From 16460178b06f2c86144c57f242c74560e5f01b0e Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 27 Oct 2025 13:50:56 -0400 Subject: [PATCH 01/10] feat: add ust docker labels --- modules/ecs_fargate/datadog.tf | 38 ++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 9 deletions(-) diff --git a/modules/ecs_fargate/datadog.tf b/modules/ecs_fargate/datadog.tf index a35818e..3897a3c 100644 --- a/modules/ecs_fargate/datadog.tf +++ b/modules/ecs_fargate/datadog.tf @@ -119,6 +119,18 @@ locals { ] : [], ) + ust_docker_labels = merge( + var.dd_env != null ? { + "com.datadoghq.tags.env" = var.dd_env + } : {}, + var.dd_service != null ? { + "com.datadoghq.tags.service" = var.dd_service + } : {}, + var.dd_version != null ? { + "com.datadoghq.tags.version" = var.dd_version + } : {}, + ) + application_env_vars = concat( var.dd_apm.profiling != null ? [ { @@ -169,6 +181,11 @@ locals { local.ust_env_vars, local.application_env_vars, ), + # Merge UST docker labels with any existing docker labels. + dockerLabels = merge( + lookup(container, "dockerLabels", {}), + local.ust_docker_labels, + ), # Append new volume mounts to any existing mountPoints. mountPoints = concat( lookup(container, "mountPoints", []), @@ -296,12 +313,13 @@ locals { dd_agent_container = [ merge( { - name = "datadog-agent" - image = "${var.dd_registry}:${var.dd_image_version}" - essential = var.dd_essential - environment = local.dd_agent_env - cpu = var.dd_cpu - memory = var.dd_memory_limit_mib + name = "datadog-agent" + image = "${var.dd_registry}:${var.dd_image_version}" + essential = var.dd_essential + environment = local.dd_agent_env + dockerLabels = local.ust_docker_labels + cpu = var.dd_cpu + memory = var.dd_memory_limit_mib secrets = var.dd_api_key_secret != null ? [ { name = "DD_API_KEY" @@ -349,9 +367,10 @@ locals { dd_log_container = local.is_fluentbit_supported ? [ merge( { - name = "datadog-log-router" - image = "${var.dd_log_collection.fluentbit_config.registry}:${var.dd_log_collection.fluentbit_config.image_version}" - essential = var.dd_log_collection.fluentbit_config.is_log_router_essential + name = "datadog-log-router" + image = "${var.dd_log_collection.fluentbit_config.registry}:${var.dd_log_collection.fluentbit_config.image_version}" + essential = var.dd_log_collection.fluentbit_config.is_log_router_essential + dockerLabels = local.ust_docker_labels firelensConfiguration = { type = "fluentbit" options = merge( @@ -397,6 +416,7 @@ locals { command = ["/cws-instrumentation", "setup", "--cws-volume-mount", "/cws-instrumentation-volume"] mountPoints = local.cws_mount environment = local.ust_env_vars + dockerLabels = local.ust_docker_labels portMappings = [] systemControls = [] volumesFrom = [] From c9966526d02e97aaadc1501996224790e858972c Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 27 Oct 2025 16:21:20 -0400 Subject: [PATCH 02/10] test: add ust docker label tests --- modules/ecs_fargate/datadog.tf | 11 ++-- smoke_tests/ecs_fargate/outputs.tf | 4 ++ smoke_tests/ecs_fargate/ust-docker-labels.tf | 51 +++++++++++++++++++ tests/ust_docker_labels_test.go | 53 ++++++++++++++++++++ tests/utils.go | 11 ++++ 5 files changed, 125 insertions(+), 5 deletions(-) create mode 100644 smoke_tests/ecs_fargate/ust-docker-labels.tf create mode 100644 tests/ust_docker_labels_test.go diff --git a/modules/ecs_fargate/datadog.tf b/modules/ecs_fargate/datadog.tf index 3897a3c..39de752 100644 --- a/modules/ecs_fargate/datadog.tf +++ b/modules/ecs_fargate/datadog.tf @@ -183,8 +183,9 @@ locals { ), # Merge UST docker labels with any existing docker labels. dockerLabels = merge( - lookup(container, "dockerLabels", {}), local.ust_docker_labels, + // Placing this after local.ust_docker_labels ensures user defined UST labels are not overwritten. + lookup(container, "dockerLabels", {}), ), # Append new volume mounts