The AWS Integration with Terraform

Using Terraform, you can create the Datadog IAM role, policy document, and the Datadog-AWS integration with a single terraform apply command.

  1. Configure the Datadog Terraform provider to interact with the Datadog API through a Terraform configuration.

  1. Set up your Terraform configuration file using the example below as a base template. Be sure to update the following parameters before you apply the changes:

    • AWS_PERMISSIONS_LIST: The IAM policies needed by Datadog AWS integrations. The current list is available in the Datadog AWS integration documentation.
    • AWS_ACCOUNT_ID: Your AWS account ID.

    See the Datadog AWS integration resource page in the Terraform registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.

    # Trust policy for the integration role: defines who may call
    # sts:AssumeRole on it and under which condition.
    data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
      statement {
        actions = ["sts:AssumeRole"]

        # The only trusted principal is this one AWS account; the :root form
        # delegates the decision to IAM identities inside that account.
        # NOTE(review): presumably Datadog's own account for your Datadog
        # site - confirm the ID against Datadog's documentation before applying.
        principals {
          type        = "AWS"
          identifiers = ["arn:aws:iam::464622532012:root"]
        }

        # The caller must present the external ID exported by
        # datadog_integration_aws.sandbox. This ties the cross-account trust
        # to this one integration (confused-deputy protection); do not remove
        # or loosen it to a wildcard match.
        condition {
          test     = "StringEquals"
          variable = "sts:ExternalId"
          values = [
            "${datadog_integration_aws.sandbox.external_id}"
          ]
        }
      }
    }
    
    # Permissions granted to the integration role once it has been assumed.
    data "aws_iam_policy_document" "datadog_aws_integration" {
      statement {
        # Placeholder: substitute the permission list from the Datadog AWS
        # integration documentation.
        actions = [<AWS_PERMISSIONS_LIST>]

        # Every resource in the account is in scope, so the action list above
        # is the only bound on what the role can do. Review that list for
        # write or wildcard actions before applying.
        resources = ["*"]
      }
    }
    
    # Customer-managed IAM policy rendered from the datadog_aws_integration
    # policy document.
    resource "aws_iam_policy" "datadog_aws_integration" {
      name   = "DatadogAWSIntegrationPolicy"
      policy = "${data.aws_iam_policy_document.datadog_aws_integration.json}"
    }
    
    # Cross-account role for the integration. Its trust policy is the
    # external-ID-gated assume-role document.
    # The name must stay equal to role_name in datadog_integration_aws.sandbox,
    # which is written there as a literal string.
    resource "aws_iam_role" "datadog_aws_integration" {
      name               = "DatadogAWSIntegrationRole"
      description        = "Role for Datadog AWS Integration"
      assume_role_policy = "${data.aws_iam_policy_document.datadog_aws_integration_assume_role.json}"
    }
    
    # Attaches the custom integration policy to the integration role.
    resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
      role       = "${aws_iam_role.datadog_aws_integration.name}"
      policy_arn = "${aws_iam_policy.datadog_aws_integration.arn}"
    }
    
    # Attaches the AWS-managed SecurityAudit policy to the same role, on top
    # of the custom policy.
    # NOTE(review): this page does not say which Datadog feature needs it -
    # confirm it is required for your use and drop the attachment otherwise.
    resource "aws_iam_role_policy_attachment" "datadog_aws_integration_security_audit" {
      role       = "${aws_iam_role.datadog_aws_integration.name}"
      policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
    }
    
    # Registers the AWS account with Datadog. The external_id attribute of
    # this resource feeds the sts:ExternalId condition in the role's trust
    # policy.
    resource "datadog_integration_aws" "sandbox" {
      account_id = "<AWS_ACCOUNT_ID>"

      # Must be a literal: the role's trust policy reads this resource's
      # external_id, so referencing aws_iam_role here would form a dependency
      # cycle. Keep it equal to the aws_iam_role name.
      role_name = "DatadogAWSIntegrationRole"
    }
    

  1. Set up your Terraform configuration file using the example below as a base template. Be sure to update the following parameters before you apply the changes:

    • AWS_PERMISSIONS_LIST: The IAM policies needed by Datadog AWS integrations. The current list is available in the Datadog AWS integration documentation.
    • AWS_ACCOUNT_ID: Your AWS account ID.

