[K9VULN-9361] Move Agentless Scanning cloudformation to a dedicated folder#252
aws_quickstart/main_extended.yaml
| - IsCrossAccountScanning | ||
| - 'https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agentless_delegate_role.yaml' | ||
| - 'https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agentless_scanning.yaml' | ||
| - 'https://datadog-cloudformation-template.s3.amazonaws.com/aws_agentless/v1.0.0/datadog_agentless_delegate_role.yaml' |
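Review bot: both placeholder URLs are removed here but only datadog_agentless_delegate_role.yaml gets a pinned replacement in this region, and that pin reads v1.0.0 while the later revision of the same lines reads v5.0.0; confirm that datadog_agentless_scanning.yaml is re-pointed as well and that both pins are written from aws_agentless/version.txt by the release script rather than typed by hand, otherwise the two nested stacks can drift apart.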
Setting the bucket and pinning the version here on purpose.
Whenever the aws_agentless/version.txt gets updated, the aws_agentless/release.sh script will update this file too.
Co-authored-by: Diogo Pereira <diogo.pereira@datadoghq.com>
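As an added example (not the repository's own aws_agentless/release.sh), a shell sketch of the sync-and-check step the comment above describes: it reads aws_agentless/version.txt, rewrites the pinned aws_agentless/vX.Y.Z URLs in main_extended.yaml, and fails a CI-style check while the file still points at another version. The bucket name and URL layout come from the diff above; the function names and the one-version-per-file rule are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repository's aws_agentless/release.sh: keep the pinned
# agentless nested-stack URLs in main_extended.yaml in step with version.txt.
# Assumed: version.txt holds one semver (optionally "v"-prefixed); the URL layout
# and bucket are the ones from the diff above; function names are hypothetical.
set -eu

BUCKET="datadog-cloudformation-template"
# Matches a pinned URL prefix up to and including the version directory.
URL_RE="https://${BUCKET}\.s3\.amazonaws\.com/aws_agentless/v[0-9]+\.[0-9]+\.[0-9]+/"

# Print the release version from version.txt, rejecting anything that is not X.Y.Z.
read_version() {  # $1 = path to version.txt
  local v
  v=$(tr -d '[:space:]' < "$1")
  v="${v#v}"
  printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' \
    || { echo "bad version in $1: '$v'" >&2; return 1; }
  printf '%s\n' "$v"
}

# Rewrite every pinned agentless URL in the template to the given version.
pin_version() {  # $1 = template path, $2 = version X.Y.Z
  sed -E -i.bak "s#${URL_RE}#https://${BUCKET}.s3.amazonaws.com/aws_agentless/v$2/#g" "$1"
  rm -f "$1.bak"
}

# Drift check for CI: fail unless every pinned URL in the template uses exactly
# the given version (no missing pin, no mix of versions).
check_pin() {  # $1 = template path, $2 = version X.Y.Z
  local pins
  pins=$(grep -Eo "$URL_RE" "$1" | sort -u)
  [ -n "$pins" ] || { echo "no pinned agentless URL in $1" >&2; return 1; }
  [ "$(printf '%s\n' "$pins" | grep -c .)" -eq 1 ] \
    || { echo "mixed pins in $1:" >&2; printf '%s\n' "$pins" >&2; return 1; }
  case "$pins" in
    *"/v$2/") return 0 ;;
    *) echo "$1 pins $pins but version.txt says v$2" >&2; return 1 ;;
  esac
}

# Typical release step:
# pin_version aws_quickstart/main_extended.yaml "$(read_version aws_agentless/version.txt)"
```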
aws_quickstart/main_extended.yaml
| - 'https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agentless_delegate_role.yaml' | ||
| - 'https://<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>/datadog_agentless_scanning.yaml' | ||
| - 'https://datadog-cloudformation-template.s3.amazonaws.com/aws_agentless/v5.0.0/datadog_agentless_delegate_role.yaml' | ||
| - 'https://datadog-cloudformation-template.s3.amazonaws.com/aws_agentless/v5.0.0/datadog_agentless_scanning.yaml' |
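Review bot: the two added lines hardcode both the datadog-cloudformation-template bucket and the aws_agentless/v5.0.0 path where the removed lines used <BUCKET_PLACEHOLDER> and <VERSION_PLACEHOLDER>, so a quickstart release that substitutes a different bucket for its own templates will still fetch these two nested stacks from this fixed bucket; either keep the placeholder for the bucket, or add a YAML comment next to these lines stating that the pin is deliberate and is rewritten only by aws_agentless/release.sh, so nobody "fixes" it back to a placeholder by hand.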
💭 why pin this instead of getting the latest version from aws_agentless/version.txt?
also looks like the agentless release script can use a different bucket name, so I assume we'd want to keep <BUCKET_PLACEHOLDER>?
I added a placeholder for the version and updated the release script
I think we'd want to keep datadog-cloudformation-template which is another S3 bucket.
diogocp left a comment
I'm skeptical of this change because it seems to create bigger problems than it solves.
For most changes, we will still need to bump the quickstart version and release it. It's the same thing with more steps. We still need reviews from the AWS integrations team for those changes.
We will have two version numbers to keep track of—except with this change we would only track one; we would need to pass the quickstart version to the agentless template for the API to know exactly what is being deployed.
I think there are problems with the current release process. But as long as we want to integrate with quickstart, we still need to go through its release process. If we really want to make improvements, we have to improve quickstart too.
| ``` | ||
|
|
||
| The release script will automatically: | ||
| - Update the pinned agentless version in `aws_quickstart/main_extended.yaml` to match the new version |
I think this is outdated after your latest changes—as is the agentless release script.
I agree this makes things a bit more complex. I actually hesitated before doing it. Today, the issue is that We also have more Agentless templates coming:
To avoid confusion and establish clear ownership, I moved all Agentless Scanning templates into I considered an alternative where we keep I chose full separation so the answer to “where does my template live?” is always “aws_agentless/,” making the structure simpler to understand.
What does this PR do?
Move Agentless Scanning CloudFormation out of `aws_quickstart/` to a dedicated folder. We also now pin the agentless template link in `main_extended.yaml`.