add optional access logs target bucket Resolves #764 (#779)

DataDog · May 30, 2024 · 7f551c3 · 7f551c3
1 parent 61f1670
commit 7f551c3
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/aws/logs_monitoring/template.yaml b/aws/logs_monitoring/template.yaml
@@ -229,6 +229,10 @@ Parameters:
     Type: String
     Default: ""
     Description: The name of the forwarder bucket to create. If not provided, AWS will generate a unique name.
+  DdForwarderBucketsAccessLogsTarget:
+    Type: String
+    Default: ""
+    Description: (Optional) The name of the S3 bucket to store access logs. Leave empty if access logging is not needed.    
   DdStoreFailedEvents:
     Type: String
     Default: false
@@ -433,6 +437,7 @@ Conditions:
       - Fn::Equals:
           - Ref: ReservedConcurrency
           - ""
+  ShouldUseAccessLogBucket: !Not [!Equals [!Ref DdForwarderBucketsAccessLogsTarget, ""]]          
   SetForwarderBucket:
     Fn::Or:
       - Condition: CreateS3Bucket
@@ -886,6 +891,13 @@ Resources:
         BlockPublicPolicy: true
         IgnorePublicAcls: true
         RestrictPublicBuckets: true
+      LoggingConfiguration:
+        !If
+          - ShouldUseAccessLogBucket
+          -
+            DestinationBucketName: !Ref DdForwarderBucketsAccessLogsTarget
+            LogFilePrefix: "datadog-forwarder/"
+          - !Ref "AWS::NoValue"        
       LifecycleConfiguration:
        Rules:
        - Id: delete-incomplete-mpu-7days