The AWS Integration with Terraform
Using Terraform, you can create the Datadog IAM role, policy document, and the Datadog-AWS integration with a single terraform apply
command.
- Configure the Datadog Terraform provider to interact with the Datadog API through a Terraform configuration.
- If you haven’t already, configure
api_url
to your Datadog site’s API URL. - Note: The
datadog_integration_aws_account
resource replaced the datadog_integration_aws
resource in version 3.50.0
of the Datadog Terraform provider. To upgrade from the datadog_integration_aws
resource, see Upgrading from datadog_integration_aws resources.
- Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes:
AWS_PERMISSIONS_LIST
: The IAM policies needed by Datadog AWS integrations. The current list is available in the Datadog AWS integration documentation.AWS_ACCOUNT_ID
: Your AWS account ID.
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::464622532012:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration" {
statement {
actions = [<AWS_PERMISSIONS_LIST>]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
name = "DatadogAWSIntegrationPolicy"
policy = data.aws_iam_policy_document.datadog_aws_integration.json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration.arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config
, set cloud_security_posture_management_collection = true
.
- Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes:
AWS_PERMISSIONS_LIST
: The IAM policies needed by Datadog AWS integrations. The current list is available in the Datadog AWS integration documentation.AWS_ACCOUNT_ID
: Your AWS account ID.
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::417141415827:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration" {
statement {
actions = [<AWS_PERMISSIONS_LIST>]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
name = "DatadogAWSIntegrationPolicy"
policy = data.aws_iam_policy_document.datadog_aws_integration.json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration.arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
# Optionally, specify services to include for X-Ray tracing
traces_config {
xray_services {
}
}
# Optionally, specify the ARN of the Datadog Forwarder Lambda function and sources to enable for automatic log collection
logs_config {
lambda_forwarder {
}
}
# Optionally, specify namespaces to exclude from metric collection
metrics_config {
namespace_filters {
}
}
}
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config
, set cloud_security_posture_management_collection = true
.
- Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes:
AWS_PERMISSIONS_LIST
: The IAM policies needed by Datadog AWS integrations. The current list is available in the Datadog AWS integration documentation.AWS_ACCOUNT_ID
: Your AWS account ID.
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::412381753143:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration" {
statement {
actions = [<AWS_PERMISSIONS_LIST>]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
name = "DatadogAWSIntegrationPolicy"
policy = data.aws_iam_policy_document.datadog_aws_integration.json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration.arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config
, set cloud_security_posture_management_collection = true
.
- Select the tab for your AWS account type, and then use the example below as a base template to set up your Terraform configuration file. Ensure to update the following parameters before you apply the changes:
AWS_PERMISSIONS_LIST
: The IAM policies needed by Datadog AWS integrations. The current list is available in the Datadog AWS integration documentation.AWS_ACCOUNT_ID
: Your AWS account ID.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::392588925713:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration" {
statement {
actions = [<AWS_PERMISSIONS_LIST>]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
name = "DatadogAWSIntegrationPolicy"
policy = data.aws_iam_policy_document.datadog_aws_integration.json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration.arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::065115117704:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration" {
statement {
actions = [<AWS_PERMISSIONS_LIST>]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
name = "DatadogAWSIntegrationPolicy"
policy = data.aws_iam_policy_document.datadog_aws_integration.json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration.arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws-us-gov"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config
, set cloud_security_posture_management_collection = true
.
- Run
terraform apply
. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS overview dashboard to see metrics sent by your AWS services and infrastructure.
Additional helpful documentation, links, and articles:
Further Reading
Additional helpful documentation, links, and articles: