
Terraform AWS Datadog Integration Module

Overview

The terraform-aws-datadog module is a wrapper around the CloudPosse datadog-integration/aws module that automates the setup of the AWS-Datadog integration. In each monitored AWS account it creates an IAM role that Datadog assumes through STS (sts:AssumeRole, gated by a Datadog-generated external ID), and it registers that account with Datadog so that Datadog can collect metrics, logs, and resource metadata from AWS services.

Features

  • Automated AWS-Datadog integration setup
  • Multi-account support through for_each iteration
  • IAM role and policy management for Datadog access
  • Secure cross-account role assumption using external IDs
  • Support for both EU and US Datadog endpoints
  • Comprehensive AWS service monitoring

Resources Created

This module creates the following resources:

AWS Resources

  • IAM Role - Cross-account role in the monitored AWS account that Datadog assumes; its trust policy names the Datadog AWS account as principal and requires the external ID
  • IAM Policy - Permissions policy granting Datadog read access to the AWS resources it monitors
  • IAM Policy Attachment - Attaches the policy to the role

Datadog Resources

  • Datadog AWS Integration - Creates the integration connection with:
    • External ID (generated by Datadog) that the role's trust policy requires
    • Role name association (the role Datadog assumes in the account)
    • Account ID mapping
    • Region configuration
    • Tag filtering support

Usage

module "datadog_integration" {
  source = "path/to/terraform-aws-datadog"

  region       = "eu-west-1"
  api_key      = var.datadog_api_key      # Store securely!
  app_key      = var.datadog_app_key      # Store securely!
  datadog_site = "https://api.datadoghq.eu/"
  aws_profile  = "your-aws-profile"

  aws_accounts = {
    "production" = {
      aws_account_id = "123456789012"
      namespace      = "datadog"
      environment    = "prd"
      prefix_slug    = "mycompany"
      region         = "eu-west-1"
      team           = "platform"
    },
    "staging" = {
      aws_account_id = "987654321098"
      namespace      = "datadog"
      environment    = "stg"
      prefix_slug    = "mycompany"
      region         = "eu-west-1"
      team           = "platform"
    }
  }
}

Variables

Variable       Type         Required  Default                     Description
region         string       Yes       -                           AWS region in which the monitored resources reside
api_key        string       Yes       -                           Datadog API key (used to submit logs, metrics, and traces)
app_key        string       Yes       -                           Datadog application key (used together with the API key for authenticated Datadog API calls)
datadog_site   string       No        https://api.datadoghq.eu/   Datadog API endpoint (EU or US)
aws_profile    string       Yes       -                           AWS CLI profile used for authentication
aws_accounts   map(object)  Yes       -                           Map of AWS accounts to integrate, keyed by a label; see AWS Accounts Object Structure

AWS Accounts Object Structure

Each entry in aws_accounts should contain:

{
  aws_account_id = "AWS Account ID to monitor"
  namespace      = "Namespace label (e.g., 'datadog')"
  environment    = "Environment stage (e.g., 'prd', 'stg', 'dev')"
  prefix_slug    = "Resource naming prefix"
  region         = "AWS region for the account"
  team           = "Team identifier for naming"
}

Outputs

Output               Description
aws_account_id       The AWS account ID integrated with Datadog
aws_role_name        Name of the IAM role created for the Datadog integration
datadog_external_id  External ID that the role's trust policy requires for assumption

Dependencies

External Modules

  • CloudPosse Datadog Integration AWS Module v0.11.0
    • Source: cloudposse/datadog-integration/aws

Provider Requirements

  • Datadog Provider (tested with v3.1.2)
  • AWS Provider

Prerequisites

  • Valid Datadog account with admin access
  • Valid AWS account(s) to be monitored
  • Datadog API key and app key with appropriate permissions
  • AWS profile configured with credentials

Required Permissions

AWS Permissions:

  • IAM permissions to create roles, policies, and policy attachments in each account listed in aws_accounts

Datadog Permissions:

  • Account admin or integration admin permissions

Security Considerations

  • Sensitive Data: API keys and app keys should be stored in a secret store (Terraform Cloud variables, AWS Secrets Manager, HashiCorp Vault) and never committed to version control; declare the corresponding input variables as sensitive so Terraform redacts them from plan and apply output
  • External ID: The module uses Datadog-generated external IDs in the role's trust policy, so only an AssumeRole request that carries that ID succeeds (the standard mitigation for the confused-deputy problem in cross-account access). The external ID and role name are written to Terraform state and exposed as outputs, so protect the state backend as you would any other secret
  • IAM Best Practices: Follow the principle of least privilege when configuring IAM permissions: trust only the Datadog AWS account as principal, require the external ID, and grant the role read-only access to the services you actually monitor
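The following script is an added example, not code from this module or from the CloudPosse module. It checks a role trust policy (the JSON returned by aws iam get-role --role-name <aws_role_name> --query Role.AssumeRolePolicyDocument) for the properties the integration relies on: only sts:AssumeRole is allowed, the principal is the Datadog AWS account rather than "*", and every Allow statement requires the Datadog-generated external ID. The account ID, external ID and sample policy documents are constructed values; take the real external ID from the datadog_external_id output and the principal account from Datadog's documentation for your site.

```python
"""Check the trust policy of the IAM role that Datadog assumes.

Added example; not part of terraform-aws-datadog. Reports every property
the integration relies on that the trust policy is missing.
"""
import json

# Constructed sample values. In practice take the external ID from the
# module's datadog_external_id output and the principal account from
# Datadog's documentation for your Datadog site.
DATADOG_AWS_ACCOUNT = "111111111111"
EXPECTED_EXTERNAL_ID = "0123456789abcdef0123456789abcdef"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Return the AWS principals of a statement; ["*"] marks a wildcard."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def check_trust_policy(doc, datadog_account, external_id):
    """Return a list of findings; an empty list means the policy is sound."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    statements = _as_list(doc.get("Statement"))
    if not statements:
        return ["policy has no statements"]
    # IAM accepts the bare account ID as shorthand for the account root ARN.
    expected = {f"arn:aws:iam::{datadog_account}:root", datadog_account}
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        extra = [a for a in _as_list(st.get("Action")) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"statement {i}: actions beyond sts:AssumeRole: {extra}")
        principals = _aws_principals(st.get("Principal"))
        if not principals:
            findings.append(f"statement {i}: no AWS principal")
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal (any account may try to assume the role)")
            elif p not in expected:
                findings.append(f"statement {i}: unexpected principal {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        ext = _as_list(cond.get("sts:ExternalId"))
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext != [external_id]:
            findings.append(f"statement {i}: external ID does not match the Datadog-generated value")
    return findings


# Constructed sample documents: what the module should produce, plus two
# weakened variants a reviewer should reject.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DATADOG_AWS_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}
NO_EXTERNAL_ID_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DATADOG_AWS_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("no-external-id", NO_EXTERNAL_ID_POLICY),
                      ("wildcard", WILDCARD_POLICY)]:
        findings = check_trust_policy(doc, DATADOG_AWS_ACCOUNT, EXPECTED_EXTERNAL_ID)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The check is deliberately strict: a trust policy that grants anything beyond sts:AssumeRole, names a principal other than the Datadog account, or omits the sts:ExternalId condition is reported, because any of those lets a party other than Datadog (or a Datadog tenant you do not control) assume the role. Run it after every apply, and again whenever the CloudPosse module version is bumped.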

Multi-Account Support

The module iterates over aws_accounts with for_each, so a single Terraform run can integrate several AWS accounts; each map key becomes the instance key of the corresponding integration, and each entry carries its own namespace and naming convention (prefix_slug, environment, team) through the configuration map.

Monitored Services

When configured with "all" integrations (default), the module enables monitoring for:

  • EC2
  • RDS
  • ELB/ALB/NLB
  • Lambda
  • S3
  • CloudWatch
  • And many more AWS services

Notes

  • Originally forked from Bitbucket (sl-technology/terraform-aws-datadog)
  • Currently configured for all integrations
  • Supports both EU and US Datadog endpoints

License

See project license file.

Authors

Maintained by WebBuildYourCloud team.