From 7abadcb9f52a8c1c9e8637f74f9bade10d8c607a Mon Sep 17 00:00:00 2001
From: Dan Marshall
Date: Thu, 29 Oct 2020 22:37:49 +0000
Subject: [PATCH] Add support for API Key in SSM
---
 README.md | 1 +
 datadog_lambda/metric.py | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/README.md b/README.md
index ffdee511..e2e47cd8 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ If `DD_FLUSH_TO_LOG` is set to `false` (not recommended), the Datadog API Key mu
 - DD_API_KEY - the Datadog API Key in plain-text, NOT recommended
 - DD_KMS_API_KEY - the KMS-encrypted API Key, requires the `kms:Decrypt` permission
 - DD_API_KEY_SECRET_ARN - the Secret ARN to fetch API Key from the Secrets Manager, requires the `secretsmanager:GetSecretValue` permission (and `kms:Decrypt` if using a customer managed CMK)
+- DD_API_KEY_SSM_NAME - the Parameter Name to fetch API Key from the Systems Manager Parameter Store, requires the `ssm:GetParameter` permission (and `kms:Decrypt` if using a SecureString with a customer managed CMK)
 You can also supply or override the API key at runtime (not recommended):
diff --git a/datadog_lambda/metric.py b/datadog_lambda/metric.py
index 90e30ca4..e147e5a7 100644
--- a/datadog_lambda/metric.py
+++ b/datadog_lambda/metric.py
@@ -136,12 +136,18 @@ def submit_errors_metric(lambda_context):
 # Set API Key and Host in the module, so they only set once per container
 if not api._api_key:
 DD_API_KEY_SECRET_ARN = os.environ.get("DD_API_KEY_SECRET_ARN", "")
+ DD_API_KEY_SSM_NAME = os.environ.get("DD_API_KEY_SSM_NAME", "")
 DD_KMS_API_KEY = os.environ.get("DD_KMS_API_KEY", "")
 DD_API_KEY = os.environ.get("DD_API_KEY", os.environ.get("DATADOG_API_KEY", ""))
 if DD_API_KEY_SECRET_ARN:
 api._api_key = boto3.client("secretsmanager").get_secret_value(
 SecretId=DD_API_KEY_SECRET_ARN
 )["SecretString"]
+ elif DD_API_KEY_SSM_NAME:
+ api._api_key = boto3.client("ssm").get_parameter(
+ Name=DD_API_KEY_SSM_NAME,
+ WithDecryption=True
+ )["Parameter"]["Value"]
 elif DD_KMS_API_KEY:
 api._api_key = boto3.client("kms").decrypt(
 CiphertextBlob=base64.b64decode(DD_KMS_API_KEY)
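Review bot: The new `elif DD_API_KEY_SSM_NAME:` branch calls `get_parameter` with nothing around it to handle a failed fetch, and the comment at the top of the hunk suggests this block runs once when the module is loaded. If so, a missing `ssm:GetParameter` or `kms:Decrypt` grant, a mistyped parameter name or Parameter Store throttling during a burst of cold starts would raise at import and take down the handler, not just metric submission. Consider wrapping the call in `try:` / `except botocore.exceptions.ClientError as e:` and logging only `e.response["Error"]["Code"]`, never the parameter value. A comment such as `# Precedence: Secrets Manager ARN first, then the SSM parameter, then the KMS key` would also make it explicit that this branch is skipped whenever `DD_API_KEY_SECRET_ARN` is set. The `if`/`elif` chain continues past the end of the hunk.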