DataDog · EamonBrady1 · Feb 27, 2026
diff --git a/datadog-terraform-onboarding/data.tf b/datadog-terraform-onboarding/data.tf
@@ -38,3 +38,14 @@ data "oci_identity_domains_groups" "existing_group_in_domain" {
 data "oci_identity_domain" "domain" {
   domain_id = local.matching_domain_id
 }
+
+# Defined tags: auto-discovered from compartment tag defaults (not user-configurable)
+data "oci_identity_tag_defaults" "compartment" {
+  compartment_id = coalesce(var.resource_compartment_ocid, var.tenancy_ocid)
+}
+
+data "oci_identity_tag_namespaces" "tenancy" {
+  compartment_id          = var.tenancy_ocid
+  include_subcompartments = true
+  state                   = "ACTIVE"
+}
diff --git a/datadog-terraform-onboarding/locals.tf b/datadog-terraform-onboarding/locals.tf
@@ -3,6 +3,14 @@ locals {
     ownedby = "datadog"
   }
 
+  # Resolve tag_namespace_id -> name from list (no CLI)
+  tag_defaults_namespace_names = { for ns in data.oci_identity_tag_namespaces.tenancy.tag_namespaces : ns.id => ns.name }
+  # Defined tags: auto-collected from compartment tag defaults only (not a user input)
+  defined_tags = {
+    for td in data.oci_identity_tag_defaults.compartment.tag_defaults :
+    "${local.tag_defaults_namespace_names[td.tag_namespace_id]}.${td.tag_definition_name}" => td.value
+  }
+
   home_region_name = [
     for region in data.oci_identity_region_subscriptions.subscribed_regions.region_subscriptions : region.region_name
     if region.is_home_region

diff --git a/datadog-terraform-onboarding/main.tf b/datadog-terraform-onboarding/main.tf
@@ -179,6 +179,7 @@ module "compartment" {
   new_compartment_name  = local.new_compartment_name
   parent_compartment_id = var.tenancy_ocid
   tags                  = local.tags
+  defined_tags          = local.defined_tags
 }
 
 module "kms" {
@@ -192,6 +193,7 @@ module "kms" {
   compartment_id  = module.compartment.id
   datadog_api_key = var.datadog_api_key
   tags            = local.tags
+  defined_tags    = local.defined_tags
 }
 
 module "auth" {
@@ -201,6 +203,7 @@ module "auth" {
   user_email        = local.user_email
   tenancy_id        = var.tenancy_ocid
   tags              = local.tags
+  defined_tags      = local.defined_tags
   current_user_id   = var.current_user_ocid
   compartment_id    = module.compartment.id
   idcs_endpoint     = local.idcs_endpoint

diff --git a/datadog-terraform-onboarding/modules/auth/main.tf b/datadog-terraform-onboarding/modules/auth/main.tf
@@ -141,6 +141,14 @@ resource "oci_identity_domains_user" "dd_auth" {
         value = freeform_tags.value
       }
     }
+    dynamic "defined_tags" {
+      for_each = var.defined_tags
+      content {
+        namespace = split(".", defined_tags.key)[0]
+        key       = join(".", slice(split(".", defined_tags.key), 1, length(split(".", defined_tags.key))))
+        value     = defined_tags.value
+      }
+    }
   }
 }
 
@@ -165,6 +173,14 @@ resource "oci_identity_domains_group" "dd_auth" {
         value = freeform_tags.value
       }
     }
+    dynamic "defined_tags" {
+      for_each = var.defined_tags
+      content {
+        namespace = split(".", defined_tags.key)[0]
+        key       = join(".", slice(split(".", defined_tags.key), 1, length(split(".", defined_tags.key))))
+        value     = defined_tags.value
+      }
+    }
   }
 }
 
