[datadog_compliance_custom_framework] Terraform Provider for Custom Frameworks #2975

nkonjeti · 2025-04-16T22:27:54Z

Motivation:

We wanted a terraform provider to interact with our Custom Framework APIs. The terraform resources will remain as the source of truth so whenever a resource is updated/created/deleted this will be reflected in the database and UI.

Testing

I built the Terrraform provider locally.

Tested the following:

Creating

Updating

Deleting/Destroying

Changing order of rules

no changes in state so no action taken

Terraform Provider Immutable Fields (Handle And Version)

if handle or version is changed in a framework this will delete the old framework and create a new one with the new handle and version

in this example, updating the version to 2 deleted the old framework (version 1) and created a new framework with version 2

in this example updating the handle and version deleted the old framework with the old handle and version, and created a new framework with the new handle and version

Testing Large Input
Created this Framework: https://dd.datad0g.com/security/compliance/home/custom/my-custom-framework-terraform-3/3.0.0?previousUrl=%2Fsecurity%2Fcompliance%2Fhome&timestamp=1747948011353&live=true
one control with over 200 rule ids (seconds to complete)

Commands:

cd examples/resources/datadog_custom_framework 
terraform init
terraform plan -var="datadog_api_key=<>" -var="datadog_app_key=<>"
terraform apply

also added unit tests!

datadog/tests/resource_datadog_custom_framework_test.go

docs/resources/custom_framework.md

datadog/fwprovider/resource_datadog_custom_framework.go

datadog/internal/validators/duplicate_control_validator.go

datadog/internal/validators/duplicate_requirement_validator.go

examples/resources/datadog_compliance_custom_framework/resource.tf

datadog/fwprovider/resource_datadog_compliance_custom_framework.go

This reverts commit 367c92c.

Matzoc · 2025-05-23T15:57:09Z

datadog/fwprovider/resource_datadog_compliance_custom_framework.go

+	apiReqMap := make(map[string]datadogV2.CustomFrameworkRequirement)
+	apiCtrlMap := make(map[string]map[string]datadogV2.CustomFrameworkControl)
+
+	for _, req := range data.GetData().Attributes.Requirements {


NIT: this is very hard to read in github, could we extract some of the inner loops to their own methods so its more digestible? It also would make it easier to read in the editor

Matzoc · 2025-05-23T16:00:13Z

datadog/internal/validators/duplicate_requirement_validator.go

+	return v.Description(ctx)
+}
+
+func (v requirementNameValidator) ValidateList(ctx context.Context, req validator.ListRequest, resp *validator.ListResponse) {


Is there a specific reason why we need two validators? the code looks pretty similar between these two (I am probably missing something)

nkonjeti requested review from a team as code owners April 16, 2025 22:27

nkonjeti changed the title ~~provider for custom frameworks~~ Terraform Provider for Custom Frameworks Apr 24, 2025

nkonjeti force-pushed the neha.konjeti/framework-provider branch from ccaf302 to f8a90fe Compare April 25, 2025 18:59

nkonjeti added the changelog/no-changelog label Apr 25, 2025

nkonjeti marked this pull request as draft April 25, 2025 20:34

nkonjeti commented Apr 30, 2025

View reviewed changes

datadog/tests/resource_datadog_custom_framework_test.go Outdated Show resolved Hide resolved

nkonjeti changed the title ~~Terraform Provider for Custom Frameworks~~ [K9VULN-4477]: Terraform Provider for Custom Frameworks Apr 30, 2025

nkonjeti marked this pull request as ready for review May 1, 2025 21:14

nkonjeti requested a review from a team as a code owner May 1, 2025 21:14

brett0000FF approved these changes May 1, 2025

View reviewed changes

nkonjeti changed the title ~~[K9VULN-4477]: Terraform Provider for Custom Frameworks~~ Terraform Provider for Custom Frameworks May 2, 2025

nkonjeti commented May 5, 2025

View reviewed changes

docs/resources/custom_framework.md Outdated Show resolved Hide resolved