Viewing docs for Datadog v5.2.0
published on Thursday, May 21, 2026 by Pulumi
published on Thursday, May 21, 2026 by Pulumi
Viewing docs for Datadog v5.2.0
published on Thursday, May 21, 2026 by Pulumi
published on Thursday, May 21, 2026 by Pulumi
Provides a Datadog Org Group Policy Override resource. An override exempts a specific organization from a policy applied at the org group level.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";
const prod = new datadog.OrgGroup("prod", {name: "Production Environments"});
const exemptOrg = new datadog.OrgGroupMembership("exempt_org", {
orgGroupId: prod.id,
orgUuid: "ff4a8255-6931-58d1-add0-a6b3602d5421",
});
const widgetCopyPaste = new datadog.OrgGroupPolicy("widget_copy_paste", {
orgGroupId: prod.id,
policyName: "is_widget_copy_paste_enabled",
content: JSON.stringify({
org_config: false,
}),
enforcementTier: "DEFAULT",
});
// Exempts the given organization from the widget_copy_paste policy.
// The org keeps its current value for is_widget_copy_paste_enabled regardless
// of the policy. The resource must target a policy whose tier is not ENFORCE.
const example = new datadog.OrgGroupPolicyOverride("example", {
orgGroupId: prod.id,
policyId: widgetCopyPaste.id,
orgUuid: "ff4a8255-6931-58d1-add0-a6b3602d5421",
orgSite: "us1",
}, {
dependsOn: [exemptOrg],
});
import pulumi
import json
import pulumi_datadog as datadog
prod = datadog.OrgGroup("prod", name="Production Environments")
exempt_org = datadog.OrgGroupMembership("exempt_org",
org_group_id=prod.id,
org_uuid="ff4a8255-6931-58d1-add0-a6b3602d5421")
widget_copy_paste = datadog.OrgGroupPolicy("widget_copy_paste",
org_group_id=prod.id,
policy_name="is_widget_copy_paste_enabled",
content=json.dumps({
"org_config": False,
}),
enforcement_tier="DEFAULT")
# Exempts the given organization from the widget_copy_paste policy.
# The org keeps its current value for is_widget_copy_paste_enabled regardless
# of the policy. The resource must target a policy whose tier is not ENFORCE.
example = datadog.OrgGroupPolicyOverride("example",
org_group_id=prod.id,
policy_id=widget_copy_paste.id,
org_uuid="ff4a8255-6931-58d1-add0-a6b3602d5421",
org_site="us1",
opts = pulumi.ResourceOptions(depends_on=[exempt_org]))
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-datadog/sdk/v5/go/datadog"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
prod, err := datadog.NewOrgGroup(ctx, "prod", &datadog.OrgGroupArgs{
Name: pulumi.String("Production Environments"),
})
if err != nil {
return err
}
exemptOrg, err := datadog.NewOrgGroupMembership(ctx, "exempt_org", &datadog.OrgGroupMembershipArgs{
OrgGroupId: prod.ID(),
OrgUuid: pulumi.String("ff4a8255-6931-58d1-add0-a6b3602d5421"),
})
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"org_config": false,
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
widgetCopyPaste, err := datadog.NewOrgGroupPolicy(ctx, "widget_copy_paste", &datadog.OrgGroupPolicyArgs{
OrgGroupId: prod.ID(),
PolicyName: pulumi.String("is_widget_copy_paste_enabled"),
Content: pulumi.String(pulumi.String(json0)),
EnforcementTier: pulumi.String("DEFAULT"),
})
if err != nil {
return err
}
// Exempts the given organization from the widget_copy_paste policy.
// The org keeps its current value for is_widget_copy_paste_enabled regardless
// of the policy. The resource must target a policy whose tier is not ENFORCE.
_, err = datadog.NewOrgGroupPolicyOverride(ctx, "example", &datadog.OrgGroupPolicyOverrideArgs{
OrgGroupId: prod.ID(),
PolicyId: widgetCopyPaste.ID(),
OrgUuid: pulumi.String("ff4a8255-6931-58d1-add0-a6b3602d5421"),
OrgSite: pulumi.String("us1"),
}, pulumi.DependsOn([]pulumi.Resource{
exemptOrg,
}))
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Datadog = Pulumi.Datadog;
return await Deployment.RunAsync(() =>
{
var prod = new Datadog.OrgGroup("prod", new()
{
Name = "Production Environments",
});
var exemptOrg = new Datadog.OrgGroupMembership("exempt_org", new()
{
OrgGroupId = prod.Id,
OrgUuid = "ff4a8255-6931-58d1-add0-a6b3602d5421",
});
var widgetCopyPaste = new Datadog.OrgGroupPolicy("widget_copy_paste", new()
{
OrgGroupId = prod.Id,
PolicyName = "is_widget_copy_paste_enabled",
Content = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["org_config"] = false,
}),
EnforcementTier = "DEFAULT",
});
// Exempts the given organization from the widget_copy_paste policy.
