Link AWS accounts with Terraform
If you manage your AWS infrastructure as code, you can link your AWS accounts to the DoiT platform using the Terraform module doit-cloudconnect.
The module requires the following Terraform and provider versions:
- Terraform: >= 1.3
- AWS provider (hashicorp/aws): ~> 6.50
- DoiT Terraform provider (doitintl/doit): >= 1.5.0
- Time provider (hashicorp/time): ~> 0.13
Before you begin
Prepare the following values:
- Your AWS account ID: The 12-digit ID of the AWS account you want to link.
- Your External ID: A unique identifier that DoiT places in the sts:ExternalId condition of the role's trust policy, so that the role can only be assumed by requests DoiT makes on your behalf (the standard confused-deputy protection). To find it:
  - Sign in to the DoiT console, select Data ingestion and integrations > AWS from the top navigation mega menu.
  - Select Link new account, then Create a role manually.
  - Note the value of Your External ID.
- DoiT API key: Required by the DoiT provider to register the account. You can generate an API key from your profile page in the DoiT console.
Provide the API key through the DOIT_API_TOKEN environment variable. Do not pass the API key to the module as a variable or hard-code it in your configuration, where it would be committed alongside your code:
export DOIT_API_TOKEN="<your-doit-api-key>"
Configure the providers
Add the required providers to your Terraform configuration. Configure the aws provider with credentials for the account you are linking, because the module creates the IAM role in that account:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.50"
    }
    doit = {
      source  = "doitintl/doit"
      version = ">= 1.5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Reads the API key from the DOIT_API_TOKEN environment variable
provider "doit" {}
Link new account
Add the module
Add the doit-cloudconnect module to your configuration and provide the required inputs. Make sure to replace the placeholders with the required values.
For details about supported features, input variables, and output, refer to Terraform Registry: doit-cloudconnect.
The three variants below link the account read-only (Core), with write features, and with real-time anomalies.
Read-only (Core): This links the account with the Core read-only permissions, which is the least-privilege starting point.
module "doit_cloudconnect" {
  source      = "github.com/doitintl/terraform-aws-doit-cloudconnect"
  external_id = var.doit_external_id
  account_id  = "<YOUR-AWS-ACCOUNT-ID>"
}
To enable features that require write permissions, list them in additional_features. Each entry adds write permissions to the role, so enable only the features you actually use.
module "doit_cloudconnect" {
  source      = "github.com/doitintl/terraform-aws-doit-cloudconnect"
  external_id = var.doit_external_id
  account_id  = "<YOUR-AWS-ACCOUNT-ID>"
  additional_features = [
    "PerfectScale for Spot",
    "Kubernetes auto connect clusters"
  ]
}
Real-time anomaly detection requires you to specify the CloudTrail S3 bucket through feature_config.
module "doit_cloudconnect" {
  source      = "github.com/doitintl/terraform-aws-doit-cloudconnect"
  external_id = var.doit_external_id
  account_id  = "<YOUR-AWS-ACCOUNT-ID>"
  additional_features = ["Real-time anomalies"]
  feature_config = {
    real-time-data = {
      bucket_name   = "<YOUR-CLOUDTRAIL-BUCKET-NAME>"
      bucket_region = "us-east-1"
    }
  }
}
In addition to the IAM policy, real-time anomalies require an S3 event notification on the CloudTrail bucket that delivers to an SNS topic in DoiT's account. See Enable real-time anomaly on AWS accounts for details.
Define the doit_external_id variable and supply its value (for example, through a terraform.tfvars file or the TF_VAR_doit_external_id environment variable):
variable "doit_external_id" {
  type        = string
  description = "External ID from the DoiT console for the role trust policy"
}
Apply the configuration
Run Terraform from the directory that contains your configuration:
terraform init
terraform plan
terraform apply
After the apply succeeds, the account is registered with DoiT. It can take up to 30 seconds for the account to link. If successful, your linked AWS account shows a Healthy status in the DoiT console.
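Before relying on the link, confirm that the role the module created trusts only a specific AWS account and requires the External ID; a trust policy without those two controls is assumable by anyone who learns the role ARN. The script below is an added example, not code from the DoiT docs or the doit-cloudconnect module. It assumes you fetch the live trust policy with `aws iam get-role --role-name <ROLE> --query Role.AssumeRolePolicyDocument` (substitute the name of the role the module created), and its embedded sample policies are constructed: the account 111111111111 is a placeholder, since DoiT's own account ID is not stated on this page, and the external ID is invented.

```python
"""Check a DoiT cross-account role's trust policy for confused-deputy controls.

Added example, not from the DoiT docs or the doit-cloudconnect module. Usage:
    aws iam get-role --role-name <ROLE> --query Role.AssumeRolePolicyDocument \
        | python3 check_trust.py <EXTERNAL_ID> [<EXPECTED_TRUSTED_ACCOUNT_ID>]
"""
import json
import re
import sys
from typing import Any, Dict, List, Optional

# Constructed sample in the shape of Role.AssumeRolePolicyDocument. Account
# 111111111111 is a placeholder for the trusted (DoiT) account; the external
# ID is invented for this example.
GOOD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}
""")

# Constructed sample of a weak policy: any AWS principal that learns the role
# ARN can assume it, and nothing ties the session to the External ID.
WEAK_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole"
  }]
}
""")

# Matches a bare 12-digit account ID or any IAM ARN belonging to that account.
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal: Any) -> List[str]:
    """Return the 12-digit account IDs named by an AWS principal ('*' names none)."""
    if not isinstance(principal, dict):
        return []
    accounts = []
    for entry in _as_list(principal.get("AWS")):
        match = _ACCOUNT_RE.match(str(entry))
        if match:
            accounts.append(match.group(1))
    return accounts


def check_trust_policy(doc: Dict[str, Any], expected_external_id: str,
                       expected_account: Optional[str] = None) -> List[str]:
    """Return one finding per problem in each Allow statement granting sts:AssumeRole.

    An empty list means every such statement names a specific AWS account (the
    expected one, if given) and requires the External ID through a StringEquals
    condition on sts:ExternalId, the standard confused-deputy control.
    """
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # e.g. a service or web-identity trust; out of scope here
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        accounts = _principal_accounts(principal)
        if wildcard:
            findings.append(f"statement {i}: principal is '*' (any AWS account)")
        elif not accounts:
            findings.append(f"statement {i}: no AWS account principal")
        elif expected_account and accounts != [expected_account]:
            findings.append(f"statement {i}: principal accounts {accounts} are not {expected_account}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif ext_ids != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId {ext_ids} does not match the expected value")
    return findings


if __name__ == "__main__":
    expected_acct = sys.argv[2] if len(sys.argv) > 2 else None
    problems = check_trust_policy(json.load(sys.stdin), sys.argv[1], expected_acct)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run it with the External ID you noted in the DoiT console; a non-zero exit means the role is assumable more broadly than intended and the apply should be reviewed before the account is used. Passing the trusted account ID as the second argument additionally catches a trust policy that points at the wrong account.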
Update features
To add or remove a feature, update the additional_features list (and feature_config if needed), then run terraform apply.
Unlink an account
To unlink an account, run terraform destroy or remove the module block and apply. This removes the IAM role and unregisters the account from DoiT.