diff --git a/.gitignore b/.gitignore old mode 100644 new mode 100755 diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100755 index 0000000..282b7d4 --- /dev/null +++ b/.terraform.lock.hcl @@ -0,0 +1,23 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/datadog/datadog" { + version = "3.2.0" + constraints = "3.2.0" + hashes = [ + "h1:nfbkvIrUHhsI0cx7IfYDdwdn+C7nBaDvqp3lsZ2BcQw=", + "zh:0973526974954263941cc4bc4a4bbd5a56726c09ebd118a513b0106d2164863d", + "zh:0e89a0254f65951da832f73822592c46758e168a1ea3f7fa7eb6c79fe1e13a5d", + "zh:35145207a6b585e51775079eb6c114d7d555c4f8a928361915374cb28b2cbe46", + "zh:3fdf4e1d184fbad0aed31e851cd8465d9be9e7481fcfcd1b5c0da7a1eb582048", + "zh:42dfbf4ecd8779346fa4764ce9db99b993fe3c8aefb6eea32d293f9a0bc5cab0", + "zh:4e172436bdcbfb2e41fa43a58bc89a1d1e47178e7011d99ff87885c65ef3966c", + "zh:72d77a750399ec7ff51c38894d54e54c178f16aab726b36caf0094501124f918", + "zh:72e112c8d008418f40677533e855a8b79061892fb42b8296ea69e8246d6205f9", + "zh:753d154fb6fb32f064469d3a2e2c657b7d8d19c674189480dae2d2f3b93d524b", + "zh:b8dfdcc4402856c043a08e4befe39b042203d616ffb370b54c64a7b3def6ca55", + "zh:be523a10cb95220cb52375ac71e03d8f0f48b0d8f3534075aa22d37b5d335d86", + "zh:eb9f11a30d9303b422eea27b5d11a716a290c81b8c09e5457292fb378386f66c", + "zh:fce91b84c90ce97b7acc6e4ec2cb6f9f4518ae070e00d7ca8973edd585d0ea14", + ] +} diff --git a/README.md b/README.md old mode 100644 new mode 100755 index 7a7708e..6051d26 --- a/README.md +++ b/README.md 
@@ -1,47 +1,179 @@ -[![CircleCI](https://circleci.com/gh/devops-workflow/terraform-datadog-users.svg?style=svg)](https://circleci.com/gh/devops-workflow/terraform-datadog-users) +# Terraform Datadog Users Module -terraform-datadog-users -======================= +## Overview -Terraform module for managing Datadog users +This Terraform module manages individual Datadog user accounts with role-based access control, supporting both standard users and administrators. + +## Features + +- **Role-Based Access**: Standard users vs. administrators +- **Conditional Creation**: Admin flag determines user type +- **Data Source Lookups**: Fetches role IDs from Datadog +- **Reusable Module**: Easy user provisioning via module calls + +## Resources Created + +- `datadog_user` (add_datadog_user): Standard user with sl-techops-role +- `datadog_user` (add_datadog_admin_user): Admin user with Datadog Admin Role + +## Data Sources + +The module queries Datadog for available roles: +- Standard Role +- Datadog Admin Role +- sl-techops-role (custom role) + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 0.12 | +| datadog | >= 3.2.0 | + +## Usage + +### Create Standard User ```hcl -module "datadog-users" { - source = "devops-workflow/users/datadog" - version = "1.0.0" +module "standard_user" { + source = "./terraform-datadog-users" - users = [ - { - name = "user1" - handle = "user1@example.com" - }, - { - name = "admin1" - handle = "admin1@example.com" - admin = "true" - disabled = "false" - }, - { - name = "dis1" - handle = "dis1@example.com" - email = "disy1@example.com" - disabled = "true" - role = "ro" - }, - ] + admin = false + name = "John Doe" + email = "john.doe@example.com" + handle = "john.doe@example.com" + roles = "normal" + datadog_api_key = var.datadog_api_key + datadog_app_key = var.datadog_app_key } ``` -User data structure is a list of maps. 
+### Create Admin User -#### User field mappings +```hcl +module "admin_user" { + source = "./terraform-datadog-users" -| User Field | Default | Datadog Provider Field | Description | -|:-----------|:---------:|:-----------------------|:------------| -| admin | `false` | is_admin | Make user an admin? | -| disabled | `false` | disabled | Disable user | -| email | `handle` | email | User email. Needed when user's email changed after account creation. Will default to `handle` if not provided | -| handle | __REQUIRED__ | handle | email handle of user | -| name | __REQUIRED__ | name | User name | -| role | `st` | role | User role. Options are `st` standard, `adm` admin, `ro` read-only | -# terraform-datadog-users + admin = true + name = "Jane Admin" + email = "jane.admin@example.com" + handle = "jane.admin@example.com" + roles = "admin" + datadog_api_key = var.datadog_api_key + datadog_app_key = var.datadog_app_key +} +``` + +## Inputs + +| Name | Description | Type | Required | Default | +|------|-------------|------|----------|---------| +| `admin` | Is user an admin? | `bool` | no | `false` | +| `name` | Full name of user | `string` | no | `""` | +| `email` | Email address | `string` | no | `""` | +| `handle` | Handle/username | `string` | no | `""` | +| `roles` | Role assignment | `string` | no | `"normal"` | +| `datadog_api_key` | Datadog API key | `string` | yes | - | +| `datadog_app_key` | Datadog APP key | `string` | yes | - | + +## Outputs + +Currently, all outputs are commented out. No outputs are exported. 
+ +## Role Types + +### Standard User (admin = false) + +- **Role**: sl-techops-role +- **Permissions**: Limited read/write access +- **Use Case**: Regular team members, developers, operators + +### Admin User (admin = true) + +- **Role**: Datadog Admin Role +- **Permissions**: Full access to all Datadog features +- **Use Case**: Platform administrators, team leads + +## Conditional Resource Creation + +The module uses conditional `count` to create only one user type: +- If `admin = false`: Creates standard user +- If `admin = true`: Creates admin user + +This ensures clean resource management and prevents duplicate user creation. + +## Data Source Usage + +The module uses data sources to lookup role IDs: +```hcl +data "datadog_role" "standard_role" { + filter = "Datadog Standard Role" +} + +data "datadog_role" "admin_role" { + filter = "Datadog Admin Role" +} + +data "datadog_role" "techops_role" { + filter = "sl-techops-role" +} +``` + +## Best Practices + +1. **Email as Handle**: Use email address as handle for consistency +2. **Role Selection**: Choose appropriate role based on user responsibilities +3. **Module Calls**: Use module calls for each user (see terraform-datadog-users-sanoma) +4. 
**Centralized Management**: Keep all user definitions in one place + +## Example: Multiple Users + +```hcl +module "user_1" { + source = "./terraform-datadog-users" + admin = false + name = "Alice Developer" + email = "alice@example.com" + handle = "alice@example.com" +} + +module "user_2" { + source = "./terraform-datadog-users" + admin = true + name = "Bob Admin" + email = "bob@example.com" + handle = "bob@example.com" +} +``` + +## Notes + +- The handle field typically should match the email address +- Custom roles (like sl-techops-role) must exist in Datadog before use +- Role data sources fetch IDs dynamically at plan/apply time +- Outputs are currently disabled (commented out in outputs.tf) +- Module supports only two role tiers: standard and admin + +## Limitations + +- Fixed role assignments (standard vs admin only) +- No support for custom role assignment beyond sl-techops-role +- No team or group assignments +- Outputs are not available (commented out) + +## Future Enhancements + +Potential improvements: +- Support for multiple custom roles +- Team assignments +- Group memberships +- User permissions customization +- Output user IDs and metadata + +## License + +Internal use only - Sanoma/WeBuildYourCloud + +## Authors + +Created and maintained by the Platform Engineering team. diff --git a/main.tf b/main.tf old mode 100644 new mode 100755 diff --git a/outputs.tf b/outputs.tf old mode 100644 new mode 100755 diff --git a/provider.tf b/provider.tf old mode 100644 new mode 100755 diff --git a/variables.tf b/variables.tf old mode 100644 new mode 100755 diff --git a/versions.tf b/versions.tf old mode 100644 new mode 100755
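Review bot: the mode flips from 100644 to 100755 on .gitignore, main.tf, outputs.tf, provider.tf, variables.tf and versions.tf (and the new .terraform.lock.hcl created as 100755) mark plain-text and HCL files executable for no reason; this is the usual side effect of editing on a Windows or mounted filesystem rather than an intentional change. Revert them with `git update-index --chmod=-x <file>` for each file (or set `core.fileMode = false` on the checkout that produced them) so the commit carries only the README and lock-file changes and reviewers are not left wondering why a `.gitignore` needs the execute bit.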
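Review bot: the new .terraform.lock.hcl pins datadog/datadog with `constraints = "3.2.0"`, while the README in the same change documents the requirement as `datadog | >= 3.2.0`; the constraint in the lock file is derived from versions.tf, so one of the two is wrong and they should agree (an exact pin is the safer of the two for a shared module, but then the README should say so). Committing the lock file is the right call for pinning provider checksums, but only a single `h1:` hash is recorded, so the per-platform checksum is only pinned for the OS/arch this was generated on and other platforms will be verified only against the registry-reported `zh:` list; run `terraform providers lock -platform=linux_amd64 -platform=darwin_arm64` (add whatever CI and developers actually use) and commit the result so every platform gets an `h1:` entry.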
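Review bot: the README's `Inputs` table marks `datadog_api_key` and `datadog_app_key` as required, but the `Example: Multiple Users` block omits both, so that example will not plan as written. Beyond the inconsistency, taking the API and application keys as module inputs means every module call carries the secrets and, as the module's own provider.tf suggests, the provider is configured inside the child module; Terraform treats provider blocks in child modules as a legacy pattern that blocks `count`/`for_each` on the module call and complicates removing it later. Suggest configuring the provider once in the root module (via the `DD_API_KEY`/`DD_APP_KEY` environment variables, or root-level variables marked `sensitive = true`) and dropping the two key inputs from every usage example. Two smaller points in the same hunk: the table lists `name`, `email` and `handle` as optional with default `""`, which would try to create a user with an empty email, so mark them required or add `validation` blocks; and the `Data Source Usage` section declares `data "datadog_role" "standard_role"` with filter "Datadog Standard Role" while `Resources Created` says standard users get sl-techops-role, so either that data source is unused or the description is wrong. Finally, the previous README's list-of-maps interface (`users = [ ... ]` with `disabled` and `role = "ro"`) is removed without a migration note; callers of the 1.0.0 interface should be told that `disabled` and read-only roles are no longer supported and that one module call per user is now expected.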