Base CWS implementation (#7)

Author: gabedos

examples/ecs_fargate/main.tf

@@ -35,29 +35,37 @@ module "ecs_task" {
     is_log_router_dependency_enabled = true,
   }
 
+  dd_cws = {
+    enabled = true,
+  }
+
   # Configure Task Definition
   family = "datadog-terraform-app"
-  container_definitions = {
-    dogstatsd = {
-      name      = "datadog-dogstatsd-app",
-      image     = "ghcr.io/datadog/apps-dogstatsd:main",
-      essential = false,
+  container_definitions = jsonencode([
+    {
+      name           = "datadog-dogstatsd-app",
+      image          = "ghcr.io/datadog/apps-dogstatsd:main",
+      essential      = false,
     },
-    apm = {
-      name      = "datadog-apm-app",
-      image     = "ghcr.io/datadog/apps-tracegen:main",
-      essential = false,
+    {
+      name           = "datadog-apm-app",
+      image          = "ghcr.io/datadog/apps-tracegen:main",
+      essential      = false,
     },
-    cws = {
+    {
       name      = "datadog-cws-app",
       image     = "public.ecr.aws/ubuntu/ubuntu:22.04_stable",
       essential = true,
       entryPoint = [
         "/usr/bin/bash",
         "-c",
         "cp /usr/bin/bash /tmp/malware; chmod u+s /tmp/malware; apt update;apt install -y curl wget; /tmp/malware -c 'while true; do wget https://google.com; sleep 60; done'"
-      ]
+      ],
     }
+  ])
+  runtime_platform = {
+    cpu_architecture        = "ARM64",
+    operating_system_family = "LINUX",
   }
   requires_compatibilities = ["FARGATE"]
 }

modules/ecs_fargate/datadog.tf

@@ -1,4 +1,9 @@
 locals {
+  # Datadog ECS task tags
+  tags = {
+    dd_ecs_terraform_module = "1.0.0"
+  }
+
   # Datadog Firelens log configuration
   dd_firelens_log_configuration = var.dd_log_collection.enabled ? merge(
     {
@@ -33,6 +38,17 @@ locals {
   is_dsd_socket_mount = var.dd_dogstatsd.enabled && var.dd_dogstatsd.socket_enabled && local.is_linux
   is_apm_dsd_volume   = local.is_apm_socket_mount || local.is_dsd_socket_mount
 
+  cws_entry_point_prefix = ["/cws-instrumentation-volume/cws-instrumentation", "trace", "--"]
+  is_cws_supported       = local.is_linux && var.dd_cws.enabled
+
+  cws_mount = local.is_cws_supported ? [
+    {
+      sourceVolume  = "cws-instrumentation-volume"
+      containerPath = "/cws-instrumentation-volume"
+      readOnly      = false
+    }
+  ] : []
+
   apm_dsd_mount = local.is_apm_dsd_volume ? [
     {
       containerPath = "/var/run/datadog"
@@ -76,9 +92,17 @@ locals {
     }
   ] : []
 
+  cws_dependency = local.is_cws_supported ? [
+    {
+      containerName = "cws-instrumentation-init"
+      condition     = "SUCCESS"
+    }
+  ] : []
+
   modified_container_definitions = [
-    for container in var.container_definitions : merge(
+    for container in jsondecode(var.container_definitions) : merge(
       container,
+      # Note: only configure CWS on container if entryPoint is set
       {
         # Append new environment variables to any existing ones.
         environment = concat(
@@ -90,13 +114,28 @@ locals {
         # Append new volume mounts to any existing mountPoints.
         mountPoints = concat(
           lookup(container, "mountPoints", []),
-          local.apm_dsd_mount
+          local.apm_dsd_mount,
+          local.is_cws_supported && lookup(container, "entryPoint", []) != [] ? local.cws_mount : [],
         )
         dependsOn = concat(
           lookup(container, "dependsOn", []),
           local.agent_dependency,
           local.log_router_dependency,
+          local.is_cws_supported && lookup(container, "entryPoint", []) != [] ? local.cws_dependency : [],
         )
+        entryPoint = local.is_cws_supported && lookup(container, "entryPoint", []) != [] ? concat(
+          local.cws_entry_point_prefix,
+          lookup(container, "entryPoint", []),
+        ) : null
+        linuxParameters = local.is_cws_supported && lookup(container, "entryPoint", []) != [] ? {
+          # Note: SYS_PTRACE is the only supported capability on Fargate
+          capabilities = {
+            add = [
+              "SYS_PTRACE",
+            ]
+            drop = []
+          }
+        } : null
       },
       # Only override the log configuration if the Datadog firelens configuration exists
       local.dd_firelens_log_configuration != null ? { logConfiguration = local.dd_firelens_log_configuration } : {}
@@ -110,12 +149,30 @@ locals {
     }
   ] : []
 
+  cws_volume = local.is_cws_supported ? [
+    {
+      name = "cws-instrumentation-volume"
+    }
+  ] : []
+
   modified_volumes = concat(
-    [for k, v in coalesce(var.volumes, {}) : v],
-    local.apm_dsd_volume
+    [for k, v in coalesce(var.volumes, []) : v],
+    local.apm_dsd_volume,
+    local.cws_volume,
   )
 
