diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index a2903ad..57488a8 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 4.12.0 (May 28, 2026)
+
+- Add an EventBridge pipeline that forwards EC2 and EKS resource lifecycle and configuration update events to Datadog, enabling the Datadog Agent management feature to react to changes in real time. Customers enable forwarding per resource type when configuring Agent management.
+
 # 4.11.1 (May 27, 2026) - Forward `InstrumentationResourceTypes` and `DatadogSite` from workflow and extended templates to the nested integration role stack, so launches can attach the Agent instrumentation IAM permissions selected during onboarding. Affects `main_workflow.yaml`, `main_extended_workflow.yaml`, and `main_extended.yaml`
diff --git a/aws_quickstart/datadog_agent_resource_update_forwarding.yaml b/aws_quickstart/datadog_agent_resource_update_forwarding.yaml
new file mode 100644
index 0000000..59123d7
--- /dev/null
+++ b/aws_quickstart/datadog_agent_resource_update_forwarding.yaml
@@ -0,0 +1,145 @@
+# version:
+AWSTemplateFormatVersion: 2010-09-09
+Description: Datadog AWS Integration - EventBridge forwarding of resource update events
+Parameters:
+ APIKey:
+ Description: >-
+ API key for the Datadog account (find at https://app.datadoghq.com/organization-settings/api-keys).
+ Type: String
+ AllowedPattern: "([0-9a-f]{32})?"
+ NoEcho: true
+ APPKey:
+ Description: >-
+ APP key for the Datadog account (find at https://app.datadoghq.com/organization-settings/application-keys).
+ Type: String
+ AllowedPattern: "(([0-9a-f]{40})|(ddapp_[a-zA-Z0-9]{34}))?"
+ NoEcho: true
+ DatadogSite:
+ Type: String
+ Default: datadoghq.com
+ Description: >-
+ Datadog site events are forwarded to.
+ InstrumentationResourceTypes:
+ Type: String
+ Default: ""
+ Description: >-
+ Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance,
+ aws:eks:cluster) to forward CloudTrail events for. Only rules for the listed
+ types are deployed.
+Conditions:
+ IncludeEC2:
+ Fn::Not:
+ - Fn::Equals:
+ - !Join ["", !Split [",aws:ec2:instance,", !Sub ",${InstrumentationResourceTypes},"]]
+ - !Sub ",${InstrumentationResourceTypes},"
+ IncludeEKS:
+ Fn::Not:
+ - Fn::Equals:
+ - !Join ["", !Split [",aws:eks:cluster,", !Sub ",${InstrumentationResourceTypes},"]]
+ - !Sub ",${InstrumentationResourceTypes},"
+Resources:
+ DDIntakeConnection:
+ Type: AWS::Events::Connection
+ Properties:
+ Name: datadog-agent-resource-update-intake-connection
+ Description: Credentials for the Datadog resource update intake
+ AuthorizationType: API_KEY
+ AuthParameters:
+ ApiKeyAuthParameters:
+ ApiKeyName: DD-API-KEY
+ ApiKeyValue: !Ref APIKey
+ InvocationHttpParameters:
+ HeaderParameters:
+ - Key: DD-APPLICATION-KEY
+ Value: !Ref APPKey
+ IsValueSecret: true
+ DDIntakeApiDestination:
+ Type: AWS::Events::ApiDestination
+ Properties:
+ Name: datadog-agent-resource-update-intake-destination
+ ConnectionArn: !GetAtt DDIntakeConnection.Arn
+ InvocationEndpoint: !Sub
"https://api.${DatadogSite}/api/unstable/instrumenter/events"
+ HttpMethod: POST
+ InvocationRateLimitPerSecond: 10
+ DDEventBridgeInvocationRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: events.amazonaws.com
+ Action: sts:AssumeRole
+ Condition:
+ StringEquals:
+ aws:SourceAccount: !Ref AWS::AccountId
+ Policies:
+ - PolicyName: datadog-eventbridge-invoke
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Action: events:InvokeApiDestination
+ Resource: !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:api-destination/*"
+ DDEventForwardingRuleEC2:
+ Type: AWS::Events::Rule
+ Condition: IncludeEC2
+ Properties:
+ Name: datadog-agent-resource-update-rule-ec2
+ Description: Forward EC2 CloudTrail events to the Datadog resource update intake
+ State: ENABLED
+ EventPattern:
+ source:
+ - aws.ec2
+ detail-type:
+ - "AWS API Call via CloudTrail"
+ detail:
+ errorCode:
+ - exists: false
+ $or:
+ - eventName:
+ - RunInstances
+ - ModifyInstanceAttribute
+ - eventName:
+ - CreateTags
+ - DeleteTags
+ requestParameters:
+ resourcesSet:
+ items:
+ resourceId:
+ - prefix: "i-"
+ Targets:
+ - Id: datadog-intake
+ Arn: !GetAtt DDIntakeApiDestination.Arn
+ RoleArn: !GetAtt DDEventBridgeInvocationRole.Arn
+ DDEventForwardingRuleEKS:
+ Type: AWS::Events::Rule
+ Condition: IncludeEKS
+ Properties:
+ Name: datadog-agent-resource-update-rule-eks
+ Description: Forward EKS CloudTrail events to the Datadog resource update intake
+ State: ENABLED
+ EventPattern:
+ source:
+ - aws.eks
+ detail-type:
+ - "AWS API Call via CloudTrail"
+ detail:
+ errorCode:
+ - exists: false
+ $or:
+ - eventName:
+ - CreateCluster
+ - UpdateClusterConfig
+ - UpdateClusterVersion
+ - eventName:
+ - TagResource
+ - UntagResource
+ requestParameters:
+ resourceArn:
+ - wildcard: "*:cluster/*"
+ Targets:
+ - Id: datadog-intake
+ Arn: !GetAtt DDIntakeApiDestination.Arn
+ RoleArn:
!GetAtt DDEventBridgeInvocationRole.Arn
diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml
index 33e9cd7..6948bdb 100644
--- a/aws_quickstart/main_extended_workflow.yaml
+++ b/aws_quickstart/main_extended_workflow.yaml
@@ -219,6 +219,11 @@ Conditions: Fn::Equals: - !Ref DisableResourceCollection - false
+ ShouldForwardEvents:
+ Fn::Not:
+ - Fn::Equals:
+ - !Join ["", !Ref InstrumentationResourceTypes]
+ - ""
 EnableAgentlessScanning: Fn::And: - Fn::Not:
@@ -556,6 +561,20 @@ Resources: stack_id: !Ref AWS::StackId forwarder_arn: !GetAtt ForwarderStack.Outputs.DatadogForwarderArn
+ # EventBridge pipeline forwarding CloudTrail events to the Datadog resource update
+ # intake. Deployed only when at least one InstrumentationResourceTypes value is set;
+ # single-region (covers the region this stack is deployed in).
+ DatadogAgentResourceUpdateForwardingStack:
+ Type: AWS::CloudFormation::Stack
+ Condition: ShouldForwardEvents
+ Properties:
+ TemplateURL: "https://.s3.amazonaws.com/aws//datadog_agent_resource_update_forwarding.yaml"
+ Parameters:
+ APIKey: !Ref APIKey
+ APPKey: !Ref APPKey
+ DatadogSite: !Ref DatadogSite
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+
 # Step 6: Notify starting agentless scanning setup (if enabling) NotifyAgentlessScanningStarted: Type: Custom::WorkflowStatus
diff --git a/aws_quickstart/main_workflow.yaml b/aws_quickstart/main_workflow.yaml
index 48b7b61..33ee860 100644
--- a/aws_quickstart/main_workflow.yaml
+++ b/aws_quickstart/main_workflow.yaml
@@ -119,6 +119,11 @@ Conditions: Fn::Equals: - !Ref DisableResourceCollection - false
+ ShouldForwardEvents:
+ Fn::Not:
+ - Fn::Equals:
+ - !Join ["", !Ref InstrumentationResourceTypes]
+ - ""
 IsGov: Fn::Or: - Fn::Equals:
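Review bot: `DatadogSite` is interpolated straight into `InvocationEndpoint` with no `AllowedValues` or `AllowedPattern`, so a mistyped or hostile value makes EventBridge send both `DD-API-KEY` and `DD-APPLICATION-KEY` to an arbitrary `api.<value>` host; the parent templates may constrain it, but this file is deployable on its own. Constrain it here too, e.g. `AllowedPattern: '^([a-z0-9]+\.)?datadoghq\.(com|eu)$|^ddog-gov\.com$'` (the parent's `IsGov` condition suggests the gov site is in scope), or copy the parent's `AllowedValues`. The invoke role's `Resource: ... api-destination/*` across every region is broader than needed; `Resource: !GetAtt DDIntakeApiDestination.Arn` grants exactly the one destination and introduces no dependency cycle (the rules already depend on both). Neither rule target sets `DeadLetterConfig`, so invocations that exhaust EventBridge's retries (intake 5xx, backlog behind `InvocationRateLimitPerSecond: 10`) are dropped with no trace — an SQS dead-letter queue on both targets makes that loss observable. Lastly, `AWS API Call via CloudTrail` events only reach EventBridge when a trail is logging management events in the region, which is worth stating in the `Description` since the template expresses no such dependency.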
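Review bot: `TemplateURL` has an empty bucket host and an empty path segment (`https://.s3.amazonaws.com/aws//datadog_agent_resource_update_forwarding.yaml`), so as committed the nested stack cannot be fetched; presumably the release tooling substitutes these like the other nested stacks in this file, but if it does not, creating `DatadogAgentResourceUpdateForwardingStack` fails whenever `ShouldForwardEvents` is true. If it is a placeholder, a comment such as `# bucket and version segment are filled in by the release script` next to it stops the next reader from treating it as a bug, and whatever fills the empty segment should be this release's version rather than a floating path, so the template the customer's account fetches stays tied to what was reviewed. Note also that `ShouldForwardEvents` (hunk at line 219) is true for any non-empty `InstrumentationResourceTypes`, while the child only creates rules for `aws:ec2:instance` and `aws:eks:cluster`; for any other type the child still creates the EventBridge Connection holding both keys and the invoke role with nothing using them. The enclosing `Resources` section continues outside the hunk.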
@@ -412,6 +417,20 @@ Resources: stack_id: !Ref AWS::StackId forwarder_arn: !GetAtt ForwarderStack.Outputs.DatadogForwarderArn
+ # EventBridge pipeline forwarding CloudTrail events to the Datadog resource update
+ # intake. Deployed only when at least one InstrumentationResourceTypes value is set;
+ # single-region (covers the region this stack is deployed in).
+ DatadogAgentResourceUpdateForwardingStack:
+ Type: AWS::CloudFormation::Stack
+ Condition: ShouldForwardEvents
+ Properties:
+ TemplateURL: "https://.s3.amazonaws.com/aws//datadog_agent_resource_update_forwarding.yaml"
+ Parameters:
+ APIKey: !Ref APIKey
+ APPKey: !Ref APPKey
+ DatadogSite: !Ref DatadogSite
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+
 # Step 6: Final notification - stack complete (with forwarder) NotifyStackCompleteWithForwarder: Type: Custom::WorkflowStatus
diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt
index 341d462..63a54c4 100644
--- a/aws_quickstart/version.txt
+++ b/aws_quickstart/version.txt
@@ -1 +1 @@
-v4.11.1
+v4.12.0
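Review bot: `Condition: ShouldForwardEvents` deploys the child for any non-empty `InstrumentationResourceTypes`, but the child template only creates rules for `aws:ec2:instance` and `aws:eks:cluster` (its `IncludeEC2`/`IncludeEKS` conditions), so a list holding only other types still creates the EventBridge Connection that stores `APIKey`/`APPKey` plus the invoke role, with no rule attached. Either mirror the child's substring test in the parent condition or record the trade-off beside the resource, e.g. `# Child deploys rules only for aws:ec2:instance / aws:eks:cluster; other types yield an idle Connection`. `TemplateURL` also has an empty bucket host and version segment (`https://.s3.amazonaws.com/aws//…`); if the release tooling fills those in, a comment saying so would help, otherwise stack creation fails whenever the condition is true. The enclosing `Resources` section continues outside the hunk.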