
[K9VULN-12480] feat: Azure Agentless Scanner - Cloud Shell wizard scaffolding & preflight (Step 1)#152

Merged: mohamed-challal merged 13 commits into main from mohamed.challal/agentless-azure-cloud-shell-scaffolding on Mar 17, 2026

Conversation

@mohamed-challal
Contributor

What does this PR do?

Adds the initial scaffolding for an Azure Cloud Shell wizard that will deploy the Agentless Scanner infrastructure via Terraform, mirroring the existing GCP implementation in gcp/agentless/.
This PR implements Step 1 (Preflight Checks) end-to-end, with the remaining 5 steps stubbed out for follow-up PRs.

Why?

The current Azure agentless setup relies on ARM templates and per-subscription manual configuration. This Cloud Shell wizard will provide a streamlined, end-to-end setup experience (target: P95 < 5 minutes) with:

  • Cross-subscription deployment from a single command
  • Multi-region scanner support
  • Real-time progress reporting to the Datadog UI via the workflow status API
  • Key Vault–based API key storage (upcoming steps)

Related

  • GCP equivalent: gcp/agentless/ link
  • Azure TF module: DataDog/terraform-module-datadog-agentless-scanner/azure/ link
  • Agentless Cloud Shell RFC: link

What's included

| File | Purpose |
| --- | --- |
| config.py | Parses env vars (DD_API_KEY, DD_SITE, SCANNER_SUBSCRIPTION, SCANNER_LOCATIONS, SUBSCRIPTIONS_TO_SCAN, etc.) into a typed Config dataclass with validation |
| errors.py | Azure-specific exception hierarchy (SetupError, AzureAuthenticationError, AzureAccessError, ResourceProviderError, KeyVaultError, TerraformError, etc.) |
| shell.py | Shell utilities: run_command(), az_cli() with JSON parsing, az_cli_checked() |
| requests.py | HTTP client with retry/backoff for Datadog API calls (stdlib only, no external deps) |
| console_reporter.py | Console output formatting with step progress and unicode indicators |
| reporter.py | Composite reporter: console + Datadog workflow status API (/api/unstable/integration/azure/workflow/azure-agentless-setup) |
| preflight.py | Step 1 fully implemented: Azure CLI auth, set subscription, validate locations, parallel subscription access checks, check & register resource providers |
| main.py | Entry point with deploy command. Step 1 wired, steps 2–6 are TODO stubs |
| build.sh | Builds .pyz zipapp (same pattern as GCP) |
| test_config.py | 15 unit tests for config parsing (valid inputs, derived properties, error cases) |

Deploy steps overview

| Step | Status | Description |
| --- | --- | --- |
| 1. Preflight checks | ✅ This PR | Auth, subscription access, location validation, resource provider registration |
| 2. Create state storage | 🔜 Next PR | Storage Account + Key Vault in a dedicated state resource group |
| 3. Store API key | 🔜 Next PR | Store DD API key in Key Vault |
| 4. Generate Terraform config | 🔜 Next PR | Write main.tf + terraform.tfvars |
| 5. Terraform init | 🔜 Next PR | terraform init with Azure Storage backend |
| 6. Deploy infrastructure | 🔜 Next PR | terraform apply |

How to test

```bash
# Build
cd azure && bash agentless/build.sh

# Run in Azure Cloud Shell (or locally with az cli)
DD_API_KEY="<key>" DD_APP_KEY="<key>" DD_SITE="datadoghq.com" \
WORKFLOW_ID="<uuid>" \
SCANNER_SUBSCRIPTION="subscription uuid" \
SCANNER_LOCATIONS="eastus" \
SUBSCRIPTIONS_TO_SCAN="comma separated uuid" \
python3 agentless/dist/azure_agentless_setup.pyz deploy

# Unit tests
cd azure && python -m pytest agentless/tests/ -v
```
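As an added example (not the PR's config.py, whose exact fields and checks are not shown on this page), a stand-in for the env-var parsing the description lists: required variables, UUID checks on the subscription and workflow IDs, a hostname check on DD_SITE so the API key cannot be sent to a malformed site, and secrets excluded from repr(). All names and validation rules here are assumptions.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Mapping, Optional

# Hypothetical stand-in for the PR's config.py; names and validation rules are assumptions.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$")

class ConfigError(ValueError):
    """A required variable is missing or malformed."""

@dataclass(frozen=True)
class Config:
    api_key: str = field(repr=False)  # secrets are excluded from repr() and any logging of the config
    app_key: str = field(repr=False)
    site: str
    workflow_id: str
    scanner_subscription: str
    scanner_locations: list[str]
    subscriptions_to_scan: list[str]

def load_config(env: Optional[Mapping[str, str]] = None) -> Config:
    """Parse and validate the wizard's environment variables (defaults to os.environ)."""
    env = os.environ if env is None else env
    def required(name: str) -> str:
        value = env.get(name, "").strip()
        if not value:
            raise ConfigError(f"{name} is required")
        return value
    def uuid(name: str, value: str) -> str:
        if not UUID_RE.match(value.lower()):
            raise ConfigError(f"{name}: {value!r} is not a UUID")
        return value.lower()
    def csv(name: str) -> list[str]:
        return [v.strip().lower() for v in required(name).split(",") if v.strip()]

    site = required("DD_SITE").lower()
    if not HOST_RE.match(site):  # a malformed site would send the API key to the wrong host
        raise ConfigError(f"DD_SITE {site!r} is not a valid hostname")
    locations = csv("SCANNER_LOCATIONS")
    if not all(re.fullmatch(r"[a-z0-9]+", loc) for loc in locations):
        raise ConfigError("SCANNER_LOCATIONS must be Azure location names such as eastus")
    return Config(
        api_key=required("DD_API_KEY"), app_key=required("DD_APP_KEY"), site=site,
        workflow_id=uuid("WORKFLOW_ID", required("WORKFLOW_ID")),
        scanner_subscription=uuid("SCANNER_SUBSCRIPTION", required("SCANNER_SUBSCRIPTION")),
        scanner_locations=locations,
        subscriptions_to_scan=[uuid("SUBSCRIPTIONS_TO_SCAN", s) for s in csv("SUBSCRIPTIONS_TO_SCAN")],
    )
```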

@mohamed-challal mohamed-challal self-assigned this Mar 13, 2026
@mohamed-challal mohamed-challal requested a review from a team as a code owner March 13, 2026 14:21
@gpalmz
Collaborator

gpalmz commented Mar 13, 2026

codex review

@mohamed-challal
Contributor Author

@codex review


@mohamed-challal
Contributor Author

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7051ef8d6b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@mohamed-challal mohamed-challal requested a review from diogocp March 13, 2026 15:49
@mohamed-challal mohamed-challal changed the title feat: Azure Agentless Scanner - Cloud Shell wizard scaffolding & preflight (Step 1) [K9VULN-12480] feat: Azure Agentless Scanner - Cloud Shell wizard scaffolding & preflight (Step 1) Mar 13, 2026
Collaborator

@gpalmz gpalmz left a comment


Thanks for doing this! I think there are quite a few opportunities to consolidate with existing utils, and would definitely recommend doing so. Pointed out a couple specific ones, but there are probably others too. I'd recommend having claude read through the repo with this in mind and see what it can do.

@mohamed-challal
Contributor Author

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed87ff76c1


@mohamed-challal mohamed-challal requested a review from gpalmz March 16, 2026 13:06
@gpalmz
Collaborator

gpalmz commented Mar 16, 2026

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed87ff76c1


Collaborator

@gpalmz gpalmz left a comment


LGTM under the assumption that there will be a second pass for code consolidation. Thanks!

Comment on lines +69 to +123
```python
import os
import sys
import threading

# SESSION_TIMEOUT_MINUTES, Reporter, validate_datadog_api_key,
# validate_datadog_app_key and DatadogCredentialsError are defined
# elsewhere in main.py and the shared modules it imports.


def sigint_handler(signum, frame) -> None:
    """Handle Ctrl+C gracefully."""
    print("\n\n⚠️ Setup interrupted by user (Ctrl+C)")
    print(" Partial resources may have been created.")
    print(" To clean up, run: terraform destroy")
    sys.exit(130)


def session_timeout_handler() -> None:
    """Handle session timeout."""
    print("\n\n⚠️ Session expired after 30 minutes.")
    print(" If you still wish to complete the setup, re-run the command.")
    print(" Terraform state is persisted, so it will continue where it left off.")
    os._exit(1)


def start_session_timer() -> threading.Timer:
    """Start a background timer for session timeout."""
    timer = threading.Timer(SESSION_TIMEOUT_MINUTES * 60, session_timeout_handler)
    timer.daemon = True
    timer.start()
    return timer


def print_session_warning() -> None:
    """Print Cloud Shell session timeout warning."""
    print()
    print(f"⚠️ Note: This session will timeout after {SESSION_TIMEOUT_MINUTES} minutes.")
    print(" If your session expires, generate a new workflow ID from the Datadog UI")
    print(" and re-run the command. Terraform state is persisted, so it will")
    print(" continue where it left off.")


def validate_credentials_and_workflow(config, reporter: Reporter) -> None:
    """Validate Datadog credentials and workflow ID before starting setup.

    Exits the process if validation fails.
    """
    try:
        validate_datadog_api_key(reporter, config.api_key, config.site)
        validate_datadog_app_key(reporter, config.api_key, config.app_key, config.site)
    except DatadogCredentialsError as e:
        reporter.error(e.message)
        if e.detail:
            print(f" {e.detail}")
        sys.exit(1)

    if not reporter.is_valid_workflow_id():
        print(
            f"Workflow ID {config.workflow_id} has already been used. "
            "Please start a new workflow from the Datadog UI."
        )
        sys.exit(1)

    reporter.handle_login_step()
```
Collaborator


Noting for later: lots of potential for consolidation with these

Contributor Author


yes, I will consolidate this in the next PR

@mohamed-challal
Contributor Author

Thanks a lot for the deep review and all the feedback!
I have tested azure_quickstart and azure_agentless on my dogfood org; everything looks good, so I will merge this PR.

@mohamed-challal mohamed-challal merged commit 4d55ac3 into main Mar 17, 2026
1 check passed
@mohamed-challal mohamed-challal deleted the mohamed.challal/agentless-azure-cloud-shell-scaffolding branch March 17, 2026 14:21