to any existing mountPoints. mountPoints = concat( @@ -367,10 +368,9 @@ locals { dd_log_container = local.is_fluentbit_supported ? [ merge( { - name = "datadog-log-router" - image = "${var.dd_log_collection.fluentbit_config.registry}:${var.dd_log_collection.fluentbit_config.image_version}" - essential = var.dd_log_collection.fluentbit_config.is_log_router_essential - dockerLabels = local.ust_docker_labels + name = "datadog-log-router" + image = "${var.dd_log_collection.fluentbit_config.registry}:${var.dd_log_collection.fluentbit_config.image_version}" + essential = var.dd_log_collection.fluentbit_config.is_log_router_essential firelensConfiguration = { type = "fluentbit" options = merge( @@ -386,6 +386,7 @@ locals { user = "0" mountPoints = var.dd_log_collection.fluentbit_config.mountPoints environment = local.dd_log_agent_env + dockerLabels = local.ust_docker_labels portMappings = [] systemControls = [] volumesFrom = [] diff --git a/smoke_tests/ecs_fargate/outputs.tf b/smoke_tests/ecs_fargate/outputs.tf index 05c5064..502544f 100644 --- a/smoke_tests/ecs_fargate/outputs.tf +++ b/smoke_tests/ecs_fargate/outputs.tf @@ -37,3 +37,7 @@ output "role-parsing-with-path" { output "role-parsing-without-path" { value = module.dd_task_role_parsing_without_path } + +output "ust-docker-labels" { + value = module.dd_task_ust_docker_labels +} diff --git a/smoke_tests/ecs_fargate/ust-docker-labels.tf b/smoke_tests/ecs_fargate/ust-docker-labels.tf new file mode 100644 index 0000000..9c1a534 --- /dev/null +++ b/smoke_tests/ecs_fargate/ust-docker-labels.tf @@ -0,0 +1,51 @@ +# Unless explicitly stated otherwise all files in this repository are licensed +# under the Apache License Version 2.0. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2025-present Datadog, Inc. + +################################################################################ +# Task Definition: UST Docker Labels Test +################################################################################ + +module "dd_task_ust_docker_labels" { + source = "../../modules/ecs_fargate" + + # Configure Datadog with UST tags + dd_api_key = var.dd_api_key + dd_site = var.dd_site + dd_service = "ust-test-service" + dd_env = "ust-test-env" + dd_version = "1.2.3" + dd_tags = "team:test" + dd_essential = true + dd_is_datadog_dependency_enabled = true + + dd_log_collection = { + enabled = true, + } + + dd_cws = { + enabled = true, + } + + # Configure Task Definition with multiple containers + family = "${var.test_prefix}-ust-docker-labels" + container_definitions = jsonencode([ + { + name = "dummy-app", + image = "nginx:latest", + essential = true, + }, + { + name = "app-overwritten-ust", + image = "nginx:latest", + essential = false, + dockerLabels = { + "com.datadoghq.tags.service": "different_name", + "custom.label" = "custom-value" + } + } + ]) + + requires_compatibilities = ["FARGATE"] +} diff --git a/tests/ust_docker_labels_test.go b/tests/ust_docker_labels_test.go new file mode 100644 index 0000000..1ca2916 --- /dev/null +++ b/tests/ust_docker_labels_test.go @@ -0,0 +1,53 @@ +// Unless explicitly stated otherwise all files in this repository are licensed +// under the Apache License Version 2.0. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2025-present Datadog, Inc. + +package test + +import ( + "encoding/json" + "log" + + "github.com/aws/aws-sdk-go-v2/service/ecs/types" + "github.com/gruntwork-io/terratest/modules/terraform" +) + +// TestUSTDockerLabels tests that UST docker labels are propagated to all container definitions +// when dd_service, dd_env, and dd_version are set +func (s *ECSFargateSuite) TestUSTDockerLabels() { + log.Println("TestUSTDockerLabels: Running test...") + + // Retrieve the task output for the "ust-docker-labels" module + var containers []types.ContainerDefinition + task := terraform.OutputMap(s.T(), s.terraformOptions, "ust-docker-labels") + s.Equal(s.testPrefix+"-ust-docker-labels", task["family"], "Unexpected task family name") + + err := json.Unmarshal([]byte(task["container_definitions"]), &containers) + s.NoError(err, "Failed to parse container definitions") + s.Equal(5, len(containers), "Expected 4 containers in the task definition (3 app containers + 1 agent)") + + // Expected UST docker labels that should be present on all application containers + expectedUSTLabels := map[string]string{ + "com.datadoghq.tags.service": "ust-test-service", + "com.datadoghq.tags.env": "ust-test-env", + "com.datadoghq.tags.version": "1.2.3", + } + + dummyApp, found := GetContainer(containers, "dummy-app") + s.True(found, "Container dummy-app not found in definitions") + AssertDockerLabels(s.T(), dummyApp, expectedUSTLabels) + + datadogContainers := []string{"datadog-agent", "datadog-log-router", "cws-instrumentation-init"} + for _, containerName := range datadogContainers { + container, found := GetContainer(containers, containerName) + s.True(found, "Container %s not found in definitions", containerName) + AssertDockerLabels(s.T(), container, expectedUSTLabels) + } + + overwrittenLabels, found := GetContainer(containers, "app-overwritten-ust") + s.True(found, "Container app-overwritten-ust not found in definitions") + expectedUSTLabels["com.datadoghq.tags.service"] = "different_name" + AssertDockerLabels(s.T(), overwrittenLabels, expectedUSTLabels) + +} diff --git a/tests/utils.go b/tests/utils.go index 225bda5..d372f3b 100644 --- a/tests/utils.go +++ b/tests/utils.go @@ -118,3 +118,14 @@ func AssertContainerDependency(t *testing.T, container types.ContainerDefinition assert.True(t, found, "Expected dependency (container:%s, condition:%s) not found in %s container", *expectedDependency.ContainerName, expectedDependency.Condition, *container.Name) } + +// AssertDockerLabels checks if the expected docker labels are all present in the container +func AssertDockerLabels(t *testing.T, container types.ContainerDefinition, expectedLabels map[string]string) { + assert.NotNil(t, container.Name, "Container name cannot be nil") + + for key, expectedValue := range expectedLabels { + value, found := container.DockerLabels[key] + assert.True(t, found, "Docker label %s not found in %s container", key, *container.Name) + assert.Equal(t, expectedValue, value, "Docker label %s value does not match expected in %s container", key, *container.Name) + } +} From 3e319c366d01115397da93e301be0d895cc244c2 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 27 Oct 2025 16:23:58 -0400 Subject: [PATCH 03/10] chore: terraform fmt --- smoke_tests/ecs_fargate/ust-docker-labels.tf | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/smoke_tests/ecs_fargate/ust-docker-labels.tf b/smoke_tests/ecs_fargate/ust-docker-labels.tf index 9c1a534..95bf58a 100644 --- a/smoke_tests/ecs_fargate/ust-docker-labels.tf +++ b/smoke_tests/ecs_fargate/ust-docker-labels.tf @@ -11,13 +11,14 @@ module "dd_task_ust_docker_labels" { source = "../../modules/ecs_fargate" # Configure Datadog with UST tags - dd_api_key = var.dd_api_key - dd_site = var.dd_site - dd_service = "ust-test-service" - dd_env = "ust-test-env" - dd_version = "1.2.3" - dd_tags = "team:test" + dd_api_key = var.dd_api_key + dd_site = var.dd_site + dd_service = "ust-test-service" + dd_env = "ust-test-env" + dd_version = "1.2.3" + dd_tags = "team:test" dd_essential = true + dd_is_datadog_dependency_enabled = true dd_log_collection = { @@ -41,7 +42,7 @@ module "dd_task_ust_docker_labels" { image = "nginx:latest", essential = false, dockerLabels = { - "com.datadoghq.tags.service": "different_name", + "com.datadoghq.tags.service" : "different_name", "custom.label" = "custom-value" } } From 28d5d984aaedd73fa0c0b0588f31bcf9b1cca6e1 