
Allow passing APIKey and AppKey as AWS Secrets Manager secrets

Open blimmer opened this issue 1 year ago • 2 comments

Context

I'm the author of cdk-datadog-integration, which provides AWS CDK constructs to set up Datadog integrations via these CloudFormation templates.

In older versions of the CloudFormation template, I could pass the Datadog API Key as a Secrets Manager secret: https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws/main.yaml#L19-L23

This allowed me to keep plain-text secrets out of the AWS CDK code, instead referencing it within Secrets Manager.

However, the new quickstart_v2 requires two secrets: APIKey and APPKey, neither of which can be passed as secrets.

Therefore, to update my construct to use the newer quickstart, users would have to hardcode APIKey and APPKey in plain-text, which is not ideal.

Expected Behavior

All CloudFormation parameters that could be considered sensitive should be passable via AWS Secrets Manager ARNs vs. hard-coded parameters.

Actual Behavior

These sensitive parameters must currently be passed as hard-coded strings.

Steps to Reproduce the Problem

  1. Attempt to use the current quickstart template (https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws_quickstart/main_v2.yaml) without hard-coding APPKey and APIKey as strings.

Specifications

  • Datadog CloudFormation template version: https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws_quickstart/main_v2.yaml

Stacktrace

N/A

blimmer, Jul 19 '23 09:07
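The shape of what the issue asks for, as an added example (not Datadog's template and not code from cdk-datadog-integration): the template takes two Secrets Manager ARNs instead of the raw keys, grants the integration Lambda `GetSecretValue` on exactly those two ARNs, and the function reads the values at invocation time. Parameter, role, function and custom-resource names are hypothetical, and the actual Datadog API call is left out because the page does not show it.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not Datadog's template): accept the Datadog API and
  application keys as Secrets Manager ARNs and fetch them at runtime.

Parameters:
  # Hypothetical names; the quickstart's own parameters are APIKey/APPKey.
  DdApiKeySecretArn:
    Type: String
    Description: ARN of the Secrets Manager secret holding the Datadog API key
    AllowedPattern: '^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$'
  DdAppKeySecretArn:
    Type: String
    Description: ARN of the Secrets Manager secret holding the Datadog application key
    AllowedPattern: '^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$'

Resources:
  IntegrationFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ReadDatadogKeySecrets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: GetSecretValue on these two ARNs only,
              # not secretsmanager:* on "*".
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource:
                  - !Ref DdApiKeySecretArn
                  - !Ref DdAppKeySecretArn

  IntegrationFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Timeout: 30
      Role: !GetAtt IntegrationFunctionRole.Arn
      Code:
        ZipFile: |
          import boto3
          import cfnresponse  # shipped by CloudFormation for inline ZipFile handlers

          sm = boto3.client("secretsmanager")

          def read_secret(arn):
              # Key material exists only in this process, per invocation.
              return sm.get_secret_value(SecretId=arn)["SecretString"]

          def handler(event, context):
              try:
                  props = event["ResourceProperties"]
                  if event["RequestType"] != "Delete":
                      headers = {
                          "DD-API-KEY": read_secret(props["ApiKeySecretArn"]),
                          "DD-APPLICATION-KEY": read_secret(props["AppKeySecretArn"]),
                      }
                      # Call the Datadog API with these headers here (not shown on the page).
                  # Return only non-sensitive Data: it is visible via DescribeStacks.
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {"Configured": "true"})
              except Exception:
                  # Do not put the exception text (which may echo a key) into the reason.
                  cfnresponse.send(event, context, cfnresponse.FAILED, {},
                                   reason="integration failed; see function logs")

  DatadogIntegration:
    Type: Custom::DatadogIntegration
    Properties:
      ServiceToken: !GetAtt IntegrationFunction.Arn
      # Pass the ARNs, not the values. AWS documents that secure dynamic
      # references ({{resolve:secretsmanager:...}}) are not supported in
      # custom resource properties, so the function must fetch them itself.
      ApiKeySecretArn: !Ref DdApiKeySecretArn
      AppKeySecretArn: !Ref DdAppKeySecretArn
```

Two practical notes. First, `{{resolve:secretsmanager:<arn>:SecretString}}` is the right tool when the consuming property is an ordinary resource attribute (an RDS master password, for instance), but for a Lambda-backed custom resource the ARN-plus-runtime-fetch pattern above is what works, and it keeps the value out of the processed template entirely. Second, because the stack's parameters now contain only ARNs, whatever deploys the stack (CDK, Terraform's `aws_cloudformation_stack`, the console) records ARNs rather than keys. If a template must keep accepting the raw key, `NoEcho: true` on the parameter hides it from `DescribeStacks` and the console, but it does nothing about the copy held by the tool that supplied it.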

Are there any updates regarding this?

Flojolomo, Mar 18 '24 19:03

I would also like to see this implemented. This functionality is available in the datadog-forwarder stack (which requires the API key, but not the App key https://github.com/DataDog/cloudformation-template/blob/ed7b680f8903452165e9c3e0076fb7a41da9d5e4/aws/main.yaml#L19), but not the stackSET (https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws_organizations/main_organizations.yaml#L4). So, it is trivial to implement. I really really really don't want to maintain a fork of the official stackset, and since we're trying to deploy both with terraform, I also very much want to keep these secrets out of the state file. Any update would be greatly appreciated.

dheitman-prom, Sep 23 '24 00:09