[TON-197] Add EC2 agent install IAM permissions to CloudFormation template#298
Draft
swang392 wants to merge 3 commits into `ray.eah/ton-xxx-agent-install-eventbridge` from
…plate

Adds DatadogAgentInstallEC2Policy (gated on AgentOnCloudResources condition) with 5 statements covering: SSM document/command operations, SecretsManager secrets scoped to /datadog/ec2-instrumenter/*, datadog-ssm-* role/profile creation, IAM read+attach for existing customer resources, and iam:PassRole scoped to datadog-ssm-* roles with ec2.amazonaws.com condition. Bumps to v4.8.1.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

…emplate

Adds DatadogAgentInstallEKSPolicy (gated on AgentOnCloudResources) with the 5 delete permissions needed for EKS uninstall: eks:DeleteAccessEntry, lambda:DeleteFunction, iam:DeleteRolePolicy, iam:DeleteRole, and secretsmanager:DeleteSecret. All scoped to dd-eks-instrumenter-* resources and the /datadog/eks-instrumenter/* secret path.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

…ninstall

Replaces the uninstall-only stub with a complete 5-statement policy matching the enclave instrumenter-snap policy for EKS operations: EKS cluster list/describe/access-entry management (Resource: *), Lambda CRUD scoped to dd-eks-instrumenter-*, IAM role CRUD scoped to dd-eks-instrumenter-*, SecretsManager CRUD scoped to /datadog/eks-instrumenter/*, and iam:PassRole to lambda.amazonaws.com for dd-eks-instrumenter-* roles. Also adds ec2:DescribeNatGateways and iam:SimulatePrincipalPolicy (used in MatchesFilters preflight check).

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Summary

- Adds `DatadogAgentInstallEC2Policy` (gated on `AgentOnCloudResources` condition / `InstallAgentOnCloudResources=true`) with 5 IAM statements covering all API calls the EC2 handler makes:
  - `DescribeInstanceInformation`, `SendCommand`, `GetDocument`, `CreateDocument`, `UpdateDocument`, `UpdateDocumentDefaultVersion` (Resource: `*`)
  - `DescribeSecret`, `CreateSecret` (scoped to `/datadog/ec2-instrumenter/*`)
  - `CreateRole`, `CreateInstanceProfile`, `AddRoleToInstanceProfile` (scoped to `datadog-ssm-*`)
  - `GetInstanceProfile`, `ListAttachedRolePolicies`, `AttachRolePolicy`, `PutRolePolicy` (Resource: `*`, needed for existing customer instance profiles in Cases B/C)
  - `iam:PassRole` scoped to `datadog-ssm-*` roles with `ec2.amazonaws.com` condition
- Bumps to `v4.8.1` and adds CHANGELOG entry
- Depends on #296
Test plan

- `aws cloudformation validate-template` on the modified template
- `InstallAgentOnCloudResources=true`: verify `DatadogAgentInstallEC2Policy` is created and attached
- Check for `AccessDenied` errors

🤖 Generated with Claude Code
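The policy shape the summary above describes, written out as an added CloudFormation fragment for illustration; this is not the PR's own template and was not taken from the repository. The actions, name patterns (`datadog-ssm-*`, `/datadog/ec2-instrumenter/*`), the `AgentOnCloudResources` condition and the `InstallAgentOnCloudResources` parameter come from the PR description; the `Sid` values, the parameter's default and allowed values, and the logical ID of the role the policy is attached to (`DatadogIntegrationRole`) are placeholders assumed here.

```yaml
# Added illustration of the 5-statement policy described in the PR summary.
# Not the PR's template: Sid names, parameter defaults and the attached role's
# logical ID (DatadogIntegrationRole) are assumed placeholders.
Parameters:
  InstallAgentOnCloudResources:
    Type: String
    Default: "false"            # assumed default
    AllowedValues: ["true", "false"]

Conditions:
  AgentOnCloudResources: !Equals [!Ref InstallAgentOnCloudResources, "true"]

Resources:
  DatadogAgentInstallEC2Policy:
    Type: AWS::IAM::Policy
    Condition: AgentOnCloudResources      # policy only exists when the flag is true
    Properties:
      PolicyName: DatadogAgentInstallEC2Policy
      Roles:
        - !Ref DatadogIntegrationRole     # placeholder: integration role defined elsewhere
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # 1. SSM inventory, command dispatch and document management
          - Sid: SsmDocumentsAndCommands
            Effect: Allow
            Action:
              - ssm:DescribeInstanceInformation
              - ssm:SendCommand
              - ssm:GetDocument
              - ssm:CreateDocument
              - ssm:UpdateDocument
              - ssm:UpdateDocumentDefaultVersion
            Resource: "*"
          # 2. Secrets limited to the instrumenter's own path
          - Sid: InstrumenterSecrets
            Effect: Allow
            Action:
              - secretsmanager:DescribeSecret
              - secretsmanager:CreateSecret
            Resource: !Sub "arn:${AWS::Partition}:secretsmanager:*:${AWS::AccountId}:secret:/datadog/ec2-instrumenter/*"
          # 3. Creation of the datadog-ssm-* role and instance profile only
          - Sid: CreateSsmRoleAndProfile
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:CreateInstanceProfile
              - iam:AddRoleToInstanceProfile
            Resource:
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*"
              - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:instance-profile/datadog-ssm-*"
          # 4. Read/attach on existing customer instance profiles (Cases B/C);
          #    the customer's role names are unknown, so no name scoping is possible
          - Sid: AttachToExistingProfiles
            Effect: Allow
            Action:
              - iam:GetInstanceProfile
              - iam:ListAttachedRolePolicies
              - iam:AttachRolePolicy
              - iam:PutRolePolicy
            Resource: "*"
          # 5. PassRole only for datadog-ssm-* roles, and only when passed to EC2
          - Sid: PassSsmRoleToEc2
            Effect: Allow
            Action: iam:PassRole
            Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/datadog-ssm-*"
            Condition:
              StringEquals:
                iam:PassedToService: ec2.amazonaws.com
```

Statements 1 and 4 are the ones to look at hardest in review, since both use `Resource: "*"`; `iam:AttachRolePolicy` and `iam:PutRolePolicy` on any role is a grant that can change what other principals in the account are allowed to do, so it matters that it sits behind the `AgentOnCloudResources` condition and on a role whose trust policy is tight. If the policy being attached in Cases B/C is a fixed, known ARN, statement 4 could be narrowed further with an `iam:PolicyARN` condition on `iam:AttachRolePolicy`. `aws cloudformation validate-template` checks only template syntax, not IAM semantics; the test plan's deploy-and-check-for-`AccessDenied` step is what exercises the statements.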