Add dynamic datacenter configuration infrastructure (Phase 1)

.gitignore

@@ -4,3 +4,6 @@
 **/.taskcat/
 **/taskcat_outputs/
 **/tmp/
+
+# Generated datacenter configuration files
+generated/

aws_account_level_logs/main.yaml

@@ -16,6 +16,7 @@ Parameters:
       - 'https://aws-kinesis-http-intake.logs.datadoghq.eu/v1/input'
       - 'https://aws-kinesis-http-intake.logs.ap1.datadoghq.com/api/v2/logs?dd-protocol=aws-kinesis-firehose'
       - 'https://aws-kinesis-http-intake.logs.ap2.datadoghq.com/api/v2/logs?dd-protocol=aws-kinesis-firehose'
+      - 'https://aws-kinesis-http-intake.logs.prtest07.datadoghq.com/api/v2/logs?dd-protocol=aws-kinesis-firehose'
       - 'https://aws-kinesis-http-intake.logs.us3.datadoghq.com/api/v2/logs?dd-protocol=aws-kinesis-firehose'
       - 'https://aws-kinesis-http-intake.logs.us5.datadoghq.com/api/v2/logs?dd-protocol=aws-kinesis-firehose'
       - 'https://aws-kinesis-http-intake.logs.ddog-gov.com/v1/input'

aws_config_stream/main_config_stream.yaml

@@ -33,6 +33,7 @@ Parameters:
       - https://cloudplatform-intake.datadoghq.eu/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose
       - https://cloudplatform-intake.ap1.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose
       - https://cloudplatform-intake.ap2.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose
+      - https://cloudplatform-intake.prtest07.datadoghq.com/api/v2/cloudchanges?dd-protocol=aws-kinesis-firehose
 Resources:
   ConfigurationRecorder:
     Type: AWS::Config::ConfigurationRecorder

aws_organizations/main_organizations.yaml

@@ -28,6 +28,7 @@ Parameters:
       - ddog-gov.com
       - ap1.datadoghq.com
       - ap2.datadoghq.com
+      - prtest07.datadoghq.com
   IAMRoleName:
     Description: Customize the name of IAM role for Datadog AWS integration
     Type: String
@@ -75,19 +76,30 @@ Rules:
                     - Ref: CloudSecurityPostureManagement
                     - "true"
         AssertDescription: CloudSecurityPostureManagement requires ResourceCollection, must enable ResourceCollection
+Mappings:
+  DdAccountIdBySite:
+    "datadoghq.com":
+      AccountId: "464622532012"
+    "datadoghq.eu":
+      AccountId: "464622532012"
+    "us3.datadoghq.com":
+      AccountId: "464622532012"
+    "us5.datadoghq.com":
+      AccountId: "464622532012"
+    "ap1.datadoghq.com":
+      AccountId: "417141415827"
+    "ap2.datadoghq.com":
+      AccountId: "412381753143"
+    "prtest07.datadoghq.com":
+      AccountId: "393946873269"
+    "ddog-gov.com":
+      AccountId: "392588925713"
+      AccountIdGovCloud: "065115117704"
 Conditions:
   ResourceCollectionPermissions:
     Fn::Equals:
       - !Ref DisableResourceCollection
       - false
-  IsAP1:
-    Fn::Equals:
-      - !Ref DatadogSite
-      - ap1.datadoghq.com
-  IsAP2:
-    Fn::Equals:
-      - !Ref DatadogSite
-      - ap2.datadoghq.com
   IsGov:
     Fn::Equals:
       - !Ref DatadogSite
@@ -379,19 +391,15 @@ Resources:
         Statement:
           - Effect: Allow
             Principal:
-              Fn::If:
-                - IsAP1
-                - AWS: !Sub "arn:${AWS::Partition}:iam::417141415827:root"
-                - Fn::If:
-                    - IsAP2
-                    - AWS: !Sub "arn:${AWS::Partition}:iam::412381753143:root"
-                    - Fn::If:
-                        - IsGov
-                        - Fn::If:
-                            - IsAWSGovCloud
-                            - AWS: !Sub "arn:${AWS::Partition}:iam::065115117704:root"
-                            - AWS: !Sub "arn:${AWS::Partition}:iam::392588925713:root"
-                        - AWS: !Sub "arn:${AWS::Partition}:iam::464622532012:root"
+              AWS: !Sub
+                - "arn:${AWS::Partition}:iam::${AccountId}:root"
+                - AccountId: !If
+                    - IsGov
+                    - !If
+                      - IsAWSGovCloud
+                      - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountIdGovCloud]
+                      - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
+                    - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
             Action:
               - "sts:AssumeRole"
             Condition:

