4 changes: 2 additions & 2 deletions examples/cloudwatch-metrics-stream-single-account/README.md
Expand Up @@ -248,10 +248,10 @@ $ terraform apply
|------------------------------------------------------------------------------------------------------------|-------------|------|---------|:--------:|
| <a name="sysdig_monitor_api_token"></a> [sysdig\_monitor\_api\_token](#input\_sysdig\_monitor\_api\_token) | Your Sysdig API Key | `string` | n/a | yes |
| <a name="sysdig_monitor_url"></a> [sysdig\_monitor\_url](#input\_sysdig\_monitor\_url) | Sysdig input endpoint | `string` | n/a | yes |
| <a name="sysdig_aws_account_id"> </a> [sysdig\_aws\_account\_id](#input\_sysdig\_aws\_account\_id) | Sysdig AWS accountId that will assume MonitoringRole to check status of CloudWatch metric stream | `string` | `""` | no |
| <a name="sysdig_aws_account_id"> </a> [sysdig\_aws\_account\_id](#input\_sysdig\_aws\_account\_id) | Sysdig AWS accountId that will assume MonitoringRole to check status of CloudWatch metric stream. Required only id `create_new_role` is `true` | `string` | `""` | no |
| <a name="monitoring_role_name"></a> [monitoring\_role\_name](#input\_monitoring\_role\_name) | The role name used for delegation over the customer resources towards the Sysdig AWS account. Only for AWS when the authentication mode is role delegation instead of secret key | `string` | `"SysdigCloudwatchIntegrationMonitoringRole"`| no |
| <a name="create_new_role"></a> [create\_new\_role](#input\_create\_new\_role) | Whether the role above already exists or should be created from scratch | `bool` | false | no |
| <a name="sysdig_external_id"></a> [sysdig\_external\_id](#input\_sysdig\_external\_id) | Your Sysdig External ID which will be used when assuming roles in the account | `string` | `""` | no |
| <a name="sysdig_external_id"></a> [sysdig\_external\_id](#input\_sysdig\_external\_id) | Your Sysdig External ID which will be used when assuming roles in the account. Required only id `create_new_role` is `true` | `string` | `""` | no |
| <a name="secret_key"></a> [secret\_key](#input\_secret\_key) | The the secret key for a AWS connection. It must be provided along access_key_id when this auth mode is used | `string` | n/a | no |
| <a name="access_key_id"></a> [access\_key\_id](#input\_access\_key\_id) | The ID for the access key that has the permissions into the Cloud Account. It must be provided along secret_key when this auth mode is used | `string` | n/a | no |
| <a name="include_filters"></a> [include\_filters](#input\_include\_filters) | List of inclusive metric filters. If you specify this parameter, the stream sends only the conditional metric names from the metric namespaces that you specify here. If you don't specify metric names or provide empty metric names whole metric namespace is included. Conflicts with `exclude_filter` | `Object` | n/a | no |
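Review bot: both rewritten rows contain the typo "Required only id `create_new_role` is `true`"; "id" should read "if". While these rows are being touched, the Default column here now shows `""` for `sysdig_aws_account_id` and `sysdig_external_id`, which matches the new `default = ""` in variables.tf, but the same table in modules/cloud-watch-metrics-stream/README.md still lists n/a for those inputs; keep the two tables consistent, ideally by regenerating both from the variables files.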
20 changes: 12 additions & 8 deletions examples/cloudwatch-metrics-stream-single-account/variables.tf
Expand Up @@ -20,10 +20,10 @@ variable "sysdig_monitor_url" {
variable "sysdig_aws_account_id" {
description = "Sysdig AWS accountId that will assume MonitoringRole to check status of CloudWatch metric stream"
type = string
default = "default"
default = ""
validation {
condition = length(var.sysdig_aws_account_id) > 1
error_message = "Sysdig AWS Account ID is required."
condition = var.create_new_role == false || length(var.sysdig_aws_account_id) > 1
error_message = "Sysdig AWS Account ID is required when create_new_role is true."
}
}
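Review bot: the new condition `var.create_new_role == false || length(var.sysdig_aws_account_id) > 1` references `var.create_new_role` from inside the `validation` block of a different variable. Terraform only accepts cross-variable references in `validation` conditions from version 1.9 onward; older versions reject the block because a condition may only refer to the variable being validated. Either declare `required_version = ">= 1.9"` in the example or move this check into a `precondition` on the resource that consumes the account ID. Independently of that, `length(...) > 1` accepts any two-character string; since an AWS account ID is always 12 digits, `can(regex("^[0-9]{12}$", var.sysdig_aws_account_id))` would reject a malformed value before it is written into the role's trust policy.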

Expand All @@ -46,22 +46,26 @@ variable "create_new_role" {
variable "sysdig_external_id" {
description = "Your Sysdig External ID which will be used when assuming roles in the account"
type = string
default = "default"
default = ""
validation {
condition = length(var.sysdig_external_id) > 1
error_message = "Sysdig external ID is required."
condition = var.create_new_role == false || length(var.sysdig_external_id) > 1
error_message = "Sysdig external ID is required when create_new_role is true."
}
}

variable "secret_key" {
description = "value of the secret key"
description = "Value of the secret key to check status of CloudWatch metric stream"
type = string
sensitive = true
default = ""
validation {
condition = (var.secret_key == "" && var.access_key_id == "") || (var.secret_key != "" && var.access_key_id != "")
error_message = "Secret key and access key id must be both set or both empty."
}
}

variable "access_key_id" {
description = "value of the access key id"
description = "Value of the access key id to check status of CloudWatch metric stream"
type = string
default = ""
}
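Review bot: the new `secret_key` validation reads `var.access_key_id`, so it carries the same constraint as the other validations in this change: cross-variable references in a `validation` block require Terraform 1.9 or newer, and the example should state that version requirement. The both-or-neither rule itself is correct and, because the condition is evaluated whenever `secret_key` is set or left empty, it also fires when only `access_key_id` is supplied. Consider adding `sensitive = true` to `access_key_id` as well: on its own the key ID is not a credential, but it is one half of a long-lived static credential pair and marking it sensitive keeps it out of plan output and CI logs.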
26 changes: 13 additions & 13 deletions modules/cloud-watch-metrics-stream/README.md
Expand Up @@ -70,19 +70,19 @@ No modules.

## Inputs

| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------|-------------|------|---------|:--------:|
| <a name="sysdig_monitor_api_token"></a> [sysdig\_monitor\_api\_token](#input\_sysdig\_monitor\_api\_token) | Your Sysdig API Key | `string` | n/a | yes |
| <a name="sysdig_monitor_url"></a> [sysdig\_monitor\_url](#input\_sysdig\_monitor\_url) | Sysdig input endpoint | `string` | n/a | yes |
| <a name="sysdig_aws_account_id"> </a> [sysdig\_aws\_account\_id](#input\_sysdig\_aws\_account\_id) | Sysdig AWS accountId that will assume MonitoringRole to check status of CloudWatch metric stream | `string` | n/a | yes |
| <a name="monitoring_role_name"></a> [monitoring\_role\_name](#input\_monitoring\_role\_name) | The role name used for delegation over the customer resources towards the Sysdig AWS account. Only for AWS when the authentication mode is role delegation instead of secret key | `string` | `"SysdigCloudwatchIntegrationMonitoringRole"`| no |
| <a name="create_new_role"></a> [create\_new\_role](#input\_create\_new\_role) | Whether the role above already exists or should be created from scratch | `bool` | n/a | no |
| <a name="sysdig_external_id"></a> [sysdig\_external\_id](#input\_sysdig\_external\_id) | Your Sysdig External ID which will be used when assuming roles in the account | `string` | n/a | no |
| <a name="secret_key"></a> [secret\_key](#input\_secret\_key) | The the secret key for a AWS connection. It must be provided along access_key_id when this auth mode is used | `string` | n/a | no |
| <a name="access_key_id"></a> [access\_key\_id](#input\_access\_key\_id) | The ID for the access key that has the permissions into the Cloud Account. It must be provided along secret_key when this auth mode is used | `string` | n/a | no |
| <a name="include_filters"></a> [include\_filters](#input\_include\_filters) | List of inclusive metric filters. If you specify this parameter, the stream sends only the conditional metric names from the metric namespaces that you specify here. If you don't specify metric names or provide empty metric names whole metric namespace is included. Conflicts with `exclude_filter` | `Object` | n/a | no |
| <a name="exclude_filters"></a> [exclude\_filters](#input\_exclude\_filters) | List of exclusive metric filters. If you specify this parameter, the stream sends metrics from all metric namespaces except for the namespaces and the conditional metric names that you specify here. If you don't specify metric names or provide empty metric names whole metric namespace is excluded. Conflicts with `include_filter` | `Object` | n/a | no |
| <a name="tags"></a> [tags](#input\_tags) | Map of tags to apply to resources | `map string` | n/a | no |
| Name | Description | Type | Default | Required |
|------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------------------------------------------|:--------:|
| <a name="sysdig_monitor_api_token"></a> [sysdig\_monitor\_api\_token](#input\_sysdig\_monitor\_api\_token) | Your Sysdig API Key | `string` | n/a | yes |
| <a name="sysdig_monitor_url"></a> [sysdig\_monitor\_url](#input\_sysdig\_monitor\_url) | Sysdig input endpoint | `string` | n/a | yes |
| <a name="sysdig_aws_account_id"> </a> [sysdig\_aws\_account\_id](#input\_sysdig\_aws\_account\_id) | Sysdig AWS accountId that will assume MonitoringRole to check status of CloudWatch metric stream. Required only id `create_new_role` is `true` | `string` | n/a | no |
| <a name="monitoring_role_name"></a> [monitoring\_role\_name](#input\_monitoring\_role\_name) | The role name used for delegation over the customer resources towards the Sysdig AWS account. Only for AWS when the authentication mode is role delegation instead of secret key | `string` | `"SysdigCloudwatchIntegrationMonitoringRole"` | no |
| <a name="create_new_role"></a> [create\_new\_role](#input\_create\_new\_role) | Whether the role above already exists or should be created from scratch | `bool` | n/a | no |
| <a name="sysdig_external_id"></a> [sysdig\_external\_id](#input\_sysdig\_external\_id) | Your Sysdig External ID which will be used when assuming roles in the account. Required only id `create_new_role` is `true` | `string` | n/a | no |
| <a name="secret_key"></a> [secret\_key](#input\_secret\_key) | The the secret key for a AWS connection. It must be provided along access_key_id when this auth mode is used | `string` | n/a | no |
| <a name="access_key_id"></a> [access\_key\_id](#input\_access\_key\_id) | The ID for the access key that has the permissions into the Cloud Account. It must be provided along secret_key when this auth mode is used | `string` | n/a | no |
| <a name="include_filters"></a> [include\_filters](#input\_include\_filters) | List of inclusive metric filters. If you specify this parameter, the stream sends only the conditional metric names from the metric namespaces that you specify here. If you don't specify metric names or provide empty metric names whole metric namespace is included. Conflicts with `exclude_filter` | `Object` | n/a | no |
| <a name="exclude_filters"></a> [exclude\_filters](#input\_exclude\_filters) | List of exclusive metric filters. If you specify this parameter, the stream sends metrics from all metric namespaces except for the namespaces and the conditional metric names that you specify here. If you don't specify metric names or provide empty metric names whole metric namespace is excluded. Conflicts with `include_filter` | `Object` | n/a | no |
| <a name="tags"></a> [tags](#input\_tags) | Map of tags to apply to resources | `map string` | n/a | no |

## Outputs

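Review bot: the rewritten `sysdig_aws_account_id` and `sysdig_external_id` rows repeat the typo "Required only id"; it should be "Required only if". The Default column for those two inputs still says n/a although this PR changes their defaults to `""` in modules/cloud-watch-metrics-stream/variables.tf, and `create_new_role` likewise shows n/a with no default given; the table should reflect the actual variable defaults, since a reader deciding between role delegation and static keys relies on them. The rest of the diff in this table is column padding only, which makes the real change hard to spot; if the padding comes from terraform-docs, say so in the commit message.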
4 changes: 2 additions & 2 deletions modules/cloud-watch-metrics-stream/iam.tf
Expand Up @@ -23,7 +23,7 @@ resource "aws_iam_role" "sysdig_cloudwatch_metric_stream_role" {

resource "aws_iam_role" "sysdig_cloudwatch_integration_monitoring_role" {
count = var.create_new_role ? 1 : 0
name = "${var.monitoring_role_name}-${data.aws_caller_identity.me.account_id}"
name = var.create_new_role ? "${var.monitoring_role_name}-${data.aws_caller_identity.me.account_id}" : var.monitoring_role_name
path = "/"
description = "A role to check status of stack creation and metric stream itself"
assume_role_policy = data.aws_iam_policy_document.sysdig_cloudwatch_integration_monitoring_role_assume_role.json
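Review bot: the new `name` expression has a branch that can never execute. This resource is gated by `count = var.create_new_role ? 1 : 0`, so it only exists when `create_new_role` is true, and the `: var.monitoring_role_name` alternative is dead code; the original `"${var.monitoring_role_name}-${data.aws_caller_identity.me.account_id}"` is clearer. The change does highlight a naming contract worth documenting on the `monitoring_role_name` variable: a role created by this module is named with the `-<account_id>` suffix, while a pre-existing role (`create_new_role = false`) must be named exactly `var.monitoring_role_name` with no suffix, as main.tf now assumes. Someone who first deployed with `create_new_role = true` and later switches to `false` will get a role-not-found failure unless they pass the suffixed name.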
Expand All @@ -34,6 +34,6 @@ resource "aws_iam_role_policy" "cloud_monitoring_policy" {
count = var.create_new_role ? 1 : 0
depends_on = [ aws_iam_role.sysdig_cloudwatch_integration_monitoring_role[0] ]
name = aws_iam_role.sysdig_cloudwatch_integration_monitoring_role[0].id
role = "${var.monitoring_role_name}-${data.aws_caller_identity.me.account_id}"
role = var.create_new_role ? "${var.monitoring_role_name}-${data.aws_caller_identity.me.account_id}" : var.monitoring_role_name
policy = data.aws_iam_policy_document.iam_role_task_policy_cloud_monitoring_policy.json
}
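Review bot: same dead branch as in the role resource above: with `count = var.create_new_role ? 1 : 0` the policy attachment only exists when `create_new_role` is true, so the `: var.monitoring_role_name` alternative in `role` is never taken. Rather than re-deriving the name string, reference the managed resource directly, `role = aws_iam_role.sysdig_cloudwatch_integration_monitoring_role[0].name`; that keeps the policy bound to the role this module created, makes the explicit `depends_on` unnecessary, and cannot drift from the `name` expression in the role resource.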
6 changes: 3 additions & 3 deletions modules/cloud-watch-metrics-stream/main.tf
Expand Up @@ -87,17 +87,17 @@ resource "time_sleep" "wait_60_seconds" {
}

resource "sysdig_monitor_cloud_account" "assume_role_cloud_account" {
count = var.create_new_role ? 1 : 0
count = var.secret_key == "" || var.access_key_id == "" ? 1 : 0
cloud_provider = "AWS"
integration_type = "Metrics Streams"
account_id = "${data.aws_caller_identity.me.account_id}"
role_name = "${var.monitoring_role_name}-${data.aws_caller_identity.me.account_id}"
role_name = var.create_new_role ? "${var.monitoring_role_name}-${data.aws_caller_identity.me.account_id}" : var.monitoring_role_name

depends_on = [ time_sleep.wait_60_seconds[0] ]
}

resource "sysdig_monitor_cloud_account" "secret_key_cloud_account" {
count = var.create_new_role || var.secret_key == "" || var.access_key_id == "" ? 0 : 1
count = var.secret_key == "" || var.access_key_id == "" ? 0 : 1
cloud_provider = "AWS"
integration_type = "Metrics Streams"
secret_key = var.secret_key
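Review bot: the `count` on `assume_role_cloud_account` no longer depends on `create_new_role`, but the resource still declares `depends_on = [ time_sleep.wait_60_seconds[0] ]`. The `count` of that `time_sleep` resource is outside this hunk; if it is gated on `create_new_role`, a deployment with an existing role and no static keys now selects the assume-role account while index 0 of the sleep does not exist, and the plan fails. Check that the sleep's `count` uses the same `var.secret_key == "" || var.access_key_id == ""` condition. The condition itself parses as intended, since `||` binds tighter than `? :`, and together with the new both-or-neither validation on `secret_key` the two `count` expressions are exact complements, so exactly one `sysdig_monitor_cloud_account` is registered per deployment.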
20 changes: 12 additions & 8 deletions modules/cloud-watch-metrics-stream/variables.tf
Expand Up @@ -20,10 +20,10 @@ variable "sysdig_monitor_url" {
variable "sysdig_aws_account_id" {
description = "Sysdig AWS accountId that will assume MonitoringRole to check status of CloudWatch metric stream"
type = string
default = "default"
default = ""
validation {
condition = length(var.sysdig_aws_account_id) > 1
error_message = "Sysdig AWS Account ID is required."
condition = var.create_new_role == false || length(var.sysdig_aws_account_id) > 1
error_message = "Sysdig AWS Account ID is required when create_new_role is true."
}
}
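Review bot: `var.create_new_role == false || length(var.sysdig_aws_account_id) > 1` refers to `var.create_new_role` inside the `validation` block of `sysdig_aws_account_id`, which Terraform only supports from 1.9; on earlier versions the module fails to load because a validation condition may only reference its own variable. Since this is the published module rather than an example, add the `required_version` constraint to the module's `terraform` block, or express the requirement as a `precondition` on the IAM role that uses the account ID. The check is also weak for its purpose: the value ends up as the principal in the monitoring role's trust policy, so it should be validated as exactly 12 digits rather than merely longer than one character.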

Expand All @@ -46,22 +46,26 @@ variable "create_new_role" {
variable "sysdig_external_id" {
description = "Your Sysdig External ID which will be used when assuming roles in the account"
type = string
default = "default"
default = ""
validation {
condition = length(var.sysdig_external_id) > 1
error_message = "Sysdig external ID is required."
condition = var.create_new_role == false || length(var.sysdig_external_id) > 1
error_message = "Sysdig external ID is required when create_new_role is true."
}
}

variable "secret_key" {
description = "value of the secret key"
description = "Value of the secret key to check status of CloudWatch metric stream"
type = string
sensitive = true
default = ""
validation {
condition = (var.secret_key == "" && var.access_key_id == "") || (var.secret_key != "" && var.access_key_id != "")
error_message = "Secret key and access key id must be both set or both empty."
}
}

variable "access_key_id" {
description = "value of the access key id"
description = "Value of the access key id to check status of CloudWatch metric stream"
type = string
default = ""
}
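Review bot: the `secret_key` validation references `var.access_key_id` and the `sysdig_external_id` validation references `var.create_new_role`; both need Terraform 1.9 or newer for cross-variable references in `validation` blocks, which the module should declare. The both-or-neither check is the right guard for the new `count` logic in main.tf, because a half-configured key pair would otherwise silently fall through to the assume-role path. Two smaller points: `access_key_id` should probably be `sensitive = true` like its partner, and the new descriptions say the keys are used "to check status of CloudWatch metric stream", so it would help operators to state the minimum permissions those keys need, given that static keys are the less preferred option next to role delegation.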