Conversation

@gabedos gabedos commented Nov 17, 2025

What does this PR do?

Introduces dd_manage_execution_role_secret_permissions, which controls whether to create and attach secret access permissions to the execution role.

Set to false if your execution role already has the necessary secretsmanager:GetSecretValue permissions.

Motivation

#47

Describe how you validated your changes

This change does not support unit tests with the current framework because it involves IAM roles. Current unit tests only check for the configuration of the datadog agent task definition itself.

Manual QA steps:

  1. Define a dummy dd_api_key_secret value.
  2. Disable execution role editing via dd_manage_execution_role_secret_permissions = false.
  3. terraform apply
  4. Open the task definition's respective IAM role and observe that the dd-secret-access policy was not attached.
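As an added illustration (not code from this PR or from the module itself), the following shows how such a flag can gate both the policy document and its attachment to the user-supplied execution role, so that setting it to false removes the dd-secret-access policy from the plan, which is what QA step 4 above checks. The variable names execution_role and dd_api_key_secret and the policy name dd-secret-access come from this thread; the resource layout, the inline-policy form and the null default for dd_api_key_secret are assumptions.

```hcl
# Added illustration, not the module's own code. Names taken from the PR thread:
# execution_role, dd_api_key_secret, dd_manage_execution_role_secret_permissions,
# dd-secret-access. Resource layout and defaults are assumed.

variable "execution_role" {
  description = "Name of the ECS task execution role supplied by the user."
  type        = string
}

variable "dd_api_key_secret" {
  description = "ARN of the Secrets Manager secret holding the Datadog API key."
  type        = string
  default     = null
}

variable "dd_manage_execution_role_secret_permissions" {
  description = "Whether to create and attach secret access permissions to the execution role. Set to false if your execution role already has the necessary secretsmanager:GetSecretValue permissions."
  type        = bool
  default     = true
}

locals {
  # Manage the policy only when a secret is in use AND the caller asked us to.
  # With the flag set to false, nothing below is created, regardless of the secret.
  manage_secret_policy = var.dd_api_key_secret != null && var.dd_manage_execution_role_secret_permissions
}

# Least privilege: one action, scoped to the single secret ARN, not "*".
data "aws_iam_policy_document" "dd_secret_access" {
  count = local.manage_secret_policy ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [var.dd_api_key_secret]
  }
}

# Inline policy on the caller's execution role; count = 0 means it never
# appears in the plan, which is the observable result of QA step 4.
resource "aws_iam_role_policy" "dd_secret_access" {
  count = local.manage_secret_policy ? 1 : 0

  name   = "dd-secret-access"
  role   = var.execution_role
  policy = data.aws_iam_policy_document.dd_secret_access[0].json
}
```

Because the flag defaults to true, existing users keep the current behaviour; with it set to false, terraform plan shows no aws_iam_role_policy resource at all, and after apply the absence can be confirmed with aws iam list-role-policies --role-name on the execution role. Scoping the policy to the exact secret ARN rather than a wildcard is what keeps the grant minimal when the module does manage it.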

@gabedos gabedos requested a review from a team as a code owner November 17, 2025 20:01
variable "dd_manage_execution_role_secret_permissions" {
description = "Whether to create and attach secret access permissions to the execution role. Set to false if your execution role already has the necessary secretsmanager:GetSecretValue permissions."
type = bool
default = true
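Review bot: the description on the `description` line names only secretsmanager:GetSecretValue as what a user-managed execution role must already hold, but when the API key secret is encrypted with a customer-managed KMS key, ECS also needs kms:Decrypt on that key to inject the secret, so a role that meets the stated requirement can still fail at task launch. Since setting this to false means the module manages none of it, suggest extending the description (or the README entry for this variable) to mention the KMS case.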


Instead of using a bool for the new parameter, have you considered asking the user to provide the role name, so it is possible to verify that it exists?

Collaborator Author

The user will already be supplying the role name via the variable execution_role. If the role exists and a secret API key is provided, we don't know if it has the proper permissions configured, and the module currently always adds the policy to get the secret.

  • If the role doesn't actually exist (dummy or incorrect value), then I believe the AWS API will reject the task creation request.
  • If no role is provided, then the AWS API will also reject the request, because it knows secrets are being loaded in, which requires some execution role to be configured.

@gabedos gabedos requested a review from clamoriniere November 18, 2025 14:52
@gabedos gabedos merged commit 44c5dd3 into main Nov 20, 2025
6 checks passed