feat: automate AppSec enablement setup (e.g: AWS_LAMBDA_RUNTIME_API)
#143
Conversation
In order to simplify onboarding & make it more uniform across languages, inspect the value of the `AWS_LAMBDA_EXEC_WRAPPER` environment variable and apply select environment variable changes it perofrms upon decorating a handler. This is necessary/useful because that environment variable is not honored by custom runtimes (`provided`, `provided.al2`) as well as the `go1.x` runtime (which is a glorified provided runtime). The datadog Lambda wrapper starts a proxy to inject ASM functionality directly on the Lambda runtime API instead of having to manually instrument each and every lambda handler/application, and modifies `AWS_LAMBDA_RUNTIME_API` to instruct Lambda language runtime client libraries to go through it instead of directly interacting with the Lambda control plane. APPSEC-11534
Codecov Report
@@ Coverage Diff @@
## main #143 +/- ##
==========================================
- Coverage 83.60% 82.40% -1.20%
==========================================
Files 13 13
Lines 860 881 +21
==========================================
+ Hits 719 726 +7
- Misses 113 126 +13
- Partials 28 29 +1
... and 1 file with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
RomainMuller
changed the title
AWS_LAMBDA_RUNTIME_API)
There was a problem hiding this comment.
So, unfortunately, I don't think this does what you think it's doing. I could be wrong, in which case, we should explore this further.
During the initialization phase of a lambda invocation, function initialization happens after extensions and the runtime are initialized. This means that the AWS_LAMBDA_RUNTIME_API env var will get set after the runtime is configured, which is too late.
I tested this out to confirm and indeed did not see any calls to the appsec proxy despite seeing that it was running.
You can read more about the lambda runtime here: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtime-environment.html
ddlambda.go
Outdated
| func setupAppSec() { | ||
| const ServerlessAppSecEnabledEnvVar = "DD_SERVERLESS_APPSEC_ENABLED" | ||
| const AwsLambdaRuntimeApiEnvVar = "AWS_LAMBDA_RUNTIME_API" | ||
| const DatadogAgentUrl = "127.0.0.1:9000" |
There was a problem hiding this comment.
These should probably be globals.
There was a problem hiding this comment.
I don't suppose those would be tremendously useful outside of this particular scope and since they're constants I don't see much of a point hoisting them up into the module namespace. I can do that if that is a strong style preference...
ddlambda.go
Outdated
| return | ||
| } | ||
|
|
||
| _ = os.Setenv(AwsLambdaRuntimeApiEnvVar, DatadogAgentUrl) |
There was a problem hiding this comment.
We should consider checking that the extension is indeed present before doing this redirect.
There was a problem hiding this comment.
How do you suggest doing this? Just a file presence check? I could do that...
I actually did test this out on my end and it produced the expected behavior. As far as I could tell from the This now makes me feel I need to test that again to make sure I did not get a false positive because of some other configuration... |
|
Did some more research into my previous findings w/r/t |
|
|
||
| if awsLambdaRpcSupport { | ||
| if port := os.Getenv(awsLambdaServerPortEnvVar); port != "" { | ||
| logger.Warn(fmt.Sprintf("%s activation with the go1.x AWS Lambda runtime requires setting the `lambda.norpc` go build tag", serverlessAppSecEnabledEnvVar)) |
There was a problem hiding this comment.
So, I'd hate to say that setting this build tag is required to use appsec, when in fact it is not. Alternatively, they can always set these environment variables manually.
DataDog#143) * feat: honor AWS_LAMBDA_EXEC_WRAPPER when AWS Lambda does not In order to simplify onboarding & make it more uniform across languages, inspect the value of the `AWS_LAMBDA_EXEC_WRAPPER` environment variable and apply select environment variable changes it perofrms upon decorating a handler. This is necessary/useful because that environment variable is not honored by custom runtimes (`provided`, `provided.al2`) as well as the `go1.x` runtime (which is a glorified provided runtime). The datadog Lambda wrapper starts a proxy to inject ASM functionality directly on the Lambda runtime API instead of having to manually instrument each and every lambda handler/application, and modifies `AWS_LAMBDA_RUNTIME_API` to instruct Lambda language runtime client libraries to go through it instead of directly interacting with the Lambda control plane. APPSEC-11534 * pivot to a different, cheaper strategy * typo fix * PR feedback * minor fixups * add warning in go1.x runtime if lambda.norpc build tag was not enabled
