Merged
62 changes: 59 additions & 3 deletions aws/logs_monitoring/README.md
Expand Up @@ -23,7 +23,7 @@ For more information about sending AWS services logs with the Datadog Forwarder,

## Installation

Datadog recommends using [CloudFormation](#cloudformation) to automatically install the Forwarder. You can also complete the setup process using [Terraform](#terraform) or [manually](#manual). Once installed, you can subscribe the Forwarder to log sources such as S3 buckets or CloudWatch log groups by [setting up triggers][4].
Datadog recommends using [CloudFormation](?tab=cloudformation#cloudformation) to automatically install the Forwarder. You can also complete the setup process using [Terraform](?tab=terraform#terraform) or [manually](?tab=manual#manual). For multi-region or multi-account deployments, see [Multi-Region & Multi-Account](?tab=multiregionmultiaccount#multi-region-multi-account) for CloudFormation StackSets or use the [Terraform](?tab=terraform#terraform) module. Once installed, you can subscribe the Forwarder to log sources such as S3 buckets or CloudWatch log groups by [setting up triggers][4].

**Note**: Forwarder v4.1.0+ does not support x86_64 architecture. If you are using x86_64, you must migrate to ARM64 to use the Datadog Forwarder.

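Review bot: In the rewritten first sentence, the new link `?tab=multiregionmultiaccount#multi-region-multi-account` should be checked against the tab and heading it targets. The tab added later in this PR is titled "Multi-Region & Multi-Account (AWS Organizations)", so the `tab` value may need to include the parenthesized part, and the heading `### Multi-Region & Multi-Account` usually produces an anchor with a double hyphen where the `&` is dropped (`multi-region--multi-account`). If either part does not match, the link falls back to the top of the page. The sentence also links Terraform twice; the second mention could be merged into the first.
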
Expand All @@ -48,12 +48,68 @@ If you had previously enabled your AWS Integration using the [following CloudFor
[101]: https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/#set-up-triggers
[102]: https://github.com/DataDog/cloudformation-template/tree/master/aws

{{% /tab %}}
{{% tab "Multi-Region & Multi-Account (AWS Organizations)" %}}

### Multi-Region & Multi-Account

If you're using AWS Organizations, you can use CloudFormation StackSets to deploy the Forwarder across multiple AWS regions and accounts automatically.

#### Single account, multiple regions

1. Deploy the Forwarder template using [CloudFormation StackSets][151] in the AWS Console.
2. In the **Permissions** section, optionally provide an IAM admin role ARN, or leave the default IAM execution role name (`AWSCloudFormationStackSetExecutionRole`).
3. In the **Specify template** section:
1. Select **Amazon S3 URL**.
1. Enter the Forwarder template URL: `https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml`.
1. Click **Next**.
4. In the **Specify stack set details** section:
1. Provide a stack set name.
1. Provide a valid Datadog API key using **one** of the `DdApiKey`, `DdApiKeySecretArn`, or `DdApiKeySsmParameterName` fields.
1. Select the appropriate Datadog site in the `DdSite` field.
1. Optionally, configure other parameters.
1. Click **Next**.
5. In the **Configure stack set options** section:
1. Optionally, configure the provided options.
1. Check the box under **Capabilities**.
1. Click **Next**.
6. On the **Set deployment options** page:
1. Select **Deploy stacks in accounts** and enter your AWS account IDs.
1. Under **Specify regions**, add target regions where you want to deploy the Forwarder.
1. Click **Next**.
7. Review the details, and click **Submit**.

#### Multiple accounts

**Prerequisite**: You must be logged into your **AWS Organizations management account** to use this deployment method.

1. Enable [trusted access for CloudFormation StackSets][153] in AWS Organizations (this is a one-time setup).
2. Deploy from the organization management account using [CloudFormation StackSets][151].
3. In the **Permissions** section, choose **Service-managed permissions**. This option allows CloudFormation StackSets to create the necessary IAM roles in target accounts automatically.
4. In the **Specify template** section:
1. Select **Amazon S3 URL**.
1. Enter the Forwarder template URL: `https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml`.
1. Click **Next**.
5. In the **Specify stack set details** section:
1. Provide a stack set name.
1. Provide a valid Datadog API key using **one** of the `DdApiKey`, `DdApiKeySecretArn`, or `DdApiKeySsmParameterName` fields.
1. Select the appropriate Datadog site in the `DdSite` field.
1. Optionally, configure other parameters.
1. Click **Next**.
6. Choose **Deploy to organization** and specify target organizational units (OUs) or individual accounts, along with the regions where you want to deploy the Forwarder.

**Note**: Regardless of whether you specify organizational units or individual accounts, you must [set up triggers][155] after the Forwarder is deployed.

[151]: https://console.aws.amazon.com/cloudformation/home#/stacksets/create
[153]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html
[155]: https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/#set-up-triggers

{{% /tab %}}
{{% tab "Terraform" %}}

### Terraform

Install the Forwarder using the public Datadog Terraform module available at [https://registry.terraform.io/modules/DataDog/log-lambda-forwarder-datadog/aws/latest][201]. Once the Lambda function is deployed, [set up triggers on the Forwarder][202].
Install the Forwarder using the public [log-lambda-forwarder-datadog][201] Terraform module. The Terraform module supports both multi-region and multi-account deployments. After the Lambda function is deployed, [set up triggers on the Forwarder][202].

#### Sample configuration

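Review bot: The step "Provide a valid Datadog API key using **one** of the `DdApiKey`, `DdApiKeySecretArn`, or `DdApiKeySsmParameterName` fields", in both procedures, presents the three options as interchangeable, which steers readers toward pasting the key itself into `DdApiKey` as a stack set parameter that is then applied to every target account and region. Suggest recommending `DdApiKeySecretArn` or `DdApiKeySsmParameterName` for these deployments and stating whether the referenced secret or parameter must exist in each target account and region, since a stack set passes the same parameter values to every stack instance unless they are overridden. Separately, "Multiple accounts" stops at step 6 and omits the **Capabilities** acknowledgement and the review and submit step that the single-account procedure has; add them, and say that the checkbox acknowledges IAM resource creation rather than only "Check the box". The template URL ends in `latest.yaml`, so an organization-wide stack set deploys whatever is currently published there; if versioned templates are published, mention pinning one for teams that review changes before rollout.
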
Expand All @@ -70,7 +126,7 @@ module "datadog_forwarder" {
**Note**: Ensure that the `dd_site` parameter matches your [Datadog site][203]. Select your site on the right side of this page. Your Datadog site is {{< region-param key="dd_site" code="true" >}}.
Your [Datadog API key][204] to use for `dd_api_key` can be found under **Organization Settings** > **API Keys**.

For all configuration options and details, including [Multi-Region deployment][205], see the [module documentation][201].
For all configuration options and details, including [multi-region and multi-account deployments][205], see the [module documentation][201].

[201]: https://registry.terraform.io/modules/DataDog/log-lambda-forwarder-datadog/aws/latest
[202]: https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/#set-up-triggers
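
Review bot: The link text on the changed line now reads "multi-region and multi-account deployments" but still points at `[205]`, whose definition is outside the visible hunk and previously backed the text "Multi-Region deployment". Confirm that the `[205]` target covers multi-account deployments as well, or point it at a section that does, so the link does not promise more than the destination documents.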