main.yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Datadog AWS Integration
Parameters:
  ExternalId:
    Description: >-
      External ID for the Datadog role (generate at
      https://app.datadoghq.com/account/settings#integrations/amazon-web-services)
    Type: String
    AllowedPattern: .+
    ConstraintDescription: ExternalId is required
  DdApiKey:
    Description: >-
      API key for the Datadog account (find at
      https://app.datadoghq.com/account/settings#api).
      It will be stored securely in AWS Secrets Manager. If DdApiKeySecretArn is also set, this value is ignored.
    Type: String
    NoEcho: true
    Default: ''
  DdApiKeySecretArn:
    Type: String
    AllowedPattern: '(arn:.*:secretsmanager:.*)?'
    Default: ''
    Description: The ARN of the secret storing the Datadog API key, if you already have it stored in Secrets Manager. You must store the secret as plaintext, not as a key-value pair.
  DdSite:
    Type: String
    Default: datadoghq.com
    Description: Define your Datadog site to send data to. For the Datadog EU site, set to datadoghq.eu
    AllowedPattern: .+
    ConstraintDescription: DdSite is required
  IAMRoleName:
    Description: Customize the name of the IAM role for the Datadog AWS integration
    Type: String
    Default: DatadogIntegrationRole
  BasePermissions:
    Description: >-
      Customize the base permissions for the Datadog IAM role.
      Select "Core" to only grant Datadog permissions to a very limited set of metrics and metadata (not recommended).
    Type: String
    Default: Full
    AllowedValues:
      - Full
      - Core
  LogArchives:
    Description: >-
      S3 paths to store log archives for log rehydration. Separate multiple paths with a comma,
      e.g., "my-bucket,my-bucket-with-path/path". Permissions will be automatically added to
      the Datadog integration IAM role. https://docs.datadoghq.com/logs/archives/rehydrating/?tab=awss3
    Type: String
    Default: ''
  CloudTrails:
    Description: >-
      S3 buckets for the Datadog CloudTrail integration. Separate multiple buckets with a comma,
      e.g., "bucket1,bucket2". Permissions will be automatically added to the Datadog integration IAM role.
      https://docs.datadoghq.com/integrations/amazon_cloudtrail/
    Type: String
    Default: ''
  DdAWSAccountId:
    Description: >-
      Datadog AWS account ID allowed to assume the integration IAM role. DO NOT CHANGE!
    Type: String
    Default: '464622532012'
  DdForwarderName:
    Type: String
    Default: DatadogForwarder
    Description: >-
      The Datadog Forwarder Lambda function name. DO NOT change this when updating an existing CloudFormation stack,
      otherwise the current forwarder function will be replaced and all of its triggers will be lost.
  InstallDatadogPolicyMacro:
    Type: String
    Default: true
    AllowedValues:
      - true
      - false
    Description: If you already deployed a stack using this template, set this parameter to "false" to skip installing the DatadogPolicy Macro again.
  CloudSecurityPostureManagementPermissions:
    Type: String
    Default: false
    AllowedValues:
      - true
      - false
    Description: >-
      Set this value to "true" to add permissions for Datadog to monitor your AWS cloud resource configurations.
      You need this set to "true" to use Cloud Security Posture Management. You will also need "BasePermissions" set to "Full".
Conditions:
  ShouldInstallDatadogPolicyMacro:
    Fn::Equals:
      - Ref: InstallDatadogPolicyMacro
      - true
  WillCreateDdApiKeySecretArn:
    Fn::Equals:
      - Ref: DdApiKeySecretArn
      - ''
Rules:
  MustSetDdApiKey:
    Assertions:
      - Assert:
          Fn::Or:
            - Fn::Not:
                - Fn::Equals:
                    - Ref: DdApiKey
                    - ''
            - Fn::Not:
                - Fn::Equals:
                    - Ref: DdApiKeySecretArn
                    - ''
        AssertDescription: DdApiKey or DdApiKeySecretArn must be set
Resources:
  # A Macro used to generate policies for the integration IAM role based on user inputs
  DatadogPolicyMacroStack:
    Type: AWS::CloudFormation::Stack
    Condition: ShouldInstallDatadogPolicyMacro
    Properties:
      TemplateURL: 'https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/datadog_policy_macro.yaml'
  # The IAM role for the Datadog integration
  DatadogIntegrationRoleStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: 'https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/datadog_integration_role.yaml'
      Parameters:
        ExternalId: !Ref ExternalId
        BasePermissions: !Ref BasePermissions
        IAMRoleName: !Ref IAMRoleName
        LogArchives: !Ref LogArchives
        CloudTrails: !Ref CloudTrails
        CloudSecurityPostureManagementPermissions: !Ref CloudSecurityPostureManagementPermissions
        DdAWSAccountId: !Ref DdAWSAccountId
      Tags:
        - # A trick to create a conditional dependency on DatadogPolicyMacroStack
          # https://stackoverflow.com/questions/34607476/cloudformation-apply-condition-on-dependson
          Key: 'DatadogPolicyMacroStackId'
          Value:
            !If [
              ShouldInstallDatadogPolicyMacro,
              !Ref DatadogPolicyMacroStack,
              'null',
            ]
  # The Lambda function that ships logs from S3 and CloudWatch, and custom metrics and traces from Lambda functions, to Datadog
  # https://github.com/DataDog/datadog-serverless-functions/tree/master/aws/logs_monitoring
  ForwarderStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: 'https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml'
      Parameters:
        DdApiKey: !Ref DdApiKey
        DdApiKeySecretArn:
          !If [
            WillCreateDdApiKeySecretArn,
            'arn:aws:secretsmanager:DEFAULT',
            !Ref DdApiKeySecretArn,
          ]
        DdSite: !Ref DdSite
        FunctionName: !Ref DdForwarderName
Outputs:
  IAMRoleName:
    Description: Name of the AWS IAM role to use with the Datadog AWS integration
    Value: !Ref IAMRoleName
  AccountId:
    Description: AWS account number
    Value: !Ref 'AWS::AccountId'
  Region:
    Description: AWS region
    Value: !Ref 'AWS::Region'
  DatadogForwarderArn:
    Description: Datadog Forwarder Lambda function ARN
    Value:
      Fn::GetAtt:
        - ForwarderStack
        - Outputs.DatadogForwarderArn
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-DatadogForwarderArn
  DdApiKeySecretArn:
    Description: ARN of the Secrets Manager secret holding the Datadog API key
    Value:
      Fn::GetAtt:
        - ForwarderStack
        - Outputs.DdApiKeySecretArn
    Export:
      Name:
        Fn::Sub: ${AWS::StackName}-ApiKeySecretArn
    Condition: WillCreateDdApiKeySecretArn
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Required
        Parameters:
          - IAMRoleName
          - ExternalId
          - DdApiKey
          - DdApiKeySecretArn
          - BasePermissions
          - DdSite
      - Label:
          default: Optional
        Parameters:
          - LogArchives
          - CloudTrails
          - CloudSecurityPostureManagementPermissions
      - Label:
          default: Advanced
        Parameters:
          - DdAWSAccountId
          - DdForwarderName
          - InstallDatadogPolicyMacro
    ParameterLabels:
      ExternalId:
        default: 'ExternalId *'
      DdApiKey:
        default: 'DdApiKey *'
      DdSite:
        default: 'DdSite *'
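Two things in this template deserve a check outside CloudFormation. First, the parameter constraints (the `AllowedPattern` values, the `MustSetDdApiKey` rule, the `WillCreateDdApiKeySecretArn` condition that passes the `arn:aws:secretsmanager:DEFAULT` sentinel to the forwarder) only fail at stack-creation time, and the secret-ARN pattern `(arn:.*:secretsmanager:.*)?` accepts an ARN from any partition, region or account. Second, the `ExternalId` and `DdAWSAccountId` parameters exist to prevent the confused-deputy problem: without an external ID condition in the role's trust policy, any other Datadog customer who learned your role ARN could register it in their own Datadog account and have Datadog assume it on their behalf. The script below is an added example, not Datadog's code and not part of this template: `check_parameters()` mirrors the template's own constraints and adds the account pin the pattern lacks (the `expected_account_id` argument is an assumption of the example), and `trust_policy_is_safe()` verifies that a role trust policy, such as the one returned by `aws iam get-role --role-name DatadogIntegrationRole --query Role.AssumeRolePolicyDocument`, only lets the Datadog account assume the role with the agreed external ID. The two trust policies embedded in it are constructed samples, not output from a real account.

```python
"""Pre-flight checks for the Datadog AWS integration stack (added example,
not Datadog's code). Uses only the standard library."""
import json
import re

# Values copied from the template.
DD_AWS_ACCOUNT_ID = "464622532012"
SECRET_ARN_PATTERN = r"(arn:.*:secretsmanager:.*)?"
DEFAULT_SECRET_SENTINEL = "arn:aws:secretsmanager:DEFAULT"


def check_parameters(params, expected_account_id=None):
    """Return a list of problems; an empty list means the stack would accept
    the parameters. expected_account_id is an extra check the template does
    not perform (its pattern does not pin the secret ARN to an account)."""
    p = {"ExternalId": "", "DdApiKey": "", "DdApiKeySecretArn": "",
         "DdSite": "datadoghq.com", "DdAWSAccountId": DD_AWS_ACCOUNT_ID,
         "BasePermissions": "Full",
         "CloudSecurityPostureManagementPermissions": "false"}
    p.update(params)
    problems = []
    # CloudFormation matches AllowedPattern against the whole value.
    if not re.fullmatch(r".+", p["ExternalId"]):
        problems.append("ExternalId is required")
    if not re.fullmatch(r".+", p["DdSite"]):
        problems.append("DdSite is required")
    if not re.fullmatch(SECRET_ARN_PATTERN, p["DdApiKeySecretArn"]):
        problems.append("DdApiKeySecretArn must be empty or a Secrets Manager ARN")
    if p["DdApiKey"] == "" and p["DdApiKeySecretArn"] == "":  # Rules.MustSetDdApiKey
        problems.append("DdApiKey or DdApiKeySecretArn must be set")
    # DdAWSAccountId says DO NOT CHANGE: another value lets a different AWS
    # account assume the integration role.
    if p["DdAWSAccountId"] != DD_AWS_ACCOUNT_ID:
        problems.append("DdAWSAccountId must remain " + DD_AWS_ACCOUNT_ID)
    if (p["CloudSecurityPostureManagementPermissions"] == "true"
            and p["BasePermissions"] != "Full"):
        problems.append("CloudSecurityPostureManagementPermissions needs BasePermissions=Full")
    arn = p["DdApiKeySecretArn"]
    if expected_account_id and arn:  # arn:partition:service:region:account:...
        parts = arn.split(":")
        if len(parts) < 6 or parts[4] != expected_account_id:
            problems.append("DdApiKeySecretArn is not in account " + expected_account_id)
    return problems


def forwarder_secret_arn(dd_api_key_secret_arn):
    """Mirror of Conditions.WillCreateDdApiKeySecretArn: the value ForwarderStack
    receives. The sentinel tells the forwarder template to create the secret."""
    return DEFAULT_SECRET_SENTINEL if dd_api_key_secret_arn == "" else dd_api_key_secret_arn


def trust_policy_is_safe(doc, external_id, dd_account_id=DD_AWS_ACCOUNT_ID):
    """True only if every Allow statement granting sts:AssumeRole is limited to
    the Datadog account and carries StringEquals sts:ExternalId == external_id."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allowed = {"arn:aws:iam::%s:root" % dd_account_id, dd_account_id}
    seen_assume = False
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        seen_assume = True
        principal = st.get("Principal")
        # "*" or any non-AWS principal type (Service, Federated) is not what this role needs.
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            return False
        aws = principal["AWS"]
        aws = [aws] if isinstance(aws, str) else aws
        if not all(a in allowed for a in aws):
            return False
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        ext = [ext] if isinstance(ext, str) else ext
        if ext != [external_id]:
            return False
    return seen_assume


# Constructed sample trust policies (not real output from an AWS account).
GOOD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::464622532012:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
# Same statement without the ExternalId condition: the confused-deputy guard is gone.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::464622532012:root"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(check_parameters({"ExternalId": "example-external-id", "DdApiKey": "k"}))
    print(forwarder_secret_arn(""))
    print(trust_policy_is_safe(GOOD_TRUST_POLICY, "example-external-id"))
    print(trust_policy_is_safe(WEAK_TRUST_POLICY, "example-external-id"))
```

Run `check_parameters()` on the parameter file you intend to pass to `aws cloudformation deploy`, and `trust_policy_is_safe()` on the trust policy of the role after the stack is created and after every update; a second `Allow` statement added later for a different principal, or an edit that drops the `sts:ExternalId` condition, makes the function return False even though the template's own parameters are unchanged.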