@@ -176,11 +192,13 @@ resource "oci_identity_policy" "dd_auth" {
   statements = [
     "Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq",
     "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to read all-resources in tenancy",
+    "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to use tag-namespaces in tenancy",
     "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage serviceconnectors in compartment id ${var.compartment_id}",
     "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage functions-family in compartment id ${var.compartment_id} where ANY {request.permission = 'FN_FUNCTION_UPDATE', request.permission = 'FN_FUNCTION_LIST', request.permission = 'FN_APP_LIST'}",
     "Endorse group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to read objects in tenancy usage-report"
   ]
   freeform_tags = var.tags
+  defined_tags  = var.defined_tags
 }
 
 resource "oci_identity_domains_dynamic_resource_group" "service_connector" {
@@ -214,4 +232,5 @@ resource "oci_identity_policy" "dynamic_group" {
     "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to read secret-bundles in compartment id ${var.compartment_id}"
   ]
   freeform_tags = var.tags
+  defined_tags  = var.defined_tags
 }
diff --git a/datadog-terraform-onboarding/modules/auth/variables.tf b/datadog-terraform-onboarding/modules/auth/variables.tf
@@ -16,6 +16,12 @@ variable "tags" {
   default     = {}
 }
 
+variable "defined_tags" {
+  description = "Defined tags (flat map: Namespace.TagKey = value) for policies and Identity Domain resources"
+  type        = map(string)
+  default     = {}
+}
+
 variable "tenancy_id" {
   type        = string
   description = "OCI tenant OCID, more details can be found at https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#five"

diff --git a/datadog-terraform-onboarding/modules/compartment/main.tf b/datadog-terraform-onboarding/modules/compartment/main.tf
@@ -21,4 +21,5 @@ resource "oci_identity_compartment" "new" {
   description    = "Compartment for Datadog generated resources"
   compartment_id = var.parent_compartment_id
   freeform_tags  = var.tags
+  defined_tags   = var.defined_tags
 }
diff --git a/datadog-terraform-onboarding/modules/compartment/variables.tf b/datadog-terraform-onboarding/modules/compartment/variables.tf
@@ -19,4 +19,10 @@ variable "new_compartment_name" {
   description = "The name of the new compartment to create, if no compartment_id is provided"
   type        = string
   default     = "Datadog"
+}
+
+variable "defined_tags" {
+  description = "Defined tags to assign to the compartment"
+  type        = map(string)
+  default     = {}
 }
diff --git a/datadog-terraform-onboarding/modules/kms/main.tf b/datadog-terraform-onboarding/modules/kms/main.tf
@@ -14,6 +14,7 @@ resource "oci_kms_vault" "datadog_vault" {
   display_name   = "datadog-vault"
   vault_type     = "DEFAULT"
   freeform_tags  = var.tags
+  defined_tags   = var.defined_tags
 
   timeouts {
     create = "60m"
@@ -31,6 +32,7 @@ resource "oci_kms_key" "datadog_key" {
   }
   management_endpoint = oci_kms_vault.datadog_vault.management_endpoint
   freeform_tags       = var.tags
+  defined_tags        = var.defined_tags
 
   timeouts {
     create = "60m"
@@ -49,6 +51,7 @@ resource "oci_vault_secret" "api_key" {
     content      = base64encode(var.datadog_api_key)
   }
   freeform_tags = var.tags
+  defined_tags  = var.defined_tags
 
   timeouts {
     create = "60m"

diff --git a/datadog-terraform-onboarding/modules/kms/variables.tf b/datadog-terraform-onboarding/modules/kms/variables.tf
@@ -14,3 +14,9 @@ variable "datadog_api_key" {
   description = "The API key for sending message to datadog endpoints"
   sensitive   = true
 }
+
+variable "defined_tags" {
+  type        = map(string)
+  description = "Defined tags to assign to resources"
+  default     = {}
+}
diff --git a/datadog-terraform-onboarding/modules/regional-stacks/locals.tf b/datadog-terraform-onboarding/modules/regional-stacks/locals.tf
@@ -38,6 +38,6 @@ locals {
     upper(local.subnet_region_from_ocid) == var.region_key
   )
 
