Initial commit with README and module files

.gitignore

@@ -1,9 +1,7 @@
 *.tfstate
 *.tfstate.backup
 .terraform
-provider.tf
 *.tfvars
 **/*.tfvars
-provider.tf
 .github
 .circleci

.terraform.lock.hcl

@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/datadog/datadog" {
+  version     = "3.2.0"
+  constraints = "3.2.0"
+  hashes = [
+    "h1:nfbkvIrUHhsI0cx7IfYDdwdn+C7nBaDvqp3lsZ2BcQw=",
+    "zh:0973526974954263941cc4bc4a4bbd5a56726c09ebd118a513b0106d2164863d",
+    "zh:0e89a0254f65951da832f73822592c46758e168a1ea3f7fa7eb6c79fe1e13a5d",
+    "zh:35145207a6b585e51775079eb6c114d7d555c4f8a928361915374cb28b2cbe46",
+    "zh:3fdf4e1d184fbad0aed31e851cd8465d9be9e7481fcfcd1b5c0da7a1eb582048",
+    "zh:42dfbf4ecd8779346fa4764ce9db99b993fe3c8aefb6eea32d293f9a0bc5cab0",
+    "zh:4e172436bdcbfb2e41fa43a58bc89a1d1e47178e7011d99ff87885c65ef3966c",
+    "zh:72d77a750399ec7ff51c38894d54e54c178f16aab726b36caf0094501124f918",
+    "zh:72e112c8d008418f40677533e855a8b79061892fb42b8296ea69e8246d6205f9",
+    "zh:753d154fb6fb32f064469d3a2e2c657b7d8d19c674189480dae2d2f3b93d524b",
+    "zh:b8dfdcc4402856c043a08e4befe39b042203d616ffb370b54c64a7b3def6ca55",
+    "zh:be523a10cb95220cb52375ac71e03d8f0f48b0d8f3534075aa22d37b5d335d86",
+    "zh:eb9f11a30d9303b422eea27b5d11a716a290c81b8c09e5457292fb378386f66c",
+    "zh:fce91b84c90ce97b7acc6e4ec2cb6f9f4518ae070e00d7ca8973edd585d0ea14",
+  ]
+}

README.md

@@ -1,47 +1,179 @@
-[![CircleCI](https://circleci.com/gh/devops-workflow/terraform-datadog-users.svg?style=svg)](https://circleci.com/gh/devops-workflow/terraform-datadog-users)
+# Terraform Datadog Users Module
 
-terraform-datadog-users
-=======================
+## Overview
 
-Terraform module for managing Datadog users
+This Terraform module manages individual Datadog user accounts with role-based access control, supporting both standard users and administrators.
+
+## Features
+
+- **Role-Based Access**: Standard users vs. administrators
+- **Conditional Creation**: Admin flag determines user type
+- **Data Source Lookups**: Fetches role IDs from Datadog
+- **Reusable Module**: Easy user provisioning via module calls
+
+## Resources Created
+
+- `datadog_user` (add_datadog_user): Standard user with sl-techops-role
+- `datadog_user` (add_datadog_admin_user): Admin user with Datadog Admin Role
+
+## Data Sources
+
+The module queries Datadog for available roles:
+- Standard Role
+- Datadog Admin Role
+- sl-techops-role (custom role)
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12 |
+| datadog | >= 3.2.0 |
+
+## Usage
+
+### Create Standard User
 
 ```hcl
-module "datadog-users" {
-  source  = "devops-workflow/users/datadog"
-  version = "1.0.0"
+module "standard_user" {
+  source = "./terraform-datadog-users"
 
-  users = [
-    {
-      name   = "user1"
-      handle = "user1@example.com"
-    },
-    {
-      name     = "admin1"
-      handle   = "admin1@example.com"
-      admin    = "true"
-      disabled = "false"
-    },
-    {
-      name     = "dis1"
-      handle   = "dis1@example.com"
-      email    = "disy1@example.com"
-      disabled = "true"
-      role     = "ro"
-    },
-  ]
+  admin           = false
+  name            = "John Doe"
+  email           = "john.doe@example.com"
+  handle          = "john.doe@example.com"
+  roles           = "normal"
+  datadog_api_key = var.datadog_api_key
+  datadog_app_key = var.datadog_app_key
 }
 ```
 
