supporting cws policies_list

Author: QuentinGuillard

datadog/fwprovider/framework_provider.go

@@ -70,6 +70,7 @@ var Resources = []func() resource.Resource{
 	NewWebhookCustomVariableResource,
 	NewLogsCustomDestinationResource,
 	NewTenantBasedHandleResource,
+	NewCSMThreatsPoliciesListResource,
 	NewCSMThreatsPolicyResource,
 	NewCSMThreatsMultiPolicyAgentRuleResource,
 }

datadog/fwprovider/resource_datadog_csm_threats_multi_policies.go

@@ -0,0 +1,258 @@
+package fwprovider
+
+import (
+	"context"
+
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+
+	"github.com/terraform-providers/terraform-provider-datadog/datadog/internal/utils"
+)
+
+var (
+	_ resource.ResourceWithConfigure   = &csmThreatsPoliciesListResource{}
+	_ resource.ResourceWithImportState = &csmThreatsPoliciesListResource{}
+)
+
+type csmThreatsPoliciesListResource struct {
+	api  *datadogV2.CSMThreatsApi
+	auth context.Context
+}
+
+type csmThreatsPoliciesListModel struct {
+	ID      types.String                       `tfsdk:"id"`
+	Entries []csmThreatsPoliciesListEntryModel `tfsdk:"entries"`
+}
+
+type csmThreatsPoliciesListEntryModel struct {
+	PolicyID types.String `tfsdk:"policy_id"`
+	Name     types.String `tfsdk:"name"`
+	Priority types.Int64  `tfsdk:"priority"`
+}
+
+func NewCSMThreatsPoliciesListResource() resource.Resource {
+	return &csmThreatsPoliciesListResource{}
+}
+
+func (r *csmThreatsPoliciesListResource) Metadata(_ context.Context, request resource.MetadataRequest, response *resource.MetadataResponse) {
+	response.TypeName = "csm_threats_policies_list"
+}
+
+func (r *csmThreatsPoliciesListResource) Configure(_ context.Context, request resource.ConfigureRequest, response *resource.ConfigureResponse) {
+	providerData := request.ProviderData.(*FrameworkProvider)
+	r.api = providerData.DatadogApiInstances.GetCSMThreatsApiV2()
+	r.auth = providerData.Auth
+}
+
+func (r *csmThreatsPoliciesListResource) ImportState(ctx context.Context, request resource.ImportStateRequest, response *resource.ImportStateResponse) {
+	resource.ImportStatePassthroughID(ctx, path.Root("id"), request, response)
+}
+
+func (r *csmThreatsPoliciesListResource) Schema(_ context.Context, _ resource.SchemaRequest, response *resource.SchemaResponse) {
+	response.Schema = schema.Schema{
+		Description: "Provides a Datadog CSM Threats policies API resource.",
+		Attributes: map[string]schema.Attribute{
+			"id": utils.ResourceIDAttribute(),
+		},
+		Blocks: map[string]schema.Block{
+			"entries": schema.SetNestedBlock{
+				Description: "A set of policies that belong to this list/batch. All non-listed policies get deleted.",
+				NestedObject: schema.NestedBlockObject{
+					Attributes: map[string]schema.Attribute{
+						"policy_id": schema.StringAttribute{
+							Description: "The ID of the policy to manage (from `csm_threats_policy`).",
+							Required:    true,
+						},
+						"priority": schema.Int64Attribute{
+							Description: "The priority of the policy in this list.",
+							Required:    true,
+						},
+						"name": schema.StringAttribute{
+							Description: "Optional name. If omitted, fallback to the policy_id as name.",
+							Optional:    true,
+							Computed:    true,
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func (r *csmThreatsPoliciesListResource) Create(ctx context.Context, request resource.CreateRequest, response *resource.CreateResponse) {
+	var plan csmThreatsPoliciesListModel
+	response.Diagnostics.Append(request.Plan.Get(ctx, &plan)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	plan.ID = types.StringValue("policies_list")
+
+	updatedEntries, err := r.applyBatchPolicies(ctx, plan.Entries, &response.Diagnostics)
+	if err != nil {
+		return
+	}
+
+	plan.Entries = updatedEntries
+	response.Diagnostics.Append(response.State.Set(ctx, &plan)...)
+}
+
+func (r *csmThreatsPoliciesListResource) Read(ctx context.Context, request resource.ReadRequest, response *resource.ReadResponse) {
+	var state csmThreatsPoliciesListModel
+	response.Diagnostics.Append(request.State.Get(ctx, &state)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	if state.ID.IsUnknown() || state.ID.IsNull() || state.ID.ValueString() == "" {
+		response.State.RemoveResource(ctx)
+		return
+	}
+
+	listResponse, httpResp, err := r.api.ListCSMThreatsAgentPolicies(r.auth)
+	if err != nil {
+		if httpResp != nil && httpResp.StatusCode == 404 {
