Fluentbit log configuration (#6)

Author: gabedos

examples/ecs_fargate/main.tf

@@ -6,27 +6,35 @@ module "ecs_task" {
   source = "../../modules/ecs_fargate"
 
   # Configure Datadog
-  dd_api_key = var.dd_api_key
-  dd_api_key_secret_arn = var.dd_api_key_secret_arn
-  dd_site    = var.dd_site
-  dd_service = var.dd_service
+  dd_api_key                       = var.dd_api_key
+  dd_api_key_secret_arn            = var.dd_api_key_secret_arn
+  dd_site                          = var.dd_site
+  dd_service                       = var.dd_service
+  dd_tags                          = "team:cont-p, owner:container-monitoring"
+  dd_essential                     = true
+  dd_is_datadog_dependency_enabled = true
 
   dd_environment = [
     {
-      name  = "DD_TAGS",
-      value = "team:cont-p, owner:container-monitoring"
+      name  = "DD_CUSTOM_ENV_VAR",
+      value = "custom_value",
     },
   ]
 
   dd_dogstatsd = {
-    dogstatsd_cardinality = "high",
+    dogstatsd_cardinality    = "high",
     origin_detection_enabled = true,
   }
 
   dd_apm = {
     enabled = true,
   }
 
+  dd_log_collection = {
+    enabled                          = true,
+    is_log_router_dependency_enabled = true,
+  }
+
   # Configure Task Definition
   family = "datadog-terraform-app"
   container_definitions = {

examples/ecs_fargate/outputs.tf

@@ -0,0 +1,3 @@
+output "example_module" {
+  value = module.ecs_task
+}

modules/ecs_fargate/datadog.tf

@@ -1,6 +1,34 @@
 locals {
+  # Datadog Firelens log configuration
+  dd_firelens_log_configuration = var.dd_log_collection.enabled ? merge(
+    {
+      logDriver = "awsfirelens"
+      options = merge(
+        {
+          provider    = "ecs"
+          Name        = "datadog"
+          Host        = "http-intake.logs.datadoghq.com"
+          TLS         = "on"
+          retry_limit = "2"
+        },
+        var.dd_log_collection.log_driver_configuration.service_name != null ? { dd_service = var.dd_log_collection.log_driver_configuration.service_name } : {},
+        var.dd_log_collection.log_driver_configuration.source_name != null ? { dd_source = var.dd_log_collection.log_driver_configuration.source_name } : {},
+        var.dd_tags != null ? { dd_tags = var.dd_tags } : {},
+        var.dd_api_key != null ? { apikey = var.dd_api_key } : {}
+      )
+    },
+    var.dd_api_key_secret_arn != null ? {
+      secretOptions = [
+        {
+          name      = "apikey"
+          valueFrom = var.dd_api_key_secret_arn
+        }
+      ]
+    } : {}
+  ) : null
+
   # Application container modifications
-  is_linux = var.runtime_platform == null || var.runtime_platform.operating_system_family == null || var.runtime_platform.operating_system_family == "LINUX"
+  is_linux            = var.runtime_platform == null || var.runtime_platform.operating_system_family == null || var.runtime_platform.operating_system_family == "LINUX"
   is_apm_socket_mount = var.dd_apm.enabled && var.dd_apm.socket_enabled && local.is_linux
   is_dsd_socket_mount = var.dd_dogstatsd.enabled && var.dd_dogstatsd.socket_enabled && local.is_linux
   is_apm_dsd_volume   = local.is_apm_socket_mount || local.is_dsd_socket_mount
@@ -34,6 +62,20 @@ locals {
     }
   ] : []
 
+  agent_dependency = var.dd_is_datadog_dependency_enabled && var.dd_health_check.command != null ? [
+    {
+      containerName = "datadog-agent"
+      condition     = "HEALTHY"
+    }
+  ] : []
+
+  log_router_dependency = var.dd_log_collection.is_log_router_dependency_enabled && var.dd_log_collection.log_router_health_check.command != null && local.dd_firelens_log_configuration != null ? [
+    {
+      containerName = "datadog-log-router"
+      condition     = "HEALTHY"
+    }
+  ] : []
+
   modified_container_definitions = [
     for container in var.container_definitions : merge(
       container,
@@ -50,7 +92,14 @@ locals {
           lookup(container, "mountPoints", []),
           local.apm_dsd_mount
         )
-      }
+        dependsOn = concat(
+          lookup(container, "dependsOn", []),
+          local.agent_dependency,
+          local.log_router_dependency,
+        )
+      },
+      # Only override the log configuration if the Datadog firelens configuration exists
+      local.dd_firelens_log_configuration != null ? { logConfiguration = local.dd_firelens_log_configuration } : {}
     )
   ]
 
