From a449d96459230864e2eede9086e5092dc7829ba0 Mon Sep 17 00:00:00 2001
From: Fanny Jiang
Date: Wed, 27 May 2026 15:49:09 -0400
Subject: [PATCH 1/2] [TON-513] fix workflow instrumentation permissions
---
 aws_quickstart/CHANGELOG.md | 4 ++++
 aws_quickstart/main_extended_workflow.yaml | 10 ++++++++++
 aws_quickstart/main_workflow.yaml | 10 ++++++++++
 aws_quickstart/version.txt | 2 +-
 4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index 8e539449..2303245e 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 4.11.1 (May 27, 2026)
+
+- Forward `InstrumentationResourceTypes` and `DatadogSite` from workflow templates to the nested integration role stack, so Datadog UI launches can attach the Agent instrumentation IAM permissions selected by the onboarding workflow. Affects `main_workflow.yaml` and `main_extended_workflow.yaml`
+
 # 4.11.0 (May 19, 2026)
 
 - Allow the Datadog Agent running in agentless scanner instances to read the systemd journal.
diff --git a/aws_quickstart/main_extended_workflow.yaml b/aws_quickstart/main_extended_workflow.yaml
index 5b2e19a4..33e9cd7f 100644
--- a/aws_quickstart/main_extended_workflow.yaml
+++ b/aws_quickstart/main_extended_workflow.yaml
@@ -92,6 +92,13 @@ Parameters: Datadog CSPM is a product that automatically detects resource misconfigurations in your AWS account according to industry benchmarks. More info: https://www.datadoghq.com/product/security-platform/cloud-security-posture-management/ Default: false
+ InstrumentationResourceTypes:
+ Type: CommaDelimitedList
+ Description: >-
+ Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
+ that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
+ Agent. Leave blank to skip granting any extra instrumentation permissions.
+ Default: ""
 AgentlessVulnerabilityScanning:
 Type: String
 AllowedValues:
@@ -474,6 +481,8 @@ Resources:
 ExternalId: !Ref ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+ DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
@@ -756,6 +765,7 @@ Metadata:
 - ScannerDelegateRoleName
 - ScannerInstanceRoleARN
 - DisableMetricCollection
+ - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"
diff --git a/aws_quickstart/main_workflow.yaml b/aws_quickstart/main_workflow.yaml
index d361e220..48b7b61b 100644
--- a/aws_quickstart/main_workflow.yaml
+++ b/aws_quickstart/main_workflow.yaml
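Review bot: The new `InstrumentationResourceTypes` parameter in the first hunk directly widens the IAM permissions the nested role stack grants, yet it carries no `AllowedPattern`, so a mistyped or unexpected entry is only caught, if at all, by whatever the nested template does with the joined string. CloudFormation applies `AllowedPattern` to each element of a `CommaDelimitedList`, so a pattern such as `AllowedPattern: "^(aws:[a-z0-9-]+:[a-z0-9-]+)?$"` (constructed here; the trailing `?` keeps the empty default valid) plus a `ConstraintDescription` naming the expected UDM form would reject bad input at stack validation time, and the pattern should be aligned with the set the nested template actually accepts, which is not part of this patch set. The same unvalidated parameter block is repeated in the main_workflow.yaml and main_extended.yaml hunks. The `Parameters` section continues outside the hunk on both sides.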
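Review bot: The two `Parameters` entries added in the second hunk assume the nested integration role template already declares `InstrumentationResourceTypes` and `DatadogSite`; that template is not among the four files in this patch set, so if the nested stack's `TemplateURL` (outside the hunk) points at a pinned version, CloudFormation will reject the update with an unknown-parameter error until that reference is bumped. `DatadogSite` is also referenced here without a matching addition to the `Parameters` section, so it is presumably declared elsewhere in each template; worth confirming, since an undeclared `!Ref` fails validation. The same two lines are added in main_workflow.yaml and main_extended.yaml. The enclosing nested-stack resource starts and ends outside the hunk.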
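Review bot: The third hunk lists `InstrumentationResourceTypes` in a parameter group but, judging by the file's 10 insertions, adds no `ParameterLabels` entry, so the console will show the raw logical ID next to labelled neighbours such as `DatadogApiKey *`; adding `InstrumentationResourceTypes:` / `default: "AgentInstrumentationResourceTypes"` under `ParameterLabels` keeps the form consistent. The parameter is also slotted after `DisableMetricCollection`, alongside the scanner-role parameters, whereas main_workflow.yaml places it after `DisableResourceCollection`; the group labels are outside the hunk, so this may be intentional, but it is worth checking that it lands in the group users associate with resource collection. The same missing label applies to the Metadata hunks in main_workflow.yaml and main_extended.yaml.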
@@ -58,6 +58,13 @@ Parameters: Disabling resource collection for this account will lead to a loss in visibility into your AWS services. Disable this if you do not want to collect configuration information for the resources in this AWS account. Default: false
+ InstrumentationResourceTypes:
+ Type: CommaDelimitedList
+ Description: >-
+ Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
+ that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
+ Agent. Leave blank to skip granting any extra instrumentation permissions.
+ Default: ""
 WorkflowId:
 Description: >-
 Unique identifier for this workflow instance. This is generated by the Datadog UI and used to track
@@ -330,6 +337,8 @@ Resources:
 ExternalId: !Ref ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+ DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
@@ -490,6 +499,7 @@ Metadata:
 Parameters:
 - IAMRoleName
 - DisableResourceCollection
+ - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"
diff --git a/aws_quickstart/version.txt b/aws_quickstart/version.txt
index bf721f57..341d4629 100644
--- a/aws_quickstart/version.txt
+++ b/aws_quickstart/version.txt
@@ -1 +1 @@
-v4.11.0
+v4.11.1
From 3c3df53e127896d478de405d998cbb2d7f7d447c Mon Sep 17 00:00:00 2001
From: Fanny Jiang
Date: Wed, 27 May 2026 16:48:29 -0400
Subject: [PATCH 2/2] [TON-513] include extended instrumentation permissions
---
 aws_quickstart/CHANGELOG.md | 2 +-
 aws_quickstart/main_extended.yaml | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/aws_quickstart/CHANGELOG.md b/aws_quickstart/CHANGELOG.md
index 2303245e..a2903ad5 100644
--- a/aws_quickstart/CHANGELOG.md
+++ b/aws_quickstart/CHANGELOG.md
@@ -1,6 +1,6 @@
 # 4.11.1 (May 27, 2026)
 
-- Forward `InstrumentationResourceTypes` and `DatadogSite` from workflow templates to the nested integration role stack, so Datadog UI launches can attach the Agent instrumentation IAM permissions selected by the onboarding workflow. Affects `main_workflow.yaml` and `main_extended_workflow.yaml`
+- Forward `InstrumentationResourceTypes` and `DatadogSite` from workflow and extended templates to the nested integration role stack, so launches can attach the Agent instrumentation IAM permissions selected during onboarding. Affects `main_workflow.yaml`, `main_extended_workflow.yaml`, and `main_extended.yaml`
 
 # 4.11.0 (May 19, 2026)
 
diff --git a/aws_quickstart/main_extended.yaml b/aws_quickstart/main_extended.yaml
index 7c8c8434..b009a835 100644
--- a/aws_quickstart/main_extended.yaml
+++ b/aws_quickstart/main_extended.yaml
@@ -82,6 +82,13 @@ Parameters: Datadog CSPM is a product that automatically detects resource misconfigurations in your AWS account according to industry benchmarks. More info: https://www.datadoghq.com/product/security-platform/cloud-security-posture-management/ Default: false
+ InstrumentationResourceTypes:
+ Type: CommaDelimitedList
+ Description: >-
+ Comma-separated list of AWS resource types (UDM form, e.g. aws:ec2:instance, aws:ecs:cluster, aws:eks:cluster)
+ that the Datadog integration role should be granted the IAM permissions required to instrument with the Datadog
+ Agent. Leave blank to skip granting any extra instrumentation permissions.
+ Default: ""
 AgentlessVulnerabilityScanning:
 Type: String
 AllowedValues:
@@ -269,6 +276,8 @@ Resources:
 ExternalId: !GetAtt DatadogAPICall.Outputs.ExternalId
 IAMRoleName: !Ref IAMRoleName
 ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
+ InstrumentationResourceTypes: !Join [",", !Ref InstrumentationResourceTypes]
+ DatadogSite: !Ref DatadogSite
 DdAWSAccountId: !If
 - IsGov
 - !If
@@ -327,6 +336,7 @@ Metadata:
 - ScannerDelegateRoleName
 - ScannerInstanceRoleARN
 - DisableMetricCollection
+ - InstrumentationResourceTypes
 ParameterLabels:
 APIKey:
 default: "DatadogApiKey *"