feat(aws): rework AWS integration for Datadog

Author: BzSpi

cloud/aws/README.md

@@ -7,24 +7,27 @@ module "datadog-integrations-cloud-aws" {
   source      = "claranet/integrations/datadog//cloud/aws"
   version     = "{revision}"
 
-  aws_account = var.aws_account
+  aws_account_id = var.aws_account
+  env            = var.environment
 }
 
 ```
 
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.31 |
-| <a name="requirement_datadog"></a> [datadog](#requirement\_datadog) | >= 3.0.0 |
+| terraform | >= 1.11 |
+| aws | >= 6.0.0 |
+| datadog | >= 3.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
-| <a name="provider_datadog"></a> [datadog](#provider\_datadog) | >= 3.0.0 |
+| aws | >= 6.0.0 |
+| datadog | >= 3.0.0 |
 
 ## Modules
 
@@ -37,59 +40,26 @@ No modules.
 | [aws_iam_policy.dd_integration_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy_attachment.allow_dd_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
 | [aws_iam_role.dd_integration_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [datadog_integration_aws.datadog_integration_aws](https://registry.terraform.io/providers/Datadog/datadog/latest/docs/resources/integration_aws) | resource |
+| [datadog_integration_aws_account.main](https://registry.terraform.io/providers/Datadog/datadog/latest/docs/resources/integration_aws_account) | resource |
 | [aws_iam_policy_document.datadog_integration_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.dd_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [datadog_integration_aws_external_id.main](https://registry.terraform.io/providers/Datadog/datadog/latest/docs/data-sources/integration_aws_external_id) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_specific_namespace_rules"></a> [account\_specific\_namespace\_rules](#input\_account\_specific\_namespace\_rules) | Namespaces to limit metric collection for datadog aws integration | `map` | `{}` | no |
-| <a name="input_aws_account"></a> [aws\_account](#input\_aws\_account) | n/a | `any` | n/a | yes |
-| <a name="input_datadog_aws_account_id"></a> [datadog\_aws\_account\_id](#input\_datadog\_aws\_account\_id) | AWS account\_id of Datadog | `string` | `"464622532012"` | no |
-| <a name="input_filter_tags"></a> [filter\_tags](#input\_filter\_tags) | Filters tags to limit metrics collection on EC2 for datadog aws integration | `list` | <pre>[<br>  "dd_monitoring:enabled"<br>]</pre> | no |
-| <a name="input_host_tags"></a> [host\_tags](#input\_host\_tags) | Tags to add all metrics retrieved from the datadog aws integration | `list` | `[]` | no |
+| aws\_account\_id | AWS account configuration for Datadog integration | `string` | n/a | yes |
+| aws\_iam\_role\_enabled | Enable IAM role deployment for Datadog AWS integration | `bool` | `false` | no |
+| datadog\_aws\_account\_id | AWS account\_id of Datadog | `string` | `"464622532012"` | no |
+| env | Environment configuration for Datadog integration | `string` | n/a | yes |
+| metrics\_config | Metrics configuration for Datadog AWS integration | <pre>object({<br>    automute_enabled : optional(bool, true),<br>    collect_cloudwatch_alarms : optional(bool, false),<br>    collect_custom_metrics : optional(bool, false),<br>    enabled : optional(bool, true),<br>    namespace_filters : optional(object({<br>      exclude_only : optional(list(string), null),<br>      include_only : optional(list(string), null),<br>      }), {<br>      exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"]<br>    }),<br>    tag_filters : optional(object({<br>      namespace : string,<br>      tags : list(string),<br>      }), {<br>      namespace = "AWS/EC2"<br>      tags      = ["dd_monitored:true"]<br>    }),<br>  })</pre> | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_aws_role_arn"></a> [aws\_role\_arn](#output\_aws\_role\_arn) | The role ARN of the DataDog integration |
-| <a name="output_aws_role_name"></a> [aws\_role\_name](#output\_aws\_role\_name) | The IAM role name of the DataDog integration |
-## Related documentation
-
-DataDog documentation: [https://docs.datadoghq.com/integrations/amazon_web_services/#setup](https://docs.datadoghq.com/integrations/amazon_web_services/#setup)
-
-## Requirements
-
-You need to configure you AWS provider.
-Credentials could be set in your `terraform.tfvars`.
-
-```
-variable "aws_region" {
-  type = string
-}
-
-variable "aws_account" {
-  type = string
-}
-
-variable "aws_access_key" {
-}
-
-variable "aws_secret_key" {
-}
-
-variable "aws_token" {
-}
-
-provider "aws" {
-  region     = var.aws_region
-  access_key = var.aws_access_key
-  secret_key = var.aws_secret_key
-  token      = var.aws_token
-}
-
-```
-
+| aws\_integration\_id | The ID of the DataDog AWS integration |
+| aws\_role\_arn | The role ARN of the DataDog integration |
+| aws\_role\_name | The IAM role name of the DataDog integration |
+<!-- END_TF_DOCS -->

cloud/aws/inputs.tf

@@ -1,4 +1,3 @@
 locals {
   role_name = "DatadogAWSIntegrationRole"
 }
-

cloud/aws/integrations-aws.tf

@@ -1,10 +1,14 @@
 output "aws_role_arn" {
   description = "The role ARN of the DataDog integration"
-  value       = aws_iam_role.dd_integration_role.arn