   # Datadog Agent container environment variables
+  base_env = [
+    {
+      name  = "ECS_FARGATE"
+      value = "true"
+    },
+    {
+      name  = "DD_ECS_TASK_COLLECTION_ENABLED"
+      value = "true"
+    }
+  ]
+
   dynamic_env = [
     for pair in [
       { key = "DD_API_KEY", value = var.dd_api_key },
@@ -140,10 +197,23 @@ locals {
     }
   ] : []
 
+  cws_vars = local.is_cws_supported ? [
+    {
+      name  = "DD_RUNTIME_SECURITY_CONFIG_ENABLED"
+      value = "true"
+    },
+    {
+      name  = "DD_RUNTIME_SECURITY_CONFIG_EBPFLESS_ENABLED"
+      value = "true"
+    }
+  ] : []
+
   dd_agent_env = concat(
-    var.dd_environment,
+    local.base_env,
     local.dynamic_env,
     local.origin_detection_vars,
+    local.cws_vars,
+    var.dd_environment,
   )
 
   # Datadog Agent container definition
@@ -175,6 +245,8 @@ locals {
         mountPoints      = local.apm_dsd_mount,
         logConfiguration = local.dd_firelens_log_configuration,
         dependsOn        = var.dd_log_collection.is_log_router_dependency_enabled && local.dd_firelens_log_configuration != null ? local.log_router_dependency : [],
+        systemControls   = []
+        volumesFrom      = []
       },
       var.dd_health_check.command == null ? {} : {
         healthCheck = {
@@ -204,6 +276,11 @@ locals {
         cpu              = var.dd_log_collection.cpu
         memory_limit_mib = var.dd_log_collection.memory_limit_mib
         user             = "0"
+        mountPoints      = []
+        environment      = []
+        portMappings     = []
+        systemControls   = []
+        volumesFrom      = []
       },
       var.dd_log_collection.log_router_health_check.command == null ? {} : {
         healthCheck = {
@@ -217,4 +294,22 @@ locals {
     )
   ] : []
 
+  # Datadog CWS tracer definition
+  dd_cws_container = local.is_cws_supported ? [
+    {
+      name             = "cws-instrumentation-init"
+      image            = "datadog/cws-instrumentation:latest"
+      cpu              = var.dd_cws.cpu
+      memory_limit_mib = var.dd_cws.memory_limit_mib
+      user             = "0"
+      essential        = false
+      entryPoint       = []
+      command          = ["/cws-instrumentation", "setup", "--cws-volume-mount", "/cws-instrumentation-volume"]
+      mountPoints      = local.cws_mount
+      environment      = []
+      portMappings     = []
+      systemControls   = []
+      volumesFrom      = []
+    }
+  ] : []
 }

modules/ecs_fargate/main.tf

@@ -8,6 +8,7 @@ resource "aws_ecs_task_definition" "this" {
     concat(
       local.dd_agent_container,
       local.dd_log_container,
+      local.dd_cws_container,
       [for k, v in local.modified_container_definitions : v],
     )
   )
@@ -139,7 +140,10 @@ resource "aws_ecs_task_definition" "this" {
     }
   }
 
-  tags = var.tags
+  tags = merge(
+    var.tags,
+    local.tags,
+  )
 
   depends_on = [
     aws_iam_role.new_ecs_task_role,

modules/ecs_fargate/variables.tf

@@ -197,12 +197,28 @@ variable "dd_log_collection" {
   }
 }
 
+variable "dd_cws" {
+  description = "Configuration for Datadog Cloud Workload Security (CWS)"
+  type = object({
+    enabled          = bool
+    cpu              = optional(number)
+    memory_limit_mib = optional(number)
+  })
+  default = {
+    enabled = false
+  }
+  validation {
+    condition     = var.dd_cws != null
+    error_message = "The Datadog Cloud Workload Security (CWS) configuration must be defined."
+  }
+}
+
 ################################################################################
 # Task Definition
 ################################################################################
 
 variable "container_definitions" {
-  description = "A map of valid [container definitions](http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html). Please note that you should only provide values that are part of the container definition document"
+  description = "A list of valid [container definitions](http://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html). Please note that you should only provide values that are part of the container definition document"
   type        = any
 }
 
@@ -298,8 +314,8 @@ variable "requires_compatibilities" {
 variable "runtime_platform" {
   description = "Configuration block for `runtime_platform` that containers in your task may use"
   type = object({
-    cpu_architecture        = string
-    operating_system_family = string
+    cpu_architecture        = optional(string, "LINUX")
+    operating_system_family = optional(string, "X86_64")
   })
   default = {
     operating_system_family = "LINUX"
@@ -316,7 +332,7 @@ variable "skip_destroy" {
 variable "tags" {
   description = "A map of additional tags to add to the task definition/set created"
   type        = map(string)
-  default     = {}
+  default     = null
 }
 
 variable "task_role_arn" {