-  # Simple subnet selection logic: use provided OCID or create new
-  subnet_id = var.subnet_ocid != "" ? var.subnet_ocid : module.vcn[0].subnet_id[local.subnet]
+  # Simple subnet selection logic: use provided OCID or create new (subnet from our subnet submodule when we create VCN)
+  subnet_id = var.subnet_ocid != "" ? var.subnet_ocid : module.subnet[0].subnet_id[local.subnet]
 }
diff --git a/datadog-terraform-onboarding/modules/regional-stacks/main.tf b/datadog-terraform-onboarding/modules/regional-stacks/main.tf
@@ -20,16 +20,17 @@ resource "oci_functions_function" "logs_function" {
   display_name   = "dd-logs-forwarder"
   memory_in_mbs  = "1024"
   freeform_tags  = var.tags
+  defined_tags   = var.defined_tags
   image          = local.logs_image_path
   image_digest   = length(local.image_sha_logs) > 0 ? local.image_sha_logs : null
-
 }
 
 resource "oci_functions_function" "metrics_function" {
   application_id = oci_functions_application.dd_function_app.id
   display_name   = "dd-metrics-forwarder"
   memory_in_mbs  = "512"
   freeform_tags  = var.tags
+  defined_tags   = var.defined_tags
   image          = local.metrics_image_path
   image_digest   = length(local.image_sha_metrics) > 0 ? local.image_sha_metrics : null
 }
@@ -40,29 +41,44 @@ module "vcn" {
   version                  = ">= 3.6.0"
   compartment_id           = var.compartment_ocid
   freeform_tags            = var.tags
+  defined_tags             = var.defined_tags
   vcn_cidrs                = ["10.0.0.0/16"]
   vcn_dns_label            = "ddvcnmodule"
   vcn_name                 = local.vcn_name
-  lockdown_default_seclist = false
+  lockdown_default_seclist  = false
+  subnets                  = {}
+
+  create_nat_gateway           = true
+  nat_gateway_display_name     = local.nat_gateway
+  create_service_gateway       = true
+  service_gateway_display_name = local.service_gateway
+}
 
+# Subnet submodule so we can pass defined_tags (upstream VCN module does not pass them to subnets).
+module "subnet" {
+  count           = var.subnet_ocid == "" ? 1 : 0
+  source          = "oracle-terraform-modules/vcn/oci//modules/subnet"
+  version         = ">= 3.6.0"
+  compartment_id  = var.compartment_ocid
+  vcn_id          = module.vcn[0].vcn_id
+  nat_route_id    = module.vcn[0].nat_route_id
+  ig_route_id     = module.vcn[0].ig_route_id
   subnets = {
     private = {
       cidr_block = "10.0.0.0/16"
       type       = "private"
       name       = local.subnet
     }
   }
-
-  create_nat_gateway           = true
-  nat_gateway_display_name     = local.nat_gateway
-  create_service_gateway       = true
-  service_gateway_display_name = local.service_gateway
+  freeform_tags = var.tags
+  defined_tags  = var.defined_tags
 }
 
 resource "oci_functions_application" "dd_function_app" {
   compartment_id = var.compartment_ocid
   display_name   = "dd-function-app"
   freeform_tags  = var.tags
+  defined_tags   = var.defined_tags
   shape          = "GENERIC_X86_ARM"
   subnet_ids = [
     local.subnet_id

diff --git a/datadog-terraform-onboarding/modules/regional-stacks/variables.tf b/datadog-terraform-onboarding/modules/regional-stacks/variables.tf
@@ -51,3 +51,9 @@ variable "subnet_ocid" {
     error_message = "If provided, subnet_ocid must be a valid subnet OCID starting with: ocid1.subnet.oc[0-9]."
   }
 }
+
+variable "defined_tags" {
+  type        = map(string)
+  description = "Defined tags to assign to VCN, subnet, function app and functions."
+  default     = {}
+}