Setting `restricted_roles` in `datadog_synthetics_test` leaves access unrestricted
Datadog Terraform Provider Version
v3.44.1
Terraform Version
v1.9.5
What resources or data sources are affected?
datadog_synthetics_test
Terraform Configuration Files
resource "datadog_synthetics_test" "test" {
  name      = "Jenkins login page is unreachable"
  type      = "api"
  subtype   = "http"
  status    = "live"
  message   = "@[email protected]"
  locations = ["pl:*******"]
  tags      = ["team:my", "env:prod"]

  request_definition {
    method = "GET"
    url    = "https://jenkins.mydomain.com/login"
  }

  request_headers = {
    Content-Type = "application/json"
  }

  assertion {
    type     = "statusCode"
    operator = "is"
    target   = "200"
  }

  options_list {
    tick_every       = 3600
    restricted_roles = ["4549****-****-****-****-************"]

    retry {
      count    = 2
      interval = 300
    }
  }
}
Relevant debug or panic output
No response
Expected Behavior
When a role ID is specified in the restricted_roles argument of datadog_synthetics_test, Terraform should restrict access to the test to this role.
Actual Behavior
The provider just prints the plan with the role but does not apply it to the test:
  + options_list {
      + http_version        = "any"
      + min_location_failed = 1
      + restricted_roles    = [
          + "4549****-****-****-****-************",
        ]
      + tick_every          = 3600

      + retry {
          + count    = 2
          + interval = 300
        }
    }
Steps to Reproduce
- terraform apply a synthetic test with a restricted role defined
- Find the created test in Datadog Synthetics and open to edit
- Scroll down to Set permissions and see that the access is Unrestricted (specified role is not set)
- Add any role manually and run terraform apply again - it shows no changes
Important Factoids
No response
References
No response
I'm seeing the same behavior with datadog_synthetics_private_location as well.
After looking with the synthetics team, there are indeed some important issues with restricted_roles. As it is a deprecated feature at Datadog in favor of a unified Granular Access that will be progressively available for a majority of objects, we recommend using the datadog_restriction_policy resource. We are currently updating the documentation to encourage people to use datadog_restriction_policy for synthetics resources. The documentation has been merged but will be available on registry.terraform.io in the next Terraform provider release.
Example for datadog_synthetics_private_location:
resource "datadog_synthetics_private_location" "private_location" {
  name        = "First private location"
  description = "Description of the private location"
  tags        = ["foo:bar", "env:test"]
}

resource "datadog_restriction_policy" "foo" {
  resource_id = "synthetics-private-location:${resource.datadog_synthetics_private_location.private_location.id}"

  bindings {
    principals = ["user:${data.datadog_user.user1.id}"]
    relation   = "editor"
  }
}

data "datadog_user" "user1" {
  filter = "[email protected]"
}
Example for datadog_synthetics_test:
resource "datadog_synthetics_test" "test_uptime" {
  name    = "An Uptime test on example.org"
  type    = "api"
  subtype = "http"
  [...]
}

resource "datadog_restriction_policy" "test-api" {
  resource_id = "synthetics-test:${resource.datadog_synthetics_test.test_uptime.id}"

  bindings {
    principals = ["user:${data.datadog_user.user1.id}"]
    relation   = "editor"
  }
}

data "datadog_user" "user1" {
  filter = "[email protected]"
}
Warning: for mobile tests, don't use binding configuration in // of restriction_policy
restricted_roles is officially deprecated (and documented as such).
The recommended way is using the datadog_restriction_policy resource, which is the new method to handle granular access control for Datadog resources: https://docs.datadoghq.com/account_management/rbac/granular_access/
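
A pre-apply check for the situation in this thread, as an added example (not code from the provider or from anyone in the issue): it reads the `configuration` section of `terraform show -json` output and flags synthetics resources that still set `restricted_roles`, noting whether a `datadog_restriction_policy` references them. The sample plan, the resource names `legacy` and `migrating`, and the `<role-id>` placeholder are constructed; only root-module resources are inspected.

```python
import json

# Constructed sample: the "configuration" part of `terraform show -json tfplan`,
# trimmed to the fields this check reads. Names and role IDs are placeholders.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"resources": [
  {"address": "datadog_synthetics_test.legacy", "type": "datadog_synthetics_test",
   "expressions": {"options_list": [{"tick_every": {"constant_value": 3600},
                   "restricted_roles": {"constant_value": ["<role-id>"]}}]}},
  {"address": "datadog_synthetics_test.migrating", "type": "datadog_synthetics_test",
   "expressions": {"options_list": [{"restricted_roles": {"constant_value": ["<role-id>"]}}]}},
  {"address": "datadog_synthetics_test.test_uptime", "type": "datadog_synthetics_test",
   "expressions": {"options_list": [{"tick_every": {"constant_value": 900}}]}},
  {"address": "datadog_restriction_policy.migrating", "type": "datadog_restriction_policy",
   "expressions": {"resource_id": {"references": [
     "datadog_synthetics_test.migrating.id", "datadog_synthetics_test.migrating"]}}},
  {"address": "datadog_restriction_policy.test-api", "type": "datadog_restriction_policy",
   "expressions": {"resource_id": {"references": [
     "datadog_synthetics_test.test_uptime.id", "datadog_synthetics_test.test_uptime"]}}}
]}}}
""")

SYNTHETICS_TYPES = {"datadog_synthetics_test", "datadog_synthetics_private_location"}

def sets_key(node, key):
    """True if `key` is assigned anywhere in a nested expressions structure."""
    if isinstance(node, dict):
        return key in node or any(sets_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(sets_key(v, key) for v in node)
    return False

def audit(plan):
    """Map each synthetics resource that sets restricted_roles to the action needed."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    covered = set()  # addresses referenced by some restriction policy's resource_id
    for res in resources:
        if res["type"] == "datadog_restriction_policy":
            refs = res.get("expressions", {}).get("resource_id", {}).get("references", [])
            covered.update(ref.removeprefix("resource.") for ref in refs)
    findings = {}
    for res in resources:
        if res["type"] in SYNTHETICS_TYPES and sets_key(res.get("expressions", {}), "restricted_roles"):
            findings[res["address"]] = ("policy present: remove restricted_roles"
                                        if res["address"] in covered
                                        else "restricted_roles only: add datadog_restriction_policy")
    return findings

if __name__ == "__main__":
    for address, action in audit(SAMPLE_PLAN).items():
        print(f"{address}: {action}")
```

Run it in CI against the JSON rendering of a saved plan and fail the job when the returned mapping is non-empty.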