
I am trying to use Cloud Custodian webhooks to create tagged events in Datadog using the Datadog API.

The following code nearly works, except account_id is not created as a tag in Datadog. If I capture the body sent, it contains "01234" (i.e. a string.)

```yaml
- type: webhook
  url: https://api.datadoghq.eu/api/v1/events
  method: POST
  headers:
    DD-API-KEY: '`{{ dd_api_key }}`'
  body: |-
    {
      "title": `nutkin news`,
      "text": `squirrel found in account`,
      "tags": [resource.Name, policy.name, account_id]
    }
```

If I remove the jmespath queries in tags and just send string literals, e.g. `01234`, it will not appear in Datadog as a tag, but if I send `aws_account_id:01234` it will appear as a tag.

Ideally, for all the tags, I would like a mix of a string and the result of the jmespath query, as it would be more useable for users of Datadog (e.g. something like what is included below.)

"tags": [`resource_name:`resource.Name, `policy_name:`policy.name, `account_id:`account_id]

I've spent days on this. I've read all the docs on custodian, json and jmespath and just can't find the right syntax of brackets, quotes and backticks. Maybe it is not even possible to mix string literals and jmespath queries.

Just to reiterate the question, how do I combine string literals with jmespath queries to build up a web hook body in custodian web hooks?

  • Just wanted to quickly say that this looks good as a first question. I will quickly let you know the 'Goods' and 'Improvements' that I noticed, so you have guidance as to where to go from here. **Goods:** The fact that your title is an actual question is EXCELLENT. You'd be surprised at how many ignore this rule. Also, technologies have links so we don't need to put in 30+ minutes of research just to understand the question. – Nate T Nov 07 '21 at 02:43
  • **Improvements:** -- Should use `backtick` notation to let readers know which terms are technologies or are central to understanding the question. -- Repeat the main question at the very end. Sometimes the context will bring other questions to light, making it unclear what your main question is. If it is the last thing we read in the question, it will be fresh in our mind as we answer. -- Finally, when you add a link, bind it to a word. This way it does not break up the surrounding sentence and distract the reader's attention. – Nate T Nov 07 '21 at 02:43
  • **Note:** The purpose here is not to degrade what you submitted. Your question is good, especially for a first question. I am just reviewing first questions and giving a bit of feedback to each user. The kind of feedback I wish I'd had. I am going to edit to add some of the improvements I mentioned. Just remember, this is not to say the original is bad. That said, good can always be better. – Nate T Nov 07 '21 at 02:43
  • @NateT - *Should use backtick notation to let readers know which terms are technologies or are central to understanding the question.* - actually backticks should only be used for **code, errors, and other raw text literal content**. See [When should code formatting be used for non-code text?](https://meta.stackoverflow.com/q/254990/3744182). Use **bolding** or *italics* for emphasis. – dbc Nov 07 '21 at 17:21
  • Thanks for the detailed feedback, and the edit Nate – mikejmcfarlane Nov 08 '21 at 09:01

1 Answer


Solved! Needed a join statement for each tag, like:

```yaml
- type: webhook
  url: https://api.datadoghq.eu/api/v1/events
  method: POST
  headers:
    DD-API-KEY: '`{{ dd_api_key }}`'
  # Each tag is built with join(): a literal prefix plus the queried value.
  body: |-
    {
      "title": `nutkin news`,
      "text": `squirrel found in account`,
      "tags": [join(``, [`aws_resource:`, resource.Name]), join(``, [`custodian_policy:`, policy.name]), join(``, [`aws_account:`, account_id])]
    }
```