chore(asm): make it possible to enable asm threat monitoring in AWS Lambda for dev builds (#13602)

florentinl · web-flow · commit 4c7f8b2b7c00 · 2025-06-05T16:31:18.000+02:00
Jira Ticket: APPSEC-57888 ## Description Do not automatically disable ASM in the context of AWS lambda but make it possible to enable threat monitoring with the regular env var DD_APPSEC_ENABLED. In production libddwaf is stripped from the `datadog-lambda-python` release builds and this will force disable ASM regardless. This will only impact dev builds that use DD_APPSEC_ENABLED=true ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
diff --git a/ddtrace/appsec/_processor.py b/ddtrace/appsec/_processor.py
@@ -179,7 +179,7 @@ def on_span_start(self, span: Span) -> None:
         if not hasattr(self, "_ddwaf"):
             self.delayed_init()
 
-        if span.span_type not in {SpanTypes.WEB, SpanTypes.GRPC}:
+        if span.span_type not in asm_config._asm_processed_span_types:
             return
 
         _asm_request_context.start_context(span)
diff --git a/ddtrace/settings/asm.py b/ddtrace/settings/asm.py
@@ -14,6 +14,7 @@
 from ddtrace.appsec._constants import LOGIN_EVENTS_MODE
 from ddtrace.appsec._constants import TELEMETRY_INFORMATION_NAME
 from ddtrace.constants import APPSEC_ENV
+from ddtrace.ext import SpanTypes
 from ddtrace.internal import core
 from ddtrace.internal.serverless import in_aws_lambda
 from ddtrace.settings._config import config as tracer_config
@@ -64,6 +65,7 @@ class ASMConfig(DDConfig):
     # prevent empty string
     if _asm_static_rule_file == "":
         _asm_static_rule_file = None
+    _asm_processed_span_types = {SpanTypes.WEB, SpanTypes.GRPC}
     _iast_enabled = tracer_config._from_endpoint.get("iast_enabled", DDConfig.var(bool, IAST.ENV, default=False))
     _iast_request_sampling = DDConfig.var(float, IAST.ENV_REQUEST_SAMPLING, default=30.0)
     _iast_debug = DDConfig.var(bool, IAST.ENV_DEBUG, default=False, private=True)
@@ -224,9 +226,20 @@ class ASMConfig(DDConfig):
 
     def __init__(self):
         super().__init__()
+
+        if in_aws_lambda():
+            self._asm_processed_span_types.add(SpanTypes.SERVERLESS)
+
+            # As a first step, only Threat Management in monitoring mode should be enabled in AWS Lambda
+            tracer_config._remote_config_enabled = False
+            self._api_security_enabled = False
+            self._ep_enabled = False
+            self._iast_supported = False
+
         if not self._iast_supported:
             self._iast_enabled = False
-        if not self._asm_libddwaf_available or in_aws_lambda():
+
+        if not self._asm_libddwaf_available:
             self._asm_enabled = False
             self._asm_can_be_enabled = False
             self._iast_enabled = False
diff --git a/tests/appsec/architectures/test_appsec_loading_modules.py b/tests/appsec/architectures/test_appsec_loading_modules.py
@@ -63,7 +63,7 @@ def test_loading(appsec_enabled, iast_enabled, aws_lambda):
                     for m in MODULES_ALWAYS_LOADED:
                         assert m in data["appsec"], f"{m} not in {data['appsec']}"
                     for m in MODULE_ASM_ONLY:
-                        if appsec_enabled == "true" and not aws_lambda:
+                        if appsec_enabled == "true":
                             assert m in data["appsec"], f"{m} not in {data['appsec']} data:{data}"
                         else:
                             assert m not in data["appsec"], f"{m} in {data['appsec']} data:{data}"
