Enabling App and API Protection for Google Cloud Run
AAP support for Google Cloud Run is in Preview.
How it works
The serverless-init
application wraps your process and executes it as a subprocess. It starts a DogStatsD listener for metrics and a Trace Agent listener for traces. It collects logs by wrapping the stdout/stderr streams of your application. After bootstrapping, serverless-init
then launches your command as a subprocess.
To get full instrumentation, ensure you are calling datadog-init
as the first command that runs inside your Docker container. You can do this by setting it as the entrypoint, or by setting it as the first argument in CMD.
Compatibility
Google Cloud Run support for App and API Protection serverless is in Preview.
**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6].
Get started
Add the following instructions and arguments to your Dockerfile.
COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["/nodejs/bin/node", "/path/to/your/app.js"]
Explanation
Copy the Datadog serverless-init
into your Docker image.
COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
Copy the Datadog Node.js tracer into your Docker image.
RUN npm install --prefix /dd_tracer/node dd-trace --save
If you install the Datadog tracer library directly in your application, as outlined in the manual tracer instrumentation instructions, omit this step.
(Optional) Add Datadog tags.
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
Change the entrypoint to wrap your application in the Datadog serverless-init
process.
Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.
ENTRYPOINT ["/app/datadog-init"]
Execute your binary application wrapped in the entrypoint. Adapt this line to your needs.
CMD ["/nodejs/bin/node", "/path/to/your/app.js"]
Alternative configuration
If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.
COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
CMD ["/app/datadog-init", "/nodejs/bin/node", "/path/to/your/app.js"]
If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init
works.
COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["/your_entrypoint.sh", "/nodejs/bin/node", "/path/to/your/app.js"]
As long as your command to run is passed as an argument to datadog-init
, you will receive full instrumentation.
Further reading
Additional helpful documentation, links, and articles: