Allow passing APIKey and AppKey as AWS Secrets Manager secrets

[blimmer]

Context

I'm the author of cdk-datadog-integration, which provides AWS CDK constructs to set up Datadog integrations via these CloudFormation templates.

In older versions of the CloudFormation template, I could pass the Datadog API Key as a Secrets Manager secret:

cloudformation-template/aws/main.yaml

Lines 19 to 23 in 53d9b7f

	DdApiKeySecretArn:
	Type: String
	AllowedPattern: "(arn:.*:secretsmanager:.*)?"
	Default: ""
	Description: The ARN of the secret storing the Datadog API key, if you already have it stored in Secrets Manager. You must store the secret as a plaintext, rather than a key-value pair.

This allowed me to keep plain-text secrets out of the AWS CDK code, instead referencing it within Secrets Manager.

However, the new quickstart_v2 requires two secrets: APIKey and APPKey, neither of which can be passed as secrets.

Therefore, to update my construct to use the newer quickstart, users would have to hardcode APIKey and APPKey in plain-text, which is not ideal.

Expected Behavior

All CloudFormation parameters that could be considered sensitive should be passable via AWS Secrets Manager ARNs vs. hard-coded parameters.

Actual Behavior

These sensitive parameters must currently be passed as hard-coded strings.

Steps to Reproduce the Problem

1. Attempt to use the current quickstart template (https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws_quickstart/main_v2.yaml) without hard-coding APPKey and APIKey as strings.

Specifications

• Datadog CloudFormation template version: https://github.com/DataDog/cloudformation-template/blob/53d9b7f5dccbf3b0049cbbb21ec6ea024fbb7327/aws_quickstart/main_v2.yaml

Stacktrace

N/A

[Flojolomo]

Are there any updates regarding this?