Skip to content

AB2D-7301 Enable Datadog sidecar on ECS services #1801

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gfreeman-navapbc wants to merge 9 commits into
base: main
Choose a base branch
from
Open

AB2D-7301 Enable Datadog sidecar on ECS services #1801

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
650af45
add service module updates for all services
gfreeman-navapbc Jun 11, 2026
c96eaf5
update tofu plan and apply to account for more than one container wit…
gfreeman-navapbc Jun 11, 2026
51cf8d8
fix command to just ignore agent containers
gfreeman-navapbc Jun 12, 2026
8625614
remove zsh-specific syntax
gfreeman-navapbc Jun 12, 2026
a766c8a
update api module to have alb handled by cdap service module
gfreeman-navapbc Jun 12, 2026
d23568f
remove unused data call
gfreeman-navapbc Jun 16, 2026
4a6addc
Merge branch 'main' into gfreeman/AB2D-7301
gfreeman-navapbc Jun 16, 2026
ff1025b
add permission for events queue
gfreeman-navapbc Jun 16, 2026
0b2b776
Merge branch 'main' into gfreeman/AB2D-7301
gfreeman-navapbc Jun 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/tofu-apply.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ jobs:
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV-contracts --service ab2d-$ENV-contracts --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-contracts --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-contracts --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.contracts_image_tag != '' && format('{0}{1}', '-var=contracts_service_image_tag=', inputs.contracts_image_tag) || '-var=contracts_service_image_tag="$ACTIVE_IMAGE_TAG"' }} -out=tfplan
tofu apply -input=false tfplan
- name: tofu apply - events
Expand All @@ -122,15 +122,15 @@ jobs:
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV-events --service ab2d-$ENV-events --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-events --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-events --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.events_image_tag != '' && format('{0}{1}', '-var=events_service_image_tag=', inputs.events_image_tag) || '-var=events_service_image_tag="$ACTIVE_IMAGE_TAG"' }} -out=tfplan
- name: tofu apply - api
working-directory: ops/services/30-api/
run: |
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV-api --service ab2d-$ENV-api --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-api --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-api --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.api_image_tag != '' && format('{0}{1}', '-var=api_service_image_tag=', inputs.api_image_tag) || '-var=api_service_image_tag="$ACTIVE_IMAGE_TAG"' }} -out=tfplan
tofu apply -input=false tfplan
- name: tofu plan - idr-db-importer
Expand All @@ -139,7 +139,7 @@ jobs:
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV --service ab2d-$ENV-idr-db-importer --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.idr_db_importer_image_tag != '' && format('{0}{1}', '-var=image_tag=', inputs.idr_db_importer_image_tag) || '-var=image_tag="$ACTIVE_IMAGE_TAG"' }} -out=tfplan
tofu apply -input=false tfplan
- name: tofu apply - lambda
Expand All @@ -155,6 +155,6 @@ jobs:
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV-worker --service ab2d-$ENV-worker --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-worker --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-worker --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.worker_image_tag != '' && format('{0}{1}', '-var=worker_service_image_tag=', inputs.worker_image_tag) || '-var=worker_service_image_tag="$ACTIVE_IMAGE_TAG"' }} -out=tfplan
tofu apply -input=false tfplan
10 changes: 5 additions & 5 deletions .github/workflows/tofu-plan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,31 +110,31 @@ jobs:
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV-contracts --service ab2d-$ENV-contracts --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-contracts --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-contracts --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.contracts_image_tag != '' && format('{0}{1}', '-var=contracts_service_image_tag=', inputs.contracts_image_tag) || '-var=contracts_service_image_tag="$ACTIVE_IMAGE_TAG"' }}
- name: tofu plan - events
working-directory: ops/services/20-events/
run: |
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV-events --service ab2d-$ENV-events --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-events --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-events --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.events_image_tag != '' && format('{0}{1}', '-var=events_service_image_tag=', inputs.events_image_tag) || '-var=events_service_image_tag="$ACTIVE_IMAGE_TAG"' }}
- name: tofu plan - api
working-directory: ops/services/30-api/
run: |
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV-api --service ab2d-$ENV-api --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-api --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-api --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.api_image_tag != '' && format('{0}{1}', '-var=api_service_image_tag=', inputs.api_image_tag) || '-var=api_service_image_tag="$ACTIVE_IMAGE_TAG"' }}
- name: tofu plan - idr-db-importer
working-directory: ops/services/30-idr-db-importer/
run: |
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV --service ab2d-$ENV-idr-db-importer --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.idr_db_importer_image_tag != '' && format('{0}{1}', '-var=image_tag=', inputs.idr_db_importer_image_tag) || '-var=image_tag="$ACTIVE_IMAGE_TAG"' }}
- name: tofu plan - lambda
working-directory: ops/services/30-lambda/
Expand All @@ -148,5 +148,5 @@ jobs:
tofu init -var=parent_env=$ENV -reconfigure
tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
export ACTIVE_TASK_ARN=$(aws ecs list-tasks --cluster ab2d-$ENV-worker --service ab2d-$ENV-worker --query 'taskArns[0]' --output text)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-worker --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[].image" --output text | cut -d ':' -f 2)
export ACTIVE_IMAGE_TAG=$(aws ecs describe-tasks --cluster ab2d-$ENV-worker --tasks $ACTIVE_TASK_ARN --query "tasks[].containers[?name != 'datadog-agent'].image" --output text | cut -d ':' -f 2)
tofu plan ${{ inputs.worker_image_tag != '' && format('{0}{1}', '-var=worker_service_image_tag=', inputs.worker_image_tag) || '-var=worker_service_image_tag="$ACTIVE_IMAGE_TAG"' }}
2 changes: 1 addition & 1 deletion ops/services/.opentofu-version
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.10.1
1.12.1
8 changes: 0 additions & 8 deletions ops/services/20-contracts/data.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,3 @@
data "aws_sns_topic" "events" {
name = "${local.service_prefix}-events"
}

