feat: Support FIPS-compliant extension layer #30
Conversation
variables.tf
Outdated
| @@ -32,6 +32,12 @@ variable "datadog_python_layer_version" { | |||
| default = 106 | |||
| } | |||
|
|
|||
| variable "datadog_enable_fips" { | |||
There was a problem hiding this comment.
Could you rename it as datadog_is_fips_enabled to be consistent with Serverless Plugin?
DataDog/serverless-plugin-datadog#598 (comment)
There was a problem hiding this comment.
Done! I see that there was also a change in that PR to make FIPS the default when in GovCloud. Would you prefer that behavior here as well? I'd just need to move that logic into the locals block.
There was a problem hiding this comment.
Yes, please go ahead. Thanks for helping with this change!
There was a problem hiding this comment.
Apologies for the late response! So in the serverless plugin site is a proper parameter, whereas here it's just a DD_SITE entry in an environment_variables map. That plus the fact that TF doesn't support conditional variable defaults (iirc) might make the implementation a bit sloppy.
I went ahead and gave it a go, but I'm also happy to revert it if it's a little too magical. Changing the default behavior might also be considered a breaking change.
| @@ -55,7 +56,7 @@ locals { | |||
|
|
|||
| locals { | |||
| datadog_extension_layer_arn = "${local.datadog_layer_name_base}:Datadog-Extension${local.datadog_extension_layer_suffix}:${var.datadog_extension_layer_version}" | |||
| datadog_extension_layer_suffix = local.datadog_layer_suffix | |||
| datadog_extension_layer_suffix = "${local.datadog_layer_suffix}${local.fips_suffix}" | |||
There was a problem hiding this comment.
what are we using the existing "datadog_layer_suffix" bit for? can we reuse it for fips?
There was a problem hiding this comment.
Looks like it's a lookup on the architectures variable and determines the suffix for both the layer for the Datadog Lambda Library and the layer for the Lambda Extension.
From what I've gathered from the docs, the Extension has FIPS-compatible layers, but the Lambda Library does not. So the suffixes are related, but do actually need to be different in this case.
Reference: #29