
Feature Request: Support AWS Secrets Manager external rotation #49

Description

Summary

I'd like a supported way to use this module with secrets rotated by AWS Secrets Manager's managed external secrets feature for Datadog, which launched in May 2026.

That feature stores the API key as JSON:

{ "apiKey": "<32-char hex key>", "apiKeyId": "<uuid>" }

Today, dd_api_key_secret_arn requires the secret to be stored as
plaintext, so a managed-rotated secret cannot be used.

Why it matters

Datadog API keys consumed by this module are some of the longest-lived,
highest-blast-radius credentials in our AWS estate, and today they are
effectively never rotated. Supporting the managed envelope would give us:

  • Automatic, scheduled rotation with no custom Lambdas to maintain.
  • Reduced blast radius if a key leaks — rotation horizon becomes days instead of a manual process.
  • Audit/compliance wins — verifiable rotation cadence on a credential that submits all production telemetry.
  • One canonical pattern across every forwarder deployment, instead of one-off rotation scripts per team or environment.

References
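
One way a consumer of the secret could accept both the plaintext form and the managed JSON form described in this issue. This is an added example, not part of the original issue or the module's code; `extract_api_key`, `SecretFormatError` and the sample values are hypothetical, and the 32-character hex check is taken from the key shape quoted above.

```python
import json
import re

# The issue describes the key as "<32-char hex key>"; enforce that shape.
KEY_RE = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample values, not real credentials.
SAMPLE_KEY = "0123456789abcdef0123456789abcdef"
SAMPLE_PLAINTEXT = SAMPLE_KEY + "\n"
SAMPLE_MANAGED = json.dumps(
    {"apiKey": SAMPLE_KEY, "apiKeyId": "00000000-0000-0000-0000-000000000000"}
)


class SecretFormatError(ValueError):
    """Raised when a secret value holds no usable API key."""


def extract_api_key(secret_string):
    """Return the API key from a plaintext or managed-rotation secret value.

    secret_string is the SecretString the caller already fetched from
    Secrets Manager. Error messages never include the secret itself.
    """
    if not isinstance(secret_string, str) or not secret_string.strip():
        raise SecretFormatError("secret value is empty or not a string")
    candidate = secret_string.strip()

    # Managed external rotation stores {"apiKey": ..., "apiKeyId": ...}.
    if candidate.startswith("{"):
        try:
            envelope = json.loads(candidate)
        except json.JSONDecodeError:
            # "from None" drops the chained exception, whose .doc attribute
            # would otherwise carry the raw secret into tracebacks and logs.
            raise SecretFormatError("secret looks like JSON but does not parse") from None
        candidate = envelope.get("apiKey")
        if not isinstance(candidate, str):
            raise SecretFormatError("JSON secret has no string 'apiKey' field")

    # Fail closed on anything that is not key-shaped, in either format.
    if not KEY_RE.fullmatch(candidate):
        raise SecretFormatError("API key is not 32 hexadecimal characters")
    return candidate
```

Because the format is detected on every read, a secret can move from plaintext to managed rotation without a change on the consumer side.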
