DataDog / cloudformation-template

Easily set up the Datadog AWS integration using CloudFormation
Apache License 2.0

add CF stack sets template #37

Open hiroqn opened 2 years ago

hiroqn commented 2 years ago

Note: Please remember to review the contribution guidelines if you have not yet done so.

What does this PR do?

CloudFormation StackSets Support

Motivation

CloudFormation StackSets can deploy the Datadog integration to multiple AWS accounts easily. CloudFormation StackSets does not support the features below:

So I needed to change the template.

It is useful for installing into multiple AWS accounts through an Organizational Unit with StackSets.

Design Decision

Using DdApiKeyEncrypted and DdAppKeyEncrypted

First, I tried to use Secrets Manager in the administrator account (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) and allow cross-account access.

But it was difficult to configure cross-account access because of the KMS cross-account key policy restrictions.

LogArchive and CloudTrail

I currently removed this option, because Fn::Transform is not supported.

Testing Guidelines

Our organization uses StackSets through Terraform like below.

```hcl
# StackSet definition held in the administrator account. SERVICE_MANAGED lets
# CloudFormation deploy through AWS Organizations without per-account roles.
resource "aws_cloudformation_stack_set" "datadog-integration" {
  auto_deployment {
    enabled                          = true  # roll out to accounts added to the OU later
    retain_stacks_on_account_removal = false # tear down when an account leaves the OU
  }
  name             = "datadog-integration"
  capabilities     = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"] # template creates IAM resources
  permission_model = "SERVICE_MANAGED"
  parameters = {
    # KMS-encrypted, base64 ciphertext of the Datadog keys (never the plaintext)
    DdApiKeyEncrypted = "TODO:ENCRYPTED_KEY"
    DdAppKeyEncrypted = "TODO:ENCRYPTED_KEY"
    # Key used to produce the ciphertext above
    DdKMSKeyId        = "TODO:KMS_KEY_ID"
  }
  template_body = file("${path.module}/datadog-integration.yaml")
}

# One stack instance per account in the target OU, in the given region.
resource "aws_cloudformation_stack_set_instance" "datadog_integration" {
  deployment_targets {
    organizational_unit_ids = ["OU ID"]
  }
  region         = "TODO:REGION"
  stack_set_name = aws_cloudformation_stack_set.datadog-integration.name
}
```

Additional Notes
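One way to fill the three TODO placeholders from the same Terraform configuration is to create the KMS key in the StackSet administrator account, encrypt the Datadog keys with the aws_kms_ciphertext data source, and open the key policy to the organization for decryption. This is an added example, not code from the PR or from the Datadog template. It assumes that the template's Lambda in each member account calls kms:Decrypt with DdKMSKeyId (inferred from the parameter names, not stated in the PR), that DdKMSKeyId accepts a key ARN (a bare key ID only resolves inside the calling account), and that `var.organization_id` and the variable names are placeholders you adjust.

```hcl
# Added example (not part of the PR). Assumptions: the integration Lambda in
# each member account decrypts the two parameters with kms:Decrypt against
# DdKMSKeyId, and DdKMSKeyId may be a key ARN so cross-account lookup works.

variable "datadog_api_key" {
  type      = string
  sensitive = true
}

variable "datadog_app_key" {
  type      = string
  sensitive = true
}

# AWS Organizations ID of the org receiving the StackSet (placeholder).
variable "organization_id" {
  type = string
}

data "aws_caller_identity" "current" {}

resource "aws_kms_key" "datadog" {
  description         = "Encrypts Datadog API/APP keys passed to the StackSet"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AdministratorAccountRoot"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Cross-account decrypt scoped to the organization instead of listing
        # every member account. The decrypting role in each member account
        # still needs its own IAM policy allowing kms:Decrypt on this key ARN;
        # the key policy alone is not sufficient across accounts.
        Sid       = "AllowOrganizationMembersToDecrypt"
        Effect    = "Allow"
        Principal = { AWS = "*" }
        Action    = ["kms:Decrypt", "kms:DescribeKey"]
        Resource  = "*"
        Condition = {
          StringEquals = { "aws:PrincipalOrgID" = var.organization_id }
        }
      }
    ]
  })
}

# ciphertext_blob is base64-encoded, which a CloudFormation string parameter
# can carry as-is. Note that the plaintext is stored in Terraform state.
data "aws_kms_ciphertext" "api_key" {
  key_id    = aws_kms_key.datadog.key_id
  plaintext = var.datadog_api_key
}

data "aws_kms_ciphertext" "app_key" {
  key_id    = aws_kms_key.datadog.key_id
  plaintext = var.datadog_app_key
}

resource "aws_cloudformation_stack_set" "datadog-integration" {
  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }
  name             = "datadog-integration"
  capabilities     = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]
  permission_model = "SERVICE_MANAGED"
  parameters = {
    DdApiKeyEncrypted = data.aws_kms_ciphertext.api_key.ciphertext_blob
    DdAppKeyEncrypted = data.aws_kms_ciphertext.app_key.ciphertext_blob
    DdKMSKeyId        = aws_kms_key.datadog.arn
  }
  template_body = file("${path.module}/datadog-integration.yaml")
}

resource "aws_cloudformation_stack_set_instance" "datadog_integration" {
  deployment_targets {
    organizational_unit_ids = ["OU ID"]
  }
  # Must be the key's region: a single-region KMS key cannot decrypt
  # ciphertext from another region (or use a multi-region key).
  region         = "TODO:REGION"
  stack_set_name = aws_cloudformation_stack_set.datadog-integration.name
}
```

Two caveats worth checking before relying on this: the `aws_kms_ciphertext` data source keeps the plaintext in Terraform state, so the state backend must be treated as holding the Datadog keys (marking the variables `sensitive` only hides them from plan output), and `aws:PrincipalOrgID` grants every role in the organization the ability to decrypt if its own IAM policy allows it, so tighten the key policy to specific role ARNs once the template's decrypting role name is known.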