aws_organizations/version.txt

@@ -1 +1 @@
-v4.1.0
+v4.1.1

aws_quickstart/datadog_integration_api_call_v2.yaml

@@ -24,6 +24,7 @@ Parameters:
       - us5.datadoghq.com
       - ap1.datadoghq.com
       - ap2.datadoghq.com
+      - prtest07.datadoghq.com
       - ddog-gov.com
   IAMRoleName:
     Description: >-

aws_quickstart/main_extended.yaml

@@ -40,6 +40,7 @@ Parameters:
       - us5.datadoghq.com
       - ap1.datadoghq.com
       - ap2.datadoghq.com
+      - prtest07.datadoghq.com
       - ddog-gov.com
   IAMRoleName:
     Description: Customize the name of IAM role for Datadog AWS integration
@@ -164,6 +165,25 @@ Rules:
                         - Ref: AgentlessSensitiveDataScanning
                         - 'true'
         AssertDescription: Agentless Scanning options require ResourceCollection, must enable ResourceCollection
+Mappings:
+  DdAccountIdBySite:
+    "datadoghq.com":
+      AccountId: "464622532012"
+    "datadoghq.eu":
+      AccountId: "464622532012"
+    "us3.datadoghq.com":
+      AccountId: "464622532012"
+    "us5.datadoghq.com":
+      AccountId: "464622532012"
+    "ap1.datadoghq.com":
+      AccountId: "417141415827"
+    "ap2.datadoghq.com":
+      AccountId: "412381753143"
+    "prtest07.datadoghq.com":
+      AccountId: "393946873269"
+    "ddog-gov.com":
+      AccountId: "392588925713"
+      AccountIdGovCloud: "065115117704"
 Conditions:
   InstallForwarder:
     Fn::Equals:
@@ -192,14 +212,6 @@ Conditions:
         - Fn::Equals:
           - !Ref AgentlessSensitiveDataScanning
           - true
-  IsAP1:
-    Fn::Equals:
-      - !Ref DatadogSite
-      - ap1.datadoghq.com
-  IsAP2:
-    Fn::Equals:
-      - !Ref DatadogSite
-      - ap2.datadoghq.com
   IsGov:
     Fn::Equals:
       - !Ref DatadogSite
@@ -258,18 +270,12 @@ Resources:
         IAMRoleName: !Ref IAMRoleName
         ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
         DdAWSAccountId: !If
-          - IsAP1
-          - "417141415827"
+          - IsGov
           - !If
-            - IsAP2
-            - "412381753143"
-            - !If
-              - IsGov
-              - !If
-                - IsAWSGovCloud
-                - "065115117704"
-                - "392588925713"
-              - "464622532012"
+            - IsAWSGovCloud
+            - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountIdGovCloud]
+            - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
+          - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
   # The Lambda function to ship logs from S3 and CloudWatch, custom metrics and traces from Lambda functions to Datadog
   # https://github.com/DataDog/datadog-serverless-functions/tree/master/aws/logs_monitoring
   ForwarderStack:

aws_quickstart/main_v2.yaml

@@ -27,6 +27,7 @@ Parameters:
       - us5.datadoghq.com
       - ap1.datadoghq.com
       - ap2.datadoghq.com
+      - prtest07.datadoghq.com
       - ddog-gov.com
   IAMRoleName:
     Description: Customize the name of IAM role for Datadog AWS integration
@@ -87,6 +88,25 @@ Rules:
                     - Ref: CloudSecurityPostureManagement
                     - 'true'
         AssertDescription: CloudSecurityPostureManagement requires ResourceCollection, must enable ResourceCollection
+Mappings:
+  DdAccountIdBySite:
+    "datadoghq.com":
+      AccountId: "464622532012"
+    "datadoghq.eu":
+      AccountId: "464622532012"
+    "us3.datadoghq.com":
+      AccountId: "464622532012"
+    "us5.datadoghq.com":
+      AccountId: "464622532012"
+    "ap1.datadoghq.com":
+      AccountId: "417141415827"
+    "ap2.datadoghq.com":
+      AccountId: "412381753143"
+    "prtest07.datadoghq.com":
+      AccountId: "393946873269"
+    "ddog-gov.com":
+      AccountId: "392588925713"
+      AccountIdGovCloud: "065115117704"
 Conditions:
   InstallForwarder:
     Fn::Equals:
@@ -96,14 +116,6 @@ Conditions:
     Fn::Equals:
       - !Ref DisableResourceCollection
       - false
-  IsAP1:
-    Fn::Equals:
-      - !Ref DatadogSite
-      - ap1.datadoghq.com
-  IsAP2:
-    Fn::Equals:
-      - !Ref DatadogSite
-      - ap2.datadoghq.com
   IsGov:
     Fn::Equals:
       - !Ref DatadogSite
@@ -136,18 +148,12 @@ Resources:
         IAMRoleName: !Ref IAMRoleName
         ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
         DdAWSAccountId: !If
-          - IsAP1
-          - "417141415827"
+          - IsGov
           - !If
-            - IsAP2
-            - "412381753143"
-            - !If
-              - IsGov
-              - !If
-                - IsAWSGovCloud
-                - "065115117704"
-                - "392588925713"
-              - "464622532012"
+            - IsAWSGovCloud
+            - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountIdGovCloud]
+            - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
+          - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
   # The Lambda function to ship logs from S3 and CloudWatch, custom metrics and traces from Lambda functions to Datadog
   # https://github.com/DataDog/datadog-serverless-functions/tree/master/aws/logs_monitoring
   ForwarderStack:

aws_quickstart/main_workflow.yaml

@@ -37,6 +37,7 @@ Parameters:
       - us5.datadoghq.com
       - ap1.datadoghq.com
       - ap2.datadoghq.com
+      - prtest07.datadoghq.com
       - ddog-gov.com
   IAMRoleName:
     Description: Customize the name of IAM role for Datadog AWS integration
@@ -73,6 +74,25 @@ Parameters:
       External ID for the IAM role trust policy. This is generated by the Datadog UI and ensures
       that only your Datadog organization can assume this role.
     Type: String
+Mappings:
+  DdAccountIdBySite:
+    "datadoghq.com":
+      AccountId: "464622532012"
+    "datadoghq.eu":
+      AccountId: "464622532012"
+    "us3.datadoghq.com":
+      AccountId: "464622532012"
+    "us5.datadoghq.com":
+      AccountId: "464622532012"
+    "ap1.datadoghq.com":
+      AccountId: "417141415827"
+    "ap2.datadoghq.com":
+      AccountId: "412381753143"
+    "prtest07.datadoghq.com":
+      AccountId: "393946873269"
+    "ddog-gov.com":
+      AccountId: "392588925713"
+      AccountIdGovCloud: "065115117704"
 Conditions:
   InstallForwarder:
     Fn::Equals:
@@ -85,14 +105,6 @@ Conditions:
     Fn::Equals:
       - !Ref DisableResourceCollection
       - false
-  IsAP1:
-    Fn::Equals:
-      - !Ref DatadogSite
-      - ap1.datadoghq.com
-  IsAP2:
-    Fn::Equals:
-      - !Ref DatadogSite
-      - ap2.datadoghq.com
   IsGov:
     Fn::Equals:
       - !Ref DatadogSite
@@ -308,18 +320,12 @@ Resources:
         IAMRoleName: !Ref IAMRoleName
         ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
         DdAWSAccountId: !If
-          - IsAP1
-          - "417141415827"
+          - IsGov
           - !If
-            - IsAP2
-            - "412381753143"
-            - !If
-              - IsGov
-              - !If
-                - IsAWSGovCloud
-                - "065115117704"
-                - "392588925713"
-              - "464622532012"
+            - IsAWSGovCloud
+            - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountIdGovCloud]
+            - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
+          - !FindInMap [DdAccountIdBySite, !Ref DatadogSite, AccountId]
 
   # Step 3: Notify IAM role creation finished
   NotifyIAMRoleCreationFinished:

aws_quickstart/version.txt

@@ -1 +1 @@
-v4.3.1
+v4.3.2

aws_streams/streams_single_region.yaml

@@ -96,6 +96,8 @@ Mappings:
             Endpoint: "https://awsmetrics-intake.ap1.datadoghq.com/api/v2/awsmetrics?dd-protocol=aws-kinesis-firehose"
         "ap2.datadoghq.com":
             Endpoint: "https://awsmetrics-intake.ap2.datadoghq.com/api/v2/awsmetrics?dd-protocol=aws-kinesis-firehose"
+        "prtest07.datadoghq.com":
+            Endpoint: "https://awsmetrics-intake.prtest07.datadoghq.com/api/v2/awsmetrics?dd-protocol=aws-kinesis-firehose"
         "datadoghq.com":
             Endpoint: "https://awsmetrics-intake.datadoghq.com/api/v2/awsmetrics?dd-protocol=aws-kinesis-firehose"
 Resources: