DataDog / cloudformation-template

Easily set up the Datadog AWS integration using CloudFormation
Apache License 2.0

Running CF template in AWS govcloud fails to create integration role #71

Open brianatinstrumental opened 10 months ago

brianatinstrumental commented 10 months ago

Expected Behavior

CF template creates all resources in the correct govcloud partition with included policy documents also referring to the govcloud partition

Actual Behavior

The CF template creates resources but references the main AWS partition instead of the govcloud one, resulting in resource creation failures. In particular, the following ARN is declared in a policy statement:

- 'arn:aws:iam::${DdAWSAccountId}:root' declared here: https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml#L76C1-L77C1

If the policy isn't needed in govcloud because we're using keys, we shouldn't create the resource. If we are using this role, then it should be using the correct policy/role based off of the DdSite variable, which can act as a toggle between govcloud/non-govcloud partitions.

I'm also 99% sure that the account id needs to be different for the govcloud region as well if this policy is indeed used.

Steps to Reproduce the Problem

  1. Deploy CF template in US govcloud region

Specifications

Stacktrace

From cloudformation:

Invalid principal in policy: "AWS":"arn:aws:iam::464622532012:root" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: edfb2d9c-ff31-424b-9664-401d59aadc7d; Proxy: null)
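The failure above comes from a partition literal (`arn:aws:`) baked into a trust policy, which is rejected when the stack is deployed into the `aws-us-gov` partition. As an added example (not code from the issue or the repository), the following scanner flags such literals in template text and shows the partition-agnostic rewrite using the `AWS::Partition` pseudo parameter; the sample template below is constructed for the example and is not the project's template.

```python
import re

# Constructed sample in the style the issue describes: one principal ARN with a
# hard-coded "arn:aws" partition, one managed policy ARN already using AWS::Partition.
SAMPLE_TEMPLATE = """\
Resources:
  DatadogIntegrationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${DdAWSAccountId}:root'
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/SecurityAudit'
"""

# Any ARN whose partition is written as a literal instead of ${AWS::Partition}.
# "arn:${AWS::Partition}:..." does not match because "$" follows "arn:".
HARDCODED_PARTITION = re.compile(r"arn:(aws|aws-us-gov|aws-cn):")


def find_hardcoded_partitions(template_text):
    """Return (line_number, stripped_line, partition) for each literal partition."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        match = HARDCODED_PARTITION.search(line)
        if match:
            findings.append((lineno, line.strip(), match.group(1)))
    return findings


def make_partition_agnostic(arn_literal):
    """Rewrite the leading 'arn:<partition>:' to 'arn:${AWS::Partition}:' so that
    CloudFormation substitutes the partition of whatever region the stack runs in."""
    return HARDCODED_PARTITION.sub("arn:${AWS::Partition}:", arn_literal, count=1)


if __name__ == "__main__":
    for lineno, line, partition in find_hardcoded_partitions(SAMPLE_TEMPLATE):
        print(f"line {lineno}: literal partition '{partition}' in: {line}")
        print("  suggested:", make_partition_agnostic(line))
```

Running this on the constructed template reports only the `Principal` line; the corrected form must still be wrapped in `!Sub` so that `${AWS::Partition}` is expanded.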
brentshulman-silkline commented 3 months ago

This looks changed in the latest quickstart, but I am still getting the principal error.

Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws-us-gov:iam::464622532012:root
 ...