From 37817df9623bca292971ed1b2b5655f5bb528fca Mon Sep 17 00:00:00 2001
From: vmankonda <vmankonda@newrelic.com>
Date: Thu, 30 Jan 2025 14:43:42 +0530
Subject: [PATCH 1/3] Added condition support for US GOV cloud

---
 examples/modules/cloud-integrations/aws/main.tf      | 4 ++--
 examples/modules/cloud-integrations/aws/variables.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/modules/cloud-integrations/aws/main.tf b/examples/modules/cloud-integrations/aws/main.tf
index 7e5776756..8338b27e7 100644
--- a/examples/modules/cloud-integrations/aws/main.tf
+++ b/examples/modules/cloud-integrations/aws/main.tf
@@ -5,7 +5,7 @@ data "aws_iam_policy_document" "newrelic_assume_policy" {
     principals {
       type = "AWS"
       // This is the unique identifier for New Relic account on AWS, there is no need to change this
-      identifiers = [754728514883]
+      identifiers = var.newrelic_account_region == "US_GOV" ? [266471868085] : [754728514883]
     }
 
     condition {
@@ -125,7 +125,7 @@ resource "aws_kinesis_firehose_delivery_stream" "newrelic_firehose_stream" {
   name        = "newrelic_firehose_stream_${var.name}"
   destination = "http_endpoint"
   http_endpoint_configuration {
-    url                = var.newrelic_account_region == "US" ? "https://aws-api.newrelic.com/cloudwatch-metrics/v1" : "https://aws-api.eu01.nr-data.net/cloudwatch-metrics/v1"
+    url                = var.newrelic_account_region == "US_GOV" ? "https://gov-aws-api.newrelic.com/cloudwatch-metrics/v1" : (var.newrelic_account_region == "US" ? "https://aws-api.newrelic.com/cloudwatch-metrics/v1" : "https://aws-api.eu01.nr-data.net/cloudwatch-metrics/v1)"
     name               = "New Relic ${var.name}"
     access_key         = newrelic_api_access_key.newrelic_aws_access_key.key
     buffering_size     = 1
diff --git a/examples/modules/cloud-integrations/aws/variables.tf b/examples/modules/cloud-integrations/aws/variables.tf
index 378af7083..d3fc88402 100644
--- a/examples/modules/cloud-integrations/aws/variables.tf
+++ b/examples/modules/cloud-integrations/aws/variables.tf
@@ -7,7 +7,7 @@ variable "newrelic_account_region" {
   default = "US"
 
   validation {
-    condition     = contains(["US", "EU"], var.newrelic_account_region)
+    condition     = contains(["US", "EU", "US_GOV"], var.newrelic_account_region)
     error_message = "Valid values for region are 'US' or 'EU'."
   }
 }

From 105f034d4f5b9c4c85ddf71fb97db61748d99f6e Mon Sep 17 00:00:00 2001
From: vmankonda <vmankonda@newrelic.com>
Date: Thu, 30 Jan 2025 16:08:34 +0530
Subject: [PATCH 2/3] Revert "Added condition support for US GOV cloud"

This reverts commit 37817df9623bca292971ed1b2b5655f5bb528fca.
---
 examples/modules/cloud-integrations/aws/main.tf      | 4 ++--
 examples/modules/cloud-integrations/aws/variables.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/modules/cloud-integrations/aws/main.tf b/examples/modules/cloud-integrations/aws/main.tf
index 8338b27e7..7e5776756 100644
--- a/examples/modules/cloud-integrations/aws/main.tf
+++ b/examples/modules/cloud-integrations/aws/main.tf
@@ -5,7 +5,7 @@ data "aws_iam_policy_document" "newrelic_assume_policy" {
     principals {
       type = "AWS"
       // This is the unique identifier for New Relic account on AWS, there is no need to change this
-      identifiers = var.newrelic_account_region == "US_GOV" ? [266471868085] : [754728514883]
+      identifiers = [754728514883]
     }
 
