The Datadog Agent Ansible role installs and configures the Datadog Agent and integrations.

Ansible role versus Ansible collection

The Datadog Agent Ansible role is available through 2 different channels:

• As part of the Datadog collection, accessible under the datadog.dd name on Ansible Galaxy (recommended).
• As a standalone role, accessible under the datadog.datadog name on Ansible Galaxy (legacy).

Version 4 of the role and version 5 of the collection install the Datadog Agent v7 by default.

Setup

Note that the install instructions in this document describe installation of the standalone Datadog role. For installation instructions of the Datadog collection, please refer to the collection README file. The configuration variables are the same for both the standalone role as well as the role accessed through the collection.

Requirements

• Requires Ansible v2.6+.

• Supports most Debian and RHEL-based Linux distributions, macOS, and Windows.

• When using with Ansible 2.10+ to manage Windows hosts, requires the ansible.windows collection to be installed:

  ansible-galaxy collection install ansible.windows
  

• When using with Ansible 2.10+ to manage openSUSE/SLES hosts, requires the community.general collection to be installed:

  ansible-galaxy collection install community.general
  

Installation

Install the Datadog role from Ansible Galaxy on your Ansible server:

ansible-galaxy install datadog.datadog

To deploy the Datadog Agent on hosts, add the Datadog role and your API key to your playbook:

- hosts: servers
  roles:
    - { role: datadog.datadog, become: yes }
  vars:
    datadog_api_key: "<YOUR_DD_API_KEY>"

The API key is required and its absence causes the role to fail. If you want to provide it through another way, outside of Ansible’s control, specify a placeholder key and substitute the key at a later point.

Role variables

These variables provide additional configuration during the installation of the Datadog Agent. They should be specified in the vars section of your playbook.

Integrations

To configure a Datadog integration (check), add an entry to the datadog_checks section. The first level key is the name of the check, and the value is the YAML payload to write the configuration file. Examples are provided below.

To install or remove an integration, refer to the datadog_integration paragraph

Process check

To define two instances for the process check use the configuration below. This creates the corresponding configuration files:

• Agent v6 & v7: /etc/datadog-agent/conf.d/process.d/conf.yaml
• Agent v5: /etc/dd-agent/conf.d/process.yaml

    datadog_checks:
      process:
        init_config:
        instances:
          - name: ssh
            search_string: ['ssh', 'sshd']
          - name: syslog
            search_string: ['rsyslog']
            cpu_check_interval: 0.2
            exact_match: true
            ignore_denied_access: true

Custom check

To configure a custom check use the configuration below. This creates the corresponding configuration files:

• Agent v6 & v7: /etc/datadog-agent/conf.d/my_custom_check.d/conf.yaml
• Agent v5: /etc/dd-agent/conf.d/my_custom_check.yaml

    datadog_checks:
      my_custom_check:
        init_config:
        instances:
          - some_data: true

Custom Python Checks

To pass a Python check to the playbook, use the configuration below.

This configuration requires the Datadog play and role to be a part of the larger playbook where the value passed in is the relative file path to the actual task for Linux or Windows.

This is only available for Agent v6 or later.

The key should be the name of the file created in the checks directory checks.d/{{ item }}.py:

    datadog_checks:
      my_custom_check:
        init_config:
        instances:
          - some_data: true
    datadog_custom_checks:
      my_custom_check: '../../../custom_checks/my_custom_check.py'

Autodiscovery

When using Autodiscovery, there is no pre-processing nor post-processing on the YAML. This means every YAML section is added to the final configuration file, including autodiscovery identifiers.

The example below configures the PostgreSQL check through Autodiscovery:

    datadog_checks:
      postgres:
        ad_identifiers:
          - db-master
          - db-slave
        init_config:
        instances:
          - host: %%host%%
            port: %%port%%
            username: username
            password: password

Learn more about Autodiscovery in the Datadog documentation.

Tracing

To enable trace collection with Agent v6 or v7 use the following configuration:

datadog_config:
  apm_config:
    enabled: true

To enable trace collection with Agent v5 use the following configuration:

datadog_config:
  apm_enabled: "true" # has to be a string

Live processes

To enable live process collection with Agent v6 or v7 use the following configuration:

datadog_config:
  process_config:
    enabled: "true" # type: string

The possible values for enabled are: "true", "false" (only container collection), or "disabled" (disable live processes entirely).

Variables

The following variables are available for live processes:

• scrub_args: Enables the scrubbing of sensitive arguments from a process command line (defaults to true).
• custom_sensitive_words: Expands the default list of sensitive words used by the command line scrubber.

System probe

The system probe is configured under the system_probe_config variable. Any variables nested underneath are written to the system-probe.yaml, in the system_probe_config section.

Network Performance Monitoring (NPM) is configured under the network_config variable. Any variables nested underneath are written to the system-probe.yaml, in the network_config section.

Cloud Workload Security is configured under the runtime_security_config variable. Any variables nested underneath are written to the system-probe.yaml and security-agent.yaml, in the runtime_security_config section.

Universal Service Monitoring (USM) is configured under the service_monitoring_config variable. Any variables nested underneath are written to the system-probe.yaml, in the service_monitoring_config section.

Compliance is configured under the compliance_config variable. Any variables nested underneath are written to the security-agent.yaml, in the compliance_config section.

Note for Windows users: NPM is supported on Windows with Agent v6.27+ and v7.27+. It ships as an optional component that is only installed if network_config.enabled is set to true when the Agent is installed or upgraded. Because of this, existing installations might need to do an uninstall and reinstall of the Agent once to install the NPM component, unless the Agent is upgraded at the same time.

Example configuration

datadog_config:
  process_config:
    enabled: "true" # type: string
    scrub_args: true
    custom_sensitive_words: ['consul_token','dd_api_key']
system_probe_config:
  sysprobe_socket: /opt/datadog-agent/run/sysprobe.sock
network_config:
  enabled: true
service_monitoring_config:
  enabled: true
runtime_security_config:
  enabled: true

Note: This configuration works with Agent 6.24.1+ and 7.24.1+. For older Agent versions, see the Network Performance Monitoring documentation on how to enable system-probe.

On Linux, once this modification is complete, follow the steps below if you installed an Agent version older than 6.18.0 or 7.18.0:

1. Start the system-probe: sudo service datadog-agent-sysprobe start Note: If the service wrapper is not available on your system, run this command instead: sudo initctl start datadog-agent-sysprobe.
2. Restart the Agent: sudo service datadog-agent restart.
3. Enable the system-probe to start on boot: sudo service enable datadog-agent-sysprobe.

For manual setup, see the NPM documentation.

Agent v5

To enable live process collection with Agent v5, use the following configuration:

datadog_config:
  process_agent_enabled: true
datadog_config_ex:
  process.config:
    scrub_args: true
    custom_sensitive_words: "<FIRST_WORD>,<SECOND_WORD>"

Versions

By default, the current major version of the Datadog Ansible role installs Agent v7. The variables datadog_agent_version and datadog_agent_major_version are available to control the Agent version installed.

For v4+ of this role, when datadog_agent_version is used to pin a specific Agent version, the role derives per-OS version names to comply with the version naming schemes of the supported operating systems, for example:

• 1:7.16.0-1 for Debian and SUSE based
• 7.16.0-1 for RedHat-based
• 7.16.0-1 for macOS
• 7.16.0 for Windows.

This makes it possible to target hosts running different operating systems in the same Ansible run, for example:

Note: If the version is not provided, the role uses 1 as the epoch and 1 as the release number.

Agent v5 (older version):

The Datadog Ansible role includes support for Datadog Agent v5 for Linux only. To install Agent v5, use datadog_agent_major_version: 5 to install the latest version of Agent v5 or set datadog_agent_version to a specific version of Agent v5. Note: The datadog_agent5 variable is obsolete and has been removed.

Repositories

Linux

When the variables datadog_apt_repo, datadog_yum_repo, and datadog_zypper_repo are not set, the official Datadog repositories for the major version set in datadog_agent_major_version are used:

To override the default behavior, set these variables to something else than an empty string.

If you previously used the Agent v5 variables, use the new variables below with datadog_agent_major_version set to 5 or datadog_agent_version pinned to a specific Agent v5 version.

Since version 4.9.0, the use_apt_backup_keyserver variable has been removed, as APT keys are obtained from https://keys.datadoghq.com.

Windows

When the variable datadog_windows_download_url is not set, the official Windows MSI package corresponding to the datadog_agent_major_version is used:

To override the default behavior, set this variable to something other than an empty string.

macOS

When the variable datadog_macos_download_url is not set, the official macOS DMG package corresponding to the datadog_agent_major_version is used:

To override the default behavior, set this variable to something other than an empty string.

