[ECI-1615] Add IAM for the Datadog group to manage the events forwarding pipeline (#125)

Grant the Datadog user group and the runtime dynamic groups the permissions
needed to stand up the full event-forwarding pipeline out-of-band when the
customer opts in via the Datadog UI:

  - oci_identity_tag_namespace.datadog_managed and oci_identity_tag.marker
    (DatadogManaged.marker) — applied to the events rule so the IAM grant
    below can scope to only Datadog-owned rules.

  - dd_auth (Datadog group manages the pipeline):
      * manage cloudevents-rules in tenancy with where-any on EVENTRULE_CREATE
        plus the DatadogManaged.marker target tag (CREATE unconditional,
        UPDATE/DELETE/READ scoped to tagged rules).
      * manage streams in compartment with the same where-any shape on
        STREAM_CREATE plus the DatadogManaged.marker target tag.

  - dynamic_group (runtime data path):
      * service_connector use stream-pull on streams with DatadogManaged.marker —
        the connector hub consumes from the events stream.
      * any-user use stream-push where principal.type = 'eventrule' AND target
        carries DatadogManaged.marker — OCI Events Service publishes only to
        Datadog-managed streams.

The pipeline resources themselves (events function, events rule, stream) are
not created by this stack — they are managed at runtime. This PR only adds
the IAM so that flow works.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: yuhuyoyo

datadog-integration/modules/auth/main.tf

@@ -180,8 +180,22 @@ resource "oci_identity_domains_group" "dd_auth" {
   }
 }
 
+resource "oci_identity_tag_namespace" "datadog_managed" {
+  compartment_id = var.compartment_id
+  name           = "DatadogManaged"
+  description    = "[DO NOT REMOVE] Marker namespace for Datadog-managed resources. Removing this breaks the IAM grant scoping for the events rule."
+  freeform_tags  = var.tags
+  defined_tags   = var.defined_tags
+}
+
+resource "oci_identity_tag" "marker" {
+  tag_namespace_id = oci_identity_tag_namespace.datadog_managed.id
+  name             = "marker"
+  description      = "[DO NOT REMOVE] Applied to resources that the Datadog group is allowed to manage (e.g. the events rule). Removing this breaks the scoped IAM grant."
+}
+
 resource "oci_identity_policy" "dd_auth" {
-  depends_on     = [null_resource.user_group_variable_validation, oci_identity_domains_group.dd_auth]
+  depends_on     = [null_resource.user_group_variable_validation, oci_identity_domains_group.dd_auth, oci_identity_tag_namespace.datadog_managed]
   compartment_id = var.tenancy_id
   description    = "[DO NOT REMOVE] Policies required by Datadog User"
   name           = var.user_policy_name
@@ -194,7 +208,9 @@ resource "oci_identity_policy" "dd_auth" {
     "Allow group id ${local.dd_group_ocid} to manage buckets in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
     "Allow group id ${local.dd_group_ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
     "Allow group id ${local.dd_group_ocid} to use fn-invocation in compartment id ${var.compartment_id}",
-    "Endorse group id ${local.dd_group_ocid} to read objects in tenancy usage-report"
+    "Endorse group id ${local.dd_group_ocid} to read objects in tenancy usage-report",
+    "Allow group id ${local.dd_group_ocid} to manage cloudevents-rules in tenancy where any {request.permission = 'EVENTRULE_CREATE', target.resource.tag.DatadogManaged.marker = 'true'}",
+    "Allow group id ${local.dd_group_ocid} to manage streams in compartment id ${var.compartment_id} where any {request.permission = 'STREAM_CREATE', target.resource.tag.DatadogManaged.marker = 'true'}",
   ]
   freeform_tags = var.tags
   defined_tags  = var.defined_tags
@@ -229,7 +245,9 @@ resource "oci_identity_policy" "dynamic_group" {
     "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use fn-function in compartment id ${var.compartment_id}",
     "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use fn-invocation in compartment id ${var.compartment_id}",
     "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to read secret-bundles in compartment id ${var.compartment_id}",
-    "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/"
+    "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
+    "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use stream-pull in compartment id ${var.compartment_id} where target.resource.tag.DatadogManaged.marker = 'true'",
+    "Allow any-user to use stream-push in compartment id ${var.compartment_id} where all {request.principal.type = 'eventrule', target.resource.tag.DatadogManaged.marker = 'true'}"
   ]
   freeform_tags = var.tags
   defined_tags  = var.defined_tags

datadog-terraform-onboarding/modules/auth/main.tf

@@ -184,8 +184,22 @@ resource "oci_identity_domains_group" "dd_auth" {
   }
 }
 
+resource "oci_identity_tag_namespace" "datadog_managed" {
+  compartment_id = var.compartment_id
+  name           = "DatadogManaged"
+  description    = "[DO NOT REMOVE] Marker namespace for Datadog-managed resources. Removing this breaks the IAM grant scoping for the events rule."
+  freeform_tags  = var.tags
+  defined_tags   = var.defined_tags
+}
+
+resource "oci_identity_tag" "marker" {
+  tag_namespace_id = oci_identity_tag_namespace.datadog_managed.id
+  name             = "marker"
+  description      = "[DO NOT REMOVE] Applied to resources that the Datadog group is allowed to manage (e.g. the events rule). Removing this breaks the scoped IAM grant."
+}
+
 resource "oci_identity_policy" "dd_auth" {
-  depends_on     = [null_resource.user_group_variable_validation, oci_identity_domains_group.dd_auth]
+  depends_on     = [null_resource.user_group_variable_validation, oci_identity_domains_group.dd_auth, oci_identity_tag_namespace.datadog_managed]
   compartment_id = var.tenancy_id
   description    = "[DO NOT REMOVE] Policies required by Datadog User"
   name           = var.user_policy_name
@@ -198,7 +212,9 @@ resource "oci_identity_policy" "dd_auth" {
     "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage buckets in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
     "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
     "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to use fn-invocation in compartment id ${var.compartment_id}",
-    "Endorse group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to read objects in tenancy usage-report"
+    "Endorse group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to read objects in tenancy usage-report",
+    "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage cloudevents-rules in tenancy where any {request.permission = 'EVENTRULE_CREATE', target.resource.tag.DatadogManaged.marker = 'true'}",
+    "Allow group id ${var.existing_group_id != null && var.existing_group_id != "" ? var.existing_group_id : oci_identity_domains_group.dd_auth[0].ocid} to manage streams in compartment id ${var.compartment_id} where any {request.permission = 'STREAM_CREATE', target.resource.tag.DatadogManaged.marker = 'true'}",
   ]
   freeform_tags = var.tags
   defined_tags  = var.defined_tags
@@ -233,7 +249,9 @@ resource "oci_identity_policy" "dynamic_group" {
     "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use fn-function in compartment id ${var.compartment_id}",
     "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use fn-invocation in compartment id ${var.compartment_id}",
     "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to read secret-bundles in compartment id ${var.compartment_id}",
-    "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/"
+    "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.forwarding_function.ocid} to manage object-family in compartment id ${var.compartment_id} where target.bucket.name=/dd-*/",
+    "Allow dynamic-group id ${oci_identity_domains_dynamic_resource_group.service_connector.ocid} to use stream-pull in compartment id ${var.compartment_id} where target.resource.tag.DatadogManaged.marker = 'true'",
+    "Allow any-user to use stream-push in compartment id ${var.compartment_id} where all {request.principal.type = 'eventrule', target.resource.tag.DatadogManaged.marker = 'true'}"
   ]
   freeform_tags = var.tags
   defined_tags  = var.defined_tags