setup datadog agent on each host.

- set agent version to 7

ansible-5/roles/datadog.datadog/tasks/_apt-key-import.yml

@@ -0,0 +1,83 @@
+# We allow users to specify a file from which to import keys, so we expect
+# that to be a binary keyring; at the same time, we have ascii armored
+# individual keys at keys.datadoghq.com that we import. The below procedure
+# can be called for a URL pointing to a keyring or an ascii armored file
+# and extract and import a specific key from it (we specialcase the
+# DATADOG_APT_KEY_CURRENT value, which we always expect to be ascii
+# armored individual key).
+
+# NOTE: we use 'noqa risky-shell-pipe' throughout this file, because Debian's
+# default shell is /bin/sh which doesn't have a pipefail option and the
+# presence of a different shell isn't guaranteed.
+
+# NOTE: in order to display Ansible's `changed: [hostname]` properly throughout
+# tasks in this file, we added `changed_when: false` to a lot of them, even if
+# they actually run every time (e.g. importing the CURRENT key). The reason is
+# that they operate inside a temporary directory and they don't have a
+# permanent effect on the host (nothing will actually change on the host
+# whether these tasks run or not) except the last one - the actual import of
+# the key to `datadog_apt_usr_share_keyring`.
+
+- name: "Set local variables for processed key {{ item.key }}"
+  set_fact:
+    key_fingerprint: "{{ item.key }}"
+    keyring_url: "{{ item.value }}"
+
+- name: "Find out whether key {{ key_fingerprint }} is already imported"
+  shell: "gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --list-keys --with-fingerprint --with-colons | grep {{ key_fingerprint }}"  # noqa risky-shell-pipe
+  register: key_exists_result
+  failed_when: false  # we expect the command to fail when the key is not found; we never want this task to fail
+  changed_when: key_exists_result.rc != 0
+  when: key_fingerprint != datadog_apt_key_current_name  # we always want to import the CURRENT key
+
+- name: "Set local helper variable for determining key import (when not {{ datadog_apt_key_current_name }})"
+  set_fact:
+    key_needs_import: "{{ 'false' if key_exists_result.rc == 0 else 'true' }}"
+  when: key_fingerprint != datadog_apt_key_current_name
+
+- name: "Set local helper variable for determining key import (when {{ datadog_apt_key_current_name }})"
+  set_fact:
+    key_needs_import: "true"
+  when: key_fingerprint == datadog_apt_key_current_name
+
+- name: "Create temporary directory for key manipulation"
+  tempfile:
+    state: directory
+    suffix: keys
+  register: tempdir
+  when: key_needs_import
+  changed_when: false
+
+- name: "Download {{ keyring_url }} to import key {{ key_fingerprint }}"
+  get_url:
+    url: "{{ keyring_url }}"
+    dest: "{{ tempdir.path }}/{{ key_fingerprint }}"
+    force: yes
+  when: key_needs_import
+  changed_when: false
+
+# gpg --dearmor called on a binary keyring does nothing
+- name: "Ensure downloaded file for {{ key_fingerprint }} is a binary keyring"
+  shell: "cat {{ tempdir.path }}/{{ key_fingerprint }} | gpg --dearmor > {{ tempdir.path }}/binary.gpg"  # noqa risky-shell-pipe
+  when: key_needs_import
+  changed_when: false
+
+- name: "Extract the required key from the binary keyring (when not {{ datadog_apt_key_current_name }})"
+  shell: "gpg --no-default-keyring --keyring {{ tempdir.path }}/binary.gpg --export {{ key_fingerprint }} > {{ tempdir.path }}/single.gpg"
+  when: key_fingerprint != datadog_apt_key_current_name and key_needs_import
+  changed_when: false
+
+- name: "Extract the required key from the binary keyring (when {{ datadog_apt_key_current_name }})"
+  copy:
+    src: "{{ tempdir.path }}/binary.gpg"
+    dest: "{{ tempdir.path }}/single.gpg"
+    mode: "0600"
+    remote_src: yes
+  when: key_fingerprint == datadog_apt_key_current_name and key_needs_import
+  changed_when: false
+
+- name: "Import key {{ key_fingerprint }} to {{ datadog_apt_usr_share_keyring }} keyring"
+  shell: "cat {{ tempdir.path }}/single.gpg | gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch"  # noqa risky-shell-pipe
+  when: key_needs_import
+  register: key_import_result
+  changed_when: '"imported: 1" in key_import_result.stderr'

ansible-5/roles/datadog.datadog/tasks/agent-linux.yml

@@ -0,0 +1,198 @@
+---
+- name: Populate service facts
+  service_facts:
+
+- name: Set before 6/7.24.1 flag
+  set_fact:
+    datadog_before_7241: "{{ datadog_major is defined and datadog_minor is defined and datadog_bugfix is defined
+      and datadog_major | int < 8
+      and (datadog_minor | int < 24 or (datadog_minor | int == 24 and datadog_bugfix | int < 1)) }}"
+
+- name: Set before 6/7.18.0 flag
+  set_fact:
+    datadog_before_7180: "{{ datadog_major is defined and datadog_minor is defined
+      and datadog_major | int < 8 and datadog_minor | int < 18 }}"
+
+- name: Add "{{ datadog_user }}" user to additional groups
+  user: name="{{ datadog_user }}" groups="{{ datadog_additional_groups }}" append=yes
+  when: datadog_additional_groups | default([], true) | length > 0
+  notify: restart datadog-agent
+
+- name: Create Datadog agent config directory
+  file:
+    dest: /etc/datadog-agent
+    state: directory
+    mode: 0755
+  when: datadog_manage_config
+
+- name: Create main Datadog agent configuration file
+  template:
+    src: datadog.yaml.j2
+    dest: /etc/datadog-agent/datadog.yaml
+    mode: 0640
+    owner: "{{ datadog_user }}"
+    group: "{{ datadog_group }}"
+  when: datadog_manage_config
+  notify: restart datadog-agent
+
+- name: Register all checks directories present in datadog
+  find:
+    paths: /etc/datadog-agent/conf.d/
+    patterns:
+    - "*.d"
+    file_type: directory
+  register: datadog_conf_directories
+  when: datadog_manage_config and (datadog_disable_untracked_checks or datadog_disable_default_checks)
+
+- name: Delete checks not present in datadog_tracked_checks
+  file:
+    path: "/etc/datadog-agent/conf.d/{{ item }}.d/conf.yaml"
+    state: absent
+  loop: "{{ datadog_conf_directories.files | map(attribute='path') | list | map('basename') | list | map('regex_replace', '^(.*).d$', '\\1') | list }}"
+  when: datadog_manage_config and datadog_disable_untracked_checks and item not in datadog_tracked_checks
+  notify: restart datadog-agent
+
+- name: Delete all default checks
+  file:
+    path: "/etc/datadog-agent/conf.d/{{ item }}.d/conf.yaml.default"
+    state: absent
+  loop: "{{ datadog_conf_directories.files | map(attribute='path') | list | map('basename') | list | map('regex_replace', '^(.*).d$', '\\1') | list }}"
+  when: datadog_manage_config and datadog_disable_default_checks and item not in datadog_tracked_checks
+  notify: restart datadog-agent
+
+- name: Ensure configuration directories are present for each Datadog check
+  file:
+    dest: "/etc/datadog-agent/conf.d/{{ item }}.d"
+    state: directory
+    owner: "{{ datadog_user }}"
+    group: "{{ datadog_group }}"
+    mode: 0755
+  with_items: '{{ datadog_checks|list }}'
+  when: datadog_manage_config
+
+- name: Create a configuration file for each Datadog check
+  template:
+    src: checks.yaml.j2
+    dest: "/etc/datadog-agent/conf.d/{{ item }}.d/conf.yaml"
+    mode: 0640
+    owner: "{{ datadog_user }}"
+    group: "{{ datadog_group }}"
+  with_items: "{{ datadog_checks|list }}"
+  when: datadog_manage_config
+  notify: restart datadog-agent
+
+- name: Remove old configuration file for each Datadog check
+  file:
+    dest: "/etc/datadog-agent/conf.d/{{ item }}.yaml"
+    state: absent
+  with_items: "{{ datadog_checks|list }}"
+  when: datadog_manage_config
+  notify: restart datadog-agent
+
+- name: Create system-probe configuration file
+  template:
+    src: system-probe.yaml.j2
+    dest: /etc/datadog-agent/system-probe.yaml
+    mode: 0640
+    owner: "root"
+    group: "{{ datadog_group }}"
+  when: datadog_manage_config
+  notify:
+    "{% if datadog_before_7180 %}restart datadog-agent-sysprobe{% else %}restart datadog-agent{% endif %}"
+
+- name: Set system probe installed
+  set_fact:
+    datadog_sysprobe_installed: "{{ ansible_facts.services['datadog-agent-sysprobe'] is defined
+      or ansible_facts.services['datadog-agent-sysprobe.service'] is defined }}"
+  when: not datadog_skip_running_check
+
+# Before 6/7.24.1, system_probe_config controls the system-probe service
+# datadog_minor is only defined when a specific Agent version is given
+# (see tasks/parse-version.yml)
+- name: Set system probe enabled (before 6/7.24.1)
+  set_fact:
+    datadog_sysprobe_enabled: "{{ system_probe_config is defined
+      and 'enabled' in (system_probe_config | default({}, true))
+      and system_probe_config['enabled']
+      and datadog_sysprobe_installed }}"
+  when: not datadog_skip_running_check
+    and datadog_before_7241
+
+# Since 6/7.24.1, setting enabled: true in network_config is enough to start the system-probe service:
+# https://docs.datadoghq.com/network_monitoring/performance/setup/?tab=agent#setup
+- name: Set system probe enabled (since 6/7.24.1)
+  set_fact:
+    datadog_sysprobe_enabled: "{{
+      ((system_probe_config is defined
+      and 'enabled' in (system_probe_config | default({}, true))
+      and system_probe_config['enabled'])
+      or (network_config is defined
+      and 'enabled' in (network_config | default({}, true))
+      and network_config['enabled']))
+      and datadog_sysprobe_installed }}"
+  when: not datadog_skip_running_check
+    and (not datadog_before_7241)
+
+- name: Ensure datadog-agent is running
+  service:
+    name: datadog-agent
+    state: started
+    enabled: yes
+  when: not datadog_skip_running_check and datadog_enabled and not ansible_check_mode
+
+- name: Ensure datadog-agent-sysprobe is running if enabled and installed
+  service:
+    name: datadog-agent-sysprobe
+    state: started
+    enabled: yes
+  when: not datadog_skip_running_check and datadog_enabled and not ansible_check_mode and datadog_sysprobe_enabled
+
+- name: Ensure datadog-agent, datadog-agent-process and datadog-agent-trace are not running
+  service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  when: not datadog_skip_running_check and not datadog_enabled
+  with_list:
+    - datadog-agent
+    - datadog-agent-process
+    - datadog-agent-trace
+
+# Stop system-probe manually on Agent versions < 6/7.18, as it was not tied
+# to the main Agent service: https://github.com/DataDog/datadog-agent/pull/4883
+- name: Ensure datadog-agent-sysprobe is stopped if disabled or not installed (before 6/7.18.0)
+  service:
+    name: datadog-agent-sysprobe
+    state: stopped
+    enabled: no
+  when: not datadog_skip_running_check
+    and (not datadog_enabled or not datadog_sysprobe_enabled)
+    and datadog_before_7180
+    and datadog_sysprobe_installed
+
+- name: Ensure datadog-agent-security is not running
+  service:
+    name: datadog-agent-security
+    state: stopped
+    enabled: no
+  when: not datadog_skip_running_check and not datadog_enabled
+  ignore_errors: yes # Since older versions of the Agent don't include the security agent
+
+- name: Create security-agent configuration file
+  template:
+    src: security-agent.yaml.j2
+    dest: /etc/datadog-agent/security-agent.yaml
+    mode: 0640
+    owner: "root"
+    group: "{{ datadog_group }}"
+  when: datadog_manage_config
+  notify:
+    "{% if datadog_before_7180 %}restart datadog-agent-sysprobe{% else %}restart datadog-agent{% endif %}"
+
+- name: Create installation information file
+  template:
+    src: install_info.j2
+    dest: /etc/datadog-agent/install_info
+    owner: "{{ datadog_user }}"
+    group: "{{ datadog_group }}"
+    mode: 0644

ansible-5/roles/datadog.datadog/tasks/agent-win.yml

@@ -0,0 +1,96 @@
+---
+- name: Create main Datadog agent configuration file
+  win_template:
+    #FIXME: should have permissions set to only be readable by ddagentuser
+    src: datadog.yaml.j2
+    dest: "{{ datadog_windows_config_root }}\\datadog.yaml"
+  when: datadog_manage_config
+  notify: restart datadog-agent-win
+
+- name: Register all checks directories present in datadog
+  win_find:
+    paths: "{{ ansible_facts.env['ProgramData'] }}\\Datadog\\conf.d"
+    patterns:
+    - "*.d"
+    file_type: directory
+  register: datadog_conf_directories
+  when: datadog_manage_config and (datadog_disable_untracked_checks or datadog_disable_default_checks)
+
+- name: Delete checks not present in datadog_tracked_checks
+  win_file:
+    path: "{{ ansible_facts.env['ProgramData'] }}\\Datadog\\conf.d\\{{ item }}.d\\conf.yaml"
+    state: absent
+  loop: "{{ datadog_conf_directories.files | map(attribute='path') | list | map('win_basename') | list | map('regex_replace', '^(.*).d$', '\\1') | list }}"
+  when: datadog_manage_config and datadog_disable_untracked_checks and item not in datadog_tracked_checks
+  notify: restart datadog-agent-win
+
+- name: Delete default checks
+  win_file:
+    path: "{{ ansible_facts.env['ProgramData'] }}\\Datadog\\conf.d\\{{ item }}.d\\conf.yaml.default"
+    state: absent
+  loop: "{{ datadog_conf_directories.files | map(attribute='path') | list | map('win_basename') | list | map('regex_replace', '^(.*).d$', '\\1') | list }}"
+  when: datadog_manage_config and datadog_disable_default_checks and item not in datadog_tracked_checks
+  notify: restart datadog-agent-win
+
+- name: Ensure configuration directories are present for each Datadog check
+  win_file:
+    path: "{{ datadog_windows_config_root }}\\conf.d\\{{ item }}.d"
+    state: directory
+  with_items: '{{ datadog_checks|list }}'
+  when: datadog_manage_config
+
+- name: Create a configuration file for each Datadog check
+  win_template:
+    src: checks.yaml.j2
+    dest: "{{ datadog_windows_config_root }}\\conf.d\\{{ item }}.d\\conf.yaml"
+  with_items: "{{ datadog_checks|list }}"
+  when: datadog_manage_config
+  notify: restart datadog-agent-win
+
+- name: Remove old configuration file for each Datadog check
+  win_file:
+    path: "{{ datadog_windows_config_root }}\\conf.d\\{{ item }}.yaml"
+    state: absent
+  with_items: "{{ datadog_checks|list }}"
+  when: datadog_manage_config
+  notify: restart datadog-agent-win
+
+- name: Ensure datadog-trace-agent and datadog-process-agent are not disabled
+  win_service:
+    name: "{{ item }}"
+    start_mode: manual
+  when: not datadog_skip_running_check and datadog_enabled and not ansible_check_mode
+  with_list:
+    - datadog-trace-agent
+    - datadog-process-agent
+
+- name: Create system-probe configuration file
+  win_template:
+    src: system-probe.yaml.j2
+    dest: "{{ datadog_windows_config_root }}\\system-probe.yaml"
+  when: datadog_manage_config
+  notify: restart datadog-agent-win
+
+- name: Ensure datadog-agent is running
+  win_service:
+    name: datadogagent
+    state: started
+    start_mode: auto
+  when: not datadog_skip_running_check and datadog_enabled and not ansible_check_mode
+
+- name: Ensure datadog-agent is disabled
+  win_service:
+    name: "{{ item }}"
+    state: stopped
+    start_mode: disabled
+  when: not datadog_skip_running_check and not datadog_enabled
+  with_list:
+    - datadog-trace-agent
+    - datadog-process-agent
+    - datadogagent    
+
+- name: Create installation information file
+  template:
+    src: install_info.j2
+    dest: "{{ datadog_windows_config_root }}\\install_info"
+    mode: 0644

