Skip to content

[K9VULN-10951] feat(agentless-gcp): add destroy command, multi-region support and security hardening#120

Merged
mohamed-challal merged 22 commits into
mainfrom
mohamed.challal/improve-agentless-gcp-cloud-shell-wizard
Jan 23, 2026
Merged

[K9VULN-10951] feat(agentless-gcp): add destroy command, multi-region support and security hardening#120
mohamed-challal merged 22 commits into
mainfrom
mohamed.challal/improve-agentless-gcp-cloud-shell-wizard

Conversation

@mohamed-challal
Copy link
Copy Markdown
Contributor

@mohamed-challal mohamed-challal commented Jan 15, 2026
edited
Loading

Summary

This PR adds several improvements to the agentless GCP Cloud Shell setup wizard: CLI verbs, destroy command, multi-region support, security hardening, and performance optimizations.

All the details of the initiative are available in this RFC.

Changes

CLI Commands

  • Added deploy / destroy / help verbs for better UX and future extensibility
  • Implemented destroy command with interactive cleanup prompts (API key secret deletion)

Multi-Region Support

  • SCANNER_REGIONS now accepts comma-separated list (max 4 regions)
  • Deploys VPC and scanner in each specified region
  • Shortened VPC names to dd-agentless-{region} to avoid GCP 63-char limit

Security Hardening

  • GCS state bucket: Added public access prevention (--pap), regional storage and versioning
  • Secret Manager: API key now stored in Secret Manager to remove it from the TF state

Performance

  • Parallelized project access checks and API enablement (10 workers)
  • Added TERRAFORM_PARALLELISM = 10 constant
  • API key validation: Fail early if API key is invalid
  • Incremental build in build.sh (skips rebuild if no source changes)
  • Display progress bar for terraform apply

Commands & Environment Variables (updated)

Variable Description
SCANNER_REGIONS Comma-separated list of regions (was GCP_REGION)
TF_STATE_BUCKET Renamed (was GCP_STATE_BUCKET)
SCANNER_PROJECT Renamed (was GCP_SCANNER_PROJECT)
PROJECTS_TO_SCAN Renamed (was GCP_PROJECTS_TO_SCAN)

Deploy

curl -sSL "https://raw.githubusercontent.com/DataDog/integrations-management/main/gcp/agentless/dist/gcp_agentless_setup.pyz" -o gcp_agentless_setup.pyz && DD_API_KEY="xxx" DD_APP_KEY="xxx" DD_SITE="datadoghq.com" SCANNER_PROJECT="my-project" SCANNER_REGIONS="us-central1" PROJECTS_TO_SCAN="my-project" python3 gcp_agentless_setup.pyz deploy

Destroy

python3 gcp_agentless_setup.pyz destroy

Next Steps

  • Integrate with Status Workflow API to track deployment progress and enable UI polling for completion status