data "aws_sqs_queue" "events" {
name = "${local.service_prefix}-events"
}
Expand All @@ -25,10 +21,6 @@ data "aws_rds_cluster" "this" {
cluster_identifier = local.service_prefix
}

data "aws_iam_role" "task_execution_role" {
name = "${local.service_prefix}-microservices"
}

data "aws_ecr_image" "contracts" {
repository_name = "ab2d-contracts"
image_tag = var.contracts_service_image_tag
Expand Down
24 changes: 24 additions & 0 deletions ops/services/20-contracts/iam.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# -------------------------------------------------------
# Additional Task Policies —
# -------------------------------------------------------
resource "aws_iam_policy" "contracts" {
name = "${module.platform.app}-${module.platform.env}-contracts"
description = "Additional IAM permissions for the AB2D Contracts module beyond the base service and platform modules"
policy = data.aws_iam_policy_document.contracts.json
}

data "aws_iam_policy_document" "contracts" {
statement {
sid = "CloudWatchMetricsAccess"
effect = "Allow"
actions = [
"cloudwatch:PutMetricData"
]
resources = ["*"]
condition {
test = "StringEquals"
variable = "cloudwatch:namespace"
values = ["ab2d/${module.platform.env}/contracts"]
}
}
}
39 changes: 18 additions & 21 deletions ops/services/20-contracts/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,13 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5"
version = "~> 6"
}
}
}

module "platform" {
source = "github.com/CMSgov/cdap//terraform/modules/platform?ref=f4c14d47cc20e7f6de9112d7155af1213c9bca5a"
source = "github.com/CMSgov/cdap//terraform/modules/platform?ref=8a6527c0689bb46ae0e74bd47e4087ab59cff1b0"
providers = { aws = aws, aws.secondary = aws.secondary }

app = local.app
Expand Down Expand Up @@ -38,9 +38,9 @@ locals {
ab2d_db_host = data.aws_rds_cluster.this.endpoint
aws_account_number = module.platform.account_id
aws_region = module.platform.primary_region.name
db_database_arn = module.platform.ssm.core.database_name.arn
db_password_arn = module.platform.ssm.core.database_password.arn
db_user_arn = module.platform.ssm.core.database_user.arn
db_database_arn = nonsensitive(module.platform.ssm.core.database_name.arn)
db_password_arn = nonsensitive(module.platform.ssm.core.database_password.arn)
db_user_arn = nonsensitive(module.platform.ssm.core.database_user.arn)
events_sqs_url = data.aws_sqs_queue.events.url
kms_master_key_id = nonsensitive(module.platform.kms_alias_primary.target_key_arn)
network_access_logs_bucket = module.platform.splunk_logging_bucket.bucket
Expand All @@ -51,14 +51,14 @@ locals {
contracts_image_tag = coalesce(var.contracts_service_image_tag, flatten([[for t in data.aws_ecr_image.contracts.image_tags : t if strcontains(t, "latest")], data.aws_ecr_image.contracts.image_tags])[0])
contracts_image_uri = "${local.contracts_image_repo}:${local.contracts_image_tag}"

