Hi @megacier, thanks for reaching out and providing that example file! I'm currently following up internally about this and will update you here with any feedback from the team.
Hi @megacier, just reaching out with a quick update. We're currently looking into including this on the community integrations page, and I'll follow up with any additional questions or updates around that. Thanks again for reaching out with this contribution!
Hi @megacier, thanks for your patience. In order to add this to our community integrations page, could you reach out to the email listed below? opensource@datadoghq.com Thanks again, and let me know if you have any questions.
Hi @megacier thanks again for reaching out. Pulumi has been added to the list of community integrations and I'll close this issue for now.
Hello Datadog team.
I couldn't find documentation on your website about how to integrate AWS with Datadog using Pulumi, although it is possible by following the Pulumi docs and taking inspiration from the Terraform documentation.
Here is the Pulumi file I use in production (slightly modified). Hopefully, you'll be able to integrate it into your documentation.
Pulumi Typescript source code
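```typescript
import * as aws from "@pulumi/aws";
import * as datadog from "@pulumi/datadog";

// IAM actions granted to the role that Datadog assumes. The list is attached
// with `resources: ["*"]` further down, so every action applies account-wide.
// NOTE(review): most entries are read-only (Describe*/Get*/List*), but a few
// can create, change or trigger things: events:CreateEventBus,
// logs:PutSubscriptionFilter, logs:DeleteSubscriptionFilter,
// s3:PutBucketNotification, sns:Publish and support:RefreshTrustedAdvisorCheck.
// The integration below enables only five namespaces and turns resource
// collection off, so trim this list to the features actually in use.
const permissionsList = [
  "apigateway:GET",
  "autoscaling:Describe*",
  "backup:List*",
  "budgets:ViewBudget",
  "cloudfront:GetDistributionConfig",
  "cloudfront:ListDistributions",
  "cloudtrail:DescribeTrails",
  "cloudtrail:GetTrailStatus",
  "cloudtrail:LookupEvents",
  "cloudwatch:Describe*",
  "cloudwatch:Get*",
  "cloudwatch:List*",
  "codedeploy:List*",
  "codedeploy:BatchGet*",
  "directconnect:Describe*",
  "dynamodb:List*",
  "dynamodb:Describe*",
  "ec2:Describe*",
  "ecs:Describe*",
  "ecs:List*",
  "elasticache:Describe*",
  "elasticache:List*",
  "elasticfilesystem:DescribeFileSystems",
  "elasticfilesystem:DescribeTags",
  "elasticfilesystem:DescribeAccessPoints",
  "elasticloadbalancing:Describe*",
  "elasticmapreduce:List*",
  "elasticmapreduce:Describe*",
  "es:ListTags",
  "es:ListDomainNames",
  "es:DescribeElasticsearchDomains",
  "events:CreateEventBus",
  "fsx:DescribeFileSystems",
  "fsx:ListTagsForResource",
  "health:DescribeEvents",
  "health:DescribeEventDetails",
  "health:DescribeAffectedEntities",
  "kinesis:List*",
  "kinesis:Describe*",
  "lambda:GetPolicy",
  "lambda:List*",
  "logs:DeleteSubscriptionFilter",
  "logs:DescribeLogGroups",
  "logs:DescribeLogStreams",
  "logs:DescribeSubscriptionFilters",
  "logs:FilterLogEvents",
  "logs:PutSubscriptionFilter",
  "logs:TestMetricFilter",
  "organizations:Describe*",
  "organizations:List*",
  "rds:Describe*",
  "rds:List*",
  "redshift:DescribeClusters",
  "redshift:DescribeLoggingStatus",
  "route53:List*",
  "s3:GetBucketLogging",
  "s3:GetBucketLocation",
  "s3:GetBucketNotification",
  "s3:GetBucketTagging",
  "s3:ListAllMyBuckets",
  "s3:PutBucketNotification",
  "ses:Get*",
  "sns:List*",
  "sns:Publish",
  "sqs:ListQueues",
  "states:ListStateMachines",
  "states:DescribeStateMachine",
  "support:DescribeTrustedAdvisor*",
  "support:RefreshTrustedAdvisorCheck",
  "tag:GetResources",
  "tag:GetTagKeys",
  "tag:GetTagValues",
  "xray:BatchGetTraces",
  "xray:GetTraceSummaries",
];

/**
 * Registers the current AWS account with Datadog and creates the IAM role,
 * policy and attachment that Datadog assumes to read from the account.
 *
 * The API and application keys are read as Pulumi secrets and passed to an
 * explicit provider. When the "@pulumi/datadog" library is loaded and the
 * project is named "datadog", config keys starting with "datadog:" are not
 * evaluated correctly, hence the un-namespaced "apikey"/"appkey" keys.
 *
 * @returns {Promise<void>} Resolves once all resources have been declared.
 */
export const awsLogCollection = async () => {
  // NOTE(review): `config` is not declared anywhere in this snippet; it is
  // presumably a `pulumi.Config` instance created elsewhere — confirm.
  // requireSecret keeps both keys encrypted in the Pulumi state.
  const apiKey = config.requireSecret("apikey");
  const appKey = config.requireSecret("appkey");

  // The provider targets the EU Datadog site; adjust apiUrl for other sites.
  const datadogProvider = new datadog.Provider("datadog-provider", {
    apiKey,
    appKey,
    apiUrl: 'https://api.datadoghq.eu/',
  });

  // The role name is fixed because Datadog has to be told it before the role
  // itself can be created (the trust policy needs Datadog's external ID).
  const roleName = "DatadogAWSIntegrationRole";
  const awsCallerIdentity = await aws.getCallerIdentity({});

  const datadogIntegrationAws = new datadog.aws.Integration("datadog_integration", {
    accountId: awsCallerIdentity.accountId,
    // Only cloudfront, ec2, elasticache, lambda and rds are enabled.
    accountSpecificNamespaceRules: {
      api_gateway: false,
      application_elb: false,
      apprunner: false,
      appstream: false,
      appsync: false,
      athena: false,
      auto_scaling: false,
      backup: false,
      billing: false,
      budgeting: false,
      certificatemanager: false,
      cloudfront: true,
      cloudhsm: false,
      cloudsearch: false,
      cloudwatch_events: false,
      cloudwatch_logs: false,
      codebuild: false,
      cognito: false,
      collect_custom_metrics: false,
      connect: false,
      crawl_alarms: false,
      directconnect: false,
      dms: false,
      documentdb: false,
      dynamodb: false,
      dynamodbaccelerator: false,
      ebs: false,
      ec2: true,
      ec2api: false,
      ec2spot: false,
      ecr: false,
      ecs: false,
      efs: false,
      elasticache: true,
      elasticbeanstalk: false,
      elasticinference: false,
      elastictranscoder: false,
      elb: false,
      emr: false,
      es: false,
      firehose: false,
      fsx: false,
      gamelift: false,
      glue: false,
      inspector: false,
      iot: false,
      keyspaces: false,
      kinesis: false,
      kinesis_analytics: false,
      kms: false,
      lambda: true,
      lex: false,
      mediaconnect: false,
      mediaconvert: false,
      medialive: false,
      mediapackage: false,
      mediastore: false,
      mediatailor: false,
      ml: false,
      mq: false,
      msk: false,
      mwaa: false,
      nat_gateway: false,
      neptune: false,
      network_elb: false,
      networkfirewall: false,
      opsworks: false,
      polly: false,
      privatelinkendpoints: false,
      privatelinkservices: false,
      rds: true,
      rdsproxy: false,
      redshift: false,
      rekognition: false,
      route53: false,
      route53resolver: false,
      s3: false,
      s3storagelens: false,
      sagemaker: false,
      sagemakerendpoints: false,
      sagemakerlabelingjobs: false,
      sagemakermodelbuildingpipeline: false,
      sagemakerprocessingjobs: false,
      sagemakertrainingjobs: false,
      sagemakertransformjobs: false,
      sagemakerworkteam: false,
      service_quotas: false,
      ses: false,
      shield: false,
      sns: false,
      sqs: false,
      step_functions: false,
      storage_gateway: false,
      swf: false,
      textract: false,
      transitgateway: false,
      translate: false,
      trusted_advisor: false,
      usage: false,
      vpn: false,
      waf: false,
      wafv2: false,
      workspaces: false,
      xray: false,
    },
    metricsCollectionEnabled: "true", // oddly this is a string
    resourceCollectionEnabled: "false", // oddly this is a string
    cspmResourceCollectionEnabled: "false", // oddly this is a string
    roleName,
  }, { provider: datadogProvider });

  // Trust policy for the role. Only the policy JSON is computed inside
  // apply(): resources created inside an apply() callback do not show up in
  // `pulumi preview`, so the IAM resources are declared at function level.
  // The sts:ExternalId condition ties the role to this one integration, so
  // the trusted account cannot be made to assume it on behalf of another
  // customer (confused-deputy protection).
  // NOTE(review): 464622532012 is hard-coded as the trusted principal —
  // confirm it is the account ID Datadog documents for your Datadog site.
  const assumeRolePolicyJson = datadogIntegrationAws.externalId.apply((externalId) =>
    aws.iam.getPolicyDocument({
      statements: [{
        actions: ["sts:AssumeRole"],
        principals: [{
          type: "AWS",
          identifiers: ["arn:aws:iam::464622532012:root"],
        }],
        conditions: [{
          test: "StringEquals",
          variable: "sts:ExternalId",
          values: [externalId],
        }],
      }],
    }).then((policyDocument) => policyDocument.json));

  // Permissions policy: does not depend on the external ID, so it is built
  // directly. Every action in permissionsList is granted on all resources.
  const permissionsPolicyJson = aws.iam.getPolicyDocument({
    statements: [{
      actions: permissionsList,
      resources: ["*"],
    }],
  }).then((policyDocument) => policyDocument.json);

  const datadogAwsIntegrationPolicy = new aws.iam.Policy("datadog_aws_integration", {
    namePrefix: "DatadogAWSIntegrationPolicy",
    policy: permissionsPolicyJson,
  });

  const datadogAwsIntegrationRole = new aws.iam.Role("datadog_aws_integration", {
    name: roleName,
    description: "Role for Datadog AWS Integration",
    assumeRolePolicy: assumeRolePolicyJson,
  });

  new aws.iam.RolePolicyAttachment("datadog_aws_integration", {
    role: datadogAwsIntegrationRole.name,
    policyArn: datadogAwsIntegrationPolicy.arn,
  });
};

// Declare the resources when the Pulumi program is loaded.
awsLogCollection().then()
```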