Enable datadog seucirty

degica · Feb 27, 2024 · a764be2 · a764be2
1 parent 6798ab4
commit a764be2
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 5 deletions.
diff --git a/lib/barcelona/plugins/datadog_plugin.rb b/lib/barcelona/plugins/datadog_plugin.rb
@@ -27,7 +27,7 @@ def on_heritage_task_definition(_heritage, task_definition)
 
       def agent_command
         [
-          "DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=#{api_key} bash -c",
+          "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=#{api_key} bash -c",
           '"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)" &&',
           'usermod -a -G docker dd-agent &&',
           'usermod -a -G systemd-journal dd-agent &&',
@@ -53,6 +53,18 @@ def add_files!(user_data)
             container_collect_all: true
           process_config:
             enabled: 'true'
+          runtime_security_config:
+            enabled: true
+          compliance_config:
+            enabled: true
+          sbom:
+            enabled: true
+            container_image:
+              enabled: true
+            host:
+              enabled: true
+          container_image:
+            enabled: true
           tags:
             - barcelona:#{district.name}
             - barcelona-dd-agent

diff --git a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
@@ -4,21 +4,34 @@ module Barcelona
   module Plugins
     describe DatadogPlugin do
       context "without proxy plugin" do
+        let(:api_key) { 'abcdef'}
         let!(:district) do
           create :district, plugins_attributes: [
             {
               name: 'datadog',
               plugin_attributes: {
-                "api_key" => "abcdef"
+                "api_key" => api_key
               }
             }
           ]
         end
+        let (:user_data) do
+          ci = ContainerInstance.new(district)
+          YAML.load(Base64.decode64(ci.user_data.build))
+        end
 
         it "gets hooked with container_instance_user_data trigger" do
-          ci = ContainerInstance.new(district)
-          user_data = YAML.load(Base64.decode64(ci.user_data.build))
-          expect(user_data["runcmd"].last).to eq "DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
+          expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
+        end
+
+        it "installs agent config file" do
+          agent_config = user_data['write_files'].find do |f|
+            f['path'] == '/etc/datadog-agent/datadog.yaml'
+          end
+          agent_config_hash = YAML.load(agent_config['content'])
+          expect(agent_config_hash['api_key']).to eq(api_key)
+          expect(agent_config_hash['logs_enabled']).to eq(true)
+          expect(agent_config_hash['runtime_security_config']['enabled']).to eq(true)
         end
       end
     end