fix(roles): guard built-in Datadog roles from create and update#562
Merged
The 3 built-in Datadog roles (Admin, Read Only, Standard) cannot be created, updated, or deleted via the API. Only delete was being guarded with a SkipResource check; create and update would still attempt the request and fail. Add the same name-based guard to create_resource and update_resource so all three operations short-circuit cleanly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cover all 3 built-in role names across create, update, and delete with parametrized SkipResource assertions, plus green/green cases confirming non-built-in role names proceed through to the destination client. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
heyronhay approved these changes (May 13, 2026)
Summary
The 3 built-in Datadog roles (`Datadog Admin Role`, `Datadog Read Only Role`, `Datadog Standard Role`) cannot be created, updated, or deleted via the API. Previously only `delete_resource` raised `SkipResource` for these names; `create_resource` and `update_resource` would still attempt the request and fail (the existing `managed` attribute check only short-circuited when the destination role happened to carry it).

This PR adds name-based `BUILTIN_ROLE_NAMES` guards across all three CRUD paths in `datadog_sync/model/roles.py`:

- `delete_resource` — unchanged; existing guard still raises `SkipResource`.
- `update_resource` — raises `SkipResource` at the top. Safe because the handler only invokes update when state mapping already exists (see `resources_handler.py:247`), so skipping preserves the existing mapping.
- `create_resource` — does not unconditionally skip. Built-in roles always exist at the destination, and dependent resources (users, restriction policies, authn mappings, etc.) resolve role IDs via `state.destination["roles"][source_id]`. Skipping outright would break those dependents. Instead:
  - `SkipResource` only if the built-in is somehow not present at the destination (defensive).

Test plan

- `tox -e ruff,black` clean
- `tox -e py313 -- tests/unit/test_roles.py` — 14/14 pass
- `test_roles` contain zero POST/PATCH/DELETE; the two update-related integration tests are already `@pytest.mark.skip` (RBAC disabled in test org), so no integration impact
- `test_create_maps_existing_builtin_role_without_api_call` exercises the load-bearing case: state mapping is recorded via `_create_resource`, `post`/`patch` never awaited

🤖 Generated with Claude Code
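The guard behaviour the summary describes, as an added, self-contained Python sketch (not code from datadog-sync-cli): `SkipResource`, `BUILTIN_ROLE_NAMES` and `state["roles"][source_id]` follow the names quoted in the PR, while the `FakeDestinationClient`, the plain-dict state and the `Roles` handler are hypothetical stand-ins, and the `/api/v2/roles` paths are illustrative. Update and delete short-circuit on the built-in names; create looks the built-in up at the destination and records the mapping without any write, raising `SkipResource` only when the built-in is missing.

```python
# Added example, not the project's code. Names from the PR text are reused;
# the client, state and handler shown here are hypothetical stand-ins.
import asyncio
from typing import Any

BUILTIN_ROLE_NAMES = frozenset({
    "Datadog Admin Role",
    "Datadog Read Only Role",
    "Datadog Standard Role",
})


class SkipResource(Exception):
    """Raised to short-circuit an operation the destination cannot perform."""


class FakeDestinationClient:
    """Constructed stand-in for the destination API client; records every write."""

    def __init__(self, existing_roles: dict[str, str]) -> None:
        self.roles = dict(existing_roles)            # dest_id -> role name (constructed)
        self.calls: list[tuple[str, str]] = []       # (method, path) of each write

    async def list_roles(self) -> list[dict[str, Any]]:
        return [{"id": rid, "attributes": {"name": n}} for rid, n in self.roles.items()]

    async def post(self, path: str, body: dict[str, Any]) -> dict[str, Any]:
        self.calls.append(("POST", path))
        new_id = f"dest-{len(self.roles) + 1}"
        self.roles[new_id] = body["attributes"]["name"]
        return {"id": new_id, "attributes": dict(body["attributes"])}

    async def patch(self, path: str, body: dict[str, Any]) -> dict[str, Any]:
        self.calls.append(("PATCH", path))
        return {"id": path.rsplit("/", 1)[-1], "attributes": dict(body["attributes"])}

    async def delete(self, path: str) -> None:
        self.calls.append(("DELETE", path))
        self.roles.pop(path.rsplit("/", 1)[-1], None)


class Roles:
    """Hypothetical resource handler with the name guard on all three CRUD paths."""

    def __init__(self, client: FakeDestinationClient, state: dict[str, dict[str, Any]]) -> None:
        self.client = client
        self.state = state  # state["roles"][source_id] -> destination resource

    async def _find_builtin(self, name: str):
        for role_ in await self.client.list_roles():
            if role_["attributes"]["name"] == name:
                return role_
        return None

    async def create_resource(self, source_id: str, resource: dict[str, Any]) -> dict[str, Any]:
        name = resource["attributes"]["name"]
        if name in BUILTIN_ROLE_NAMES:
            # Built-ins already exist at the destination: record the mapping so
            # dependents can resolve the role ID, but never issue a POST.
            existing = await self._find_builtin(name)
            if existing is None:  # defensive: nothing to map to
                raise SkipResource(f"built-in role {name!r} missing at destination")
            self.state["roles"][source_id] = existing
            return existing
        created = await self.client.post("/api/v2/roles", resource)
        self.state["roles"][source_id] = created
        return created

    async def update_resource(self, source_id: str, resource: dict[str, Any]) -> dict[str, Any]:
        if resource["attributes"]["name"] in BUILTIN_ROLE_NAMES:
            raise SkipResource("built-in roles cannot be updated")  # mapping kept as-is
        dest_id = self.state["roles"][source_id]["id"]
        updated = await self.client.patch(f"/api/v2/roles/{dest_id}", resource)
        self.state["roles"][source_id] = updated
        return updated

    async def delete_resource(self, source_id: str, resource: dict[str, Any]) -> None:
        if resource["attributes"]["name"] in BUILTIN_ROLE_NAMES:
            raise SkipResource("built-in roles cannot be deleted")
        dest_id = self.state["roles"][source_id]["id"]
        await self.client.delete(f"/api/v2/roles/{dest_id}")
        del self.state["roles"][source_id]


def role(name: str) -> dict[str, Any]:
    return {"type": "roles", "attributes": {"name": name}}


async def _run() -> dict[str, Any]:
    # Constructed destination that already carries the three built-ins.
    client = FakeDestinationClient({"d-admin": "Datadog Admin Role",
                                    "d-ro": "Datadog Read Only Role",
                                    "d-std": "Datadog Standard Role"})
    state: dict[str, dict[str, Any]] = {"roles": {}}
    handler = Roles(client, state)
    skipped: list[str] = []
    await handler.create_resource("s1", role("Datadog Admin Role"))  # mapped, no POST
    await handler.create_resource("s2", role("SRE On-Call"))         # custom role: POST
    for op in (handler.update_resource, handler.delete_resource):
        try:
            await op("s1", role("Datadog Admin Role"))
        except SkipResource:
            skipped.append(op.__name__)
    await handler.update_resource("s2", role("SRE On-Call"))         # custom role: PATCH
    return {"mapped": {k: v["id"] for k, v in state["roles"].items()},
            "calls": client.calls, "skipped": skipped}


def run_demo() -> dict[str, Any]:
    return asyncio.run(_run())


def missing_builtin_is_skipped() -> bool:
    """Defensive path: a built-in absent at the destination raises SkipResource."""
    async def attempt() -> bool:
        handler = Roles(FakeDestinationClient({}), {"roles": {}})
        try:
            await handler.create_resource("s1", role("Datadog Admin Role"))
        except SkipResource:
            return True
        return False
    return asyncio.run(attempt())


if __name__ == "__main__":
    print(run_demo(), missing_builtin_is_skipped())
```

The point to check when reviewing a guard like this is the recorded write list: after the run above the only writes are one `POST` and one `PATCH`, both for the custom role, while the built-in role still ends up mapped to its destination ID so that users, restriction policies and authn mappings can resolve it.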