dd-trace-java
Standalone ASM billing
What Does This Do
Add new boolean environment variable DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED, when it's enabled:
- Libraries must add the numeric tag _dd.apm.enabled:0 to the metrics map of the service entry spans. _dd.apm.enabled is assumed to be 1 when absent, so it is backward compatible.
- Disable the generation of APM trace metrics by disabling the computation of the APM trace metrics and the computation agent-side of the APM trace metrics by pretending it was already done by the library (the trace payload sent to the agent must contain the HTTP header Datadog-Client-Computed-Stats: yes)
- Introduce a new propagated span tag _dd.p.appsec: 1 providing the knowledge to downstream services that the current distributed trace is containing at least one ASM event and must inherit from the given force-keep priority indeed.
- Ignore the force-keep priority in the absence of this propagated _dd.p.appsec span tag
- Use a new TimeSampler to only allow 1 APM trace per minute as standalone ASM is only interested in the traces containing ASM events. But the service catalog and the billing need a continuous ingestion of at least 1 trace per minute to consider a service as being live and billable. In the absence of ASM events, no APM traces must be sent, so we need to let some regular APM traces go through, even in the absence of ASM events.
Motivation
ASM is a natural continuation of APM, leveraging concepts such as traces to build threat monitoring protection capabilities, or on telemetry to build vulnerability management. Though, some customers (primarily infrastructure-monitoring-only customers) that find APM too expensive but need ASM security features want to only pay for ASM. We want to make this possible, still internally leveraging APM and provide the same service to ASM customers, while allowing them to not use APM
Additional Notes
Jira ticket: APPSEC-10459
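The keep/drop decision described in the list above, as an added sketch that is not code from this pull request or from dd-trace-java. The class name, method names and the injectable clock are hypothetical; only the tag name _dd.p.appsec and the one-trace-per-minute window come from the description.

```java
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.LongSupplier;

/** Hypothetical sketch; not the TimeSampler class added by the pull request. */
final class StandaloneAsmSamplerSketch {
  static final String APPSEC_TAG = "_dd.p.appsec"; // propagated tag named in the description

  private final long windowMillis;
  private final LongSupplier clock; // injectable so the demo does not have to sleep
  private final AtomicLong nextAllowedAt = new AtomicLong(Long.MIN_VALUE);

  StandaloneAsmSamplerSketch(long windowMillis, LongSupplier clock) {
    this.windowMillis = windowMillis;
    this.clock = clock;
  }

  /** Succeeds for at most one caller per window, even under concurrent calls. */
  boolean tryAcquireWindow() {
    long now = clock.getAsLong();
    long next = nextAllowedAt.get();
    return now >= next && nextAllowedAt.compareAndSet(next, now + windowMillis);
  }

  /** Decide whether a trace is sent when standalone ASM is enabled. */
  boolean keep(Map<String, String> propagatedTags, boolean forceKeepRequested) {
    boolean hasAsmEvent = "1".equals(propagatedTags.get(APPSEC_TAG));
    if (forceKeepRequested && hasAsmEvent) {
      return true; // the trace carries an ASM event: honour the force-keep priority
    }
    // Force-keep without the propagated tag is ignored; the trace competes
    // for the single liveness slot of the current window like any other.
    return tryAcquireWindow();
  }

  public static void main(String[] args) {
    long[] now = {0L}; // constructed fake clock, in milliseconds
    StandaloneAsmSamplerSketch s = new StandaloneAsmSamplerSketch(60_000L, () -> now[0]);
    Map<String, String> asm = Map.of(APPSEC_TAG, "1"); // constructed sample tags
    Map<String, String> plain = Map.of();
    System.out.println(s.keep(plain, false)); // first plain trace in the window
    System.out.println(s.keep(plain, true));  // force-keep requested, tag absent
    System.out.println(s.keep(asm, true));    // force-keep requested, tag present
    now[0] = 60_000L;                         // one minute later
    System.out.println(s.keep(plain, false)); // first plain trace in the next window
  }
}
```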