making extended work with v2 changes, adding it to taskcat

aws_organizations/main_organizations.yaml

@@ -330,7 +330,7 @@ Resources:
               reason = json.dumps(cfResponse)
               cfnresponse.send(
                   event,
-                  signalcontext,
+                  context,
                   responseStatus=response_status,
                   responseData=cfResponse,
                   reason=reason,

aws_quickstart/datadog_integration_api_call_v2.yaml

@@ -308,7 +308,7 @@ Resources:
               reason = json.dumps(cfResponse)
               cfnresponse.send(
                   event,
-                  signalcontext,
+                  context,
                   responseStatus=response_status,
                   responseData=cfResponse,
                   reason=reason,

aws_quickstart/main_extended.yaml

@@ -66,6 +66,15 @@ Parameters:
       Disable this if you only want to collect tags or resource configuration information from this AWS account, 
       and do not want to use Datadog Infrastructure Monitoring.
     Default: false
+  DisableResourceCollection:
+    Type: String
+    AllowedValues:
+      - true
+      - false
+    Description: >-
+      Disabling resource collection for this account will lead to a loss in visibility into your AWS services. 
+      Disable this if you do not want to collect configuration information for the resources in this AWS account.
+    Default: false
   CloudSecurityPostureManagement:
     Type: String
     AllowedValues:
@@ -109,15 +118,28 @@ Parameters:
     Description: >-
       Enable Agentless Scanning of datastores (S3 buckets). "CloudSecurityPostureManagement" must be set to 'true'.
     Default: false
+Rules:
+  ResourceCollectionValidState:
+    Assertions:
+      - Assert:
+          Fn::Not:
+            - Fn::And:
+                - Fn::Equals:
+                    - Ref: DisableResourceCollection
+                    - 'true'
+                - Fn::Equals:
+                    - Ref: CloudSecurityPostureManagement
+                    - 'true'
+        AssertDescription: CloudSecurityPostureManagement requires ResourceCollection, must enable ResourceCollection
 Conditions:
   InstallForwarder:
     Fn::Equals:
       - !Ref InstallLambdaLogForwarder
       - true
-  CloudSecurityPostureManagementPermissions:
+  ResourceCollectionPermissions:
     Fn::Equals:
-      - !Ref CloudSecurityPostureManagement
-      - true
+      - !Ref DisableResourceCollection
+      - false
   EnableAgentlessScanning:
     Fn::And:
       - Fn::Not:
@@ -175,9 +197,10 @@ Resources:
         DatadogApiKey: !Ref APIKey
         DatadogAppKey: !Ref APPKey
         DatadogSite: !Ref DatadogSite
-        RoleName: !Ref IAMRoleName
+        IAMRoleName: !Ref IAMRoleName
         CloudSecurityPostureManagement: !Ref CloudSecurityPostureManagement
         DisableMetricCollection: !Ref DisableMetricCollection
+        DisableResourceCollection: !Ref DisableResourceCollection
   # The IAM role for Datadog integration
   DatadogIntegrationRoleStack:
     Type: AWS::CloudFormation::Stack
@@ -186,7 +209,7 @@ Resources:
       Parameters:
         ExternalId: !GetAtt DatadogAPICall.Outputs.ExternalId
         IAMRoleName: !Ref IAMRoleName
-        CloudSecurityPostureManagementPermissions: !If [CloudSecurityPostureManagementPermissions, true, false]
+        ResourceCollectionPermissions: !If [ResourceCollectionPermissions, true, false]
         DdAWSAccountId: !If
           - IsAP1
           - "417141415827"

aws_quickstart/taskcat/.taskcat_extended.yml

@@ -0,0 +1,20 @@
+general:
+  auth:
+    default: "<REPLACE_AWS_PROFILE>"
+  s3_bucket: datadog-cloudformation-templates-aws-taskcat-test
+
+project:
+  name: aws-quickstart
+  regions:
+  - us-east-2
+tests:
+  default:
+    template: ./main_extended.yaml
+    parameters:
+      APIKey: "<REPLACE_DD_API_KEY>"
+      APPKey: "<REPLACE_DD_APP_KEY>"
+      DatadogSite: "datadoghq.com"
+      IAMRoleName: "DatadogIntegrationRole-taskcat-$[taskcat_random-string]"
+      InstallLambdaLogForwarder: "true"
+      DisableMetricCollection: "false"
+      CloudSecurityPostureManagement: "false"

aws_quickstart/taskcat/run-taskcat-tests.sh

@@ -1,5 +1,22 @@
 #!/bin/bash
 
+# Usage: ./run-taskcat-tests.sh <test_version>
+
+set -e
+
+# Read the S3 bucket
+if [ -z "$1" ]; then
+    echo "Must specify a test_version (either 'standard' or 'extended')"
+    exit 1
+else
+    TEST_VERSION=$1
+fi
+
+if [ "$TEST_VERSION" != "standard" ]  &&  [ "$TEST_VERSION" != "extended" ]; then
+    echo "Invalid test_version - Must specify either 'standard' or 'extended'"
+    exit 1
+fi
+
 if [ -z "$AWS_SSO_PROFILE_NAME" ]; then
     echo "Missing AWS_SSO_PROFILE_NAME - Must specify an AWS profile name"
     exit 1
@@ -31,7 +48,16 @@ for f in ../*.yaml; do
    sed "s|<BUCKET_PLACEHOLDER>.s3.amazonaws.com/aws/<VERSION_PLACEHOLDER>|${TASKCAT_S3_BUCKET}.s3.amazonaws.com/${TASKCAT_PROJECT}|g" $f > ./tmp/$(basename $f)
 done
 
-sed "s|<REPLACE_DD_API_KEY>|${DD_API_KEY}|g ; s|<REPLACE_DD_APP_KEY>|${DD_APP_KEY}|g ; s|<REPLACE_AWS_PROFILE>|${AWS_SSO_PROFILE_NAME}|g" ./.taskcat.yml > ./tmp/.taskcat.yml
+if [ "$TEST_VERSION" = "standard" ]; then
+    cp ./.taskcat.yml ./tmp/.taskcat-temp.yml
+elif [ "$TEST_VERSION" = "extended" ]; then
+    cp ./.taskcat_extended.yml ./tmp/.taskcat-temp.yml
+else
+    echo "Invalid test_version - Must specify either 'standard' or 'extended'"
+    exit 1
+fi
+
+sed "s|<REPLACE_DD_API_KEY>|${DD_API_KEY}|g ; s|<REPLACE_DD_APP_KEY>|${DD_APP_KEY}|g ; s|<REPLACE_AWS_PROFILE>|${AWS_SSO_PROFILE_NAME}|g" ./tmp/.taskcat-temp.yml > ./tmp/.taskcat.yml
 
 taskcat upload -b ${TASKCAT_S3_BUCKET} -k ${TASKCAT_PROJECT} -p tmp