diff --git a/lib/barcelona/plugins/datadog_plugin.rb b/lib/barcelona/plugins/datadog_plugin.rb
index 84c17399..abf8d027 100644
--- a/lib/barcelona/plugins/datadog_plugin.rb
+++ b/lib/barcelona/plugins/datadog_plugin.rb
@@ -3,7 +3,7 @@ module Plugins
     class DatadogPlugin < Base
       # This plugin must be the last of the instalation order
       # Usage sample:
-      # bcn district put-plugin -a api_key=8e53.... -a hook_priority=10 ec-staging datadog
+      # bcn district put-plugin -a api_key=8e53.... -a hook_priority=10 -a cws=enabled ec-staging datadog
 
       def on_container_instance_user_data(_instance, user_data)
         add_files!(user_data)
@@ -19,7 +19,7 @@ def on_network_stack_template(_stack, template)
         return template if bastion_lc.nil?
 
         user_data = InstanceUserData.load_or_initialize(bastion_lc["Properties"]["UserData"])
-        add_files!(user_data, has_docker: false)
+        add_files!(user_data, has_docker: false, role: 'bastion')
         user_data.run_commands += [
           agent_command(has_docker: false)
         ]
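Review bot: The usage sample now shows `-a cws=enabled`, but neither it nor the surrounding comment says the attribute is optional or that the match is exact, so `cws=true` or `cws=Enabled` silently leaves Cloud Workload Security off and a typo in the switch is indistinguishable from a deliberate opt-out. I would extend the comment with `# Optional: -a cws=enabled writes the system-probe/security-agent config (Cloud Workload Security).` and `# The check is an exact string match; any other value, including "true", leaves CWS off.`. The `instalation` typo in the context line just above could be fixed in the same pass.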
@@ -56,86 +56,29 @@ def api_key attributes["api_key"] end - def add_files!(user_data, has_docker: true) - # this seems to be added to the bastion instance as well. "role:app" should probably be "role:bastion" to be accurate - if has_docker - user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML) - api_key: #{api_key} - logs_enabled: true - listeners: - - name: docker - config_providers: - - name: docker - polling: true - logs_config: - container_collect_all: true - process_config: - enabled: 'true' + def security_enabled + attributes["cws"] == 'enabled' + end + + def add_files!(user_data, has_docker: true, role: 'app') + user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", agent_config_file(has_docker: has_docker, role: role)) + + if security_enabled + user_data.add_file("/etc/datadog-agent/system-probe.yaml", "root:root", "000755", <<~YAML) runtime_security_config: enabled: true - compliance_config: - enabled: true - sbom: - enabled: true - container_image: - enabled: true - host: - enabled: true - container_image: - enabled: true - tags: - - barcelona:#{district.name} - - barcelona-dd-agent - - district:#{district.name} - - role:app - DATADOG_YAML - else - user_data.add_file("/etc/datadog-agent/datadog.yaml", "root:root", "000755", <<~DATADOG_YAML) - api_key: #{api_key} - logs_enabled: true - listeners: - - name: docker - config_providers: - - name: docker - polling: true - logs_config: - container_collect_all: false - process_config: - enabled: 'true' + YAML + + user_data.add_file("/etc/datadog-agent/security-agent.yaml", "root:root", "000755", <<~YAML) runtime_security_config: enabled: true compliance_config: enabled: true - sbom: - enabled: true - container_image: - enabled: false - host: + host_benchmarks: enabled: true - container_image: - enabled: false - tags: - - barcelona:#{district.name} - - barcelona-dd-agent - - district:#{district.name} - - role:app - DATADOG_YAML + YAML end - 
user_data.add_file("/etc/datadog-agent/system-probe.yaml", "root:root", "000755", <<~YAML) - runtime_security_config: - enabled: true - YAML - - user_data.add_file("/etc/datadog-agent/security-agent.yaml", "root:root", "000755", <<~YAML) - runtime_security_config: - enabled: true - compliance_config: - enabled: true - host_benchmarks: - enabled: true - YAML - if has_docker user_data.add_file("/etc/datadog-agent/conf.d/docker.d/docker_daemon.yaml", "root:root", "000755", <<~YAML) init_config: 
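Review bot: The rewritten `add_files!` still writes `/etc/datadog-agent/datadog.yaml` — the file that carries `api_key` — as `root:root` with mode `000755`, which leaves the Datadog API key readable by every local user; the mode is not new (the removed lines used it too), but the line is being rewritten anyway, so this is the moment to tighten it. The `usermod ... dd-agent` steps in the specs' runcmd indicate the agent runs as `dd-agent`, a user that does not exist when cloud-init writes files, so root ownership is forced here; I would use `"000640"` and add a `chown dd-agent:dd-agent /etc/datadog-agent/datadog.yaml` after the install step in `run_commands`, assuming the install script does not already fix ownership of a pre-existing file — worth confirming. The new `system-probe.yaml` and `security-agent.yaml` carry no secret, but 0755 is still broader than a config file needs. `add_files!` continues past the end of this hunk.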
@@ -150,6 +93,114 @@ def add_files!(user_data, has_docker: true)
             - type: journald
         YAML
       end
+
+      def agent_config_file(has_docker: true, role: 'app')
+        if has_docker
+          if security_enabled
+            <<~DATADOG_YAML
+              api_key: #{api_key}
+              logs_enabled: true
+              listeners:
+                - name: docker
+              config_providers:
+                - name: docker
+                  polling: true
+              logs_config:
+                container_collect_all: true
+              process_config:
+                enabled: 'true'
+              runtime_security_config:
+                enabled: true
+              compliance_config:
+                enabled: true
+              sbom:
+                enabled: true
+                container_image:
+                  enabled: true
+                host:
+                  enabled: true
+              container_image:
+                enabled: true
+              tags:
+                - barcelona:#{district.name}
+                - barcelona-dd-agent
+                - district:#{district.name}
+                - role:#{role}
+            DATADOG_YAML
+          else
+            <<~DATADOG_YAML
+              api_key: #{api_key}
+              logs_enabled: true
+              listeners:
+                - name: docker
+              config_providers:
+                - name: docker
+                  polling: true
+              logs_config:
+                container_collect_all: true
+              process_config:
+                enabled: 'true'
+              tags:
+                - barcelona:#{district.name}
+                - barcelona-dd-agent
+                - district:#{district.name}
+                - role:#{role}
+            DATADOG_YAML
+          end
+        else
+          if security_enabled
+            <<~DATADOG_YAML
+              api_key: #{api_key}
+              logs_enabled: true
+              listeners:
+                - name: docker
+              config_providers:
+                - name: docker
+                  polling: true
+              logs_config:
+                container_collect_all: false
+              process_config:
+                enabled: 'true'
+              runtime_security_config:
+                enabled: true
+              compliance_config:
+                enabled: true
+              sbom:
+                enabled: true
+                container_image:
+                  enabled: false
+                host:
+                  enabled: true
+              container_image:
+                enabled: false
+              tags:
+                - barcelona:#{district.name}
+                - barcelona-dd-agent
+                - district:#{district.name}
+                - role:#{role}
+            DATADOG_YAML
+          else
+            <<~DATADOG_YAML
+              api_key: #{api_key}
+              logs_enabled: true
+              listeners:
+                - name: docker
+              config_providers:
+                - name: docker
+                  polling: true
+              logs_config:
+                container_collect_all: false
+              process_config:
+                enabled: 'true'
+              tags:
+                - barcelona:#{district.name}
+                - barcelona-dd-agent
+                - district:#{district.name}
+                - role:#{role}
+            DATADOG_YAML
+          end
+        end
+      end
     end
   end
 end
diff --git a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
index cd4bb814..3441b093 100644
--- a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
+++ b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
@@ -5,12 +5,14 @@ module Plugins
     describe DatadogPlugin do
       context "without proxy plugin" do
         let(:api_key) { 'abcdef'}
+        let(:security_enabled) { 'enabled' }
         let!(:district) do
           create :district, plugins_attributes: [
             {
               name: 'datadog',
               plugin_attributes: {
-                "api_key" => api_key
+                "api_key" => api_key,
+                "cws" => security_enabled
               }
             }
           ]
@@ -32,6 +34,7 @@ module Plugins
           expect(agent_config_hash['api_key']).to eq(api_key)
           expect(agent_config_hash['logs_enabled']).to eq(true)
           expect(agent_config_hash['runtime_security_config']['enabled']).to eq(true)
+          expect(agent_config_hash['tags'].last).to eq('role:app')
         end
 
         it "installs system-probe config file" do
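Review bot: `agent_config_file` spells out four near-identical heredocs that differ only in three booleans (`container_collect_all` and the two `container_image.enabled` flags) plus the presence of the security section — the same duplication that let the old hard-coded `role:app` tag go stale on the bastion, and any future change to `tags` or `process_config` now has to be made in four places. I would build the document from a base section, an optional security section and the tags, interpolating `has_docker` where the branches differed. The result parses to the same hashes the four heredocs produce today, so the existing specs should pass unchanged. The method is fully contained in this hunk.
```ruby
      def agent_config_file(has_docker: true, role: 'app')
        # Keys common to every variant; only log collection depends on docker.
        base = <<~DATADOG_YAML
          api_key: #{api_key}
          logs_enabled: true
          listeners:
            - name: docker
          config_providers:
            - name: docker
              polling: true
          logs_config:
            container_collect_all: #{has_docker}
          process_config:
            enabled: 'true'
        DATADOG_YAML
        tags = <<~DATADOG_YAML
          tags:
            - barcelona:#{district.name}
            - barcelona-dd-agent
            - district:#{district.name}
            - role:#{role}
        DATADOG_YAML
        security = security_enabled ? security_config_section(has_docker: has_docker) : ""
        base + security + tags
      end

      # CWS, compliance and SBOM keys; image scanning only makes sense with docker present.
      def security_config_section(has_docker:)
        <<~DATADOG_YAML
          runtime_security_config:
            enabled: true
          compliance_config:
            enabled: true
          sbom:
            enabled: true
            container_image:
              enabled: #{has_docker}
            host:
              enabled: true
          container_image:
            enabled: #{has_docker}
        DATADOG_YAML
      end
```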
@@ -52,6 +55,38 @@ module Plugins
           expect(security_agent_config_hash['compliance_config']['host_benchmarks']['enabled']).to eq(true)
         end
 
+        context "when security switch is off" do
+          let(:security_enabled) { nil }
+
+          it "gets hooked with container_instance_user_data trigger" do
+            expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
+          end
+
+          it "installs agent config file without security" do
+            agent_config = user_data['write_files'].find do |f|
+              f['path'] == '/etc/datadog-agent/datadog.yaml'
+            end
+            agent_config_hash = YAML.load(agent_config['content'])
+            expect(agent_config_hash['api_key']).to eq(api_key)
+            expect(agent_config_hash['logs_enabled']).to eq(true)
+            expect(agent_config_hash.dig('runtime_security_config', 'enabled')).to be_nil
+          end
+
+          it "dosn't installs system-probe config file" do
+            agent_config = user_data['write_files'].find do |f|
+              f['path'] == '/etc/datadog-agent/system-probe.yaml'
+            end
+            expect(agent_config).to be_nil
+          end
+
+          it "dosn't installs security config file" do
+            agent_config = user_data['write_files'].find do |f|
+              f['path'] == '/etc/datadog-agent/security-agent.yaml'
+            end
+            expect(agent_config).to be_nil
+          end
+        end
+
         context "when hooked with network_stack_template trigger" do
           before do
             district.save!
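Review bot: In the new "when security switch is off" context the runcmd expectation still pins `DD_RUNTIME_SECURITY_CONFIG_ENABLED=true` in the install command, so with `cws` unset the host no longer gets the system-probe/security-agent config files but the Datadog install script is still told to enable runtime security. That variable appears to come from `agent_command` (outside this diff), which evidently does not consult `security_enabled`; if the install script honours it by writing its own security config, a "disabled" host may still come up with CWS on, and either way the switch is only half applied. I would gate the variable on `security_enabled` in `agent_command` and turn this expectation into `expect(user_data["runcmd"].last).not_to include("DD_RUNTIME_SECURITY_CONFIG_ENABLED=true")`.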
@@ -96,6 +131,39 @@ module Plugins
             expect(security_agent_config_hash['compliance_config']['enabled']).to eq(true)
             expect(security_agent_config_hash['compliance_config']['host_benchmarks']['enabled']).to eq(true)
           end
+
+          context "when security switch is off" do
+            let(:security_enabled) { nil }
+
+            it "gets hooked with container_instance_user_data trigger" do
+              expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
+            end
+
+            it "installs agent config file without security" do
+              agent_config = user_data['write_files'].find do |f|
+                f['path'] == '/etc/datadog-agent/datadog.yaml'
+              end
+              agent_config_hash = YAML.load(agent_config['content'])
+              expect(agent_config_hash['api_key']).to eq(api_key)
+              expect(agent_config_hash['logs_enabled']).to eq(true)
+              expect(agent_config_hash['tags'].last).to eq('role:bastion')
+              expect(agent_config_hash.dig('runtime_security_config', 'enabled')).to be_nil
+            end
+
+            it "dosn't installs system-probe config file" do
+              agent_config = user_data['write_files'].find do |f|
+                f['path'] == '/etc/datadog-agent/system-probe.yaml'
+              end
+              expect(agent_config).to be_nil
+            end
+
+            it "dosn't installs security config file" do
+              agent_config = user_data['write_files'].find do |f|
+                f['path'] == '/etc/datadog-agent/security-agent.yaml'
+              end
+              expect(agent_config).to be_nil
+            end
+          end
         end
       end
     end
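Review bot: The first example in the new context is named `"gets hooked with container_instance_user_data trigger"`, but it lives inside the `"when hooked with network_stack_template trigger"` context (whose `context` line is above this hunk) and asserts on the bastion command without the `usermod -a -G docker` step, so the name was copied from the container-instance variant and describes the wrong hook. The two `"dosn't installs ..."` names are also misspelt. I would rename them to `it "installs the agent without runtime security on the bastion"`, `it "doesn't install the system-probe config file"` and `it "doesn't install the security-agent config file"`.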