Apply policies to logs, metrics, and traces emitted by your Lambda functions before they reach Datadog.
Looking to filter AWS service logs (CloudWatch, S3, etc.)? See the Lambda Forwarder instead.

How it works

The Tero Datadog Lambda Extension is a fork of the Datadog Lambda Extension with policy-based telemetry filtering. It runs as a Lambda layer alongside your function, evaluating each telemetry item against your policies before forwarding to Datadog. We maintain this fork to release within two weeks of upstream Datadog releases.
FIPS compliance is not currently supported. Reach out to Tero Support if this is required for your environment.

Prerequisites

Connect

1. Create an Edge API key

Open your terminal and run:
tero
Navigate to Edge → API Keys → Create. Name your key (e.g., “Lambda production”). Copy the key when shown; it’s only displayed once.

2. Add the Lambda layer

Replace the standard Datadog extension layer with the Tero version.
ARM64:
arn:aws:lambda:us-east-1:242046726909:layer:Tero-Datadog-Extension-ARM:<version>
AMD64:
arn:aws:lambda:us-east-1:242046726909:layer:Tero-Datadog-Extension:<version>
Replace <version> with the latest version number. Check the releases for current versions.

3. Configure environment variables

Add these environment variables to your Lambda function:
DD_POLICY_ENABLED=true
DD_POLICY_PROVIDERS='[{"id":"tero","type":"http","url":"https://sync.usetero.com/v1/policy/sync","headers":[{"name":"Authorization","value":"Bearer YOUR_TERO_API_KEY"}],"poll_interval_secs":60}]'
This assumes DD_API_KEY and DD_EXTENSION_ENABLED=true are already configured from your existing Datadog setup.
Replace YOUR_TERO_API_KEY with the API key you created in step 1. The extension will fail to sync policies without a valid bearer token.

4. Verify

Invoke your Lambda function and check CloudWatch logs for extension startup:
[tero] Extension started, policies loaded: 5
Confirm telemetry reaches Datadog with policies applied.

Policy providers

The extension fetches policies from configured providers. Set DD_POLICY_PROVIDERS to a JSON array of provider configurations.

HTTP provider

Recommended for production. Fetches policies from a remote endpoint and polls for updates.
DD_POLICY_PROVIDERS='[{"id":"tero","type":"http","url":"https://sync.usetero.com/v1/policy/sync","headers":[{"name":"Authorization","value":"Bearer YOUR_API_KEY"}],"poll_interval_secs":60}]'

File provider

For local testing. Reads policies from a file bundled with your Lambda deployment.
DD_POLICY_PROVIDERS='[{"id":"local","type":"file","path":"/var/task/policies.json"}]'

Provider options

| Field | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Unique identifier for this provider |
| type | string | Yes | http or file |
| url | string | http only | URL to fetch policies from |
| path | string | file only | Path to local policy JSON file |
| headers | array | No | HTTP headers for authentication |
| poll_interval_secs | number | No | Polling interval in seconds (default: 60) |
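
A pre-deployment check of a DD_POLICY_PROVIDERS value against the provider options above, as an added example (not code from Tero or Datadog). The function name, the constructed sample, and the rejection of plain-http URLs that carry headers and of leftover placeholder tokens are assumptions of this example, not documented extension behaviour.

```python
import json
from urllib.parse import urlparse

# Placeholder tokens from this page, and a constructed sample that misuses one.
PLACEHOLDERS = ("YOUR_TERO_API_KEY", "YOUR_API_KEY")
SAMPLE = ('[{"id":"tero","type":"http","url":"http://sync.example.test/policy",'
          '"headers":[{"name":"Authorization","value":"Bearer YOUR_TERO_API_KEY"}]}]')

def check_policy_providers(raw):
    """Return a list of problems found in a DD_POLICY_PROVIDERS value."""
    try:
        providers = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(providers, list):
        return ["top level must be a JSON array"]
    problems, seen = [], set()
    for i, p in enumerate(providers):
        if not isinstance(p, dict):
            problems.append(f"[{i}] provider must be an object")
            continue
        pid, kind = p.get("id"), p.get("type")
        if not isinstance(pid, str) or not pid or pid in seen:
            problems.append(f"[{i}] id must be a unique non-empty string")
        else:
            seen.add(pid)
        headers = p.get("headers", [])
        if not isinstance(headers, list):
            problems.append(f"[{i}] headers must be an array")
            headers = []
        if kind == "http":
            url = p.get("url")
            scheme = urlparse(url).scheme if isinstance(url, str) else ""
            if scheme not in ("http", "https"):
                problems.append(f"[{i}] http provider needs a url")
            elif scheme == "http" and headers:  # assumption: treat as an error
                problems.append(f"[{i}] headers would be sent over plain http")
        elif kind == "file" and not isinstance(p.get("path"), str):
            problems.append(f"[{i}] file provider needs a path")
        elif kind != "file":
            problems.append(f"[{i}] type must be 'http' or 'file'")
        for h in headers:
            value = str(h.get("value", "")) if isinstance(h, dict) else ""
            if any(ph in value for ph in PLACEHOLDERS):
                problems.append(f"[{i}] header still contains a placeholder key")
        interval = p.get("poll_interval_secs", 60)  # default from the table
        if isinstance(interval, bool) or not isinstance(interval, (int, float)):
            problems.append(f"[{i}] poll_interval_secs must be a number")
    return problems
```

Run it in CI on the rendered value before deploying; an empty list means the value matches the table.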

Deployment examples

resource "aws_lambda_function" "example" {
  function_name = "my-function"
  runtime       = "python3.12"
  architectures = ["arm64"]

  layers = [
    "arn:aws:lambda:us-east-1:242046726909:layer:Tero-Datadog-Extension-ARM:1"
  ]

  environment {
    variables = {
      DD_API_KEY           = var.datadog_api_key
      DD_EXTENSION_ENABLED = "true"
      DD_POLICY_ENABLED    = "true"
      DD_POLICY_PROVIDERS  = jsonencode([
        {
          id   = "tero"
          type = "http"
          url  = "https://sync.usetero.com/v1/policy/sync"
          headers = [
            { name = "Authorization", value = "Bearer ${var.tero_api_key}" }
          ]
          poll_interval_secs = 60
        }
      ])
    }
  }
}

How policy filtering works

When DD_POLICY_ENABLED=true:
  1. The extension fetches policies from configured providers on startup
  2. HTTP providers poll for updates at the configured interval
  3. Each telemetry item (logs, traces, metrics) is evaluated against policies
  4. Based on policy rules, items are either kept, dropped, sampled, or rate limited
If no policy matches an item, it is kept (fail-open behavior). See Policy Reference for filtering options.

Troubleshooting

Extension not loading
Verify the layer ARN matches your Lambda architecture (ARM64 vs x86_64). Check CloudWatch logs for extension startup errors.
Policies not applying
  • Ensure DD_POLICY_ENABLED=true is set
  • Verify DD_POLICY_PROVIDERS is valid JSON
  • Check that your policy provider URL is accessible from the Lambda VPC
Authentication errors
  • Verify the Authorization header value is correct
  • Ensure your Tero API key is valid and not revoked