From a764be2326063c637d3bea14ac5f533fe825d8c3 Mon Sep 17 00:00:00 2001
From: Taku Nakajima
Date: Tue, 27 Feb 2024 16:03:16 +0900
Subject: [PATCH] Enable datadog seucirty
---
 lib/barcelona/plugins/datadog_plugin.rb | 14 ++++++++++++-
 .../barcelona/plugins/datadog_plugin_spec.rb | 21 +++++++++++++++----
 2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/lib/barcelona/plugins/datadog_plugin.rb b/lib/barcelona/plugins/datadog_plugin.rb
index dd90da99..ddd96ca9 100644
--- a/lib/barcelona/plugins/datadog_plugin.rb
+++ b/lib/barcelona/plugins/datadog_plugin.rb
@@ -27,7 +27,7 @@ def on_heritage_task_definition(_heritage, task_definition)
 def agent_command
 [
- "DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=#{api_key} bash -c",
+ "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=#{api_key} bash -c",
 '"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)" &&',
 'usermod -a -G docker dd-agent &&',
 'usermod -a -G systemd-journal dd-agent &&',
@@ -53,6 +53,18 @@ def add_files!(user_data)
 container_collect_all: true
 process_config:
 enabled: 'true'
+ runtime_security_config:
+ enabled: true
+ compliance_config:
+ enabled: true
+ sbom:
+ enabled: true
+ container_image:
+ enabled: true
+ host:
+ enabled: true
+ container_image:
+ enabled: true
 tags:
 - barcelona:#{district.name}
 - barcelona-dd-agent
diff --git a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
index 2fbed5f1..47f9b761 100644
--- a/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
+++ b/spec/lib/barcelona/plugins/datadog_plugin_spec.rb
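Review bot: The rewritten first element of agent_command still runs install_script.sh fetched from the mutable `master` ref of the datadog-agent repository with no version pin or checksum, so whatever that URL serves at boot is executed (presumably as root, since this lands in cloud-init runcmd) on every container instance; the fetch predates this commit, but the line is being rewritten here and the runtime-security flag is making the agent more privileged, so pinning the script to a release tag or vendoring it and checking a digest before `bash -c` belongs in the same change. The `DD_RUNTIME_SECURITY_CONFIG_ENABLED=true` prefix also duplicates the `runtime_security_config` key that the next hunk writes into datadog.yaml; if the install script is what writes the security-agent/system-probe configuration, a comment naming which of the two actually enables CWS would save the next maintainer a guess, e.g. `# CWS is switched on through the install-script env var; the datadog.yaml keys below configure the core agent`. agent_command's array continues past the end of the hunk.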
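Review bot: `runtime_security_config` and `compliance_config` are added to the file that the spec identifies as /etc/datadog-agent/datadog.yaml, but to my knowledge the Datadog runtime-security (CWS) and compliance (CSPM) components read those keys from security-agent.yaml and system-probe.yaml, so these two blocks may be silently ignored while the env var in agent_command does the real work; please confirm against the agent version the install script pulls. The new keys use bare `true` while the adjacent pre-existing `enabled: 'true'` under process_config is a quoted string, which is worth normalizing to one form in the same heredoc. `sbom.host` and `sbom.container_image` switch on filesystem and image scanning on every instance, a CPU/IO and billing cost rather than a defect, so a one-line why-comment such as `# host + image SBOM feeds Datadog vulnerability management for every district instance` would document the intent. add_files! begins before this hunk.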
@@ -4,21 +4,34 @@ module Barcelona
 module Plugins
 describe DatadogPlugin do
 context "without proxy plugin" do
+ let(:api_key) { 'abcdef'}
 let!(:district) do
 create :district, plugins_attributes: [
 {
 name: 'datadog',
 plugin_attributes: {
- "api_key" => "abcdef"
+ "api_key" => api_key
 }
 }
 ]
 end
+ let (:user_data) do
+ ci = ContainerInstance.new(district)
+ YAML.load(Base64.decode64(ci.user_data.build))
+ end
 it "gets hooked with container_instance_user_data trigger" do
- ci = ContainerInstance.new(district)
- user_data = YAML.load(Base64.decode64(ci.user_data.build))
- expect(user_data["runcmd"].last).to eq "DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
+ expect(user_data["runcmd"].last).to eq "DD_RUNTIME_SECURITY_CONFIG_ENABLED=true DD_AGENT_MAJOR_VERSION=7 DD_API_KEY=abcdef bash -c \"$(curl -L https://raw.githubusercontent.com/DataDog/datadog-agent/master/cmd/agent/install_script.sh)\" && usermod -a -G docker dd-agent && usermod -a -G systemd-journal dd-agent && systemctl restart datadog-agent"
+ end
+
+ it "installs agent config file" do
+ agent_config = user_data['write_files'].find do |f|
+ f['path'] == '/etc/datadog-agent/datadog.yaml'
+ end
+ agent_config_hash = YAML.load(agent_config['content'])
+ expect(agent_config_hash['api_key']).to eq(api_key)
+ expect(agent_config_hash['logs_enabled']).to eq(true)
+ expect(agent_config_hash['runtime_security_config']['enabled']).to eq(true)
 end
 end
 end
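Review bot: The new "installs agent config file" example only asserts `runtime_security_config.enabled`, while the plugin change also enables `compliance_config`, `sbom` and `container_image`, so a regression in any of those blocks would still pass; add e.g. `expect(agent_config_hash['compliance_config']['enabled']).to eq(true)` and `expect(agent_config_hash['sbom']['host']['enabled']).to eq(true)`. `let (:user_data) do` has a space before the parenthesis, which Ruby accepts but RuboCop's Lint/ParenthesesAsGroupedExpression flags; write `let(:user_data) do`, and `{ 'abcdef'}` wants a space before the closing brace. The runcmd expectation still hard-codes `abcdef` even though the value was extracted into `let(:api_key)`, so interpolating `#{api_key}` there keeps the two from drifting apart.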