
Configuring App and API Protection for AWS Lambda involves:

  1. Identifying functions that are vulnerable or are under attack, which would most benefit from App and API Protection. Find them on the Security tab of your Software Catalog.
  2. Setting up App and API Protection instrumentation by using either the Datadog CLI, AWS CDK, Datadog Serverless Framework plugin, or manually by using the Datadog tracing layers.
  3. Triggering security signals in your application and seeing how Datadog displays the resulting information.

Supported trigger types

Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as:

  • Application Load Balancer (ALB)
  • API Gateway v1 (Rest API)
  • API Gateway v2 (HTTP API)
  • Function URL

If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
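The four HTTP sources above share a Lambda event shape family but are distinguishable from the payload. As an added example (not code from the Datadog docs), the following Ruby classifier tells them apart and returns nil for any other trigger, which is a quick way to see which of a function's invocations fall inside Threat Detection's coverage; the sample events are constructed and trimmed to the fields the check reads.

```ruby
# Added example (not from the Datadog docs): classify a Lambda event by the
# HTTP source Threat Detection inspects; any other trigger yields nil.
# Note: an HTTP API using payload format 1.0 looks like a REST API event here.
def http_trigger_type(event)
  return nil unless event.is_a?(Hash)
  ctx = event['requestContext']
  return nil unless ctx.is_a?(Hash)
  # ALB events carry the target group under requestContext.elb.
  return :alb if ctx.key?('elb')
  if event['version'] == '2.0'
    # Function URLs reuse the HTTP API 2.0 format; the domain tells them apart.
    domain = ctx['domainName'].to_s
    return :function_url if domain.match?(/\.lambda-url\.[a-z0-9-]+\.on\.aws\z/)
    return :api_gateway_v2 if event.key?('routeKey')
    return nil
  end
  # REST API (payload format 1.0): method sits at the top level, apiId in the context.
  return :api_gateway_v1 if event.key?('httpMethod') && ctx.key?('apiId')
  nil
end

# Constructed sample events, trimmed to the fields the classifier reads.
SAMPLE_EVENTS = {
  alb: { 'httpMethod' => 'GET', 'path' => '/',
         'requestContext' => { 'elb' => { 'targetGroupArn' => 'arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/abc' } } },
  rest: { 'httpMethod' => 'GET', 'resource' => '/', 'path' => '/',
          'requestContext' => { 'apiId' => 'abc123', 'stage' => 'prod' } },
  http_api: { 'version' => '2.0', 'routeKey' => 'GET /hello', 'rawPath' => '/hello',
              'requestContext' => { 'apiId' => 'abc123', 'domainName' => 'abc123.execute-api.us-east-1.amazonaws.com' } },
  url: { 'version' => '2.0', 'routeKey' => '$default', 'rawPath' => '/',
         'requestContext' => { 'apiId' => 'xyz789', 'domainName' => 'xyz789.lambda-url.us-east-1.on.aws' } },
  sqs: { 'Records' => [{ 'eventSource' => 'aws:sqs', 'body' => '{}' }] }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each { |name, ev| puts "#{name}: #{http_trigger_type(ev).inspect}" }
end
```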

Get started

The Datadog Serverless Framework plugin can be used to automatically configure and deploy your Lambda with App and API Protection.

To install and configure the Datadog Serverless Framework plugin:

  1. Install the Datadog Serverless Framework plugin:

    serverless plugin install --name serverless-plugin-datadog
    
  2. Enable App and API Protection by updating your serverless.yml with the enableASM configuration parameter:

    custom:
      datadog:
        enableASM: true
    

    Overall, your new serverless.yml file should contain at least:

    custom:
      datadog:
        apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or apiKey
        enableDDTracing: true
        enableASM: true
    

    See also the complete list of plugin parameters to further configure your lambda settings.

  3. Redeploy the function and invoke it. After a few minutes, it appears in App and API Protection views.

The Datadog CLI modifies existing Lambda function configurations to enable instrumentation without requiring a new deployment. It is the quickest way to get started with Datadog’s serverless monitoring.

If you are configuring initial tracing for your functions, perform the following steps:

  1. Install the Datadog CLI client:

    npm install -g @datadog/datadog-ci
    
  2. If you are new to Datadog serverless monitoring, launch the Datadog CLI in interactive mode to guide your first installation for a quick start; you can then ignore the remaining steps. To permanently install Datadog for your production applications, skip this step and follow the remaining ones to run the Datadog CLI command in your CI/CD pipelines after your normal deployment.

    datadog-ci lambda instrument -i --appsec
    
  3. Configure the AWS credentials:

    Datadog CLI requires access to the AWS Lambda service, and depends on the AWS JavaScript SDK to resolve the credentials. Ensure your AWS credentials are configured using the same method you would use when invoking the AWS CLI.

  4. Configure the Datadog site:

    export DATADOG_SITE="<DATADOG_SITE>"
    

    Replace <DATADOG_SITE> with (ensure the correct Datadog site is selected on the right-hand side of this page).

  5. Configure the Datadog API key:

    Datadog recommends saving the Datadog API key in AWS Secrets Manager for security. The key needs to be stored as a plaintext string (not a JSON blob). Ensure your Lambda functions have the required secretsmanager:GetSecretValue IAM permission.

    export DATADOG_API_KEY_SECRET_ARN="<DATADOG_API_KEY_SECRET_ARN>"
    

    For testing purposes, you can also set the Datadog API key in plaintext:

    export DATADOG_API_KEY="<DATADOG_API_KEY>"
    
  6. Instrument your Lambda functions:

    To instrument your Lambda functions, run the following command.

    datadog-ci lambda instrument --appsec -f <functionname> -f <another_functionname> -r <aws_region> -v 114 -e 86
    

    To fill in the placeholders:

    • Replace <functionname> and <another_functionname> with your Lambda function names.
    • Alternatively, you can use --functions-regex to automatically instrument multiple functions whose names match the given regular expression.
    • Replace <aws_region> with the AWS region name.

    Note: Instrument your Lambda functions in a development or staging environment first. If the instrumentation result is unsatisfactory, run uninstrument with the same arguments to revert the changes.

    Additional parameters can be found in the CLI documentation.

The Datadog CDK Construct automatically installs Datadog on your functions using Lambda Layers, and configures your functions to send metrics, traces, and logs to Datadog through the Datadog Lambda Extension.

  1. Install the Datadog CDK constructs library:

    # For AWS CDK v1
    pip install datadog-cdk-constructs
    
    # For AWS CDK v2
    pip install datadog-cdk-constructs-v2
    
  2. Instrument your Lambda functions

    # For AWS CDK v1
    from datadog_cdk_constructs import Datadog
    # NOT SUPPORTED IN V1
    
    # For AWS CDK v2
    from datadog_cdk_constructs_v2 import Datadog
    
    datadog = Datadog(self, "Datadog",
        python_layer_version=114,
        extension_layer_version=86,
        site="<DATADOG_SITE>",
        api_key_secret_arn="<DATADOG_API_KEY_SECRET_ARN>",  # or api_key
        enable_asm=True,
    )
    datadog.add_lambda_functions([<LAMBDA_FUNCTIONS>])
    

    To fill in the placeholders:

    • Replace <DATADOG_SITE> with (ensure the correct SITE is selected on the right).
    • Replace <DATADOG_API_KEY_SECRET_ARN> with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can use apiKey instead and set the Datadog API key in plaintext.

    More information and additional parameters can be found on the Datadog CDK documentation.

  1. Install the Datadog Lambda library

    The Datadog Lambda Library can be installed as a layer or a gem. For most functions, Datadog recommends installing the library as a layer. If your Lambda function is deployed as a container image, you must install the library as a gem.

    The minor version of the datadog-lambda gem always matches the layer version. For example, datadog-lambda v0.5.0 matches the content of layer version 5.

    • Option A: Configure the layers for your Lambda function using the ARN in the following format:

      # Use this format for x86-based Lambda deployed in AWS commercial regions
      
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>:26
      
      # Use this format for arm64-based Lambda deployed in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-<RUNTIME>-ARM:26
      
      
      # Use this format for x86-based Lambda deployed in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>:26
      
      # Use this format for arm64-based Lambda deployed in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-<RUNTIME>-ARM:26
      

      Replace <AWS_REGION> with a valid AWS region, such as us-east-1. The available RUNTIME options are Ruby2-7 and Ruby3-2.

    • Option B: If you cannot use the prebuilt Datadog Lambda layer, you can instead install the gems datadog-lambda and datadog by adding them to your Gemfile:

      gem 'datadog'
      gem 'datadog-lambda'
      

      datadog contains native extensions that must be compiled for Amazon Linux to work with AWS Lambda. Datadog therefore recommends that you build and deploy your Lambda as a container image. If your function cannot be deployed as a container image and you would like to use Datadog APM, Datadog recommends installing the Lambda Library as a layer instead of as a gem.

      Install gcc, gmp-devel, and make prior to running bundle install in your function’s Dockerfile to ensure that the native extensions can be successfully compiled.

      FROM <base image>
      
      # assemble your container image
      
      RUN yum -y install gcc gmp-devel make
      RUN bundle config set path 'vendor/bundle'
      RUN bundle install
      
  2. Install the Datadog Lambda Extension

    • Option A: Configure the layers for your Lambda function using the ARN in the following format:

      # Use this format for x86-based Lambda deployed in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension:86
      
      # Use this format for arm64-based Lambda deployed in AWS commercial regions
      arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM:86
      
      # Use this format for x86-based Lambda deployed in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension:86
      
      # Use this format for arm64-based Lambda deployed in AWS GovCloud regions
      arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM:86
      

      Replace <AWS_REGION> with a valid AWS region, such as us-east-1.

    • Option B: Add the Datadog Lambda Extension to your container image by adding the following to your Dockerfile:

      COPY --from=public.ecr.aws/datadog/lambda-extension:<TAG> /opt/extensions/ /opt/extensions
      

      Replace <TAG> with either a specific version number (for example, 86) or with latest. You can see a complete list of possible tags in the Amazon ECR repository.

  3. Configure your Lambda functions

    Enable Datadog APM and wrap your Lambda handler function using the wrapper provided by the Datadog Lambda library.

    require 'datadog/lambda'
    
    # Enable the instrumentation
    Datadog::Lambda.configure_apm do |c|
    end
    
    # Wrap the handler so the Datadog Lambda library traces each invocation
    def handler(event:, context:)
      Datadog::Lambda.wrap(event, context) do
        return { statusCode: 200, body: 'Hello World' }
      end
    end
    
  4. Configure Datadog site and API key

    • Set the environment variable DD_SITE to (ensure the correct SITE is selected on the right).
    • Set the environment variable DD_API_KEY_SECRET_ARN with the ARN of the AWS secret where your Datadog API key is securely stored. The key needs to be stored as a plaintext string (not a JSON blob). The secretsmanager:GetSecretValue permission is required. For quick testing, you can use DD_API_KEY instead and set the Datadog API key in plaintext.
  5. Enable App and API Protection by adding the following environment variables on your function deployment:

    environment:
      AWS_LAMBDA_EXEC_WRAPPER: /opt/datadog_wrapper
      DD_SERVERLESS_APPSEC_ENABLED: true
    
  6. Redeploy the function and invoke it. After a few minutes, it appears in App and API Protection views.
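Before redeploying, it is worth confirming that a function's configuration actually reflects steps 1 through 5. As an added example (not Datadog's code), the Ruby check below takes a function configuration in the shape returned by `aws lambda get-function-configuration` and reports what is missing or inconsistent: library and extension layers whose architecture suffix does not match the function, a missing DD_SITE, an API key set in plaintext rather than via DD_API_KEY_SECRET_ARN, and the wrapper and DD_SERVERLESS_APPSEC_ENABLED variables. The sample configuration is constructed; the account id and layer names follow the ARN formats shown above.

```ruby
# Added example (not Datadog's code): audit a Ruby function's configuration, in
# the shape of `aws lambda get-function-configuration`, against the steps above.
LIBRARY_LAYER   = /:layer:Datadog-Ruby[0-9]+-[0-9]+(-ARM)?:\d+\z/
EXTENSION_LAYER = /:layer:Datadog-Extension(-ARM)?:\d+\z/

# Returns an array of findings; empty means the function looks correctly set up.
def aap_config_findings(config)
  findings = []
  layer_arns = (config['Layers'] || []).map { |l| l['Arn'].to_s }
  env = config.dig('Environment', 'Variables') || {}
  arm = (config['Architectures'] || ['x86_64']).include?('arm64')
  image = config['PackageType'] == 'Image'
  # Steps 1 and 2: zip functions need both layers; container images ship the
  # library as a gem and the extension via COPY --from instead.
  lib = layer_arns.grep(LIBRARY_LAYER)
  ext = layer_arns.grep(EXTENSION_LAYER)
  findings << 'missing Datadog-Ruby library layer' if lib.empty? && !image
  findings << 'missing Datadog-Extension layer' if ext.empty? && !image
  # Every Datadog layer must match the function architecture (-ARM vs x86).
  (lib + ext).each do |arn|
    findings << "layer architecture mismatch: #{arn}" if arn.include?('-ARM:') != arm
  end
  # Step 4: site and API key source; a plaintext key is for testing only.
  findings << 'DD_SITE not set' if env['DD_SITE'].to_s.empty?
  if env['DD_API_KEY_SECRET_ARN'].to_s.empty?
    if env['DD_API_KEY'].to_s.empty?
      findings << 'no API key configured (DD_API_KEY_SECRET_ARN or DD_API_KEY)'
    else
      findings << 'DD_API_KEY set in plaintext (prefer DD_API_KEY_SECRET_ARN)'
    end
  end
  # Step 5: the exec wrapper and the App and API Protection switch.
  unless env['AWS_LAMBDA_EXEC_WRAPPER'] == '/opt/datadog_wrapper'
    findings << 'AWS_LAMBDA_EXEC_WRAPPER is not /opt/datadog_wrapper'
  end
  unless env['DD_SERVERLESS_APPSEC_ENABLED'].to_s.casecmp('true').zero?
    findings << 'DD_SERVERLESS_APPSEC_ENABLED is not true'
  end
  findings
end

# Constructed sample: arm64 zip function with an x86 library layer and a plaintext key.
SAMPLE_CONFIG = {
  'FunctionName' => 'orders-api', 'Runtime' => 'ruby3.2', 'PackageType' => 'Zip',
  'Architectures' => ['arm64'],
  'Layers' => [{ 'Arn' => 'arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Ruby3-2:26' },
               { 'Arn' => 'arn:aws:lambda:us-east-1:464622532012:layer:Datadog-Extension-ARM:86' }],
  'Environment' => { 'Variables' => { 'DD_SITE' => 'datadoghq.com', 'DD_API_KEY' => 'EXAMPLE_PLAINTEXT_KEY',
    'AWS_LAMBDA_EXEC_WRAPPER' => '/opt/datadog_wrapper', 'DD_SERVERLESS_APPSEC_ENABLED' => 'true' } }
}.freeze
```

Running `aap_config_findings(SAMPLE_CONFIG)` reports the x86 library layer on an arm64 function and the plaintext API key; the same check against the output of `uninstrument` or a freshly created function lists every missing step.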

Further reading