monitoring forwarder lambda role id
rds_em_forwarder_role_name	The RDS enhanced monitoring forwarder lambda role name
rds_em_forwarder_role_policy_arn	The ARN of the RDS enhanced monitoring forwarder lambda role policy
rds_em_forwarder_role_policy_id	The ID of the RDS enhanced monitoring forwarder lambda role policy
rds_em_forwarder_role_policy_name	The name of the RDS enhanced monitoring forwarder lambda role policy
rds_em_forwarder_role_unique_id	The stable and unique string identifying the RDS enhanced monitoring forwarder lambda role.
traces_endpoint_arn	ARN of the traces VPC endpoint
traces_endpoint_dns_entry	DNS entries of the traces VPC endpoint
traces_endpoint_id	ID of the traces VPC endpoint
traces_endpoint_network_interface_ids	One or more network interfaces for the traces VPC endpoint
traces_endpoint_owner_id	The ID of the AWS account that owns the traces VPC endpoint
traces_endpoint_state	The state of the traces VPC endpoint
vpc_fl_forwarder_cloudwatch_log_group_arn	The ARN of the VPC flow log forwarder lambda function CloudWatch log group
vpc_fl_forwarder_lambda_arn	The ARN of the VPC flow log forwarder lambda function
vpc_fl_forwarder_lambda_kms_key_arn	(Optional) The ARN for the KMS encryption key for the VPC flow log forwarder lambda function
vpc_fl_forwarder_lambda_qualified_arn	The ARN of the VPC flow log forwarder lambda function (if versioning is enabled via publish = true)
vpc_fl_forwarder_lambda_source_code_hash	Base64-encoded representation of raw SHA-256 sum of the VPC flow log forwarder lambda zip file, provided either via filename or s3_* parameters
vpc_fl_forwarder_lambda_version	Latest published version of the VPC flow log forwarder lambda function
vpc_fl_forwarder_role_arn	The VPC flow log forwarder lambda role arn
vpc_fl_forwarder_role_id	The VPC flow log forwarder lambda role id
vpc_fl_forwarder_role_name	The VPC flow log forwarder lambda role name
vpc_fl_forwarder_role_policy_arn	The ARN of the VPC flow log forwarder lambda role policy
vpc_fl_forwarder_role_policy_id	The ID of the VPC flow log forwarder lambda role policy
vpc_fl_forwarder_role_policy_name	The name of the VPC flow log forwarder lambda role policy
vpc_fl_forwarder_role_unique_id	The stable and unique string identifying the VPC flow log forwarder lambda role.

License

Apache-2.0 Licensed. See LICENSE.