From a870a45f07ce241726dd305deca7b03873631bde Mon Sep 17 00:00:00 2001 From: Laurent Piroelle Date: Mon, 5 Jan 2026 16:48:11 +0100 Subject: [PATCH 1/7] feat(aws): rework AWS integration for Datadog --- cloud/aws/README.md | 68 ++++++++------------------- cloud/aws/inputs.tf | 24 ---------- cloud/aws/integrations-aws.tf | 8 ---- cloud/aws/locals.tf | 1 - cloud/aws/outputs.tf | 8 +++- cloud/aws/{policy.tf => r-aws-iam.tf} | 65 ++++++++++++++++++++++++- cloud/aws/r-integration.tf | 44 +++++++++++++++++ cloud/aws/role.tf | 35 -------------- cloud/aws/test.tf.ci | 20 -------- cloud/aws/variables.tf | 45 ++++++++++++++++++ cloud/aws/versions.tf | 6 +-- 11 files changed, 181 insertions(+), 143 deletions(-) delete mode 100644 cloud/aws/inputs.tf delete mode 100644 cloud/aws/integrations-aws.tf rename cloud/aws/{policy.tf => r-aws-iam.tf} (63%) create mode 100644 cloud/aws/r-integration.tf delete mode 100644 cloud/aws/role.tf delete mode 100644 cloud/aws/test.tf.ci create mode 100644 cloud/aws/variables.tf diff --git a/cloud/aws/README.md b/cloud/aws/README.md index f867cce..bba1a0c 100644 --- a/cloud/aws/README.md +++ b/cloud/aws/README.md @@ -7,24 +7,27 @@ module "datadog-integrations-cloud-aws" { source = "claranet/integrations/datadog//cloud/aws" version = "{revision}" - aws_account = var.aws_account + aws_account_id = var.aws_account + env = var.environment } ``` + ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.31 | -| [datadog](#requirement\_datadog) | >= 3.0.0 | +| terraform | >= 1.11 | +| aws | >= 6.0.0 | +| datadog | >= 3.0.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | -| [datadog](#provider\_datadog) | >= 3.0.0 | +| aws | >= 6.0.0 | +| datadog | >= 3.0.0 | ## Modules 
@@ -37,59 +40,26 @@ No modules. | [aws_iam_policy.dd_integration_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_attachment.allow_dd_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | | [aws_iam_role.dd_integration_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [datadog_integration_aws.datadog_integration_aws](https://registry.terraform.io/providers/Datadog/datadog/latest/docs/resources/integration_aws) | resource | +| [datadog_integration_aws_account.main](https://registry.terraform.io/providers/Datadog/datadog/latest/docs/resources/integration_aws_account) | resource | | [aws_iam_policy_document.datadog_integration_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.dd_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [datadog_integration_aws_external_id.main](https://registry.terraform.io/providers/Datadog/datadog/latest/docs/data-sources/integration_aws_external_id) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [account\_specific\_namespace\_rules](#input\_account\_specific\_namespace\_rules) | Namespaces to limit metric collection for datadog aws integration | `map` | `{}` | no | -| [aws\_account](#input\_aws\_account) | n/a | `any` | n/a | yes | -| [datadog\_aws\_account\_id](#input\_datadog\_aws\_account\_id) | AWS account\_id of Datadog | `string` | `"464622532012"` | no | -| [filter\_tags](#input\_filter\_tags) | Filters tags to limit metrics collection on EC2 for datadog aws integration | `list` |
[
"dd_monitoring:enabled"
]
| no | -| [host\_tags](#input\_host\_tags) | Tags to add all metrics retrieved from the datadog aws integration | `list` | `[]` | no | +| aws\_account\_id | AWS account configuration for Datadog integration | `string` | n/a | yes | +| aws\_iam\_role\_enabled | Enable IAM role deployment for Datadog AWS integration | `bool` | `false` | no | +| datadog\_aws\_account\_id | AWS account\_id of Datadog | `string` | `"464622532012"` | no | +| env | Environment configuration for Datadog integration | `string` | n/a | yes | +| metrics\_config | Metrics configuration for Datadog AWS integration |
object({
automute_enabled : optional(bool, true),
collect_cloudwatch_alarms : optional(bool, false),
collect_custom_metrics : optional(bool, false),
enabled : optional(bool, true),
namespace_filters : optional(object({
exclude_only : optional(list(string), null),
include_only : optional(list(string), null),
}), {
exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"]
}),
tag_filters : optional(object({
namespace : string,
tags : list(string),
}), {
namespace = "AWS/EC2"
tags = ["dd_monitored:true"]
}),
})
| `{}` | no | ## Outputs | Name | Description | |------|-------------| -| [aws\_role\_arn](#output\_aws\_role\_arn) | The role ARN of the DataDog integration | -| [aws\_role\_name](#output\_aws\_role\_name) | The IAM role name of the DataDog integration | -## Related documentation - -DataDog documentation: [https://docs.datadoghq.com/integrations/amazon_web_services/#setup](https://docs.datadoghq.com/integrations/amazon_web_services/#setup) - -## Requirements - -You need to configure you AWS provider. -Credentials could be set in your `terraform.tfvars`. - -``` -variable "aws_region" { - type = string -} - -variable "aws_account" { - type = string -} - -variable "aws_access_key" { -} - -variable "aws_secret_key" { -} - -variable "aws_token" { -} - -provider "aws" { - region = var.aws_region - access_key = var.aws_access_key - secret_key = var.aws_secret_key - token = var.aws_token -} - -``` - +| aws\_integration\_id | The ID of the DataDog AWS integration | +| aws\_role\_arn | The role ARN of the DataDog integration | +| aws\_role\_name | The IAM role name of the DataDog integration | + \ No newline at end of file diff --git a/cloud/aws/inputs.tf b/cloud/aws/inputs.tf deleted file mode 100644 index 77279d1..0000000 --- a/cloud/aws/inputs.tf +++ /dev/null @@ -1,24 +0,0 @@ -variable "aws_account" { -} - -variable "datadog_aws_account_id" { - description = "AWS account_id of Datadog" - type = string - default = "464622532012" -} - -variable "filter_tags" { - description = "Filters tags to limit metrics collection on EC2 for datadog aws integration" - default = ["dd_monitoring:enabled"] -} - -variable "host_tags" { - description = "Tags to add all metrics retrieved from the datadog aws integration" - default = [] -} - -variable "account_specific_namespace_rules" { - description = "Namespaces to limit metric collection for datadog aws integration" - default = {} -} - 
diff --git a/cloud/aws/integrations-aws.tf b/cloud/aws/integrations-aws.tf deleted file mode 100644 index 01f9506..0000000 --- a/cloud/aws/integrations-aws.tf +++ /dev/null @@ -1,8 +0,0 @@ -resource "datadog_integration_aws" "datadog_integration_aws" { - account_id = var.aws_account - role_name = local.role_name - filter_tags = var.filter_tags - host_tags = var.host_tags - account_specific_namespace_rules = var.account_specific_namespace_rules -} - diff --git a/cloud/aws/locals.tf b/cloud/aws/locals.tf index a24824a..491a4b7 100644 --- a/cloud/aws/locals.tf +++ b/cloud/aws/locals.tf @@ -1,4 +1,3 @@ locals { role_name = "DatadogAWSIntegrationRole" } - diff --git a/cloud/aws/outputs.tf b/cloud/aws/outputs.tf index 4a3b5de..ea99b93 100644 --- a/cloud/aws/outputs.tf +++ b/cloud/aws/outputs.tf @@ -1,10 +1,14 @@ output "aws_role_arn" { description = "The role ARN of the DataDog integration" - value = aws_iam_role.dd_integration_role.arn + value = try(aws_iam_role.dd_integration_role.arn, null) } output "aws_role_name" { description = "The IAM role name of the DataDog integration" - value = aws_iam_role.dd_integration_role.name + value = try(aws_iam_role.dd_integration_role.name, null) } +output "aws_integration_id" { + description = "The ID of the DataDog AWS integration" + value = datadog_integration_aws_account.main.id +} diff --git a/cloud/aws/policy.tf b/cloud/aws/r-aws-iam.tf similarity index 63% rename from cloud/aws/policy.tf rename to cloud/aws/r-aws-iam.tf index 700e12f..a57b2ed 100644 --- a/cloud/aws/policy.tf +++ b/cloud/aws/r-aws-iam.tf 
@@ -1,9 +1,68 @@ +data "datadog_integration_aws_external_id" "main" { + aws_account_id = var.aws_account_id + + lifecycle { + enabled = var.aws_iam_role_enabled + } +} + +resource "aws_iam_role" "dd_integration_role" { + name = local.role_name + description = "Datadog AWS Integration Role according to https://docs.datadoghq.com/integrations/aws" + + assume_role_policy = data.aws_iam_policy_document.dd_trust_relationship.json + + lifecycle { + enabled = var.aws_iam_role_enabled + } +} + +data "aws_iam_policy_document" "dd_trust_relationship" { + statement { + sid = "DatadogAWSTrustRelationship" + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + + identifiers = [ + "arn:aws:iam::${var.datadog_aws_account_id}:root", + ] + } + + condition { + test = "StringEquals" + values = [data.datadog_integration_aws_external_id.main.external_id] + variable = "sts:ExternalId" + } + } + + lifecycle { + enabled = var.aws_iam_role_enabled + } +} + +resource "aws_iam_policy_attachment" "allow_dd_role" { + name = "Allow Datadog PolicyAccess via Role" + roles = [aws_iam_role.dd_integration_role.name] + policy_arn = aws_iam_policy.dd_integration_policy.arn + + lifecycle { + enabled = var.aws_iam_role_enabled + } +} + resource "aws_iam_policy" "dd_integration_policy" { name = "DatadogAWSIntegrationPolicy" path = "/" description = "Datadog integration policy according to https://docs.datadoghq.com/integrations/aws/" policy = data.aws_iam_policy_document.datadog_integration_policy.json + + lifecycle { + enabled = var.aws_iam_role_enabled + } } data "aws_iam_policy_document" "datadog_integration_policy" { @@ -12,6 +71,7 @@ data "aws_iam_policy_document" "datadog_integration_policy" { effect = "Allow" actions = [ + "account:GetAccountInformation", "apigateway:GET", "autoscaling:Describe*", "budgets:ViewBudget", 
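Review bot: `aws_iam_policy_attachment.allow_dd_role` is the exclusive attachment resource — on every apply it detaches `dd_integration_policy` from any role, user or group not listed in `roles` — and the same resource type is reused in patch 3 for the AWS-managed `SecurityAudit` policy (`allow_security_audit_policy`), where it would strip `SecurityAudit` from every other principal in the account that already carries it. `aws_iam_role_policy_attachment` binds to this role only and is the safer choice for both: `resource "aws_iam_role_policy_attachment" "allow_dd_role" { role = aws_iam_role.dd_integration_role.name  policy_arn = aws_iam_policy.dd_integration_policy.arn }` (the `name` argument has no equivalent and simply goes away). Separately, if I read the Terraform release notes correctly the `enabled` argument inside `lifecycle` arrived after 1.11, so the `required_version = ">= 1.11"` set in versions.tf in this same patch may be too low — worth confirming and bumping to the first release that supports it.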
@@ -84,5 +144,8 @@ data "aws_iam_policy_document" "datadog_integration_policy" { resources = ["*"] } -} + lifecycle { + enabled = var.aws_iam_role_enabled + } +} diff --git a/cloud/aws/r-integration.tf b/cloud/aws/r-integration.tf new file mode 100644 index 0000000..49a48b9 --- /dev/null +++ b/cloud/aws/r-integration.tf @@ -0,0 +1,44 @@ +resource "datadog_integration_aws_account" "main" { + account_tags = ["env:${var.env}"] + aws_account_id = var.aws_account_id + aws_partition = "aws" + + aws_regions { + include_all = true + } + + auth_config { + aws_auth_config_role { + role_name = local.role_name + } + } + + metrics_config { + automute_enabled = var.metrics_config.automute_enabled + collect_cloudwatch_alarms = var.metrics_config.collect_cloudwatch_alarms + collect_custom_metrics = var.metrics_config.collect_custom_metrics + enabled = var.metrics_config.enabled + namespace_filters { + exclude_only = var.metrics_config.namespace_filters.exclude_only + include_only = var.metrics_config.namespace_filters.include_only + } + dynamic "tag_filters" { + for_each = var.metrics_config.tag_filters[*] + content { + namespace = tag_filters.value.namespace + tags = tag_filters.value.tags + } + } + } + + resources_config { + extended_collection = false + } + + logs_config { + lambda_forwarder {} + } + traces_config { + xray_services {} + } +} diff --git a/cloud/aws/role.tf b/cloud/aws/role.tf deleted file mode 100644 index 47e22a4..0000000 --- a/cloud/aws/role.tf +++ /dev/null 
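Review bot: `role_name = local.role_name` under `auth_config.aws_auth_config_role` is set unconditionally, while the role itself is only created when `var.aws_iam_role_enabled` is true (default `false` in this patch), so by default the integration points at a role the module never creates and presumably cannot be assumed unless the caller has pre-created one with exactly that name, trusting the Datadog account with the external ID from `data.datadog_integration_aws_external_id`. That contract is stated nowhere; a comment on the `role_name` line such as `# When aws_iam_role_enabled is false, a role with this exact name must already exist and trust Datadog with the external_id data source's value` and the same sentence in the variable description would capture it. Also, replacing `datadog_integration_aws` with `datadog_integration_aws_account` cannot be expressed with a `moved` block, so existing users get a destroy-and-create of the integration on upgrade; the README should say so.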
@@ -1,35 +0,0 @@ -resource "aws_iam_role" "dd_integration_role" { - name = local.role_name - description = "Datadog AWS Integration Role according to https://docs.datadoghq.com/integrations/aws" - - assume_role_policy = data.aws_iam_policy_document.dd_trust_relationship.json -} - -data "aws_iam_policy_document" "dd_trust_relationship" { - statement { - sid = "DatadogAWSTrustRelationship" - effect = "Allow" - actions = ["sts:AssumeRole"] - - principals { - type = "AWS" - - identifiers = [ - "arn:aws:iam::${var.datadog_aws_account_id}:root", - ] - } - - condition { - test = "StringEquals" - values = [datadog_integration_aws.datadog_integration_aws.external_id] - variable = "sts:ExternalId" - } - } -} - -resource "aws_iam_policy_attachment" "allow_dd_role" { - name = "Allow Datadog PolicyAccess via Role" - roles = [aws_iam_role.dd_integration_role.name] - policy_arn = aws_iam_policy.dd_integration_policy.arn -} - diff --git a/cloud/aws/test.tf.ci b/cloud/aws/test.tf.ci deleted file mode 100644 index 0db7bdf..0000000 --- a/cloud/aws/test.tf.ci +++ /dev/null @@ -1,20 +0,0 @@ -variable "aws_region" { - type = string -} - -variable "aws_access_key" { -} - -variable "aws_secret_key" { -} - -variable "aws_token" { -} - -provider "aws" { - region = var.aws_region - access_key = var.aws_access_key - secret_key = var.aws_secret_key - token = var.aws_token -} - diff --git a/cloud/aws/variables.tf b/cloud/aws/variables.tf new file mode 100644 index 0000000..8edad2b --- /dev/null +++ b/cloud/aws/variables.tf 
@@ -0,0 +1,45 @@ +variable "aws_account_id" { + description = "AWS account configuration for Datadog integration" + type = string +} + +variable "env" { + description = "Environment configuration for Datadog integration" + type = string +} + +variable "datadog_aws_account_id" { + description = "AWS account_id of Datadog" + type = string + default = "464622532012" +} + +variable "metrics_config" { + description = "Metrics configuration for Datadog AWS integration" + type = object({ + automute_enabled : optional(bool, true), + collect_cloudwatch_alarms : optional(bool, false), + collect_custom_metrics : optional(bool, false), + enabled : optional(bool, true), + namespace_filters : optional(object({ + exclude_only : optional(list(string), null), + include_only : optional(list(string), null), + }), { + exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"] + }), + tag_filters : optional(object({ + namespace : string, + tags : list(string), + }), { + namespace = "AWS/EC2" + tags = ["dd_monitored:true"] + }), + }) + default = {} +} + +variable "aws_iam_role_enabled" { + description = "Enable IAM role deployment for Datadog AWS integration" + type = bool + default = false +} diff --git a/cloud/aws/versions.tf b/cloud/aws/versions.tf index eec8740..6292f89 100644 --- a/cloud/aws/versions.tf +++ b/cloud/aws/versions.tf @@ -1,11 +1,11 @@ terraform { - required_version = ">= 0.12.31" + required_version = ">= 1.11" required_providers { aws = { - source = "hashicorp/aws" + source = "hashicorp/aws" + version = ">= 6.0.0" } - datadog = { source = "Datadog/datadog" version = ">= 3.0.0" From c1d14c87f71e6bbc80182f052e24961ff91de762 Mon Sep 17 00:00:00 2001 From: Laurent Piroelle Date: Tue, 6 Jan 2026 14:15:29 +0100 Subject: [PATCH 2/7] feat(aws): update policy --- cloud/aws/r-aws-iam.tf | 51 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 45 insertions(+), 6 deletions(-) diff --git a/cloud/aws/r-aws-iam.tf b/cloud/aws/r-aws-iam.tf index a57b2ed..1e6754e 100644 
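Review bot: `aws_account_id` and `datadog_aws_account_id` are bare `string` inputs with no validation, yet the second is interpolated straight into the trust-policy principal `arn:aws:iam::${var.datadog_aws_account_id}:root` in r-aws-iam.tf, so a transposed digit yields a role that trusts some other existing account and IAM will accept it. A 12-digit check rejects that class of mistake at plan time. The description "AWS account configuration for Datadog integration" also does not say what the value is; `description = "ID of the AWS account to integrate with Datadog"` would.
```hcl
variable "aws_account_id" {
  description = "ID of the AWS account to integrate with Datadog"
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}

# … unchanged: env, metrics_config, aws_iam_role_enabled …

variable "datadog_aws_account_id" {
  description = "AWS account_id of Datadog"
  type        = string
  default     = "464622532012"

  validation {
    condition     = can(regex("^[0-9]{12}$", var.datadog_aws_account_id))
    error_message = "datadog_aws_account_id must be a 12-digit AWS account ID."
  }
}
```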
--- a/cloud/aws/r-aws-iam.tf +++ b/cloud/aws/r-aws-iam.tf @@ -65,6 +65,7 @@ resource "aws_iam_policy" "dd_integration_policy" { } } +# Required permissions documented at https://docs.datadoghq.com/integrations/amazon-web-services/#aws-iam-permissions data "aws_iam_policy_document" "datadog_integration_policy" { statement { sid = "DatadogAWSIntegration" @@ -72,24 +73,43 @@ data "aws_iam_policy_document" "datadog_integration_policy" { actions = [ "account:GetAccountInformation", + "airflow:GetEnvironment", + "airflow:ListEnvironments", "apigateway:GET", + "appsync:ListGraphqlApis", "autoscaling:Describe*", + "backup:List*", + "batch:DescribeJobDefinitions", + "batch:DescribeJobQueues", + "batch:DescribeJobs", + "batch:ListJobs", + "bcm-data-exports:GetExport", + "bcm-data-exports:ListExports", "budgets:ViewBudget", "cloudfront:GetDistributionConfig", "cloudfront:ListDistributions", "cloudtrail:DescribeTrails", + "cloudtrail:GetTrail", "cloudtrail:GetTrailStatus", + "cloudtrail:ListTrails", + "cloudtrail:LookupEvents", "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*", + "codebuild:BatchGetProjects", + "codebuild:ListProjects", "codedeploy:BatchGet*", "codedeploy:List*", + "cur:DescribeReportDefinitions", "directconnect:Describe*", + "dms:DescribeReplicationInstances", "dynamodb:Describe*", "dynamodb:List*", "ec2:Describe*", "ecs:Describe*", "ecs:List*", + "eks:DescribeCluster", + "eks:ListClusters", "elasticache:Describe*", "elasticache:List*", "elasticfilesystem:DescribeAccessPoints", 
@@ -101,27 +121,39 @@ data "aws_iam_policy_document" "datadog_integration_policy" { "es:DescribeElasticsearchDomains", "es:ListDomainNames", "es:ListTags", + "events:CreateEventBus", + "fsx:DescribeFileSystems", + "fsx:ListTagsForResource", "health:DescribeAffectedEntities", "health:DescribeEventDetails", "health:DescribeEvents", + "iam:ListAccountAliases", "kinesis:Describe*", "kinesis:List*", - "lambda:AddPermission", - "lambda:GetPolicy", "lambda:List*", - "lambda:RemovePermission", "logs:DeleteSubscriptionFilter", - "logs:Describe*", + "logs:DescribeDeliveries", + "logs:DescribeDeliverySources", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", "logs:DescribeSubscriptionFilters", "logs:FilterLogEvents", - "logs:Get*", + "logs:GetDeliveryDestination", "logs:PutSubscriptionFilter", "logs:TestMetricFilter", + "network-firewall:DescribeLoggingConfiguration", + "network-firewall:ListFirewalls", + "oam:ListAttachedLinks", + "oam:ListSinks", + "organizations:Describe*", + "organizations:List*", "rds:Describe*", "rds:List*", + "redshift-serverless:ListNamespaces", "redshift:DescribeClusters", "redshift:DescribeLoggingStatus", "route53:List*", + "route53resolver:ListResolverQueryLogConfigs", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketNotification", @@ -129,15 +161,22 @@ data "aws_iam_policy_document" "datadog_integration_policy" { "s3:ListAllMyBuckets", "s3:PutBucketNotification", "ses:Get*", + "ses:List*", + "sns:GetSubscriptionAttributes", "sns:List*", "sns:Publish", "sqs:ListQueues", + "ssm:GetServiceSetting", + "ssm:ListCommands", "states:DescribeStateMachine", "states:ListStateMachines", - "support:*", + "support:DescribeTrustedAdvisor*", + "support:RefreshTrustedAdvisorCheck", "tag:GetResources", "tag:GetTagKeys", "tag:GetTagValues", + "timestream:DescribeEndpoints", + "wafv2:ListLoggingConfigurations", "xray:BatchGetTraces", "xray:GetTraceSummaries", ] From 9e85f425c85bbaefe9d10cd8cbe826e5878bad61 Mon Sep 17 00:00:00 2001 
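Review bot: the narrowing of `support:*` and the removal of `lambda:AddPermission`/`lambda:RemovePermission` are good, but the statement (still on `resources = ["*"]`) keeps and adds mutating actions — `events:CreateEventBus` is new here, alongside `logs:PutSubscriptionFilter`, `logs:DeleteSubscriptionFilter`, `s3:PutBucketNotification` and `sns:Publish` — and nothing in the file tells a reviewer why a metrics integration may write. Presumably they come from the log-forwarding section of the permissions page linked in the new comment; a line above the block such as `# Write actions (events:CreateEventBus, logs:*SubscriptionFilter, s3:PutBucketNotification, sns:Publish) exist only for Datadog log forwarding setup` would make that reviewable and invites a later split behind a variable. The new `organizations:Describe*`/`organizations:List*` wildcards expose the whole organization structure when the role lives in a management account; worth confirming they are needed for the features this module enables.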
From: Laurent Piroelle Date: Tue, 6 Jan 2026 14:31:49 +0100 Subject: [PATCH 3/7] feat(aws): resource collection --- cloud/aws/README.md | 2 ++ cloud/aws/r-aws-iam.tf | 10 ++++++++++ cloud/aws/r-integration.tf | 2 +- cloud/aws/variables.tf | 6 ++++++ 4 files changed, 19 insertions(+), 1 deletion(-) diff --git a/cloud/aws/README.md b/cloud/aws/README.md index bba1a0c..ee9b60a 100644 --- a/cloud/aws/README.md +++ b/cloud/aws/README.md @@ -39,6 +39,7 @@ No modules. |------|------| | [aws_iam_policy.dd_integration_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_attachment.allow_dd_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_policy_attachment.allow_security_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | | [aws_iam_role.dd_integration_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [datadog_integration_aws_account.main](https://registry.terraform.io/providers/Datadog/datadog/latest/docs/resources/integration_aws_account) | resource | | [aws_iam_policy_document.datadog_integration_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -54,6 +55,7 @@ No modules. | datadog\_aws\_account\_id | AWS account\_id of Datadog | `string` | `"464622532012"` | no | | env | Environment configuration for Datadog integration | `string` | n/a | yes | | metrics\_config | Metrics configuration for Datadog AWS integration |
object({
automute_enabled : optional(bool, true),
collect_cloudwatch_alarms : optional(bool, false),
collect_custom_metrics : optional(bool, false),
enabled : optional(bool, true),
namespace_filters : optional(object({
exclude_only : optional(list(string), null),
include_only : optional(list(string), null),
}), {
exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"]
}),
tag_filters : optional(object({
namespace : string,
tags : list(string),
}), {
namespace = "AWS/EC2"
tags = ["dd_monitored:true"]
}),
})
| `{}` | no | +| resource\_collection\_enabled | Enable resource collection for Datadog AWS integration | `bool` | `true` | no | ## Outputs diff --git a/cloud/aws/r-aws-iam.tf b/cloud/aws/r-aws-iam.tf index 1e6754e..8af0573 100644 --- a/cloud/aws/r-aws-iam.tf +++ b/cloud/aws/r-aws-iam.tf @@ -53,6 +53,16 @@ resource "aws_iam_policy_attachment" "allow_dd_role" { } } +resource "aws_iam_policy_attachment" "allow_security_audit_policy" { + name = "Allow SecurityAudit policy via Role" + roles = [aws_iam_role.dd_integration_role.name] + policy_arn = "arn:aws:iam::aws:policy/SecurityAudit" + + lifecycle { + enabled = var.aws_iam_role_enabled && var.resource_collection_enabled + } +} + resource "aws_iam_policy" "dd_integration_policy" { name = "DatadogAWSIntegrationPolicy" path = "/" diff --git a/cloud/aws/r-integration.tf b/cloud/aws/r-integration.tf index 49a48b9..6c52eca 100644 --- a/cloud/aws/r-integration.tf +++ b/cloud/aws/r-integration.tf @@ -32,7 +32,7 @@ resource "datadog_integration_aws_account" "main" { } resources_config { - extended_collection = false + extended_collection = var.resource_collection_enabled } logs_config { diff --git a/cloud/aws/variables.tf b/cloud/aws/variables.tf index 8edad2b..b64825c 100644 --- a/cloud/aws/variables.tf +++ b/cloud/aws/variables.tf @@ -43,3 +43,9 @@ variable "aws_iam_role_enabled" { type = bool default = false } + +variable "resource_collection_enabled" { + description = "Enable resource collection for Datadog AWS integration" + type = bool + default = true +} From 0041dcf755c569a87b44ca81be9db5606a8a158f Mon Sep 17 00:00:00 2001 From: Laurent Piroelle Date: Thu, 8 Jan 2026 11:24:18 +0100 Subject: [PATCH 4/7] feat(aws): update IAM role and policy names for Datadog integration --- cloud/aws/locals.tf | 3 ++- cloud/aws/r-aws-iam.tf | 2 +- cloud/aws/r-integration.tf | 2 +- cloud/aws/variables.tf | 13 +++++++------ 4 files changed, 11 insertions(+), 9 deletions(-) 
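Review bot: `extended_collection = var.resource_collection_enabled` in r-integration.tf turns resource collection on regardless of `aws_iam_role_enabled`, while the `SecurityAudit` attachment in r-aws-iam.tf is gated on both, so with an externally managed role the caller must attach `SecurityAudit` themselves or resource collection presumably fails for lack of permissions. The variable description should state that dependency: `description = "Enable resource collection for Datadog AWS integration; when aws_iam_role_enabled is false the provided role must carry the SecurityAudit managed policy"`.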
diff --git a/cloud/aws/locals.tf b/cloud/aws/locals.tf index 491a4b7..23661ff 100644 --- a/cloud/aws/locals.tf +++ b/cloud/aws/locals.tf @@ -1,3 +1,4 @@ locals { - role_name = "DatadogAWSIntegrationRole" + policy_name = "claranet-datadog-integration-policy" + role_name = "claranet-datadog-integration-role" } diff --git a/cloud/aws/r-aws-iam.tf b/cloud/aws/r-aws-iam.tf index 8af0573..3a8ce51 100644 --- a/cloud/aws/r-aws-iam.tf +++ b/cloud/aws/r-aws-iam.tf @@ -64,7 +64,7 @@ resource "aws_iam_policy_attachment" "allow_security_audit_policy" { } resource "aws_iam_policy" "dd_integration_policy" { - name = "DatadogAWSIntegrationPolicy" + name = local.policy_name path = "/" description = "Datadog integration policy according to https://docs.datadoghq.com/integrations/aws/" diff --git a/cloud/aws/r-integration.tf b/cloud/aws/r-integration.tf index 6c52eca..eca7c23 100644 --- a/cloud/aws/r-integration.tf +++ b/cloud/aws/r-integration.tf @@ -1,5 +1,5 @@ resource "datadog_integration_aws_account" "main" { - account_tags = ["env:${var.env}"] + account_tags = [for k, v in var.metrics_tags : "${k}:${v}"] aws_account_id = var.aws_account_id aws_partition = "aws" diff --git a/cloud/aws/variables.tf b/cloud/aws/variables.tf index b64825c..70e159c 100644 --- a/cloud/aws/variables.tf +++ b/cloud/aws/variables.tf @@ -3,11 +3,6 @@ variable "aws_account_id" { type = string } -variable "env" { - description = "Environment configuration for Datadog integration" - type = string -} - variable "datadog_aws_account_id" { description = "AWS account_id of Datadog" type = string @@ -41,7 +36,7 @@ variable "metrics_config" { variable "aws_iam_role_enabled" { description = "Enable IAM role deployment for Datadog AWS integration" type = bool - default = false + default = true } variable "resource_collection_enabled" { 
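Review bot: flipping the `aws_iam_role_enabled` default from `false` to `true` changes what the module does in a caller's AWS account on their next apply — it starts creating an IAM role, policy and attachments for everyone who relied on the old default — and the locals hunk in the same patch renames `local.role_name`, which is the IAM role's `name` and therefore forces destroy-and-recreate of `aws_iam_role.dd_integration_role`, its attachments and the role name Datadog assumes, with a gap in collection until the new role is trusted. Neither change is mentioned in the commit message or README; both need an upgrade note there. Keeping the old name reachable would soften the second one, e.g. `variable "aws_iam_role_name" { type = string  default = "claranet-datadog-integration-role" }` feeding `local.role_name`, so existing deployments can pin `DatadogAWSIntegrationRole`.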
@@ -49,3 +44,9 @@ variable "resource_collection_enabled" { type = bool default = true } + +variable "metrics_tags" { + description = "Tags to apply to metrics collected from AWS" + type = map(string) + default = {} +} From 767a13c7078f3f5f7bcfa571c442bf17dbb4e5d0 Mon Sep 17 00:00:00 2001 From: Laurent Piroelle Date: Thu, 8 Jan 2026 16:27:42 +0100 Subject: [PATCH 5/7] feat(aws): add aws_partition variable --- cloud/aws/README.md | 5 +++-- cloud/aws/r-integration.tf | 2 +- cloud/aws/variables.tf | 6 ++++++ 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/cloud/aws/README.md b/cloud/aws/README.md index ee9b60a..320205c 100644 --- a/cloud/aws/README.md +++ b/cloud/aws/README.md @@ -51,10 +51,11 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | aws\_account\_id | AWS account configuration for Datadog integration | `string` | n/a | yes | -| aws\_iam\_role\_enabled | Enable IAM role deployment for Datadog AWS integration | `bool` | `false` | no | +| aws\_iam\_role\_enabled | Enable IAM role deployment for Datadog AWS integration | `bool` | `true` | no | +| aws\_partition | AWS partition for Datadog integration | `string` | `"aws"` | no | | datadog\_aws\_account\_id | AWS account\_id of Datadog | `string` | `"464622532012"` | no | -| env | Environment configuration for Datadog integration | `string` | n/a | yes | | metrics\_config | Metrics configuration for Datadog AWS integration |
object({
automute_enabled : optional(bool, true),
collect_cloudwatch_alarms : optional(bool, false),
collect_custom_metrics : optional(bool, false),
enabled : optional(bool, true),
namespace_filters : optional(object({
exclude_only : optional(list(string), null),
include_only : optional(list(string), null),
}), {
exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"]
}),
tag_filters : optional(object({
namespace : string,
tags : list(string),
}), {
namespace = "AWS/EC2"
tags = ["dd_monitored:true"]
}),
})
| `{}` | no | +| metrics\_tags | Tags to apply to metrics collected from AWS | `map(string)` | `{}` | no | | resource\_collection\_enabled | Enable resource collection for Datadog AWS integration | `bool` | `true` | no | ## Outputs diff --git a/cloud/aws/r-integration.tf b/cloud/aws/r-integration.tf index eca7c23..6e45407 100644 --- a/cloud/aws/r-integration.tf +++ b/cloud/aws/r-integration.tf @@ -1,7 +1,7 @@ resource "datadog_integration_aws_account" "main" { account_tags = [for k, v in var.metrics_tags : "${k}:${v}"] aws_account_id = var.aws_account_id - aws_partition = "aws" + aws_partition = var.aws_partition aws_regions { include_all = true diff --git a/cloud/aws/variables.tf b/cloud/aws/variables.tf index 70e159c..f21409b 100644 --- a/cloud/aws/variables.tf +++ b/cloud/aws/variables.tf @@ -3,6 +3,12 @@ variable "aws_account_id" { type = string } +variable "aws_partition" { + description = "AWS partition for Datadog integration" + type = string + default = "aws" +} + variable "datadog_aws_account_id" { description = "AWS account_id of Datadog" type = string From 7734b9caac8ea49f9aeef2a35e301513f29d9f85 Mon Sep 17 00:00:00 2001 From: Laurent Piroelle Date: Fri, 9 Jan 2026 09:03:21 +0100 Subject: [PATCH 6/7] feat(aws): filter lambda, update filtering tag and improve documentation --- cloud/aws/README.md | 43 ++++++++++++++++++++++++++---------------- cloud/aws/variables.tf | 19 +++++++++++++------ 2 files changed, 40 insertions(+), 22 deletions(-) diff --git a/cloud/aws/README.md b/cloud/aws/README.md index 320205c..17854cf 100644 --- a/cloud/aws/README.md +++ b/cloud/aws/README.md 
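Review bot: `aws_partition = var.aws_partition` is applied to the Datadog side only; the two ARNs in r-aws-iam.tf still hard-code the `aws` partition — the trust-policy principal `arn:aws:iam::${var.datadog_aws_account_id}:root` and `policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"` — so for any non-default partition the integration is told one partition while the role trusts and attaches ARNs from another. Use the variable in both: `"arn:${var.aws_partition}:iam::${var.datadog_aws_account_id}:root"` and `"arn:${var.aws_partition}:iam::aws:policy/SecurityAudit"`. A `validation` block on the new variable would stop typos from reaching a trust policy: `condition = contains(["aws", "aws-cn", "aws-us-gov"], var.aws_partition)`. Datadog's own account ID may also differ outside the `aws` partition, so the `datadog_aws_account_id` default should be checked against the docs for those cases.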
@@ -1,5 +1,17 @@ # CLOUD AWS DataDog integrations +This Terraform module sets up the integration between AWS and Datadog monitoring service. +It creates an IAM role and policies in AWS that allow Datadog to access and collect metrics from your AWS resources, +and configures the Datadog AWS integration with customizable metric collection settings. + +Related documentation: [https://docs.datadoghq.com/integrations/amazon-web-services/#setup](https://docs.datadoghq.com/integrations/amazon-web-services/#setup) + +## Default behavior + +- Namespaces related to ElasticMapReduce, SQS, and Usage are excluded from monitoring to reduce noise +- EC2 and Lambda metrics are filtered to only include resources tagged with `claranet_monitored:true` to avoid unexpected costs +- Resource collection is enabled + ## How to use this module ```hcl @@ -8,7 +20,6 @@ module "datadog-integrations-cloud-aws" { version = "{revision}" aws_account_id = var.aws_account - env = var.environment } ``` @@ -18,16 +29,16 @@ module "datadog-integrations-cloud-aws" { | Name | Version | |------|---------| -| terraform | >= 1.11 | -| aws | >= 6.0.0 | -| datadog | >= 3.0.0 | +| [terraform](#requirement\_terraform) | >= 1.11 | +| [aws](#requirement\_aws) | >= 6.0.0 | +| [datadog](#requirement\_datadog) | >= 3.0.0 | ## Providers | Name | Version | |------|---------| -| aws | >= 6.0.0 | -| datadog | >= 3.0.0 | +| [aws](#provider\_aws) | >= 6.0.0 | +| [datadog](#provider\_datadog) | >= 3.0.0 | ## Modules 
@@ -50,19 +61,19 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| aws\_account\_id | AWS account configuration for Datadog integration | `string` | n/a | yes | -| aws\_iam\_role\_enabled | Enable IAM role deployment for Datadog AWS integration | `bool` | `true` | no | -| aws\_partition | AWS partition for Datadog integration | `string` | `"aws"` | no | -| datadog\_aws\_account\_id | AWS account\_id of Datadog | `string` | `"464622532012"` | no | -| metrics\_config | Metrics configuration for Datadog AWS integration |
object({
automute_enabled : optional(bool, true),
collect_cloudwatch_alarms : optional(bool, false),
collect_custom_metrics : optional(bool, false),
enabled : optional(bool, true),
namespace_filters : optional(object({
exclude_only : optional(list(string), null),
include_only : optional(list(string), null),
}), {
exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"]
}),
tag_filters : optional(object({
namespace : string,
tags : list(string),
}), {
namespace = "AWS/EC2"
tags = ["dd_monitored:true"]
}),
})
| `{}` | no | -| metrics\_tags | Tags to apply to metrics collected from AWS | `map(string)` | `{}` | no | -| resource\_collection\_enabled | Enable resource collection for Datadog AWS integration | `bool` | `true` | no | +| [aws\_account\_id](#input\_aws\_account\_id) | AWS account configuration for Datadog integration | `string` | n/a | yes | +| [aws\_iam\_role\_enabled](#input\_aws\_iam\_role\_enabled) | Enable IAM role deployment for Datadog AWS integration | `bool` | `true` | no | +| [aws\_partition](#input\_aws\_partition) | AWS partition for Datadog integration | `string` | `"aws"` | no | +| [datadog\_aws\_account\_id](#input\_datadog\_aws\_account\_id) | AWS account\_id of Datadog | `string` | `"464622532012"` | no | +| [metrics\_config](#input\_metrics\_config) | Metrics configuration for Datadog AWS integration |
object({
automute_enabled : optional(bool, true),
collect_cloudwatch_alarms : optional(bool, false),
collect_custom_metrics : optional(bool, false),
enabled : optional(bool, true),
namespace_filters : optional(object({
exclude_only : optional(list(string), null),
include_only : optional(list(string), null),
}), {
exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"]
}),
tag_filters : optional(list(object({
namespace : string,
tags : list(string),
})), [
{
namespace = "AWS/EC2"
tags = ["claranet_monitored:true"]
}, {
namespace = "AWS/Lambda"
tags = [
"claranet_monitored:true",
]
}
],
)})
| `{}` | no | +| [metrics\_tags](#input\_metrics\_tags) | Tags to apply to metrics collected from AWS | `map(string)` | `{}` | no | +| [resource\_collection\_enabled](#input\_resource\_collection\_enabled) | Enable resource collection for Datadog AWS integration | `bool` | `true` | no | ## Outputs | Name | Description | |------|-------------| -| aws\_integration\_id | The ID of the DataDog AWS integration | -| aws\_role\_arn | The role ARN of the DataDog integration | -| aws\_role\_name | The IAM role name of the DataDog integration | +| [aws\_integration\_id](#output\_aws\_integration\_id) | The ID of the DataDog AWS integration | +| [aws\_role\_arn](#output\_aws\_role\_arn) | The role ARN of the DataDog integration | +| [aws\_role\_name](#output\_aws\_role\_name) | The IAM role name of the DataDog integration | \ No newline at end of file diff --git a/cloud/aws/variables.tf b/cloud/aws/variables.tf index f21409b..68ac4ad 100644 --- a/cloud/aws/variables.tf +++ b/cloud/aws/variables.tf @@ -28,14 +28,21 @@ variable "metrics_config" { }), { exclude_only = ["AWS/ElasticMapReduce", "AWS/SQS", "AWS/Usage"] }), - tag_filters : optional(object({ + tag_filters : optional(list(object({ namespace : string, tags : list(string), - }), { - namespace = "AWS/EC2" - tags = ["dd_monitored:true"] - }), - }) + })), [ + { + namespace = "AWS/EC2" + tags = ["claranet_monitored:true"] + }, { + namespace = "AWS/Lambda" + tags = [ + "claranet_monitored:true", + ] + } + ], + )}) default = {} } From 32bf36d17a35b2e9186d7efaf2a09a9937d7649c Mon Sep 17 00:00:00 2001 From: Laurent Piroelle Date: Fri, 9 Jan 2026 09:33:55 +0100 Subject: [PATCH 7/7] chore(aws): rename --- cloud/aws/{r-integration.tf => r-datadog-integration.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cloud/aws/{r-integration.tf => r-datadog-integration.tf} (100%) 
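Review bot: changing the default filter tag from `dd_monitored:true` to `claranet_monitored:true` silently stops EC2 metric collection for existing deployments whose instances carry the old tag, and the README's new "Default behavior" section presents the new tag as if it had always been; an upgrade note should say the tag changed and that callers can pass `metrics_config.tag_filters` to keep the old one. With `tag_filters` now a list, the `[*]` splat in `for_each = var.metrics_config.tag_filters[*]` in r-datadog-integration.tf (untouched here) was only there to wrap the single object into a list and is now a no-op; `for_each = var.metrics_config.tag_filters` reads clearer. The closing `],\n)})` — a trailing comma inside `optional(...)` with the object's `})` on the same line — is valid HCL but hard to read; putting each closing bracket on its own line as `terraform fmt` would lay it out avoids that.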
diff --git a/cloud/aws/r-integration.tf b/cloud/aws/r-datadog-integration.tf similarity index 100% rename from cloud/aws/r-integration.tf rename to cloud/aws/r-datadog-integration.tf