Skip to content

[datadog_csm_threats] supporting cws multi-policy in terraform #2681

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: master
Choose a base branch
from
Open

[datadog_csm_threats] supporting cws multi-policy in terraform #2681

wants to merge 15 commits into from

Conversation

homoeconomics
Copy link

@homoeconomics homoeconomics commented Nov 15, 2024
edited by QuentinGuillard
Loading

Adding new resources and data sources to support the CWS multi-policy feature.

  1. Updated the data source and resource datadog_csm_threats_agent_rule for users to manage their rules
  2. Added a new data source resource datadog_csm_threats_policy for users to manage their policies.
  • Create a policy resource:
resource "datadog_csm_threats_policy" "my_policy" {
    description  = "my terraform policy"
    enabled      = false
    name         = "TERRAFORM POLICY"
    tags         = ["env:staging"]
}
  • Create a multi policy agent rule resource:
resource "datadog_csm_threats_agent_rule" "my_rule" {
    description  = "my terraform rule"
    enabled      = false
    expression   = "bind.addr.ip==1.1.1.1"
    name         = "TERRAFORM_RULE"
    policy_id    = datadog_csm_threats_policy.my_policy.id
    product_tags = ["foo:bar"]
}

@homoeconomics homoeconomics force-pushed the daniel.zhou/CWS-3394-tf-provider branch from 6322019 to 5da3fb7 Compare November 15, 2024 20:48
datadog-datadog-prod-us1[bot]
datadog-datadog-prod-us1 bot reviewed Jan 30, 2025
View reviewed changes
homoeconomics
homoeconomics commented Jan 31, 2025
View reviewed changes
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch 2 times, most recently from bf4b1af to 4c19fd8 Compare February 14, 2025 13:25
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch from a390790 to 6fc7905 Compare February 27, 2025 13:04
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch 2 times, most recently from f715a3a to 595f718 Compare February 28, 2025 16:56
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch 2 times, most recently from 8c3f3f3 to 1d306ae Compare March 28, 2025 15:36
homoeconomics
homoeconomics commented Apr 1, 2025
View reviewed changes
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch from 2c6ae21 to 37ea69b Compare April 3, 2025 12:09
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch 2 times, most recently from a8a6b1c to fdbc105 Compare May 13, 2025 13:58
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch from fdbc105 to 3f0069d Compare May 15, 2025 07:35
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch from 84f08b8 to b528f99 Compare May 15, 2025 08:25
@QuentinGuillard QuentinGuillard marked this pull request as ready for review May 15, 2025 08:56
@QuentinGuillard QuentinGuillard requested review from a team as code owners May 15, 2025 08:56
@QuentinGuillard QuentinGuillard changed the title supporting cws multi-policy in terraform [CWS - Workload Protection] supporting cws multi-policy in terraform May 15, 2025
@QuentinGuillard QuentinGuillard changed the title [CWS - Workload Protection] supporting cws multi-policy in terraform [CWS] supporting cws multi-policy in terraform May 15, 2025
@QuentinGuillard QuentinGuillard changed the title [CWS] supporting cws multi-policy in terraform [datadog_csm_threats] supporting cws multi-policy in terraform May 15, 2025
homoeconomics
homoeconomics commented May 21, 2025
View reviewed changes
datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go Outdated
@@ -51,44 +61,113 @@ func (r *csmThreatsAgentRulesDataSource) Read(ctx context.Context, request datas
return
}

res, _, err := r.api.ListCSMThreatsAgentRules(r.auth)
// Fetch CWS rules (without policy_id), using /security_monitoring/cloud_workload_security/agent_rules path
cwsRules, _, err := r.api.ListCloudWorkloadSecurityAgentRules(r.auth)
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems there was a misunderstanding. I was suggesting that we use this data source to handle only rules from RC (by calling ListCSMThreatsAgentRules) and we let data_source_datadog_cloud_workload_security_agent_rules handle rules from Mongo.

I don't see why we need to merge rules from Mongo and RC.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my bad, I moved multi_policy_agent_rules to agent_rules and readded cloud_workload_security_agent_rules

@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch 3 times, most recently from 6fbce23 to 2481912 Compare May 22, 2025 08:55
@QuentinGuillard QuentinGuillard force-pushed the daniel.zhou/CWS-3394-tf-provider branch from 2481912 to cf16019 Compare May 22, 2025 08:56
homoeconomics
homoeconomics commented May 22, 2025
View reviewed changes
datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go
r.api = providerData.DatadogApiInstances.GetCSMThreatsApiV2()
r.auth = providerData.Auth
}

func (*csmThreatsAgentRulesDataSource) Metadata(_ context.Context, _ datasource.MetadataRequest, response *datasource.MetadataResponse) {
func (r *csmThreatsAgentRulesDataSource) Metadata(_ context.Context, request datasource.MetadataRequest, response *datasource.MetadataResponse) {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: maybe you don't need this change?

datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
@@ -93,9 +111,6 @@ func (r *csmThreatsAgentRuleResource) Create(ctx context.Context, request resour
return
}

csmThreatsMutex.Lock()
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this deleted? I thought we need this to prevent terraform from creating multiple rules simultaneously.

docs/resources/csm_threats_agent_rule.md
@@ -29,10 +29,12 @@ resource "datadog_csm_threats_agent_rule" "my_agent_rule" {
- `enabled` (Boolean) Indicates Whether the Agent rule is enabled.
- `expression` (String) The SECL expression of the Agent rule
- `name` (String) The name of the Agent rule.
- `policy_id` (String) The ID of the agent policy in which the rule is saved
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also update the Import section below? I think we should support both of these.

terraform import datadog_csm_threats_agent_rule.my_agent_rule <policy ID>:<rule ID>

terraform import datadog_csm_threats_agent_rule.my_agent_rule <rule ID>

datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
resource.ImportStatePassthroughID(ctx, path.Root("id"), request, response)
result := strings.SplitN(request.ID, ":", 2)
if len(result) != 2 {
response.Diagnostics.AddError("error retrieving policy_id or rule_id from given ID", "")
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if it's possible to make it backward compatible. When this happens, instead of throwing an error, we just assume that it's a rule ID and the policy ID is not provided.

datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
@@ -123,7 +138,8 @@ func (r *csmThreatsAgentRuleResource) Read(ctx context.Context, request resource
}

agentRuleId := state.Id.ValueString()
res, httpResponse, err := r.api.GetCSMThreatsAgentRule(r.auth, agentRuleId)
policyId := state.PolicyId.ValueString()
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible that the policyId is not in the state? Can we not set it in the request if that's the case?

datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
// Mandatory fields
id := state.Id.ValueString()
policyId := state.PolicyId.ValueString()
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's not return an empty string if it's not there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@datadog-datadog-prod-us1 datadog-datadog-prod-us1[bot] datadog-datadog-prod-us1[bot] left review comments

@QuentinGuillard QuentinGuillard QuentinGuillard left review comments

@clachner clachner clachner approved these changes

@urseberry urseberry urseberry approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
changelog/feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@homoeconomics @clachner @urseberry @QuentinGuillard @laurerunser