# Terraform Datadog Users Module

## Overview

This Terraform module manages individual Datadog user accounts with role-based access control, supporting both standard users and administrators.

## Features

- **Role-Based Access**: Standard users vs. administrators
- **Conditional Creation**: Admin flag determines user type
- **Data Source Lookups**: Fetches role IDs from Datadog
- **Reusable Module**: Easy user provisioning via module calls

## Resources Created

- `datadog_user` (add_datadog_user): Standard user with sl-techops-role
- `datadog_user` (add_datadog_admin_user): Admin user with Datadog Admin Role

## Data Sources

The module queries Datadog for available roles:

- Standard Role
- Datadog Admin Role
- sl-techops-role (custom role)

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12 |
| datadog | >= 3.2.0 |

## Usage

### Create Standard User
```hcl
module "standard_user" {
  source = "./terraform-datadog-users"

  admin  = false
  name   = "John Doe"
  email  = "john.doe@example.com"
  handle = "john.doe@example.com"
  roles  = "normal"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}
```

### Create Admin User

```hcl
module "admin_user" {
  source = "./terraform-datadog-users"

  admin  = true
  name   = "Jane Admin"
  email  = "jane.admin@example.com"
  handle = "jane.admin@example.com"
  roles  = "admin"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}
```

## Inputs

| Name | Description | Type | Required | Default |
|------|-------------|------|----------|---------|
| `admin` | Is user an admin? | `bool` | no | `false` |
| `name` | Full name of user | `string` | no | `""` |
| `email` | Email address | `string` | no | `""` |
| `handle` | Handle/username | `string` | no | `""` |
| `roles` | Role assignment | `string` | no | `"normal"` |
| `datadog_api_key` | Datadog API key | `string` | yes | - |
| `datadog_app_key` | Datadog APP key | `string` | yes | - |

## Outputs

Currently, all outputs are commented out. No outputs are exported.

## Role Types

### Standard User (admin = false)

- **Role**: sl-techops-role
- **Permissions**: Limited read/write access
- **Use Case**: Regular team members, developers, operators

### Admin User (admin = true)

- **Role**: Datadog Admin Role
- **Permissions**: Full access to all Datadog features
- **Use Case**: Platform administrators, team leads

## Conditional Resource Creation

The module uses a conditional `count` to create only one user type:

- If `admin = false`: creates the standard user
- If `admin = true`: creates the admin user

This ensures clean resource management and prevents duplicate user creation.

## Data Source Usage

The module uses data sources to look up role IDs:

```hcl
data "datadog_role" "standard_role" {
  filter = "Datadog Standard Role"
}

data "datadog_role" "admin_role" {
  filter = "Datadog Admin Role"
}

data "datadog_role" "techops_role" {
  filter = "sl-techops-role"
}
```
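
The following is an added illustration of how the conditional `count` from the previous section and the role lookups above fit together in one module body. It is not the project's own `main.tf`/`variables.tf`: the input names and role filters are the ones documented on this page, but the `validation` block, the `sensitive` flags and the `user_id` output are assumptions showing what the module could look like. It assumes Terraform >= 0.14 (the page's minimum is 0.12; `sensitive = true` and `validation` need 0.14 and 0.13 respectively, so drop them on older versions) and Datadog provider >= 3.2.0.

```hcl
# Added illustration of the module internals; not the project's own code.
# Assumes Terraform >= 0.14 and the Datadog provider >= 3.2.0.

terraform {
  required_version = ">= 0.14"
  required_providers {
    datadog = {
      source  = "DataDog/datadog"
      version = ">= 3.2.0"
    }
  }
}

variable "admin" {
  description = "Is user an admin? Defaults to the least-privileged tier."
  type        = bool
  default     = false
}

variable "name" {
  type    = string
  default = ""
}

variable "email" {
  type    = string
  default = ""
}

variable "handle" {
  # Accepted for parity with the documented inputs. In provider v3 the
  # datadog_user resource identifies a user by email, so this illustration
  # does not pass it through (assumption; the Notes section says it should
  # match the email anyway).
  type    = string
  default = ""
}

variable "roles" {
  type    = string
  default = "normal"

  # Assumed guard: only the two documented tiers are accepted, so a typo
  # cannot silently produce an account with an unexpected role.
  validation {
    condition     = contains(["normal", "admin"], var.roles)
    error_message = "Value of roles must be \"normal\" or \"admin\"."
  }
}

# Sensitive keeps the keys out of plan output and CLI logs. They are still
# written to state, so the state backend must be access-controlled.
variable "datadog_api_key" {
  type      = string
  sensitive = true
}

variable "datadog_app_key" {
  type      = string
  sensitive = true
}

# Taking the keys as inputs implies the provider is configured inside the
# module. Note that Terraform >= 0.13 refuses count/for_each on a module
# that contains a provider block, so users are added with one call each.
provider "datadog" {
  api_key = var.datadog_api_key
  app_key = var.datadog_app_key
}

# Role lookups with the filters documented above. The standard_role lookup
# is omitted here because the standard tier is assigned sl-techops-role.
data "datadog_role" "admin_role" {
  filter = "Datadog Admin Role"
}

data "datadog_role" "techops_role" {
  filter = "sl-techops-role"
}

# Exactly one of the two resources gets count = 1, so a single module call
# can never create both a standard and an admin account for the same person.
resource "datadog_user" "add_datadog_user" {
  count = var.admin ? 0 : 1

  email = var.email
  name  = var.name
  roles = [data.datadog_role.techops_role.id]
}

resource "datadog_user" "add_datadog_admin_user" {
  count = var.admin ? 1 : 0

  email = var.email
  name  = var.name
  roles = [data.datadog_role.admin_role.id]
}

# Assumed output (the page's outputs are commented out). Concatenating the
# two splats is safe whichever resource has count = 0 and yields a
# one-element list holding the created user's ID.
output "user_id" {
  value = concat(
    datadog_user.add_datadog_user[*].id,
    datadog_user.add_datadog_admin_user[*].id
  )
}
```

Because `admin` defaults to `false`, a module call that omits it produces the least-privileged account; a reviewer only needs to look for explicit `admin = true` lines in a change to see where administrator access is being granted.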

## Best Practices

1. **Email as Handle**: Use the email address as the handle for consistency
2. **Role Selection**: Choose the appropriate role based on user responsibilities
3. **Module Calls**: Use one module call per user (see terraform-datadog-users-sanoma)
4. **Centralized Management**: Keep all user definitions in one place

## Example: Multiple Users

```hcl
module "user_1" {
  source = "./terraform-datadog-users"

  admin  = false
  name   = "Alice Developer"
  email  = "alice@example.com"
  handle = "alice@example.com"

  # Required inputs (see the Inputs table)
  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}

module "user_2" {
  source = "./terraform-datadog-users"

  admin  = true
  name   = "Bob Admin"
  email  = "bob@example.com"
  handle = "bob@example.com"

  datadog_api_key = var.datadog_api_key
  datadog_app_key = var.datadog_app_key
}
```

## Notes

- The handle field should typically match the email address
- Custom roles (like sl-techops-role) must exist in Datadog before use
- Role data sources fetch IDs dynamically at plan/apply time
- Outputs are currently disabled (commented out in outputs.tf)
- The module supports only two role tiers: standard and admin

## Limitations

- Fixed role assignments (standard vs. admin only)
- No support for custom role assignment beyond sl-techops-role
- No team or group assignments
- Outputs are not available (commented out)

## Future Enhancements

Potential improvements:

- Support for multiple custom roles
- Team assignments
- Group memberships
- User permissions customization
- Output user IDs and metadata

## License

Internal use only - Sanoma/WeBuildYourCloud

## Authors

Created and maintained by the Platform Engineering team.