@mohamed-challal
perf(agentless-gcp): check accesses and enable apis in parallel
0f5bedc
@mohamed-challal
perf(agentless-gcp): parallelize terraform apply
fa08a71
@mohamed-challal
secure(agentless-gcp): store API key in Secret Manager instead of Ter…
ce11a56 
…raform state
@mohamed-challal
secure(agentless-gcp): add regional storage and public access prevent…
94b63b7 
…ion to the tf context gcs bucket
@mohamed-challal
refactor(agentless-gcp)!: rename wizard parameters
c0a1368
@mohamed-challal
feat(agentless-gcp)!: implement scanner multi-region deployment support
f74307d
@mohamed-challal
feat(agentless-gcp): fail fast if api key is invalid
c10773d
@mohamed-challal
feat(agentless-gcp): add a progress bar for terraform apply
558d18a
@mohamed-challal
style(agentless-gcp): display tf apply details in gray
ca96474
@mohamed-challal
feat(agentless-gcp)!: add a verb to the command line
74cb532
@mohamed-challal
style(agentless-gcp): add some logs to build.sh
a856591
@mohamed-challal
style(agentless-gcp): display more details about the api key secret l…
a772344 
…ocation
@mohamed-challal
fix(agentless-gcp): fix tf apply progress logging
1a43497
@mohamed-challal
fix(agentless-gcp): fix secret version lising command
36d7778
@mohamed-challal
fix(agentless-gcp): shorten vpc names
4a74382
@mohamed-challal
feat(agentless-gcp): support agentless destroy command
2c886de
@mohamed-challal
build(agentless-gcp): rebuild agentless dist script
5bc535c
@mohamed-challal
fix(agentless-gcp): fix bucket creation command flags
009131a
@mohamed-challal mohamed-challal self-assigned this Jan 15, 2026
@mohamed-challal mohamed-challal requested a review from a team as a code owner January 15, 2026 22:31
@mohamed-challal mohamed-challal requested review from mvhdd and removed request for a team January 15, 2026 22:31
@mohamed-challal mohamed-challal changed the title feat(agentless-gcp): improve agentless gcp cloud shell wizard [K9VULN-10951] feat(agentless-gcp): improve agentless gcp cloud shell wizard Jan 15, 2026
@mohamed-challal mohamed-challal changed the title [K9VULN-10951] feat(agentless-gcp): improve agentless gcp cloud shell wizard [K9VULN-10951] feat(agentless-gcp): add destroy command, multi-region support and security hardening Jan 15, 2026
diogocp
diogocp approved these changes Jan 19, 2026
View reviewed changes
Comment thread gcp/agentless/src/gcp_agentless_setup/secrets.py Outdated
Comment thread gcp/agentless/src/gcp_agentless_setup/progress.py
Comment thread gcp/agentless/src/gcp_agentless_setup/shell.py Outdated
@mohamed-challal mohamed-challal force-pushed the mohamed.challal/improve-agentless-gcp-cloud-shell-wizard branch from 37bf471 to c765801 Compare January 21, 2026 22:56
tedkahwaji
tedkahwaji approved these changes Jan 22, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@tedkahwaji tedkahwaji left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes under gcp/shared LGTM 👍

@mohamed-challal
Copy link
Copy Markdown
Contributor Author

mohamed-challal commented Jan 23, 2026

/merge

@gh-worker-devflow-routing-ef8351
Copy link
Copy Markdown

gh-worker-devflow-routing-ef8351 Bot commented Jan 23, 2026
edited
Loading

View all feedbacks in Devflow UI.

2026-01-23 13:57:46 UTC ℹ️ Start processing command /merge

2026-01-23 13:57:52 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 0s (p90).

2026-01-23 14:44:58 UTC ℹ️ MergeQueue: Retrying because an high priority merge request needed to be processed first. No action is needed from your side.

2026-01-23 14:45:05 UTC ⚠️ MergeQueue: This merge request build was cancelled

mohamed.challal@datadoghq.com cancelled this merge request build

@mohamed-challal
Copy link
Copy Markdown
Contributor Author

mohamed-challal commented Jan 23, 2026

/remove

@gh-worker-devflow-routing-ef8351
Copy link
Copy Markdown

gh-worker-devflow-routing-ef8351 Bot commented Jan 23, 2026
edited
Loading

View all feedbacks in Devflow UI.

2026-01-23 14:44:41 UTC ℹ️ Start processing command /remove

2026-01-23 14:45:02 UTC ℹ️ Devflow: /remove

@mohamed-challal mohamed-challal merged commit b288d79 into main Jan 23, 2026
1 of 2 checks passed
@mohamed-challal mohamed-challal deleted the mohamed.challal/improve-agentless-gcp-cloud-shell-wizard branch January 23, 2026 14:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@diogocp diogocp diogocp approved these changes

@tedkahwaji tedkahwaji tedkahwaji approved these changes

@mvhdd mvhdd Awaiting requested review from mvhdd mvhdd is a code owner automatically assigned from DataDog/gcp-integrations

Assignees

@mohamed-challal mohamed-challal

Labels

gcp-integrations mergequeue-status: removed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mohamed-challal @diogocp @tedkahwaji