@@ -74,8 +123,9 @@ locals {
       { key = "DD_SERVICE", value = var.dd_service },
       { key = "DD_ENV", value = var.dd_env },
       { key = "DD_VERSION", value = var.dd_version },
-      { key = "DD_DOGSTATSD_TAG_CARDINALITY", value = var.dd_dogstatsd.dogstatsd_cardinality }
-      # TODO: clusterName, ddTags, etc.
+      { key = "DD_DOGSTATSD_TAG_CARDINALITY", value = var.dd_dogstatsd.dogstatsd_cardinality },
+      { key = "DD_TAGS", value = var.dd_tags },
+      { key = "DD_CLUSTER_NAME", value = var.dd_cluster_name }
     ] : { name = pair.key, value = pair.value } if pair.value != null
   ]
 
@@ -97,28 +147,74 @@ locals {
   )
 
   # Datadog Agent container definition
-  dd_agent_container = {
-    name        = "datadog-agent"
-    image       = "${var.dd_registry}:${var.dd_image_version}"
-    environment = local.dd_agent_env
-    secrets = var.dd_api_key_secret_arn != null ? [
+  dd_agent_container = [
+    merge(
       {
-        name      = "DD_API_KEY"
-        valueFrom = var.dd_api_key_secret_arn
+        name        = "datadog-agent"
+        image       = "${var.dd_registry}:${var.dd_image_version}"
+        essential   = var.dd_essential
+        environment = local.dd_agent_env
+        secrets = var.dd_api_key_secret_arn != null ? [
+          {
+            name      = "DD_API_KEY"
+            valueFrom = var.dd_api_key_secret_arn
+          }
+        ] : []
+        portMappings = [
+          {
+            containerPort = 8125
+            hostPort      = 8125
+            protocol      = "udp"
+          },
+          {
+            containerPort = 8126
+            hostPort      = 8126
+            protocol      = "tcp"
+          }
+        ],
+        mountPoints      = local.apm_dsd_mount,
+        logConfiguration = local.dd_firelens_log_configuration,
+        dependsOn        = var.dd_log_collection.is_log_router_dependency_enabled && local.dd_firelens_log_configuration != null ? local.log_router_dependency : [],
+      },
+      var.dd_health_check.command == null ? {} : {
+        healthCheck = {
+          command     = var.dd_health_check.command
+          interval    = var.dd_health_check.interval
+          timeout     = var.dd_health_check.timeout
+          retries     = var.dd_health_check.retries
+          startPeriod = var.dd_health_check.start_period
+        }
       }
-    ] : []
-    portMappings = [
+    )
+  ]
+
+  # Datadog log router container definition
+  dd_log_container = var.dd_log_collection.enabled ? [
+    merge(
       {
-        containerPort = 8125
-        hostPort      = 8125
-        protocol      = "udp"
+        name      = "datadog-log-router"
+        image     = "${var.dd_log_collection.registry}:${var.dd_log_collection.image_version}"
+        essential = var.dd_log_collection.is_log_router_essential
+        firelensConfiguration = {
+          type = "fluentbit"
+          options = {
+            enable-ecs-log-metadata = "true"
+          }
+        }
+        cpu              = var.dd_log_collection.cpu
+        memory_limit_mib = var.dd_log_collection.memory_limit_mib
+        user             = "0"
       },
-      {
-        containerPort = 8126
-        hostPort      = 8126
-        protocol      = "tcp"
+      var.dd_log_collection.log_router_health_check.command == null ? {} : {
+        healthCheck = {
+          command     = var.dd_log_collection.log_router_health_check.command
+          interval    = var.dd_log_collection.log_router_health_check.interval
+          timeout     = var.dd_log_collection.log_router_health_check.timeout
+          retries     = var.dd_log_collection.log_router_health_check.retries
+          startPeriod = var.dd_log_collection.log_router_health_check.start_period
+        }
       }
-    ],
-    mountPoints = local.apm_dsd_mount
-  }
+    )
+  ] : []
+
 }

modules/ecs_fargate/iam.tf

@@ -84,8 +84,8 @@ resource "aws_iam_role_policy_attachment" "new_role_dd_secret" {
 # in order to add permissions for the ecs_fargate check
 
 locals {
-  edit_task_role    = var.task_role_arn != null
-  create_task_role  = var.task_role_arn == null
+  edit_task_role   = var.task_role_arn != null
+  create_task_role = var.task_role_arn == null
 }
 
 # ==============================

modules/ecs_fargate/main.tf

@@ -6,7 +6,8 @@ resource "aws_ecs_task_definition" "this" {
 
   container_definitions = jsonencode(
     concat(
-      [local.dd_agent_container],
+      local.dd_agent_container,
+      local.dd_log_container,
       [for k, v in local.modified_container_definitions : v],
     )
   )
@@ -26,7 +27,7 @@ resource "aws_ecs_task_definition" "this" {
   # Prioritize the user-provided task execution role over the one created by the module
   execution_role_arn = var.execution_role_arn != null ? var.execution_role_arn : (length(aws_iam_role.new_ecs_task_execution_role) > 0 ? aws_iam_role.new_ecs_task_execution_role[0].arn : null)
 
