# Terraform AWS Datadog Integration Module

## Overview

The `terraform-aws-datadog` module is a wrapper around the CloudPosse `datadog-integration/aws` module that automates the setup of the AWS-Datadog integration. For each account it creates an IAM role that Datadog assumes cross-account (the trust is gated by a Datadog-generated external ID) and registers that account with Datadog, so Datadog can collect monitoring data, logs, and metrics from AWS services. The trust is one-way: Datadog calls into AWS by assuming the role; nothing in AWS calls back into Datadog.

## Features

- Automated AWS-Datadog integration setup
- Multi-account support through `for_each` iteration
- IAM role and policy management for Datadog access
- Cross-account role assumption protected by an external ID (confused-deputy protection)
- Support for both EU and US Datadog endpoints
- Comprehensive AWS service monitoring

## Resources Created

This module creates the following resources:

### AWS Resources

- **IAM Role** - Role that Datadog assumes in the monitored AWS account
- **IAM Policy** - Permissions policy allowing Datadog to read the AWS resources it monitors
- **IAM Policy Attachment** - Attaches the policy to the role

### Datadog Resources

- **Datadog AWS Integration** - Creates the integration connection with:
  - External ID (required by the role's trust policy)
  - Role name association
  - Account ID mapping
  - Region configuration
  - Tag filtering support

## Usage

```hcl
module "datadog_integration" {
  source = "path/to/terraform-aws-datadog"

  region  = "eu-west-1"
  api_key = var.datadog_api_key # Declare as sensitive; never hard-code
  app_key = var.datadog_app_key # Declare as sensitive; never hard-code
  datadog_site = "https://api.datadoghq.eu/"
  aws_profile  = "your-aws-profile"

  aws_accounts = {
    "production" = {
      aws_account_id = "123456789012"
      namespace      = "datadog"
      environment    = "prd"
      prefix_slug    = "mycompany"
      region         = "eu-west-1"
      team           = "platform"
    },
    "staging" = {
      aws_account_id = "987654321098"
      namespace      = "datadog"
      environment    = "stg"
      prefix_slug    = "mycompany"
      region         = "eu-west-1"
      team           = "platform"
    }
  }
}
```

## Variables

| Variable | Type | Required | Default | Description |
|----------|------|----------|---------|-------------|
| `region` | string | Yes | - | AWS region where the resources to monitor reside |
| `api_key` | string | Yes | - | Datadog API key (authenticates data sent to Datadog) |
| `app_key` | string | Yes | - | Datadog application key; used together with the API key to manage the integration through the Datadog API |
| `datadog_site` | string | No | `https://api.datadoghq.eu/` | Datadog API endpoint; EU by default, `https://api.datadoghq.com/` for US |
| `aws_profile` | string | Yes | - | AWS CLI profile to use for authentication |
| `aws_accounts` | map(object) | Yes | - | Map of AWS accounts to integrate, keyed by a label of your choice, with their configuration details |

### AWS Accounts Object Structure

Each entry in `aws_accounts` should contain:

```hcl
{
  aws_account_id = "AWS Account ID to monitor"
  namespace      = "Namespace label (e.g., 'datadog')"
  environment    = "Environment stage (e.g., 'prd', 'stg', 'dev')"
  prefix_slug    = "Resource naming prefix"
  region         = "AWS region for the account"
  team           = "Team identifier for naming"
}
```

## Outputs

| Output | Description |
|--------|-------------|
| `aws_account_id` | The AWS account ID integrated with Datadog |
| `aws_role_name` | Name of the IAM role created for the Datadog integration |
| `datadog_external_id` | External ID that the role's trust policy requires Datadog to present when assuming the role |

## Dependencies

### External Modules

- **CloudPosse Datadog Integration AWS Module** v0.11.0
  - Source: `cloudposse/datadog-integration/aws`

### Provider Requirements

- Datadog Provider (tested with v3.1.2)
- AWS Provider

### Prerequisites

- Valid Datadog account with admin access
- Valid AWS account(s) to be monitored
- Datadog API key and app key with appropriate permissions
- AWS profile configured with credentials

### Required Permissions

**AWS Permissions:**

- IAM permissions to create roles, policies, and attachments (`iam:CreateRole`, `iam:CreatePolicy`, `iam:AttachRolePolicy` and their read/update/delete counterparts, so that Terraform can also plan and destroy)

**Datadog Permissions:**

- Account admin or integration admin permissions

## Security Considerations

- **Sensitive Data**: API keys and app keys should come from a secure vault (Terraform Cloud, AWS Secrets Manager, HashiCorp Vault), be declared with `sensitive = true`, and never be committed to version control. Note that any value passed into the module is still written to Terraform state, so keep state in an encrypted, access-controlled remote backend.
- **External ID**: The module uses Datadog-generated external IDs in the role's trust policy. The external ID is what prevents a confused-deputy attack, where another Datadog customer points Datadog at your role ARN; treat it as a secret shared only with Datadog and verify that the trust policy actually requires it.
- **IAM Best Practices**: Follow the principle of least privilege. The policy attached to the Datadog role should contain only the read-only permissions Datadog documents for the integrations you enable; review the generated policy in the plan before applying.

## Multi-Account Support

The module uses a `for_each` loop to support multiple AWS accounts in a single Terraform run. Each integration can have its own namespace and naming convention through the configuration map.

## Monitored Services

The module is currently configured with all Datadog AWS integrations enabled, which turns on metric collection for:

- EC2
- RDS
- ELB/ALB/NLB
- Lambda
- S3
- CloudWatch
- And many more AWS services

Enabling every integration means Datadog polls CloudWatch for every namespace in each account, which increases CloudWatch API call volume and cost; restrict the set of integrations in Datadog if you only need a few services.

## Notes

- Originally forked from Bitbucket (sl-technology/terraform-aws-datadog)
- Currently configured for all integrations
- Supports both EU and US Datadog endpoints

## License

See project license file.

## Authors

Maintained by WebBuildYourCloud team.
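## Worked Example: Vaulted Keys and External-ID Verification

The following root-module configuration is an added example for the Security Considerations section above; it is not code from this module or from the CloudPosse module it wraps. It shows the two practices the section asks for: reading the Datadog API and app keys from AWS Secrets Manager instead of a `.tfvars` file, and verifying after apply that the role the module created cannot be assumed without an external ID. It assumes a Secrets Manager secret named `datadog/terraform` (an assumed name) whose value is `{"api_key": "...", "app_key": "..."}`, an assumed input variable `datadog_role_name` carrying the module's `aws_role_name` output for the account you want to check, and Terraform 1.5 or later for the `check` block.

```hcl
# Added example, not the module's own code. Assumptions: a Secrets Manager
# secret "datadog/terraform" holding {"api_key": "...", "app_key": "..."},
# var.datadog_role_name set to the module's aws_role_name output, and
# Terraform >= 1.5 for the `check` block.

terraform {
  required_version = ">= 1.5"
}

provider "aws" {
  region  = "eu-west-1"
  profile = "your-aws-profile"
}

# The keys never touch a tfvars file or the repository: Terraform fetches them
# at plan time. The AWS provider marks secret_string as sensitive, so the
# decoded values are redacted from plan output (they still land in state).
data "aws_secretsmanager_secret_version" "datadog" {
  secret_id = "datadog/terraform" # assumed secret name
}

locals {
  datadog_creds = jsondecode(data.aws_secretsmanager_secret_version.datadog.secret_string)
}

module "datadog_integration" {
  source = "path/to/terraform-aws-datadog"

  region       = "eu-west-1"
  api_key      = local.datadog_creds.api_key
  app_key      = local.datadog_creds.app_key
  datadog_site = "https://api.datadoghq.eu/"
  aws_profile  = "your-aws-profile"

  aws_accounts = {
    "production" = {
      aws_account_id = "123456789012"
      namespace      = "datadog"
      environment    = "prd"
      prefix_slug    = "mycompany"
      region         = "eu-west-1"
      team           = "platform"
    }
  }
}

# Assumed input: the name of the role the module created (its aws_role_name output).
variable "datadog_role_name" {
  type        = string
  description = "IAM role created by the Datadog integration module, to be verified below"
}

# Confused-deputy guard: every Allow statement that grants sts:AssumeRole on
# this role must carry an sts:ExternalId condition. Without it, any other
# Datadog customer could point Datadog at your role ARN and read your account.
# The check runs after apply and reports a failure as a Terraform check warning.
check "datadog_role_requires_external_id" {
  data "aws_iam_role" "datadog" {
    name = var.datadog_role_name
  }

  assert {
    condition = alltrue([
      for s in jsondecode(data.aws_iam_role.datadog.assume_role_policy).Statement :
      try(s.Condition.StringEquals["sts:ExternalId"], null) != null
      if s.Effect == "Allow" && contains(flatten([s.Action]), "sts:AssumeRole")
    ])
    error_message = "Role ${var.datadog_role_name} allows sts:AssumeRole without an sts:ExternalId condition."
  }
}
```

The `flatten([s.Action])` wrapper handles both the string and list forms that IAM accepts for `Action`, and `try(..., null)` treats a statement with no `Condition` block as failing. The check only proves an external ID is required, not which one; to confirm it is the value Datadog was given, compare it against the module's `datadog_external_id` output for that account. Because the secret value is still persisted in state, the remote backend must be encrypted and access-controlled; newer Terraform and AWS provider releases offer ephemeral resources that avoid writing the secret to state at all.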