From 9997719d8227705b330afdd33e53cba38d19d0cd Mon Sep 17 00:00:00 2001
From: Igor Iunash
Date: Mon, 23 Mar 2026 20:53:48 +0100
Subject: [PATCH] feat(permissions): add DatadogIntegrationRoleManagedPolicy5 for Resource Catalog and Cloud Cost Management

Add 27 missing IAM permissions reported by the Datadog console to support Resource Catalog and Cloud Cost Management features. Permissions cover account, appconfig, bedrock, cost-optimization-hub, dms, greengrass, iotfleetwise, rekognition, route53-recovery-control-config, and s3 services. Applied to both aws/datadog_integration_role.yaml and aws_organizations/main_organizations.yaml templates.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 aws/datadog_integration_role.yaml | 42 +++++++++++++++++++++++
 aws_organizations/main_organizations.yaml | 42 +++++++++++++++++++++++
 2 files changed, 84 insertions(+)

diff --git a/aws/datadog_integration_role.yaml b/aws/datadog_integration_role.yaml
index 58101b53..1a01c746 100644
--- a/aws/datadog_integration_role.yaml
+++ b/aws/datadog_integration_role.yaml
@@ -1000,6 +1000,48 @@ Resources:
 - 'workspaces-web:ListTrustStores'
 - 'workspaces-web:ListUserAccessLoggingSettings'
 - 'workspaces-web:ListUserSettings'
+ DatadogIntegrationRoleManagedPolicy5:
+ Type: 'AWS::IAM::ManagedPolicy'
+ Condition: GrantFullPermissions
+ Properties:
+ ManagedPolicyName: !Sub
+ - '${IAMRoleName}-ManagedPolicy-5'
+ - { IAMRoleName: !Ref IAMRoleName }
+ Roles:
+ - !Ref DatadogIntegrationRole
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Resource: '*'
+ Action:
+ - 'account:GetAlternateContact'
+ - 'account:GetPrimaryEmail'
+ - 'appconfig:ListApplications'
+ - 'appconfig:ListDeploymentStrategies'
+ - 'appconfig:ListExtensionAssociations'
+ - 'appconfig:ListExtensions'
+ - 'bedrock:ListEvaluationJobs'
+ - 'bedrock:ListMarketplaceModelEndpoints'
+ - 'cost-optimization-hub:ListRecommendations'
+ - 'dms:ListDataProviders'
+ - 'dms:ListInstanceProfiles'
+ - 'dms:ListMigrationProjects'
+ - 'greengrass:ListBulkDeployments'
+ - 'greengrass:ListConnectorDefinitions'
+ - 'greengrass:ListCoreDefinitions'
+ - 'greengrass:ListDeviceDefinitions'
+ - 'greengrass:ListFunctionDefinitions'
+ - 'greengrass:ListGroups'
+ - 'greengrass:ListLoggerDefinitions'
+ - 'greengrass:ListResourceDefinitions'
+ - 'greengrass:ListSubscriptionDefinitions'
+ - 'iotfleetwise:ListModelManifests'
+ - 'rekognition:DescribeProjects'
+ - 'rekognition:ListStreamProcessors'
+ - 'route53-recovery-control-config:ListClusters'
+ - 'route53-recovery-control-config:ListControlPanels'
+ - 's3:GetIntelligentTieringConfiguration'
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups:
diff --git a/aws_organizations/main_organizations.yaml b/aws_organizations/main_organizations.yaml
index 88f0b4ec..84db8101 100644
--- a/aws_organizations/main_organizations.yaml
+++ b/aws_organizations/main_organizations.yaml
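Review bot: DatadogIntegrationRoleManagedPolicy5 carries no comment explaining what it grants or why it is split off from ManagedPolicy 1–4, so a maintainer has only the commit message to go on; add `# Read-only List/Get/Describe actions for Resource Catalog and Cloud Cost Management (reported missing by the Datadog console)` above `DatadogIntegrationRoleManagedPolicy5:`. Two of the actions, `account:GetAlternateContact` and `account:GetPrimaryEmail`, return account contact details rather than resource inventory, so that comment should also record which feature needs them — presumably the console-reported list does, but the hunk does not say. `Version: 2012-10-17` is left unquoted; CloudFormation accepts it, but generic YAML 1.1 loaders (yamllint, PyYAML-based tooling) read it as a date, so use `Version: '2012-10-17'` unless the existing policies in this file use the bare form, in which case match them. The identical hunk in aws_organizations/main_organizations.yaml needs the same comment, and it gates the policy on `ResourceCollectionPermissions` where this file uses `GrantFullPermissions` — presumably each follows its template's existing policies, but worth confirming. The enclosing `Resources:` mapping starts and ends outside the hunk.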
@@ -1302,6 +1302,48 @@ Resources:
 - "workspaces-web:ListTrustStores"
 - "workspaces-web:ListUserAccessLoggingSettings"
 - "workspaces-web:ListUserSettings"
+ DatadogIntegrationRoleManagedPolicy5:
+ Type: "AWS::IAM::ManagedPolicy"
+ Condition: ResourceCollectionPermissions
+ Properties:
+ ManagedPolicyName: !Sub
+ - "${IAMRoleName}-ManagedPolicy-5"
+ - { IAMRoleName: !Ref IAMRoleName }
+ Roles:
+ - !Ref DatadogIntegrationRole
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Resource: "*"
+ Action:
+ - "account:GetAlternateContact"
+ - "account:GetPrimaryEmail"
+ - "appconfig:ListApplications"
+ - "appconfig:ListDeploymentStrategies"
+ - "appconfig:ListExtensionAssociations"
+ - "appconfig:ListExtensions"
+ - "bedrock:ListEvaluationJobs"
+ - "bedrock:ListMarketplaceModelEndpoints"
+ - "cost-optimization-hub:ListRecommendations"
+ - "dms:ListDataProviders"
+ - "dms:ListInstanceProfiles"
+ - "dms:ListMigrationProjects"
+ - "greengrass:ListBulkDeployments"
+ - "greengrass:ListConnectorDefinitions"
+ - "greengrass:ListCoreDefinitions"
+ - "greengrass:ListDeviceDefinitions"
+ - "greengrass:ListFunctionDefinitions"
+ - "greengrass:ListGroups"
+ - "greengrass:ListLoggerDefinitions"
+ - "greengrass:ListResourceDefinitions"
+ - "greengrass:ListSubscriptionDefinitions"
+ - "iotfleetwise:ListModelManifests"
+ - "rekognition:DescribeProjects"
+ - "rekognition:ListStreamProcessors"
+ - "route53-recovery-control-config:ListClusters"
+ - "route53-recovery-control-config:ListControlPanels"
+ - "s3:GetIntelligentTieringConfiguration"
 Metadata:
 AWS::CloudFormation::Interface:
 ParameterGroups: