From 6e833f587b1dd9c80ac6e1ba4e01cf33e8c4b1d3 Mon Sep 17 00:00:00 2001 From: Raymond Eah Date: Tue, 7 Apr 2026 15:19:05 -0400 Subject: [PATCH 1/2] [TON-XXX] Add EventBridge permissions for automated Agent installation on cloud resources Co-Authored-By: Claude Sonnet 4.6 (1M context) --- aws_quickstart/datadog_integration_role.yaml | 71 ++++++++++++++++++++ aws_quickstart/main_extended_workflow.yaml | 11 +++ 2 files changed, 82 insertions(+) diff --git a/aws_quickstart/datadog_integration_role.yaml b/aws_quickstart/datadog_integration_role.yaml index 821aff84..75f1157f 100644 --- a/aws_quickstart/datadog_integration_role.yaml +++ b/aws_quickstart/datadog_integration_role.yaml @@ -23,11 +23,21 @@ Parameters: Datadog AWS account ID allowed to assume the integration IAM role. DO NOT CHANGE! Type: String Default: "464622532012" + InstallAgentOnCloudResources: + Type: String + Default: false + AllowedValues: + - true + - false Conditions: ShouldInstallSecurityAuditPolicy: Fn::Equals: - Ref: ResourceCollectionPermissions - true + AgentOnCloudResources: + Fn::Equals: + - !Ref InstallAgentOnCloudResources + - "true" Resources: DatadogIntegrationRole: Type: "AWS::IAM::Role" 
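Review bot: The new `InstallAgentOnCloudResources` parameter in the Parameters hunk has no `Description`, while the preceding parameter documents itself ("... allowed to assume the integration IAM role. DO NOT CHANGE!"), so a reader of this role template sees a bare true/false switch that silently gates an additional IAM grant. Add something like `Description: When "true", also grants the Datadog integration role permission to create and manage EventBridge rules, connections and API destinations named datadog-* in every region of this account, plus a role EventBridge uses to invoke those API destinations. Default "false".` The new `AgentOnCloudResources` condition also mixes the `!Ref` short form with a quoted `"true"` literal while the existing `ShouldInstallSecurityAuditPolicy` condition uses the long `Ref:` form and an unquoted `true`; picking one form for both keeps the file consistent, and quoting `"true"`/`"false"` in `AllowedValues` and `Default` as well avoids relying on CloudFormation coercing YAML booleans into the String parameter.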
@@ -61,6 +71,67 @@ Resources: [!Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit"], !Ref AWS::NoValue, ] + DatadogEventBridgeInvocationRole: + Type: AWS::IAM::Role + Condition: AgentOnCloudResources + Properties: + RoleName: datadog-eventbridge-invocation-role + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: sts:AssumeRole + Policies: + - PolicyName: InvokeDatadogApiDestination + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: events:InvokeApiDestination + Resource: !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/datadog-*" + + DatadogAgentInstallEventBridgePolicy: + Type: AWS::IAM::Policy + Condition: AgentOnCloudResources + DependsOn: DatadogEventBridgeInvocationRole + Properties: + PolicyName: DatadogAgentInstallEventBridgePolicy + Roles: + - !Ref DatadogIntegrationRole + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - events:PutRule + - events:PutTargets + - events:DeleteRule + - events:RemoveTargets + - events:DescribeRule + - events:ListTargetsByRule + - events:CreateConnection + - events:UpdateConnection + - events:DeleteConnection + - events:DescribeConnection + - events:CreateApiDestination + - events:UpdateApiDestination + - events:DeleteApiDestination + - events:DescribeApiDestination + Resource: + - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:rule/datadog-*" + - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:connection/datadog-*" + - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/datadog-*" + - Effect: Allow + Action: + - iam:PassRole + Resource: + - !GetAtt DatadogEventBridgeInvocationRole.Arn + Condition: + StringEquals: + iam:PassedToService: events.amazonaws.com + DatadogAttachIntegrationPermissionsLambdaExecutionRole: Type: AWS::IAM::Role Properties: 
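Review bot: `DatadogEventBridgeInvocationRole` trusts the `events.amazonaws.com` service principal with no condition, so any EventBridge rule the service acts on behalf of could assume it; the usual confused-deputy hardening is to add `Condition: { StringEquals: { aws:SourceAccount: !Ref AWS::AccountId } }` (optionally an `ArnLike` on `aws:SourceArn` matching `arn:${AWS::Partition}:events:*:${AWS::AccountId}:rule/datadog-*`) to that `sts:AssumeRole` statement. The blast radius is bounded by the `events:InvokeApiDestination` permission on `api-destination/datadog-*`, but since the `iam:PassRole` grant on the cross-account integration role is what makes this role reachable from Datadog's side, the scope condition is cheap insurance. Separately, `events:CreateConnection`/`UpdateConnection` persist the connection's auth material in Secrets Manager, and in my experience the caller then also needs `secretsmanager:*` on `secret:events!connection/*` — I have not verified this against the backend flow, so please confirm the grant is sufficient before release. The fixed `RoleName: datadog-eventbridge-invocation-role` also means a second deployment of this stack in the same account (for example in another region) collides on the account-global role name; consider dropping `RoleName` or suffixing it with `${AWS::Region}` or the stack name.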
diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml index 1778dec0..8cc159b8 100644 --- a/aws_quickstart/main_extended_workflow.yaml +++ b/aws_quickstart/main_extended_workflow.yaml @@ -62,6 +62,16 @@ Parameters: or send logs using AWS PrivateLink should select "no" and install this independently (https://docs.datadoghq.com/serverless/libraries_integrations/forwarder/#installation). Default: true + InstallAgentOnCloudResources: + Type: String + AllowedValues: + - true + - false + Description: >- + Automatically install and manage the Datadog Agent on EKS clusters, + EC2 instances, and ECS clusters. Datadog will monitor CloudTrail events + and install the Agent on resources matching rules configured in Datadog. + Default: false DisableMetricCollection: Type: String AllowedValues: @@ -460,6 +470,7 @@ Resources: - !FindInMap [DdAccountIdBySite, "ddog-gov.com", AccountIdGovCloud] - !FindInMap [DdAccountIdBySite, "ddog-gov.com", AccountId] - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId] + InstallAgentOnCloudResources: !Ref InstallAgentOnCloudResources # Step 3: Notify IAM role creation finished NotifyIAMRoleCreationFinished: From 47fd0174f2c106b52c6c07517bb646899808178e Mon Sep 17 00:00:00 2001 From: Raymond Eah Date: Tue, 7 Apr 2026 16:10:33 -0400 Subject: [PATCH 2/2] [TON-XXX] Bump version to 4.8.0, update CHANGELOG Co-Authored-By: Claude Sonnet 4.6 (1M context) --- aws_quickstart/CHANGELOG.md | 4 ++++ aws_quickstart/version.txt | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md index 6170240c..bd658364 100644 --- a/aws_quickstart/CHANGELOG.md +++ b/aws_quickstart/CHANGELOG.md 
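Review bot: The `Description` for `InstallAgentOnCloudResources` in the `-62,6 +62,16` hunk tells the operator what Datadog will do but not what the template grants to make it happen, which is the part someone approving a cross-account role needs to see; extend it with a sentence such as `Enabling this also grants the Datadog integration role permission to create and manage EventBridge rules, connections and API destinations named datadog-* in every region of this account.` The phrase "resources matching rules configured in Datadog" is also easy to confuse with the EventBridge rules this feature creates — `matching the selection rules configured in Datadog` (or whatever the product calls them) would avoid the collision. The one-line pass-through in the `-460,6 +470,7` hunk looks consistent with the child template, which compares the string against `"true"`.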
@@ -1,3 +1,7 @@ +# 4.8.0 (April 7, 2026) + +- Add `InstallAgentOnCloudResources` parameter to enable automated Datadog Agent installation on EKS clusters, EC2 instances, and ECS clusters via EventBridge. When enabled, grants Datadog's backend IAM permissions to create and manage EventBridge rules in each active AWS region using the existing cross-account integration role. + # 4.7.3 (March 23, 2026) - Send Lambda log forwarder ARN back in the `stack_complete` workflow status payload so Datadog can register the deployed forwarder with the AWS integration automatically diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt index ece1b3d5..ba50f2da 100644 --- a/aws_quickstart/version.txt +++ b/aws_quickstart/version.txt @@ -1 +1 @@ -v4.7.4 +v4.8.0