# Terraform Datadog Users Module

## Overview

This Terraform module manages individual Datadog user accounts with role-based access control, supporting both standard users and administrators.

## Features

- **Role-Based Access**: Standard users vs. administrators
- **Conditional Creation**: Admin flag determines user type
- **Data Source Lookups**: Fetches role IDs from Datadog
- **Reusable Module**: Easy user provisioning via module calls

## Resources Created

- `datadog_user` (add_datadog_user): Standard user with sl-techops-role
- `datadog_user` (add_datadog_admin_user): Admin user with Datadog Admin Role

## Data Sources

The module queries Datadog for available roles:

- Standard Role
- Datadog Admin Role
- sl-techops-role (custom role)

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12 |
| datadog | >= 3.2.0 |

## Usage

### Create Standard User

```hcl
module "standard_user" {
  source = "./terraform-datadog-users"

  admin  = false
  name   = "John Doe"
  email  = "john.doe@example.com"
  handle = "john.doe@example.com"
  roles  = "normal"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}
```

### Create Admin User

```hcl
module "admin_user" {
  source = "./terraform-datadog-users"

  admin  = true
  name   = "Jane Admin"
  email  = "jane.admin@example.com"
  handle = "jane.admin@example.com"
  roles  = "admin"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}
```

## Inputs

| Name | Description | Type | Required | Default |
|------|-------------|------|----------|---------|
| `admin` | Is user an admin? | `bool` | no | `false` |
| `name` | Full name of user | `string` | no | `""` |
| `email` | Email address | `string` | no | `""` |
| `handle` | Handle/username | `string` | no | `""` |
| `roles` | Role assignment | `string` | no | `"normal"` |
| `datadog_api_key` | Datadog API key | `string` | yes | - |
| `datadog_app_key` | Datadog APP key | `string` | yes | - |

## Outputs

Currently, all outputs are commented out. No outputs are exported.

## Role Types

### Standard User (admin = false)

- **Role**: sl-techops-role
- **Permissions**: Limited read/write access
- **Use Case**: Regular team members, developers, operators

### Admin User (admin = true)

- **Role**: Datadog Admin Role
- **Permissions**: Full access to all Datadog features
- **Use Case**: Platform administrators, team leads

## Conditional Resource Creation

The module uses conditional `count` to create only one user type:

- If `admin = false`: Creates standard user
- If `admin = true`: Creates admin user

This ensures clean resource management and prevents duplicate user creation.

## Data Source Usage

The module uses data sources to look up role IDs:

```hcl
data "datadog_role" "standard_role" {
  filter = "Datadog Standard Role"
}

data "datadog_role" "admin_role" {
  filter = "Datadog Admin Role"
}

data "datadog_role" "techops_role" {
  filter = "sl-techops-role"
}
```

## Best Practices

1. **Email as Handle**: Use email address as handle for consistency
2. **Role Selection**: Choose appropriate role based on user responsibilities
3. **Module Calls**: Use module calls for each user (see terraform-datadog-users-sanoma)
4. **Centralized Management**: Keep all user definitions in one place

## Example: Multiple Users

```hcl
module "user_1" {
  source = "./terraform-datadog-users"

  admin  = false
  name   = "Alice Developer"
  email  = "alice@example.com"
  handle = "alice@example.com"
}

module "user_2" {
  source = "./terraform-datadog-users"

  admin  = true
  name   = "Bob Admin"
  email  = "bob@example.com"
  handle = "bob@example.com"
}
```

## Notes

- The handle field typically should match the email address
- Custom roles (like sl-techops-role) must exist in Datadog before use
- Role data sources fetch IDs dynamically at plan/apply time
- Outputs are currently disabled (commented out in outputs.tf)
- Module supports only two role tiers: standard and admin

## Limitations

- Fixed role assignments (standard vs admin only)
- No support for custom role assignment beyond sl-techops-role
- No team or group assignments
- Outputs are not available (commented out)

## Future Enhancements

Potential improvements:

- Support for multiple custom roles
- Team assignments
- Group memberships
- User permissions customization
- Output user IDs and metadata

## License

Internal use only - Sanoma/WeBuildYourCloud

## Authors

Created and maintained by the Platform Engineering team.
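
Because a single `admin = true` flag grants the Datadog Admin Role, a plan-time check on the admin tier described under Role Types is useful in review or CI. The following is an added example, not part of this module: it reads the JSON produced by `terraform show -json` and reports every `add_datadog_admin_user` resource being created or updated for an email outside an approved list. The function name, the allow-list and the sample plan are constructed for illustration.

```python
import json

# Resource name this README gives for the admin variant of the user.
ADMIN_RESOURCE_NAME = "add_datadog_admin_user"


def unapproved_admin_grants(plan, approved_admin_emails):
    """List (address, email) for admin users the plan creates or updates
    whose email is not in the approved set (hypothetical helper)."""
    approved = {e.strip().lower() for e in approved_admin_emails}
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "datadog_user" or rc.get("name") != ADMIN_RESOURCE_NAME:
            continue
        change = rc.get("change") or {}
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # no-op or delete: nobody gains the admin role
        # A missing or unknown email becomes "" and is reported (fail closed).
        email = ((change.get("after") or {}).get("email") or "").strip().lower()
        if email not in approved:
            findings.append((rc.get("address", "?"), email))
    return findings


# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.admin_user.datadog_user.add_datadog_admin_user[0]",
   "type": "datadog_user", "name": "add_datadog_admin_user",
   "change": {"actions": ["create"], "after": {"email": "jane.admin@example.com"}}},
  {"address": "module.user_2.datadog_user.add_datadog_admin_user[0]",
   "type": "datadog_user", "name": "add_datadog_admin_user",
   "change": {"actions": ["create"], "after": {"email": "Bob@example.com"}}},
  {"address": "module.standard_user.datadog_user.add_datadog_user[0]",
   "type": "datadog_user", "name": "add_datadog_user",
   "change": {"actions": ["create"], "after": {"email": "john.doe@example.com"}}},
  {"address": "module.old_admin.datadog_user.add_datadog_admin_user[0]",
   "type": "datadog_user", "name": "add_datadog_admin_user",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

if __name__ == "__main__":
    approved = {"jane.admin@example.com"}  # constructed allow-list
    for address, email in unapproved_admin_grants(SAMPLE_PLAN, approved):
        print(f"admin role not approved: {address} ({email or 'unknown email'})")
```

Matching on the resource name rather than on role IDs keeps the check independent of the IDs the role data sources resolve at plan time.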