--- title: The AWS Integration with Terraform description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > Integrations > Integration Guides > The AWS Integration with Terraform --- # The AWS Integration with Terraform Using [Terraform](https://www.terraform.io), you can create the Datadog IAM role, policy document, and the Datadog-AWS integration with a single `terraform apply` command. 1. Configure the [Datadog Terraform provider](https://registry.terraform.io/providers/DataDog/datadog/latest/docs) to interact with the Datadog API through a Terraform configuration. - If you haven't already, configure `api_url` to your Datadog site's API URL. - **Note**: The `datadog_integration_aws_account` resource replaced the `datadog_integration_aws` resource in version `3.50.0` of the Datadog Terraform provider. To upgrade from the `datadog_integration_aws` resource, see [Upgrading from datadog_integration_aws resources](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws_account#upgrading-from-datadog_integration_aws-resources). {% callout %} # Important note for users on the following Datadog sites: app.datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, app.datadoghq.eu Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes: - `AWS_ACCOUNT_ID`: Your AWS account ID. See the [Terraform Registry](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws_account) for further example usage and the full list of optional parameters, as well as additional Datadog resources. ```hcl data "aws_iam_policy_document" "datadog_aws_integration_assume_role" { statement { actions = ["sts:AssumeRole"] principals { type = "AWS" identifiers = ["arn:aws:iam::464622532012:root"] } condition { test = "StringEquals" variable = "sts:ExternalId" values = [ "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}" ] } } } data "datadog_integration_aws_iam_permissions" "datadog_permissions" {} locals { all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions max_policy_size = 6144 target_chunk_size = 5900 permission_sizes = [ for perm in local.all_permissions : length(perm) + 3 ] cumulative_sizes = [ for i in range(length(local.permission_sizes)) : sum(slice(local.permission_sizes, 0, i + 1)) ] chunk_assignments = [ for cumulative_size in local.cumulative_sizes : floor(cumulative_size / local.target_chunk_size) ] chunk_numbers = distinct(local.chunk_assignments) permission_chunks = [ for chunk_num in local.chunk_numbers : [ for i, perm in local.all_permissions : perm if local.chunk_assignments[i] == chunk_num ] ] } data "aws_iam_policy_document" "datadog_aws_integration" { count = length(local.permission_chunks) statement { actions = local.permission_chunks[count.index] resources = ["*"] } } resource "aws_iam_policy" "datadog_aws_integration" { count = length(local.permission_chunks) name = "DatadogAWSIntegrationPolicy-${count.index + 1}" policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json } resource "aws_iam_role" "datadog_aws_integration" { name = "DatadogIntegrationRole" description = "Role for Datadog AWS Integration" assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json } resource "aws_iam_role_policy_attachment" "datadog_aws_integration" { count = length(local.permission_chunks) role = aws_iam_role.datadog_aws_integration.name policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn } resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" { role = aws_iam_role.datadog_aws_integration.name policy_arn = "arn:aws:iam::aws:policy/SecurityAudit" } resource "datadog_integration_aws_account" "datadog_integration" { account_tags = [] aws_account_id = "" aws_partition = "aws" aws_regions { include_all = true } auth_config { aws_auth_config_role { role_name = "DatadogIntegrationRole" } } resources_config { cloud_security_posture_management_collection = false extended_collection = true } traces_config { xray_services { } } logs_config { lambda_forwarder { } } metrics_config { namespace_filters { } } } ``` {% alert level="info" %} By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under `resources_config`, set `cloud_security_posture_management_collection = true`. {% /alert %} {% /callout %} {% callout %} # Important note for users on the following Datadog sites: ap1.datadoghq.com Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes: - `AWS_ACCOUNT_ID`: Your AWS account ID. See the [Terraform Registry](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws) for further example usage and the full list of optional parameters, as well as additional Datadog resources. ```hcl data "aws_iam_policy_document" "datadog_aws_integration_assume_role" { statement { actions = ["sts:AssumeRole"] principals { type = "AWS" identifiers = ["arn:aws:iam::417141415827:root"] } condition { test = "StringEquals" variable = "sts:ExternalId" values = [ "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}" ] } } } data "datadog_integration_aws_iam_permissions" "datadog_permissions" {} locals { all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions max_policy_size = 6144 target_chunk_size = 5900 permission_sizes = [ for perm in local.all_permissions : length(perm) + 3 ] cumulative_sizes = [ for i in range(length(local.permission_sizes)) : sum(slice(local.permission_sizes, 0, i + 1)) ] chunk_assignments = [ for cumulative_size in local.cumulative_sizes : floor(cumulative_size / local.target_chunk_size) ] chunk_numbers = distinct(local.chunk_assignments) permission_chunks = [ for chunk_num in local.chunk_numbers : [ for i, perm in local.all_permissions : perm if local.chunk_assignments[i] == chunk_num ] ] } data "aws_iam_policy_document" "datadog_aws_integration" { count = length(local.permission_chunks) statement { actions = local.permission_chunks[count.index] resources = ["*"] } } resource "aws_iam_policy" "datadog_aws_integration" { count = length(local.permission_chunks) name = "DatadogAWSIntegrationPolicy-${count.index + 1}" policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json } resource "aws_iam_role" "datadog_aws_integration" { name = "DatadogIntegrationRole" description = "Role for Datadog AWS Integration" assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json } resource "aws_iam_role_policy_attachment" "datadog_aws_integration" { count = length(local.permission_chunks) role = aws_iam_role.datadog_aws_integration.name policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn } resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" { role = aws_iam_role.datadog_aws_integration.name policy_arn = "arn:aws:iam::aws:policy/SecurityAudit" } resource "datadog_integration_aws_account" "datadog_integration" { account_tags = [] aws_account_id = "" aws_partition = "aws" aws_regions { include_all = true } auth_config { aws_auth_config_role { role_name = "DatadogIntegrationRole" } } resources_config { cloud_security_posture_management_collection = false extended_collection = true } # Optionally, specify services to include for X-Ray tracing traces_config { xray_services { } } # Optionally, specify the ARN of the Datadog Forwarder Lambda function and sources to enable for automatic log collection logs_config { lambda_forwarder { } } # Optionally, specify namespaces to exclude from metric collection metrics_config { namespace_filters { } } } ``` {% alert level="info" %} By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under `resources_config`, set `cloud_security_posture_management_collection = true`. {% /alert %} {% /callout %} {% callout %} # Important note for users on the following Datadog sites: ap2.datadoghq.com Set up your Terraform configuration file using the example below as a base template. Ensure to update the following parameters before you apply the changes: - `AWS_ACCOUNT_ID`: Your AWS account ID. See the [Terraform Registry](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws) for further example usage and the full list of optional parameters, as well as additional Datadog resources. ```hcl data "aws_iam_policy_document" "datadog_aws_integration_assume_role" { statement { actions = ["sts:AssumeRole"] principals { type = "AWS" identifiers = ["arn:aws:iam::412381753143:root"] } condition { test = "StringEquals" variable = "sts:ExternalId" values = [ "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}" ] } } } data "datadog_integration_aws_iam_permissions" "datadog_permissions" {} locals { all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions max_policy_size = 6144 target_chunk_size = 5900 permission_sizes = [ for perm in local.all_permissions : length(perm) + 3 ] cumulative_sizes = [ for i in range(length(local.permission_sizes)) : sum(slice(local.permission_sizes, 0, i + 1)) ] chunk_assignments = [ for cumulative_size in local.cumulative_sizes : floor(cumulative_size / local.target_chunk_size) ] chunk_numbers = distinct(local.chunk_assignments) permission_chunks = [ for chunk_num in local.chunk_numbers : [ for i, perm in local.all_permissions : perm if local.chunk_assignments[i] == chunk_num ] ] } data "aws_iam_policy_document" "datadog_aws_integration" { count = length(local.permission_chunks) statement { actions = local.permission_chunks[count.index] resources = ["*"] } } resource "aws_iam_policy" "datadog_aws_integration" { count = length(local.permission_chunks) name = "DatadogAWSIntegrationPolicy-${count.index + 1}" policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json } resource "aws_iam_role" "datadog_aws_integration" { name = "DatadogIntegrationRole" description = "Role for Datadog AWS Integration" assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json } resource "aws_iam_role_policy_attachment" "datadog_aws_integration" { count = length(local.permission_chunks) role = aws_iam_role.datadog_aws_integration.name policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn } resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" { role = aws_iam_role.datadog_aws_integration.name policy_arn = "arn:aws:iam::aws:policy/SecurityAudit" } resource "datadog_integration_aws_account" "datadog_integration" { account_tags = [] aws_account_id = "" aws_partition = "aws" aws_regions { include_all = true } auth_config { aws_auth_config_role { role_name = "DatadogIntegrationRole" } } resources_config { cloud_security_posture_management_collection = false extended_collection = true } traces_config { xray_services { } } logs_config { lambda_forwarder { } } metrics_config { namespace_filters { } } } ``` {% alert level="info" %} By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under `resources_config`, set `cloud_security_posture_management_collection = true`. {% /alert %} {% /callout %} {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com Select the tab for your AWS account type, and then use the example below as a base template to set up your Terraform configuration file. Ensure to update the following parameters before you apply the changes: - `AWS_ACCOUNT_ID`: Your AWS account ID. {% tab title="AWS Commercial Cloud" %} ```hcl data "aws_iam_policy_document" "datadog_aws_integration_assume_role" { statement { actions = ["sts:AssumeRole"] principals { type = "AWS" identifiers = ["arn:aws:iam::392588925713:root"] } condition { test = "StringEquals" variable = "sts:ExternalId" values = [ "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}" ] } } } data "datadog_integration_aws_iam_permissions" "datadog_permissions" {} locals { all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions max_policy_size = 6144 target_chunk_size = 5900 permission_sizes = [ for perm in local.all_permissions : length(perm) + 3 ] cumulative_sizes = [ for i in range(length(local.permission_sizes)) : sum(slice(local.permission_sizes, 0, i + 1)) ] chunk_assignments = [ for cumulative_size in local.cumulative_sizes : floor(cumulative_size / local.target_chunk_size) ] chunk_numbers = distinct(local.chunk_assignments) permission_chunks = [ for chunk_num in local.chunk_numbers : [ for i, perm in local.all_permissions : perm if local.chunk_assignments[i] == chunk_num ] ] } data "aws_iam_policy_document" "datadog_aws_integration" { count = length(local.permission_chunks) statement { actions = local.permission_chunks[count.index] resources = ["*"] } } resource "aws_iam_policy" "datadog_aws_integration" { count = length(local.permission_chunks) name = "DatadogAWSIntegrationPolicy-${count.index + 1}" policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json } resource "aws_iam_role" "datadog_aws_integration" { name = "DatadogIntegrationRole" description = "Role for Datadog AWS Integration" assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json } resource "aws_iam_role_policy_attachment" "datadog_aws_integration" { count = length(local.permission_chunks) role = aws_iam_role.datadog_aws_integration.name policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn } resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" { role = aws_iam_role.datadog_aws_integration.name policy_arn = "arn:aws:iam::aws:policy/SecurityAudit" } resource "datadog_integration_aws_account" "datadog_integration" { account_tags = [] aws_account_id = "" aws_partition = "aws" aws_regions { include_all = true } auth_config { aws_auth_config_role { role_name = "DatadogIntegrationRole" } } resources_config { cloud_security_posture_management_collection = false extended_collection = true } traces_config { xray_services { } } logs_config { lambda_forwarder { } } metrics_config { namespace_filters { } } } ``` {% /tab %} {% tab title="AWS GovCloud" %} ```hcl data "aws_iam_policy_document" "datadog_aws_integration_assume_role" { statement { actions = ["sts:AssumeRole"] principals { type = "AWS" identifiers = ["arn:aws-us-gov:iam::065115117704:root"] } condition { test = "StringEquals" variable = "sts:ExternalId" values = [ "${datadog_integration_aws_account.datadog_integration.auth_config.aws_auth_config_role.external_id}" ] } } } data "datadog_integration_aws_iam_permissions" "datadog_permissions" {} locals { all_permissions = data.datadog_integration_aws_iam_permissions.datadog_permissions.iam_permissions max_policy_size = 6144 target_chunk_size = 5900 permission_sizes = [ for perm in local.all_permissions : length(perm) + 3 ] cumulative_sizes = [ for i in range(length(local.permission_sizes)) : sum(slice(local.permission_sizes, 0, i + 1)) ] chunk_assignments = [ for cumulative_size in local.cumulative_sizes : floor(cumulative_size / local.target_chunk_size) ] chunk_numbers = distinct(local.chunk_assignments) permission_chunks = [ for chunk_num in local.chunk_numbers : [ for i, perm in local.all_permissions : perm if local.chunk_assignments[i] == chunk_num ] ] } data "aws_iam_policy_document" "datadog_aws_integration" { count = length(local.permission_chunks) statement { actions = local.permission_chunks[count.index] resources = ["*"] } } resource "aws_iam_policy" "datadog_aws_integration" { count = length(local.permission_chunks) name = "DatadogAWSIntegrationPolicy-${count.index + 1}" policy = data.aws_iam_policy_document.datadog_aws_integration[count.index].json } resource "aws_iam_role" "datadog_aws_integration" { name = "DatadogIntegrationRole" description = "Role for Datadog AWS Integration" assume_role_policy = data.aws_iam_policy_document.datadog_aws_integration_assume_role.json } resource "aws_iam_role_policy_attachment" "datadog_aws_integration" { count = length(local.permission_chunks) role = aws_iam_role.datadog_aws_integration.name policy_arn = aws_iam_policy.datadog_aws_integration[count.index].arn } resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" { role = aws_iam_role.datadog_aws_integration.name policy_arn = "arn:aws-us-gov:iam::aws:policy/SecurityAudit" } resource "datadog_integration_aws_account" "datadog_integration" { account_tags = [] aws_account_id = "" aws_partition = "aws-us-gov" aws_regions { include_all = true } auth_config { aws_auth_config_role { role_name = "DatadogIntegrationRole" } } resources_config { cloud_security_posture_management_collection = false extended_collection = true } traces_config { xray_services { } } logs_config { lambda_forwarder { } } metrics_config { namespace_filters { } } } ``` {% /tab %} See the [Terraform Registry](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_aws) for further example usage and the full list of optional parameters, as well as additional Datadog resources. {% alert level="info" %} By default, the above configuration doesn't include Cloud Security. To enable Cloud Security, under `resources_config`, set `cloud_security_posture_management_collection = true`. {% /alert %} {% /callout %} Run `terraform apply`. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box [AWS overview dashboard](https://app.datadoghq.com/screen/integration/7/aws-overview) to see metrics sent by your AWS services and infrastructure. - [Managing Datadog with Terraform](https://www.datadoghq.com/blog/managing-datadog-with-terraform/)