     condition {
@@ -125,7 +125,7 @@ resource "aws_kinesis_firehose_delivery_stream" "newrelic_firehose_stream" {
   name        = "newrelic_firehose_stream_${var.name}"
   destination = "http_endpoint"
   http_endpoint_configuration {
-    url                = var.newrelic_account_region == "US_GOV" ? "https://gov-aws-api.newrelic.com/cloudwatch-metrics/v1" : (var.newrelic_account_region == "US" ? "https://aws-api.newrelic.com/cloudwatch-metrics/v1" : "https://aws-api.eu01.nr-data.net/cloudwatch-metrics/v1)"
+    url                = var.newrelic_account_region == "US" ? "https://aws-api.newrelic.com/cloudwatch-metrics/v1" : "https://aws-api.eu01.nr-data.net/cloudwatch-metrics/v1"
     name               = "New Relic ${var.name}"
     access_key         = newrelic_api_access_key.newrelic_aws_access_key.key
     buffering_size     = 1
diff --git a/examples/modules/cloud-integrations/aws/variables.tf b/examples/modules/cloud-integrations/aws/variables.tf
index d3fc88402..378af7083 100644
--- a/examples/modules/cloud-integrations/aws/variables.tf
+++ b/examples/modules/cloud-integrations/aws/variables.tf
@@ -7,7 +7,7 @@ variable "newrelic_account_region" {
   default = "US"
 
   validation {
-    condition     = contains(["US", "EU", "US_GOV"], var.newrelic_account_region)
+    condition     = contains(["US", "EU"], var.newrelic_account_region)
     error_message = "Valid values for region are 'US' or 'EU'."
   }
 }

From 18442cd5fc461cdb69d29dc915cf9b3504379239 Mon Sep 17 00:00:00 2001
From: vmankonda <vmankonda@newrelic.com>
Date: Thu, 30 Jan 2025 17:17:47 +0530
Subject: [PATCH 3/3] US GOV Terraform Support

1. Created separate configurations for gov cloud.
2. applied correct resources assigned for gov cloud
3. removed aws resources for which gov cloud permissions do not allow integrations. check https://docs.newrelic.com/docs/infrastructure/amazon-integrations/connect/connect-aws-govcloud-new-relic/
---
 .../cloud-integrations/aws_us_gov/main.tf     | 320 ++++++++++++++++++
 .../aws_us_gov/providers.tf                   |  10 +
 .../aws_us_gov/variables.tf                   |  20 ++
 3 files changed, 350 insertions(+)
 create mode 100644 examples/modules/cloud-integrations/aws_us_gov/main.tf
 create mode 100644 examples/modules/cloud-integrations/aws_us_gov/providers.tf
 create mode 100644 examples/modules/cloud-integrations/aws_us_gov/variables.tf

