Datadog Demo App

Kelvo E-Comm

Polyglot microservices on AWS — fully instrumented with Datadog RUM, APM, DBM, ASM, IAST, RASP, SCA, SAST, Profiling, and FinOps.


Architecture — 7 Services, 3 Languages

Each service runs on a different AWS compute type to demonstrate full-stack Datadog observability.

Service | Language | AWS Runtime | Local Port | Datadog Service
Orders | Java 21 / Spring Boot | EC2 t3.medium | 8080 | kelvo-ecomm-order-service
Cart | Node.js 20 | ECS Fargate | 3001 | kelvo-ecomm-cart
Auth | Node.js 20 | ECS Fargate | 3002 | kelvo-ecomm-auth
Payment | Node.js 20 | ECS Fargate | 3003 | kelvo-ecomm-payment
Search | Python 3.11 | Lambda | 3004 | kelvo-ecomm-search
Recommendations | Python 3.11 | Lambda | 3005 | kelvo-ecomm-recommendations
Notifications | Python 3.11 | Lambda | 3006 | kelvo-ecomm-notifications
Frontend | React + TypeScript | S3 + CloudFront | 3000 | kelvo-ecomm

Databases

Database | AWS | Used By
PostgreSQL 16 | RDS db.t3.medium (private subnet) | Orders (products, orders) · Auth (users)
Redis 7 | ElastiCache cache.t3.small (private subnet) | Cart (sessions) · Payment (payment intents)

Deploy — One Command

./scripts/deploy-aws.sh does everything from scratch. No manual steps required after filling in .env.deploy.

⚠️ One manual step after deploy: Add DD_API_KEY and DD_APP_KEY as GitHub Actions secrets in your repo (Settings → Secrets and variables → Actions). Required for SAST + SCA CI workflows to report results to Datadog.

1. Fill in .env.deploy
Copy .env.aws to .env.deploy and set your AWS, Datadog, and RDS credentials. File is git-ignored — never committed.

2. Run the deploy script
Takes ~15–25 minutes on first deploy. Creates CloudFormation stack, builds Docker images, deploys Lambda code, builds and uploads the React frontend.

3. DBM user created automatically
The script waits for the EC2 SSM agent, then runs the PostgreSQL GRANT commands on RDS via SSM. No SSH access needed.

! Add GitHub Actions secrets (manual)
Add DD_API_KEY and DD_APP_KEY to your repo's Actions secrets so SAST + SCA CI workflows can send results to Datadog.


# 1. Set your secrets
cp .env.aws .env.deploy
# edit .env.deploy with real values

# 2. Deploy everything (fully automated)
./scripts/deploy-aws.sh

# 3. Tear down when done
aws cloudformation delete-stack --stack-name rumshop-production --region us-west-2
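
A pre-flight check to run between steps 1 and 2, as an added example that is not part of the project's scripts: it fails if .env.deploy is tracked by git, is not covered by .gitignore, is accessible to group/others, or leaves a Datadog key empty. The function name check_env_deploy is hypothetical, and the presence of DD_API_KEY and DD_APP_KEY as plain KEY=value lines in the file is an assumption.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the secrets file read by deploy-aws.sh.
# check_env_deploy is a hypothetical helper, not one of the project's scripts.

check_env_deploy() {
  local file="${1:-.env.deploy}" dir base key value rc=0
  [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }
  dir=$(dirname -- "$file")
  base=$(basename -- "$file")

  # 1. Only the owner may access the file (for example mode 600).
  #    Characters 5-10 of `ls -ld` output are the group and other bits.
  if [ "$(ls -ld -- "$file" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $file is accessible to group/others (chmod 600 it)"; rc=1
  fi

  # 2. Inside a git work tree the file must be untracked and ignored.
  #    Skipped when git is absent or the directory is not a repository.
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if git -C "$dir" ls-files --error-unmatch -- "$base" >/dev/null 2>&1; then
      echo "FAIL: $file is tracked by git (git rm --cached it, rotate keys)"; rc=1
    elif ! git -C "$dir" check-ignore -q -- "$base" 2>/dev/null; then
      echo "FAIL: $file is not matched by any .gitignore rule"; rc=1
    fi
  fi

  # 3. Both Datadog keys must be set. Values are checked, never printed.
  #    Assumption: plain KEY=value lines, last assignment wins.
  for key in DD_API_KEY DD_APP_KEY; do
    value=$(sed -n "s/^${key}=//p" "$file" | tail -n 1 | tr -d "\"' ")
    if [ -z "$value" ]; then
      echo "FAIL: $key is missing or empty in $file"; rc=1
    fi
  done

  [ "$rc" -eq 0 ] && echo "OK: $file passed pre-flight checks"
  return "$rc"
}
```

Run it as `check_env_deploy .env.deploy && ./scripts/deploy-aws.sh` so a failed check stops the deploy.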

What the script deploys

🏗️ CloudFormation Stack
VPC, public/private subnets, NAT Gateway, Internet Gateway, security groups, RDS, ElastiCache, EC2, ECS Cluster, ECR repos, API Gateway, S3, CloudFront.

🐳 Docker → ECR → ECS
Builds cart, auth, payment Node.js images, pushes to ECR, force-redeploys ECS Fargate services.

Java JAR → EC2
Runs Maven build, uploads JAR to S3, pulls from EC2 via SSM, restarts the systemd service.

🐍 Python → Lambda
Zips search, recommendations, notifications handlers, and deploys to Lambda. Datadog-Python311 layer already attached via CloudFormation.

⚛️ React → S3 + CloudFront
npm build with injected env vars, S3 sync, CloudFront invalidation. Routing via CloudFront CacheBehaviors — /api/* proxied to ALB.

🗃️ DBM user on RDS
Polls EC2 SSM agent, sends psql GRANT commands. Creates the datadog monitoring user with pg_monitor role for Database Monitoring.

Datadog Features — Full Coverage

Every feature is enabled automatically via CloudFormation, CloudFormation UserData, ECS task env vars, or GitHub Actions CI.

RUM — Real User Monitoring

frontend/src/index.tsx · @datadog/browser-rum
Verify: Digital Experience → RUM → Sessions. Browse the app to see session replays and correlated APM traces.
Session Replay · RUM-to-APM

APM — Distributed Tracing

dd-java-agent (EC2) · dd-trace/init (ECS) · @datadog_lambda_wrapper (Lambda)
Verify: APM → Services. Apply BLACKFRIDAY coupon to generate a cross-service error trace.
Java · Node.js · Python

Continuous Profiler

-Ddd.profiling.enabled=true · DD_PROFILING_ENABLED=true
Verify: APM → Profiling → filter by kelvo-ecomm-order-service. Flame graphs after ~1 min of traffic.
Java · Node.js · Lambda

Dynamic Instrumentation

-Ddd.dynamic.instrumentation.enabled=true · DD_DYNAMIC_INSTRUMENTATION_ENABLED=true
Verify: APM → Dynamic Instrumentation → add a log probe to any running method. Output appears live without redeployment.
Java · Node.js

ASM — Threat Detection

-Ddd.appsec.enabled=true · DD_APPSEC_ENABLED=true
Verify: Security → Application Security → Traces. Send ?id=1 OR 1=1 and observe the SQL injection flag.
Java · Node.js · Lambda

RASP — Runtime Protection

-Ddd.appsec.rasp.enabled=true · DD_APPSEC_RASP_ENABLED=true
Verify: Security → Application Security → Signals. RASP-blocked requests show HTTP 403 with rasp rule category.
Java · Node.js · Lambda

IAST — Code Security

-Ddd.iast.enabled=true · DD_IAST_ENABLED=true
Verify: Security → Code Security → Vulnerabilities. Runtime-detected issues appear with file and line references.
Java · Node.js · Lambda

SCA — Dependency Vulnerabilities

DD_APPSEC_SCA_ENABLED=true · datadog-sca-github-action (CI)
Verify: Security → Code Security → Libraries. Known CVEs in npm/pip/Maven deps. CI results in Code Analysis → Pipelines.
Runtime · CI/CD

SAST — Static Analysis

.github/workflows/datadog-static-analysis.yml · datadog-static-analyzer-github-action
Verify: Security → Code Security → Code Analysis. Findings link to exact file/line in GitHub. Requires DD_API_KEY + DD_APP_KEY secrets.
CI/CD · GitHub Actions

DBM — Database Monitoring

Datadog Agent on EC2 · postgres.d/conf.yaml · redisdb.d/conf.yaml
Verify: APM → Database Monitoring → Queries (PostgreSQL) · Infrastructure → Redis dashboard. Traces show "View in DBM" link.
PostgreSQL (RDS) · Redis (ElastiCache) · command_key

Live Process Monitoring

process_config.process_collection.enabled: true (EC2 Agent)
Verify: Infrastructure → Processes → filter by the EC2 host. Shows java, datadog-agent, and all system processes live.
EC2

FinOps / Cloud Cost

Resources intentionally oversized in CloudFormation
Verify: Infrastructure → Cloud Cost → Recommendations (appears after 48–72 h). EC2, ECS, RDS, Redis all flagged for downsizing.
EC2 t3.medium → t3.small · RDS db.t3.medium → micro
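
A drift check for the security flags listed above, as an added example that is not part of the project's scripts: it reads a container's environment and reports every flag that is absent or not set to true. The four variable names are the env-var forms given on this page; the function name missing_security_flags and the <TASK_DEF> placeholder are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report Datadog security flags that are not enabled.
# missing_security_flags is a hypothetical helper, not the project's code.

# Env-var forms of the ASM, RASP, IAST and SCA switches listed on this page.
SECURITY_FLAGS="DD_APPSEC_ENABLED DD_APPSEC_RASP_ENABLED DD_IAST_ENABLED DD_APPSEC_SCA_ENABLED"

# Reads "NAME<TAB>VALUE" or "NAME=VALUE" lines on stdin and prints each flag
# in SECURITY_FLAGS that is absent or not exactly "true".
# Returns 0 when every flag is enabled, 1 otherwise.
missing_security_flags() {
  awk -v want="$SECURITY_FLAGS" '
    BEGIN { n = split(want, flags, " ") }
    {
      # Split on whichever separator (tab or "=") comes first in the line.
      t = index($0, "\t"); e = index($0, "=")
      sep = (t > 0 && (e == 0 || t < e)) ? t : e
      if (sep > 0) seen[substr($0, 1, sep - 1)] = substr($0, sep + 1)
    }
    END {
      bad = 0
      for (i = 1; i <= n; i++)
        if (seen[flags[i]] != "true") { print flags[i]; bad = 1 }
      exit bad
    }'
}

# Typical input for an ECS service (<TASK_DEF> is a placeholder):
#   aws ecs describe-task-definition --task-definition <TASK_DEF> \
#     --query 'taskDefinition.containerDefinitions[].environment[].[name,value]' \
#     --output text | missing_security_flags
```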

Error Demos — Built-in for Datadog

Intentional errors to showcase RUM-to-APM trace correlation and cross-service error propagation.

🛒 Smart Watch Pro — Cart Limit
Add product #3 three times. The 3rd add fails with a generic frontend error. The real cause (inventory sync timeout — warehouse-api.internal:8443 unreachable) is only visible in Datadog APM traces.

🎟️ BLACKFRIDAY Coupon
Enter coupon BLACKFRIDAY in the cart. Cart calls Payment to validate — Payment returns a 500 (simulated Redis timeout). Full error chain visible in Datadog APM across both services.


Demo Coupons

Code | Effect
KELVO10 | 10% off
KELVO25 | 25% off
WELCOME5 | 5% welcome discount
FRETE | Free shipping
BLACKFRIDAY | Triggers backend 500 — use for Datadog error tracking demo

Demo login: demo@kelvo-ecomm.com / password123

FinOps — Intentional Overprovisioning

Resources are deployed oversized so Datadog Cloud Cost Recommendations flags them. Check Infrastructure → Cloud Cost after 48–72 hours.

Resource | Deployed (demo) | Right-sized (ideal) | Monthly savings
EC2 | t3.medium ~$30/mo | t3.small ~$15/mo | ~$15
ECS × 3 tasks | 512 CPU / 1024 MB ~$54/mo | 256 / 512 ~$27/mo | ~$27
RDS | db.t3.medium ~$50/mo | db.t3.micro ~$12/mo | ~$38
ElastiCache | cache.t3.small ~$25/mo | cache.t3.micro ~$12/mo | ~$13
Total | ~$159/mo | ~$66/mo | ~$93/mo (58%)