StackSets does not currently support creating or updating stack sets with service-managed permissions from templates that reference AWS CloudFormation macros.
What does this PR do?
CloudFormation StackSets Support
Motivation
CloudFormation StackSets can easily deploy the Datadog integration to multiple AWS accounts. CloudFormation StackSets does not support the features below:
nested Stack
Fn::Transform
So, I needed to change the template.
It is useful to install into multiple AWS accounts through an Organization Unit with StackSets.
Design Decision
using DdApiKeyEncrypted and DdAppKeyEncrypted
First, I tried to use Secrets Manager in the Administrator account (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) and allow cross-account access.
But it was difficult to configure cross-account access because of the KMS cross-account key policy restriction.
LogArchive and CloudTrail
I have currently removed this option, because Fn::Transform is not supported.
Testing Guidelines
Our organization uses StackSets through Terraform like below.
Additional Notes
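
A pre-deployment check for the features this description lists as blocking StackSets (template-level macros, Fn::Transform, nested stacks), as an added example that is not part of the PR or of the project's templates. It assumes a JSON-format template; the function name and the sample template are constructed for illustration.

```python
import json

# Constructed sample template (not from the PR): a template-level macro,
# a nested stack and an inline Fn::Transform, plus one clean resource.
SAMPLE_TEMPLATE = json.dumps({
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "Forwarder": {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {"TemplateURL": "https://example.invalid/forwarder.yaml"},
        },
        "Policy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "Fn::Transform": {"Name": "AWS::Include",
                                  "Parameters": {"Location": "s3://example-bucket/policy.json"}},
            },
        },
        "Role": {"Type": "AWS::IAM::Role", "Properties": {"Path": "/"}},
    },
})


def find_stackset_blockers(template_text):
    """Return sorted (json_path, reason) pairs for the listed unsupported features."""
    template = json.loads(template_text)
    findings = []
    if "Transform" in template:
        findings.append(("Transform", "template-level macro"))
    # Nested stacks are only meaningful as direct children of Resources.
    for name, resource in template.get("Resources", {}).items():
        if isinstance(resource, dict) and resource.get("Type") == "AWS::CloudFormation::Stack":
            findings.append((f"Resources.{name}", "nested stack"))

    def walk(node, path):
        # Fn::Transform can sit at any depth, so search the whole document.
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key == "Fn::Transform":
                    findings.append((child, "Fn::Transform macro"))
                walk(value, child)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(template, "")
    return sorted(findings)
```
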