Passing ISecret for DD Construct (V2) should allow for passing KMS key

[wimaac]

Expected Behavior

Passing in an ISecret with a non-default encryptionKey field into the DD Construct (V2) for use in the extension layer should also add the grantDecrypt function to the KMS in question. Currently it only adds the grantRead function to the lambdas in question. In order to use a non-default KMS and cross account secret, this is necessary.

Actual Behavior

Passing in via the apiSecretKey property does add the grantRead to the Secret. However, it doesn't add the grantDecrypt. Thus a secret from a different AWS account cannot be used.

Steps to Reproduce the Problem

1. Create a secret with the DD API key in Account add files for layers and handlers #1. Use a non-default KMS key. Grant both the secret and KMS key to account Revert "add files for layers and handlers" #2
2. In account Revert "add files for layers and handlers" #2, run CDK stack with DD construct. Attempt to use the secret in account add files for layers and handlers #1. It will fail without permissions to decrypt the KMS key.

Specifications

• Datadog Lambda Layer version: 52
• Node version: 20