Upgrade

To upgrade from Agent v6 to v7, use datadog_agent_major_version: 7 to install the latest version or set datadog_agent_version to a specific version of Agent v7. Use similar logic to upgrade from Agent v5 to v6.

Integration installation

Available for Agent v6.8+

Use the datadog_integration resource to install a specific version of a Datadog integration. Keep in mind, the Agent comes with the core integrations already installed. This command is useful for upgrading a specific integration without upgrading the whole Agent. For more details, see integration management.

If you want to configure an integration, refer to the datadog_checks paragraph

Available actions:

• install: Installs a specific version of the integration.
• remove: Removes an integration.

Third party integrations

Datadog community and Datadog Marketplace integrations can be installed with the datadog_integration resource. Note: These integrations are considered to be “third party” and thus need third_party: true to be set—see the example below.

Syntax

  datadog_integration:
    <INTEGRATION_NAME>:
      action: <ACTION>
      version: <VERSION_TO_INSTALL>

To install third party integrations, set third_party to true:

  datadog_integration:
    <INTEGRATION_NAME>:
      action: <ACTION>
      version: <VERSION_TO_INSTALL>
      third_party: true

Example

This example installs version 1.11.0 of the ElasticSearch integration and removes the postgres integration.

 datadog_integration:
   datadog-elastic:
     action: install
     version: 1.11.0
   datadog-postgres:
     action: remove

To see the available versions of Datadog integrations, see their CHANGELOG.md file in the integrations-core repository.

Downgrade

To downgrade to a prior version of the Agent:

1. Set datadog_agent_version to a specific version, for example: 5.32.5.
2. Set datadog_agent_allow_downgrade to yes.

Notes:

• Downgrades are not supported for Windows platforms.

Playbooks

Below are some sample playbooks to assist you with using the Datadog Ansible role.

The following example sends data to Datadog US (default), enables logs, NPM, and configures a few checks.

- hosts: servers
  roles:
    - { role: datadog.datadog, become: yes }
  vars:
    datadog_api_key: "<YOUR_DD_API_KEY>"
    datadog_agent_version: "7.16.0"
    datadog_config:
      tags:
        - "<KEY>:<VALUE>"
        - "<KEY>:<VALUE>"
      log_level: INFO
      apm_config:
        enabled: true
      logs_enabled: true  # available with Agent v6 and v7
    datadog_checks:
      process:
        init_config:
        instances:
          - name: ssh
            search_string: ['ssh', 'sshd' ]
          - name: syslog
            search_string: ['rsyslog' ]
            cpu_check_interval: 0.2
            exact_match: true
            ignore_denied_access: true
      ssh_check:
        init_config:
        instances:
          - host: localhost
            port: 22
            username: root
            password: <YOUR_PASSWORD>
            sftp_check: True
            private_key_file:
            add_missing_keys: True
      nginx:
        init_config:
        instances:
          - nginx_status_url: http://example.com/nginx_status/
            tags:
              - "source:nginx"
              - "instance:foo"
          - nginx_status_url: http://example2.com:1234/nginx_status/
            tags:
              - "source:nginx"
              - "<KEY>:<VALUE>"

        #Log collection is available on Agent 6 and 7
        logs:
          - type: file
            path: /var/log/access.log
            service: myapp
            source: nginx
            sourcecategory: http_web_access
          - type: file
            path: /var/log/error.log
            service: nginx
            source: nginx
            sourcecategory: http_web_access
    # datadog_integration is available on Agent 6.8+
    datadog_integration:
      datadog-elastic:
        action: install
        version: 1.11.0
      datadog-postgres:
        action: remove
    network_config:
      enabled: true

Agent v6

This example installs the latest Agent v6:

- hosts: servers
  roles:
    - { role: datadog.datadog, become: yes }
  vars:
    datadog_agent_major_version: 6
    datadog_api_key: "<YOUR_DD_API_KEY>"

Configuring the site

If using a site other than the default datadoghq.com, set the datadog_site var to the appropriate URL (eg: datadoghq.eu, us3.datadoghq.com).

