The AWS Integration with Terraform
Using Terraform, you can create the Datadog IAM role, policy document, and the Datadog-AWS integration with a single terraform apply command.
- Configure the Datadog Terraform provider to interact with the Datadog API through a Terraform configuration.
- If you haven’t already, configure
api_url to your Datadog site’s API URL. - Note: The
datadog_integration_aws_account resource replaced the datadog_integration_aws resource in version 3.50.0 of the Datadog Terraform provider. To upgrade from the datadog_integration_aws resource, see Upgrading from datadog_integration_aws resources.
- Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes:
AWS_ACCOUNT_ID: Your AWS account ID.
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::464622532012:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config, set cloud_security_posture_management_collection = true.
- Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes:
AWS_ACCOUNT_ID: Your AWS account ID.
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::417141415827:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
# Optionally, specify services to include for X-Ray tracing
traces_config {
xray_services {
}
}
# Optionally, specify the ARN of the Datadog Forwarder Lambda function and sources to enable for automatic log collection
logs_config {
lambda_forwarder {
}
}
# Optionally, specify namespaces to exclude from metric collection
metrics_config {
namespace_filters {
}
}
}
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config, set cloud_security_posture_management_collection = true.
- Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes:
AWS_ACCOUNT_ID: Your AWS account ID.
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::412381753143:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config, set cloud_security_posture_management_collection = true.
- Select the tab for your AWS account type, and then use the example below as a base template to set up your Terraform configuration file. Ensure to update the following parameters before you apply the changes:
AWS_ACCOUNT_ID: Your AWS account ID.
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::392588925713:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = ["arn:aws-us-gov:iam::065115117704:root"]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [
"${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}"
]
}
}
}
data "datadog_integration_aws_iam_permissions" "datadog_permissions" {}
locals {
all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions
max_policy_size = 6144
target_chunk_size = 5900
permission_sizes = [
for perm in local.all_permissions :
length(perm) + 3
]
cumulative_sizes = [
for i in range(length(local.permission_sizes)) :
sum(slice(local.permission_sizes, 0, i + 1))
]
chunk_assignments = [
for cumulative_size in local.cumulative_sizes :
floor(cumulative_size / local.target_chunk_size)
]
chunk_numbers = distinct(local.chunk_assignments)
permission_chunks = [
for chunk_num in local.chunk_numbers : [
for i, perm in local.all_permissions :
perm if local.chunk_assignments[i] == chunk_num
]
]
}
data "aws_iam_policy_document" "datadog_aws_integration" {
count = length(local.permission_chunks)
statement {
actions = local.permission_chunks[count.index]
resources = ["*"]
}
}
resource "aws_iam_policy" "datadog_aws_integration" {
count = length(local.permission_chunks)
name = "DatadogAWSIntegrationPolicy-${count.index + 1}"
policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json
}
resource "aws_iam_role" "datadog_aws_integration" {
name = "DatadogIntegrationRole"
description = "Role for Datadog AWS Integration"
assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
count = length(local.permission_chunks)
role = aws_iam_role.datadog_aws_integration.name
policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn
}
resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
role = aws_iam_role.datadog_aws_integration.name
policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
resource "datadog_integration_aws_account" "datadog_integration" {
account_tags = []
aws_account_id = "<ACCOUNT_ID>"
aws_partition = "aws-us-gov"
aws_regions {
include_all = true
}
auth_config {
aws_auth_config_role {
role_name = "DatadogIntegrationRole"
}
}
resources_config {
cloud_security_posture_management_collection = false
extended_collection = true
}
traces_config {
xray_services {
}
}
logs_config {
lambda_forwarder {
}
}
metrics_config {
namespace_filters {
}
}
}
See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.
By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under resources_config, set cloud_security_posture_management_collection = true.
- Run
terraform apply. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS overview dashboard to see metrics sent by your AWS services and infrastructure.
Additional helpful documentation, links, and articles:
