DataDog / cloudformation-template

Easily set up the Datadog AWS integration using CloudFormation
Apache License 2.0
34 stars 44 forks

Allow use of DdApiKeySecretArn instead of DDApiKey #30

Closed andyshinn closed 2 years ago

andyshinn commented 2 years ago

Expected Behavior

Able to use DdApiKeySecretArn so that when the Datadog integration is set up via Terraform the plan is idempotent.

Actual Behavior

Only DdApiKey is available to pass to log forwarder.

Related

duncanista commented 2 years ago

Hey @andyshinn, thank you for raising the issue, and sorry for the delay.

It seems that DdApiKeySecretArn is already supported in the template. If you are creating a new one you can just set a default value in DdApiKey and then set your resource ARN in DdApiKeySecretArn (since the first one will be ignored if the second is set).

If you are trying to update an existing forwarder, you can just point to the Secret's ARN, since setting DdApiKey would have created a resource in Secrets Manager for it. If this is the case, then read permissions to the new resource might be required.

Let me know if you are still having trouble with this.

andyshinn commented 2 years ago

I did not try yet, but I was looking at https://github.com/DataDog/cloudformation-template/blob/master/aws/main.yaml#L111-L118 and it didn't appear to set the DdApiKeySecretArn input for the forwarder. But I will give it a try.

duncanista commented 2 years ago

Ah, I see what is happening here. Sorry, I got confused because of the reference and was checking the support there.

Indeed, there is no support to set a custom DdApiKeySecretArn in the AWS integration with CloudFormation. If you want to create a forwarder with it you can follow the documentation for the forwarder stated here.

Nonetheless, this should be supported directly in the template you pointed to. Will work on it, thank you.

shughes-uk commented 2 years ago

Can I request the same support for the streams template?