Config as Code: Terraform & Monaco
Both Terraform and Monaco work with Gen3, but there are important differences in how they authenticate and which resources they manage.
Authentication Changes
GEN2                         GEN3
───────────────────────────  ─────────────────────────────────────────────────
API Token only               API Token + OAuth (some resources need OAuth)
DT_ENV_URL + DT_API_TOKEN    + DT_CLIENT_ID + DT_CLIENT_SECRET + DT_ACCOUNT_ID
One auth mode                3 auth modes depending on resource
Terraform Provider Auth Modes
Resource Type                        Auth Required
───────────────────────────────────  ───────────────────────────────────────────────
Settings 2.0 (alerts, tags, etc.)    API Token
Dashboards (Document API)            OAuth
Workflows                            OAuth
SLOs (Platform SLO API)              OAuth
IAM (users, groups, policies)        OAuth (account-level)
Anomaly detectors                    OAuth
OpenPipeline                         OAuth (+ DYNATRACE_HTTP_OAUTH_PREFERENCE=true)
Terraform Example
provider "dynatrace" {
  dt_env_url   = var.dt_env_url
  dt_api_token = var.dt_api_token
  # OAuth vars needed for workflows, dashboards, SLOs:
  # DT_CLIENT_ID, DT_CLIENT_SECRET, DT_ACCOUNT_ID as env vars
}

resource "dynatrace_davis_anomaly_detectors" "cpu" {
  title   = "[P1] High CPU"
  enabled = true
  # A block with more than one argument must be written across several lines
  analyzer_input_field {
    key   = "query"
    value = "timeseries avg(dt.host.cpu.usage), interval:1m"
  }
  analyzer_input_field {
    key   = "threshold"
    value = "90"
  }
}
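A preflight check for the auth requirements in the table above, added here as an example (not code from the original page or from the Dynatrace provider): it scans Terraform text for dynatrace_* resource types, works out which of the page's environment variables they need, and reports gaps by variable name only, never by value. Apart from dynatrace_davis_anomaly_detectors, the resource names in the prefix list and sample config are assumptions mapped onto the table rows, as is the widened credential pattern; the function name preflight is hypothetical.

```python
import re

# Env vars per auth mode, as named in the page's tables.
TOKEN_VARS = {"DT_ENV_URL", "DT_API_TOKEN"}
OAUTH_VARS = {"DT_ENV_URL", "DT_CLIENT_ID", "DT_CLIENT_SECRET", "DT_ACCOUNT_ID"}
PREF = "DYNATRACE_HTTP_OAUTH_PREFERENCE"  # must be "true" for OpenPipeline

# Resource-name prefixes that need OAuth. Only dynatrace_davis_anomaly_detectors
# is on the page; the other names are assumptions standing in for the table rows.
OAUTH_PREFIXES = (
    "dynatrace_davis_anomaly_detectors",  # Anomaly detectors
    "dynatrace_automation_workflow",      # Workflows
    "dynatrace_document",                 # Dashboards (Document API)
    "dynatrace_platform_slo",             # SLOs (Platform SLO API)
    "dynatrace_iam_",                     # IAM (account-level)
    "dynatrace_openpipeline_",            # OpenPipeline
)
RESOURCE_RE = re.compile(r'^\s*resource\s+"(dynatrace_\w+)"', re.MULTILINE)
# Literal credential in the config: "dt0c01." prefixes an API token; the wider
# character class for other credential types is an assumption.
SECRET_RE = re.compile(r"\bdt0[a-z]\d{2}\.[A-Za-z0-9]{8,}")


def preflight(tf_text, env):
    """Return a sorted list of problems; reports variable names, never values."""
    problems, needed = set(), set()
    for rtype in RESOURCE_RE.findall(tf_text):
        needed |= (OAUTH_VARS if rtype.startswith(OAUTH_PREFIXES) else TOKEN_VARS)
        if rtype.startswith("dynatrace_openpipeline_") and env.get(PREF) != "true":
            problems.add(f"{PREF} must be 'true' for OpenPipeline")
    problems.update(f"missing env var {n}" for n in needed if not env.get(n))
    if SECRET_RE.search(tf_text):
        problems.add("literal credential in config; pass it through a variable or env var")
    return sorted(problems)


# Constructed sample config and environment (not from a real tenant).
SAMPLE_TF = '''
resource "dynatrace_davis_anomaly_detectors" "cpu" { title = "[P1] High CPU" }
resource "dynatrace_openpipeline_logs" "logs" {}
resource "dynatrace_alerting" "default" {}
'''
SAMPLE_ENV = {"DT_ENV_URL": "https://abc.apps.dynatrace.com", "DT_API_TOKEN": "set"}

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE_TF, SAMPLE_ENV)))
```

In CI, call preflight with the concatenated .tf files and dict(os.environ) before terraform plan, and fail the job if the returned list is non-empty.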
Monaco CLI
# Download all configs from environment
monaco download --environment env.yaml --output-folder backup/
# Deploy configs
monaco deploy manifest.yaml --environment env.yaml
# Note: --token expects env var NAME, not the value
monaco deploy manifest.yaml --token DT_API_TOKEN
dtctl: The New CLI
Gen3 also introduces dtctl, a kubectl-style CLI:
dtctl auth login --context prod --environment "https://abc.apps.dynatrace.com"
dtctl get workflows
dtctl get dashboards -o json
dtctl apply -f workflow.yaml --set env=prod
dtctl query "fetch logs | limit 10"
dtctl exec workflow <id>
Migration Strategy
- Export Gen2 configs with monaco download
- Review exported configs; some schemas changed
- Update auth to include OAuth for Gen3 resources
- Test deploy to a non-production Gen3 environment
- Iterate until all configs deploy cleanly