add CF stack sets template by hiroqn · Pull Request #37 · DataDog/cloudformation-template

hiroqn · 2022-02-28T15:10:59Z

Note: Please remember to review the contribution guidelines
if you have not yet done so.

What does this PR do?

CloudFormation StackSets Support

Motivation

CloudFormation StackSets can deploy datadog integration to multiple AWS account easy.
CloudFormation StackSets does not support below features

nested Stack
- This is undocumented.
Fn::Transform.
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros.html
  
  StackSets does not currently support creating or updating stack sets with service-managed permissions from templates that reference AWS CloudFormation macros.

So, I needed to change template.

It is useful to install multiple AWS accounts through Organization Unit with StackSets.

Design Decision

using `DdApiKeyEncrypted` and `DdAppKeyEncrypted`

First, I try to use SecretManager at Administrator account (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html), and allow cross account access.

But it was difficult to configure cross account access by KMS cross account key policy restriction

LogArchive and CloudTrail

I currently removed this option, becauseFn::Transform is not supported.

Testing Guidelines

Our organization uses StackSets through Terraform like below.

resource "aws_cloudformation_stack_set" "datadog-integration" {
  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }
  name             = "datadog-integration"
  capabilities     = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]
  permission_model = "SERVICE_MANAGED"
  parameters = {
    DdApiKeyEncrypted = "TODO:ENCRYPTED_KEY"
    DdAppKeyEncrypted = "TODO:ENCRYPTED_KEY"
    DdKMSKeyId        = "TODO:KMS_KEY_ID"
  }
  template_body = file("${path.module}/datadog-integration.yaml")
}

resource "aws_cloudformation_stack_set_instance" "datadog_integration" {
  deployment_targets {
    organizational_unit_ids = ["OU ID"]
  }
  region         = "TODO:REGION"
  stack_set_name = aws_cloudformation_stack_set.datadog-integration.name
}

Additional Notes

CloudSecurityPosture is not tested because our organization is not using this feature.

add CF stack sets template

573b7fd

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add CF stack sets template#37

add CF stack sets template#37
hiroqn wants to merge 1 commit intoDataDog:masterfrom
herp-inc:add-stacksets-cf

hiroqn commented Feb 28, 2022 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

hiroqn commented Feb 28, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What does this PR do?

Motivation

Design Decision

using DdApiKeyEncrypted and DdAppKeyEncrypted

LogArchive and CloudTrail

Testing Guidelines

Additional Notes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

hiroqn commented Feb 28, 2022 •

edited

Loading

using `DdApiKeyEncrypted` and `DdAppKeyEncrypted`