Hi, I'm trying to get Datadog set up for my org, but when trying to deploy the AWS integration StackSet I'm getting a failure status right away from the “DatadogAPICall” custom resource. It fails to create, then fails to delete. Logs say “Exception during processing: HTTP Error 403: Forbidden”. This is happening in a target account (StackSet being deployed to OA). I'm using this guide https://docs.datadoghq.com/integrations/guide/aws-organizations-setup/#setup . I am logged in as a full access user on the management account, which has all org features enabled. Anyone have any insight, or should I reach out to support directly?
If you are trying to deploy it via CF and are trying to install the Lambda Forwarder, that is more than likely an S3 bucket creation issue. I gave up on it, but here is what support had sent me before I gave up:
• Can you confirm if you already have an IAM role with the same name as the one the CF template is trying to create?
• Do you have an IAM role for CloudFormation that denies s3 access?
• Do you have Secure copy protocol (SCP) that could be blocking s3 access?
If you turn off the Lambda Forwarder, it will probably deploy. I decided to use the integration into our Lambda code.
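As an added example (not from the thread or from Datadog), the two policy-related checks in support's list can be pre-flighted offline by scanning a policy document for explicit Deny statements that cover the S3 actions the stack needs, and for Allow coverage in the CloudFormation execution role. The sample policies and the S3 action list are constructed assumptions; resource and condition scoping is not evaluated, so a hit means "look here", not a definitive verdict.

```python
import fnmatch
import json

# Constructed sample documents (not from the thread): an SCP that explicitly
# denies bucket creation, and a CloudFormation execution role policy with no S3 grant.
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:CreateBucket", "s3:PutBucket*"], "Resource": "*"},
    ],
})
SAMPLE_CFN_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:*", "lambda:*", "cloudformation:*"], "Resource": "*"},
    ],
})

# Actions a Forwarder bucket deployment plausibly needs (assumption; the exact
# set used by the Datadog template is not stated in the thread).
S3_ACTIONS = ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:PutObject", "s3:GetObject"]


def _as_list(value):
    # IAM allows "Action": "s3:GetObject" as well as "Action": ["..."]
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def denied_actions(policy_json, needed_actions):
    """Return the needed actions that an explicit Deny statement covers (Action or NotAction form)."""
    denied = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            denied.update(a for a in needed_actions if _matches(a, _as_list(stmt["Action"])))
        elif "NotAction" in stmt:  # Deny everything except the listed actions
            denied.update(a for a in needed_actions if not _matches(a, _as_list(stmt["NotAction"])))
    return sorted(denied)


def missing_allows(policy_json, needed_actions):
    """Return the needed actions that no Allow statement in the policy grants."""
    allowed = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            allowed.update(a for a in needed_actions if _matches(a, _as_list(stmt["Action"])))
    return sorted(set(needed_actions) - allowed)
```

Feed it the real documents from `organizations:DescribePolicy` and `iam:GetRolePolicy` output for the target account to see which of the three support questions applies.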
Hey, thanks for getting back. I'm not even at the Lambda Forwarder or log ingestion parts; that's a separate step of the process (and a different setup overall). Right now I'm just going through the steps that create the Datadog roles and metrics access. From the docs:
The Datadog CloudFormation StackSet performs the following steps:
- Deploys the Datadog AWS CloudFormation Stack in every account under an AWS Organization or Organizational Unit.
- Automatically creates the necessary IAM role and policies in the target accounts.
- Automatically initiates ingestion of AWS CloudWatch metrics and events from the AWS resources in the accounts.
- Optionally disables metric collection for the AWS infrastructure. This is useful for Cloud Cost Management (CCM) or Cloud Security Management Misconfigurations (CSM Misconfigurations) specific use cases.
- Optionally configures CSM Misconfigurations to monitor resource misconfigurations in your AWS accounts.
Note: The StackSet does not set up log forwarding in the AWS accounts. To set up logs, follow the steps in the Log Collection guide (https://docs.datadoghq.com/integrations/amazon_web_services/#log-collection).
This is what I was talking about. If you go into Integrations / AWS / Add new accounts, I set “Send AWS Logs to Datadog” and the stack deployed without errors.