Forked from miketheman/datadog-role-delegation.json
Last active
December 12, 2018 11:08
Datadog AWS Integration Automated Setup - CloudFormation
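# Datadog AWS integration via cross-account role delegation.
#
# Creates one IAM role that Datadog's AWS account (464622532012) may assume,
# gated by an ExternalId (the "SharedSecret" parameter), and attaches two
# inline policies to it: the metrics/integration permissions Datadog asks for,
# and read access to the CloudTrail log bucket named in CloudTrailBucket.
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SharedSecret:
    Description: Shared Secret aka External ID
    Type: String
    NoEcho: "true"
    # The ExternalId is the only control that stops another party who can
    # drive Datadog's account from assuming this role (confused deputy).
    # The original template defaulted this to "" so an omitted parameter
    # silently produced a trust policy keyed on an empty secret; the
    # parameter is now required and must be at least 2 characters, the
    # minimum the STS AssumeRole API accepts for an ExternalId.
    MinLength: 2
  CloudTrailBucket:
    Default: ""
    Description: CloudTrail logs bucket name
    Type: String
    # NOTE(review): with the default "" the !Sub below yields
    # "arn:aws:s3:::" which is not a usable bucket ARN; the stack
    # presumably fails on DatadogAWSCloudTrailReadOnlyAccessPolicy in that
    # case — supply a bucket name or drop that resource if CloudTrail
    # collection is not wanted.
Resources:
  DatadogAWSIntegrationRole:
    Type: "AWS::IAM::Role"
    Properties:
      # Trust policy: only Datadog's account may assume the role, and only
      # when it presents the ExternalId from SharedSecret.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action: "sts:AssumeRole"
            Effect: Allow
            Condition:
              StringEquals:
                "sts:ExternalId": !Ref SharedSecret
            Principal:
              AWS: "arn:aws:iam::464622532012:root"
      Path: /
  DatadogAWSIntegrationPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: DatadogAWSIntegrationPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Mostly Describe*/List*/Get* reads, granted on Resource "*".
          # Note the write-capable entries that are also in this list:
          # lambda:AddPermission / lambda:RemovePermission,
          # logs:PutSubscriptionFilter / logs:DeleteSubscriptionFilter,
          # s3:PutBucketNotification, sns:Publish, and support:* — scope
          # these down to specific resources if the account's policy
          # requires it.
          - Action:
              - "autoscaling:Describe*"
              - "budgets:ViewBudget"
              - "cloudfront:GetDistributionConfig"
              - "cloudfront:ListDistributions"
              - "cloudtrail:DescribeTrails"
              - "cloudtrail:GetTrailStatus"
              - "cloudwatch:Describe*"
              - "cloudwatch:Get*"
              - "cloudwatch:List*"
              - "codedeploy:List*"
              - "codedeploy:BatchGet*"
              - "directconnect:Describe*"
              - "dynamodb:List*"
              - "dynamodb:Describe*"
              - "ec2:Describe*"
              - "ecs:Describe*"
              - "ecs:List*"
              - "elasticache:Describe*"
              - "elasticache:List*"
              - "elasticfilesystem:DescribeFileSystems"
              - "elasticfilesystem:DescribeTags"
              - "elasticloadbalancing:Describe*"
              - "elasticmapreduce:List*"
              - "elasticmapreduce:Describe*"
              - "es:ListTags"
              - "es:ListDomainNames"
              - "es:DescribeElasticsearchDomains"
              - "health:DescribeEvents"
              - "health:DescribeEventDetails"
              - "health:DescribeAffectedEntities"
              - "kinesis:List*"
              - "kinesis:Describe*"
              - "lambda:AddPermission"
              - "lambda:GetPolicy"
              - "lambda:List*"
              - "lambda:RemovePermission"
              - "logs:Get*"
              - "logs:Describe*"
              - "logs:FilterLogEvents"
              - "logs:TestMetricFilter"
              - "logs:PutSubscriptionFilter"
              - "logs:DeleteSubscriptionFilter"
              - "logs:DescribeSubscriptionFilters"
              - "rds:Describe*"
              - "rds:List*"
              - "redshift:DescribeClusters"
              - "redshift:DescribeLoggingStatus"
              - "route53:List*"
              - "s3:GetBucketLogging"
              - "s3:GetBucketLocation"
              - "s3:GetBucketNotification"
              - "s3:GetBucketTagging"
              - "s3:ListAllMyBuckets"
              - "s3:PutBucketNotification"
              - "ses:Get*"
              - "sns:List*"
              - "sns:Publish"
              - "sqs:ListQueues"
              - "support:*"
              - "tag:GetResources"
              - "tag:GetTagKeys"
              - "tag:GetTagValues"
            Effect: Allow
            Resource: "*"
      Roles:
        - !Ref DatadogAWSIntegrationRole
  DatadogAWSCloudTrailReadOnlyAccessPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: DatadogAWSCloudTrailReadOnlyAccessPolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Read-only access limited to the named CloudTrail bucket and its
          # objects (bucket ARN for ListBucket/GetBucketLocation, object ARN
          # for GetObject).
          - Action:
              - "s3:ListBucket"
              - "s3:GetBucketLocation"
              - "s3:GetObject"
            Effect: Allow
            Resource:
              - !Sub "arn:aws:s3:::${CloudTrailBucket}"
              - !Sub "arn:aws:s3:::${CloudTrailBucket}/*"
      Roles:
        - !Ref DatadogAWSIntegrationRole
Outputs:
  RoleName:
    Description: The IAM Role to share with Datadog
    Value: !GetAtt
      - DatadogAWSIntegrationRole
      - Arn
  SharedSecret:
    Description: The Shared Secret aka External ID
    # NOTE(review): this output echoes the NoEcho parameter back in plain
    # text, so anyone allowed cloudformation:DescribeStacks on this stack
    # can read the ExternalId. NoEcho masks the parameter, not outputs
    # derived from it. Kept for compatibility with existing consumers;
    # consider removing it and handing the value to Datadog out of band.
    Value: !Ref SharedSecret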
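# Create the stack. CAPABILITY_IAM is required because the template creates
# IAM resources (a role and two inline policies).
#
# NOTE(review): SharedSecret is passed inline on the command line, so the
# value is written to shell history and is visible to other local users in
# the process list while the command runs. Prefer a parameters file with a
# restrictive mode, e.g. `--parameters file://params.json`, over an inline
# ParameterValue. The values below are placeholders.
$ aws cloudformation create-stack --stack-name DatadogAWSIntegration --capabilities CAPABILITY_IAM --template-body file://datadog-role-delegation.yaml --parameters ParameterKey=SharedSecret,ParameterValue=some-complex-generated-shared-secret ParameterKey=CloudTrailBucket,ParameterValue=your-cloudtrail-logs-bucketname
{
  "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/DatadogAWSIntegration/some-long-guid"
}
# Read back the outputs. The second object shows that the template's
# SharedSecret output returns the NoEcho parameter in plain text: anyone
# with cloudformation:DescribeStacks on this stack can recover it this way.
$ aws cloudformation describe-stacks --stack-name DatadogAWSIntegration --output json | jq '.Stacks[].Outputs[]'
{
  "Description": "The IAM Role to share with Datadog",
  "OutputKey": "RoleName",
  "OutputValue": "arn:aws:iam::123456789012:role/DatadogAWSIntegration-DatadogAWSIntegrationRole-ILKF6RXU0UQT"
}
{
  "Description": "The Shared Secret aka External ID",
  "OutputKey": "SharedSecret",
  "OutputValue": "some-complex-generated-shared-secret"
}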