[datadog_integration_gcp_sts] Add Account tags, ResourceCollectionEnabled and IsSecurityCommandCenterEnabled support to gcp tf module

[dtru-ddog]

Purpose
Attempting to add new fields for gcp sts tf module to utilize and set account tags for customer accounts.

[ash-ddog]

Nothing really blocking, but we should talk about some of these comments. 👍

Also, are there no tests in the terraform stuff? 🤔

[ash-ddog]

This is not idiomatic Go. Typically, you initialize slices to nil. nil slices are valid for just about anything (i.e. iteration, appending, etc).
var accountTags []string

But not familiar enough with this terraform stuff to know if that'll make a difference.

[NitriKx]

Guess this is a copy paste from the code for host_filters (same type)

[ash-ddog]

Feels weird to include account_tags=[] in the REST call when it's an optional field.

[ash-ddog]

Same comments apply here.

[ash-ddog]

Should we be doing something like the IsUnknown() for AccountTags (like we're doing below) since it's also a new field? Not familiar enough with terraform to know what's right here.

[ash-ddog]

All this stuff is super duplicative. Is it worth refactoring like this?

func (r *integrationGcpStsResource) buildIntegrationGcpStsCreateRequest(ctx context.Context, state *integrationGcpStsModel) (*datadogV2.GCPSTSServiceAccountCreateRequest, diag.Diagnostics) {
	attrs, diags := r.buildIntegrationGcpStsAccountAttributes(ctx, state)
	req := datadogV2.NewGCPSTSServiceAccountCreateRequestWithDefaults()
	req.Data = datadogV2.NewGCPSTSServiceAccountDataWithDefaults()
	req.Data.SetAttributes(*attrs)
	return req, diags
}

func (r *integrationGcpStsResource) buildIntegrationGcpStsUpdateRequest(ctx context.Context, state *integrationGcpStsModel) (*datadogV2.GCPSTSServiceAccountUpdateRequest, diag.Diagnostics) {
	attrs, diags := r.buildIntegrationGcpStsAccountAttributes(ctx, state)
	req := datadogV2.NewGCPSTSServiceAccountUpdateRequestWithDefaults()
	req.Data = datadogV2.NewGCPSTSServiceAccountUpdateRequestDataWithDefaults()
	req.Data.SetAttributes(*attrs)
	return req, diags
}

func (r *integrationGcpStsResource) buildIntegrationGcpStsAccountAttributes(ctx context.Context, state *integrationGcpStsModel) (*datadogV2.GCPSTSServiceAccountAttributes, diag.Diagnostics) {
	diags := diag.Diagnostics{}
	attributes := datadogV2.NewGCPSTSServiceAccountAttributesWithDefaults()

	accountTags := make([]string, 0)
	if !state.AccountTags.IsNull() {
		diags.Append(state.AccountTags.ElementsAs(ctx, &accountTags, false)...)
	}
	attributes.SetAccountTags(accountTags)

	if !state.Automute.IsNull() {
		attributes.SetAutomute(state.Automute.ValueBool())
	}
	if !state.ClientEmail.IsNull() {
		attributes.SetClientEmail(state.ClientEmail.ValueString())
	}
	if !state.IsCspmEnabled.IsNull() {
		attributes.SetIsCspmEnabled(state.IsCspmEnabled.ValueBool())
	}

	hostFilters := make([]string, 0)
	if !state.HostFilters.IsNull() {
		diags.Append(state.HostFilters.ElementsAs(ctx, &hostFilters, false)...)
	}
	attributes.SetHostFilters(hostFilters)

	return attributes, diags
}

Weird thing is that I'm pretty sure that the update API does not support updating ClientEmail, but it was already in the update body before these changes 🥴 .

[NitriKx]

IMO that's pertinent but maybe an a separated PR?

[ash-ddog]

Looks like we mostly took this (thanks), but still we have ClientEmail in the update API when that's not supported. Not blocking, but could confuse someone in the future.

[smuhit]

Agreed.. But didn't want to make functionally different changes (removal of ClientEmail in the Update call) in a PR that is essentially additive changes.

[mariuskiessling]

Hey @ash-ddog and @dtru-ddog, do you have any updates on this PR? I was about to hand in my own PR for this missing field when I saw that this one already exists. We rely on setting the account tags in one of our configurations that we provision from Terraform. Anything I can do to help this thing be merged?

[NitriKx]

I would also like to see that merged, may I help? For the automated tests we can recycle my closed PR #2248

[skarimo]

Whats the reasoning for this change? This can potentially break existing customers if they set automute to true in the UI.

[smuhit]

Fair enough. Hadn't really considered the case where customers were using both terraform and the UI to manage their configuration. Will remove.

[skarimo]

Same question here about new default value on TF side. Can we rely on the backend to handle defaults properly since it is already computed-optional field on terraform side?

[smuhit]

Same as above

[skarimo]

Suggested change

	if !state.IsSecurityCommandCenterEnabled.IsNull() {
	if !state.IsSecurityCommandCenterEnabled.IsUnknown() {

[ash-ddog]

Nothing blocking but most notable comments

• Do we want to add CloudRunRevisionFilters ?
• Do we need to do IsUnknown() for AccountTags

[ash-ddog]

• What is DelegateAccountEmail vs ClientEmail ? My guess is DelegateAccountEmail == client_id and ClientEmail == client_email
  • Update: read the descriptions below, but still, not sure how DelegateAccountEmail can have any affect on the API call we make since it's not a request parameter?
• We're missing cloud_run_revision_filters here, not sure if that's on purpose or not.

[ash-ddog]

Oh I'm sorry, thought this PR was for our V1 API but it's V2.

But still the comments above are valid.

[smuhit]

DelegateAccountEmail is the STS delegate. (Basically, the principal that needs the token creator role on the client Email).

In this schema, it's a computed value that this provider returns (and not as input), mainly to allow setup purely through terraform.

Basically:

• terraform to create GCP service account (including permissions)
• terraform using this module to configure the datadog gcp sts integration (using output from previous)
• terraform to give output of integration (second bullet) the token creator role to the service account in first bullet

Let me know if you have questions

[smuhit]

We have an upcoming task to add cloud_run_revision_filters.

[ash-ddog]

Kinda nit: might want to be more specific about what this actually is? maybe Filters to be applied for GCE instance resources or something?

[smuhit]

I just shuffled it (to be ordered alphabetically).. I didn't actually add this description (It exists currently: https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_gcp_sts#host_filters)

We can update it, but can tackle in a separate PR

[ash-ddog]

Looks like we mostly took this (thanks), but still we have ClientEmail in the update API when that's not supported. Not blocking, but could confuse someone in the future.

[ash-ddog]

Should we be doing something like the IsUnknown() for AccountTags (like we're doing below) since it's also a new field? Not familiar enough with terraform to know what's right here.