From b2c768cc3cc78bb483a1a56708e7f62efacf00c0 Mon Sep 17 00:00:00 2001 From: EamonBrady1 Date: Fri, 27 Feb 2026 17:07:42 -0500 Subject: [PATCH 1/6] Support tag defaults in TF Onboarding --- datadog-terraform-onboarding/data.tf | 11 +++++ datadog-terraform-onboarding/locals.tf | 8 ++++ datadog-terraform-onboarding/main.tf | 3 ++ .../modules/auth/main.tf | 19 +++++++++ .../modules/auth/variables.tf | 6 +++ .../modules/compartment/main.tf | 1 + .../modules/compartment/variables.tf | 6 +++ .../modules/kms/main.tf | 3 ++ .../modules/kms/variables.tf | 6 +++ .../modules/regional-stacks/locals.tf | 4 +- .../modules/regional-stacks/main.tf | 30 +++++++++---- .../modules/regional-stacks/variables.tf | 6 +++ .../regional_stack.tf | 42 +++++++++++++++++++ 13 files changed, 136 insertions(+), 9 deletions(-) diff --git a/datadog-terraform-onboarding/data.tf b/datadog-terraform-onboarding/data.tf index a2104ab..3c7c708 100644 --- a/datadog-terraform-onboarding/data.tf +++ b/datadog-terraform-onboarding/data.tf @@ -38,3 +38,14 @@ data "oci_identity_domains_groups" "existing_group_in_domain" { data "oci_identity_domain" "domain" { domain_id = local.matching_domain_id } + +# Defined tags: auto-discovered from compartment tag defaults (not user-configurable) +data "oci_identity_tag_defaults" "compartment" { + compartment_id = coalesce(var.resource_compartment_ocid, var.tenancy_ocid) +} + +data "oci_identity_tag_namespaces" "tenancy" { + compartment_id = var.tenancy_ocid + include_subcompartments = true + state = "ACTIVE" +} diff --git a/datadog-terraform-onboarding/locals.tf b/datadog-terraform-onboarding/locals.tf index b1398ed..466ea5b 100644 --- a/datadog-terraform-onboarding/locals.tf +++ b/datadog-terraform-onboarding/locals.tf 
@@ -3,6 +3,14 @@ locals { ownedby = "datadog" } + # Resolve tag_namespace_id -> name from list (no CLI) + tag_defaults_namespace_names = { for ns in data.oci_identity_tag_namespaces.tenancy.tag_namespaces : ns.id => ns.name } + # Defined tags: auto-collected from compartment tag defaults only (not a user input) + defined_tags = { + for td in data.oci_identity_tag_defaults.compartment.tag_defaults : + "${local.tag_defaults_namespace_names[td.tag_namespace_id]}.${td.tag_definition_name}" => td.value + } + home_region_name = [ for region in data.oci_identity_region_subscriptions.subscribed_regions.region_subscriptions : region.region_name if region.is_home_region diff --git a/datadog-terraform-onboarding/main.tf b/datadog-terraform-onboarding/main.tf index 2264877..9cbaeda 100644 --- a/datadog-terraform-onboarding/main.tf +++ b/datadog-terraform-onboarding/main.tf @@ -179,6 +179,7 @@ module "compartment" { new_compartment_name = local.new_compartment_name parent_compartment_id = var.tenancy_ocid tags = local.tags + defined_tags = local.defined_tags } module "kms" { @@ -192,6 +193,7 @@ module "kms" { compartment_id = module.compartment.id datadog_api_key = var.datadog_api_key tags = local.tags + defined_tags = local.defined_tags } module "auth" { @@ -201,6 +203,7 @@ module "auth" { user_email = local.user_email tenancy_id = var.tenancy_ocid tags = local.tags + defined_tags = local.defined_tags current_user_id = var.current_user_ocid compartment_id = module.compartment.id idcs_endpoint = local.idcs_endpoint diff --git a/datadog-terraform-onboarding/modules/auth/main.tf b/datadog-terraform-onboarding/modules/auth/main.tf index cf62684..3bdcc96 100644 --- a/datadog-terraform-onboarding/modules/auth/main.tf +++ b/datadog-terraform-onboarding/modules/auth/main.tf 
@@ -141,6 +141,14 @@ resource "oci_identity_domains_user" "dd_auth" { value = freeform_tags.value } } + dynamic "defined_tags" { + for_each = var.defined_tags + content { + namespace = split(".", defined_tags.key)[0] + key = join(".", slice(split(".", defined_tags.key), 1, length(split(".", defined_tags.key)))) + value = defined_tags.value + } + } } } @@ -165,6 +173,14 @@ resource "oci_identity_domains_group" "dd_auth" { value = freeform_tags.value } } + dynamic "defined_tags" { + for_each = var.defined_tags + content { + namespace = split(".", defined_tags.key)[0] + key = join(".", slice(split(".", defined_tags.key), 1, length(split(".", defined_tags.key)))) + value = defined_tags.value + } + } } } 
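Review bot: The `namespace`/`key` derivation in the new `dynamic "defined_tags"` block on `oci_identity_domains_user.dd_auth` (and the identical block on `oci_identity_domains_group.dd_auth` in the next hunk) accepts any map key, so a key with no `.` yields the whole string as `namespace` and an empty `key`. `var.defined_tags` is an unconstrained `map(string)` in this module, so the mistake would presumably only surface as a provider error at apply time. A `validation` block on the module variable with `condition = alltrue([for k in keys(var.defined_tags) : can(regex("^[^.]+\\..+$", k))])` would reject malformed keys at plan time. The `split(".", defined_tags.key)` expression is also evaluated three times per block; parsing once into a `locals` map would keep the two resources in step. Both resource bodies start outside the hunks.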
@@ -176,11 +192,13 @@ resource "oci_identity_policy" "dd_auth" { statements = [ "Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq", "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to read all-resources in tenancy", + "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to use tag-namespaces in tenancy", "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage serviceconnectors in compartment id ${var.compartment_id}", "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage functions-family in compartment id ${var.compartment_id} where ANY {request.permission = 'FN_FUNCTION_UPDATE', request.permission = 'FN_FUNCTION_LIST', request.permission = 'FN_APP_LIST'}", "Endorse group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to read objects in tenancy usage-report" ] freeform_tags = var.tags + defined_tags = var.defined_tags } resource "oci_identity_domains_dynamic_resource_group" "service_connector" { @@ -214,4 +232,5 @@ resource "oci_identity_policy" "dynamic_group" { "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to read secret-bundles in compartment id ${var.compartment_id}" ] freeform_tags = var.tags + defined_tags = var.defined_tags } diff --git a/datadog-terraform-onboarding/modules/auth/variables.tf b/datadog-terraform-onboarding/modules/auth/variables.tf index 675ef02..ea77ede 100644 --- a/datadog-terraform-onboarding/modules/auth/variables.tf 
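Review bot: The new `use tag-namespaces in tenancy` statement in `oci_identity_policy.dd_auth` is added unconditionally and covers every tag namespace in the tenancy, so the Datadog group gains the right to apply any defined tag, including tags that other policies may use as access conditions, even when `var.defined_tags` is empty. Consider emitting the statement only when tags are configured and narrowing it to the namespaces actually in use, with a condition such as `where target.tag-namespace.name = '<namespace>'` built from the keys of `var.defined_tags`. A short comment next to the statement naming the Datadog-side operation that needs it would help whoever audits this policy later. The `statements` list and the resource body start outside the hunk.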
+++ b/datadog-terraform-onboarding/modules/auth/variables.tf @@ -16,6 +16,12 @@ variable "tags" { default = {} } +variable "defined_tags" { + description = "Defined tags (flat map: Namespace.TagKey = value) for policies and Identity Domain resources" + type = map(string) + default = {} +} + variable "tenancy_id" { type = string description = "OCI tenant OCID, more details can be found at https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#five" diff --git a/datadog-terraform-onboarding/modules/compartment/main.tf b/datadog-terraform-onboarding/modules/compartment/main.tf index 892701f..070bd92 100644 --- a/datadog-terraform-onboarding/modules/compartment/main.tf +++ b/datadog-terraform-onboarding/modules/compartment/main.tf @@ -21,4 +21,5 @@ resource "oci_identity_compartment" "new" { description = "Compartment for Datadog generated resources" compartment_id = var.parent_compartment_id freeform_tags = var.tags + defined_tags = var.defined_tags } diff --git a/datadog-terraform-onboarding/modules/compartment/variables.tf b/datadog-terraform-onboarding/modules/compartment/variables.tf index 59978f2..5b3943b 100644 --- a/datadog-terraform-onboarding/modules/compartment/variables.tf +++ b/datadog-terraform-onboarding/modules/compartment/variables.tf @@ -19,4 +19,10 @@ variable "new_compartment_name" { description = "The name of the new compartment to create, if no compartment_id is provided" type = string default = "Datadog" +} + +variable "defined_tags" { + description = "Defined tags to assign to the compartment" + type = map(string) + default = {} } \ No newline at end of file diff --git a/datadog-terraform-onboarding/modules/kms/main.tf b/datadog-terraform-onboarding/modules/kms/main.tf index d1b9af5..8efac43 100644 --- a/datadog-terraform-onboarding/modules/kms/main.tf +++ b/datadog-terraform-onboarding/modules/kms/main.tf 
@@ -14,6 +14,7 @@ resource "oci_kms_vault" "datadog_vault" { display_name = "datadog-vault" vault_type = "DEFAULT" freeform_tags = var.tags + defined_tags = var.defined_tags timeouts { create = "60m" @@ -31,6 +32,7 @@ resource "oci_kms_key" "datadog_key" { } management_endpoint = oci_kms_vault.datadog_vault.management_endpoint freeform_tags = var.tags + defined_tags = var.defined_tags timeouts { create = "60m" @@ -49,6 +51,7 @@ resource "oci_vault_secret" "api_key" { content = base64encode(var.datadog_api_key) } freeform_tags = var.tags + defined_tags = var.defined_tags timeouts { create = "60m" diff --git a/datadog-terraform-onboarding/modules/kms/variables.tf b/datadog-terraform-onboarding/modules/kms/variables.tf index 5a91bbb..c209e10 100644 --- a/datadog-terraform-onboarding/modules/kms/variables.tf +++ b/datadog-terraform-onboarding/modules/kms/variables.tf @@ -14,3 +14,9 @@ variable "datadog_api_key" { description = "The API key for sending message to datadog endpoints" sensitive = true } + +variable "defined_tags" { + type = map(string) + description = "Defined tags to assign to resources" + default = {} +} diff --git a/datadog-terraform-onboarding/modules/regional-stacks/locals.tf b/datadog-terraform-onboarding/modules/regional-stacks/locals.tf index 3856f40..aafd683 100644 --- a/datadog-terraform-onboarding/modules/regional-stacks/locals.tf +++ b/datadog-terraform-onboarding/modules/regional-stacks/locals.tf @@ -38,6 +38,6 @@ locals { upper(local.subnet_region_from_ocid) == var.region_key ) - # Simple subnet selection logic: use provided OCID or create new - subnet_id = var.subnet_ocid != "" ? var.subnet_ocid : module.vcn[0].subnet_id[local.subnet] + # Simple subnet selection logic: use provided OCID or create new (subnet from our subnet submodule when we create VCN) + subnet_id = var.subnet_ocid != "" ? var.subnet_ocid : module.subnet[0].subnet_id[local.subnet] } 
diff --git a/datadog-terraform-onboarding/modules/regional-stacks/main.tf b/datadog-terraform-onboarding/modules/regional-stacks/main.tf index d0c1c6d..8fbb7c0 100644 --- a/datadog-terraform-onboarding/modules/regional-stacks/main.tf +++ b/datadog-terraform-onboarding/modules/regional-stacks/main.tf @@ -20,9 +20,9 @@ resource "oci_functions_function" "logs_function" { display_name = "dd-logs-forwarder" memory_in_mbs = "1024" freeform_tags = var.tags + defined_tags = var.defined_tags image = local.logs_image_path image_digest = length(local.image_sha_logs) > 0 ? local.image_sha_logs : null - } resource "oci_functions_function" "metrics_function" { @@ -30,6 +30,7 @@ resource "oci_functions_function" "metrics_function" { display_name = "dd-metrics-forwarder" memory_in_mbs = "512" freeform_tags = var.tags + defined_tags = var.defined_tags image = local.metrics_image_path image_digest = length(local.image_sha_metrics) > 0 ? local.image_sha_metrics : null } @@ -40,11 +41,28 @@ module "vcn" { version = ">= 3.6.0" compartment_id = var.compartment_ocid freeform_tags = var.tags + defined_tags = var.defined_tags vcn_cidrs = ["10.0.0.0/16"] vcn_dns_label = "ddvcnmodule" vcn_name = local.vcn_name - lockdown_default_seclist = false + lockdown_default_seclist = false + subnets = {} + + create_nat_gateway = true + nat_gateway_display_name = local.nat_gateway + create_service_gateway = true + service_gateway_display_name = local.service_gateway +} +# Subnet submodule so we can pass defined_tags (upstream VCN module does not pass them to subnets). +module "subnet" { + count = var.subnet_ocid == "" ? 1 : 0 + source = "oracle-terraform-modules/vcn/oci//modules/subnet" + version = ">= 3.6.0" + compartment_id = var.compartment_ocid + vcn_id = module.vcn[0].vcn_id + nat_route_id = module.vcn[0].nat_route_id + ig_route_id = module.vcn[0].ig_route_id subnets = { private = { cidr_block = "10.0.0.0/16" 
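Review bot: The new `module "subnet"` call takes the registry submodule with `version = ">= 3.6.0"`, an open-ended constraint that lets `terraform init` resolve any later release, including a new major version, for code that creates networking in the customer's tenancy. A pessimistic or exact pin such as `version = "~> 3.6"`, applied to `module "vcn"` as well so the parent and the submodule always resolve to the same release, keeps the dependency reproducible and makes upgrades an explicit, reviewable change. Separately, because `subnets = {}` now empties the VCN module's own subnet map, an existing deployment will likely plan the subnet for destroy and re-create under the new address unless the state is migrated (a `moved` block or `terraform state mv`); worth confirming with a plan against an existing stack. The `module "subnet"` block continues into the next hunk.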
@@ -52,17 +70,15 @@ module "vcn" { name = local.subnet } } - - create_nat_gateway = true - nat_gateway_display_name = local.nat_gateway - create_service_gateway = true - service_gateway_display_name = local.service_gateway + freeform_tags = var.tags + defined_tags = var.defined_tags } resource "oci_functions_application" "dd_function_app" { compartment_id = var.compartment_ocid display_name = "dd-function-app" freeform_tags = var.tags + defined_tags = var.defined_tags shape = "GENERIC_X86_ARM" subnet_ids = [ local.subnet_id diff --git a/datadog-terraform-onboarding/modules/regional-stacks/variables.tf b/datadog-terraform-onboarding/modules/regional-stacks/variables.tf index c5ac420..0ccf877 100644 --- a/datadog-terraform-onboarding/modules/regional-stacks/variables.tf +++ b/datadog-terraform-onboarding/modules/regional-stacks/variables.tf @@ -51,3 +51,9 @@ variable "subnet_ocid" { error_message = "If provided, subnet_ocid must be a valid subnet OCID starting with: ocid1.subnet.oc[0-9]." } } + +variable "defined_tags" { + type = map(string) + description = "Defined tags to assign to VCN, subnet, function app and functions." + default = {} +} diff --git a/datadog-terraform-onboarding/regional_stack.tf b/datadog-terraform-onboarding/regional_stack.tf index d56957d..4442522 100644 --- a/datadog-terraform-onboarding/regional_stack.tf +++ b/datadog-terraform-onboarding/regional_stack.tf @@ -23,6 +23,7 @@ module "regional_deployment_af_johannesburg_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -48,6 +49,7 @@ module "regional_deployment_ap_batam_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, 
@@ -73,6 +75,7 @@ module "regional_deployment_ap_chuncheon_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -98,6 +101,7 @@ module "regional_deployment_ap_hyderabad_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -123,6 +127,7 @@ module "regional_deployment_ap_melbourne_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -148,6 +153,7 @@ module "regional_deployment_ap_mumbai_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -173,6 +179,7 @@ module "regional_deployment_ap_osaka_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -198,6 +205,7 @@ module "regional_deployment_ap_seoul_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -223,6 +231,7 @@ module "regional_deployment_ap_singapore_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -248,6 +257,7 @@ module "regional_deployment_ap_singapore_2" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, 
@@ -273,6 +283,7 @@ module "regional_deployment_ap_sydney_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -298,6 +309,7 @@ module "regional_deployment_ap_tokyo_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -323,6 +335,7 @@ module "regional_deployment_ca_montreal_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -348,6 +361,7 @@ module "regional_deployment_ca_toronto_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -373,6 +387,7 @@ module "regional_deployment_eu_amsterdam_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -398,6 +413,7 @@ module "regional_deployment_eu_frankfurt_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -423,6 +439,7 @@ module "regional_deployment_eu_madrid_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -448,6 +465,7 @@ module "regional_deployment_eu_marseille_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, 
@@ -473,6 +491,7 @@ module "regional_deployment_eu_milan_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -498,6 +517,7 @@ module "regional_deployment_eu_paris_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -523,6 +543,7 @@ module "regional_deployment_eu_stockholm_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -548,6 +569,7 @@ module "regional_deployment_eu_zurich_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -573,6 +595,7 @@ module "regional_deployment_il_jerusalem_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -598,6 +621,7 @@ module "regional_deployment_me_abudhabi_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -623,6 +647,7 @@ module "regional_deployment_me_dubai_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -648,6 +673,7 @@ module "regional_deployment_me_jeddah_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, 
@@ -673,6 +699,7 @@ module "regional_deployment_me_riyadh_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -698,6 +725,7 @@ module "regional_deployment_mx_monterrey_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -723,6 +751,7 @@ module "regional_deployment_mx_queretaro_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -748,6 +777,7 @@ module "regional_deployment_sa_bogota_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -773,6 +803,7 @@ module "regional_deployment_sa_santiago_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -798,6 +829,7 @@ module "regional_deployment_sa_saopaulo_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -823,6 +855,7 @@ module "regional_deployment_sa_valparaiso_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -848,6 +881,7 @@ module "regional_deployment_sa_vinhedo_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, 
@@ -873,6 +907,7 @@ module "regional_deployment_uk_cardiff_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -898,6 +933,7 @@ module "regional_deployment_uk_london_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -923,6 +959,7 @@ module "regional_deployment_us_ashburn_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -948,6 +985,7 @@ module "regional_deployment_us_chicago_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -973,6 +1011,7 @@ module "regional_deployment_us_phoenix_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -998,6 +1037,7 @@ module "regional_deployment_us_sanjose_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -1023,6 +1063,7 @@ module "regional_deployment_eu_madrid_3" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, @@ -1048,6 +1089,7 @@ module "regional_deployment_eu_turin_1" { api_key_secret_id = local.api_key_secret_id home_region = local.home_region_name tags = local.tags + defined_tags = local.defined_tags depends_on = [ terraform_data.prechecks_complete, 
From b9dc87cb109b24005adea04c015fece49dfe076c Mon Sep 17 00:00:00 2001 From: EamonBrady1 Date: Thu, 5 Mar 2026 13:45:05 -0500 Subject: [PATCH 2/6] Take tag defaults as user input --- datadog-terraform-onboarding/data.tf | 10 ---------- datadog-terraform-onboarding/locals.tf | 15 ++++++++++----- datadog-terraform-onboarding/variables.tf | 6 ++++++ 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/datadog-terraform-onboarding/data.tf b/datadog-terraform-onboarding/data.tf index 3c7c708..e2d414f 100644 --- a/datadog-terraform-onboarding/data.tf +++ b/datadog-terraform-onboarding/data.tf @@ -39,13 +39,3 @@ data "oci_identity_domain" "domain" { domain_id = local.matching_domain_id } -# Defined tags: auto-discovered from compartment tag defaults (not user-configurable) -data "oci_identity_tag_defaults" "compartment" { - compartment_id = coalesce(var.resource_compartment_ocid, var.tenancy_ocid) -} - -data "oci_identity_tag_namespaces" "tenancy" { - compartment_id = var.tenancy_ocid - include_subcompartments = true - state = "ACTIVE" -} diff --git a/datadog-terraform-onboarding/locals.tf b/datadog-terraform-onboarding/locals.tf index 466ea5b..15132ad 100644 --- a/datadog-terraform-onboarding/locals.tf +++ b/datadog-terraform-onboarding/locals.tf 
@@ -3,12 +3,17 @@ locals { ownedby = "datadog" } - # Resolve tag_namespace_id -> name from list (no CLI) - tag_defaults_namespace_names = { for ns in data.oci_identity_tag_namespaces.tenancy.tag_namespaces : ns.id => ns.name } - # Defined tags: auto-collected from compartment tag defaults only (not a user input) + # Defined tags: parsed from user input (multiline namespace.key:value per line) + defined_tags_raw = [ + for line in split("\n", coalesce(var.defined_tags, "")) : + trimspace(line) if trimspace(line) != "" + ] defined_tags = { - for td in data.oci_identity_tag_defaults.compartment.tag_defaults : - "${local.tag_defaults_namespace_names[td.tag_namespace_id]}.${td.tag_definition_name}" => td.value + for line in local.defined_tags_raw : + # Format: namespace.key:value (split on first : so value can contain colons) + (split(":", line)[0]) => ( + length(split(":", line)) > 1 ? join(":", slice(split(":", line), 1, length(split(":", line)))) : "" + ) } home_region_name = [ diff --git a/datadog-terraform-onboarding/variables.tf b/datadog-terraform-onboarding/variables.tf index 7037ba5..b050976 100644 --- a/datadog-terraform-onboarding/variables.tf +++ b/datadog-terraform-onboarding/variables.tf @@ -81,3 +81,9 @@ variable "user_email" { description = "Email address where you want OCI to send you notifications about the created user." default = null } + +variable "defined_tags" { + type = string + description = "Defined tags to apply to all created resources. One entry per line in the format namespace.key:value (e.g. CostCenter.Environment:prod). Leave blank unless your tenancy has mandatory tag defaults." + default = "" +} From bee530b2307559face867ba5d1c24b01e6ccd55c Mon Sep 17 00:00:00 2001 From: EamonBrady1 Date: Thu, 5 Mar 2026 13:58:30 -0500 Subject: [PATCH 3/6] Fix --- datadog-terraform-onboarding/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
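Review bot: The parser in `defined_tags` keeps whatever surrounds the first `:` verbatim, so a line written as `Ns.Key : prod` produces the key `Ns.Key ` with a trailing space and the value ` prod`, and a line with no `:` silently becomes a tag with an empty value. Two lines with the same `namespace.key` make the `for` expression fail at plan time with Terraform's generic duplicate-key error rather than a message about the input. Wrapping both sides in `trimspace(...)` and computing `split(":", line)` once per line, for example by first building a list of `{ key, value }` objects, would make the behaviour easier to read and to validate. The `locals` block starts and ends outside the hunk.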
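Review bot: The new root-level `variable "defined_tags"` takes free-form multi-line text but has no `validation` block, so malformed lines are only discovered downstream, in the `locals` parser or at apply time. A validation that checks every non-empty line against the documented `namespace.key:value` shape gives the operator an immediate, specific error, and `nullable = false` makes a null assignment fall back to the default so the parser never sees null. The pattern below requires a `.` before the first `:` and permits an empty value; tighten it if empty values should be rejected.

```hcl
variable "defined_tags" {
  # … unchanged: type, description, default …
  nullable = false

  validation {
    condition = alltrue([
      for line in split("\n", var.defined_tags) :
      trimspace(line) == "" || can(regex("^[^.:]+\\.[^:]+:.*$", trimspace(line)))
    ])
    error_message = "Each non-empty line of defined_tags must have the form namespace.key:value."
  }
}
```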
diff --git a/datadog-terraform-onboarding/locals.tf b/datadog-terraform-onboarding/locals.tf index 15132ad..46e76ad 100644 --- a/datadog-terraform-onboarding/locals.tf +++ b/datadog-terraform-onboarding/locals.tf @@ -5,7 +5,7 @@ locals { # Defined tags: parsed from user input (multiline namespace.key:value per line) defined_tags_raw = [ - for line in split("\n", coalesce(var.defined_tags, "")) : + for line in split("\n", var.defined_tags != null ? var.defined_tags : "") : trimspace(line) if trimspace(line) != "" ] defined_tags = { From 54f112095303f99d32acf8bc28063723e823dd92 Mon Sep 17 00:00:00 2001 From: EamonBrady1 Date: Thu, 5 Mar 2026 16:25:22 -0500 Subject: [PATCH 4/6] Add to API call to datadog --- datadog-terraform-onboarding/main.tf | 1 + .../modules/integration/locals.tf | 36 ++++++++++--------- .../modules/integration/variables.tf | 6 ++++ 3 files changed, 26 insertions(+), 17 deletions(-) diff --git a/datadog-terraform-onboarding/main.tf b/datadog-terraform-onboarding/main.tf index 9cbaeda..b3a735a 100644 --- a/datadog-terraform-onboarding/main.tf +++ b/datadog-terraform-onboarding/main.tf @@ -242,6 +242,7 @@ module "integration" { subscribed_regions = tolist(local.final_regions_for_stacks) datadog_resource_compartment_id = module.compartment.id logs_enabled = var.logs_enabled + defined_tags = local.defined_tags } diff --git a/datadog-terraform-onboarding/modules/integration/locals.tf b/datadog-terraform-onboarding/modules/integration/locals.tf index c727925..b3ae4df 100644 --- a/datadog-terraform-onboarding/modules/integration/locals.tf +++ b/datadog-terraform-onboarding/modules/integration/locals.tf 
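Review bot: The switch in `defined_tags_raw` from `coalesce(var.defined_tags, "")` to an explicit null test carries no comment, and the commit subject is just "Fix", so the reason is easy to lose and the line invites a revert to the shorter form. `coalesce` skips empty strings as well as nulls and raises an error when no argument qualifies, which is presumably what broke the default `""` case. I would add `# coalesce() rejects "" as well as null, so test for null explicitly` above the `for` line. The `locals` block extends beyond the hunk.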
@@ -1,25 +1,27 @@ locals { config_version = 3 + base_attributes = { + home_region : var.home_region + user_ocid : var.user_ocid + config_version : local.config_version + auth_credentials : { + private_key : var.private_key + }, + regions_config : { + available : var.subscribed_regions + } + dd_compartment_id : var.datadog_resource_compartment_id + logs_config : { + Enabled = var.logs_enabled + } + defined_tags : [for k, v in var.defined_tags : "${k}:${v}"] + } json_object = { data : { - type : "oci_tenancy", - id : var.tenancy_ocid, - attributes : { - home_region : var.home_region - user_ocid : var.user_ocid - config_version : local.config_version - auth_credentials : { - private_key : var.private_key - }, - regions_config : { - available : var.subscribed_regions - } - dd_compartment_id : var.datadog_resource_compartment_id - logs_config : { - Enabled = var.logs_enabled - } - } + type : "oci_tenancy", + id : var.tenancy_ocid, + attributes : local.base_attributes } } request_data = jsonencode(local.json_object) diff --git a/datadog-terraform-onboarding/modules/integration/variables.tf b/datadog-terraform-onboarding/modules/integration/variables.tf index 695eb7e..b3a2c1e 100644 --- a/datadog-terraform-onboarding/modules/integration/variables.tf +++ b/datadog-terraform-onboarding/modules/integration/variables.tf @@ -54,3 +54,9 @@ variable "logs_enabled" { description = "Indicates if logs should be enabled/disabled" default = false } + +variable "defined_tags" { + type = map(string) + description = "OCI defined tags applied to resources (namespace.key -> value). Sent to Datadog for integration config." + default = {} +} From 32d85326782fee79a82f943b95158a5cb6af8099 Mon Sep 17 00:00:00 2001 From: EamonBrady1 Date: Thu, 5 Mar 2026 16:34:06 -0500 Subject: [PATCH 5/6] Cleanup api call --- .../modules/integration/locals.tf | 40 +++++++++---------- 1 file changed, 19 insertions(+), 21 deletions(-) 
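Review bot: The added `defined_tags : [for k, v in var.defined_tags : "${k}:${v}"]` attribute puts the operator's tag keys and values into the request body sent to Datadog, but the root-level `defined_tags` variable description only says the tags are applied to created resources. Tag values often carry internal identifiers such as cost centres, owners or environment names, so the root description should state that they are also transmitted to Datadog; the module-level description added in `modules/integration/variables.tf` already does. The same attribute is carried unchanged through the rewrites of this `locals` block in patches 5/6 and 6/6.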
diff --git a/datadog-terraform-onboarding/modules/integration/locals.tf b/datadog-terraform-onboarding/modules/integration/locals.tf index b3ae4df..d2f41b1 100644 --- a/datadog-terraform-onboarding/modules/integration/locals.tf +++ b/datadog-terraform-onboarding/modules/integration/locals.tf @@ -1,27 +1,25 @@ locals { - config_version = 3 - base_attributes = { - home_region : var.home_region - user_ocid : var.user_ocid - config_version : local.config_version - auth_credentials : { - private_key : var.private_key - }, - regions_config : { - available : var.subscribed_regions - } - dd_compartment_id : var.datadog_resource_compartment_id - logs_config : { - Enabled = var.logs_enabled - } - defined_tags : [for k, v in var.defined_tags : "${k}:${v}"] - } json_object = { - data : { - type : "oci_tenancy", - id : var.tenancy_ocid, - attributes : local.base_attributes + data = { + type = "oci_tenancy" + id = var.tenancy_ocid + attributes = { + home_region = var.home_region + user_ocid = var.user_ocid + config_version = local.config_version + auth_credentials = { + private_key = var.private_key + } + regions_config = { + available = var.subscribed_regions + } + dd_compartment_id = var.datadog_resource_compartment_id + logs_config = { + Enabled = var.logs_enabled + } + defined_tags = [for k, v in var.defined_tags : "${k}:${v}"] + } } } request_data = jsonencode(local.json_object) From 44996b404d3f3c38509b4fd8ed47cf324901baa3 Mon Sep 17 00:00:00 2001 From: EamonBrady1 Date: Thu, 5 Mar 2026 16:35:10 -0500 Subject: [PATCH 6/6] Fix --- .../modules/integration/locals.tf | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/datadog-terraform-onboarding/modules/integration/locals.tf b/datadog-terraform-onboarding/modules/integration/locals.tf index d2f41b1..40c4e21 100644 --- a/datadog-terraform-onboarding/modules/integration/locals.tf +++ b/datadog-terraform-onboarding/modules/integration/locals.tf 
@@ -1,24 +1,24 @@ locals { config_version = 3 json_object = { - data = { - type = "oci_tenancy" - id = var.tenancy_ocid - attributes = { - home_region = var.home_region - user_ocid = var.user_ocid - config_version = local.config_version - auth_credentials = { - private_key = var.private_key + data : { + type : "oci_tenancy", + id : var.tenancy_ocid, + attributes : { + home_region : var.home_region + user_ocid : var.user_ocid + config_version : local.config_version + auth_credentials : { + private_key : var.private_key + }, + regions_config : { + available : var.subscribed_regions } - regions_config = { - available = var.subscribed_regions - } - dd_compartment_id = var.datadog_resource_compartment_id - logs_config = { + dd_compartment_id : var.datadog_resource_compartment_id + logs_config : { Enabled = var.logs_enabled } - defined_tags = [for k, v in var.defined_tags : "${k}:${v}"] + defined_tags : [for k, v in var.defined_tags : "${k}:${v}"] } } }