La integración de AWS con Terraform
To find out if this integration is available in your organization, see your Datadog Integrations page or ask your organization administrator.
To initiate an exception request to enable this integration for your organization, email support@ddog-gov.com.
Mediante el uso de Terraform, puedes crear el rol IAM de Datadog, el documento de política y la integración Datadog-AWS con un único comando terraform apply.
- Configura el proveedor de Terraform en Datadog]2 para interactuar con la API de Datadog a través de una configuración de Terraform.
- Si aún no lo has hecho, configura
api_url con la URL de la API de tu sitio Datadog. - Nota: El recurso
datadog_integration_aws_account sustituyó al recurso datadog_integration_aws en la versión 3.50.0 del proveedor de Datadog Terraform. Para actualizar desde el recurso datadog_integration_aws, consulta Actualización desde recursos de datadog_integration_aws.
- Configura tu archivo de ajustes de Terraform utilizando el siguiente ejemplo como plantilla base. Asegúrate de actualizar los siguientes parámetros antes de aplicar los cambios:
AWS_ACCOUNT_ID: El ID de tu cuenta de AWS.
Consulta el registro de Terraform para obtener más ejemplos de uso y la lista completa de parámetros opcionales, así como recursos adicionales de Datadog.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::464622532012:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
Por defecto, la configuración anterior no incluye Cloud Security. Para habilitar Cloud Security, en resources_config, establece cloud_security_posture_management_collection = true.
- Configura tu archivo de ajustes de Terraform utilizando el siguiente ejemplo como plantilla base. Asegúrate de actualizar los siguientes parámetros antes de aplicar los cambios:
AWS_ACCOUNT_ID: El ID de tu cuenta de AWS.
Consulta el registro de Terraform para obtener más ejemplos de uso y la lista completa de parámetros opcionales, así como recursos adicionales de Datadog.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::417141415827:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
# Optionally, specify services to include for X-Ray tracing
traces_config {
xray_services {
}
}
# Optionally, specify the ARN of the Datadog Forwarder Lambda function and sources to enable for automatic log collection
logs_config {
lambda_forwarder {
}
}
# Optionally, specify namespaces to exclude from metric collection
metrics_config {
namespace_filters {
}
}
}
Por defecto, la configuración anterior no incluye Cloud Security. Para habilitar Cloud Security, en resources_config, establece cloud_security_posture_management_collection = true.
- Configura tu archivo de ajustes de Terraform utilizando el siguiente ejemplo como plantilla base. Asegúrate de actualizar los siguientes parámetros antes de aplicar los cambios:
AWS_ACCOUNT_ID: El ID de tu cuenta de AWS.
Consulta el registro de Terraform para obtener más ejemplos de uso y la lista completa de parámetros opcionales, así como recursos adicionales de Datadog.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::412381753143:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
Por defecto, la configuración anterior no incluye Cloud Security. Para habilitar Cloud Security, en resources_config, establece cloud_security_posture_management_collection = true.
- Selecciona la pestaña correspondiente a tu tipo de cuenta de AWS y, a continuación, utiliza el ejemplo siguiente como plantilla base para configurar tu archivo de configuración de Terraform. Asegúrate de actualizar los siguientes parámetros antes de aplicar los cambios:
AWS_ACCOUNT_ID: El ID de tu cuenta de AWS.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::392588925713:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws-us-gov:iam::065115117704:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws-us-gov:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws-us-gov"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
Consulta el registro de Terraform para obtener más ejemplos de uso y la lista completa de parámetros opcionales, así como recursos adicionales de Datadog.
Por defecto, la configuración anterior no incluye Cloud Security. Para habilitar Cloud Security, en resources_config, establece cloud_security_posture_management_collection = true.
- Ejecuta
terraform apply. Espera hasta 10 minutos para que los datos comiencen a recopilarse y, a continuación, consulta el dashboard de información general de AWS para ver métricas enviadas por tus servicios e infraestructura de AWS.
Más enlaces, artículos y documentación útiles:
