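---
# CloudFormation template: cross-account IAM role + managed policy that lets
# Datadog's AWS account read (and, for a few log/notification actions, write)
# resources in this account. The trust relationship is gated on an external ID.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'IAM Role and IAM Policy for Datadog AWS Integration'
Outputs:
  DatadogAccountID:
    Value:
      Ref: DatadogAccountID
  # Kept disabled on purpose: DatadogExternalID is a NoEcho parameter, and a
  # stack output would make it readable to anyone who can describe the stack.
  # DatadogExternalID:
  #   Value:
  #     Ref: DatadogExternalID
  PolicyArn:
    Value:
      Ref: DatadogAWSIntegrationPolicy
  RoleName:
    Value:
      Ref: DatadogAWSIntegrationRole
Parameters:
  DatadogAccountID:
    Default: '464622532012'
    Description: "Datadog's account ID (Ref: https://docs.datadoghq.com/integrations/amazon_web_services/)"
    Type: String
  DatadogExternalID:
    # No Default: the external ID is the only thing that stops another
    # Datadog tenant from assuming this role (confused-deputy protection),
    # so a well-known placeholder value must never be deployable by accident.
    # The stack now fails creation unless a non-empty value is supplied.
    Description: External ID generated by Datadog (https://app.datadoghq.com/account/settings#integrations/amazon_web_services)
    Type: String
    NoEcho: 'true'
    MinLength: 1
    ConstraintDescription: must be the external ID shown in the Datadog AWS integration tile
  PermissionLevel:
    Default: full
    AllowedValues:
      - full
      - minimum
    Description: Select permission to grant to IAM Role
    Type: String
  PermissionsFull:
    # Delete double quotes(") after copy & paste from doc (#installation)
    # Folded scalar (>-): the lines below become one comma-separated line,
    # which CloudFormation then splits as a CommaDelimitedList.
    # Note that logs:PutSubscriptionFilter, logs:DeleteSubscriptionFilter,
    # s3:PutBucketNotification, sns:Publish and support:* are not read-only;
    # with Resource "*" in the policy below they apply account-wide.
    Default: >-
      apigateway:GET,
      autoscaling:Describe*,
      budgets:ViewBudget,
      cloudfront:GetDistributionConfig,
      cloudfront:ListDistributions,
      cloudtrail:DescribeTrails,
      cloudtrail:GetTrailStatus,
      cloudtrail:LookupEvents,
      cloudwatch:Describe*,
      cloudwatch:Get*,
      cloudwatch:List*,
      codedeploy:List*,
      codedeploy:BatchGet*,
      directconnect:Describe*,
      dynamodb:List*,
      dynamodb:Describe*,
      ec2:Describe*,
      ecs:Describe*,
      ecs:List*,
      elasticache:Describe*,
      elasticache:List*,
      elasticfilesystem:DescribeFileSystems,
      elasticfilesystem:DescribeTags,
      elasticfilesystem:DescribeAccessPoints,
      elasticloadbalancing:Describe*,
      elasticmapreduce:List*,
      elasticmapreduce:Describe*,
      es:ListTags,
      es:ListDomainNames,
      es:DescribeElasticsearchDomains,
      fsx:DescribeFileSystems,
      fsx:ListTagsForResource,
      health:DescribeEvents,
      health:DescribeEventDetails,
      health:DescribeAffectedEntities,
      kinesis:List*,
      kinesis:Describe*,
      lambda:GetPolicy,
      lambda:List*,
      logs:DeleteSubscriptionFilter,
      logs:DescribeLogGroups,
      logs:DescribeLogStreams,
      logs:DescribeSubscriptionFilters,
      logs:FilterLogEvents,
      logs:PutSubscriptionFilter,
      logs:TestMetricFilter,
      organizations:DescribeOrganization,
      rds:Describe*,
      rds:List*,
      redshift:DescribeClusters,
      redshift:DescribeLoggingStatus,
      route53:List*,
      s3:GetBucketLogging,
      s3:GetBucketLocation,
      s3:GetBucketNotification,
      s3:GetBucketTagging,
      s3:ListAllMyBuckets,
      s3:PutBucketNotification,
      ses:Get*,
      sns:List*,
      sns:Publish,
      sqs:ListQueues,
      states:ListStateMachines,
      states:DescribeStateMachine,
      support:*,
      tag:GetResources,
      tag:GetTagKeys,
      tag:GetTagValues,
      xray:BatchGetTraces,
      xray:GetTraceSummaries
    Type: CommaDelimitedList
  PermissionsMinimum:
    # Delete double quotes(") after copy & paste from doc (#permissions)
    # Same folded-scalar / CommaDelimitedList layout as PermissionsFull.
    Default: >-
      cloudwatch:Get*,
      cloudwatch:List*,
      ec2:Describe*,
      support:*,
      tag:GetResources,
      tag:GetTagKeys,
      tag:GetTagValues
    Type: CommaDelimitedList
Conditions:
  # True when PermissionLevel is "full"; selects which action list is attached.
  Permissions:
    Fn::Equals:
      - Ref: PermissionLevel
      - full
Resources:
  DatadogAWSIntegrationPolicy:
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              Fn::If:
                - Permissions
                - Ref: PermissionsFull
                - Ref: PermissionsMinimum
            Effect: Allow
            # Wildcard resource: every action in the selected list is granted
            # on all resources in the account (most Describe*/List* calls do
            # not support resource-level scoping).
            Resource: "*"
        Version: '2012-10-17'
      Roles:
        - Ref: DatadogAWSIntegrationRole
      # When you want to give a specific name
      # ManagedPolicyName: "DatadogAWSIntegrationRolePolicy"
    Type: AWS::IAM::ManagedPolicy
  DatadogAWSIntegrationRole:
    Properties:
      # Trust policy: only the Datadog account's root principal may assume the
      # role, and only when it presents the exact external ID from the parameter.
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId:
                  Ref: DatadogExternalID
            Effect: Allow
            Principal:
              AWS:
                Fn::Sub: 'arn:aws:iam::${DatadogAccountID}:root'
        Version: '2012-10-17'
      # When you want to give a specific name
      # RoleName: 'DatadogAWSIntegrationRole'
    Type: AWS::IAM::Role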