The provider update shifts the focus from convenience to predictability of behavior. This is critical when Terraform becomes the source of truth for observability configuration.
The problem manifests at the state management level. In large installations, Terraform must deterministically control access and integrations. In previous versions, the behavior of monitor permissions could be non-obvious, especially during updates. In parallel, the AWS integration was split across multiple resources, complicating management and increasing the likelihood of drift. A separate risk involved handling application keys: there were paths through which keys could be extracted via Terraform.
The solution in v4 is tightening the contracts. Monitor permissions become “sticky”: if restrictions are set, they persist until explicitly changed. This removes implicit side effects during an apply. For AWS, a single datadog_integration_aws_account resource is introduced instead of four disparate ones. On the security front, mechanisms allowing the reading of existing application keys via a data source have been removed. This is a trade-off: less flexibility, but higher predictability and control.
The implementation affects several layers.
- restricted_roles now requires explicit clearing ([]) to remove restrictions.
- access control is standardized via restriction_policy; the locked field has been removed.
- simultaneous use of restricted_roles and restriction_policy can cause conflicts—this must be accounted for during migration.
- AWS integrations are consolidated into a single resource, while the APIs remain the same, reducing risk at the backend level.
- the datadog_application_key data source and the import of existing keys have been removed—this alters pipelines where keys were pulled from external sources.
- the provider migrates to the Terraform Plugin Framework (protocol v6), simplifying the evolution of schemas and validations.
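The following configuration, added here as an illustration and not taken from the page or the provider's documentation, shows how the first three points combine during a migration: `restricted_roles` is cleared explicitly with `[]` so the sticky restriction does not linger, and `restriction_policy` alone governs who may edit the monitor. The monitor query and the role UUID are constructed placeholders.

```hcl
# Added example: moving a monitor from restricted_roles to restriction_policy
# under the v4 rules. Query, names and the role UUID are placeholders.

resource "datadog_monitor" "payments_latency" {
  name    = "Payments API p99 latency"
  type    = "metric alert"
  message = "p99 latency above threshold @slack-payments-oncall"
  query   = "avg(last_5m):p99:trace.http.request.duration{service:payments} > 2"

  # v4: restrictions are sticky. Omitting this attribute would leave any
  # previously applied roles in place; the empty list is the explicit "clear"
  # needed so that the restriction policy below is the only access control
  # mechanism on the monitor and the two do not conflict.
  restricted_roles = []
}

# Standardized access control: only the SRE role may edit this monitor.
resource "datadog_restriction_policy" "payments_latency" {
  resource_id = "monitor:${datadog_monitor.payments_latency.id}"

  bindings {
    principals = ["role:11111111-2222-3333-4444-555555555555"] # placeholder role id
    relation   = "editor"
  }
}
```

A `terraform plan` after this change should show the `restricted_roles` attribute going to `[]` and the new policy being created, with no further implicit permission changes on subsequent applies.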
The result is a stricter and more predictable management model. Terraform better maintains its role as the source of truth for access rights and integrations. The AWS configuration structure is simplified. Key management security is enhanced by reducing the channels for reading them. Quantitative metrics for the improvements are not provided, but the changes are aimed at reducing configuration errors and implicit changes during deployment.