Handle encryption field for S3 destinations for Logs Archives #2740

Draft
wants to merge 3 commits into
base: master
28 changes: 28 additions & 0 deletions datadog/resource_datadog_logs_archive.go
Expand Up @@ -44,6 +44,8 @@
ValidateDiagFunc: validators.ValidateAWSAccountID,
},
"role_name": {Description: "Your AWS role name", Type: schema.TypeString, Required: true},
"encryption_type": {Description: "The type of encryption on your archive.", Type: schema.TypeString, Required: false},
"encryption_key": {Description: "The AWS KMS encryption key.", Type: schema.TypeString, Required: false},
},
},
},
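
Review bot: The new `encryption_type` and `encryption_key` attributes are declared with `Required: false` and no other flag; a schema attribute normally needs one of Required, Optional or Computed set, so both should carry `Optional: true` instead. `encryption_type` also accepts any string as written: the docs in this PR list only `NO_OVERRIDE`, `SSE_S3` and `SSE_KMS`, so a validator in the style of the `ValidateDiagFunc` used on the attribute above would reject a typo at plan time rather than at the API.
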
Expand Down Expand Up @@ -253,10 +255,13 @@
func buildS3Map(destination datadogV2.LogsArchiveDestinationS3) map[string]interface{} {
result := make(map[string]interface{})
integration := destination.GetIntegration()
encryption := destination.GetEncryption()
result["account_id"] = integration.GetAccountId()
result["role_name"] = integration.GetRoleName()
result["bucket"] = destination.GetBucket()
result["path"] = destination.GetPath()
result["encryption_type"] = encryption.GetType();
result["encryption_key"] = encryption.GetKey();
return result
}
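
Review bot: `result["encryption_type"] = encryption.GetType();` stores whatever the API returns, while the write path later in this file sends `"NO_OVERRIDE"` when the attribute is not configured; if the API echoes that value back, a configuration that omits `encryption_type` will show a diff on every plan. Giving the attribute a default of `NO_OVERRIDE` in the schema, or marking it computed, would keep the read and write paths consistent. Both added assignments also end in a `;` that gofmt removes.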

Expand Down Expand Up @@ -421,9 +426,32 @@
if !ok {
path = ""
}

var datadogV2.LogsArchiveEncryptionS3 encryption

Check failure on line 430 in datadog/resource_datadog_logs_archive.go

GitHub Actions / test-tofu, linter-checks

syntax error: unexpected ., expected type

GitHub Actions / test (0.14.11, ubuntu-latest), test (0.15.5, ubuntu-latest), test (1.1.2, ubuntu-latest), test (1.5.3, ubuntu-latest)

expected type, found '.'

syntax error: unexpected ., expected type

encryptionType, ok := d["encryption_type"]
if !ok {

I assume from reading the code that if the user sets SSE_KMS as the encryption type but doesn't provide an encryption key, we do not want to handle this error here and just pass the values along. Is that correct?

Author

Yes, that's right; technically, setting SSE_KMS with no encryption key is also a valid method (just not done very commonly).

I see, I didn't know that. Thanks for explaining!

encryption = datadogV2.NewLogsArchiveEncryptionS3(
"NO_OVERRIDE",
)
} else {
encryptionKey, ok := d["encryption_key"]
if !ok {
encryption = datadogV2.NewLogsArchiveEncryptionS3(
encryptionType.(string),
)
} else {
encryption = datadogV2.NewLogsArchiveEncryptionS3(
encryptionType.(string),
encryptionKey.(string),
)
}
}

destination := datadogV2.NewLogsArchiveDestinationS3(
bucket.(string),
*integration,
*encryption,
datadogV2.LOGSARCHIVEDESTINATIONS3TYPE_S3,
)
destination.Path = datadog.PtrString(path.(string))
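
Review bot: The declaration `var datadogV2.LogsArchiveEncryptionS3 encryption` has the type and the name in the wrong order, which is what the CI annotations on line 430 report; because the value is later passed as `*encryption`, it should read `var encryption *datadogV2.LogsArchiveEncryptionS3`. `NewLogsArchiveEncryptionS3` is then called with one argument in two branches and with two arguments in the third, which cannot all match one signature unless it is variadic; construct the value from the type alone and assign the key to it separately. The `!ok` checks on `d["encryption_type"]` and `d["encryption_key"]` only cover a missing map key, so an empty string would be passed straight through as the type or key; checking for `""` as well would make the `NO_OVERRIDE` fallback reliable.
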
3 changes: 3 additions & 0 deletions docs/resources/logs_archive.md
Expand Up @@ -21,6 +21,7 @@ resource "datadog_logs_archive" "my_s3_archive" {
path = "/path/foo"
account_id = "001234567888"
role_name = "my-role-name"
encryption_type = "SSE_S3"
}
}
```
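
Review bot: The example only shows `encryption_type = "SSE_S3"`, so the case that uses both new fields, `SSE_KMS` together with `encryption_key`, is not illustrated anywhere in the docs; add a second example or a commented line showing `encryption_key` next to `encryption_type = "SSE_KMS"`.
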
Expand Down Expand Up @@ -87,6 +88,8 @@ Required:
Optional:

- `path` (String) Path where the archive is stored.
- `encryption_type` (String) The type of server-side encryption to use when uploading data to your S3 bucket. `NO_OVERRIDE`, `SSE_S3`, and `SSE_KMS` are the possible types. `NO_OVERRIDE` is used most commonly, because users can rely on default encryption on their S3 buckets instead of specifically uploading objects with encryption information.
- `encryption_key` (String) The key ARN used to identify your customer managed key for AWS KMS encryption. Only set this value if the `encryption_type` is set to `SSE_KMS`.

## Import
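
Review bot: The `encryption_type` entry lists the three possible values but does not say what is sent when the field is omitted, whereas the Go change in this PR falls back to `NO_OVERRIDE`; state that default here. The `encryption_key` entry says to set the key only with `SSE_KMS`, but nothing in the schema enforces that, so either add the check or word this as a recommendation. These descriptions also differ from the `Description` strings added to the schema ("The type of encryption on your archive." and "The AWS KMS encryption key."); keep the two in sync.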