ansible-5/roles/datadog.datadog/tasks/agent5-linux.yml

@@ -0,0 +1,77 @@
+---
+- name: (agent5) Create Datadog agent config directory
+  file:
+    dest: /etc/dd-agent
+    state: directory
+    mode: 0755
+  when: datadog_manage_config
+
+- name: (agent5) Create main Datadog agent configuration file
+  template:
+    src: datadog.conf.j2
+    dest: /etc/dd-agent/datadog.conf
+    owner: "{{ datadog_user }}"
+    group: "{{ datadog_group }}"
+    mode: 0644 #FIXME: should have permissions set to only be readable by owner
+  when: datadog_manage_config
+  notify: restart datadog-agent
+
+- name: (agent5) Ensure datadog-agent is running
+  service:
+    name: datadog-agent
+    state: started
+    enabled: yes
+  when: not datadog_skip_running_check and datadog_enabled and not ansible_check_mode
+
+- name: (agent5) Ensure datadog-agent is not running
+  service:
+    name: datadog-agent
+    state: stopped
+    enabled: no
+  when: not datadog_skip_running_check and not datadog_enabled
+
+- name: Register all checks files present in datadog
+  find:
+    paths: /etc/dd-agent/conf.d/
+    patterns:
+    - "*.yaml"
+    file_type: file
+  register: datadog_conf_files
+  when: datadog_manage_config and datadog_disable_untracked_checks
+
+- name: Register all checks files present in datadog
+  find:
+    paths: /etc/dd-agent/conf.d/
+    patterns:
+    - "*.yaml.default"
+    file_type: file
+  register: datadog_conf_files_default
+  when: datadog_manage_config and datadog_disable_default_checks
+
+- name: Delete checks not present in datadog_tracked_checks
+  file:
+    path: "/etc/dd-agent/conf.d/{{ item }}.yaml"
+    state: absent
+  loop: "{{ datadog_conf_files.files | map(attribute='path') | list | map('basename') | list | map('regex_replace', '^(.*).yaml$', '\\1') | list }}"
+  when: datadog_manage_config and datadog_disable_untracked_checks and item not in datadog_tracked_checks
+  notify: restart datadog-agent
+
+- name: Delete default checks
+  file:
+    path: "/etc/dd-agent/conf.d/{{ item }}.yaml.default"
+    state: absent
+  loop: "{{ datadog_conf_files_default.files | map(attribute='path') | list
+             | map('basename') | list | map('regex_replace', '^(.*).yaml.default$', '\\1') | list }}"
+  when: datadog_manage_config and datadog_disable_default_checks and item not in datadog_tracked_checks
+  notify: restart datadog-agent
+
+- name: (agent5) Create a configuration file for each Datadog check
+  template:
+    src: checks.yaml.j2
+    dest: "/etc/dd-agent/conf.d/{{ item }}.yaml"
+    owner: "{{ datadog_user }}"
+    group: "{{ datadog_group }}"
+    mode: 0644 #FIXME: should have permissions set to only be readable by owner
+  with_items: "{{ datadog_checks|list }}"
+  when: datadog_manage_config
+  notify: restart datadog-agent

ansible-5/roles/datadog.datadog/tasks/facts-ansible10.yml

@@ -0,0 +1,3 @@
+---
+- name: Gather Ansible Facts
+  ansible.builtin.setup: # If the full prefix isn't specified in Ansible 2.10+, we might end up running `ansible.windows.setup` instead.

ansible-5/roles/datadog.datadog/tasks/facts-ansible9.yml

@@ -0,0 +1,3 @@
+---
+- name: Gather Ansible Facts
+  setup:

ansible-5/roles/datadog.datadog/tasks/integration.yml

@@ -0,0 +1,67 @@
+---
+- name: set agent binary path (windows)
+  set_fact:
+    datadog_agent_binary_path: "{{ datadog_agent_binary_path_windows }}"
+  when: ansible_facts.os_family == "Windows"
+
+- name: set agent binary path (unix)
+  set_fact:
+    datadog_agent_binary_path: "{{ datadog_agent_binary_path_linux }}"
+  when: ansible_facts.os_family != "Windows"
+
+- name: set agent user for integration commmand (windows)
+  set_fact:
+    integration_command_user: "{{ integration_command_user_windows }}"
+  when: ansible_facts.os_family == "Windows"
+
+- name: set agent agent binary path (unix)
+  set_fact:
+    integration_command_user: "{{ integration_command_user_linux }}"
+  when: ansible_facts.os_family != "Windows"
+
+- name: Validate integrations actions
+  fail:
+    msg: "Unkown action '{{ item.value.action }}' for integration command ({{ item.key }}). Valid actions are 'install' and 'remove'"
+  when: item.value.action != "install" and item.value.action != "remove"
+  loop: "{{ datadog_integration|dict2items }}"
+
+# Remove Integrations
+
+- name: Removing integrations (Unix)
+  command:
+    argv:
+      - "{{ datadog_agent_binary_path }}"
+      - integration
+      - remove
+      - "{{ item.key }}"
+  become: yes
+  become_user: "{{ integration_command_user }}"
+  loop: "{{ datadog_integration|dict2items }}"
+  when: item.value.action == "remove" and ansible_facts.os_family != "Windows"
+
+- name: Removing integrations (Windows)
+  win_command: "\"{{ datadog_agent_binary_path }}\" integration remove {{ item.key }}"
+  become: yes
+  become_user: "{{ integration_command_user }}"
+  loop: "{{ datadog_integration|dict2items }}"
+  when: item.value.action == "remove" and ansible_facts.os_family == "Windows"
+
+# Install integrations
+
+- name: Install pinned version of integrations (Unix)
+  command: "{{ datadog_agent_binary_path }} integration install {{ third_party }} {{ item.key }}=={{ item.value.version }}"
+  become: yes
+  become_user: "{{ integration_command_user }}"
+  vars:
+    third_party: "{% if 'third_party' in item.value and item.value.third_party | bool %}--third-party{% endif %}"
+  loop: "{{ datadog_integration|dict2items }}"
+  when: item.value.action == "install" and ansible_facts.os_family != "Windows"
+
+- name: Install pinned version of integrations (Windows)
+  win_command: "\"{{ datadog_agent_binary_path }}\" integration install {{ third_party }} {{ item.key }}=={{ item.value.version }}"
+  become: yes
+  vars:
+    third_party: "{% if 'third_party' in item.value and item.value.third_party | bool %}--third-party{% endif %}"
+  become_user: "{{ integration_command_user }}"
+  loop: "{{ datadog_integration|dict2items }}"
+  when: item.value.action == "install" and ansible_facts.os_family == "Windows"

ansible-5/roles/datadog.datadog/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+- name: Include Gather Ansible Facts task on Ansible >= 2.10
+  include_tasks: facts-ansible10.yml
+  when: ansible_version.major >= 2 and ansible_version.minor >= 10
+
+- name: Include Gather Ansible Facts task on Ansible < 2.10
+  include_tasks: facts-ansible9.yml
+  when: ansible_version.major == 2 and ansible_version.minor < 10
+
+- name: Check if OS is supported
+  include_tasks: os-check.yml
+
+- name: Resolve datadog_tracked_checks later to defend against variable presidence issues arising from dynamically included null datadog_checks 
+  include_tasks: sanitize-checks.yml
+
+# Also sets datadog_skip_install
+- name: Set Facts for Datadog Agent Major Version
+  include_tasks: set-parse-version.yml
+
+- name: Debian Install Tasks
+  include_tasks: pkg-debian.yml
+  when: ansible_facts.os_family == "Debian" and not datadog_skip_install
+
+- name: RedHat Install Tasks
+  include_tasks: pkg-redhat.yml
+  when: ansible_facts.os_family == "RedHat" and not datadog_skip_install
+
+- name: Suse Install Tasks
+  include_tasks: pkg-suse.yml
+  when: ansible_facts.os_family == "Suse" and not datadog_skip_install
+
+# Note we don't check datadog_skip_install variable value for windows here,
+# because some tasks in pkg-windows.yml are carried out regardless of its value.
+- name: Windows Install Tasks
+  include_tasks: pkg-windows.yml
+  when: ansible_facts.os_family == "Windows"
+
+- name: Linux Configuration Tasks (Agent 5)
+  include_tasks: agent5-linux.yml
+  when: datadog_agent_major_version | int == 5 and ansible_facts.os_family != "Windows"
+
+- name: Linux Configuration Tasks
+  include_tasks: agent-linux.yml
+  when: datadog_agent_major_version | int > 5 and ansible_facts.os_family != "Windows"
+
+- name: Windows Configuration Tasks
+  include_tasks: agent-win.yml
+  when: datadog_agent_major_version | int > 5 and ansible_facts.os_family == "Windows"
+
+- name: Integrations Tasks
+  include_tasks: integration.yml
+  when: datadog_integration is defined

ansible-5/roles/datadog.datadog/tasks/os-check.yml

@@ -0,0 +1,5 @@
+---
+- name: Fail if OS is not supported
+  fail:
+    msg: "The Datadog Ansible role does not support your OS yet. Please email support@datadoghq.com to open a feature request."
+  when: ansible_facts.os_family not in ["RedHat", "Debian", "Suse", "Windows"]

ansible-5/roles/datadog.datadog/tasks/parse-version.yml

@@ -0,0 +1,96 @@
+---
+- name: Parse Agent version
+  set_fact:
+    agent_version: "{{ datadog_agent_version | regex_search(regexp, '\\g<epoch>', '\\g<major>', '\\g<minor>', '\\g<bugfix>', '\\g<suffix>', '\\g<release>') }}"
+  vars:
+    regexp: '(?:(?P<epoch>[0-9]+):)?(?P<major>[0-9]+)\.(?P<minor>[0-9]+)\.(?P<bugfix>[0-9]+)(?P<suffix>(?:~|-)[^0-9\s-]+[^-\s]*)?(?:-(?P<release>[0-9]+))?'
+
+- name: Set version vars
+  set_fact:
+    datadog_epoch: "{{ agent_version.0 }}"
+    datadog_major: "{{ agent_version.1 }}"
+    datadog_minor: "{{ agent_version.2 }}"
+    datadog_bugfix: "{{ agent_version.3 }}"
+    datadog_suffix: "{{ agent_version.4 }}"
+    datadog_release: "{{ agent_version.5 }}"
+
+- name: Fill empty version epoch with default
+  set_fact:
+    datadog_epoch: "1"
+  when: datadog_epoch | length == 0
+
+- name: Fill empty version release with default
+  set_fact:
+    datadog_release: "1"
+  when: datadog_release | length == 0
+
+- name: Stop play if datadog_agent_version and datadog_agent_major_version are not compatible
+  fail:
+    msg: "The provided major version {{ datadog_agent_major_version }} is not compatible with the
+      version {{ datadog_major }} deduced from datadog_agent_version ({{ datadog_agent_version }}).
+      Aborting play."
+  when: datadog_agent_major_version | length > 0 and datadog_major != datadog_agent_major_version
+
+- name: Set datadog_agent_major_version to deduced value from datadog_agent_version
+  set_fact:
+    datadog_agent_major_version: "{{ datadog_major }}"
+
+- name: Set OS-specific versions
+  # NOTE: if changing these, make sure the format correspond with values in datadog_version_finding_cmds below
+  set_fact:
+    datadog_agent_debian_version: "{{ datadog_epoch }}:{{ datadog_major }}.{{ datadog_minor }}.{{ datadog_bugfix }}{{ datadog_suffix }}-{{ datadog_release }}"
+    datadog_agent_redhat_version: "{{ datadog_major }}.{{ datadog_minor }}.{{ datadog_bugfix }}{{ datadog_suffix }}-{{ datadog_release }}"
+    datadog_agent_suse_version: "{{ datadog_epoch }}:{{ datadog_major }}.{{ datadog_minor }}.{{ datadog_bugfix }}{{ datadog_suffix }}-{{ datadog_release }}"
+    datadog_agent_windows_version: "{{ datadog_major }}.{{ datadog_minor }}.{{ datadog_bugfix }}{{ datadog_suffix }}"
+
+- name: Construct commands to find Agent version
+  set_fact:
+    datadog_version_finding_cmds:
+      Debian: "dpkg -s {{ datadog_agent_flavor }} | grep '^Version:' | awk '{print $2}'"
+      RedHat: "rpm -q --qf '%{VERSION}-%{RELEASE}' {{ datadog_agent_flavor }}"
+      Suse: "rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' {{ datadog_agent_flavor }}"
+
+- name: Create OS-specific version dict
+  set_fact:
+    datadog_agent_os2version:
+      Debian: "{{ datadog_agent_debian_version }}"
+      RedHat: "{{ datadog_agent_redhat_version }}"
+      Suse: "{{ datadog_agent_suse_version }}"
+      Windows: "{{ datadog_agent_windows_version }}"
+
+- name: Get Linux Agent version
+  shell: "{{ datadog_version_finding_cmds[ansible_facts.os_family] }}"  # noqa 305 - Ansible lint thinks we could use command, but we need shell because some of the cmds have pipes
+  register: datadog_version_check_linux
+  changed_when: false
+  failed_when: false
+  check_mode: no
+  when: ansible_facts.system is defined and ansible_facts.system == "Linux"
+
+# NOTE: This won't work with rc / beta builds.
+- name: Get Windows Agent version
+  win_shell: |
+    $product_name = "Datadog Agent"
+    $query = "Select Name,IdentifyingNumber,InstallDate,InstallLocation,ProductID,Version FROM Win32_Product where Name like '$product_name%'"
+    $installs = Get-WmiObject -query $query
+
+    if (!$installs -or ($installs.Count -eq 0) -or ($installs.Count -gt 1)) {
+      Write-Host ""
+    } else {
+      $ddmaj, $ddmin, $ddpatch, $ddbuild = $installs.Version.split(".")
+      Write-Host "$($ddmaj).$($ddmin).$($ddpatch)"
+    }
+  register: datadog_version_check_win
+  changed_when: false
+  failed_when: false
+  check_mode: no
+  when: ansible_facts.os_family == "Windows"
+
+- name: Set skip install flag if version already installed (Linux)
+  set_fact:
+    datadog_skip_install: "{{ datadog_version_check_linux.stdout | trim == datadog_agent_os2version[ansible_facts.os_family] }}"
+  when: ansible_facts.system is defined and ansible_facts.system == "Linux"
+
+- name: Set skip install flag if version already installed (Windows)
+  set_fact:
+    datadog_skip_install: "{{ datadog_version_check_win.stdout | trim == datadog_agent_os2version[ansible_facts.os_family] }}"
+  when: ansible_facts.os_family == "Windows"

