The AWS Integration with Terraform
Using Terraform, you can create the Datadog IAM role, policy document, and the Datadog-AWS integration with a single `terraform apply` command.
- Configure the Datadog Terraform provider to interact with the Datadog API through a Terraform configuration.
Note: The `datadog_integration_aws_account` resource replaced the `datadog_integration_aws` resource in version 3.50.0 of the Datadog Terraform provider. To upgrade from the `datadog_integration_aws` resource, see Upgrading from datadog_integration_aws resources.
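- Set up your Terraform configuration file using the example below as a base template. Be sure to update the following parameters before you apply the changes:
`AWS_PERMISSIONS_LIST`: The IAM policies needed by Datadog AWS integrations, entered as the list of IAM actions in the policy document. The current list is available in the Datadog AWS integration documentation.
`AWS_ACCOUNT_ID`: Your AWS account ID (written as `<ACCOUNT_ID>` in the example).
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
This example is repeated three times on this page. The copies differ only in the AWS account ID of the principal trusted by the assume-role policy. Confirm in the Datadog AWS integration documentation which account ID applies to your Datadog site before you apply.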
# Trust policy for the integration role.
# Principals in AWS account 464622532012 may call sts:AssumeRole, and only when
# the request presents the external ID exported by the
# datadog_integration_aws_account resource. The sts:ExternalId condition is the
# confused-deputy guard for this cross-account role; keep it in place.
# NOTE(review): 464622532012 is presumably Datadog's AWS account for one
# Datadog site -- confirm it against Datadog's documentation before applying.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"]
    }

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::464622532012:root"]
    }
  }
}
# Permissions document for the integration role.
# <AWS_PERMISSIONS_LIST> is a placeholder, not valid HCL: replace it with the
# quoted IAM action strings from Datadog's AWS integration documentation.
# resources = ["*"] applies every listed action to all resources in the
# account, so the action list is the only limit on this policy. Review the
# list before applying and avoid widening it with wildcard actions.
data "aws_iam_policy_document" "datadog_aws_integration" {
  statement {
    resources = ["*"]
    actions   = [<AWS_PERMISSIONS_LIST>]
  }
}
# Customer-managed IAM policy whose body is the rendered JSON of the
# datadog_aws_integration policy document.
resource "aws_iam_policy" "datadog_aws_integration" {
  policy = data.aws_iam_policy_document.datadog_aws_integration.json
  name   = "DatadogAWSIntegrationPolicy"
}
# IAM role for the integration. Who may assume it is decided entirely by the
# datadog_aws_integration_assume_role trust policy document.
# The same name is written as a literal in the role_name argument of
# datadog_integration_aws_account; change both together.
resource "aws_iam_role" "datadog_aws_integration" {
  description        = "Role for Datadog AWS Integration"
  name               = "DatadogIntegrationRole"
  assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
# Attaches the customer-managed DatadogAWSIntegrationPolicy to the integration
# role.
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
  policy_arn = aws_iam_policy.datadog_aws_integration.arn
  role       = aws_iam_role.datadog_aws_integration.name
}
# Also attaches the AWS-managed SecurityAudit policy, so the role's effective
# permissions are wider than <AWS_PERMISSIONS_LIST> alone.
# NOTE(review): presumably needed for the resource collection enabled in
# resources_config of datadog_integration_aws_account -- confirm, and drop
# this attachment if that collection is not used.
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
  role       = aws_iam_role.datadog_aws_integration.name
}
# Registers the AWS account with Datadog using role-based authentication.
# Replace <ACCOUNT_ID> with your AWS account ID before applying.
resource "datadog_integration_aws_account" "datadog_integration" {
  aws_account_id = "<ACCOUNT_ID>"
  aws_partition  = "aws"
  account_tags   = []

  auth_config {
    aws_auth_config_role {
      # Literal on purpose: the role's trust policy reads this resource's
      # external_id, so referencing aws_iam_role.datadog_aws_integration.name
      # here would create a dependency cycle. Must equal the aws_iam_role name.
      role_name = "DatadogIntegrationRole"
    }
  }

  # Every region is in scope; narrow this if only some regions should be
  # collected.
  aws_regions {
    include_all = true
  }

  # Both resource-collection options are switched on in this template.
  resources_config {
    cloud_security_posture_management_collection = true
    extended_collection                          = true
  }

  # The nested blocks below are empty in this template.
  # NOTE(review): presumably provider defaults apply -- see the Terraform
  # Registry for the available arguments.
  logs_config {
    lambda_forwarder {}
  }

  metrics_config {
    namespace_filters {}
  }

  traces_config {
    xray_services {}
  }
}
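- Set up your Terraform configuration file using the example below as a base template. Be sure to update the following parameters before you apply the changes:
`AWS_PERMISSIONS_LIST`: The IAM policies needed by Datadog AWS integrations, entered as the list of IAM actions in the policy document. The current list is available in the Datadog AWS integration documentation.
`AWS_ACCOUNT_ID`: Your AWS account ID (written as `<ACCOUNT_ID>` in the example).
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
This copy of the example trusts AWS account 417141415827 in its assume-role policy; it is otherwise identical to the other copies on this page.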
# Trust policy for the integration role.
# Principals in AWS account 417141415827 may call sts:AssumeRole, and only when
# the request presents the external ID exported by the
# datadog_integration_aws_account resource. The sts:ExternalId condition is the
# confused-deputy guard for this cross-account role; keep it in place.
# NOTE(review): 417141415827 is presumably Datadog's AWS account for one
# Datadog site -- confirm it against Datadog's documentation before applying.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"]
    }

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::417141415827:root"]
    }
  }
}
# Permissions document for the integration role.
# <AWS_PERMISSIONS_LIST> is a placeholder, not valid HCL: replace it with the
# quoted IAM action strings from Datadog's AWS integration documentation.
# resources = ["*"] applies every listed action to all resources in the
# account, so the action list is the only limit on this policy. Review the
# list before applying and avoid widening it with wildcard actions.
data "aws_iam_policy_document" "datadog_aws_integration" {
  statement {
    resources = ["*"]
    actions   = [<AWS_PERMISSIONS_LIST>]
  }
}
# Customer-managed IAM policy whose body is the rendered JSON of the
# datadog_aws_integration policy document.
resource "aws_iam_policy" "datadog_aws_integration" {
  policy = data.aws_iam_policy_document.datadog_aws_integration.json
  name   = "DatadogAWSIntegrationPolicy"
}
# IAM role for the integration. Who may assume it is decided entirely by the
# datadog_aws_integration_assume_role trust policy document.
# The same name is written as a literal in the role_name argument of
# datadog_integration_aws_account; change both together.
resource "aws_iam_role" "datadog_aws_integration" {
  description        = "Role for Datadog AWS Integration"
  name               = "DatadogIntegrationRole"
  assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
# Attaches the customer-managed DatadogAWSIntegrationPolicy to the integration
# role.
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
  policy_arn = aws_iam_policy.datadog_aws_integration.arn
  role       = aws_iam_role.datadog_aws_integration.name
}
# Also attaches the AWS-managed SecurityAudit policy, so the role's effective
# permissions are wider than <AWS_PERMISSIONS_LIST> alone.
# NOTE(review): presumably needed for the resource collection enabled in
# resources_config of datadog_integration_aws_account -- confirm, and drop
# this attachment if that collection is not used.
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
  role       = aws_iam_role.datadog_aws_integration.name
}
# Registers the AWS account with Datadog using role-based authentication.
# Replace <ACCOUNT_ID> with your AWS account ID before applying.
resource "datadog_integration_aws_account" "datadog_integration" {
  aws_account_id = "<ACCOUNT_ID>"
  aws_partition  = "aws"
  account_tags   = []

  auth_config {
    aws_auth_config_role {
      # Literal on purpose: the role's trust policy reads this resource's
      # external_id, so referencing aws_iam_role.datadog_aws_integration.name
      # here would create a dependency cycle. Must equal the aws_iam_role name.
      role_name = "DatadogIntegrationRole"
    }
  }

  # Every region is in scope; narrow this if only some regions should be
  # collected.
  aws_regions {
    include_all = true
  }

  # Both resource-collection options are switched on in this template.
  resources_config {
    cloud_security_posture_management_collection = true
    extended_collection                          = true
  }

  # The nested blocks below are empty in this template.
  # NOTE(review): presumably provider defaults apply -- see the Terraform
  # Registry for the available arguments.
  logs_config {
    lambda_forwarder {}
  }

  metrics_config {
    namespace_filters {}
  }

  traces_config {
    xray_services {}
  }
}
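- Set up your Terraform configuration file using the example below as a base template. Be sure to update the following parameters before you apply the changes:
`AWS_PERMISSIONS_LIST`: The IAM policies needed by Datadog AWS integrations, entered as the list of IAM actions in the policy document. The current list is available in the Datadog AWS integration documentation.
`AWS_ACCOUNT_ID`: Your AWS account ID (written as `<ACCOUNT_ID>` in the example).
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
This copy of the example trusts AWS account 065115117704 in its assume-role policy; it is otherwise identical to the other copies on this page.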
# Trust policy for the integration role.
# Principals in AWS account 065115117704 may call sts:AssumeRole, and only when
# the request presents the external ID exported by the
# datadog_integration_aws_account resource. The sts:ExternalId condition is the
# confused-deputy guard for this cross-account role; keep it in place.
# NOTE(review): 065115117704 is presumably Datadog's AWS account for one
# Datadog site -- confirm it against Datadog's documentation before applying.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"]
    }

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::065115117704:root"]
    }
  }
}
# Permissions document for the integration role.
# <AWS_PERMISSIONS_LIST> is a placeholder, not valid HCL: replace it with the
# quoted IAM action strings from Datadog's AWS integration documentation.
# resources = ["*"] applies every listed action to all resources in the
# account, so the action list is the only limit on this policy. Review the
# list before applying and avoid widening it with wildcard actions.
data "aws_iam_policy_document" "datadog_aws_integration" {
  statement {
    resources = ["*"]
    actions   = [<AWS_PERMISSIONS_LIST>]
  }
}
# Customer-managed IAM policy whose body is the rendered JSON of the
# datadog_aws_integration policy document.
resource "aws_iam_policy" "datadog_aws_integration" {
  policy = data.aws_iam_policy_document.datadog_aws_integration.json
  name   = "DatadogAWSIntegrationPolicy"
}
# IAM role for the integration. Who may assume it is decided entirely by the
# datadog_aws_integration_assume_role trust policy document.
# The same name is written as a literal in the role_name argument of
# datadog_integration_aws_account; change both together.
resource "aws_iam_role" "datadog_aws_integration" {
  description        = "Role for Datadog AWS Integration"
  name               = "DatadogIntegrationRole"
  assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
# Attaches the customer-managed DatadogAWSIntegrationPolicy to the integration
# role.
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
  policy_arn = aws_iam_policy.datadog_aws_integration.arn
  role       = aws_iam_role.datadog_aws_integration.name
}
# Also attaches the AWS-managed SecurityAudit policy, so the role's effective
# permissions are wider than <AWS_PERMISSIONS_LIST> alone.
# NOTE(review): presumably needed for the resource collection enabled in
# resources_config of datadog_integration_aws_account -- confirm, and drop
# this attachment if that collection is not used.
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
  role       = aws_iam_role.datadog_aws_integration.name
}
# Registers the AWS account with Datadog using role-based authentication.
# Replace <ACCOUNT_ID> with your AWS account ID before applying.
resource "datadog_integration_aws_account" "datadog_integration" {
  aws_account_id = "<ACCOUNT_ID>"
  aws_partition  = "aws"
  account_tags   = []

  auth_config {
    aws_auth_config_role {
      # Literal on purpose: the role's trust policy reads this resource's
      # external_id, so referencing aws_iam_role.datadog_aws_integration.name
      # here would create a dependency cycle. Must equal the aws_iam_role name.
      role_name = "DatadogIntegrationRole"
    }
  }

  # Every region is in scope; narrow this if only some regions should be
  # collected.
  aws_regions {
    include_all = true
  }

  # Both resource-collection options are switched on in this template.
  resources_config {
    cloud_security_posture_management_collection = true
    extended_collection                          = true
  }

  # The nested blocks below are empty in this template.
  # NOTE(review): presumably provider defaults apply -- see the Terraform
  # Registry for the available arguments.
  logs_config {
    lambda_forwarder {}
  }

  metrics_config {
    namespace_filters {}
  }

  traces_config {
    xray_services {}
  }
}
- Run `terraform apply`. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS overview dashboard to see metrics sent by your AWS services and infrastructure.
Additional helpful documentation, links, and articles: