# Terraform AWS Datadog Integration Module

## Overview

The `terraform-aws-datadog` module is a wrapper around the CloudPosse `datadog-integration/aws` module that automates the setup of AWS-Datadog integration. It establishes secure bidirectional communication between AWS and Datadog to enable monitoring, logging, and metrics collection from AWS services.

## Features

- Automated AWS-Datadog integration setup
- Multi-account support through `for_each` iteration
- IAM role and policy management for Datadog access
- Secure cross-account role assumption using external IDs
- Support for both EU and US Datadog endpoints
- Comprehensive AWS service monitoring

## Resources Created

This module creates the following resources:

### AWS Resources

- **IAM Role** - Service role for Datadog to assume in AWS
- **IAM Policy** - Permissions policy allowing Datadog to access AWS resources
- **IAM Policy Attachment** - Attaches the policy to the role

### Datadog Resources

- **Datadog AWS Integration** - Creates the integration connection with:
  - External ID for security
  - Role name association
  - Account ID mapping
  - Region configuration
  - Tag filtering support

## Usage

```hcl
module "datadog_integration" {
  source = "path/to/terraform-aws-datadog"

  region       = "eu-west-1"
  api_key      = var.datadog_api_key # Store securely!
  app_key      = var.datadog_app_key # Store securely!
  datadog_site = "https://api.datadoghq.eu/"
  aws_profile  = "your-aws-profile"

  aws_accounts = {
    "production" = {
      aws_account_id = "123456789012"
      namespace      = "datadog"
      environment    = "prd"
      prefix_slug    = "mycompany"
      region         = "eu-west-1"
      team           = "platform"
    },
    "staging" = {
      aws_account_id = "987654321098"
      namespace      = "datadog"
      environment    = "stg"
      prefix_slug    = "mycompany"
      region         = "eu-west-1"
      team           = "platform"
    }
  }
}
```

## Variables

| Variable | Type | Required | Default | Description |
|----------|------|----------|---------|-------------|
| `region` | string | Yes | - | AWS region where the resources to monitor reside |
| `api_key` | string | Yes | - | Datadog API key for sending logs, metrics, and traces |
| `app_key` | string | Yes | - | Datadog application key used for Datadog API calls (creating and managing the integration) |
| `datadog_site` | string | No | `https://api.datadoghq.eu/` | Datadog API endpoint (EU or US) |
| `aws_profile` | string | Yes | - | AWS profile to use for authentication |
| `aws_accounts` | map(object) | Yes | - | Map of AWS accounts with configuration details |

### AWS Accounts Object Structure

Each entry in `aws_accounts` should contain:

```hcl
{
  aws_account_id = "AWS Account ID to monitor"
  namespace      = "Namespace label (e.g., 'datadog')"
  environment    = "Environment stage (e.g., 'prd', 'stg', 'dev')"
  prefix_slug    = "Resource naming prefix"
  region         = "AWS region for the account"
  team           = "Team identifier for naming"
}
```

## Outputs

| Output | Description |
|--------|-------------|
| `aws_account_id` | The AWS account ID integrated with Datadog |
| `aws_role_name` | Name of the IAM role created for Datadog integration |
| `datadog_external_id` | External ID used for secure role assumption |

## Dependencies

### External Modules

- **CloudPosse Datadog Integration AWS Module** v0.11.0
  - Source: `cloudposse/datadog-integration/aws`

### Provider Requirements

- Datadog Provider (tested with v3.1.2)
- AWS Provider

### Prerequisites

- Valid Datadog account with admin access
- Valid AWS account(s) to be monitored
- Datadog API key and app key with appropriate permissions
- AWS profile configured with credentials

### Required Permissions

**AWS Permissions:**
- IAM permissions to create roles, policies, and attachments

**Datadog Permissions:**
- Account admin or integration admin permissions

## Security Considerations

- **Sensitive Data**: API keys and app keys should be stored in secure vaults (Terraform Cloud, AWS Secrets Manager, HashiCorp Vault) and never committed to version control
- **External ID**: The module uses Datadog-generated external IDs for secure cross-account role assumption: the IAM role can only be assumed by a caller that presents the expected external ID
- **IAM Best Practices**: Follow the principle of least privilege when configuring IAM permissions
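
As an added example of the first two points (this is not the module's or CloudPosse's own code), the root-module snippet below reads the two Datadog keys from an AWS Secrets Manager secret instead of a `.tfvars` file, and then shows the shape of the trust-policy condition that an external ID enforces. The secret name `datadog/integration`, its JSON layout with `api_key` and `app_key` fields, an `aws_accounts` variable declared elsewhere in the root module, and the `DATADOG_ACCOUNT_ID_PLACEHOLDER` / `EXTERNAL_ID_PLACEHOLDER` values are all assumptions; the real trust policy is generated by the wrapped CloudPosse module.

```hcl
# Added example, not the module's or CloudPosse's code.

variable "datadog_secret_name" {
  description = "Secrets Manager secret holding JSON with api_key and app_key fields (assumed layout)"
  type        = string
  default     = "datadog/integration" # assumed secret name
}

# The secret is read during plan; the AWS provider marks secret_string as
# sensitive, and values derived from it stay redacted in plan output.
data "aws_secretsmanager_secret_version" "datadog" {
  secret_id = var.datadog_secret_name
}

locals {
  datadog_keys = jsondecode(data.aws_secretsmanager_secret_version.datadog.secret_string)
}

module "datadog_integration" {
  source = "path/to/terraform-aws-datadog"

  region       = "eu-west-1"
  api_key      = local.datadog_keys["api_key"]
  app_key      = local.datadog_keys["app_key"]
  datadog_site = "https://api.datadoghq.eu/"
  aws_profile  = "your-aws-profile"
  aws_accounts = var.aws_accounts # assumed to be declared in this root module
}

# Shape of the trust relationship an external ID enforces: the Datadog
# principal may call sts:AssumeRole only when it supplies the external ID
# issued for this integration. Both identifiers below are placeholders; the
# wrapped CloudPosse module generates the actual policy.
data "aws_iam_policy_document" "datadog_trust_shape" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::DATADOG_ACCOUNT_ID_PLACEHOLDER:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["EXTERNAL_ID_PLACEHOLDER"]
    }
  }
}
```

With the keys sourced this way nothing secret is written to `.tfvars` or committed to git, but the values are still recorded in the Terraform state, so the state backend needs encryption and access control as well.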

## Multi-Account Support

The module uses a `for_each` loop to support multiple AWS accounts in a single Terraform run. Each integration can have its own namespace and naming convention through the configuration map.
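
The following added example (not the module's own `variables.tf`) declares `aws_accounts` with the object type documented under AWS Accounts Object Structure, rejects malformed account IDs at plan time, and derives a per-account name from the map with a `for` expression, the same map-driven iteration a `for_each` loop over `aws_accounts` relies on. The 12-digit validation rule and the naming pattern are assumptions.

```hcl
# Added example, not the module's own variables.tf.
variable "aws_accounts" {
  description = "Map of AWS accounts to integrate with Datadog, keyed by a short label"
  type = map(object({
    aws_account_id = string
    namespace      = string
    environment    = string
    prefix_slug    = string
    region         = string
    team           = string
  }))

  validation {
    # Assumed rule: an AWS account ID is exactly 12 digits. Catching a
    # mistyped ID here avoids creating an IAM trust for the wrong account.
    condition = alltrue([
      for label, acct in var.aws_accounts :
      can(regex("^[0-9]{12}$", acct.aws_account_id))
    ])
    error_message = "Every aws_account_id must be a 12-digit AWS account ID."
  }
}

locals {
  # Assumed naming convention: <prefix_slug>-<environment>-<team>-<namespace>,
  # e.g. mycompany-prd-platform-datadog for the "production" entry in Usage.
  datadog_role_names = {
    for label, acct in var.aws_accounts :
    label => "${acct.prefix_slug}-${acct.environment}-${acct.team}-${acct.namespace}"
  }
}

# Per-account outputs keyed by the same labels as the input map, so a caller
# can look up one account's values without depending on map ordering.
output "datadog_role_names" {
  value = local.datadog_role_names
}

output "datadog_account_ids" {
  value = { for label, acct in var.aws_accounts : label => acct.aws_account_id }
}
```

Because the outputs are keyed by the caller's own labels (`production`, `staging`), adding or removing an account changes only that key; the other integrations are not recreated.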

## Monitored Services

When configured with "all" integrations (default), the module enables monitoring for:

- EC2
- RDS
- ELB/ALB/NLB
- Lambda
- S3
- CloudWatch
- And many more AWS services

## Notes

- Originally forked from Bitbucket (sl-technology/terraform-aws-datadog)
- Currently configured for all integrations
- Supports both EU and US Datadog endpoints

## License

See the project license file.

## Authors

Maintained by the WebBuildYourCloud team.