From afcad7bf9b3838e59481867ef557e237a7b4a09b Mon Sep 17 00:00:00 2001
From: "datadog-datadog-prod-us1[bot]" <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Date: Mon, 3 Nov 2025 09:39:22 +0000
Subject: [PATCH] Implement FIPS-compliant Datadog Forwarder (AWSX-1578)

Co-authored-by: RaphaelAllier <118757729+RaphaelAllier@users.noreply.github.com>
---
 aws/logs_monitoring/settings.py | 24 ++++++++++++++++++++----
 aws/logs_monitoring/template.yaml | 17 +++++++++++++++++
 2 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/aws/logs_monitoring/settings.py b/aws/logs_monitoring/settings.py
index 7d63efa68..9bcf1a5bb 100644
--- a/aws/logs_monitoring/settings.py
+++ b/aws/logs_monitoring/settings.py
@@ -27,6 +27,17 @@ def get_env_var(envvar, default, boolean=False):
     return value
+## @param DD_AWS_USE_FIPS_ENDPOINTS - boolean - optional - default: false
+## When set to true, forces all AWS SDK (boto3) clients to use AWS FIPS endpoints.
+## This sets the AWS_USE_FIPS_ENDPOINT environment variable for the process and
+## adds use_fips_endpoint=True to the default boto3 Config used where applicable.
+DD_AWS_USE_FIPS_ENDPOINTS = get_env_var(
+    "DD_AWS_USE_FIPS_ENDPOINTS", "false", boolean=True
+)
+if DD_AWS_USE_FIPS_ENDPOINTS:
+    # Ensure botocore picks this up for all clients created in this process
+    os.environ["AWS_USE_FIPS_ENDPOINT"] = "true"
+
 ## @param DD_API_KEY - String - conditional - default: none
 ## The Datadog API key associated with your Datadog Account
 ## It can be found here:
@@ -157,10 +168,15 @@ def __init__(self, name, pattern, placeholder, enabled=True):
 INCLUDE_AT_MATCH = get_env_var("INCLUDE_AT_MATCH", default=None)
 EXCLUDE_AT_MATCH = get_env_var("EXCLUDE_AT_MATCH", default=None)
-# Set boto3 timeout
-boto3_config = botocore.config.Config(
-    connect_timeout=5, read_timeout=5, retries={"max_attempts": 2}
-)
+# Set boto3 timeout (and FIPS if enabled)
+boto3_config_kwargs = {
+    "connect_timeout": 5,
+    "read_timeout": 5,
+    "retries": {"max_attempts": 2},
+}
+if DD_AWS_USE_FIPS_ENDPOINTS:
+    boto3_config_kwargs["use_fips_endpoint"] = True
+boto3_config = botocore.config.Config(**boto3_config_kwargs)
 # DD API Key
 # Check if the DD_API_KEY_SECRET_ARN environment variable is set
 if "DD_API_KEY_SECRET_ARN" in os.environ:
diff --git a/aws/logs_monitoring/template.yaml b/aws/logs_monitoring/template.yaml
index 1fe618514..d455ecb22 100644
--- a/aws/logs_monitoring/template.yaml
+++ b/aws/logs_monitoring/template.yaml
@@ -289,6 +289,13 @@ Parameters:
       - "true"
       - "false"
     Description: Set to true to enable enhanced Lambda metrics. This will generate additional custom metrics for Lambda functions, including cold starts, estimated AWS costs, and custom tags. Default is false.
+  DdAwsUseFipsEndpoints:
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+    Description: Set to true to force AWS SDK calls from the Forwarder to use AWS FIPS endpoints.
 Conditions:
   IsAWSChina: !Equals [!Ref "AWS::Partition", aws-cn]
   IsGovCloud: !Equals [!Ref "AWS::Partition", aws-us-gov]
@@ -378,6 +385,7 @@ Conditions:
     - !Equals [!Join ["", !Ref VPCSubnetIds], ""]
   SetDdLogLevel: !Not
     - !Equals [!Ref DdLogLevel, ""]
+  SetDdAwsUseFipsEndpoints: !Equals [!Ref DdAwsUseFipsEndpoints, true]
 Rules:
   MustSetDdApiKey:
     Assertions:
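Review bot: The `if DD_AWS_USE_FIPS_ENDPOINTS:` guard around `use_fips_endpoint` is load-bearing but unexplained; a later reader will be tempted to collapse it into `"use_fips_endpoint": DD_AWS_USE_FIPS_ENDPOINTS`, and, as far as I recall botocore's precedence rules, an explicit `False` in a `Config` wins over an `AWS_USE_FIPS_ENDPOINT` variable set outside this module, which would silently downgrade a deployment that set only the AWS variable. Suggest adding above the `if`: `# Only set when enabled: an explicit False here would override AWS_USE_FIPS_ENDPOINT set outside this module`. Note also that this `Config` only reaches clients created with `config=boto3_config`; clients built with a default config depend solely on the process environment variable written earlier in this file, so that path must be kept if this block is ever refactored.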
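Review bot: `DdAwsUseFipsEndpoints` writes its values bare (`Default: false`, `- true`, `- false`) while the adjacent `DdEnhancedMetrics` parameter quotes them (`"true"`/`"false"`); for a `Type: String` parameter the quoted form avoids YAML boolean coercion and matches the file's convention, so suggest `Default: "false"`, `- "true"`, `- "false"` here and `!Equals [!Ref DdAwsUseFipsEndpoints, "true"]` in the `Conditions` hunk that follows. The Description also does not say that FIPS endpoints exist only for a subset of regions and services; I believe botocore resolves a `-fips` hostname rather than falling back, so in a region without one the Forwarder's AWS calls fail outright instead of degrading. A sentence such as `Only enable in regions where the AWS services used by the Forwarder expose FIPS endpoints; there is no fallback to the standard endpoint.` would prevent that surprise.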
@@ -577,6 +585,14 @@ Resources:
             - !Ref AWS::NoValue
           DD_TRACE_ENABLED: !Ref DdTraceEnabled
           DD_ENHANCED_METRICS: !Ref DdEnhancedMetrics
+          AWS_USE_FIPS_ENDPOINT: !If
+            - SetDdAwsUseFipsEndpoints
+            - "true"
+            - !Ref AWS::NoValue
+          DD_AWS_USE_FIPS_ENDPOINTS: !If
+            - SetDdAwsUseFipsEndpoints
+            - "true"
+            - !Ref AWS::NoValue
       ReservedConcurrentExecutions: !If
         - SetReservedConcurrentExecutions
         - !Ref ReservedConcurrency
@@ -1055,6 +1071,7 @@ Metadata:
           - DdForwarderBucketName
           - DdStoreFailedEvents
           - DdLogLevel
+          - DdAwsUseFipsEndpoints
       ParameterLabels:
         DdApiKey:
           default: "DdApiKey *"
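Review bot: `AWS_USE_FIPS_ENDPOINT` and `DD_AWS_USE_FIPS_ENDPOINTS` are driven by the same condition, and settings.py sets the former from the latter again, so there are two redundant paths to the same effect; that is acceptable, but nothing records that it is deliberate, and dropping either one later would leave some clients configured through only one path without any visible error. Suggest a comment above `AWS_USE_FIPS_ENDPOINT: !If` such as `# Both variables are intentional: AWS_USE_FIPS_ENDPOINT is read by botocore directly, DD_AWS_USE_FIPS_ENDPOINTS by settings.py for the shared boto3 Config`. The `Metadata` parameter-group hunk below is a list entry only and needs nothing.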