ansible-5/roles/datadog.datadog/tasks/pkg-debian.yml

@@ -0,0 +1,127 @@
+---
+- name: Install apt-transport-https
+  apt:
+    update_cache: yes
+    name: apt-transport-https
+    state: present
+  when: not ansible_check_mode
+
+- name: Install gnupg
+  apt:
+    update_cache: yes
+    name: gnupg
+    state: present
+  when: not ansible_check_mode
+
+- name: "Check if {{ datadog_apt_usr_share_keyring }} exists with correct mode"
+  stat:
+    path: "{{ datadog_apt_usr_share_keyring }}"
+  register: apt_keyring_file
+
+- name: "Ensure {{ datadog_apt_usr_share_keyring }} exists"
+  file:
+    path: "{{ datadog_apt_usr_share_keyring }}"
+    owner: root
+    group: root
+    mode: "0644"
+    state: touch
+  when: not ansible_check_mode and (not apt_keyring_file.stat.exists or not apt_keyring_file.stat.mode == "0644")
+
+- name: Install apt keys from default URLs
+  include_tasks: _apt-key-import.yml
+  with_items:
+    "{{ datadog_apt_default_keys }}"
+  when: datadog_apt_key_url_new is not defined and not ansible_check_mode
+
+- name: Install apt keys from custom URL
+  include_tasks: _apt-key-import.yml
+  with_items:
+    - key: A2923DFF56EDA6E76E55E492D3A80E30382E94DE
+      value: "{{ datadog_apt_key_url_new }}"
+    - key: D75CEA17048B9ACBF186794B32637D44F14F620E
+      value: "{{ datadog_apt_key_url_new }}"
+  when: datadog_apt_key_url_new is defined and not ansible_check_mode
+
+- name: "Ensure {{ datadog_apt_trusted_d_keyring }} exists with same contents as {{ datadog_apt_usr_share_keyring }} for older distro versions"
+  copy:
+    src: "{{ datadog_apt_usr_share_keyring }}"
+    dest: "{{ datadog_apt_trusted_d_keyring }}"
+    mode: "0644"
+    remote_src: yes
+  when: ((ansible_distribution == 'Debian' and ansible_distribution_major_version|int < 9) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int < 16)) and not ansible_check_mode
+
+- name: Ensure Datadog non-https repositories and repositories not using signed-by option are deprecated
+  apt_repository:
+    repo: "{{ item }}"
+    state: "absent"
+    update_cache: yes
+  with_items:
+    - "deb http://apt.datadoghq.com/ stable main"
+    - "deb http://apt.datadoghq.com/ stable 6"
+    - "deb http://apt.datadoghq.com/ stable 7"
+    - "deb https://apt.datadoghq.com/ stable main"
+    - "deb https://apt.datadoghq.com/ stable 6"
+    - "deb https://apt.datadoghq.com/ stable 7"
+  when: not ansible_check_mode
+
+- name: Ensure Datadog repository is up-to-date
+  apt_repository:
+    filename: "ansible_datadog_{{ item.key }}"
+    repo: "{{ item.value }}"
+    state: "{% if item.key == datadog_agent_major_version|int and datadog_apt_repo | length == 0 %}present{% else %}absent{% endif %}"
+    update_cache: yes
+  when: (not ansible_check_mode)
+  with_dict:
+    5: '{{ datadog_agent5_apt_repo }}'
+    6: '{{ datadog_agent6_apt_repo }}'
+    7: '{{ datadog_agent7_apt_repo }}'
+
+- name: Initialize custom repo file deletion flag to False
+  set_fact:
+    datadog_remove_custom_repo_file: "False"
+
+- name: Check if custom repository file exists
+  stat:
+    path: /etc/apt/sources.list.d/ansible_datadog_custom.list
+  register: datadog_custom_repo_file
+
+- name: Fetch custom repository file
+  slurp:
+    src: /etc/apt/sources.list.d/ansible_datadog_custom.list
+  register: datadog_custom_repo_file_contents
+  when: datadog_custom_repo_file.stat.exists
+
+- name: Flag custom repository file for deletion if different from current repository config
+  set_fact:
+    datadog_remove_custom_repo_file: "{{ datadog_repo_file_contents != datadog_apt_repo }}"
+  vars:
+    datadog_repo_file_contents: "{{ datadog_custom_repo_file_contents['content'] | b64decode | trim }}"
+  when: datadog_custom_repo_file.stat.exists
+
+- name: (Custom) Remove Datadog custom repository file when not set or updated
+  file:
+    path: /etc/apt/sources.list.d/ansible_datadog_custom.list
+    state: absent
+  when: (datadog_apt_repo | length == 0) or datadog_remove_custom_repo_file and (not ansible_check_mode)
+
+- name: (Custom) Ensure Datadog repository is up-to-date
+  apt_repository:
+    filename: ansible_datadog_custom
+    repo: "{{ datadog_apt_repo }}"
+    state: present
+    update_cache: yes
+  when: (datadog_apt_repo | length > 0) and (not ansible_check_mode)
+
+- include_tasks: pkg-debian/install-pinned.yml
+  when: datadog_agent_debian_version is defined
+
+- include_tasks: pkg-debian/install-latest.yml
+  when: datadog_agent_debian_version is not defined
+
+- name: Install latest datadog-signing-keys package
+  apt:
+    name: datadog-signing-keys
+    state: latest  # noqa 403
+    # we don't use update_cache: yes, as that was just done by the install-pinned/install-latest
+  register: datadog_signing_keys_install
+  when: not ansible_check_mode

ansible-5/roles/datadog.datadog/tasks/pkg-debian/install-latest.yml

@@ -0,0 +1,9 @@
+---
+- name: Install latest datadog-agent package
+  apt:
+    name: "{{ datadog_agent_flavor }}"
+    state: latest  # noqa 403
+    update_cache: yes
+    cache_valid_time: "{{ datadog_apt_cache_valid_time }}"
+  register: datadog_agent_install
+  when: not ansible_check_mode

ansible-5/roles/datadog.datadog/tasks/pkg-debian/install-pinned.yml

@@ -0,0 +1,10 @@
+---
+- name: Install pinned datadog-agent package
+  apt:
+    name: "{{ datadog_agent_flavor }}={{ datadog_agent_debian_version }}"
+    state: present
+    force: "{{ datadog_agent_allow_downgrade }}"
+    update_cache: yes
+    cache_valid_time: "{{ datadog_apt_cache_valid_time }}"
+  register: datadog_agent_install
+  when: not ansible_check_mode