hpms_api_params_arn = module.platform.ssm.core.hpms_api_params.arn
hpms_auth_key_id_arn = module.platform.ssm.core.hpms_auth_key_id.arn
hpms_auth_key_secret_arn = module.platform.ssm.core.hpms_auth_key_secret.arn
hpms_url_arn = module.platform.ssm.core.hpms_url.arn
hpms_api_params_arn = nonsensitive(module.platform.ssm.core.hpms_api_params.arn)
hpms_auth_key_id_arn = nonsensitive(module.platform.ssm.core.hpms_auth_key_id.arn)
hpms_auth_key_secret_arn = nonsensitive(module.platform.ssm.core.hpms_auth_key_secret.arn)
hpms_url_arn = nonsensitive(module.platform.ssm.core.hpms_url.arn)
}

module "cluster" {
source = "github.com/CMSgov/cdap//terraform/modules/cluster?ref=cbd07ee078ecd379a32125b8354bd1ecaf5c275d"
source = "github.com/CMSgov/cdap//terraform/modules/cluster?ref=8a6527c0689bb46ae0e74bd47e4087ab59cff1b0"
platform = module.platform
}

Expand Down Expand Up @@ -249,20 +249,23 @@ resource "aws_lb_listener_rule" "contracts" {
}

module "contracts_service" {
source = "github.com/CMSgov/cdap//terraform/modules/service?ref=f4c14d47cc20e7f6de9112d7155af1213c9bca5a"
source = "github.com/CMSgov/cdap//terraform/modules/service?ref=52af0763fab4e65b29ead8bf88774f0bad4bdd87"

cluster_arn = module.cluster.this.id
cpu = 1024
desired_count = 1
execution_role_arn = data.aws_iam_role.task_execution_role.arn
force_new_deployment = anytrue([var.force_contracts_deployment, var.contracts_service_image_tag != null])
health_check_grace_period_seconds = null
image = local.contracts_image_uri
memory = 2048
platform = module.platform
security_groups = [data.aws_security_group.api.id]
service_name_override = "contracts"
task_role_arn = data.aws_iam_role.task_execution_role.arn
additional_task_role_policies = { contracts = aws_iam_policy.contracts.arn }

alb_listener_arn = aws_lb_listener.internal_lb.arn
alb_port_name = "http"
alb_priority = 100
alb_path_patterns = ["/contracts", "/contracts/*"]

container_environment = [
{ name = "AB2D_DB_HOST", value = local.ab2d_db_host },
Expand All @@ -282,13 +285,6 @@ module "contracts_service" {
{ name = "HPMS_AUTH_KEY_SECRET", valueFrom = local.hpms_auth_key_secret_arn }
]

load_balancers = [{
target_group_arn = aws_lb_target_group.contracts.arn
container_name = local.service
container_port = 8070

}]

mount_points = [
{
"containerPath" = "/tmp",
Expand All @@ -312,6 +308,7 @@ module "contracts_service" {
containerPort = 8070
hostPort = 8070
protocol = "tcp"
name = "http"
}
]

Expand Down
39 changes: 39 additions & 0 deletions ops/services/20-events/iam.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
# -------------------------------------------------------
# Additional Task Policies —
# -------------------------------------------------------
resource "aws_iam_policy" "events" {
name = "${module.platform.app}-${module.platform.env}-events"
description = "Additional IAM permissions for the AB2D Events module beyond the base service and platform modules"
policy = data.aws_iam_policy_document.events.json
}

data "aws_iam_policy_document" "events" {
statement {
sid = "SQSAccess"
effect = "Allow"
actions = [
"sqs:SendMessage",
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes"
]
resources = [
"arn:aws:sqs:${module.platform.primary_region.name}:${module.platform.aws_caller_identity.account_id}:ab2d-${module.platform.env}-events"
]
}

statement {
sid = "CloudWatchMetricsAccess"
effect = "Allow"
actions = [
"cloudwatch:PutMetricData"
]
resources = ["*"]

@mianava mianava Jun 11, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noting this is required as broad, right? There's not a specific resource to define here.

@gfreeman-navapbc gfreeman-navapbc Jun 11, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct, we have to narrow things down by the namespace, as far as google/chat leads me to believe

condition {
test = "StringEquals"
variable = "cloudwatch:namespace"
values = ["ab2d/${module.platform.env}/events"]
}
}
}
Loading
Loading