La integración de AWS con Terraform
Mediante el uso de Terraform, puedes crear el rol IAM de Datadog, el documento de política y la integración Datadog-AWS con un único comando terraform apply.
- Configura el proveedor de Terraform en Datadog]2 para interactuar con la API de Datadog a través de una configuración de Terraform.
- Si aún no lo has hecho, configura
api_url con la URL de la API de tu sitio Datadog. - Nota: El recurso
datadog_integration_aws_account sustituyó al recurso datadog_integration_aws en la versión 3.50.0 del proveedor de Datadog Terraform. Para actualizar desde el recurso datadog_integration_aws, consulta Actualización desde recursos de datadog_integration_aws.
- Configura tu archivo de ajustes de Terraform utilizando el siguiente ejemplo como plantilla base. Asegúrate de actualizar los siguientes parámetros antes de aplicar los cambios:
AWS_ACCOUNT_ID: El ID de tu cuenta de AWS.
Consulta el registro de Terraform para obtener más ejemplos de uso y la lista completa de parámetros opcionales, así como recursos adicionales de Datadog.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::464622532012:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
Por defecto, la configuración anterior no incluye Cloud Security. Para habilitar Cloud Security, en resources_config, establece cloud_security_posture_management_collection = true.
- Configura tu archivo de ajustes de Terraform utilizando el siguiente ejemplo como plantilla base. Asegúrate de actualizar los siguientes parámetros antes de aplicar los cambios:
AWS_ACCOUNT_ID: El ID de tu cuenta de AWS.
Consulta el registro de Terraform para obtener más ejemplos de uso y la lista completa de parámetros opcionales, así como recursos adicionales de Datadog.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::417141415827:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
# Optionally, specify services to include for X-Ray tracing
traces_config {
xray_services {
}
}
# Optionally, specify the ARN of the Datadog Forwarder Lambda function and sources to enable for automatic log collection
logs_config {
lambda_forwarder {
}
}
# Optionally, specify namespaces to exclude from metric collection
metrics_config {
namespace_filters {
}
}
}
Por defecto, la configuración anterior no incluye Cloud Security. Para habilitar Cloud Security, en resources_config, establece cloud_security_posture_management_collection = true.
- Configura tu archivo de ajustes de Terraform utilizando el siguiente ejemplo como plantilla base. Asegúrate de actualizar los siguientes parámetros antes de aplicar los cambios:
AWS_ACCOUNT_ID: El ID de tu cuenta de AWS.
Consulta el registro de Terraform para obtener más ejemplos de uso y la lista completa de parámetros opcionales, así como recursos adicionales de Datadog.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::412381753143:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
Por defecto, la configuración anterior no incluye Cloud Security. Para habilitar Cloud Security, en resources_config, establece cloud_security_posture_management_collection = true.
- Selecciona la pestaña correspondiente a tu tipo de cuenta de AWS y, a continuación, utiliza el ejemplo siguiente como plantilla base para configurar tu archivo de configuración de Terraform. Asegúrate de actualizar los siguientes parámetros antes de aplicar los cambios:
AWS_ACCOUNT_ID: El ID de tu cuenta de AWS.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::392588925713:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws-us-gov:iam::065115117704:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws-us-gov:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws-us-gov"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
Consulta el registro de Terraform para obtener más ejemplos de uso y la lista completa de parámetros opcionales, así como recursos adicionales de Datadog.
Por defecto, la configuración anterior no incluye Cloud Security. Para habilitar Cloud Security, en resources_config, establece cloud_security_posture_management_collection = true.
- Ejecuta
terraform apply. Espera hasta 10 minutos para que los datos comiencen a recopilarse y, a continuación, consulta el dashboard de información general de AWS para ver métricas enviadas por tus servicios e infraestructura de AWS.
Más enlaces, artículos y documentación útiles:
