Optionally capture Lambda request and response payloads

[astuyve]

What does this PR do?

Uses span tags to recursively tag attrs of the request and response object.

• Max depth of 5 (not configurable)
• Max length of 5,000 chars (backend limit for span tags)
• Filters out common auth patterns
• Allows for more specific patterns with datadog.yaml obfuscations

Motivation

Testing Guidelines

Additional Notes

Types of Changes

• Bug fix
• New feature
• Breaking change
• Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

• This PR's description is comprehensive
• This PR contains breaking changes that are documented in the description
• This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
• This PR impacts documentation, and it has been updated (or a ticket has been logged)
• This PR's changes are covered by the automated tests
• This PR collects user input/sensitive content into Datadog
• This PR passes the integration tests (ask a Datadog member to run the tests)

TODO

• Documentation update

[codecov-commenter]

Codecov Report

Merging #222 (25b7c65) into main (fefe509) will decrease coverage by 0.41%.
The diff coverage is 72.72%.

@@            Coverage Diff             @@
##             main     #222      +/-   ##
==========================================
- Coverage   88.06%   87.65%   -0.42%     
==========================================
  Files          31       32       +1     
  Lines        1198     1231      +33     
  Branches      240      249       +9     
==========================================
+ Hits         1055     1079      +24     
- Misses         86       91       +5     
- Partials       57       61       +4     

Impacted Files	Coverage Δ
src/trace/listener.ts	87.32% <ø> (ø)
src/index.ts	77.87% <42.85%> (-2.32%)	⬇️
src/utils/tag-object.ts	80.00% <80.00%> (ø)
src/utils/index.ts	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fefe509...25b7c65. Read the comment docs.

[maxday]

Maybe this could be customizable by the customer?

[astuyve]

Oh good question - we actually already allow the customer to define obfuscation rules via datadog.yaml https://docs.datadoghq.com/tracing/setup_overview/configure_data_security/?tab=datadogyaml#replace-rules-for-tag-filtering

This is just a hardcoded list to prevent non-configured payload capture from indexing basic/common secrets. It's not something we want to automatically index. If a user wants to capture these, they'll have to manually set a tag.

[maxday]

oh I see, so maybe we should make a link/note about this config option when we'll release this new env var?

[astuyve]

Yup! And it'll be in the blog post :)

[DarcyRaynerDD]

LGTM, left some comments.

[DarcyRaynerDD]

nit: we typically name files like this tag-object.ts

[DarcyRaynerDD]

If it's a string, does it need to be parsed?

[astuyve]

Good question. This is needed to deeply tag nested JSON into separate items, otherwise it just tags an object (ala: setTag('request.body', { foo: { blah: 'ahhh' }}), which doesn't display nicely in the app.