aws payload tagging #4309
Conversation
Overall package size
Self size: 6.64 MB
Dependency sizes
🤖 This report was automatically generated by heaviest-objects-in-the-universe
988466f to 2b87d75
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files

Coverage Diff

| | master | #4309 | +/- |
|---|---|---|---|
| Coverage | 69.19% | 88.03% | +18.84% |
| Files | 1 | 109 | +108 |
| Lines | 198 | 3812 | +3614 |
| Branches | 33 | 33 | |
| Hits | 137 | 3356 | +3219 |
| Misses | 61 | 456 | +395 |

☔ View full report in Codecov by Sentry.
Benchmarks
Benchmark execution time: 2024-06-04 16:46:28
Comparing candidate commit aa6cfc5 in PR branch
Found 0 performance improvements and 0 performance regressions! Performance is the same for 260 metrics, 6 unstable metrics.
bfec84d to c48d29a
c48d29a to aa6cfc5
This PR rebuilds #4131. It removes hundreds of files worth of whitespace changes and rebuilds yarn.lock based on the current master branch. Ultimately @jbertran will have done 90% of the work in this PR.

What does this PR do?

This PR introduces AWS payload reporting as tags.

Configuration

We introduce 3 new environment variables:

- DD_TRACE_CLOUD_REQUEST_PAYLOAD_TAGGING defines the activation of the feature for requests, values being either "all" (no additional redaction) or a comma-separated list of JSONPath queries identifying payload paths to be replaced with the value "redacted".
- DD_TRACE_CLOUD_RESPONSE_PAYLOAD_TAGGING
- DD_TRACE_CLOUD_PAYLOAD_TAGGING_MAX_DEPTH sets the depth after which we stop creating tags from a payload.

Behaviour

With the feature activated, aws-sdk calls to the enabled plugins will create additional tags representing the payload, with the following modifications:

This PR only provides the feature for SNS as a first service, but the framework introduced here only requires slight adaptations of a given AWS service plugin to make it available, as well as the addition of the static PII fields configuration.

New dependencies

Adding jsonpath seems safe given the constraints it imposes on its scripts, even if I don't expect scripts to be used. Using rfdc is more questionable - we need a deep clone because JSONPath apply can only do side-effects, and we must not modify the payload, but maybe something simpler works.

Remaining work

In some cases, JSONPath filter expressions are not sufficient to do what we want. For example, setting attributes for entities (like SNS topics) requires setting an AttributeName and an AttributeValue at the top level of the JSON payload. Ideally, we should be able to redact the AttributeValue only when the AttributeName matches a disallowed value (for example KMSMasterKeyId). JSONPath syntax does not allow such a complex query, so we need to also specify custom logic hooks that do not go through JSONPath to redact data.

Motivation

This comes from datadog-lambda-js, but only scoped to lambda function input and output. This provides the same level of information, with additional redaction granularity, for AWS plugins.

Plugin Checklist

Additional Notes

Security

Datadog employees: @DataDog/security-design-and-guidance. Unsure? Have a question? Request a review!
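The following is an added example, not code from this PR or from dd-trace-js, that sketches the three mechanisms the description discusses for the request side: redacting configured JSONPath-style paths on a deep copy of the payload (so the SDK's own request object is never mutated), the custom hook the author says JSONPath cannot express (redact AttributeValue only when AttributeName is disallowed), and flattening the result into tags down to a maximum depth. It deliberately has no dependency on the jsonpath or rfdc packages: the tiny path parser supports only dotted child names and `*` / `[*]` wildcards, the deep copy is a JSON round-trip, and the names tagPayload, DISALLOWED_ATTRIBUTE_NAMES, the "aws.request.body" tag prefix, the drop-below-max-depth behaviour and the SAMPLE_REQUEST payload are all assumptions of this example.

```javascript
'use strict';

// Added example, not dd-trace-js code. Redact an AWS request payload and
// flatten it into span tags, bounded by a maximum depth.

const REDACTED = 'redacted';

// Attribute names whose AttributeValue must never reach a tag. Constructed
// list for this example; the PR names KMSMasterKeyId as one such value.
const DISALLOWED_ATTRIBUTE_NAMES = new Set(['KMSMasterKeyId']);

// Turn "$.Tags[*].Value" into ["Tags", "*", "Value"]. Only dotted child names
// and wildcards are supported; anything else is rejected rather than ignored,
// so a mistyped query cannot silently leave a path unredacted.
function parsePath(expr) {
  const trimmed = expr.trim();
  if (!trimmed.startsWith('$')) throw new Error(`unsupported JSONPath: ${expr}`);
  const segments = trimmed.slice(1).replace(/\[\*\]/g, '.*').split('.').filter(Boolean);
  for (const seg of segments) {
    if (!/^(\*|[A-Za-z0-9_]+)$/.test(seg)) throw new Error(`unsupported segment: ${seg}`);
  }
  return segments;
}

// The env-var value is "all" (no redaction) or a comma-separated query list.
function parseConfig(value) {
  if (value === 'all') return [];
  return value.split(',').filter((s) => s.trim()).map(parsePath);
}

// Replace every value reached by `segments` with "redacted", in place on the copy.
function applyRedaction(node, segments) {
  if (node === null || typeof node !== 'object' || segments.length === 0) return;
  const [head, ...rest] = segments;
  const keys = head === '*' ? Object.keys(node) : (head in node ? [head] : []);
  for (const key of keys) {
    if (rest.length === 0) node[key] = REDACTED;
    else applyRedaction(node[key], rest);
  }
}

// Custom hook for the case the PR says JSONPath cannot express: redact the
// top-level AttributeValue only when the sibling AttributeName is disallowed.
function redactSensitiveAttribute(node) {
  if (node && typeof node === 'object' && 'AttributeName' in node &&
      'AttributeValue' in node && DISALLOWED_ATTRIBUTE_NAMES.has(node.AttributeName)) {
    node.AttributeValue = REDACTED;
  }
}

// Flatten into dotted tag names. Objects at or below maxDepth are not
// descended into (their contents are dropped; an assumption of this example),
// so a deeply nested payload cannot produce an unbounded number of tags.
function flatten(node, prefix, depth, maxDepth, out) {
  if (node === null || typeof node !== 'object') {
    out[prefix] = String(node);
    return;
  }
  if (depth >= maxDepth) return;
  for (const [key, value] of Object.entries(node)) {
    flatten(value, `${prefix}.${key}`, depth + 1, maxDepth, out);
  }
}

// Entry point. Never mutates `payload`: it works on a JSON round-trip copy,
// which is sufficient for the JSON-serialisable bodies the SDK sends.
function tagPayload(payload, { paths = 'all', maxDepth = 10, prefix = 'aws.request.body' } = {}) {
  const copy = JSON.parse(JSON.stringify(payload));
  for (const segments of parseConfig(paths)) applyRedaction(copy, segments);
  redactSensitiveAttribute(copy);
  const tags = {};
  flatten(copy, prefix, 0, maxDepth, tags);
  return tags;
}

// Constructed sample resembling an SNS SetTopicAttributes request.
const SAMPLE_REQUEST = {
  TopicArn: 'arn:aws:sns:us-east-1:123456789012:orders',
  AttributeName: 'KMSMasterKeyId',
  AttributeValue: 'alias/example-key',
  Tags: [{ Key: 'team', Value: 'payments' }, { Key: 'secret', Value: 'hunter2' }],
  Nested: { a: { b: { c: 'too-deep' } } }
};

console.log(tagPayload(SAMPLE_REQUEST, { paths: '$.Tags[*].Value', maxDepth: 3 }));
```

With the call at the bottom, the `Tags[*].Value` entries and the `AttributeValue` come out as `redacted`, `Nested.a` is cut off by the depth limit, and `SAMPLE_REQUEST` itself is left untouched. Rejecting unsupported query syntax up front is the point worth keeping from this sketch: a redaction rule that parses to nothing fails open.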