// The org keeps its current value for is_widget_copy_paste_enabled regardless
// of the policy. The resource must target a policy whose tier is not ENFORCE.
var example = new Datadog.OrgGroupPolicyOverride("example", new()
{
OrgGroupId = prod.Id,
PolicyId = widgetCopyPaste.Id,
OrgUuid = "ff4a8255-6931-58d1-add0-a6b3602d5421",
OrgSite = "us1",
}, new CustomResourceOptions
{
DependsOn =
{
exemptOrg,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.datadog.OrgGroup;
import com.pulumi.datadog.OrgGroupArgs;
import com.pulumi.datadog.OrgGroupMembership;
import com.pulumi.datadog.OrgGroupMembershipArgs;
import com.pulumi.datadog.OrgGroupPolicy;
import com.pulumi.datadog.OrgGroupPolicyArgs;
import com.pulumi.datadog.OrgGroupPolicyOverride;
import com.pulumi.datadog.OrgGroupPolicyOverrideArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.resources.CustomResourceOptions;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var prod = new OrgGroup("prod", OrgGroupArgs.builder()
.name("Production Environments")
.build());
var exemptOrg = new OrgGroupMembership("exemptOrg", OrgGroupMembershipArgs.builder()
.orgGroupId(prod.id())
.orgUuid("ff4a8255-6931-58d1-add0-a6b3602d5421")
.build());
var widgetCopyPaste = new OrgGroupPolicy("widgetCopyPaste", OrgGroupPolicyArgs.builder()
.orgGroupId(prod.id())
.policyName("is_widget_copy_paste_enabled")
.content(serializeJson(
jsonObject(
jsonProperty("org_config", false)
)))
.enforcementTier("DEFAULT")
.build());
// Exempts the given organization from the widget_copy_paste policy.
// The org keeps its current value for is_widget_copy_paste_enabled regardless
// of the policy. The resource must target a policy whose tier is not ENFORCE.
var example = new OrgGroupPolicyOverride("example", OrgGroupPolicyOverrideArgs.builder()
.orgGroupId(prod.id())
.policyId(widgetCopyPaste.id())
.orgUuid("ff4a8255-6931-58d1-add0-a6b3602d5421")
.orgSite("us1")
.build(), CustomResourceOptions.builder()
.dependsOn(exemptOrg)
.build());
}
}
resources:
prod:
type: datadog:OrgGroup
properties:
name: Production Environments
exemptOrg:
type: datadog:OrgGroupMembership
name: exempt_org
properties:
orgGroupId: ${prod.id}
orgUuid: ff4a8255-6931-58d1-add0-a6b3602d5421
widgetCopyPaste:
type: datadog:OrgGroupPolicy
name: widget_copy_paste
properties:
orgGroupId: ${prod.id}
policyName: is_widget_copy_paste_enabled
content:
fn::toJSON:
org_config: false
enforcementTier: DEFAULT
# Exempts the given organization from the widget_copy_paste policy.
# The org keeps its current value for is_widget_copy_paste_enabled regardless
# of the policy. The resource must target a policy whose tier is not ENFORCE.
example:
type: datadog:OrgGroupPolicyOverride
properties:
orgGroupId: ${prod.id}
policyId: ${widgetCopyPaste.id}
orgUuid: ff4a8255-6931-58d1-add0-a6b3602d5421
orgSite: us1
options:
dependsOn:
- ${exemptOrg}
Example coming soon!
Behavior notes
Server-side auto-creation
Overrides are also created automatically by the server when an org’s existing config differs from a policy’s value. Two triggers:
- Membership change: When an org is moved into an org group, the server compares that org’s current config to each non-
ENFORCEpolicy in the group. Any mismatch produces an auto-created override that records the org’s existing value. - Policy create/update with a non-
ENFORCEtier: The server performs the same comparison across every member org at policy apply time, creating overrides for orgs whose config doesn’t match the new policy value.
Auto-created and user-declared overrides are indistinguishable at the API level. They can be adopted into Terraform via pulumi import or by iterating the datadog.getOrgGroupPolicyOverrides data source with forEach + import blocks.
Delete behavior
Removing an override does not just remove the exemption marker. The target org’s config value is also reset to match the parent policy’s current value. The server treats override deletion as “re-apply the policy to this org” and propagates the policy value accordingly.
If you want to stop managing an override without changing the org’s value, use terraform state rm instead of removing the resource block.
ENFORCE tier cascade
When the parent datadog.OrgGroupPolicy transitions to enforcementTier = "ENFORCE", the server automatically deletes every override for that policy. Creating an override against an already-ENFORCE-tier policy also fails with a FailedPrecondition error.
If you plan to flip a policy to ENFORCE, remove the datadog.OrgGroupPolicyOverride resource blocks for that policy in the same commit. Otherwise, Terraform’s next apply will try to re-create the server-deleted overrides and fail.
Create OrgGroupPolicyOverride Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new OrgGroupPolicyOverride(name: string, args: OrgGroupPolicyOverrideArgs, opts?: CustomResourceOptions);@overload
def OrgGroupPolicyOverride(resource_name: str,
args: OrgGroupPolicyOverrideArgs,
opts: Optional[ResourceOptions] = None)
@overload
def OrgGroupPolicyOverride(resource_name: str,
opts: Optional[ResourceOptions] = None,
org_group_id: Optional[str] = None,
org_site: Optional[str] = None,
org_uuid: Optional[str] = None,
policy_id: Optional[str] = None)func NewOrgGroupPolicyOverride(ctx *Context, name string, args OrgGroupPolicyOverrideArgs, opts ...ResourceOption) (*OrgGroupPolicyOverride, error)public OrgGroupPolicyOverride(string name, OrgGroupPolicyOverrideArgs args, CustomResourceOptions? opts = null)
public OrgGroupPolicyOverride(String name, OrgGroupPolicyOverrideArgs args)
public OrgGroupPolicyOverride(String name, OrgGroupPolicyOverrideArgs args, CustomResourceOptions options)
type: datadog:OrgGroupPolicyOverride
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
resource "datadog_orggrouppolicyoverride" "name" {
# resource properties
}Parameters
- name string
- The unique name of the resource.
- args OrgGroupPolicyOverrideArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args OrgGroupPolicyOverrideArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args OrgGroupPolicyOverrideArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args OrgGroupPolicyOverrideArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args OrgGroupPolicyOverrideArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var orgGroupPolicyOverrideResource = new Datadog.OrgGroupPolicyOverride("orgGroupPolicyOverrideResource", new()
{
OrgGroupId = "string",
OrgSite = "string",
OrgUuid = "string",
PolicyId = "string",
});
example, err := datadog.NewOrgGroupPolicyOverride(ctx, "orgGroupPolicyOverrideResource", &datadog.OrgGroupPolicyOverrideArgs{
OrgGroupId: pulumi.String("string"),
OrgSite: pulumi.String("string"),
OrgUuid: pulumi.String("string"),
PolicyId: pulumi.String("string"),
})
resource "datadog_orggrouppolicyoverride" "orgGroupPolicyOverrideResource" {
org_group_id = "string"
org_site = "string"
org_uuid = "string"
policy_id = "string"
}
var orgGroupPolicyOverrideResource = new OrgGroupPolicyOverride("orgGroupPolicyOverrideResource", OrgGroupPolicyOverrideArgs.builder()
.orgGroupId("string")
.orgSite("string")
.orgUuid("string")
.policyId("string")
.build());
org_group_policy_override_resource = datadog.OrgGroupPolicyOverride("orgGroupPolicyOverrideResource",
org_group_id="string",
org_site="string",
org_uuid="string",
policy_id="string")
const orgGroupPolicyOverrideResource = new datadog.OrgGroupPolicyOverride("orgGroupPolicyOverrideResource", {
orgGroupId: "string",
orgSite: "string",
orgUuid: "string",
policyId: "string",
});
type: datadog:OrgGroupPolicyOverride
properties:
orgGroupId: string
orgSite: string
orgUuid: string
policyId: string
OrgGroupPolicyOverride Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The OrgGroupPolicyOverride resource accepts the following input properties:
- Org
Group stringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- Org
Site string - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - Org
Uuid string - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- Policy
Id string - The UUID of the org group policy the override applies to. Must be a valid UUID.
- Org
Group stringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- Org
Site string - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - Org
Uuid string - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- Policy
Id string - The UUID of the org group policy the override applies to. Must be a valid UUID.
- org_
group_ stringid - The UUID of the org group that owns the policy. Must be a valid UUID.
