Allow passing APIKey and AppKey as AWS Secrets Manager secrets #68

@blimmer

Context

I'm the author of cdk-datadog-integration, which provides AWS CDK constructs to set up Datadog integrations via these CloudFormation templates.

In older versions of the CloudFormation template, I could pass the Datadog API Key as a Secrets Manager secret:

    DdApiKeySecretArn:
      Type: String
      AllowedPattern: "(arn:.*:secretsmanager:.*)?"
      Default: ""
      Description: The ARN of the secret storing the Datadog API key, if you already have it stored in Secrets Manager. You must store the secret as a plaintext, rather than a key-value pair.

This allowed me to keep plain-text secrets out of the AWS CDK code, instead referencing it within Secrets Manager.

However, the new quickstart_v2 requires two secrets: APIKey and APPKey, neither of which can be passed as secrets.

Therefore, to update my construct to use the newer quickstart, users would have to hardcode APIKey and APPKey in plain-text, which is not ideal.

Expected Behavior

All CloudFormation parameters that could be considered sensitive should be passable via AWS Secrets Manager ARNs vs. hard-coded parameters.

Actual Behavior

These sensitive parameters must currently be passed as hard-coded strings.

Steps to Reproduce the Problem

  1. Attempt to use the current quickstart template (https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws_quickstart/main_v2.yaml) without hard-coding APPKey and APIKey as strings.

Specifications

Stacktrace

N/A
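The gap this issue reports can be checked mechanically. The following is an added example, not code from the issue author or the Datadog template: it flags sensitive-looking CloudFormation parameters that have no Secrets Manager ARN counterpart. The parameter names `APIKey`, `APPKey` and `DdApiKeySecretArn` and the `AllowedPattern` come from the issue; the `Site`, `APIKeySecretArn` and `APPKeySecretArn` parameters, the name heuristic and the three sample templates are assumptions constructed for illustration.

```python
import re

# Heuristic (assumption): parameter names that usually carry credentials.
SENSITIVE = re.compile(r"key|secret|token|password", re.IGNORECASE)

def is_secret_arn_param(spec):
    """True when the parameter is constrained to a Secrets Manager ARN,
    as DdApiKeySecretArn is via its AllowedPattern."""
    return "secretsmanager" in spec.get("AllowedPattern", "")

def plaintext_only_secrets(template):
    """Return sensitive parameters that can only be supplied as literal strings,
    i.e. no ARN-typed parameter exists whose name contains theirs."""
    params = template.get("Parameters", {})
    arn_names = [n.lower() for n, s in params.items() if is_secret_arn_param(s)]
    findings = []
    for name, spec in params.items():
        if is_secret_arn_param(spec) or not SENSITIVE.search(name):
            continue
        if not any(name.lower() in arn for arn in arn_names):
            findings.append(name)
    return sorted(findings)

ARN_PATTERN = "(arn:.*:secretsmanager:.*)?"  # pattern quoted in the issue

# Constructed samples: parameter sections only, already parsed into dicts.
OLD_STYLE = {"Parameters": {
    "DdApiKeySecretArn": {"Type": "String", "AllowedPattern": ARN_PATTERN, "Default": ""},
}}
V2_STYLE = {"Parameters": {
    "APIKey": {"Type": "String"},
    "APPKey": {"Type": "String"},
    "Site": {"Type": "String"},  # hypothetical non-sensitive parameter
}}
# Hypothetical shape of a template that satisfies the request.
REQUESTED = {"Parameters": {
    "APIKey": {"Type": "String", "Default": ""},
    "APIKeySecretArn": {"Type": "String", "AllowedPattern": ARN_PATTERN, "Default": ""},
    "APPKey": {"Type": "String", "Default": ""},
    "APPKeySecretArn": {"Type": "String", "AllowedPattern": ARN_PATTERN, "Default": ""},
}}

if __name__ == "__main__":
    for label, tpl in [("old", OLD_STYLE), ("v2", V2_STYLE), ("requested", REQUESTED)]:
        print(label, plaintext_only_secrets(tpl))
```
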