+			response.State.RemoveResource(ctx)
+			return
+		}
+		response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error while fetching agent policies"))
+		return
+	}
+
+	newEntries := make([]csmThreatsPoliciesListEntryModel, 0)
+	for _, policyData := range listResponse.GetData() {
+		policyID := policyData.GetId()
+		if policyID == "CWS_DD" {
+			continue
+		}
+		attributes := policyData.Attributes
+
+		name := attributes.GetName()
+		priorirty := attributes.GetPriority()
+
+		entry := csmThreatsPoliciesListEntryModel{
+			PolicyID: types.StringValue(policyID),
+			Name:     types.StringValue(name),
+			Priority: types.Int64Value(int64(priorirty)),
+		}
+		newEntries = append(newEntries, entry)
+	}
+
+	state.Entries = newEntries
+	response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *csmThreatsPoliciesListResource) Update(ctx context.Context, request resource.UpdateRequest, response *resource.UpdateResponse) {
+	var plan csmThreatsPoliciesListModel
+	response.Diagnostics.Append(request.Plan.Get(ctx, &plan)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	updatedEntries, err := r.applyBatchPolicies(ctx, plan.Entries, &response.Diagnostics)
+	if err != nil {
+		return
+	}
+
+	plan.Entries = updatedEntries
+	response.Diagnostics.Append(response.State.Set(ctx, &plan)...)
+}
+
+func (r *csmThreatsPoliciesListResource) Delete(ctx context.Context, request resource.DeleteRequest, response *resource.DeleteResponse) {
+	_, err := r.applyBatchPolicies(ctx, []csmThreatsPoliciesListEntryModel{}, &response.Diagnostics)
+	if err != nil {
+		return
+	}
+	response.State.RemoveResource(ctx)
+}
+
+func (r *csmThreatsPoliciesListResource) applyBatchPolicies(ctx context.Context, entries []csmThreatsPoliciesListEntryModel, diags *diag.Diagnostics) ([]csmThreatsPoliciesListEntryModel, error) {
+	listResp, httpResp, err := r.api.ListCSMThreatsAgentPolicies(r.auth)
+	if err != nil {
+		if httpResp != nil && httpResp.StatusCode == 404 {
+			diags.Append(utils.FrameworkErrorDiag(err, "error while fetching agent policies"))
+			return nil, err
+		}
+	}
+
+	existingPolicies := make(map[string]struct{})
+	for _, policy := range listResp.GetData() {
+		if policy.GetId() == "CWS_DD" {
+			continue
+		}
+		existingPolicies[policy.GetId()] = struct{}{}
+	}
+
+	var batchItems []datadogV2.CloudWorkloadSecurityAgentPolicyBatchUpdateAttributesPoliciesItems
+
+	for i := range entries {
+		policyID := entries[i].PolicyID.ValueString()
+		name := entries[i].Name.ValueString()
+
+		if name == "" {
+			name = policyID
+			entries[i].Name = types.StringValue(name)
+		}
+		priority := entries[i].Priority.ValueInt64()
+
+		item := datadogV2.CloudWorkloadSecurityAgentPolicyBatchUpdateAttributesPoliciesItems{
+			Id:       &policyID,
+			Name:     &name,
+			Priority: &priority,
+		}
+
+		batchItems = append(batchItems, item)
+		delete(existingPolicies, policyID)
+	}
+
+	for policyID := range existingPolicies {
+		DeleteTrue := true
+		item := datadogV2.CloudWorkloadSecurityAgentPolicyBatchUpdateAttributesPoliciesItems{
+			Id:     &policyID,
+			Delete: &DeleteTrue,
+		}
+		batchItems = append(batchItems, item)
+	}
+
+	patchID := "batch_update_req"
+	typ := datadogV2.CLOUDWORKLOADSECURITYAGENTPOLICYBATCHUPDATEDATATYPE_POLICIES
+	attributes := datadogV2.NewCloudWorkloadSecurityAgentPolicyBatchUpdateAttributes()
+	attributes.SetPolicies(batchItems)
+	data := datadogV2.NewCloudWorkloadSecurityAgentPolicyBatchUpdateData(*attributes, patchID, typ)
+	batchReq := datadogV2.NewCloudWorkloadSecurityAgentPolicyBatchUpdateRequest(*data)
+
+	response, _, err := r.api.BatchUpdateCSMThreatsAgentPolicy(
+		r.auth,
+		*batchReq,
+	)
+	if err != nil {
+		diags.Append(utils.FrameworkErrorDiag(err, "error while applying batch policies"))
+		return nil, err
+	}
+
+	finalEntries := make([]csmThreatsPoliciesListEntryModel, 0)
+	for _, policy := range response.GetData() {
+		policyID := policy.GetId()
+		attributes := policy.Attributes
+
+		name := ""
+		if attributes.GetName() == "" {
+			name = policyID
+		}
+		name = attributes.GetName()
+		priority := attributes.GetPriority()
+
+		entry := csmThreatsPoliciesListEntryModel{
+			PolicyID: types.StringValue(policyID),
+			Name:     types.StringValue(name),
+			Priority: types.Int64Value(int64(priority)),
+		}
+		finalEntries = append(finalEntries, entry)
+	}
+
+	return finalEntries, nil
+}

