Open grealish opened 2 years ago
I was able to get things working by using an API Key and an Application Key (not to be confused with the Application Key Id). That said, I agree the wording and layout could be clearer.
I'm having this issue as well "Invalid or missing credentials provided to the Datadog Provider. Please confirm your API and APP keys are valid and are for the correct region". I am using the "KEY" value and not the "KEY_ID" for this. I've tried passing them in with .auto.tfvars as well as DD_API_KEY, DD_APP_KEY env variables but keep coming back with this error. The region part is throwing me as there is nothing mentioned in creating/fetching the API & APP keys about region nor is there a config for it in the provider.
Also of note I was unable to use the environment variables DD_API_KEY, DD_APP_KEY as suggested in the docs. Elsewhere I saw mention of using DATADOG_API_KEY, DATADOG_APP_KEY which did work as environment variables as long as I didn't try to pass it in as a var to the provider block. So that might be wrong in documentation here? This validated to me that I have the right API, APP keys at least. Here's my providers block in providers.tf:
terraform {
required_providers {
datadog = {
source = "DataDog/datadog"
version = "3.16.0"
}
}
}
provider "datadog" {
api_key = var.DATADOG_API_KEY
app_key = var.DATADOG_APP_KEY
}
and variables.tf:
variable "DATADOG_API_KEY" {
type = string
description = "Datadog API Key"
}
variable "DATADOG_APP_KEY" {
type = string
description = "Datadog Application Key"
}
lastly my .auto.tfvars making sure to use the keys not the key ids:
DATADOG_API_KEY = "myAPIkey"
DATADOG_APP_KEY = "myAPPkey"
Fixed my issue... my API key got truncated even though it's stored properly when copied from the UI. The environment variable thing is still an issue. Wasn't able to get it to work with DD_API|APP_KEY. When was using ENV variables I verified I had the full key string for both after finding the issue. I did test it again just in case. It only worked with DATADOG_API|APP_KEY ENV vars for me. Could it be related to how you define the name for the VARs?
Also of note I was unable to use the environment variables DD_API_KEY, DD_APP_KEY as suggested in the docs. Elsewhere I saw mention of using DATADOG_API_KEY, DATADOG_APP_KEY which did work as environment variables as long as I didn't try to pass it in as a var to the provider block. So that might be wrong in documentation here? This validated to me that I have the right API, APP keys at least. Here's my providers block in providers.tf:
terraform { required_providers { datadog = { source = "DataDog/datadog" version = "3.16.0" } } } provider "datadog" { api_key = var.DATADOG_API_KEY app_key = var.DATADOG_APP_KEY }
and variables.tf:
variable "DATADOG_API_KEY" { type = string description = "Datadog API Key" } variable "DATADOG_APP_KEY" { type = string description = "Datadog Application Key" }
lastly my .auto.tfvars making sure to use the keys not the key ids:
DATADOG_API_KEY = "myAPIkey" DATADOG_APP_KEY = "myAPPkey"
Greetings dear sir,
I see what you doing here but hardcoding both API and APP key values is not good security practice. Have you managed to find a way to reference it from "Action Secrets" or "AWS Secret Manager" ?
I had a similar issue and solved it by adding api_url
to the provider
provider "datadog" {
api_key = var.datadog_api_key
app_key = var.datadog_app_key
api_url = var.datadog_api_url
}
@amarynets Same for me. Once I added the api_url to variables it started working for me.
for anyone that comes across this post these are the facts I found out.
per code you can either use DD_API_KEY or DATADOG_API_KEY. the code will look for both. the order it will look for is api_key
from your provider, DD_API_KEY from env vars, DATADOG_API_KEY from env vars. DD_HOST or DD_SITE has no effect on this part. you need a value for both DD_API_KEY and DD_APP_KEY for it to work. if you give bad values, terraform will throw a 403 error.
the following code does not work:
DD_API_KEY=xxx
DD_APP_KEY=yyy
terraform plan
the reason being that you forgot to use export. this one will work:
export DD_API_KEY=xxx
export DD_APP_KEY=yyy
terraform plan
alternative way of calling is:
DD_API_KEY=xxx DD_APP_KEY=yyy terraform plan
DD_API_KEY comes from https://app.datadoghq.com/organization-settings/api-keys under key
(not key id
)
DD_APP_KEY comes from https://app.datadoghq.com/organization-settings/application-keys under key
(not key id
)
one last fact, DD_APP_KEY is not needed for the most part, but a valid DD_API_KEY is required during planning.
How do we store and retriew the DD API and DD APP key in AWS Secret Manager ?
Documentation and how Application Keys/ API keys are presented and document are not clear anymore as the UI of DataDog has changed, Take this example: Obtaining the API/Application Keys for the DataDog Provider:
This is how we are presented with the "Application Keys"
We have the Application Key (Secret Key) and we have KeyID with the "-" For DD_API_KEY, DD_APP_KEY we are expected to populate that in a format without the "-" and if we are operating in EU or US, update DD_HOST with the DataDog API https://<api.datadoghq.eu/
But this does not work consistently and not documented well, take this page for example: https://learn.hashicorp.com/tutorials/terraform/datadog-provider
Terraform Version
Affected Resource(s)
All, Terraform DataDog Provider
Debug Output