This example sends data to the EU site:

- hosts: servers
  roles:
    - { role: datadog.datadog, become: yes }
  vars:
    datadog_site: "datadoghq.eu"
    datadog_api_key: "<YOUR_DD_API_KEY>"

Windows

On Windows, remove the become: yes option so the role does not fail. Below are two methods to make the example playbooks work with Windows hosts:

Inventory file

Using the inventory file is the recommended approach. Set the ansible_become option to no in the inventory file for each Windows host:

[servers]
linux1 ansible_host=127.0.0.1
linux2 ansible_host=127.0.0.2
windows1 ansible_host=127.0.0.3 ansible_become=no
windows2 ansible_host=127.0.0.4 ansible_become=no

To avoid repeating the same configuration for all Windows hosts, group them and set the variable at the group level:

[linux]
linux1 ansible_host=127.0.0.1
linux2 ansible_host=127.0.0.2

[windows]
windows1 ansible_host=127.0.0.3
windows2 ansible_host=127.0.0.4

[windows:vars]
ansible_become=no

Playbook file

Alternatively, if your playbook only runs on Windows hosts, use the following in the playbook file:

- hosts: servers
  roles:
    - { role: datadog.datadog }
  vars:
    ...

Note: This configuration fails on Linux hosts. Only use it if the playbook is specific to Windows hosts. Otherwise, use the inventory file method.

Uninstallation

On Windows it’s possible to uninstall the Agent by using the following code in your Ansible role:

- name: Check If Datadog Agent is installed
  win_shell: |
    (@(Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" -Recurse) | Where {$_.GetValue("DisplayName") -like "Datadog Agent" }).PSChildName    
  register: agent_installed_result
- name: Set Datadog Agent installed fact
  set_fact:
    agent_installed: "{{ agent_installed_result.stdout | trim }}"
- name: Uninstall the Datadog Agent
  win_package:
    product_id: "{{ agent_installed }}"
    state: absent
  when: agent_installed != ""

Troubleshooting

Debian stretch

Note: this information applies to versions of the role prior to 4.9.0. Since 4.9.0, the apt_key module is no longer used by the role.

On Debian Stretch, the apt_key module used by the role requires an additional system dependency to work correctly. The dependency (dirmngr) is not provided by the module. Add the following configuration to your playbooks to make use of the present role:

---
- hosts: all
  pre_tasks:
    - name: Debian Stretch requires the dirmngr package to use apt_key
      become: yes
      apt:
        name: dirmngr
        state: present
  roles:
    - { role: datadog.datadog, become: yes }
  vars:
    datadog_api_key: "<YOUR_DD_API_KEY>"

CentOS 6/7 with Python 3 interpreter and Ansible 2.10.x or below

The yum Python module, which is used in this role to install the Agent on CentOS-based hosts, is only available on Python 2 if Ansible 2.10.x or below is used. In such cases, the dnf package manager would have to be used instead.

However, dnf and the dnf Python module are not installed by default on CentOS-based hosts before CentOS 8. In this case, it is not possible to install the Agent when a Python 3 interpreter is used.

This role fails early when this situation is detected to indicate that Ansible 2.11+ or a Python 2 interpreter is needed when installing the Agent on CentOS / RHEL < 8.

To bypass this early failure detection (for instance, if dnf and the python3-dnf package are available on your host), set the datadog_ignore_old_centos_python3_error variable to true.

Windows

Due to a critical bug in Agent versions 6.14.0 and 6.14.1 on Windows, installation of these versions is blocked (starting with version 3.3.0 of this role).

NOTE: Ansible fails on Windows if datadog_agent_version is set to 6.14.0 or 6.14.1. Use 6.14.2 or above.

If you are updating from 6.14.0 or 6.14.1 on Windows, use the following steps:

1. Upgrade the present datadog.datadog Ansible role to the latest version (>=3.3.0).
2. Set the datadog_agent_version to 6.14.2 or above (defaults to latest).

For more details, see Critical Bug in Uninstaller for Datadog Agent 6.14.0 and 6.14.1 on Windows.

Ubuntu 20.04 broken by service_facts

Running the service_facts module on Ubuntu 20.04 causes the following error:

localhost | FAILED! => {
    "changed": false,
    "msg": "Malformed output discovered from systemd list-unit-files: accounts-daemon.service                    enabled         enabled      "
}

To fix this, update Ansible to v2.9.8 or above.

Missing API key

Starting from role 4.21 the API key is mandatory for the role to proceed.

If you need to install the agent through Ansible but don’t want to specify an API key (if you are baking it into a container/VM image for instance) you can:

• Specify a dummy API key and replace it afterward
• Disable managed_config (datadog_manage_config: false)