From cea65036f885fbaec73b617d0b884b901b04b6f0 Mon Sep 17 00:00:00 2001
From: Raymond Eah
Date: Tue, 19 May 2026 16:51:03 -0400
Subject: [PATCH 1/5] [TON-388] feat(aws_quickstart): port InstrumentationResourceTypes to main_extended and main_extended_workflow
v4.10.0 (PR #306) added the InstrumentationResourceTypes parameter only to main_v2.yaml. main_extended.yaml and main_extended_workflow.yaml are the templates UI launches actually use going forward, so the parameter and the DatadogSite + InstrumentationResourceTypes passthrough to the role stack belong there too.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
aws_quickstart/main_extended.yaml | 10 ++++++++++
aws_quickstart/main_extended_workflow.yaml | 10 ++++++++++
2 files changed, 20 insertions(+)
diff --git a/aws_quickstart/main_extended.yaml b/aws_quickstart/main_extended.yaml
index 7c8c8434..8c7b9098 100644
--- a/aws_quickstart/main_extended.yaml
+++ b/aws_quickstart/main_extended.yaml
@@ -116,6 +116,13 @@ Parameters:
 For cross-account Agentless Scanning: the ARNs of Agentless Scanner roles authorized to scan this account.
 AllowedPattern: "|arn:aws:iam::[0-9]{12}:role/.+"
 Default: ""
+ InstrumentationResourceTypes:
+ Type: CommaDelimitedList
+ Description: >-
+ Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
+ that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
+ Agent. Leave blank to skip granting any extra instrumentation permissions.
+ Default: ""
 Rules:
 CSPMResourceCollectionValidState:
 Assertions:
@@ -269,6 +276,8 @@ Resources:
 ExternalId: !GetAtt DatadogAPICall.Outputs.ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+ DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
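Review bot: The new `InstrumentationResourceTypes` parameter in the first hunk has no `AllowedPattern`, while the parameter directly above it constrains its input with `AllowedPattern: "|arn:aws:iam::[0-9]{12}:role/.+"`. Its value is joined and forwarded to the role stack in the second hunk, and per the 4.10.0 changelog entry quoted later in this series it selects which extra IAM managed policies get attached to the integration role, so rejecting malformed entries at the template boundary is cheap defence in depth and gives a clearer error than a failed permission fetch downstream. CloudFormation applies `AllowedPattern` to each element of a `CommaDelimitedList`, so a line such as `AllowedPattern: "|aws:[a-z0-9_-]+:[a-z0-9_-]+"` (constructed from the UDM examples in the description; confirm against the actual UDM grammar) would keep the empty default valid and follow the existing convention, optionally with a `ConstraintDescription` naming the expected form. The same definition is added to main_extended_workflow.yaml in this patch and to main_workflow.yaml in patch 4, which also reverts this file, so the constraint belongs in those two templates.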
@@ -327,6 +336,7 @@ Metadata:
 - ScannerDelegateRoleName
 - ScannerInstanceRoleARN
 - DisableMetricCollection
+ - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"
diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml
index 5b2e19a4..6e29c866 100644
--- a/aws_quickstart/main_extended_workflow.yaml
+++ b/aws_quickstart/main_extended_workflow.yaml
@@ -126,6 +126,13 @@ Parameters:
 For cross-account Agentless Scanning: the ARNs of Agentless Scanner roles authorized to scan this account.
 AllowedPattern: "|arn:aws:iam::[0-9]{12}:role/.+"
 Default: ""
+ InstrumentationResourceTypes:
+ Type: CommaDelimitedList
+ Description: >-
+ Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
+ that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
+ Agent. Leave blank to skip granting any extra instrumentation permissions.
+ Default: ""
 WorkflowId:
 Description: >-
 Unique identifier for this workflow instance. This is generated by the Datadog UI and used to track
@@ -474,6 +481,8 @@ Resources:
 ExternalId: !Ref ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+ DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
@@ -756,6 +765,7 @@ Metadata:
 - ScannerDelegateRoleName
 - ScannerInstanceRoleARN
 - DisableMetricCollection
+ - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"
From 445939dee1b1002bababdb19a98a70230375422f Mon Sep 17 00:00:00 2001
From: Raymond Eah
Date: Tue, 19 May 2026 16:55:46 -0400
Subject: [PATCH 2/5] [TON-388] chore(aws_quickstart): bump to v4.11.0 with changelog entry
Co-Authored-By: Claude Opus 4.7 (1M context)
---
aws_quickstart/CHANGELOG.md | 4 ++++
aws_quickstart/version.txt | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index 2edc93e9..3ce577ac 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 4.11.0 (May 19, 2026)
+
+- Make the `InstrumentationResourceTypes` parameter (added in 4.10.0) available in the extended templates as well, so customers launching from the workflow path can also grant Agent management instrumentation permissions on their integration role.
+
 # 4.10.0 (May 13, 2026)
 - Add `InstrumentationResourceTypes` parameter to `main_v2.yaml`. When set to a comma-separated list of UDM resource types (e.g. `aws:ec2:instance,aws:ecs:cluster,aws:eks:cluster`), the integration role's permission-attach Lambda calls `GET /api/unstable/instrumenter/aws/iam_permissions?resource_type=...&chunked=true` and attaches the returned IAM permissions as additional managed policies on the integration role, so customers can install the Datadog Agent on those resources without extra IAM setup. Failure to fetch or attach these extra permissions is non-blocking — the integration install proceeds with a warning. Affects `main_v2.yaml`, `datadog_integration_role.yaml`, `attach_integration_permissions.py`
diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt
index d3d9bf7a..bf721f57 100644
--- a/aws_quickstart/version.txt
+++ b/aws_quickstart/version.txt
@@ -1 +1 @@
-v4.10.0
+v4.11.0
From caf18eb6e51e064d8f83d798d35ef1bb5a91c8ab Mon Sep 17 00:00:00 2001
From: Raymond Eah
Date: Wed, 20 May 2026 14:12:44 -0400
Subject: [PATCH 3/5] [TON-388] docs(aws_quickstart): simplify 4.11.0 changelog entry
Co-Authored-By: Claude Opus 4.7 (1M context)
---
aws_quickstart/CHANGELOG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index 3ce577ac..044a03b4 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,6 +1,6 @@
 # 4.11.0 (May 19, 2026)
-- Make the `InstrumentationResourceTypes` parameter (added in 4.10.0) available in the extended templates as well, so customers launching from the workflow path can also grant Agent management instrumentation permissions on their integration role.
+- Make the `InstrumentationResourceTypes` parameter (added in 4.10.0) available in `main_extended.yaml` and `main_extended_workflow.yaml` as well
 # 4.10.0 (May 13, 2026)
From 678c7af0acdbd531d768eb8c33e74e42a767ff1c Mon Sep 17 00:00:00 2001
From: Raymond Eah
Date: Wed, 20 May 2026 16:10:52 -0400
Subject: [PATCH 4/5] [TON-388] fix(aws_quickstart): shift InstrumentationResourceTypes port to main_workflow (drop main_extended)
main_extended.yaml isn't on the UI launch path; revert there and apply to main_workflow.yaml instead.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
aws_quickstart/CHANGELOG.md | 2 +-
aws_quickstart/main_extended.yaml | 10 ----------
aws_quickstart/main_workflow.yaml | 10 ++++++++++
3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index 044a03b4..57ccb090 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,6 +1,6 @@
 # 4.11.0 (May 19, 2026)
-- Make the `InstrumentationResourceTypes` parameter (added in 4.10.0) available in `main_extended.yaml` and `main_extended_workflow.yaml` as well
+- Make the `InstrumentationResourceTypes` parameter (added in 4.10.0) available in `main_workflow.yaml` and `main_extended_workflow.yaml` as well
 # 4.10.0 (May 13, 2026)
diff --git a/aws_quickstart/main_extended.yaml b/aws_quickstart/main_extended.yaml
index 8c7b9098..7c8c8434 100644
--- a/aws_quickstart/main_extended.yaml
+++ b/aws_quickstart/main_extended.yaml
@@ -116,13 +116,6 @@ Parameters:
 For cross-account Agentless Scanning: the ARNs of Agentless Scanner roles authorized to scan this account.
 AllowedPattern: "|arn:aws:iam::[0-9]{12}:role/.+"
 Default: ""
- InstrumentationResourceTypes:
- Type: CommaDelimitedList
- Description: >-
- Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
- that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
- Agent. Leave blank to skip granting any extra instrumentation permissions.
- Default: ""
 Rules:
 CSPMResourceCollectionValidState:
 Assertions:
@@ -276,8 +269,6 @@ Resources:
 ExternalId: !GetAtt DatadogAPICall.Outputs.ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
- InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
- DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
@@ -336,7 +327,6 @@ Metadata:
 - ScannerDelegateRoleName
 - ScannerInstanceRoleARN
 - DisableMetricCollection
- - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"
diff --git a/aws_quickstart/main_workflow.yaml b/aws_quickstart/main_workflow.yaml
index d361e220..3aa6038b 100644
--- a/aws_quickstart/main_workflow.yaml
+++ b/aws_quickstart/main_workflow.yaml
@@ -68,6 +68,13 @@ Parameters:
 External ID for the IAM role trust policy. This is generated by the Datadog UI and ensures that only your Datadog organization can assume this role.
 Type: String
+ InstrumentationResourceTypes:
+ Type: CommaDelimitedList
+ Description: >-
+ Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
+ that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
+ Agent. Leave blank to skip granting any extra instrumentation permissions.
+ Default: ""
 Mappings:
 # AccountIdGovCloud is only read on GovCloud sites (ddog-gov.com, us2.ddog-gov.com).
 # Commercial sites carry "NOT_APPLICABLE" so Fn::FindInMap can resolve the key at
@@ -330,6 +337,8 @@ Resources:
 ExternalId: !Ref ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+ DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
@@ -490,6 +499,7 @@ Metadata:
 Parameters:
 - IAMRoleName
 - DisableResourceCollection
+ - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"
From c7ae7ad7ae883b6e6d6a21c212f5c0bcc298fea6 Mon Sep 17 00:00:00 2001
From: Raymond Eah
Date: Wed, 27 May 2026 11:32:56 -0400
Subject: [PATCH 5/5] [TON-388] docs(aws_quickstart): rewrite InstrumentationResourceTypes parameter description
Co-Authored-By: Claude Opus 4.7
---
aws_quickstart/main_extended_workflow.yaml | 6 +++---
aws_quickstart/main_workflow.yaml | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml
index 6e29c866..1b316b03 100644
--- a/aws_quickstart/main_extended_workflow.yaml
+++ b/aws_quickstart/main_extended_workflow.yaml
@@ -129,9 +129,9 @@ Parameters:
 InstrumentationResourceTypes:
 Type: CommaDelimitedList
 Description: >-
- Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
- that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
- Agent. Leave blank to skip granting any extra instrumentation permissions.
+ Comma-separated list of AWS resource types, in UDM format, that Datadog uses to determine which additional
+ IAM permissions to grant the integration role. These permissions are used for Datadog Agent instrumentation.
+ Leave blank to skip granting extra instrumentation permissions.
 Default: ""
 WorkflowId:
 Description: >-
diff --git a/aws_quickstart/main_workflow.yaml b/aws_quickstart/main_workflow.yaml
index 3aa6038b..91604923 100644
--- a/aws_quickstart/main_workflow.yaml
+++ b/aws_quickstart/main_workflow.yaml
@@ -71,9 +71,9 @@ Parameters:
 InstrumentationResourceTypes:
 Type: CommaDelimitedList
 Description: >-
- Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
- that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
- Agent. Leave blank to skip granting any extra instrumentation permissions.
+ Comma-separated list of AWS resource types, in UDM format, that Datadog uses to determine which additional
+ IAM permissions to grant the integration role. These permissions are used for Datadog Agent instrumentation.
+ Leave blank to skip granting extra instrumentation permissions.
 Default: ""
 Mappings:
 # AccountIdGovCloud is only read on GovCloud sites (ddog-gov.com, us2.ddog-gov.com).