datadog/fwprovider/resource_datadog_csm_threats_policy.go

@@ -3,6 +3,7 @@ package fwprovider
 import (
 	"context"
 	"fmt"
+	mathrand "math/rand"
 
 	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
 	"github.com/hashicorp/terraform-plugin-framework/path"
@@ -47,7 +48,7 @@ func (r *csmThreatsPolicyResource) Schema(_ context.Context, _ resource.SchemaRe
 		Attributes: map[string]schema.Attribute{
 			"id": utils.ResourceIDAttribute(),
 			"name": schema.StringAttribute{
-				Required:    true,
+				Computed:    true,
 				Description: "The name of the policy.",
 			},
 			"description": schema.StringAttribute{
@@ -182,13 +183,13 @@ func (r *csmThreatsPolicyResource) Delete(ctx context.Context, request resource.
 }
 
 func (r *csmThreatsPolicyResource) buildCreateCSMThreatsPolicyPayload(state *csmThreatsPolicyModel) (*datadogV2.CloudWorkloadSecurityAgentPolicyCreateRequest, error) {
-	_, name, description, enabled, tags, err := r.extractPolicyAttributesFromResource(state)
+	_, description, enabled, tags, err := r.extractPolicyAttributesFromResource(state)
 	if err != nil {
 		return nil, err
 	}
 
 	attributes := datadogV2.CloudWorkloadSecurityAgentPolicyCreateAttributes{}
-	attributes.Name = name
+	attributes.Name = fmt.Sprintf("policy-%d", mathrand.Intn(1000))
 	attributes.Description = description
 	attributes.Enabled = enabled
 	attributes.HostTags = tags
@@ -198,12 +199,11 @@ func (r *csmThreatsPolicyResource) buildCreateCSMThreatsPolicyPayload(state *csm
 }
 