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 27 Oct 2025 17:34:25 -0400 Subject: [PATCH 04/10] feat: expose docker label config for datadog agent --- examples/ecs_fargate/main.tf | 5 ++++- modules/ecs_fargate/datadog.tf | 11 ++++++++--- modules/ecs_fargate/variables.tf | 6 ++++++ smoke_tests/ecs_fargate/ust-docker-labels.tf | 6 +++++- tests/ust_docker_labels_test.go | 3 +++ 5 files changed, 26 insertions(+), 5 deletions(-) diff --git a/examples/ecs_fargate/main.tf b/examples/ecs_fargate/main.tf index ccea245..90fabe6 100644 --- a/examples/ecs_fargate/main.tf +++ b/examples/ecs_fargate/main.tf @@ -13,11 +13,14 @@ module "datadog_ecs_fargate_task" { # Configure Datadog dd_api_key = var.dd_api_key dd_site = var.dd_site - dd_service = var.dd_service dd_tags = "team:cont-p, owner:container-monitoring" dd_essential = true dd_is_datadog_dependency_enabled = true + dd_service = "test-service" + dd_env = "test" + dd_version = "1.2.3" + dd_environment = [ { name = "DD_CUSTOM_FEATURE", diff --git a/modules/ecs_fargate/datadog.tf b/modules/ecs_fargate/datadog.tf index 39de752..2e56ff5 100644 --- a/modules/ecs_fargate/datadog.tf +++ b/modules/ecs_fargate/datadog.tf @@ -310,6 +310,11 @@ locals { local.dd_environment, ) + dd_agent_docker_labels = merge( + local.ust_docker_labels, + var.dd_docker_labels, + ) + # Datadog Agent container definition dd_agent_container = [ merge( @@ -318,7 +323,7 @@ locals { image = "${var.dd_registry}:${var.dd_image_version}" essential = var.dd_essential environment = local.dd_agent_env - dockerLabels = local.ust_docker_labels + dockerLabels = local.dd_agent_docker_labels cpu = var.dd_cpu memory = var.dd_memory_limit_mib secrets = var.dd_api_key_secret != null ? [ @@ -386,7 +391,7 @@ locals { user = "0" mountPoints = var.dd_log_collection.fluentbit_config.mountPoints environment = local.dd_log_agent_env - dockerLabels = local.ust_docker_labels + dockerLabels = local.dd_agent_docker_labels portMappings = [] systemControls = [] volumesFrom = [] @@ -417,7 +422,7 @@ locals { command = ["/cws-instrumentation", "setup", "--cws-volume-mount", "/cws-instrumentation-volume"] mountPoints = local.cws_mount environment = local.ust_env_vars - dockerLabels = local.ust_docker_labels + dockerLabels = local.dd_agent_docker_labels portMappings = [] systemControls = [] volumesFrom = [] diff --git a/modules/ecs_fargate/variables.tf b/modules/ecs_fargate/variables.tf index 0de5c4c..e5ef458 100644 --- a/modules/ecs_fargate/variables.tf +++ b/modules/ecs_fargate/variables.tf @@ -96,6 +96,12 @@ variable "dd_environment" { nullable = false } +variable "dd_docker_labels" { + description = "Datadog Agent container docker labels" + type = map(map(string)) + default = {} +} + variable "dd_tags" { description = "Datadog Agent global tags (eg. `key1:value1, key2:value2`)" type = string diff --git a/smoke_tests/ecs_fargate/ust-docker-labels.tf b/smoke_tests/ecs_fargate/ust-docker-labels.tf index 95bf58a..7a92d39 100644 --- a/smoke_tests/ecs_fargate/ust-docker-labels.tf +++ b/smoke_tests/ecs_fargate/ust-docker-labels.tf @@ -29,6 +29,10 @@ module "dd_task_ust_docker_labels" { enabled = true, } + dd_docker_labels = { + "com.datadoghq.tags.service" : "docker-agent-service", + } + # Configure Task Definition with multiple containers family = "${var.test_prefix}-ust-docker-labels" container_definitions = jsonencode([ @@ -42,7 +46,7 @@ module "dd_task_ust_docker_labels" { image = "nginx:latest", essential = false, dockerLabels = { - "com.datadoghq.tags.service" : "different_name", + "com.datadoghq.tags.service" : "overwritten_name", "custom.label" = "custom-value" } } diff --git a/tests/ust_docker_labels_test.go b/tests/ust_docker_labels_test.go index 1ca2916..6310dcb 100644 --- a/tests/ust_docker_labels_test.go +++ b/tests/ust_docker_labels_test.go @@ -38,7 +38,10 @@ func (s *ECSFargateSuite) TestUSTDockerLabels() { s.True(found, "Container dummy-app not found in definitions") AssertDockerLabels(s.T(), dummyApp, expectedUSTLabels) + // Expect UST docker labels to be present on all Datadog containers with + // overwritten labels when UST docker labels are specified. datadogContainers := []string{"datadog-agent", "datadog-log-router", "cws-instrumentation-init"} + expectedUSTLabels["com.datadoghq.tags.service"] = "docker-agent-service" for _, containerName := range datadogContainers { container, found := GetContainer(containers, containerName) s.True(found, "Container %s not found in definitions", containerName) From 54f4a3029a2d0bcbfe942be3cc3635137048c396 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 27 Oct 2025 17:46:59 -0400 Subject: [PATCH 05/10] chore: add docs and fix variable def --- modules/ecs_fargate/README.md | 1 + modules/ecs_fargate/variables.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/ecs_fargate/README.md b/modules/ecs_fargate/README.md index da14d45..f361015 100644 --- a/modules/ecs_fargate/README.md +++ b/modules/ecs_fargate/README.md @@ -245,6 +245,7 @@ No modules. | [dd\_cluster\_name](#input\_dd\_cluster\_name) | Datadog cluster name | `string` | `null` | no | | [dd\_cpu](#input\_dd\_cpu) | Datadog Agent container CPU units | `number` | `null` | no | | [dd\_cws](#input\_dd\_cws) | Configuration for Datadog Cloud Workload Security (CWS) | 
object({
    enabled          = optional(bool, false)
    cpu              = optional(number)
    memory_limit_mib = optional(number)
  })
| 
{
  "enabled": false
}
| no | +| [dd\_docker\_labels](#input\_dd\_docker\_labels) | Datadog Agent container docker labels | `map(string)` | `{}` | no | | [dd\_dogstatsd](#input\_dd\_dogstatsd) | Configuration for Datadog DogStatsD | 
object({
    enabled                  = optional(bool, true)
    origin_detection_enabled = optional(bool, true)
    dogstatsd_cardinality    = optional(string, "orchestrator")
    socket_enabled           = optional(bool, true)
  })
| 
{
  "dogstatsd_cardinality": "orchestrator",
  "enabled": true,
  "origin_detection_enabled": true,
  "socket_enabled": true
}
| no | | [dd\_env](#input\_dd\_env) | The task environment name. Used for tagging (UST) | `string` | `null` | no | | [dd\_environment](#input\_dd\_environment) | Datadog Agent container environment variables. Highest precedence and overwrites other environment variables defined by the module. For example, `dd_environment = [ { name = 'DD_VAR', value = 'DD_VAL' } ]` | `list(map(string))` | 
[
  {}
]
| no | diff --git a/modules/ecs_fargate/variables.tf b/modules/ecs_fargate/variables.tf index e5ef458..d5cc82e 100644 --- a/modules/ecs_fargate/variables.tf +++ b/modules/ecs_fargate/variables.tf @@ -98,7 +98,7 @@ variable "dd_environment" { variable "dd_docker_labels" { description = "Datadog Agent container docker labels" - type = map(map(string)) + type = map(string) default = {} } From 55ed512b95f62fa45e89c9fe5fa236e7aa942ba7 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 27 Oct 2025 17:53:15 -0400 Subject: [PATCH 06/10] fix: update test assertion --- tests/ust_docker_labels_test.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/ust_docker_labels_test.go b/tests/ust_docker_labels_test.go index 6310dcb..812b45c 100644 --- a/tests/ust_docker_labels_test.go +++ b/tests/ust_docker_labels_test.go @@ -48,9 +48,11 @@ func (s *ECSFargateSuite) TestUSTDockerLabels() { AssertDockerLabels(s.T(), container, expectedUSTLabels) } + // Expect UST docker labels to be overwritten on application container if docker labels + // are specified in the container definition. overwrittenLabels, found := GetContainer(containers, "app-overwritten-ust") s.True(found, "Container app-overwritten-ust not found in definitions") - expectedUSTLabels["com.datadoghq.tags.service"] = "different_name" + expectedUSTLabels["com.datadoghq.tags.service"] = "overwritten_name" AssertDockerLabels(s.T(), overwrittenLabels, expectedUSTLabels) } From 1419f73066999779dcb2ff02f818159551bd27d3 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 27 Oct 2025 18:13:08 -0400 Subject: [PATCH 07/10] chore: update example --- examples/ecs_fargate/main.tf | 6 +++--- examples/ecs_fargate/variables.tf | 14 +++++++++++++- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/examples/ecs_fargate/main.tf b/examples/ecs_fargate/main.tf index 90fabe6..45a66d1 100644 --- a/examples/ecs_fargate/main.tf +++ b/examples/ecs_fargate/main.tf @@ -17,9 +17,9 @@ module "datadog_ecs_fargate_task" { dd_essential = true dd_is_datadog_dependency_enabled = true - dd_service = "test-service" - dd_env = "test" - dd_version = "1.2.3" + dd_service = var.dd_service + dd_env = var.dd_env + dd_version = var.dd_version dd_environment = [ { diff --git a/examples/ecs_fargate/variables.tf b/examples/ecs_fargate/variables.tf index fa04ce4..a2ab372 100644 --- a/examples/ecs_fargate/variables.tf +++ b/examples/ecs_fargate/variables.tf @@ -16,7 +16,19 @@ variable "dd_api_key_secret_arn" { } variable "dd_service" { - description = "Service name for resource filtering in Datadog" + description = "The service name for resource filtering and UST tagging in Datadog" + type = string + default = null +} + +variable "dd_env" { + description = "The environment for resource filtering and UST tagging in Datadog" + type = string + default = null +} + +variable "dd_version" { + description = "The version for resource filtering and UST tagging in Datadog" type = string default = null } From 6ee0a3b3d08bf4b9f07f2e0851fe24992190dfc9 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 3 Nov 2025 10:24:56 -0500 Subject: [PATCH 08/10] chore: remove ust tagging for agent container --- modules/ecs_fargate/datadog.tf | 22 +++++--------------- smoke_tests/ecs_fargate/ust-docker-labels.tf | 11 ++-------- tests/all_dd_disabled_test.go | 1 - tests/all_dd_inputs_test.go | 2 -- tests/apm_dsd_tcp_udp_test.go | 1 - tests/logging_only_test.go | 2 -- tests/ust_docker_labels_test.go | 18 +++++++--------- 7 files changed, 14 insertions(+), 43 deletions(-) diff --git a/modules/ecs_fargate/datadog.tf b/modules/ecs_fargate/datadog.tf index 2e56ff5..c8f50a3 100644 --- a/modules/ecs_fargate/datadog.tf +++ b/modules/ecs_fargate/datadog.tf @@ -183,9 +183,8 @@ locals { ), # Merge UST docker labels with any existing docker labels. dockerLabels = merge( - local.ust_docker_labels, - // Placing this after local.ust_docker_labels ensures user defined UST labels are not overwritten. lookup(container, "dockerLabels", {}), + local.ust_docker_labels, ), # Append new volume mounts to any existing mountPoints. mountPoints = concat( @@ -306,15 +305,9 @@ locals { local.dynamic_env, local.origin_detection_vars, local.cws_vars, - local.ust_env_vars, local.dd_environment, ) - dd_agent_docker_labels = merge( - local.ust_docker_labels, - var.dd_docker_labels, - ) - # Datadog Agent container definition dd_agent_container = [ merge( @@ -323,7 +316,7 @@ locals { image = "${var.dd_registry}:${var.dd_image_version}" essential = var.dd_essential environment = local.dd_agent_env - dockerLabels = local.dd_agent_docker_labels + dockerLabels = var.dd_docker_labels cpu = var.dd_cpu memory = var.dd_memory_limit_mib secrets = var.dd_api_key_secret != null ? [ @@ -364,11 +357,6 @@ locals { dd_log_environment = var.dd_log_collection.fluentbit_config.environment != null ? var.dd_log_collection.fluentbit_config.environment : [] - dd_log_agent_env = concat( - local.ust_env_vars, - local.dd_log_environment - ) - # Datadog log router container definition dd_log_container = local.is_fluentbit_supported ? [ merge( @@ -390,8 +378,8 @@ locals { memory_limit_mib = var.dd_log_collection.fluentbit_config.memory_limit_mib user = "0" mountPoints = var.dd_log_collection.fluentbit_config.mountPoints - environment = local.dd_log_agent_env - dockerLabels = local.dd_agent_docker_labels + environment = local.dd_log_environment + dockerLabels = var.dd_docker_labels portMappings = [] systemControls = [] volumesFrom = [] @@ -422,7 +410,7 @@ locals { command = ["/cws-instrumentation", "setup", "--cws-volume-mount", "/cws-instrumentation-volume"] mountPoints = local.cws_mount environment = local.ust_env_vars - dockerLabels = local.dd_agent_docker_labels + dockerLabels = var.dd_docker_labels portMappings = [] systemControls = [] volumesFrom = [] diff --git a/smoke_tests/ecs_fargate/ust-docker-labels.tf b/smoke_tests/ecs_fargate/ust-docker-labels.tf index 7a92d39..a521c60 100644 --- a/smoke_tests/ecs_fargate/ust-docker-labels.tf +++ b/smoke_tests/ecs_fargate/ust-docker-labels.tf @@ -31,6 +31,8 @@ module "dd_task_ust_docker_labels" { dd_docker_labels = { "com.datadoghq.tags.service" : "docker-agent-service", + "com.datadoghq.tags.env": "agent-dev", + "com.datadoghq.tags.version": "v1.2.3" } # Configure Task Definition with multiple containers @@ -41,15 +43,6 @@ module "dd_task_ust_docker_labels" { image = "nginx:latest", essential = true, }, - { - name = "app-overwritten-ust", - image = "nginx:latest", - essential = false, - dockerLabels = { - "com.datadoghq.tags.service" : "overwritten_name", - "custom.label" = "custom-value" - } - } ]) requires_compatibilities = ["FARGATE"] diff --git a/tests/all_dd_disabled_test.go b/tests/all_dd_disabled_test.go index 9d54e8c..d44efa3 100644 --- a/tests/all_dd_disabled_test.go +++ b/tests/all_dd_disabled_test.go @@ -42,7 +42,6 @@ func (s *ECSFargateSuite) TestAllDDDisabled() { expectedAgentEnvVars := map[string]string{ "DD_API_KEY": "test-api-key", "DD_SITE": "datadoghq.com", - "DD_SERVICE": "test-service", "DD_TAGS": "team:cont-p, owner:container-monitoring", "DD_DOGSTATSD_TAG_CARDINALITY": "orchestrator", "DD_ECS_TASK_COLLECTION_ENABLED": "true", diff --git a/tests/all_dd_inputs_test.go b/tests/all_dd_inputs_test.go index 698314a..a03114b 100644 --- a/tests/all_dd_inputs_test.go +++ b/tests/all_dd_inputs_test.go @@ -51,7 +51,6 @@ func (s *ECSFargateSuite) TestAllDDInputs() { "DD_API_KEY": "test-api-key", "DD_SITE": "datadoghq.com", "ECS_FARGATE": "true", - "DD_SERVICE": "test-service", "DD_RUNTIME_SECURITY_CONFIG_EBPFLESS_ENABLED": "true", "DD_INSTALL_INFO_TOOL": "terraform", // "DD_INSTALL_INFO_INSTALLER_VERSION": "0.0.0", @@ -61,7 +60,6 @@ func (s *ECSFargateSuite) TestAllDDInputs() { expectedLogOptions := map[string]string{ "apikey": "test-api-key", "provider": "ecs", - "dd_service": "dd-test", "Host": "http-intake.logs.datadoghq.com", "TLS": "on", "dd_source": "dd-test", diff --git a/tests/apm_dsd_tcp_udp_test.go b/tests/apm_dsd_tcp_udp_test.go index cc1703e..1a361bb 100644 --- a/tests/apm_dsd_tcp_udp_test.go +++ b/tests/apm_dsd_tcp_udp_test.go @@ -42,7 +42,6 @@ func (s *ECSFargateSuite) TestApmDsdTcpUdp() { expectedAgentEnvVars := map[string]string{ "DD_API_KEY": "test-api-key", "DD_SITE": "datadoghq.com", - "DD_SERVICE": "test-service", "DD_TAGS": "team:cont-p, owner:container-monitoring", "DD_DOGSTATSD_TAG_CARDINALITY": "orchestrator", "DD_ECS_TASK_COLLECTION_ENABLED": "true", diff --git a/tests/logging_only_test.go b/tests/logging_only_test.go index 009ef15..92eba35 100644 --- a/tests/logging_only_test.go +++ b/tests/logging_only_test.go @@ -42,7 +42,6 @@ func (s *ECSFargateSuite) TestLoggingOnly() { expectedAgentEnvVars := map[string]string{ "DD_API_KEY": "test-api-key", "DD_SITE": "datadoghq.com", - "DD_SERVICE": "test-service", "DD_DOGSTATSD_TAG_CARDINALITY": "orchestrator", "DD_ECS_TASK_COLLECTION_ENABLED": "true", "ECS_FARGATE": "true", @@ -87,7 +86,6 @@ func (s *ECSFargateSuite) TestLoggingOnly() { // Verify log