diff --git a/examples/modules/cloud-integrations/aws_us_gov/main.tf b/examples/modules/cloud-integrations/aws_us_gov/main.tf
new file mode 100644
index 000000000..c7dbd83f7
--- /dev/null
+++ b/examples/modules/cloud-integrations/aws_us_gov/main.tf
@@ -0,0 +1,320 @@
+data "aws_iam_policy_document" "newrelic_assume_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "AWS"
+      // This is the unique identifier for New Relic account on AWS, there is no need to change this
+      identifiers = [266471868085]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "sts:ExternalId"
+      values   = [var.newrelic_account_id]
+    }
+  }
+}
+
+resource "aws_iam_role" "newrelic_aws_role" {
+  name               = "NewRelicInfrastructure-Integrations-${var.name}"
+  description        = "New Relic Cloud integration role"
+  assume_role_policy = data.aws_iam_policy_document.newrelic_assume_policy.json
+}
+
+resource "aws_iam_policy" "newrelic_aws_permissions" {
+  name        = "NewRelicCloudStreamReadPermissions-${var.name}"
+  description = ""
+  policy      = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "budgets:ViewBudget",
+        "cloudtrail:LookupEvents",
+        "config:BatchGetResourceConfig",
+        "config:ListDiscoveredResources",
+        "ec2:DescribeInternetGateways",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeNatGateways",
+        "ec2:DescribeVpcEndpoints",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeNetworkAcls",
+        "ec2:DescribeVpcAttribute",
+        "ec2:DescribeRouteTables",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeVpcPeeringConnections",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeVpnConnections",
+        "health:DescribeAffectedEntities",
+        "health:DescribeEventDetails",
+        "health:DescribeEvents",
+        "tag:GetResources",
+        "xray:BatchGet*",
+        "xray:Get*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "newrelic_aws_policy_attach" {
+  role       = aws_iam_role.newrelic_aws_role.name
+  policy_arn = aws_iam_policy.newrelic_aws_permissions.arn
+}
+
+resource "newrelic_cloud_aws_govcloud_link_account" "newrelic_cloud_integration_push" {
+  account_id             = var.newrelic_account_id
+  metric_collection_mode = "PUSH"
+  name                   = "${var.name} metric stream"
+  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach]
+  access_key_id          = newrelic_api_access_key.newrelic_aws_access_key.key
+  secret_access_key      = newrelic_api_access_key.newrelic_aws_access_key.key
+  aws_account_id         = "266471868085"
+}
+
+resource "newrelic_api_access_key" "newrelic_aws_access_key" {
+  account_id  = var.newrelic_account_id
+  key_type    = "INGEST"
+  ingest_type = "LICENSE"
+  name        = "Metric Stream Key for ${var.name}"
+  notes       = "AWS Cloud Integrations Metric Stream Key"
+}
+
+resource "aws_iam_role" "firehose_newrelic_role" {
+  name = "firehose_newrelic_role_${var.name}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "firehose.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "random_string" "s3-bucket-name" {
+  length  = 8
+  special = false
+  upper   = false
+}
+
+resource "aws_s3_bucket" "newrelic_aws_bucket" {
+  bucket        = "newrelic-aws-bucket-${random_string.s3-bucket-name.id}"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_ownership_controls" "newrelic_ownership_controls" {
+  bucket = aws_s3_bucket.newrelic_aws_bucket.id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "newrelic_firehose_stream" {
+  name        = "newrelic_firehose_stream_${var.name}"
+  destination = "http_endpoint"
+  http_endpoint_configuration {
+    url                = "https://gov-aws-api.newrelic.com/cloudwatch-metrics/v1"
+    name               = "New Relic ${var.name}"
+    access_key         = newrelic_api_access_key.newrelic_aws_access_key.key
+    buffering_size     = 1
+    buffering_interval = 60
+    role_arn           = aws_iam_role.firehose_newrelic_role.arn
+    s3_backup_mode     = "FailedDataOnly"
+    s3_configuration {
+      role_arn           = aws_iam_role.firehose_newrelic_role.arn
+      bucket_arn         = aws_s3_bucket.newrelic_aws_bucket.arn
+      buffering_size     = 10
+      buffering_interval = 400
+      compression_format = "GZIP"
+    }
+    request_configuration {
+      content_encoding = "GZIP"
+    }
+  }
+}
+
+resource "aws_iam_role" "metric_stream_to_firehose" {
+  name = "newrelic_metric_stream_to_firehose_role_${var.name}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "streams.metrics.cloudwatch.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "metric_stream_to_firehose" {
+  name = "default"
+  role = aws_iam_role.metric_stream_to_firehose.id
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "firehose:PutRecord",
+                "firehose:PutRecordBatch"
+            ],
