# Terraform Datadog Users Sanoma Module

## Overview

Organization-specific user management module for Sanoma that uses the terraform-datadog-users base module for creating and managing Datadog user accounts.

## Features

- **Module Composition**: Uses terraform-datadog-users as a base module
- **Organization-Specific**: Configured for Sanoma email domains and structure
- **Scalable**: Easy to add new users via module calls
- **Standardized Roles**: All users assigned standard roles
- **EU Instance**: Configured for EU Datadog API

## Resources Created

Multiple `datadog_user` resources created via module calls to terraform-datadog-users.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12 |
| datadog | >= 3.2.0 |

## Usage

This module is designed to be called from a root module with Sanoma-specific variables:

```hcl
module "sanoma_users" {
  source = "./terraform-datadog-users-sanoma"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
  api_url         = "https://api.datadoghq.eu"
}
```

## Inputs

| Name | Description | Type | Required | Default |
|------|-------------|------|----------|---------|
| `admin` | Is user an admin? | `bool` | no | `false` |
| `name` | Full name | `string` | no | `""` |
| `email` | Email address | `string` | no | `""` |
| `handle` | Handle/username | `string` | no | `""` |
| `roles` | Role type | `string` | no | `"standard"` |
| `datadog_api_key` | Datadog API key | `string` | yes | - |
| `datadog_app_key` | Datadog APP key | `string` | yes | - |
| `api_url` | Datadog API endpoint | `string` | no | `"https://api.datadoghq.eu"` |
| `http_client_retry_enabled` | Enable HTTP retries | `bool` | no | `true` |
| `http_client_retry_timeout` | HTTP retry timeout | `string` | no | `""` |
| `validate` | Validate credentials | `bool` | no | `true` |

## Outputs

Currently, all outputs are commented out. No outputs are exported.

## User Accounts

### Current Users (Configured)

The module includes user definitions for:

- Michiel van Wambeke
- David Kerremans
- Lukasz Mycek

### Work in Progress

Additional user groups defined in separate files:

- `user-accounts-vanin.tf`: Vanin CFA users
- `user-accounts-nowaera.tf`: NoWaEra CFA users

## Module Structure

```
terraform-datadog-users-sanoma/
├── provider.tf                 # Datadog provider configuration
├── backend.tf                  # Terraform state backend
├── versions.tf                 # Provider version constraints
├── variables.tf                # Input variables
├── outputs.tf                  # Outputs (commented out)
├── user-accounts-vanin.tf      # Vanin user definitions (WIP)
├── user-accounts-nowaera.tf    # NoWaEra user definitions (WIP)
└── old-account-structure.tf    # Legacy account definitions
```

## Adding New Users

To add a new user, create a module call in the appropriate file:

```hcl
module "new_user" {
  source = "../terraform-datadog-users"

  admin  = false
  name   = "New User"
  email  = "new.user@sanoma.com"
  handle = "new.user@sanoma.com"
  roles  = "standard"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}
```

## Provider Configuration

### EU Datadog Instance

- **API URL**: `https://api.datadoghq.eu`
- **Reason**: GDPR compliance for European data
- **Retry Enabled**: Yes (handles 429 and 5xx errors)
- **Validation**: API/APP keys validated on initialization

## Organization Structure

The module supports multiple CFAs (Customer Facing Applications):

- **Vanin**: Educational publishing
- **NoWaEra**: Digital platforms

Each CFA has separate user account files for organization.

## Best Practices

1. **Email Format**: Use Sanoma email domain (@sanoma.com)
2. **File Organization**: Group users by CFA or team
3. **Standard Roles**: Default to standard roles unless admin access required
4. **Handle Convention**: Use email as handle for consistency

## Example User Definitions

```hcl
# Standard user
module "developer" {
  source = "../terraform-datadog-users"

  admin  = false
  name   = "John Developer"
  email  = "john.developer@sanoma.com"
  handle = "john.developer@sanoma.com"
  roles  = "standard"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}

# Admin user
module "team_lead" {
  source = "../terraform-datadog-users"

  admin  = true
  name   = "Jane Lead"
  email  = "jane.lead@sanoma.com"
  handle = "jane.lead@sanoma.com"
  roles  = "admin"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}
```

## State Management

- Uses remote backend configuration (backend.tf)
- State should be stored securely (S3, Terraform Cloud, etc.)
- Enables team collaboration on user management

## Migration from Old Structure

The `old-account-structure.tf` file contains legacy user definitions. These should be:

1. Reviewed for current relevance
2. Migrated to new structure if still active
3. Removed if users are no longer with organization

## Notes

- All outputs are currently disabled (commented out in outputs.tf)
- Uses module composition pattern for DRY principles
- EU API endpoint for GDPR compliance
- HTTP retry enabled for reliability
- Credentials validated on provider initialization

## Maintenance

Regular tasks:

- Review and update user lists quarterly
- Remove users who have left the organization
- Audit role assignments
- Update to latest terraform-datadog-users module version

## Security Considerations

- API keys should be stored in secure variable storage
- Never commit API keys to version control
- Use Terraform variable files or environment variables
- Consider using Terraform Cloud for secure variable management

## License

Internal use only - Sanoma/WeBuildYourCloud

## Authors

Created and maintained by the Platform Engineering team at Sanoma.
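
## Added Example: Linting User Definitions

The Best Practices and Security Considerations above can be checked mechanically before `terraform plan`, for example in CI or a pre-commit hook. The script below is an added example, not part of the Sanoma module: `audit`, `SAMPLE_TF` and the `contractor` module are hypothetical, the key value is a constructed placeholder, and the regex parsing assumes flat module blocks with one attribute per line.

```python
import re

# Constructed sample input: one compliant call and one that breaks the rules.
SAMPLE_TF = '''
module "developer" {
  source          = "../terraform-datadog-users"
  admin           = false
  email           = "john.developer@sanoma.com"
  handle          = "john.developer@sanoma.com"
  roles           = "standard"
  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}
module "contractor" {
  source          = "../terraform-datadog-users"
  admin           = true
  email           = "sam@example.org"
  handle          = "sam"
  roles           = "standard"
  datadog_api_key = "PLACEHOLDER-NOT-A-REAL-KEY"
  datadog_app_key = var.datadog_app_key
}
'''

MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)

def audit(tf_text, domain="@sanoma.com"):
    """Return (module_name, finding) tuples for calls that break the README's rules."""
    findings = []
    for name, body in MODULE_RE.findall(tf_text):
        attrs = dict(ATTR_RE.findall(body))
        if "terraform-datadog-users" not in attrs.get("source", ""):
            continue  # not a user definition
        email = attrs.get("email", '""').strip('"')
        if not email.lower().endswith(domain):
            findings.append((name, "email outside " + domain))
        if attrs.get("handle", '""').strip('"') != email:
            findings.append((name, "handle differs from email"))
        if attrs.get("admin") == "true":
            findings.append((name, "admin access: confirm it is required"))
        for key in ("datadog_api_key", "datadog_app_key"):
            if attrs.get(key, "").startswith('"'):  # quoted literal instead of var.*
                findings.append((name, key + " is a literal, not a variable reference"))
    return findings

if __name__ == "__main__":
    for module_name, finding in audit(SAMPLE_TF):
        print(module_name + ": " + finding)
```

Findings for `admin = true` are prompts for the quarterly role audit rather than errors, since admin access is sometimes required.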