This guide will walk you through integrating Common Fate with DataStax. By the end of this guide, you’ll have a functioning integration with Common Fate, allowing it to provision access to DataStax Roles.

DataStax Setup

To configure the DataStax integration, follow these steps to create an Application Token in your DataStax console. First, Sign In into DataStax.

A. Create the Role for the API Token:

  1. Browse to Settings > Role
  2. Click Add Custom Role
  3. Enter a name e.g ‘Common Fate Provision Role’
  4. Select the following permissions:
  • Read Audits
  • Write User
  • Write Organization
  • Write Custom Role
  • Read IP Access List
  • Read CMK Key
  • Read External Auth
  • Read Token
  • Read Integrations
  1. Click Create Role

B. Create the API Token:

  1. Browse to Settings > Tokens.
  2. Select the Role you created
  3. Click Generate Token
  4. Save the newly created token somewhere safe for the next steps.

You will need to create a new SecretString in SSM Parameter Store and then use the path when configuring your deployment in Terraform.

You can use the AWS CLI to create a secret in the region you are deploying to. We recommend naming these "/<namespace>/<stage>/<secret name>".

aws ssm put-parameter \
    --name "/common-fate/prod/datastax-api-key" \
    --value "mySecretValue" \
    --type "SecureString"

Configuring Common Fate

Integration with DataStax requires a minimum version v1.20.0 or later of the Common Fate Deployment module.

In this section, you will register the DataStax integration with your Common Fate deployment. At the end of this section you should have Common Fate ready to provision access. You’ll need to have set up the Common Fate Application Configuration repository using our Terraform provider.

Inside your Application Configuration repository, add the following module:

resource "commonfate_datastax_integration" "DataStax" {
  name = "DataStax"
  api_key_secret_path = "/common-fate/prod/datastax-api-key"

Apply the changes. If the apply succeeds, you should see the integration appear on the settings page in the web dashboard.

Provisioning access to DataStax Roles

To grant and revoke access to DataStax Roles, Common Fate uses a service called the Provisioner. The Provisioner is an internal service and is not user-facing. In default deployments, there is a provisioner builtin to the main stack which can be configured using blocks.

To configure the builtin Provisioner for DataStax Roles, add the provisioner_datastax_config config block as per the example below:

module "common-fate-deployment" {
  source = "common-fate/common-fate-deployment/aws"
  version = "1.22.0"

  provisioner_datastax_config = {
    organization_id           = "<Your DataStax Organization ID>"
    api_key_secret_path       = "/common-fate/prod/datastax-api-key"

To obtain your DataStax Organization ID, navigate to Settings. Your DataStax Organization ID will be in the URL, for example: ffaab174-bfd8-4bcc-860d-6c760df53bc9 would be your DataStax Organization ID.

You’ll additionally need to add the following Provisioner registration inside your Application Configuration repository:

resource "commonfate_webhook_provisioner" "prod" {
 url = "http://common-fate-prod-builtin-provisioner.common-fate-prod-builtin.internal:9999"
  capabilities = [
      target_type = "DataStax::Organization"
      role_type   = "DataStax::Role"
      belonging_to = {
        type = "DataStax::Organization"
        id   = "<Your DataStax Organization ID>"

You can now create an access workflow and availabilities:

locals {
  datastax_org_id = <Your DataStax Org ID>

resource "commonfate_access_workflow" "datastax" {
  name                     = "DataStax"
  access_duration_seconds  = 60 * 60 * 2
  try_extend_after_seconds = 60 * 60
  priority                 = 1

resource "commonfate_selector" "datastax_org" {
  id            = "datastax_org"
  resource_type = "DataStax::Organization"
  belonging_to = {
    type = "DataStax::Organization"
    id   = local.datastax_org_id
  when = <<EOT

resource "commonfate_availability_spec" "datastax" {
  workflow_id =
  role = {
    type = "DataStax::Role"
    id   = <Your DataStax Role ID>

  target = {
    type = "Access::Selector"
    id   =
  identity_domain = {
    type = "DataStax::Organization"
    id   = local.datastax_org_id