ci: migrate CI secrets from AWS SSM to Vault KV (#1145)

## Summary
- Migrate `get_secrets.sh` from `aws ssm get-parameter` to `vault kv
get`, matching the pattern used by `datadog-lambda-js`
- Remove `DATADOG_API_SECRET_ARN` from CI secrets — the ARN is a public
resource identifier, not sensitive data
- Hardcode the Secrets Manager ARN directly in
`integration-tests/lib/util.ts`

## Test plan
- [ ] Verify CI pipeline can fetch secrets from Vault KV at
`kv/k8s/gitlab-runner/datadog-lambda-extension/secrets`
- [ ] Verify integration tests pass with the hardcoded secret ARN
- [ ] Confirm `DD_API_KEY`, `DD_APP_KEY`, and external ID are correctly
resolved

Author: duncanista

.gitlab/scripts/get_secrets.sh

@@ -21,39 +21,15 @@ fi
 
 printf "Getting AWS External ID...\n"
 
-EXTERNAL_ID=$(aws ssm get-parameter \
-    --region us-east-1 \
-    --name "ci.datadog-lambda-extension.$EXTERNAL_ID_NAME" \
-    --with-decryption \
-    --query "Parameter.Value" \
-    --out text)
+EXTERNAL_ID=$(vault kv get -field="$EXTERNAL_ID_NAME" kv/k8s/gitlab-runner/datadog-lambda-extension/secrets)
 
 printf "Getting DD API KEY...\n"
 
-export DD_API_KEY=$(aws ssm get-parameter \
-    --region us-east-1 \
-    --name ci.datadog-lambda-extension.dd-api-key \
-    --with-decryption \
-    --query "Parameter.Value" \
-    --out text)
-
-printf "Getting DD API KEY Secret ARN...\n"
-
-export DATADOG_API_SECRET_ARN=$(aws ssm get-parameter \
-    --region us-east-1 \
-    --name ci.datadog-lambda-extension.dd-api-key-secret-arn \
-    --with-decryption \
-    --query "Parameter.Value" \
-    --out text)
+export DD_API_KEY=$(vault kv get -field=dd-api-key kv/k8s/gitlab-runner/datadog-lambda-extension/secrets)
 
 printf "Getting DD APP KEY...\n"
 
-export DD_APP_KEY=$(aws ssm get-parameter \
-    --region us-east-1 \
-    --name ci.datadog-lambda-extension.dd-app-key \
-    --with-decryption \
-    --query "Parameter.Value" \
-    --out text)
+export DD_APP_KEY=$(vault kv get -field=dd-app-key kv/k8s/gitlab-runner/datadog-lambda-extension/secrets)
 
 printf "Assuming role...\n"
 

integration-tests/lib/util.ts

@@ -6,7 +6,7 @@ import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { LayerVersion } from "aws-cdk-lib/aws-lambda";
 import {ACCOUNT, REGION} from "../config";
 
-export const datadogSecretArn = process.env.DATADOG_API_SECRET_ARN!;
+export const datadogSecretArn = 'arn:aws:secretsmanager:us-east-1:425362996713:secret:extension-integration-tests-api-key-PnEPHz';
 export const extensionLayerArn = process.env.EXTENSION_LAYER_ARN!;
 
 export const defaultNodeRuntime = lambda.Runtime.NODEJS_24_X;