* Create codeql-analysis.yml (DataDog#100) * Create codeql-analysis.yml * Update codeql-analysis.yml * Update run_integration_tests.sh * Do not show error messages even if neither DD_API_KEY nor DD_KMS_API_KEY is set when Lambda Extension is running (DataDog#102) * Bump version to 1.4.0 * Bump go + fasthttp + lint (DataDog#104) * Consolidate serverless configurations into one place (DataDog#105) * Update README.md * Update README.md * Bump dd-trace-go to latest version to address some vulnerabilities (DataDog#109) * Bump dd-trace-go to latest version to address some vulnaribilities * update go.sum with `go mod tidy` * Bump version to 1.6.0 * bump codeql (DataDog#112) * Bump dd-trace-go to v1.41 (DataDog#115) * Bump version to 1.7.0 * [SLS-2330] Add support for universal instrumentation with the extension (DataDog#116) add option to use universal instrumentation * [EEP-444] include error in failed metric send log (DataDog#118) Co-authored-by: Corey Griffin <CoreyGriffin@users.noreply.github.com> * [SLS-2492] Upgrade aws sdk v2 (DataDog#113) upgrade sdk * Bump version to 1.8.0 * Use new account in integration tests (DataDog#119) * set the architecture explicitely (DataDog#122) * mask init runtime logs (DataDog#123) * Update libs (DataDog#121) * bump go 1.18 (DataDog#125) * Retry sending trace payloads on failure. (DataDog#128) * Bump version to 1.9.0 * Update DD Trace to v1.51.0(DataDog#133) * Bump go version to 1.20 (DataDog#140) Bump go version to 1.20 * Upgrade version of dd-trace-go to v1.54.1 (DataDog#141) * Bump version to 1.10.0 * Propagate trace context from SQS events (DataDog#142) * Default parent id to be trace id if not found elsewhere. * Look for trace context in context object as well as headers. * Apply trace context before starting the function execution span. * Update signature in tests. * Add spanid of execution span to context. * Do not ignore priority "-128". * Test that default parent id set to trace id. * Test span id added to context. * Test uses trace context from context object. * Bump version to 1.11.0 * feat: automate AppSec enablement setup (e.g: `AWS_LAMBDA_RUNTIME_API`) (DataDog#143) * feat: honor AWS_LAMBDA_EXEC_WRAPPER when AWS Lambda does not In order to simplify onboarding & make it more uniform across languages, inspect the value of the `AWS_LAMBDA_EXEC_WRAPPER` environment variable and apply select environment variable changes it perofrms upon decorating a handler. This is necessary/useful because that environment variable is not honored by custom runtimes (`provided`, `provided.al2`) as well as the `go1.x` runtime (which is a glorified provided runtime). The datadog Lambda wrapper starts a proxy to inject ASM functionality directly on the Lambda runtime API instead of having to manually instrument each and every lambda handler/application, and modifies `AWS_LAMBDA_RUNTIME_API` to instruct Lambda language runtime client libraries to go through it instead of directly interacting with the Lambda control plane. APPSEC-11534 * pivot to a different, cheaper strategy * typo fix * PR feedback * minor fixups * add warning in go1.x runtime if lambda.norpc build tag was not enabled * Bump version to 1.12.0 * Re-add configs after upstream rebase * Bump packages * Remove deprecated `io/ioutil` calls --------- Co-authored-by: Tian Chu <tian.chu@datadoghq.com> Co-authored-by: Soshi Katsuta <skatsuta@users.noreply.github.com> Co-authored-by: Maxime David <maxime.david@datadoghq.com> Co-authored-by: kimi <47579703+kimi-p@users.noreply.github.com> Co-authored-by: Kimi Wu <kimi.wu@datadoghq.com> Co-authored-by: Dylan Yang <dylan.yang@datadoghq.com> Co-authored-by: Corey Griffin <15809365+CoreyGriffin@users.noreply.github.com> Co-authored-by: Corey Griffin <CoreyGriffin@users.noreply.github.com> Co-authored-by: Marcin Rabenda <xrn.design@gmail.com> Co-authored-by: Rey Abolofia <purple4reina@gmail.com> Co-authored-by: Rey Abolofia <rey.abolofia@datadoghq.com> Co-authored-by: Andrew Rodriguez <49878080+zARODz11z@users.noreply.github.com> Co-authored-by: Ivan Topolcic <IvanTopolcic@users.noreply.github.com> Co-authored-by: Romain Marcadier <romain.muller@telecomnancy.net>
What does this PR do?
In order to simplify onboarding & make it more uniform across languages, inspect the value of the
DD_SERVERLESS_APPSEC_ENABLEDenvironment variable, and overridesAWS_LAMBDA_RUNTIME_APIto redirect the Lambda runtime API to the Datadog extension so that the AppSec proxy is used, and turns onDD_UNIVERSAL_INSTRUMENTATION(unless it was already manually configured by the user).Motivation
This is necessary/useful because the
AWS_LAMBDA_EXEC_WRAPPERenvironment variable is not honored by custom runtimes (provided,provided.al2) as well as thego1.xruntime (which is a glorified provided runtime). The datadog Lambda wrapper starts a proxy to inject ASM functionality directly on the Lambda runtime API instead of having to manually instrument each and every lambda handler/application, and modifiesAWS_LAMBDA_RUNTIME_APIto instruct Lambda language runtime client libraries to go through it instead of directly interacting with the Lambda control plane.Testing Guidelines
Deployed it on AWS Lambda with a demo app of mine and observed the expected behavior.
Types of changes
Checklist