    See the Terraform Registry for further example usage and the full list of optional parameters, as well as additional Datadog resources.

    # Trust policy for the integration role: defines who may call
    # sts:AssumeRole on it and under which condition.
    data "aws_iam_policy_document" "datadog_aws_integration_assume_role" {
      statement {
        actions = ["sts:AssumeRole"]

        # The only trusted principal is this one AWS account; the :root form
        # delegates the decision to IAM identities inside that account.
        # NOTE(review): this ID differs from the one in the other template on
        # this page; presumably it is Datadog's account for a different
        # Datadog site - confirm which one matches yours before applying.
        principals {
          type        = "AWS"
          identifiers = ["arn:aws:iam::417141415827:root"]
        }

        # The caller must present the external ID exported by
        # datadog_integration_aws.sandbox. This ties the cross-account trust
        # to this one integration (confused-deputy protection); do not remove
        # or loosen it to a wildcard match.
        condition {
          test     = "StringEquals"
          variable = "sts:ExternalId"
          values = [
            "${datadog_integration_aws.sandbox.external_id}"
          ]
        }
      }
    }
    
    # Permissions granted to the integration role once it has been assumed.
    data "aws_iam_policy_document" "datadog_aws_integration" {
      statement {
        # Placeholder: substitute the permission list from the Datadog AWS
        # integration documentation.
        actions = [<AWS_PERMISSIONS_LIST>]

        # Every resource in the account is in scope, so the action list above
        # is the only bound on what the role can do. Review that list for
        # write or wildcard actions before applying.
        resources = ["*"]
      }
    }
    
    # Customer-managed IAM policy rendered from the datadog_aws_integration
    # policy document.
    resource "aws_iam_policy" "datadog_aws_integration" {
      name   = "DatadogAWSIntegrationPolicy"
      policy = "${data.aws_iam_policy_document.datadog_aws_integration.json}"
    }
    
    # Cross-account role for the integration. Its trust policy is the
    # external-ID-gated assume-role document.
    # The name must stay equal to role_name in datadog_integration_aws.sandbox,
    # which is written there as a literal string.
    resource "aws_iam_role" "datadog_aws_integration" {
      name               = "DatadogAWSIntegrationRole"
      description        = "Role for Datadog AWS Integration"
      assume_role_policy = "${data.aws_iam_policy_document.datadog_aws_integration_assume_role.json}"
    }
    
    # Attaches the custom integration policy to the integration role. It is
    # the only policy attachment in this template.
    resource "aws_iam_role_policy_attachment" "datadog_aws_integration" {
      role       = "${aws_iam_role.datadog_aws_integration.name}"
      policy_arn = "${aws_iam_policy.datadog_aws_integration.arn}"
    }
    
    # Registers the AWS account with Datadog. The external_id attribute of
    # this resource feeds the sts:ExternalId condition in the role's trust
    # policy.
    resource "datadog_integration_aws" "sandbox" {
      account_id = "<AWS_ACCOUNT_ID>"

      # Must be a literal: the role's trust policy reads this resource's
      # external_id, so referencing aws_iam_role here would form a dependency
      # cycle. Keep it equal to the aws_iam_role name.
      role_name = "DatadogAWSIntegrationRole"
    }
    

  1. If you are using access keys to install the Datadog AWS integration, ensure that you have created an IAM user with the necessary permissions and access key as described in the AWS manual setup guide. Add your access key ID and secret access key to the placeholders in the example below. For information about using Terraform to set up the AWS user and associated access key, see the AWS Provider resources in the Terraform Registry.

    # Access-key variant of the integration: Datadog authenticates with a
    # long-lived IAM user key instead of assuming a role.
    # Do not commit real key material in this file. Supply both values from
    # sensitive Terraform variables or a secrets manager. Terraform also
    # records them in state, so the state backend needs encryption and
    # restricted access. Scope the IAM user to the integration's permissions
    # only, and rotate the key.
    resource "datadog_integration_aws" "sandbox" {
      access_key_id     = "<ACCESS_KEY_ID>"
      secret_access_key = "<SECRET_ACCESS_KEY>"
    }
    

  1. Run terraform apply. Wait up to 10 minutes for data to start being collected, and then view the out-of-the-box AWS overview dashboard to see metrics sent by your AWS services and infrastructure.

Additional helpful documentation, links, and articles: