From ff2cf3ad578f2d1b0b0f9178a659b1d4d105c728 Mon Sep 17 00:00:00 2001
From: Kyle Harris
Date: Tue, 9 Jun 2026 11:52:10 -0400
Subject: [PATCH] feat(aws_streams): make metric stream IAM ARNs partition-aware for GovCloud

Convert all hardcoded arn:aws: references in streams_main.yaml to arn:${AWS::Partition}: so the StackSet admin/execution roles and the Datadog service/stream roles resolve correctly in the aws-us-gov partition. This unblocks creating CloudWatch metric streams in GovCloud accounts (targeting us2.ddog-gov.com / us2.fed), whose intake endpoint is already mapped in streams_single_region.yaml.

Drive-by: normalize the StackSet child TemplateURL from path-style (https://s3.amazonaws.com//...) to virtual-hosted style (https://.s3.amazonaws.com/...) to match the convention used throughout aws_quickstart and avoid path-style deprecation quirks.

Bump version v1.1.2 -> v1.1.3.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
aws_streams/streams_main.yaml | 28 ++++++++++++++--------------
aws_streams/version.txt | 2 +-
2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/aws_streams/streams_main.yaml b/aws_streams/streams_main.yaml
index b9f2b11..d815d95 100644
--- a/aws_streams/streams_main.yaml
+++ b/aws_streams/streams_main.yaml
@@ -95,18 +95,18 @@ Resources: Action: - "s3:*" Resource: - - "arn:aws:s3:::cf-templates-*" + - !Sub "arn:${AWS::Partition}:s3:::cf-templates-*" - Effect: Allow Action: - "cloudformation:*" Resource: - - !Sub "arn:aws:cloudformation:*:${AWS::AccountId}:stack/StackSet-DatadogStreams-*" - - !Sub "arn:aws:cloudformation:*:${AWS::AccountId}:stackset/DatadogStreams*" + - !Sub "arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stack/StackSet-DatadogStreams-*" + - !Sub "arn:${AWS::Partition}:cloudformation:*:${AWS::AccountId}:stackset/DatadogStreams*" - Effect: Allow Action: - "sns:Publish" Resource: - - "arn:aws:sns:*:*:CfnNotificationSNSTopic" + - !Sub "arn:${AWS::Partition}:sns:*:*:CfnNotificationSNSTopic" - Effect: Allow Action: - iam:GetRole @@ -115,7 +115,7 @@ Resources: StringEquals: "iam:PassedToService": "streams.metrics.cloudwatch.amazonaws.com" Resource: - - !Sub "arn:aws:iam::${AWS::AccountId}:role/DatadogMetricStreamRole" + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/DatadogMetricStreamRole" - Effect: Allow Action: - iam:GetRole @@ -124,7 +124,7 @@ Resources: StringEquals: "iam:PassedToService": "firehose.amazonaws.com" Resource: - - !Sub "arn:aws:iam::${AWS::AccountId}:role/DatadogServiceRole" + - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/DatadogServiceRole" - Effect: Allow Action: - s3:CreateBucket @@ -134,7 +134,7 @@ Resources: - s3:PutBucketTagging - s3:PutObjectTagging Resource: - - !Sub "arn:aws:s3:::datadog-aws-metric-stream-backup-${AWS::AccountId}-*" + - !Sub "arn:${AWS::Partition}:s3:::datadog-aws-metric-stream-backup-${AWS::AccountId}-*" - Effect: Allow Action: - logs:CreateLogGroup @@ -145,7 +145,7 @@ Resources: - logs:DescribeLogStreams - logs:TagResource Resource: - - !Sub "arn:aws:logs:*:${AWS::AccountId}:log-group:datadog-metric-stream*" + - !Sub "arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:datadog-metric-stream*" - Effect: Allow Action: - firehose:CreateDeliveryStream 
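Review bot: The rewritten sns line `!Sub "arn:${AWS::Partition}:sns:*:*:CfnNotificationSNSTopic"` still leaves the account field as `*`, so `sns:Publish` is granted on any topic of that name in any account of the partition, while every other Resource in this hunk is scoped to `${AWS::AccountId}`. Since the value is now a `!Sub` anyway, scoping it is a one-token change: `- !Sub "arn:${AWS::Partition}:sns:*:${AWS::AccountId}:CfnNotificationSNSTopic"` (unless the topic intentionally lives in another account, in which case a comment saying so would help). The `"s3:*"` grant on `cf-templates-*` is as wide as before and not introduced here. The policy document these statements belong to starts before the hunk.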
@@ -153,7 +153,7 @@ Resources: - firehose:DeleteDeliveryStream - firehose:TagDeliveryStream Resource: - - !Sub "arn:aws:firehose:*:${AWS::AccountId}:deliverystream/datadog-metrics-stream" + - !Sub "arn:${AWS::Partition}:firehose:*:${AWS::AccountId}:deliverystream/datadog-metrics-stream" - Effect: Allow Action: - cloudwatch:PutMetricStream @@ -162,7 +162,7 @@ Resources: - cloudwatch:DeleteMetricStream - cloudwatch:TagResource Resource: - - !Sub "arn:aws:cloudwatch:*:${AWS::AccountId}:metric-stream/datadog-metrics-stream" + - !Sub "arn:${AWS::Partition}:cloudwatch:*:${AWS::AccountId}:metric-stream/datadog-metrics-stream" ServiceRole: Type: "AWS::IAM::Role" Properties: @@ -191,8 +191,8 @@ Resources: - "s3:ListBucketMultipartUploads" - "s3:PutObject" Resource: - - !Sub "arn:aws:s3:::datadog-aws-metric-stream-backup-${AWS::AccountId}-*" - - !Sub "arn:aws:s3:::datadog-aws-metric-stream-backup-${AWS::AccountId}-*/*" + - !Sub "arn:${AWS::Partition}:s3:::datadog-aws-metric-stream-backup-${AWS::AccountId}-*" + - !Sub "arn:${AWS::Partition}:s3:::datadog-aws-metric-stream-backup-${AWS::AccountId}-*/*" DatadogMetricStreamRole: Type: AWS::IAM::Role Properties: @@ -217,7 +217,7 @@ Resources: - "firehose:PutRecord" - "firehose:PutRecordBatch" Resource: - - !Sub "arn:aws:firehose:*:${AWS::AccountId}:deliverystream/datadog-metrics-stream" + - !Sub "arn:${AWS::Partition}:firehose:*:${AWS::AccountId}:deliverystream/datadog-metrics-stream" Description: A metric stream role DatadogStreamStackSet: Type: AWS::CloudFormation::StackSet @@ -231,7 +231,7 @@ Resources: Accounts: - !Ref "AWS::AccountId" Regions: !Ref Regions - TemplateURL: "https://s3.amazonaws.com//aws/streams_single_region.yaml" + TemplateURL: "https://.s3.amazonaws.com/aws/streams_single_region.yaml" Parameters: - ParameterKey: ApiKey ParameterValue: !Ref ApiKey diff --git a/aws_streams/version.txt b/aws_streams/version.txt index 0f1acbd..99a4aef 100644 --- a/aws_streams/version.txt +++ b/aws_streams/version.txt 
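Review bot: In the `@@ -231` hunk the new `TemplateURL` host `.s3.amazonaws.com` is still the commercial-partition S3 endpoint, so a StackSet created in aws-us-gov would presumably try to fetch the child template from a bucket outside its own partition, which the ARN changes elsewhere in this commit cannot fix. As rendered on the page the host label before `.s3` is empty; if that is a build-time bucket token that extraction dropped, confirm it also expands to a bucket that exists in the GovCloud partition when the target is aws-us-gov. Making the URL region- and partition-aware in the same spirit as the ARNs would look like `TemplateURL: !Sub "https://<bucket>.s3.${AWS::Region}.${AWS::URLSuffix}/aws/streams_single_region.yaml"` (placeholder bucket name), resolved in the region and partition where the parent stack is deployed. The DatadogStreamStackSet resource starts before this hunk and its Parameters list continues after it.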
@@ -1 +1 @@
-v1.1.2
+v1.1.3