-User data structure is a list of maps.
+### Create Admin User
 
-#### User field mappings
+```hcl
+module "admin_user" {
+  source = "./terraform-datadog-users"
 
-| User Field |  Default  | Datadog Provider Field | Description |
-|:-----------|:---------:|:-----------------------|:------------|
-| admin      | `false`   | is_admin  | Make user an admin? |
-| disabled   | `false`   | disabled  | Disable user |
-| email      | `handle`  | email     | User email. Needed when user's email changed after account creation. Will default to `handle` if not provided |
-| handle     | __REQUIRED__ | handle | email handle of user |
-| name       | __REQUIRED__ | name   | User name |
-| role       | `st`      | role      | User role. Options are `st` standard, `adm` admin, `ro` read-only |
-# terraform-datadog-users
+  admin           = true
+  name            = "Jane Admin"
+  email           = "jane.admin@example.com"
+  handle          = "jane.admin@example.com"
+  roles           = "admin"
+  datadog_api_key = var.datadog_api_key
+  datadog_app_key = var.datadog_app_key
+}
+```
+
+## Inputs
+
+| Name | Description | Type | Required | Default |
+|------|-------------|------|----------|---------|
+| `admin` | Is user an admin? | `bool` | no | `false` |
+| `name` | Full name of user | `string` | no | `""` |
+| `email` | Email address | `string` | no | `""` |
+| `handle` | Handle/username | `string` | no | `""` |
+| `roles` | Role assignment | `string` | no | `"normal"` |
+| `datadog_api_key` | Datadog API key | `string` | yes | - |
+| `datadog_app_key` | Datadog APP key | `string` | yes | - |
+
+## Outputs
+
+Currently, all outputs are commented out. No outputs are exported.
+
+## Role Types
+
+### Standard User (admin = false)
+
+- **Role**: sl-techops-role
+- **Permissions**: Limited read/write access
+- **Use Case**: Regular team members, developers, operators
+
+### Admin User (admin = true)
+
+- **Role**: Datadog Admin Role
+- **Permissions**: Full access to all Datadog features
+- **Use Case**: Platform administrators, team leads
+
+## Conditional Resource Creation
+
+The module uses conditional `count` to create only one user type:
+- If `admin = false`: Creates standard user
+- If `admin = true`: Creates admin user
+
+This ensures clean resource management and prevents duplicate user creation.
+
+## Data Source Usage
+
+The module uses data sources to lookup role IDs:
+```hcl
+data "datadog_role" "standard_role" {
+  filter = "Datadog Standard Role"
+}
+
+data "datadog_role" "admin_role" {
+  filter = "Datadog Admin Role"
+}
+
+data "datadog_role" "techops_role" {
+  filter = "sl-techops-role"
+}
+```
+
+## Best Practices
+
+1. **Email as Handle**: Use email address as handle for consistency
+2. **Role Selection**: Choose appropriate role based on user responsibilities
+3. **Module Calls**: Use module calls for each user (see terraform-datadog-users-sanoma)
+4. **Centralized Management**: Keep all user definitions in one place
+
+## Example: Multiple Users
+
+```hcl
+module "user_1" {
+  source = "./terraform-datadog-users"
+  admin  = false
+  name   = "Alice Developer"
+  email  = "alice@example.com"
+  handle = "alice@example.com"
+}
+
+module "user_2" {
+  source = "./terraform-datadog-users"
+  admin  = true
+  name   = "Bob Admin"
+  email  = "bob@example.com"
+  handle = "bob@example.com"
+}
+```
+
+## Notes
+
+- The handle field typically should match the email address
+- Custom roles (like sl-techops-role) must exist in Datadog before use
+- Role data sources fetch IDs dynamically at plan/apply time
+- Outputs are currently disabled (commented out in outputs.tf)
+- Module supports only two role tiers: standard and admin
+
+## Limitations
+
+- Fixed role assignments (standard vs admin only)
+- No support for custom role assignment beyond sl-techops-role
+- No team or group assignments
+- Outputs are not available (commented out)
+
+## Future Enhancements
+
+Potential improvements:
+- Support for multiple custom roles
+- Team assignments
+- Group memberships
+- User permissions customization
+- Output user IDs and metadata
+
+## License
+
+Internal use only - Sanoma/WeBuildYourCloud
+
+## Authors
+
+Created and maintained by the Platform Engineering team.

