Closed pas256 closed 1 year ago
I'm happy to do this refactor if you don't have any objections.
Hi @pas256, thanks for getting in touch and including all of those details. I just had a chance to read through and your idea makes sense to me. Thanks for offering, we would appreciate a PR.
Challenge
We have many SAM applications deployed in many AWS accounts. As currently written, each one of our SAM templates must contain the Datadog configuration values:
This makes it difficult to deploy this template in an AWS account that is not `123456789012` or in a region that is not `us-west-2`. Further than this, both `apiKeySecretArn` and `env` don't actually change between SAM applications deployed in `us-west-2:123456789012` because `123456789012` is always our `dev` account.

To make our SAM templates easily reusable across regions and accounts (without introducing Datadog specific parameters to every template), I would like to encapsulate the `apiKeySecretArn` and `env` in the Macro Lambda as environment variables. The prerequisite to using this Macro (from following https://github.com/DataDog/datadog-cloudformation-macro/tree/master/serverless#installation) is to deploy the CloudFormation template https://datadog-cloudformation-template.s3.amazonaws.com/aws/serverless-macro/latest.yml in every account and in every region anyway, so why not make it possible to set the config at that point in time as well?

Fortunately, the code to do this is already there.
`env.ts` is already written to use the following:

- `DD_API_KEY_SECRET_ARN` is the same as `apiKeySecretArn`
- `DD_ENV` is the same as `env`

I tried this, but unfortunately, `index.ts` validates the config supplied to the Macro before reading the environment variables for the Lambda of the macro. Line 72 runs and validates parameters before Line 86 reads the ENV vars.

Proposal
My proposal is to modify `index.ts` to read the environment variables, which combines ENV and config params, before validating them.

However, since `setEnvConfiguration` doesn't modify `config` (it modifies `envVariables`), the validation code would need to also run against `envVariables` instead of `config`. A larger refactor than just moving the validation function call, but not impossible.

End experience
At the end of this, I could modify `latest.yml` to set the config via environment variables once per account, per region, like so:

and my SAM's template would only be

and because IAM policies support wildcards, the serverless function policy can be:
... and work in every account and region where we choose to deploy the SAM app.
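
The ordering change proposed in this issue, as an added example (not part of the original issue and not the macro's own code): account-level values from the macro Lambda's environment are merged with the template's parameters first, and validation then runs on the merged result. The function names, the precedence rule, the validation rules and the secret name are assumptions made for illustration.

```typescript
// Added illustration. Only DD_API_KEY_SECRET_ARN, DD_ENV, apiKeySecretArn and
// env come from the issue; every other name here is hypothetical.
type MacroConfig = { apiKeySecretArn?: string; env?: string };
type EnvVars = Record<string, string | undefined>;

// Mapping stated in the issue: macro Lambda env var -> macro parameter.
const ENV_TO_PARAM: Record<string, keyof MacroConfig> = {
  DD_API_KEY_SECRET_ARN: "apiKeySecretArn",
  DD_ENV: "env",
};

// Assumed precedence: a non-empty template parameter overrides the
// account-level value held in the macro Lambda's environment.
function mergeConfig(params: MacroConfig, lambdaEnv: EnvVars): MacroConfig {
  const merged: MacroConfig = {};
  for (const envName in ENV_TO_PARAM) {
    const key = ENV_TO_PARAM[envName];
    const value = params[key] || lambdaEnv[envName];
    if (value) merged[key] = value;
  }
  return merged;
}

// Assumed rules (the issue does not list the macro's real checks).
const SECRET_ARN = /^arn:aws[\w-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$/;
function validate(config: MacroConfig): string[] {
  const errors: string[] = [];
  if (!config.apiKeySecretArn) errors.push("apiKeySecretArn is required");
  else if (!SECRET_ARN.test(config.apiKeySecretArn))
    errors.push("apiKeySecretArn is not a Secrets Manager ARN");
  if (!config.env) errors.push("env is required");
  return errors;
}

// Constructed input: a template with no Datadog parameters, transformed by a
// macro Lambda that carries the account's values.
const templateParams: MacroConfig = {};
const lambdaEnv: EnvVars = {
  DD_API_KEY_SECRET_ARN:
    "arn:aws:secretsmanager:us-west-2:123456789012:secret:example-dd-key",
  DD_ENV: "dev",
};

// Order described in the issue: validation sees only the template parameters.
const validatedFirst = validate(templateParams);
// Proposed order: merge first, then validate what will actually be used.
const mergedFirst = validate(mergeConfig(templateParams, lambdaEnv));
```

Validating after the merge also means a malformed value set once in the Lambda environment is rejected at transform time instead of being applied to every stack in that account and region.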