Datadog AWS Integration Automated Setup
# Read more about variables and how to override them here:
# https://www.terraform.io/docs/configuration/variables.html

# Region in which every resource in this configuration is created.
# Override per environment with TF_VAR_aws_region or -var.
variable "aws_region" {
  description = "AWS region the integration resources are created in"
  type        = "string"
  default     = "us-east-1"
}
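# External ID that the assuming party must present in the sts:ExternalId
# condition of the role below. It only guards against the confused-deputy
# problem if it is unique and unguessable, so no default is shipped: a
# well-known default would be baked into every copy of this configuration.
# Supply a randomly generated value at apply time, e.g.
#   TF_VAR_shared_secret=<generated-value> terraform apply
variable "shared_secret" {
  description = "Random external ID required by the integration role's sts:ExternalId condition; must be supplied at apply time"
  type        = "string"
}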
# AWS provider, pinned to var.aws_region. No other provider settings are
# given in this configuration.
provider "aws" {
  region = "${var.aws_region}"
}
# Managed policy the integration role carries. It is scoped to Resource "*",
# so each listed action is allowed on every matching resource in the account;
# there is no per-resource narrowing.
# NOTE(review): not every action below is read-only. "sns:Publish" and
# "sqs:ReceiveMessage" have side effects (publishing to any topic, consuming
# messages from any queue). Drop them, or restrict their Resource, if the
# integration does not need them.
resource "aws_iam_policy" "dd_integration_policy" {
  name        = "DatadogAWSIntegrationPolicy"
  path        = "/"
  description = "DatadogAWSIntegrationPolicy"

  # Policy document as raw JSON; comments are not valid inside the heredoc.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "ec2:Describe*",
        "ec2:Get*",
        "ecs:Describe*",
        "ecs:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:List*",
        "iam:Get*",
        "iam:List*",
        "kinesis:Get*",
        "kinesis:List*",
        "kinesis:Describe*",
        "logs:Get*",
        "logs:Describe*",
        "logs:TestMetricFilter",
        "rds:Describe*",
        "rds:List*",
        "route53:List*",
        "s3:GetBucketTagging",
        "ses:Get*",
        "ses:List*",
        "sns:List*",
        "sns:Publish",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
# Cross-account role assumed by the external (Datadog) account to use the
# policy above. Trust is limited two ways: only the principal account named
# in the document may call sts:AssumeRole, and it must present
# var.shared_secret as sts:ExternalId. The external ID is the confused-deputy
# guard, so it must be unique and unguessable per account.
# "Statement" is given as a single object rather than the more common
# one-element list; IAM accepts both forms.
resource "aws_iam_role" "dd_integration_role" {
  name = "DatadogAWSIntegrationRole"

  # Trust policy as raw JSON; the external ID is interpolated from the variable.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::464622532012:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "${var.shared_secret}" } }
  }
}
EOF
}
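# Attach the managed policy to the integration role.
# aws_iam_role_policy_attachment is used rather than aws_iam_policy_attachment:
# the latter is exclusive — it detaches the policy from every user, group and
# role not listed in its own roles/users/groups arguments — so it would
# silently strip the policy from anything attached outside this configuration.
resource "aws_iam_role_policy_attachment" "allow_dd_role" {
  role       = "${aws_iam_role.dd_integration_role.name}"
  policy_arn = "${aws_iam_policy.dd_integration_policy.arn}"
}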
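# The account this configuration was applied to, resolved from the caller's
# identity so the output below matches its label.
data "aws_caller_identity" "current" {}

# Bare 12-digit account ID. Previously this output carried the role ARN, which
# embeds the ID but is not the ID; the ARN is now exposed separately below.
output "AWS Account ID" {
  value = "${data.aws_caller_identity.current.account_id}"
}

# Full ARN of the integration role, for consumers that need it.
output "AWS Role ARN" {
  value = "${aws_iam_role.dd_integration_role.arn}"
}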
# Name of the integration role; for aws_iam_role the resource id is the role
# name, so this equals aws_iam_role.dd_integration_role.name.
output "AWS Role Name" {
  value = "${aws_iam_role.dd_integration_role.id}"
}
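# Echo the external ID so it can be pasted into the integration setup.
# Marked sensitive so the apply summary redacts it instead of printing the
# secret in clear on the console. It is still stored in plain text in the
# state file (terraform.tfstate), so protect the state accordingly.
output "AWS External ID" {
  sensitive = true
  value     = "${var.shared_secret}"
}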
$ TF_VAR_shared_secret=some-complex-generated-shared-secret terraform apply
... <snip> ...
Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.
State path: terraform.tfstate
Outputs:
AWS Account ID = arn:aws:iam::123456789012:role/DatadogAWSIntegrationRole
AWS External ID = some-complex-generated-shared-secret
AWS Role Name = DatadogAWSIntegrationRole