Allow passing APIKey and AppKey as AWS Secrets Manager secrets - Githubissues

DataDog / cloudformation-template

Easily set up the Datadog AWS integration using CloudFormation

Apache License 2.0

34 stars 42 forks source link

Allow passing APIKey and AppKey as AWS Secrets Manager secrets #68

Open blimmer opened 11 months ago

blimmer commented 11 months ago

Context

I'm the author of cdk-datadog-integration, which provides AWS CDK constructs to set up Datadog integrations via these CloudFormation templates.

In older versions of the CloudFormation template, I could pass the Datadog API Key as a Secrets Manager secret: https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws/main.yaml#L19-L23

This allowed me to keep plain-text secrets out of the AWS CDK code, instead referencing it within Secrets Manager.

However, the new quickstart_v2 requires two secrets: APIKey and APPKey, neither of which can be passed as secrets.

Therefore, to update my construct to use the newer quickstart, users would have to hardcode APIKey and APPKey in plain-text, which is not ideal.

Expected Behavior

All CloudFormation parameters that could be considered sensitive should be passable via AWS Secrets Manager ARNs vs. hard-coded parameters.

Actual Behavior

These sensitive parameters must currently be passed as hard-coded strings.

Steps to Reproduce the Problem

Attempt to use the current quickstart template (https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws_quickstart/main_v2.yaml) without hard-coding APPKey and APIKey as strings.

Specifications

Datadog CloudFormation template version: https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws_quickstart/main_v2.yaml

Stacktrace

N/A

Flojolomo commented 3 months ago

Are there any updates regarding this?