DataDog / cloudformation-template

Easily set up the Datadog AWS integration using CloudFormation
Apache License 2.0

Support Secrets Manager in template #33

Closed duncanista closed 2 years ago

duncanista commented 2 years ago

What does this PR do?

Modified the template to allow users to specify Secrets Manager ARNs where they are storing their Datadog API keys (DdApiKeySecretArn). Users can now specify the ARN and leave the API Key field empty.

Motivation

DataDog/cloudformation-template/issues/30

Testing Guidelines

Tested template in demo account:

Additional Notes

Template was tested using a mock ExternalId provided by Datadog.

jaredready commented 2 years ago

I just started running into this issue due to https://github.com/hashicorp/terraform-provider-aws/issues/55. I'd love to see this available.

andyshinn commented 2 years ago

Dope. When does something like this typically get deployed to https://datadog-cloudformation-template.s3.amazonaws.com/aws/main.yaml or is there a versioned URL we can be using?

rmvangun commented 2 years ago

I'm getting this error when trying to use the DdApiKeySecretArn parameter...

"Output 'DdApiKeySecretArn' not found in stack", referring to the ForwarderStack, which is a nested template.

I believe this is due to:

  DdApiKeySecretArn:
    Description: ARN of SecretsManager Secret with Datadog API Key
    Value:
      Fn::GetAtt:
        - ForwarderStack
        - Outputs.DdApiKeySecretArn
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-ApiKeySecretArn

Though the ForwarderStack only conditionally includes DdApiKeySecretArn in the output if it was not already provided externally.
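
The mismatch described in the comment above can be caught before deployment. The following is an added example, not part of the PR or of Datadog's templates: a check over parsed templates that flags parent outputs reading a conditional nested-stack output without a condition of their own. The condition name `CreateSecret`, the `ForwarderArn` output, the `Secret` and `Forwarder` resource names, and the nested template contents are assumptions constructed for illustration.

```python
# Added example: lint a parent template against its nested template (parsed dicts).
def walk(node):
    """Yield every dict found anywhere inside a parsed template fragment."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v)

def nested_output_refs(fragment, stack_id):
    """Return names X for each Fn::GetAtt [stack_id, Outputs.X] in fragment."""
    names = []
    for d in walk(fragment):
        ref = d.get("Fn::GetAtt")
        if isinstance(ref, str):  # short form "Stack.Outputs.X"
            ref = ref.split(".", 1)
        if (isinstance(ref, list) and len(ref) == 2 and ref[0] == stack_id
                and isinstance(ref[1], str) and ref[1].startswith("Outputs.")):
            names.append(ref[1][len("Outputs."):])
    return names

def unguarded_conditional_outputs(parent, nested, stack_id):
    """Parent outputs that read a conditional nested output without a Condition."""
    nested_outputs = nested.get("Outputs", {})
    findings = []
    for out_name, out in parent.get("Outputs", {}).items():
        for ref in nested_output_refs(out.get("Value"), stack_id):
            child = nested_outputs.get(ref)
            if child is None:
                findings.append((out_name, ref, "missing in nested template"))
            elif "Condition" in child and "Condition" not in out:
                findings.append((out_name, ref, "conditional in nested template"))
    return findings

# Constructed nested template: the output exists only when the stack creates the secret.
NESTED = {"Conditions": {"CreateSecret": {"Fn::Equals": [{"Ref": "DdApiKeySecretArn"}, ""]}},
          "Outputs": {"DdApiKeySecretArn": {"Condition": "CreateSecret", "Value": {"Ref": "Secret"}},
                      "ForwarderArn": {"Value": {"Ref": "Forwarder"}}}}
# Parent output as quoted in the comment above (dict form), plus a constructed unconditional one.
PARENT = {"Outputs": {
    "DdApiKeySecretArn": {"Value": {"Fn::GetAtt": ["ForwarderStack", "Outputs.DdApiKeySecretArn"]},
                          "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-ApiKeySecretArn"}}},
    "ForwarderArn": {"Value": {"Fn::GetAtt": ["ForwarderStack", "Outputs.ForwarderArn"]}}}}

if __name__ == "__main__":
    for finding in unguarded_conditional_outputs(PARENT, NESTED, "ForwarderStack"):
        print(finding)
```

Run against the constructed pair, the check reports only the `DdApiKeySecretArn` output; adding a `Condition` key to that parent output clears the finding.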

andyshinn commented 2 years ago

Same here. Looks like maybe there is a bug with updating an existing forwarder stack that did not have the ARN set manually.

jvanbrie commented 2 years ago

Thanks for bringing this to our attention, we're looking into it.

duncanista commented 2 years ago

This should be fixed by today. Thank you everyone for raising this issue. Will open a PR in a few minutes.