Merge pull request #273 from DataDog/tian.chu/forwarder-us-gov

tianchu · web-flow · commit 4408b45be96e · 2020-06-05T15:48:13.000-04:00
Ensure the forwarder can be installed to GovCloud
diff --git a/aws/logs_monitoring/template.yaml b/aws/logs_monitoring/template.yaml
@@ -13,7 +13,7 @@ Parameters:
     Description: The Datadog API key, which can be found from the APIs page (/account/settings#api). It will be stored in AWS Secrets Manager securely. If DdApiKeySecretArn is also set, this value will not be used. This value must still be set, however.
   DdApiKeySecretArn:
     Type: String
-    AllowedPattern: "arn:aws:secretsmanager:.*"
+    AllowedPattern: "arn:.*:secretsmanager:.*"
     Default: "arn:aws:secretsmanager:DEFAULT"
     Description: The ARN of the secret storing the Datadog API key, if you already have it stored in Secrets Manager. You still need to set a dummy value for "DdApiKey" to satisfy the requirement, though that value won't be used.
   DdSite:
@@ -161,6 +161,10 @@ Parameters:
     Default: ""
     Description: ARN for the Permissions Boundary Policy
 Conditions:
+  IsAWSChina:
+    Fn::Equals:
+      - Ref: AWS::Partition
+      - "aws-cn"
   CreateDdApiKeySecret:
     Fn::Equals:
       - Ref: DdApiKeySecretArn
@@ -412,7 +416,7 @@ Resources:
             - Effect: Allow
               Action:
                 - s3:GetObject
-              Resource: "arn:aws:s3:::*"
+              Resource: "*"
             - Effect: Allow
               Action:
                 - secretsmanager:GetSecretValue
@@ -442,14 +446,22 @@ Resources:
     Properties:
       FunctionName: !Ref "Forwarder"
       Action: lambda:InvokeFunction
-      Principal: !Sub "logs.${AWS::Region}.amazonaws.com"
+      Principal:
+        Fn::If:
+          - IsAWSChina
+          - !Sub "logs.${AWS::Region}.amazonaws.com.cn"
+          - !Sub "logs.${AWS::Region}.amazonaws.com"
       SourceAccount: !Ref "AWS::AccountId"
   S3Permission:
     Type: AWS::Lambda::Permission
     Properties:
       FunctionName: !Ref "Forwarder"
       Action: lambda:InvokeFunction
-      Principal: "s3.amazonaws.com"
+      Principal:
+        Fn::If:
+          - IsAWSChina
+          - "s3.amazonaws.com.cn"
+          - "s3.amazonaws.com"
       SourceAccount: !Ref "AWS::AccountId"
   LogGroup:
     Type: AWS::Logs::LogGroup
@@ -467,6 +479,16 @@ Resources:
         Ref: DdApiKey
   ForwarderZipsBucket:
     Type: AWS::S3::Bucket
+    Properties:
+      BucketEncryption:
+          ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
   ForwarderZip:
     Type: Custom::ForwarderZip
     Properties:
@@ -582,7 +604,7 @@ Resources:
                 Resource:
                   - Fn::Join:
                       - ""
-                      - - "arn:aws:s3:::"
+                      - - "arn:*:s3:::"
                         - !Select [1, !Split ["s3://", !Ref SourceZipUrl]]
               - Ref: AWS::NoValue
       Environment:
