diff --git a/README.md b/README.md index 384f1910..ec4c0c42 100644 --- a/README.md +++ b/README.md @@ -290,6 +290,8 @@ Here are some of the other variables that be set in the datadog_agent class to c | agent5_enable | boolean to install agent5 and override agent6 default | | apm_enabled | boolean to enable the APM agent; defaults to true | | process_enabled | boolean to enable the process agent; defaults to true | +| scrub_args | boolean to enable the process cmdline scrubbing; defaults to true | +| custom_sensitive_words| an array to add more words beyond the default ones used by the scrubbing feature; defaults to [] | | agent6_extra_options | hash to provide additional configuration options to agent6. | _NOTE: `agent6_extra_options` may be used to provide a fine grain control of additional agent6 config options. A deep merge is performed that may override options provided in the `datadog_agent` class parameters_ diff --git a/manifests/init.pp b/manifests/init.pp index 44229cd0..98d34437 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -166,6 +166,12 @@ # $process_enabled # String to enable the process/container agent # Boolean. Default: false +# $scrub_args +# Boolean to enable or disable the process cmdline scrubbing by the process-agent +# Boolean. Default: true +# $custom_sensitive_words +# Array to add more words to be used on the process cdmline scrubbing by the process-agent +# Array. Default: [] # # Actions: # @@ -262,6 +268,8 @@ $apm_enabled = $datadog_agent::params::apm_default_enabled, $apm_env = '', $process_enabled = $datadog_agent::params::process_default_enabled, + $scrub_args = $datadog_agent::params::process_default_scrub_args, + $custom_sensitive_words = $datadog_agent::params::process_default_custom_words, Hash[String[1], Data] $agent6_extra_options = {}, $agent5_repo_uri = $datadog_agent::params::agent5_default_repo, $agent6_repo_uri = $datadog_agent::params::agent6_default_repo, 
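Review bot: The added header comment for `$custom_sensitive_words` misspells "cmdline" as "cdmline", and neither new entry says that these settings decide whether process command lines leave the host scrubbed or as-is. I would word them as `# Boolean to enable or disable scrubbing of sensitive words from process command lines collected by the process-agent` and `# Array of extra words to scrub from process command lines, in addition to the agent's default ones`. The second wording follows the README row in this commit ("beyond the default ones"); the comment block itself starts and ends outside the hunk.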
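Review bot: `$scrub_args` and `$custom_sensitive_words` are declared without a data type, although the next parameter in the same list is typed (`Hash[String[1], Data] $agent6_extra_options`). The only check on the list is `validate_legacy(Array, 'validate_array', $custom_sensitive_words)` in the @@ -341 hunk, which accepts any element, and templates/datadog_process_footer.conf.erb then renders it with `join(',')`, so an element that is not a string, or one containing a comma or a line break, changes what lands in datadog.conf. Declaring them as `Boolean $scrub_args = ...` and `Array[String] $custom_sensitive_words = ...` would reject the non-string case at compile time; whether the agent needs a tighter per-word pattern is not visible here. The parameter list starts and ends outside the hunk.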
@@ -341,6 +349,8 @@ validate_legacy(Boolean, 'validate_bool', $agent5_enable) validate_legacy(String, 'validate_string', $apm_env) validate_legacy(Boolean, 'validate_bool', $process_enabled) + validate_legacy(Boolean, 'validate_bool', $scrub_args) + validate_legacy(Array, 'validate_array', $custom_sensitive_words) validate_legacy(String, 'validate_string', $agent5_repo_uri) validate_legacy(String, 'validate_string', $agent6_repo_uri) validate_legacy(String, 'validate_string', $apt_release) @@ -490,6 +500,14 @@ order => '07', } } + + if ($process_enabled == true) { + concat::fragment{ 'datadog process agent footer': + target => '/etc/dd-agent/datadog.conf', + content => template('datadog_agent/datadog_process_footer.conf.erb'), + order => '08', + } + } } else { # lint:ignore:quoted_booleans @@ -497,7 +515,11 @@ # lint:endignore $base_extra_config = { 'apm_config' => { 'apm_enabled' => $apm_enabled }, - 'process_config' => { 'enabled' => $process_enabled_str }, + 'process_config' => { + 'enabled' => $process_enabled_str, + 'scrub_args' => $scrub_args, + 'custom_sensitive_words' => $custom_sensitive_words, + }, } $extra_config = deep_merge($base_extra_config, $agent6_extra_options) diff --git a/manifests/params.pp b/manifests/params.pp index 3c707546..659513b4 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
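Review bot: The new fragment in the @@ -490 hunk is declared only under `if ($process_enabled == true)`, yet the template it renders wraps its whole body in `<% if @process_enabled -%>` as well, and the two tests are not the same (strict equality here, Ruby truthiness there). One guard is enough; I would keep the manifest condition and drop the `if`/`end` pair from templates/datadog_process_footer.conf.erb, so the two can never disagree. The surrounding agent5 branch starts outside the hunk.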
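Review bot: The `scrub_args` and `custom_sensitive_words` keys added to `$base_extra_config` in the @@ -497 hunk go through `deep_merge($base_extra_config, $agent6_extra_options)`, so a `process_config` entry in `agent6_extra_options` takes precedence over the class parameters, and nothing at this spot says so. With puppetlabs-stdlib's `deep_merge` the right-hand hash wins on non-hash values, which means a word list supplied there replaces the one from `$custom_sensitive_words` rather than extending it, and `scrub_args` can be switched off from it. A comment above the hash would record that, e.g. `# agent6_extra_options wins on conflict: it can disable scrub_args or replace custom_sensitive_words`. The enclosing `else` branch starts and ends outside the hunk.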
@@ -15,19 +15,21 @@ # Sample Usage: # class datadog_agent::params { - $agent5_enable = false - $conf_dir = '/etc/dd-agent/conf.d' - $conf6_dir = '/etc/datadog-agent/conf.d' - $dd_user = 'dd-agent' - $dd_group = 'root' - $dd_groups = undef - $package_name = 'datadog-agent' - $service_name = 'datadog-agent' - $dogapi_version = 'installed' - $conf_dir_purge = false - $apt_default_release = 'stable' - $apm_default_enabled = false - $process_default_enabled = false + $agent5_enable = false + $conf_dir = '/etc/dd-agent/conf.d' + $conf6_dir = '/etc/datadog-agent/conf.d' + $dd_user = 'dd-agent' + $dd_group = 'root' + $dd_groups = undef + $package_name = 'datadog-agent' + $service_name = 'datadog-agent' + $dogapi_version = 'installed' + $conf_dir_purge = false + $apt_default_release = 'stable' + $apm_default_enabled = false + $process_default_enabled = false + $process_default_scrub_args = true + $process_default_custom_words = [] case $::operatingsystem { 'Ubuntu','Debian' : { diff --git a/spec/classes/datadog_agent_spec.rb b/spec/classes/datadog_agent_spec.rb index ca2b541d..05021d2f 100644 --- a/spec/classes/datadog_agent_spec.rb +++ b/spec/classes/datadog_agent_spec.rb @@ -308,7 +308,7 @@ )} end context 'with skip_ssl_validation set to true' do - let(:params) {{ :skip_ssl_validation => true, + let(:params) {{ :skip_ssl_validation => true, :agent5_enable => true, }} it { should contain_concat__fragment('datadog header').with( @@ -556,7 +556,7 @@ )} end context 'with ganglia_host set to localhost and ganglia_port set to 12345' do - let(:params) {{ :ganglia_host => 'testhost', + let(:params) {{ :ganglia_host => 'testhost', :ganglia_port => '12345', :agent5_enable => true, }} 
@@ -691,10 +691,10 @@ )} end context 'with service_discovery enabled' do - let(:params) {{ :service_discovery_backend => 'docker', - :sd_config_backend => 'etcd', - :sd_backend_host => 'localhost', - :sd_backend_port => '8080', + let(:params) {{ :service_discovery_backend => 'docker', + :sd_config_backend => 'etcd', + :sd_backend_host => 'localhost', + :sd_backend_port => '8080', :sd_jmx_enable => true, :agent5_enable => true, }} @@ -773,7 +773,47 @@ )} end + context 'with data scrubbing disabled' do + let(:params) {{ + :process_enabled => true, + :agent5_enable => true, + :scrub_args => false + }} + it { should contain_concat__fragment('datadog footer').with( + 'content' => /^process_agent_enabled: true\n/, + )} + it { should contain_concat__fragment('datadog process agent footer').with( + 'content' => /^\[process.config\]\n/, + )} + it { should contain_concat__fragment('datadog process agent footer').with( + 'content' => /^scrub_args: false\n/, + )} + it { should contain_concat__fragment('datadog process agent footer').with( + 'content' => /^custom_sensitive_words: \n/, + )} + end + + context 'with data scrubbing enabled with custom sensitive_words' do + let(:params) {{ + :process_enabled => true, + :agent5_enable => true, + :custom_sensitive_words => ['consul_token','dd_key'] + }} + it { should contain_concat__fragment('datadog footer').with( + 'content' => /^process_agent_enabled: true\n/, + )} + it { should contain_concat__fragment('datadog process agent footer').with( + 'content' => /^\[process.config\]\n/, + )} + it { should contain_concat__fragment('datadog process agent footer').with( + 'content' => /^scrub_args: true\n/, + )} + it { should contain_concat__fragment('datadog process agent footer').with( + 'content' => /^custom_sensitive_words: consul_token,dd_key\n/, + )} end + + end end if DEBIAN_OS.include?(operatingsystem) 
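Review bot: Both contexts added in the @@ -773 hunk set `:process_enabled => true`, so nothing checks that the 'datadog process agent footer' fragment is left out when the process agent is disabled, which is the other half of the `if ($process_enabled == true)` guard added in manifests/init.pp. An example such as `it { should_not contain_concat__fragment('datadog process agent footer') }` in a context with `:agent5_enable => true` and `:process_enabled => false` would cover it. Separately, `/^\[process.config\]\n/` leaves the dot unescaped, so it matches any character in that position; `/^\[process\.config\]\n/` is the exact form.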
@@ -848,6 +888,12 @@ it { should contain_file('/etc/datadog-agent/datadog.yaml').with( 'content' => /^\ \ enabled: disabled\n/, )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ scrub_args: true\n/, + )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ custom_sensitive_words: \[\]\n/, + )} end end @@ -931,6 +977,50 @@ )} end end + + context 'with data scrubbing custom options' do + context 'with data scrubbing disabled' do + let(:params) {{ + :process_enabled => true, + :scrub_args => false + }} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^process_config:\n/, + )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ enabled: 'true'\n/, + )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ scrub_args: false\n/, + )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ custom_sensitive_words: \[\]\n/, + )} + end + + context 'with data scrubbing enabled with custom sensitive_words' do + let(:params) {{ + :process_enabled => true, + :custom_sensitive_words => ['consul_token','dd_key'] + }} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^process_config:\n/, + )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ enabled: 'true'\n/, + )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ scrub_args: true\n/, + )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ -\ consul_token\n/, + )} + it { should contain_file('/etc/datadog-agent/datadog.yaml').with( + 'content' => /^\ \ -\ dd_key\n/, + )} + + end + end end end end diff --git a/templates/datadog_process_footer.conf.erb b/templates/datadog_process_footer.conf.erb new file mode 100644 index 00000000..1706119a --- /dev/null 
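Review bot: In the 'with data scrubbing enabled with custom sensitive_words' context of the @@ -931 hunk, the two list-item assertions (`/^\ \ -\ consul_token\n/` and `/^\ \ -\ dd_key\n/`) would pass for any two-space-indented list entry in datadog.yaml, not only one under `custom_sensitive_words`. Matching the key and its items together, e.g. `/^\ \ custom_sensitive_words:\n\ \ -\ consul_token\n\ \ -\ dd_key\n/`, ties them to the right key; that assumes the key line carries no trailing text, which the rendered file would have to confirm. A further example that sets `process_config` through `agent6_extra_options` would pin which side wins in the `deep_merge` in manifests/init.pp.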
+++ b/templates/datadog_process_footer.conf.erb
@@ -0,0 +1,5 @@
+<% if @process_enabled -%>
+[process.config]
+scrub_args: <%= @scrub_args %>
+custom_sensitive_words: <%= @custom_sensitive_words.join(',') %>
+<% end -%>
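Review bot: With the default empty list, `custom_sensitive_words: <%= @custom_sensitive_words.join(',') %>` renders a key followed by nothing but a trailing space, and the agent5 spec in this commit pins exactly that output (`/^custom_sensitive_words: \n/`). How the process agent reads an empty value is not visible here, so I would emit the line only when there is something to add, by wrapping it in `<% unless @custom_sensitive_words.empty? -%>` and `<% end -%>`, and adjust the spec to match. The joined value is also written without any check on the individual words; typing the parameter in manifests/init.pp is the place to close that.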