A plugin to upload assets to Datadog's storage
Warning
The Apps plugin is in alpha and is likely to break in most setups. Use it only for experimentation; behavior and APIs may change without notice.
apps?: {
dryRun?: boolean;
enable?: boolean;
include?: string[];
identifier?: string;
name?: string;
description?: string;
selfService?: boolean;
permissions?: {
protectionLevel?: 'direct_publish' | 'approval_required';
runAs?: string;
};
authOverrides?: {
method?: 'apiKey' | 'oauth';
};
publish?: boolean;
}Upload built assets to Datadog storage as a compressed archive.
Note
You can override the domain used in the request with the DATADOG_SITE environment variable or the auth.site options (eg. datadoghq.eu).
You can override the full intake URL by setting the DATADOG_APPS_INTAKE_URL environment variable (eg. https://apps-intake.datadoghq.com/api/v1/apps).
default:
true
Prepare the archive and log the upload summary without sending anything to Datadog.
Set to false to actually upload assets to Datadog. You can also enable uploads by setting the DATADOG_APPS_UPLOAD_ASSETS (or DD_APPS_UPLOAD_ASSETS) environment variable.
Setting the apps.dryRun configuration will override any value set in the environment variable.
default:
truewhen anappsconfig block is present,falseotherwise.
Enable or disable the plugin without removing its configuration.
Must be a boolean. Non-boolean values are coerced today but will be rejected in a future major release.
default:
[]
Additional glob patterns (relative to the project root) to include in the uploaded archive. The bundler output directory is always included.
default:
apiKeywhen bothDD_API_KEYandDD_APP_KEYare configured, otherwiseoauth
Authentication method for uploading app bundles.
Use apiKey to send DD_API_KEY/DD_APP_KEY credentials from the shared auth config. Use oauth to complete a local Authorization Code + PKCE flow and upload with a short-lived bearer token instead.
When apps.authOverrides.method is not set, the plugin uses API/App-key auth if both keys are configured. If either key is missing, it uses OAuth by default.
You can also set DATADOG_APPS_AUTH_METHOD or DD_APPS_AUTH_METHOD to apiKey or oauth.
When the method is oauth, the plugin derives OAuth client settings from the resolved Datadog site. The plugin reads tokens from the OS credential store, refreshes expired access tokens when a refresh token is available, and only starts browser authorization when no usable stored token exists.
For first-time authorization, the plugin starts a temporary local HTTP callback server, opens Datadog authorization in the browser, exchanges the authorization code with PKCE, and saves the returned token response for later uploads.
OAuth token and authorization URLs are derived from auth.site, so it must match your Datadog data center (e.g. datadoghq.com, us5.datadoghq.com, datadoghq.eu). If auth.site includes a custom subdomain (e.g. myorg.us5.datadoghq.com), the browser is sent to that subdomain for authorization, while the token exchange and upload requests still use the base site (us5.datadoghq.com).
default: an internal computation between the
nameandrepositoryfields inpackage.jsonor from thegitplugin.
Override the app's identifier used to identify the current app against the assets upload API.
Can be useful to enforce a static identifier instead of relying on possibly changing information like app's name and repository's url.
default: extracted from the
namefield inpackage.json.
Override the app's name used in the assets upload API request.
Can be useful to enforce a static name instead of relying on the package.json name field.
default:
undefined(preserves existing description)
Human-readable description for the app. Set once at initial deploy; subsequent deploys without this field leave the existing description unchanged.
default:
undefined(preserves existing setting)
When true, the app appears in the Datadog self-service catalog so other users can run it from a central directory. When false, the app is hidden from the catalog. Omitting this field leaves the existing setting unchanged.
default:
undefined(preserves existing setting)
Controls whether publishing the app requires a second approver.
direct_publish— any user with publish rights can deploy immediately.approval_required— a second editor must approve before the app goes live.
Omitting this field leaves the existing setting unchanged.
default:
undefined(preserves existing setting)
UUID of the service account the app's backend functions run as. When set, all backend function executions use this service account's credentials instead of the uploading user's. Omitting this field leaves the existing setting unchanged.
Note
Only service accounts are accepted. Arbitrary user UUIDs are rejected by the Datadog API. The caller must have service_account_write permission and the service account's role set must be a subset of the caller's roles.
default:
true
When true (the default), the plugin publishes the uploaded version to live immediately after upload. Set to false to upload a draft without publishing it.
You can also disable publishing via the DATADOG_APPS_PUBLISH=false (or DD_APPS_PUBLISH=false) environment variable. The explicit apps.publish config takes precedence over the environment variable.
The datadog-apps deploy --no-publish CLI command sets this automatically — prefer the CLI over configuring this directly.