-  family             = var.family
+  family = var.family
 
   # Fargate incompatible parameter
   dynamic "inference_accelerator" {
@@ -74,7 +75,7 @@ resource "aws_ecs_task_definition" "this" {
     }
   }
 
-  skip_destroy  = var.skip_destroy
+  skip_destroy = var.skip_destroy
   # Prioritize the user-provided task role over the one created by the module
   task_role_arn = var.task_role_arn != null ? var.task_role_arn : (length(aws_iam_role.new_ecs_task_role) > 0 ? aws_iam_role.new_ecs_task_role[0].arn : null)
 

modules/ecs_fargate/variables.tf

@@ -26,6 +26,36 @@ variable "dd_image_version" {
   default     = "latest"
 }
 
+variable "dd_essential" {
+  description = "Whether the Datadog Agent container is essential"
+  type        = bool
+  default     = false
+}
+
+variable "dd_is_datadog_dependency_enabled" {
+  description = "Whether the Datadog Agent container is a dependency for other containers"
+  type        = bool
+  default     = false
+}
+
+variable "dd_health_check" {
+  description = "Datadog Agent health check configuration"
+  type = object({
+    command      = optional(list(string))
+    interval     = optional(number)
+    retries      = optional(number)
+    start_period = optional(number)
+    timeout      = optional(number)
+  })
+  default = {
+    command      = ["CMD-SHELL", "/probe.sh"]
+    interval     = 15
+    retries      = 3
+    start_period = 60
+    timeout      = 5
+  }
+}
+
 variable "dd_site" {
   description = "Datadog Site"
   type        = string
@@ -38,6 +68,18 @@ variable "dd_environment" {
   default     = [{}]
 }
 
+variable "dd_tags" {
+  description = "Datadog Agent global tags (eg. `key1:value1, key2:value2`)"
+  type        = string
+  default     = null
+}
+
+variable "dd_cluster_name" {
+  description = "Datadog cluster name."
+  type        = string
+  default     = null
+}
+
 variable "dd_service" {
   description = "The task service name. Used for tagging (UST)"
   type        = string
@@ -75,7 +117,7 @@ variable "dd_dogstatsd" {
     error_message = "The Datadog Dogstatsd configuration must be defined."
   }
   validation {
-    condition = var.dd_dogstatsd.dogstatsd_cardinality == "low" || var.dd_dogstatsd.dogstatsd_cardinality == "orchestrator" || var.dd_dogstatsd.dogstatsd_cardinality == "high"
+    condition     = var.dd_dogstatsd.dogstatsd_cardinality == "low" || var.dd_dogstatsd.dogstatsd_cardinality == "orchestrator" || var.dd_dogstatsd.dogstatsd_cardinality == "high"
     error_message = "The Datadog Dogstatsd cardinality must be one of 'low', 'orchestrator', or 'high'."
   }
 }
@@ -96,6 +138,65 @@ variable "dd_apm" {
   }
 }
 
+variable "dd_log_collection" {
+  description = "Configuration for Datadog Log Collection"
+  type = object({
+    enabled                          = optional(bool, true)
+    registry                         = optional(string, "public.ecr.aws/aws-observability/aws-for-fluent-bit")
+    image_version                    = optional(string, "stable")
+    cpu                              = optional(number)
+    memory_limit_mib                 = optional(number)
+    is_log_router_essential          = optional(bool, false)
+    is_log_router_dependency_enabled = optional(bool, false)
+    log_router_health_check = optional(object({
+      command      = optional(list(string))
+      interval     = optional(number)
+      retries      = optional(number)
+      start_period = optional(number)
+      timeout      = optional(number)
+      }),
+      {
+        command      = ["CMD-SHELL", "exit 0"]
+        interval     = 5
+        retries      = 3
+        start_period = 15
+        timeout      = 5
+      }
+    )
+    log_driver_configuration = optional(object({
+      host_endpoint = optional(string, "http-intake.logs.datadoghq.com")
+      tls           = optional(bool)
+      compress      = optional(string)
+      service_name  = optional(string)
+      source_name   = optional(string)
+      message_key   = optional(string)
+      }),
+      {
+        host_endpoint = "http-intake.logs.datadoghq.com"
+      }
+    )
+  })
+  default = {
+    enabled                 = false
+    is_log_router_essential = false
+    log_driver_configuration = {
+      host_endpoint = "http-intake.logs.datadoghq.com"
+    }
+  }
+  validation {
+    condition     = var.dd_log_collection != null
+    error_message = "The Datadog Log Collection configuration must be defined."
+  }
+  validation {
+    condition     = var.dd_log_collection.log_driver_configuration != null
+    error_message = "The Datadog Log Collection log driver configuration must be defined."
+  }
+  validation {
+    condition     = var.dd_log_collection.log_driver_configuration.host_endpoint != null
+    error_message = "The Datadog Log Collection log driver configuration host endpoint must be defined."
+  }
+}
+
 ################################################################################
 # Task Definition
 ################################################################################