 func (r *csmThreatsPolicyResource) buildUpdateCSMThreatsPolicyPayload(state *csmThreatsPolicyModel) (*datadogV2.CloudWorkloadSecurityAgentPolicyUpdateRequest, error) {
-	policyId, name, description, enabled, tags, err := r.extractPolicyAttributesFromResource(state)
+	policyId, description, enabled, tags, err := r.extractPolicyAttributesFromResource(state)
 	if err != nil {
 		return nil, err
 	}
 	attributes := datadogV2.CloudWorkloadSecurityAgentPolicyUpdateAttributes{}
-	attributes.Name = &name
 	attributes.Description = description
 	attributes.Enabled = enabled
 	attributes.HostTags = tags
@@ -213,24 +213,23 @@ func (r *csmThreatsPolicyResource) buildUpdateCSMThreatsPolicyPayload(state *csm
 	return datadogV2.NewCloudWorkloadSecurityAgentPolicyUpdateRequest(*data), nil
 }
 
-func (r *csmThreatsPolicyResource) extractPolicyAttributesFromResource(state *csmThreatsPolicyModel) (string, string, *string, *bool, []string, error) {
+func (r *csmThreatsPolicyResource) extractPolicyAttributesFromResource(state *csmThreatsPolicyModel) (string, *string, *bool, []string, error) {
 	// Mandatory fields
 	id := state.Id.ValueString()
-	name := state.Name.ValueString()
 	enabled := state.Enabled.ValueBoolPointer()
 	description := state.Description.ValueStringPointer()
 	var tags []string
 	if !state.Tags.IsNull() && !state.Tags.IsUnknown() {
 		for _, tag := range state.Tags.Elements() {
 			tagStr, ok := tag.(types.String)
 			if !ok {
-				return "", "", nil, nil, nil, fmt.Errorf("expected item to be of type types.String, got %T", tag)
+				return "", nil, nil, nil, fmt.Errorf("expected item to be of type types.String, got %T", tag)
 			}
 			tags = append(tags, tagStr.ValueString())
 		}
 	}
 
-	return id, name, description, enabled, tags, nil
+	return id, description, enabled, tags, nil
 }
 
 func (r *csmThreatsPolicyResource) updateStateFromResponse(ctx context.Context, state *csmThreatsPolicyModel, res *datadogV2.CloudWorkloadSecurityAgentPolicyResponse) {

docs/resources/csm_threats_policies_list.md

@@ -0,0 +1,36 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "datadog_csm_threats_policies_list Resource - terraform-provider-datadog"
+subcategory: ""
+description: |-
+  Provides a Datadog CSM Threats policies API resource.
+---
+
+# datadog_csm_threats_policies_list (Resource)
+
+Provides a Datadog CSM Threats policies API resource.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `entries` (Block Set) A set of policies that belong to this list/batch. All non-listed policies get deleted. (see [below for nested schema](#nestedblock--entries))
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--entries"></a>
+### Nested Schema for `entries`
+
+Required:
+
+- `policy_id` (String) The ID of the policy to manage (from `csm_threats_policy`).
+- `priority` (Number) The priority of the policy in this list.
+
+Optional:
+
+- `name` (String) Optional name. If omitted, fallback to the policy_id as name.

docs/resources/csm_threats_policy.md

@@ -15,10 +15,6 @@ Provides a Datadog CSM Threats policy API resource.
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
-### Required
-
-- `name` (String) The name of the policy.
-
 ### Optional
 
 - `description` (String) A description for the policy.
@@ -28,3 +24,4 @@ Provides a Datadog CSM Threats policy API resource.
 ### Read-Only
 
 - `id` (String) The ID of this resource.
+- `name` (String) The name of the policy.

go.mod

@@ -97,3 +97,4 @@ require (
 )
 
 go 1.23
+replace github.com/DataDog/datadog-api-client-go/v2 v2.34.1-0.20241226155556-e60f30b0e84e => ../datadog-api-spec/generated/datadog-api-client-go