ansible-5/roles/datadog.datadog/tasks/pkg-redhat.yml

@@ -0,0 +1,142 @@
+---
+- name: Fail early if Python 3 is used on CentOS / RHEL < 8
+  fail:
+    msg: "The installation of the Agent on CentOS / RHEL versions < 8 requires the 'yum' module, which is not compatible with Python 3.
+          To run this role, use a Python 2 interpreter on hosts running CentOS / RHEL < 8."
+  when: (not datadog_ignore_old_centos_python3_error)
+        and (ansible_facts.distribution_major_version | int <= 7)
+        and (ansible_facts.python.version.major | int >= 3)
+
+- name: Find out whether to set repo_gpgcheck or not
+  # We turn off repo_gpgcheck on custom repos and on RHEL/CentOS 8.1 because
+  # of https://bugzilla.redhat.com/show_bug.cgi?id=1792506
+  set_fact:
+    do_yum_repo_gpgcheck: >-
+      {{ datadog_yum_repo_gpgcheck if datadog_yum_repo_gpgcheck != '' else (
+        'no' if (
+          ansible_facts.distribution_version.startswith('8.1.') or ansible_facts.distribution_version == '8.1' or
+          datadog_yum_repo != ''
+        ) else 'yes'
+      ) }}
+
+- name: Download current RPM key
+  get_url:
+    url: "{{ datadog_yum_gpgkey_current }}"
+    dest: /tmp/DATADOG_RPM_KEY_CURRENT.public
+    force: yes
+
+- name: Import current RPM key
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_CURRENT.public
+    state: present
+  when: not ansible_check_mode
+
+- name: Download new RPM key (Expires in 2022)
+  get_url:
+    url: "{{ datadog_yum_gpgkey_e09422b3 }}"
+    dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
+    checksum: "sha256:{{ datadog_yum_gpgkey_e09422b3_sha256sum }}"
+
+- name: Import new RPM key (Expires in 2022)
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_E09422B3.public
+    state: present
+  when: not ansible_check_mode
+
+- name: Download new RPM key (Expires in 2024)
+  get_url:
+    url: "{{ datadog_yum_gpgkey_20200908 }}"
+    dest: /tmp/DATADOG_RPM_KEY_20200908.public
+    checksum: "sha256:{{ datadog_yum_gpgkey_20200908_sha256sum }}"
+
+- name: Import new RPM key (Expires in 2024)
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_20200908.public
+    state: present
+  when: not ansible_check_mode
+
+- name: Install Datadog Agent 5 yum repo
+  yum_repository:
+    name: datadog
+    description: Datadog, Inc.
+    baseurl: "{{ datadog_agent5_yum_repo }}"
+    enabled: yes
+    repo_gpgcheck: no  # we don't sign Agent 5 repodata
+    gpgcheck: "{{ datadog_yum_gpgcheck }}"
+    gpgkey: [
+      "{{ datadog_yum_gpgkey_current }}",
+      "{{ datadog_yum_gpgkey_20200908 }}",
+      "{{ datadog_yum_gpgkey_e09422b3 }}",
+      "{{ datadog_yum_gpgkey }}",
+    ]
+  register: repofile5
+  when: (datadog_agent_major_version|int == 5) and (datadog_yum_repo | length == 0) and (not ansible_check_mode)
+
+- name: Install Datadog Agent 6 yum repo
+  yum_repository:
+    name: datadog
+    description: Datadog, Inc.
+    baseurl: "{{ datadog_agent6_yum_repo }}"
+    enabled: yes
+    repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
+    gpgcheck: "{{ datadog_yum_gpgcheck }}"
+    gpgkey: [
+      "{{ datadog_yum_gpgkey_current }}",
+      "{{ datadog_yum_gpgkey_20200908 }}",
+      "{{ datadog_yum_gpgkey_e09422b3 }}",
+      "{{ datadog_yum_gpgkey }}",
+    ]
+  register: repofile6
+  when: (datadog_agent_major_version|int == 6) and (datadog_yum_repo | length == 0) and (not ansible_check_mode)
+
+- name: Install Datadog Agent 7 yum repo
+  yum_repository:
+    name: datadog
+    description: Datadog, Inc.
+    baseurl: "{{ datadog_agent7_yum_repo }}"
+    enabled: yes
+    repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
+    gpgcheck: "{{ datadog_yum_gpgcheck }}"
+    gpgkey: [
+      "{{ datadog_yum_gpgkey_current }}",
+      "{{ datadog_yum_gpgkey_20200908 }}",
+      "{{ datadog_yum_gpgkey_e09422b3 }}",
+    ]
+  register: repofile7
+  when: (datadog_agent_major_version|int == 7) and (datadog_yum_repo | length == 0) and (not ansible_check_mode)
+
+- name: Install Datadog Custom yum repo
+  yum_repository:
+    name: datadog
+    description: Datadog, Inc.
+    baseurl: "{{ datadog_yum_repo }}"
+    enabled: yes
+    repo_gpgcheck: "{{ do_yum_repo_gpgcheck }}"
+    gpgcheck: "{{ datadog_yum_gpgcheck }}"
+    gpgkey: [
+      "{{ datadog_yum_gpgkey_current }}",
+      "{{ datadog_yum_gpgkey_20200908 }}",
+      "{{ datadog_yum_gpgkey_e09422b3 }}",
+      "{{ datadog_yum_gpgkey }}",
+    ]
+  register: repofilecustom
+  when: (datadog_yum_repo | length > 0) and (not ansible_check_mode)
+
+- name: Clean repo metadata if repo changed # noqa 503
+  command: yum clean metadata --disablerepo="*" --enablerepo=datadog
+  ignore_errors: yes # Cleaning the metadata is only needed when downgrading a major version of the Agent, don't fail because of this
+  args:
+    warn: no
+  when: repofile5.changed or repofile6.changed or repofile7.changed or repofilecustom.changed
+
+- name: Remove old yum repo files
+  yum_repository:
+    name: "ansible_datadog_{{ item }}"
+    state: absent
+  with_items: [ 5, 6, 7, "custom" ]
+
+- include_tasks: pkg-redhat/install-pinned.yml
+  when: datadog_agent_redhat_version is defined
+
+- include_tasks: pkg-redhat/install-latest.yml
+  when: datadog_agent_redhat_version is not defined

ansible-5/roles/datadog.datadog/tasks/pkg-redhat/install-latest.yml

@@ -0,0 +1,18 @@
+---
+- name: Install latest datadog-agent package (dnf)
+  dnf:
+    name: "{{ datadog_agent_flavor }}"
+    update_cache: yes
+    state: latest  # noqa 403
+  register: datadog_agent_install
+  when: not ansible_check_mode and ansible_facts.python.version.major | int >= 3
+  notify: restart datadog-agent
+
+- name: Install latest datadog-agent package (yum)
+  yum:
+    name: "{{ datadog_agent_flavor }}"
+    update_cache: yes
+    state: latest  # noqa 403
+  register: datadog_agent_install
+  when: not ansible_check_mode and ansible_facts.python.version.major | int < 3
+  notify: restart datadog-agent

ansible-5/roles/datadog.datadog/tasks/pkg-redhat/install-pinned.yml

@@ -0,0 +1,20 @@
+---
+- name: Install pinned datadog-agent package (dnf)
+  dnf:
+    name: "{{ datadog_agent_flavor }}-{{ datadog_agent_redhat_version }}"
+    update_cache: yes
+    state: present
+    allow_downgrade: "{{ datadog_agent_allow_downgrade }}"
+  register: datadog_agent_install
+  when: not ansible_check_mode and ansible_facts.python.version.major | int >= 3
+  notify: restart datadog-agent
+
+- name: Install pinned datadog-agent package (yum)
+  yum:
+    name: "{{ datadog_agent_flavor }}-{{ datadog_agent_redhat_version }}"
+    update_cache: yes
+    state: present
+    allow_downgrade: "{{ datadog_agent_allow_downgrade }}"
+  register: datadog_agent_install
+  when: not ansible_check_mode and ansible_facts.python.version.major | int < 3
+  notify: restart datadog-agent