+            "Resource": "${aws_kinesis_firehose_delivery_stream.newrelic_firehose_stream.arn}"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_cloudwatch_metric_stream" "newrelic_metric_stream" {
+  name          = "newrelic-metric-stream-${var.name}"
+  role_arn      = aws_iam_role.metric_stream_to_firehose.arn
+  firehose_arn  = aws_kinesis_firehose_delivery_stream.newrelic_firehose_stream.arn
+  output_format = "opentelemetry0.7"
+
+  dynamic "exclude_filter" {
+    for_each = var.exclude_metric_filters
+
+    content {
+      namespace    = exclude_filter.key
+      metric_names = exclude_filter.value
+    }
+  }
+
+  dynamic "include_filter" {
+    for_each = var.include_metric_filters
+
+    content {
+      namespace    = include_filter.key
+      metric_names = include_filter.value
+    }
+  }
+}
+
+resource "newrelic_cloud_aws_govcloud_link_account" "newrelic_cloud_integration_pull" {
+  account_id             = var.newrelic_account_id
+  metric_collection_mode = "PULL"
+  name                   = "${var.name} pull"
+  depends_on             = [aws_iam_role_policy_attachment.newrelic_aws_policy_attach]
+  access_key_id          = newrelic_api_access_key.newrelic_aws_access_key.key
+  secret_access_key      = newrelic_api_access_key.newrelic_aws_access_key.key
+  aws_account_id         = "266471868085"
+}
+
+resource "newrelic_cloud_aws_govcloud_integrations" "newrelic_cloud_integration_pull" {
+  account_id        = var.newrelic_account_id
+  linked_account_id = newrelic_cloud_aws_govcloud_link_account.newrelic_cloud_integration_pull.id
+  cloudtrail {}
+  s3 {}
+  sqs {}
+  ebs {}
+  alb {}
+  api_gateway {}
+  auto_scaling {}
+  aws_direct_connect {}
+  aws_states {}
+   dynamo_db {}
+  ec2 {}
+  elastic_search {}
+  elb {}
+  emr {}
+  iam {}
+  lambda {}
+  rds {}
+  red_shift {}
+  route53 {}
+  sns {}
+}
+
+resource "aws_s3_bucket" "newrelic_configuration_recorder_s3" {
+  bucket        = "newrelic-configuration-recorder-${random_string.s3-bucket-name.id}"
+  force_destroy = true
+}
+
+resource "aws_iam_role" "newrelic_configuration_recorder" {
+  name               = "newrelic_configuration_recorder-${var.name}"
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+                "Service": "config.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+      ]
+    }
+EOF
+}
+
+resource "aws_iam_role_policy" "newrelic_configuration_recorder_s3" {
+  name = "newrelic-configuration-recorder-s3-${var.name}"
+  role = aws_iam_role.newrelic_configuration_recorder.id
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:*"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "${aws_s3_bucket.newrelic_configuration_recorder_s3.arn}",
+        "${aws_s3_bucket.newrelic_configuration_recorder_s3.arn}/*"
+      ]
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "newrelic_configuration_recorder" {
+  role       = aws_iam_role.newrelic_configuration_recorder.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
+}
+
+resource "aws_config_configuration_recorder" "newrelic_recorder" {
+  name     = "newrelic_configuration_recorder-${var.name}"
+  role_arn = aws_iam_role.newrelic_configuration_recorder.arn
+}
+
+resource "aws_config_configuration_recorder_status" "newrelic_recorder_status" {
+  name       = aws_config_configuration_recorder.newrelic_recorder.name
+  is_enabled = true
+  depends_on = [aws_config_delivery_channel.newrelic_recorder_delivery]
+}
+
+resource "aws_config_delivery_channel" "newrelic_recorder_delivery" {
+  name           = "newrelic_configuration_recorder-${var.name}"
+  s3_bucket_name = aws_s3_bucket.newrelic_configuration_recorder_s3.bucket
+  depends_on = [
+    aws_config_configuration_recorder.newrelic_recorder
+  ]
+}
diff --git a/examples/modules/cloud-integrations/aws_us_gov/providers.tf b/examples/modules/cloud-integrations/aws_us_gov/providers.tf
new file mode 100644
index 000000000..628185e5f
--- /dev/null
+++ b/examples/modules/cloud-integrations/aws_us_gov/providers.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    newrelic = {
+      source = "newrelic/newrelic"
+    }
+  }
+}
diff --git a/examples/modules/cloud-integrations/aws_us_gov/variables.tf b/examples/modules/cloud-integrations/aws_us_gov/variables.tf
new file mode 100644
index 000000000..a2c72e471
--- /dev/null
+++ b/examples/modules/cloud-integrations/aws_us_gov/variables.tf
@@ -0,0 +1,20 @@
+variable "newrelic_account_id" {
+  type = string
+}
+
+variable "name" {
+  type    = string
+  default = "production"
+}
+
+variable "exclude_metric_filters" {
+  description = "Map of exclusive metric filters. Use the namespace as the key and the list of metric names as the value."
+  type        = map(list(string))
+  default     = {}
+}
+
+variable "include_metric_filters" {
+  description = "Map of inclusive metric filters. Use the namespace as the key and the list of metric names as the value."
+  type        = map(list(string))
+  default     = {}
+}