router environment variables expectedLogRouterEnvVars := map[string]string{ - "DD_SERVICE": "test-service", "DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL": "true", } AssertEnvVars(s.T(), logRouterContainer, expectedLogRouterEnvVars) diff --git a/tests/ust_docker_labels_test.go b/tests/ust_docker_labels_test.go index 812b45c..6bde250 100644 --- a/tests/ust_docker_labels_test.go +++ b/tests/ust_docker_labels_test.go @@ -25,7 +25,7 @@ func (s *ECSFargateSuite) TestUSTDockerLabels() { err := json.Unmarshal([]byte(task["container_definitions"]), &containers) s.NoError(err, "Failed to parse container definitions") - s.Equal(5, len(containers), "Expected 4 containers in the task definition (3 app containers + 1 agent)") + s.Equal(4, len(containers), "Expected 4 containers in the task definition (1 app container + 3 agent sidecar)") // Expected UST docker labels that should be present on all application containers expectedUSTLabels := map[string]string{ @@ -41,18 +41,14 @@ func (s *ECSFargateSuite) TestUSTDockerLabels() { // Expect UST docker labels to be present on all Datadog containers with // overwritten labels when UST docker labels are specified. datadogContainers := []string{"datadog-agent", "datadog-log-router", "cws-instrumentation-init"} - expectedUSTLabels["com.datadoghq.tags.service"] = "docker-agent-service" + expectedAgentUSTLabels := map[string]string{ + "com.datadoghq.tags.service": "docker-agent-service", + "com.datadoghq.tags.env": "agent-dev", + "com.datadoghq.tags.version": "v1.2.3", + } for _, containerName := range datadogContainers { container, found := GetContainer(containers, containerName) s.True(found, "Container %s not found in definitions", containerName) - AssertDockerLabels(s.T(), container, expectedUSTLabels) + AssertDockerLabels(s.T(), container, expectedAgentUSTLabels) } - - // Expect UST docker labels to be overwritten on application container if docker labels - // are specified in the container definition. - overwrittenLabels, found := GetContainer(containers, "app-overwritten-ust") - s.True(found, "Container app-overwritten-ust not found in definitions") - expectedUSTLabels["com.datadoghq.tags.service"] = "overwritten_name" - AssertDockerLabels(s.T(), overwrittenLabels, expectedUSTLabels) - } From c3e0bf7a689ab31339de5b73f98ed0b734e62fdc Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 3 Nov 2025 10:26:56 -0500 Subject: [PATCH 09/10] chore: terraform fmt --- smoke_tests/ecs_fargate/ust-docker-labels.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/smoke_tests/ecs_fargate/ust-docker-labels.tf b/smoke_tests/ecs_fargate/ust-docker-labels.tf index a521c60..d614c58 100644 --- a/smoke_tests/ecs_fargate/ust-docker-labels.tf +++ b/smoke_tests/ecs_fargate/ust-docker-labels.tf @@ -31,8 +31,8 @@ module "dd_task_ust_docker_labels" { dd_docker_labels = { "com.datadoghq.tags.service" : "docker-agent-service", - "com.datadoghq.tags.env": "agent-dev", - "com.datadoghq.tags.version": "v1.2.3" + "com.datadoghq.tags.env" : "agent-dev", + "com.datadoghq.tags.version" : "v1.2.3" } # Configure Task Definition with multiple containers From 7c5af11937dc69a4580d4f40db8b39cee8197ab6 Mon Sep 17 00:00:00 2001 From: Mathew Estafanous Date: Mon, 3 Nov 2025 11:13:23 -0500 Subject: [PATCH 10/10] chore: remove ust env from cws container --- modules/ecs_fargate/datadog.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/ecs_fargate/datadog.tf b/modules/ecs_fargate/datadog.tf index c8f50a3..d22fda2 100644 --- a/modules/ecs_fargate/datadog.tf +++ b/modules/ecs_fargate/datadog.tf @@ -409,7 +409,6 @@ locals { entryPoint = [] command = ["/cws-instrumentation", "setup", "--cws-volume-mount", "/cws-instrumentation-volume"] mountPoints = local.cws_mount - environment = local.ust_env_vars dockerLabels = var.dd_docker_labels portMappings = [] systemControls = []