main.tf

@@ -1,24 +1,47 @@
-module "enabled" {
-  source = "git::git@github.com:webuildyourcloud/terraform-local-boolean.git"
-  value  = var.enabled
+locals {
+  email  = var.email
+  #handle = var.handle
+  name   = var.name
+  roles  = var.roles
+  admin  = var.admin
 }
 
-data "null_data_source" "this" {
-  count = "module.enabled.value ? length(var.users) : 0"
-
-  inputs {
-    handle = lookup(var.users[count.index], "handle")
-    email  = lookup(var.users[count.index], "email", lookup(var.users[count.index], "handle"))
-    name   = lookup(var.users[count.index], "name")
-  }
+data "datadog_role" "standard_role" {
+  filter = "Datadog Standard Role"
 }
 
-resource "datadog_user" "this" {
-  count    = "module.enabled.value ? length(var.users) : 0"
-  disabled = lookup(var.users[count.index], "disabled", false)
-  email    = lookup(var.users[count.index], "email", lookup(var.users[count.index], "handle"))
-  handle   = lookup(var.users[count.index], "handle")
-  is_admin = lookup(var.users[count.index], "is_admin", false)
-  name     = lookup(var.users[count.index], "name")
-  role     = lookup(var.users[count.index], "role", "st")
+data "datadog_role" "admin_role" {
+  count  = var.admin ? 1 : 0
+  filter = "Datadog Admin Role"
 }
+
+#data "datadog_role" "readonly_role" {
+#  count  = var.admin ? 0 : 1
+#  filter = "Datadog Read Only Role"
+#}
+
+data "datadog_role" "sl-techops-role" {
+  count  = var.admin ? 0 : 1
+  filter = "sl-techops-role"
+}
+
+#resource "datadog_user" "add_datadog_user" {
+#  email  = local.email
+#  name   = local.name
+#  roles  = [data.datadog_role.sl-techops-role.id]
+#}
+
+resource "datadog_user" "add_datadog_user" {
+  count  = var.admin ? 0 : 1
+  email  = local.email
+  name   = local.name
+  roles  = [data.datadog_role.sl-techops-role[0].id]
+}
+
+resource "datadog_user" "add_datadog_admin_user" {
+  count  = var.admin ? 1 : 0
+  email  = local.email
+  name   = local.name
+  roles  = [data.datadog_role.admin_role[0].id]
+}
+

outputs.tf

@@ -1,33 +1,33 @@
-output "disabled" {
-  description = "List of user disabled status"
-  value       = compact(concat(datadog_user.this.*.disabled, list("")))
-}
-
-output "ids" {
-  description = "List of user IDs"
-  value       = compact(concat(datadog_user.this.*.id, list("")))
-}
-
-output "verified" {
-  description = "List of user verified status"
-  value       = compact(concat(datadog_user.this.*.verified, list("")))
-}
-
-output "emails" {
-  description = "List of user emails"
-  value       = compact(concat(data.null_data_source.this.*.outputs.email, list("")))
-}
-
-output "handles" {
-  description = "List of user handles"
-  value       = compact(concat(data.null_data_source.this.*.outputs.handle, list("")))
-}
-
-output "names" {
-  description = "List of user names"
-  value       = compact(concat(data.null_data_source.this.*.outputs.name, list("")))
-}
-
-output "users" {
-  value = "var.users"
-}
+#output "disabled" {
+#  description = "List of user disabled status"
+#  value       = compact(concat(datadog_user.this.*.disabled, list("")))
+#}
+#
+#output "ids" {
+#  description = "List of user IDs"
+#  value       = compact(concat(datadog_user.this.*.id, list("")))
+#}
+#
+#output "verified" {
+#  description = "List of user verified status"
+#  value       = compact(concat(datadog_user.this.*.verified, list("")))
+#}
+#
+#output "emails" {
+#  description = "List of user emails"
+#  value       = compact(concat(data.null_data_source.this.*.outputs.email, list("")))
+#}
+#
+#output "handles" {
+#  description = "List of user handles"
+#  value       = compact(concat(data.null_data_source.this.*.outputs.handle, list("")))
+#}
+#
+#output "names" {
+#  description = "List of user names"
+#  value       = compact(concat(data.null_data_source.this.*.outputs.name, list("")))
+#}
+#
+#output "users" {
+#  value = "var.users"
+#}

plaap/plaap.tf

@@ -1,23 +0,0 @@
-module "datadog-users" {
-  source = "git::git@github.com:webuildyourcloud/terraform-datadog-users.git"
-
-  users = [
-    {
-      name   = "user1"
-      handle = "user1@example.com"
-    },
-    {
-      name     = "admin1"
-      handle   = "admin1@example.com"
-      admin    = "true"
-      disabled = "false"
-    },
-    {
-      name     = "dis1"
-      handle   = "dis1@example.com"
-      email    = "disy1@example.com"
-      disabled = "true"
-      role     = "ro"
-    },
-  ]
-}

plaap/variables.tf

@@ -1,43 +0,0 @@
-variable "enabled" {
-  description = "Set to false to prevent the module from creating anything"
-  default     = true
-}
-
-variable "users" {
-  description = "List of Datadog user maps to manage"
-  type        = list(string)
-}
-
-variable "datadog_api_key" {
-  description = "The datadog API key"
-  type        = string
-}
-
-variable "datadog_app_key" {
-  description = "The datadog APP key"
-  type        = string
-}
-
-#variable "api_url" {
-#  description   = "Which API to Connect to, we are using the EU one for GDPR compliance"
-#  type          = string
-#  default       = "https://api.datadoghq.eu"
-#}
-#
-#variable "http_client_retry_enabled" {
-#  description   = "Enables Request retries on HTTP status codes 429 and 5xx"
-#  type          = bool
-#  default       = true
-#}
-#
-#variable "http_client_retry_timeout" {
-#  description   = "Sets the number of HTTP request retry timeout period"
-#  type          = string
-#  default       = ""
-#}
-#
-#variable "validate" {
-#  description   = "Validates the provided APP and API keys during provider initialization"
-#  type          = bool
-#  default       = true
-#}

plaap/versions.tf

@@ -1,3 +0,0 @@
-terraform {
-  required_version = ">= 0.13"
-}

provider.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    datadog = {
+      source  = "datadog/datadog"
+      version = "3.2.0"
+    }
+  }
+}

variables.tf

@@ -1,33 +1,43 @@
-variable "enabled" {
-  description = "Set to false to prevent the module from creating anything"
-  default     = true
+variable "admin" {
+  description = "Boolean to set if user is an admin or not"
+  default     = false
 }
 
-variable "users" {
-  description = "List of Datadog user maps to manage"
-  type        = list(string)
-
-#  users = [
-#  {
-#    name   = "user1"
-#    handle = "user1@example.com"
-#  },
-#  {
-#    name     = "admin1"
-#    handle   = "admin1@example.com"
-#    admin    = "true"
-#    disabled = "false"
-#  },
-#  {
-#    name     = "dis1"
-#    handle   = "dis1@example.com"
-#    email    = "disy1@example.com"
-#    disabled = "true"
-#    role     = "ro"
-#  },
-# ]
+variable "name" {
+  description = "Name of the User"
+  type        = string
+  default     = ""
 }
 
+variable "email" {
+  description = "Email address of the user"
+  type        = string
+  default     = ""
+}
+
+variable "handle" {
+  description = "Handle of the user (usualy the email address)"
+  type        = string
+  default     = ""
+}
+
+variable "roles" {
+  description = "Role can be ro normal and admin, default is normal"
+  type        = string
+  default     = "normal"
+}
+
+#variable "user" {
+#  description = "List of Datadog user maps to manage"
+#  type        = map(string)
+#  default = {
+#    name   = ""
+#    email  = ""
+#    hanlde = ""
+#    role   = ""
+#  }
+#}
+
 variable "datadog_api_key" {
   description = "The datadog API key"
   type        = string
@@ -37,27 +47,3 @@ variable "datadog_app_key" {
   description = "The datadog APP key"
   type        = string
 }
-
-#variable "api_url" {
-#  description   = "Which API to Connect to, we are using the EU one for GDPR compliance"
-#  type          = string
-#  default       = "https://api.datadoghq.eu"
-#}
-#
-#variable "http_client_retry_enabled" {
-#  description   = "Enables Request retries on HTTP status codes 429 and 5xx"
-#  type          = bool
-#  default       = true
-#}
-#
-#variable "http_client_retry_timeout" {
-#  description   = "Sets the number of HTTP request retry timeout period"
-#  type          = string
-#  default       = ""
-#}
-#
-#variable "validate" {
-#  description   = "Validates the provided APP and API keys during provider initialization"
-#  type          = bool
-#  default       = true
-#}