diff --git a/lib/barcelona/plugins/datadog_plugin.rb b/lib/barcelona/plugins/datadog_plugin.rb
index 927692eb..84c17399 100644
--- a/lib/barcelona/plugins/datadog_plugin.rb
+++ b/lib/barcelona/plugins/datadog_plugin.rb
@@ -19,9 +19,9 @@ def on_network_stack_template(_stack, template)
 return template if bastion_lc.nil?
 user_data = InstanceUserData.load_or_initialize(bastion_lc["Properties"]["UserData"])
- add_files!(user_data)
+ add_files!(user_data, has_docker: false)
 user_data.run_commands += [
- agent_command
+ agent_command(has_docker: false)
 ]
 bastion_lc["Properties"]["UserData"] = user_data.build
 template
@@ -42,11 +42,11 @@ def on_heritage_task_definition(_heritage, task_definition)
 )
 end
- def agent_command
+ def agent_command(has_docker: true)
 [
 "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=#{api_key} bash -c",
 '"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)" &&',
- 'usermod -a -G docker dd-agent &&',
+ has_docker ? 'usermod -a -G docker dd-agent &&' : '',
 'usermod -a -G systemd-journal dd-agent &&',
 'systemctl restart datadog-agent'
 ].flatten.compact.join(" ")
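Review bot: The bastion branch now passes `has_docker: false` as two separate literals, one to `add_files!` and one to `agent_command`, so the datadog.yaml written to the instance and the runcmd that follows it can silently disagree if only one call site is edited later. A single local threaded into both calls keeps config and command in step and records why the bastion is treated differently, which the hunk does not say: `has_docker = false # bastion host runs no containers — TODO confirm`. The body of on_network_stack_template starts outside the hunk.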
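Review bot: The new ternary on the docker usermod line yields `''` when `has_docker` is false, and the trailing `.compact` only drops `nil`, so the empty element survives into `join(" ")` and the bastion runcmd carries a doubled space between `&&` and `usermod -a -G systemd-journal`. Returning `nil` instead, `has_docker ? 'usermod -a -G docker dd-agent &&' : nil,` lets the existing `.compact` remove it; whether the spec string further down this page expects one space or two cannot be recovered from the collapsed text. Separately, the unchanged `bash -c "$(curl -L …/master/cmd/agent/install_script.sh)"` executes an unpinned branch-head script as root with no integrity check, and an empty or failed `$(...)` still lets the `&&` chain continue into the usermod calls; pinning a release tag and verifying a checksum, or at minimum `curl -fsSL` plus a non-empty check before execution, is worth a follow-up.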
@@ -56,38 +56,71 @@ def api_key attributes["api_key"] end - def add_files!(user_data) + def add_files!(user_data, has_docker: true) # this seems to be added to the bastion instance as well. "role:app" should probably be "role:bastion" to be accurate - user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML) - api_key: #{api_key} - logs_enabled: true - listeners: - - name: docker - config_providers: - - name: docker - polling: true - logs_config: - container_collect_all: true - process_config: - enabled: 'true' - runtime_security_config: - enabled: true - compliance_config: - enabled: true - sbom: - enabled: true + if has_docker + user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML) + api_key: #{api_key} + logs_enabled: true + listeners: + - name: docker + config_providers: + - name: docker + polling: true + logs_config: + container_collect_all: true + process_config: + enabled: 'true' + runtime_security_config: + enabled: true + compliance_config: + enabled: true + sbom: + enabled: true + container_image: + enabled: true + host: + enabled: true container_image: enabled: true - host: + tags: + - barcelona:#{district.name} + - barcelona-dd-agent + - district:#{district.name} + - role:app + DATADOG_YAML + else + user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML) + api_key: #{api_key} + logs_enabled: true + listeners: + - name: docker + config_providers: + - name: docker + polling: true + logs_config: + container_collect_all: false + process_config: + enabled: 'true' + runtime_security_config: enabled: true - container_image: - enabled: true - tags: - - barcelona:#{district.name} - - barcelona-dd-agent - - district:#{district.name} - - role:app - DATADOG_YAML + compliance_config: + enabled: true + sbom: + enabled: true + container_image: + enabled: false + host: + enabled: true + container_image: + enabled: false + tags: + - 
barcelona:#{district.name} + - barcelona-dd-agent + - district:#{district.name} + - role:app + DATADOG_YAML + end user_data.add_file("/etc/datadog-agent/system-probe.yaml", "root:root", "000755", <<~YAML) runtime_security_config: @@ -103,12 +136,14 @@ def add_files!(user_data) enabled: true YAML - user_data.add_file("/etc/datadog-agent/conf.d/docker.d/docker_daemon.yaml", "root:root", "000755", <<~YAML) - init_config: - instances: - - url: "unix://var/run/docker.sock" - new_tag_names: true - YAML + if has_docker + user_data.add_file("/etc/datadog-agent/conf.d/docker.d/docker_daemon.yaml", "root:root", "000755", <<~YAML) + init_config: + instances: + - url: "unix://var/run/docker.sock" + new_tag_names: true + YAML + end user_data.add_file("/etc/datadog-agent/conf.d/journal.d/conf.yaml", "root:root", "000755", <<~YAML) logs: diff --git a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb index 22d01bcf..cd4bb814 100644 --- a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb +++ b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb @@ -64,7 +64,7 @@ module Plugins end it "adds datadog agent instalation to bastion servers" do - expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent" + expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent" end it "installs agent config file to bastion servers" do 
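Review bot: The `else` branch of `add_files!` still writes `listeners: - name: docker` and `config_providers: - name: docker` with `polling: true` into datadog.yaml, so a host declared `has_docker: false` keeps the docker autodiscovery listener and provider even though the docker socket check and `container_collect_all` are switched off; dropping those two stanzas from the no-docker heredoc would match the intent of the flag. The call site now knows which hosts lack docker, so the old comment's concern about `role:app` on the bastion could be closed here rather than carried forward, e.g. `- role:#{has_docker ? 'app' : 'bastion'}`, assuming no-docker and bastion coincide as the first hunk suggests. The two heredocs otherwise differ only in three booleans (`container_collect_all` and the two `container_image.enabled` keys), so interpolating `#{has_docker}` into one template would remove the duplicated block and the risk of the copies drifting. Both branches also write a file embedding `api_key` as `root:root` `000755`, world-readable and executable; a tighter mode deserves a follow-up, though the `dd-agent` user that must read it is only created by the install script run later in `run_commands`, so ownership would have to be corrected there. The `add_files!` body continues past this hunk into the next one.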
@@ -74,7 +74,9 @@ module Plugins
 agent_config_hash = YAML.load(agent_config['content'])
 expect(agent_config_hash['api_key']).to eq(api_key)
 expect(agent_config_hash['logs_enabled']).to eq(true)
+ expect(agent_config_hash['logs_config']['container_collect_all']).not_to eq(true)
 expect(agent_config_hash['runtime_security_config']['enabled']).to eq(true)
+ expect(agent_config_hash['container_image']['enabled']).not_to eq(true)
 end
 it "installs system-probe config file to bastion servers" do
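Review bot: The two added assertions use `.not_to eq(true)`, which also passes when the key is absent (`nil`) or holds a string, so they do not pin what the bastion heredoc actually writes. `expect(agent_config_hash['logs_config']['container_collect_all']).to eq(false)` and `expect(agent_config_hash['container_image']['enabled']).to eq(false)` assert the real values and would catch a typo that dropped or misspelled the key. The example's setup starts outside the hunk.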