ansible-5/roles/datadog.datadog/tasks/pkg-suse.yml

@@ -0,0 +1,133 @@
+---
+- name: Find out whether to set repo_gpgcheck or not
+  set_fact:
+    do_zypper_repo_gpgcheck: >-
+      {{ datadog_zypper_repo_gpgcheck if datadog_zypper_repo_gpgcheck != '' else (
+        'yes' if datadog_zypper_repo == '' and datadog_agent_major_version|int != 5 else 'no'
+      ) }}
+
+- block:  # Work around due to SNI check for SLES11
+  - name: Stat if current RPM key already exists
+    stat:
+      path: /tmp/DATADOG_RPM_KEY_CURRENT.public
+    register: ddkeycurrent
+  - name: Download current RPM key (SLES11)
+    get_url:
+      url: "{{ datadog_zypper_gpgkey_current }}"
+      dest: /tmp/DATADOG_RPM_KEY_CURRENT.public
+      force: yes
+    when: not ddkeycurrent.stat.exists
+  when: ansible_distribution_version|int == 11
+
+- name: Download current RPM key
+  get_url:
+    url: "{{ datadog_zypper_gpgkey_current }}"
+    dest: /tmp/DATADOG_RPM_KEY_CURRENT.public
+    force: yes
+  when: ansible_distribution_version|int >= 12
+
+- name: Import current RPM key
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_CURRENT.public
+    state: present
+  when: not ansible_check_mode
+
+# Do not import old key if installing Agent 7, as all Agent 7 packages are signed with the new key
+- block:  # Work around due to SNI check for SLES11
+  - name: Stat if RPM key already exists
+    stat:
+      path: /tmp/DATADOG_RPM_KEY.public
+    register: ddkey
+  - name: Download RPM key (SLES11)
+    get_url:
+      url: "{{ datadog_zypper_gpgkey }}"
+      dest: /tmp/DATADOG_RPM_KEY.public
+    when: not ddkey.stat.exists
+  when: datadog_agent_major_version|int < 7 and ansible_distribution_version|int == 11
+
+# Do not import old key if installing Agent 7, as all Agent 7 packages are signed with the new key
+- name: Download RPM key
+  get_url:
+    url: "{{ datadog_zypper_gpgkey }}"
+    dest: /tmp/DATADOG_RPM_KEY.public
+    checksum: "sha256:{{ datadog_zypper_gpgkey_sha256sum }}"
+  when: datadog_agent_major_version|int < 7 and ansible_distribution_version|int >= 12
+
+- name: Import RPM key
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY.public
+    state: present
+  when: datadog_agent_major_version|int < 7 and not ansible_check_mode
+
+- block:  # Work around due to SNI check for SLES11
+  - name: Stat if E09422B3 key (Expires 2022) RPM key already exists
+    stat:
+      path: /tmp/DATADOG_RPM_KEY_E09422B3.public
+    register: ddnewkey
+  - name: Download E09422B3 key (Expires 2022) RPM key (SLES11)
+    get_url:
+      url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
+      dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
+    when: not ddnewkey.stat.exists
+  when: ansible_distribution_version|int == 11
+
+- name: Download E09422B3 key (Expires 2022) RPM key
+  get_url:
+    url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
+    dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
+    checksum: "sha256:{{ datadog_zypper_gpgkey_e09422b3_sha256sum }}"
+  when: ansible_distribution_version|int >= 12
+
+- name: Import E09422B3 key (Expires 2022) RPM key
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_E09422B3.public
+    state: present
+  when: not ansible_check_mode
+
+- block:  # Work around due to SNI check for SLES11
+  - name: Stat if 20200908 key (Expires 2024) RPM key already exists
+    stat:
+      path: /tmp/DATADOG_RPM_KEY_20200908.public
+    register: ddnewkey_20200908
+  - name: Download 20200908 key (Expires 2024) RPM key (SLES11)
+    get_url:
+      url: "{{ datadog_zypper_gpgkey_20200908 }}"
+      dest: /tmp/DATADOG_RPM_KEY_20200908.public
+    when: not  ddnewkey_20200908.stat.exists
+  when: ansible_distribution_version|int == 11
+
+- name: Download 20200908 key (Expires 2024) RPM key
+  get_url:
+    url: "{{ datadog_zypper_gpgkey_20200908 }}"
+    dest: /tmp/DATADOG_RPM_KEY_20200908.public
+    checksum: "sha256:{{ datadog_zypper_gpgkey_20200908_sha256sum }}"
+  when: ansible_distribution_version|int >= 12
+
+- name: Import 20200908 key (Expires 2024) RPM key
+  rpm_key:
+    key: /tmp/DATADOG_RPM_KEY_20200908.public
+    state: present
+  when: not ansible_check_mode
+
+# ansible don't allow repo_gpgcheck to be set, we have to create the repo file manually
+- name: Install DataDog zypper repo
+  template:
+    src: zypper.repo.j2
+    dest: /etc/zypp/repos.d/datadog.repo
+    owner: "root"
+    group: "root"
+    mode: 0644
+  register: datadog_zypper_repo
+
+# refresh zypper repos only if the template changed
+- name: refresh Datadog zypper_repos  # noqa 503
+  command: zypper refresh datadog
+  when: datadog_zypper_repo.changed and not ansible_check_mode
+  args:
+    warn: false  # silence warning about using zypper directly
+
+- include_tasks: pkg-suse/install-pinned.yml
+  when: datadog_agent_suse_version is defined
+
+- include_tasks: pkg-suse/install-latest.yml
+  when: datadog_agent_suse_version is not defined

ansible-5/roles/datadog.datadog/tasks/pkg-suse/install-latest.yml

@@ -0,0 +1,8 @@
+---
+- name: Ensure Datadog agent is installed
+  zypper:
+    name: datadog-agent
+    state: latest  # noqa 403
+  register: datadog_agent_install
+  when: not ansible_check_mode
+  notify: restart datadog-agent

ansible-5/roles/datadog.datadog/tasks/pkg-suse/install-pinned.yml

@@ -0,0 +1,9 @@
+---
+- name: Install pinned datadog-agent package
+  zypper:
+    name: "datadog-agent={{ datadog_agent_suse_version }}"
+    state: present
+    oldpackage: "{{ datadog_agent_allow_downgrade }}"
+  register: datadog_agent_install
+  when: not ansible_check_mode
+  notify: restart datadog-agent

ansible-5/roles/datadog.datadog/tasks/pkg-windows-opts.yml

@@ -0,0 +1,94 @@
+- name: Set DD Username Arg
+  set_fact:
+    win_install_args: "{{ win_install_args }} DDAGENTUSER_NAME={{ datadog_windows_ddagentuser_name }}"
+  when: datadog_windows_ddagentuser_name | default('', true) | length > 0
+
+- name: Set DD Password Arg
+  set_fact:
+    win_install_args: "{{ win_install_args }} DDAGENTUSER_PASSWORD={{ datadog_windows_ddagentuser_password }}"
+  when: datadog_windows_ddagentuser_password | default('', true) | length > 0
+
+# check the registry. On upgrade, the location of the config file root will 
+# be set here.  
+- name: Check existing config file Directory
+  win_reg_stat:
+    path: HKLM:\SOFTWARE\Datadog\Datadog Agent
+    name: ConfigRoot
+  register: config_root_from_registry
+
+# check the registry. On upgrade, the location of the installation root directory will
+# be set here.  
+
+- name: Check existing installPath Directory
+  win_reg_stat:
+    path: HKLM:\SOFTWARE\Datadog\Datadog Agent
+    name: InstallPath
+  register: install_path_from_registry
+
+## validate the config path.  Only necessary if it's set in the registry alread (i.e. upgrade)
+## Will fail the install if the caller has set the config root to a non-standard root, and that
+## root is different than what's already present.
+- name: Validate config path
+  fail:
+    msg: "Incompatible configuration option {{ config_root_from_registry.value }} != {{ datadog_windows_config_files_dir }}"
+  when: ( (config_root_from_registry.exists) and
+          (datadog_windows_config_files_dir | length > 0 ) and
+          (config_root_from_registry.value | regex_replace('\\\\$','') | lower != datadog_windows_config_files_dir | lower ) )
+
+- name: Validated config path
+  debug:
+    msg: "Allowing configuration option {{ config_root_from_registry.value }} == {{ datadog_windows_config_files_dir }}"
+  when: ( (config_root_from_registry.exists) and
+          (datadog_windows_config_files_dir | length > 0 ) and
+          (config_root_from_registry.value | regex_replace('\\\\$','') | lower == datadog_windows_config_files_dir | lower ) )
+
+## validate the binary install path.  Only necessary if it's set in the registry alread (i.e. upgrade)
+## Will fail the install if the caller has set the binary install path to a non-standard root, and that
+## root is different than what's already present.
+- name: Validate install path
+  fail:
+    msg: "Incompatible configuration option {{ install_path_from_registry.value }} != {{ datadog_windows_program_files_dir }}"
+  when: ( (install_path_from_registry.exists) and
+          (datadog_windows_program_files_dir | length > 0 ) and
+          (install_path_from_registry.value | regex_replace('\\\\$','') | lower != datadog_windows_program_files_dir | lower ) )
+
+- name: Validated install path
+  debug:
+    msg: "Allowing configuration option {{ install_path_from_registry.value }} == {{ datadog_windows_program_files_dir }}"
+  when: ( (install_path_from_registry.exists) and
+          (datadog_windows_program_files_dir | length > 0 ) and
+          (install_path_from_registry.value | regex_replace('\\\\$','') | lower == datadog_windows_program_files_dir | lower ) )
+
+
+- name: Set Program Files Target Directory
+  set_fact:
+    win_install_args: "{{ win_install_args }} PROJECTLOCATION=\"{{ datadog_windows_program_files_dir }}\" "
+  when: datadog_windows_program_files_dir | length > 0
+
+- name: Set Config Files Target Directory
+  set_fact:
+    win_install_args: "{{ win_install_args }} APPLICATIONDATADIRECTORY=\"{{ datadog_windows_config_files_dir }}\" "
+  when: datadog_windows_config_files_dir | length > 0
+
+# if the current installation was set to a non-standard config root, and that config root is not
+# presented here, then update accordingly, so that any config file modifications will be made
+# in the right place
+- name: Set config root for config Files
+  set_fact:
+    datadog_windows_config_root: "{{ datadog_windows_config_files_dir }}"
+  when: ((datadog_windows_config_files_dir | length > 0) and (not config_root_from_registry.exists))
+
+- name: Set config root for config files from current location
+  set_fact:
+    datadog_windows_config_root: "{{ config_root_from_registry.value | regex_replace('\\\\$','') }}"
+  when: config_root_from_registry.exists
+
+- name: Set Test
+  set_fact:
+    win_install_args: "{{ win_install_args }}"
+
+# Add the installation arguments to install Windows NPM.
+- name: Set Windows NPM flag
+  set_fact:
+    win_install_args: "{{ win_install_args }} ADDLOCAL=MainApplication,NPM"
+  when: datadog_sysprobe_enabled

ansible-5/roles/datadog.datadog/tasks/pkg-windows.yml

@@ -0,0 +1,81 @@
+---
+- name: Fail if Agent 5
+  fail:
+    msg: "The Datadog ansible role does not currently support Agent 5"
+  when: datadog_agent_major_version|int == 5
+
+- name: Download windows datadog agent 614 fix script
+  win_get_url:
+    url: "{{ datadog_windows_614_fix_script_url }}"
+    dest: '%TEMP%\fix_6_14.ps1'
+  when: not datadog_skip_install and datadog_apply_windows_614_fix
+
+- name: Run 6.14.0/1 PowerShell fix
+  win_shell: |
+    Set-ExecutionPolicy Bypass -Scope Process -Force
+    &$env:temp\fix_6_14.ps1
+  when: not datadog_skip_install and datadog_apply_windows_614_fix
+
+- include_tasks: win_agent_latest.yml
+  when: (not datadog_skip_install) and (datadog_agent_windows_version is not defined)
+
+- include_tasks: win_agent_version.yml
+  when: (not datadog_skip_install) and (datadog_agent_windows_version is defined)
+
+- name: show URL var
+  debug:
+    var: dd_download_url
+  when: not datadog_skip_install
+
+## must be prior to `pkg-windows-opts.yml`, because the variable is used inside
+- name: Set windows NPM installed
+  set_fact:
+    datadog_sysprobe_enabled: "{{ network_config is defined and 'enabled' in (network_config | default({}, true)) and network_config['enabled'] }}"
+- include_tasks: pkg-windows-opts.yml
+
+- name: pre-Delete temporary msi
+  win_file:
+    path: '%TEMP%\ddagent.msi'
+    state: absent
+  when: not datadog_skip_install
+
+- name: Download windows datadog agent
+  win_get_url:
+    url: "{{ dd_download_url }}"
+    dest: '%TEMP%\ddagent.msi'
+  register: download_msi_result
+  when: (not datadog_skip_install) and (not ansible_check_mode)
+
+- name: Create Binary directory root (if not default)
+  win_file:
+    path: "{{ datadog_windows_program_files_dir }}"
+    state: directory
+  when: datadog_windows_program_files_dir | length > 0
+
+- name: Set default permissions on binary directory root (if not default)
+  win_acl:
+    path: "{{ datadog_windows_program_files_dir }}"
+    inherit: ContainerInherit,ObjectInherit
+    user: "BUILTIN\\USERS"
+    rights: ReadAndExecute
+    type: allow
+    state: present
+    propagation: None
+  when: datadog_windows_program_files_dir | length > 0
+
+- name: Show installation flags
+  debug:
+    var: win_install_args
+
+- name: Install downloaded agent
+  win_package:
+    path: "{{ download_msi_result.dest }}"
+    arguments: "{{ win_install_args }}"
+  register: datadog_agent_install
+  when: (not datadog_skip_install) and (not ansible_check_mode)
+
+- name: Delete temporary msi
+  win_file:
+    path: "{{ download_msi_result.dest }}"
+    state: absent
+  when: (not datadog_skip_install) and (not ansible_check_mode) and (download_msi_result.status_code == 200)

ansible-5/roles/datadog.datadog/tasks/sanitize-checks.yml

@@ -0,0 +1,12 @@
+- name: Defend against defined but null datadog_checks variable
+  set_fact:
+      datadog_checks: "{{ datadog_checks | default({}, true) }}"
+
+- name: Resolve datadog_tracked_checks
+  set_fact:
+    datadog_tracked_checks: "{{ datadog_checks | list + datadog_additional_checks | default([], true) }}"
+
+- name: Check that datadog_checks is a mapping
+  assert:
+    that:
+      - datadog_checks is mapping

ansible-5/roles/datadog.datadog/tasks/set-parse-version.yml

@@ -0,0 +1,16 @@
+---
+- name: Convert datadog_agent_major_version to string
+  set_fact:
+    datadog_agent_major_version: "{{ datadog_agent_major_version | default('', true) | string }}"
+
+- name: Initialize skip install flag to false
+  set_fact:
+    datadog_skip_install: no
+
+- include_tasks: parse-version.yml
+  when: datadog_agent_version | default('', true) | length > 0
+
+- name: Set Agent default major version
+  set_fact:
+    datadog_agent_major_version: "7"
+  when: datadog_agent_major_version | length == 0

ansible-5/roles/datadog.datadog/tasks/win_agent_latest.yml

@@ -0,0 +1,12 @@
+---
+
+- name: (Custom) Set agent download filename to latest
+  set_fact:
+    dd_download_url: "{{ datadog_windows_download_url }}"
+  when: datadog_windows_download_url | default('', true) | length > 0
+
+- name: Set agent download filename to latest
+  set_fact:
+    dd_download_url: "{% if datadog_agent_major_version|int == 7 %}{{ datadog_windows_agent7_latest_url }}
+      {% else %}{{ datadog_windows_agent6_latest_url }}{% endif %}"
+  when: datadog_windows_download_url | default('', true) | length == 0

ansible-5/roles/datadog.datadog/tasks/win_agent_version.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Check agent pinned version on Windows
+  fail:
+    msg: "The Agent versions you pinned (6.14.0 or 6.14.1) have been blacklisted, please use 6.14.2 instead. See https://dtdg.co/win-614-fix."
+  when: datadog_agent_version == "6.14.0" or datadog_agent_version == "6.14.1"
+
+- name: set agent download filename to a specific version
+  set_fact:
+    dd_download_url: "{{ datadog_windows_versioned_url }}-{{ datadog_agent_windows_version }}.msi"