+  value       = try(aws_iam_role.dd_integration_role.arn, null)
 }
 
 output "aws_role_name" {
   description = "The IAM role name of the DataDog integration"
-  value       = aws_iam_role.dd_integration_role.name
+  value       = try(aws_iam_role.dd_integration_role.name, null)
 }
 
+output "aws_integration_id" {
+  description = "The ID of the DataDog AWS integration"
+  value       = datadog_integration_aws_account.main.id
+}

cloud/aws/locals.tf

@@ -1,9 +1,68 @@
+data "datadog_integration_aws_external_id" "main" {
+  aws_account_id = var.aws_account_id
+
+  lifecycle {
+    enabled = var.aws_iam_role_enabled
+  }
+}
+
+resource "aws_iam_role" "dd_integration_role" {
+  name        = local.role_name
+  description = "Datadog AWS Integration Role according to https://docs.datadoghq.com/integrations/aws"
+
+  assume_role_policy = data.aws_iam_policy_document.dd_trust_relationship.json
+
+  lifecycle {
+    enabled = var.aws_iam_role_enabled
+  }
+}
+
+data "aws_iam_policy_document" "dd_trust_relationship" {
+  statement {
+    sid     = "DatadogAWSTrustRelationship"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "arn:aws:iam::${var.datadog_aws_account_id}:root",
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      values   = [data.datadog_integration_aws_external_id.main.external_id]
+      variable = "sts:ExternalId"
+    }
+  }
+
+  lifecycle {
+    enabled = var.aws_iam_role_enabled
+  }
+}
+
+resource "aws_iam_policy_attachment" "allow_dd_role" {
+  name       = "Allow Datadog PolicyAccess via Role"
+  roles      = [aws_iam_role.dd_integration_role.name]
+  policy_arn = aws_iam_policy.dd_integration_policy.arn
+
+  lifecycle {
+    enabled = var.aws_iam_role_enabled
+  }
+}
+
 resource "aws_iam_policy" "dd_integration_policy" {
   name        = "DatadogAWSIntegrationPolicy"
   path        = "/"
   description = "Datadog integration policy according to https://docs.datadoghq.com/integrations/aws/"
 
   policy = data.aws_iam_policy_document.datadog_integration_policy.json
+
+  lifecycle {
+    enabled = var.aws_iam_role_enabled
+  }
 }
 
 data "aws_iam_policy_document" "datadog_integration_policy" {
@@ -12,6 +71,7 @@ data "aws_iam_policy_document" "datadog_integration_policy" {
     effect = "Allow"
 
     actions = [
+      "account:GetAccountInformation",
       "apigateway:GET",
       "autoscaling:Describe*",
       "budgets:ViewBudget",
@@ -84,5 +144,8 @@ data "aws_iam_policy_document" "datadog_integration_policy" {
 
     resources = ["*"]
   }
-}
 
+  lifecycle {
+    enabled = var.aws_iam_role_enabled
+  }
+}

cloud/aws/outputs.tf

@@ -0,0 +1,44 @@
+resource "datadog_integration_aws_account" "main" {
+  account_tags   = ["env:${var.env}"]
+  aws_account_id = var.aws_account_id
+  aws_partition  = "aws"
+
+  aws_regions {
+    include_all = true
+  }
+
+  auth_config {
+    aws_auth_config_role {
+      role_name = local.role_name
+    }
+  }
+
+  metrics_config {
+    automute_enabled          = var.metrics_config.automute_enabled
+    collect_cloudwatch_alarms = var.metrics_config.collect_cloudwatch_alarms
+    collect_custom_metrics    = var.metrics_config.collect_custom_metrics
+    enabled                   = var.metrics_config.enabled
+    namespace_filters {
+      exclude_only = var.metrics_config.namespace_filters.exclude_only
+      include_only = var.metrics_config.namespace_filters.include_only
+    }
+    dynamic "tag_filters" {
+      for_each = var.metrics_config.tag_filters[*]
+      content {
+        namespace = tag_filters.value.namespace
+        tags      = tag_filters.value.tags
+      }
+    }
+  }
+
+  resources_config {
+    extended_collection = false
+  }
+
+  logs_config {
+    lambda_forwarder {}
+  }
+  traces_config {
+    xray_services {}
+  }
+}

cloud/aws/policy.tf cloud/aws/r-aws-iam.tfcloud/aws/policy.tf renamed to cloud/aws/r-aws-iam.tf

@@ -0,0 +1,45 @@
+variable "aws_account_id" {
+  description = "AWS account configuration for Datadog integration"
+  type        = string
+}
+
+variable "env" {
+  description = "Environment configuration for Datadog integration"
+  type        = string
+}
+
+variable "datadog_aws_account_id" {
+  description = "AWS account_id of Datadog"
+  type        = string
+  default     = "464622532012"
+}
+
+variable "metrics_config" {
+  description = "Metrics configuration for Datadog AWS integration"
+  type = object({
+    automute_enabled : optional(bool, true),
+    collect_cloudwatch_alarms : optional(bool, false),
+    collect_custom_metrics : optional(bool, false),
+    enabled : optional(bool, true),
+    namespace_filters : optional(object({
+      exclude_only : optional(list(string), null),
+      include_only : optional(list(string), null),
+      }), {
+      exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"]
+    }),
+    tag_filters : optional(object({
+      namespace : string,
+      tags : list(string),
+      }), {
+      namespace = "AWS/EC2"
+      tags      = ["dd_monitored:true"]
+    }),
+  })
+  default = {}
+}
+
+variable "aws_iam_role_enabled" {
+  description = "Enable IAM role deployment for Datadog AWS integration"
+  type        = bool
+  default     = false
+}