- org_
site string - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org_
uuid string - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy_
id string - The UUID of the org group policy the override applies to. Must be a valid UUID.
- org
Group StringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- org
Site String - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org
Uuid String - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy
Id String - The UUID of the org group policy the override applies to. Must be a valid UUID.
- org
Group stringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- org
Site string - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org
Uuid string - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy
Id string - The UUID of the org group policy the override applies to. Must be a valid UUID.
- org_
group_ strid - The UUID of the org group that owns the policy. Must be a valid UUID.
- org_
site str - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org_
uuid str - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy_
id str - The UUID of the org group policy the override applies to. Must be a valid UUID.
- org
Group StringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- org
Site String - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org
Uuid String - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy
Id String - The UUID of the org group policy the override applies to. Must be a valid UUID.
Outputs
All input properties are implicitly available as output properties. Additionally, the OrgGroupPolicyOverride resource produces the following output properties:
Look up Existing OrgGroupPolicyOverride Resource
Get an existing OrgGroupPolicyOverride resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: OrgGroupPolicyOverrideState, opts?: CustomResourceOptions): OrgGroupPolicyOverride@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
content: Optional[str] = None,
org_group_id: Optional[str] = None,
org_site: Optional[str] = None,
org_uuid: Optional[str] = None,
policy_id: Optional[str] = None) -> OrgGroupPolicyOverridefunc GetOrgGroupPolicyOverride(ctx *Context, name string, id IDInput, state *OrgGroupPolicyOverrideState, opts ...ResourceOption) (*OrgGroupPolicyOverride, error)public static OrgGroupPolicyOverride Get(string name, Input<string> id, OrgGroupPolicyOverrideState? state, CustomResourceOptions? opts = null)public static OrgGroupPolicyOverride get(String name, Output<String> id, OrgGroupPolicyOverrideState state, CustomResourceOptions options)resources: _: type: datadog:OrgGroupPolicyOverride get: id: ${id}import {
to = datadog_orggrouppolicyoverride.example
id = "${id}"
}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Content string
- The org's config value at the time the override was created, as a JSON-encoded string. Server-managed.
- Org
Group stringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- Org
Site string - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - Org
Uuid string - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- Policy
Id string - The UUID of the org group policy the override applies to. Must be a valid UUID.
- Content string
- The org's config value at the time the override was created, as a JSON-encoded string. Server-managed.
- Org
Group stringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- Org
Site string - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - Org
Uuid string - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- Policy
Id string - The UUID of the org group policy the override applies to. Must be a valid UUID.
- content string
- The org's config value at the time the override was created, as a JSON-encoded string. Server-managed.
- org_
group_ stringid - The UUID of the org group that owns the policy. Must be a valid UUID.
- org_
site string - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org_
uuid string - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy_
id string - The UUID of the org group policy the override applies to. Must be a valid UUID.
- content String
- The org's config value at the time the override was created, as a JSON-encoded string. Server-managed.
- org
Group StringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- org
Site String - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org
Uuid String - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy
Id String - The UUID of the org group policy the override applies to. Must be a valid UUID.
- content string
- The org's config value at the time the override was created, as a JSON-encoded string. Server-managed.
- org
Group stringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- org
Site string - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org
Uuid string - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy
Id string - The UUID of the org group policy the override applies to. Must be a valid UUID.
- content str
- The org's config value at the time the override was created, as a JSON-encoded string. Server-managed.
- org_
group_ strid - The UUID of the org group that owns the policy. Must be a valid UUID.
- org_
site str - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org_
uuid str - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy_
id str - The UUID of the org group policy the override applies to. Must be a valid UUID.
- content String
- The org's config value at the time the override was created, as a JSON-encoded string. Server-managed.
- org
Group StringId - The UUID of the org group that owns the policy. Must be a valid UUID.
- org
Site String - The short site name of the organization (e.g.,
us1,eu1,us1-fed). Part of the override's server-side identity; changing it replaces the resource. String length must be at least 1. - org
Uuid String - The UUID of the organization being exempted from the policy. Must be a valid UUID.
- policy
Id String - The UUID of the org group policy the override applies to. Must be a valid UUID.
Import
$ pulumi import datadog:index/orgGroupPolicyOverride:OrgGroupPolicyOverride example <override_uuid>
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Datadog pulumi/pulumi-datadog
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
datadogTerraform Provider.
Viewing docs for Datadog v5.2.0
published on Thursday, May 21, 2026 by Pulumi
published on Thursday, May 21, 2026 by Pulumi