degica · essa · Mar 1, 2024 · Feb 29, 2024 · Feb 29, 2024
diff --git a/lib/barcelona/plugins/datadog_plugin.rb b/lib/barcelona/plugins/datadog_plugin.rb
@@ -19,9 +19,9 @@ def on_network_stack_template(_stack, template)
         return template if bastion_lc.nil?
 
         user_data = InstanceUserData.load_or_initialize(bastion_lc["Properties"]["UserData"])
-        add_files!(user_data)
+        add_files!(user_data, has_docker: false)
         user_data.run_commands += [
-          agent_command
+          agent_command(has_docker: false)
         ]
         bastion_lc["Properties"]["UserData"] = user_data.build
         template
@@ -42,11 +42,11 @@ def on_heritage_task_definition(_heritage, task_definition)
         )
       end
 
-      def agent_command
+      def agent_command(has_docker: true)
         [
           "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=#{api_key} bash -c",
           '"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)" &&',
-          'usermod -a -G docker dd-agent &&',
+          has_docker ? 'usermod -a -G docker dd-agent &&' : '',
           'usermod -a -G systemd-journal dd-agent &&',
           'systemctl restart datadog-agent'
         ].flatten.compact.join(" ")
@@ -56,38 +56,71 @@ def api_key
         attributes["api_key"]
       end
 
-      def add_files!(user_data)
+      def add_files!(user_data, has_docker: true)
         # this seems to be added to the bastion instance as well. "role:app" should probably be "role:bastion" to be accurate
-        user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML)
-          api_key: #{api_key}
-          logs_enabled: true
-          listeners:
-            - name: docker
-          config_providers:
-            - name: docker
-              polling: true
-          logs_config:
-            container_collect_all: true
-          process_config:
-            enabled: 'true'
-          runtime_security_config:
-            enabled: true
-          compliance_config:
-            enabled: true
-          sbom:
-            enabled: true
+        if has_docker
+          user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML)
+            api_key: #{api_key}
+            logs_enabled: true
+            listeners:
+              - name: docker
+            config_providers:
+              - name: docker
+                polling: true
+            logs_config:
+              container_collect_all: true
+            process_config:
+              enabled: 'true'
+            runtime_security_config:
+              enabled: true
+            compliance_config:
+              enabled: true
+            sbom:
+              enabled: true
+              container_image:
+                enabled: true
+              host:
+                enabled: true
             container_image:
               enabled: true
-            host:
+            tags:
+              - barcelona:#{district.name}
+              - barcelona-dd-agent
+              - district:#{district.name}
+              - role:app
+          DATADOG_YAML
+        else
+          user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML)
+            api_key: #{api_key}
+            logs_enabled: true
+            listeners:
+              - name: docker
+            config_providers:
+              - name: docker
+                polling: true
+            logs_config:
+              container_collect_all: false
+            process_config:
+              enabled: 'true'
+            runtime_security_config:
               enabled: true
-          container_image:
-            enabled: true
-          tags:
-            - barcelona:#{district.name}
-            - barcelona-dd-agent
-            - district:#{district.name}
-            - role:app
-        DATADOG_YAML
+            compliance_config:
+              enabled: true
+            sbom:
+              enabled: true
+              container_image:
+                enabled: false
+              host:
+                enabled: true
+            container_image:
+              enabled: false
+            tags:
+              - barcelona:#{district.name}
+              - barcelona-dd-agent
+              - district:#{district.name}
+              - role:app
+          DATADOG_YAML
+        end
 
         user_data.add_file("/etc/datadog-agent/system-probe.yaml", "root:root", "000755", <<~YAML)
           runtime_security_config:
@@ -103,12 +136,14 @@ def add_files!(user_data)
               enabled: true
         YAML
 
-        user_data.add_file("/etc/datadog-agent/conf.d/docker.d/docker_daemon.yaml", "root:root", "000755", <<~YAML)
-          init_config:
-          instances:
-            - url: "unix://var/run/docker.sock"
-              new_tag_names: true
-        YAML
+        if has_docker
+          user_data.add_file("/etc/datadog-agent/conf.d/docker.d/docker_daemon.yaml", "root:root", "000755", <<~YAML)
+            init_config:
+            instances:
+              - url: "unix://var/run/docker.sock"
+                new_tag_names: true
+          YAML
+        end
 
         user_data.add_file("/etc/datadog-agent/conf.d/journal.d/conf.yaml", "root:root", "000755", <<~YAML)
           logs:

diff --git a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
@@ -64,7 +64,7 @@ module Plugins
           end
 
           it "adds datadog agent instalation to bastion servers" do
-            expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
+            expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" &&  usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
           end
 
           it "installs agent config file to bastion servers" do
@@ -74,7 +74,9 @@ module Plugins
             agent_config_hash = YAML.load(agent_config['content'])
             expect(agent_config_hash['api_key']).to eq(api_key)
             expect(agent_config_hash['logs_enabled']).to eq(true)
+            expect(agent_config_hash['logs_config']['container_collect_all']).not_to eq(true)
             expect(agent_config_hash['runtime_security_config']['enabled']).to eq(true)
+            expect(agent_config_hash['container_image']['enabled']).not_to eq(true)
           end
 
           it "installs system-probe config file to bastion servers" do