Add automatic scrubbing for tracing

Jamie van Brunschot · albertvaka · commit e737652e94c2 · 2020-02-19T15:17:27.000+01:00
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -175,6 +175,9 @@
 #   $apm_analyzed_spans
 #       Hash defining the APM spans to analyze and their rates.
 #       Optional Hash. Default: undef.
+#   $apm_obfuscation
+#       Hash defining obfuscation rules for sensitive data.
+#       Optional Hash. Default: undef
 #   $process_enabled
 #       String to enable the process/container agent
 #       Boolean. Default: false
@@ -300,6 +303,7 @@
   String $apm_env = 'none',
   Boolean $apm_non_local_traffic = false,
   Optional[Hash[String, Float[0, 1]]] $apm_analyzed_spans = undef,
+  Optional[Hash[String, Data]] $apm_obfuscation = undef,
   Boolean $process_enabled = $datadog_agent::params::process_default_enabled,
   Boolean $scrub_args = $datadog_agent::params::process_default_scrub_args,
   Array $custom_sensitive_words = $datadog_agent::params::process_default_custom_words,
@@ -527,7 +531,7 @@
       }
     }
 
-    if ($apm_enabled == true) and ($apm_env != 'none') or $apm_analyzed_spans {
+    if ($apm_enabled == true) and (($apm_env != 'none') or $apm_analyzed_spans or $apm_obfuscation) {
       concat::fragment{ 'datadog apm footer':
         target  => '/etc/dd-agent/datadog.conf',
         content => template('datadog_agent/datadog_apm_footer.conf.erb'),
@@ -606,6 +610,16 @@
         $apm_analyzed_span_config = {}
     }
 
+    if $apm_obfuscation {
+        $apm_obfuscation_config = {
+          'apm_config' => {
+            'obfuscation' => $apm_obfuscation
+          }
+        }
+    } else {
+        $apm_obfuscation_config = {}
+    }
+
     if $statsd_forward_host != '' {
         if $_statsd_forward_port != '' {
             $statsd_forward_config = {
@@ -634,6 +648,7 @@
             $logs_base_config,
             $agent_extra_options,
             $apm_analyzed_span_config,
+            $apm_obfuscation_config,
             $statsd_forward_config,
             $host_config,
             $additional_checksd_config)
diff --git a/spec/classes/datadog_agent_spec.rb b/spec/classes/datadog_agent_spec.rb
@@ -1909,6 +1909,62 @@
                 )
               }
             end
+
+            context 'with apm_enabled set to true and apm_obfuscation specified' do
+              let(:params) do
+                {
+                  apm_enabled: true,
+                  apm_obfuscation: {
+                    elasticsearch: {
+                      enable: true,
+                      keep_values: [
+                        'user_id',
+                        'category_id',
+                      ],
+                    },
+                    redis: {
+                      enable: true,
+                    },
+                    memcached: {
+                      enable: true,
+                    },
+                    http: {
+                      remove_query_string: true,
+                      remove_paths_with_digits: true,
+                    },
+                    mongodb: {
+                      enable: true,
+                      keep_values: [
+                        'uid',
+                        'cat_id',
+                      ],
+                    },
+                  },
+                }
+              end
+
+              it {
+                is_expected.to contain_file('/etc/datadog-agent/datadog.yaml').with(
+                  'content' => %r{^apm_config:\n},
+                )
+              }
+              it {
+                is_expected.to contain_file('/etc/datadog-agent/datadog.yaml').with(
+                  'content' => %r{^apm_config:\n\ \ enabled: true\n},
+                )
+              }
+              it {
+                is_expected.to contain_file('/etc/datadog-agent/datadog.yaml').with(
+                  'content' => %r{^\ \ obfuscation:\n},
+                )
+              }
+              it {
+                is_expected.to contain_file('/etc/datadog-agent/datadog.yaml').with(
+                  'content' => %r{elasticsearch},
+                )
+              }
+            end
+
             context 'with extra_options and Process enabled' do
               let(:params) do
                 {
diff --git a/templates/datadog_apm_footer.conf.erb b/templates/datadog_apm_footer.conf.erb
@@ -9,3 +9,11 @@ env: <%= @apm_env %>
 <%= span %>: <%= value %>
 <% end %>
 <% end -%>
+
+<% if @apm_obfuscation -%>
+[trace.obfuscation]
+<% @apm_obfuscation.each do |service, data| -%>
+<%= service %>:
+  <%= data %>
+<% end %>
+<% end -%>
