Enabling App and API Protection for Google Cloud Run functions in Node.js

AAP support for Google Cloud Run is in Preview.

How it works

The serverless-init application wraps your process and executes it as a subprocess. It starts a DogStatsD listener for metrics and a Trace Agent listener for traces. It collects logs by wrapping the stdout/stderr streams of your application. After bootstrapping, serverless-init then launches your command as a subprocess.

To get full instrumentation, ensure you are calling datadog-init as the first command that runs inside your Docker container. You can do this by setting it as the entrypoint, or by setting it as the first argument in CMD.

Compatibility

Google Cloud Run support for App and API Protection serverless is in Preview.

Note: Threat Protection through Remote Configuration is not supported. Use Workflows to block IPs in your WAF.

Get started

Add the following instructions and arguments to your Dockerfile.

COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["/nodejs/bin/node", "/path/to/your/app.js"]

Explanation

  1. Copy the Datadog serverless-init into your Docker image.

    COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init

  2. Copy the Datadog Node.js tracer into your Docker image.

    RUN npm install --prefix /dd_tracer/node dd-trace --save

    If you install the Datadog tracer library directly in your application, as outlined in the manual tracer instrumentation instructions, omit this step.

  3. (Optional) Add Datadog tags.

    ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1

  4. Change the entrypoint to wrap your application in the Datadog serverless-init process. Note: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration.

    ENTRYPOINT ["/app/datadog-init"]

  5. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs.

    CMD ["/nodejs/bin/node", "/path/to/your/app.js"]

Alternative configuration

If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument.

COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
CMD ["/app/datadog-init", "/nodejs/bin/node", "/path/to/your/app.js"]

If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How serverless-init works.

COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init
RUN npm install --prefix /dd_tracer/node dd-trace --save
ENV DD_SERVICE=datadog-demo-run-nodejs
ENV DD_ENV=datadog-demo
ENV DD_VERSION=1
ENV DD_APPSEC_ENABLED=1
ENTRYPOINT ["/app/datadog-init"]
CMD ["/your_entrypoint.sh", "/nodejs/bin/node", "/path/to/your/app.js"]

As long as your command to run is passed as an argument to datadog-init, you will receive full instrumentation.

Further reading

Additional helpful documentation, links, and articles:

How App and API Protection WorksDOCUMENTATION more more OOTB App and API Protection RulesDOCUMENTATION more more Troubleshooting App and API ProtectionDOCUMENTATION more more App and API ProtectionDOCUMENTATION more more Datadog Security extends compliance and threat protection capabilities for Google CloudBLOG more more
PREVIEWING: julio.guerra/aap-setup-page-grid