[datadog_integration_gcp_sts] Add Account tags, ResourceCollectionEnabled and IsSecurityCommandCenterEnabled support to gcp tf module #2134
9186396
e78aa29
ca882c1
0f42469
09d1443
@@ -3,6 +3,8 @@ package fwprovider | |
import ( | ||
"context" | ||
|
||
"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault" | ||
|
||
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2" | ||
"github.com/hashicorp/terraform-plugin-framework/diag" | ||
frameworkPath "github.com/hashicorp/terraform-plugin-framework/path" | ||
|
@@ -26,12 +28,15 @@ type integrationGcpStsResource struct { | |
} | ||
|
||
type integrationGcpStsModel struct { | ||
ID types.String `tfsdk:"id"` | ||
Automute types.Bool `tfsdk:"automute"` | ||
ClientEmail types.String `tfsdk:"client_email"` | ||
DelegateAccountEmail types.String `tfsdk:"delegate_account_email"` | ||
IsCspmEnabled types.Bool `tfsdk:"is_cspm_enabled"` | ||
HostFilters types.Set `tfsdk:"host_filters"` | ||
ID types.String `tfsdk:"id"` | ||
AccountTags types.Set `tfsdk:"account_tags"` | ||
Automute types.Bool `tfsdk:"automute"` | ||
ClientEmail types.String `tfsdk:"client_email"` | ||
DelegateAccountEmail types.String `tfsdk:"delegate_account_email"` | ||
HostFilters types.Set `tfsdk:"host_filters"` | ||
IsCspmEnabled types.Bool `tfsdk:"is_cspm_enabled"` | ||
IsSecurityCommandCenterEnabled types.Bool `tfsdk:"is_security_command_center_enabled"` | ||
ResourceCollectionEnabled types.Bool `tfsdk:"resource_collection_enabled"` | ||
} | ||
|
||
func NewIntegrationGcpStsResource() resource.Resource { | ||
|
@@ -52,6 +57,11 @@ func (r *integrationGcpStsResource) Schema(_ context.Context, _ resource.SchemaR | |
response.Schema = schema.Schema{ | ||
Description: "Provides a Datadog Integration GCP Sts resource. This can be used to create and manage Datadog - Google Cloud Platform integration.", | ||
Attributes: map[string]schema.Attribute{ | ||
"account_tags": schema.SetAttribute{ | ||
Optional: true, | ||
Description: "Tags to be associated with GCP metrics and service checks from your account.", | ||
ElementType: types.StringType, | ||
|
||
}, | ||
"automute": schema.BoolAttribute{ | ||
Optional: true, | ||
Computed: true, | ||
|
@@ -71,17 +81,27 @@ func (r *integrationGcpStsResource) Schema(_ context.Context, _ resource.SchemaR | |
stringplanmodifier.UseStateForUnknown(), | ||
}, | ||
}, | ||
"host_filters": schema.SetAttribute{ | ||
Optional: true, | ||
Description: "Your Host Filters.", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Kinda nit: might want to be more specific about what this actually is? maybe There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I just shuffled it (to be ordered alphabetically).. I didn't actually add this description (It exists currently: https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/integration_gcp_sts#host_filters) We can update it, but can tackle in a separate PR |
||
ElementType: types.StringType, | ||
}, | ||
"is_cspm_enabled": schema.BoolAttribute{ | ||
Optional: true, | ||
Computed: true, | ||
Description: "When enabled, Datadog performs configuration checks across your Google Cloud environment by continuously scanning every resource, which may incur additional charges.", | ||
Description: "Whether Datadog collects cloud security posture management resources from your GCP project. If enabled, requires `resource_collection_enabled` to also be enabled.", | ||
}, | ||
"host_filters": schema.SetAttribute{ | ||
"is_security_command_center_enabled": schema.BoolAttribute{ | ||
Description: "When enabled, Datadog will attempt to collect Security Command Center Findings. Note: This requires additional permissions on the service account.", | ||
Optional: true, | ||
Description: "Your Host Filters.", | ||
ElementType: types.StringType, | ||
Computed: true, | ||
Default: booldefault.StaticBool(false), | ||
}, | ||
"id": utils.ResourceIDAttribute(), | ||
"resource_collection_enabled": schema.BoolAttribute{ | ||
Description: "When enabled, Datadog scans for all resources in your GCP environment.", | ||
Optional: true, | ||
Computed: true, | ||
}, "id": utils.ResourceIDAttribute(), | ||
}, | ||
} | ||
} | ||
|
@@ -148,7 +168,10 @@ func (r *integrationGcpStsResource) Create(ctx context.Context, request resource | |
delegateEmail := delegateResponse.Data.Attributes.GetDelegateAccountEmail() | ||
state.DelegateAccountEmail = types.StringValue(delegateEmail) | ||
|
||
body, diags := r.buildIntegrationGcpStsRequestBody(ctx, &state) | ||
attributes, diags := r.buildIntegrationGcpStsRequestBody(ctx, &state) | ||
body := datadogV2.NewGCPSTSServiceAccountCreateRequestWithDefaults() | ||
body.Data = datadogV2.NewGCPSTSServiceAccountDataWithDefaults() | ||
body.Data.SetAttributes(attributes) | ||
response.Diagnostics.Append(diags...) | ||
if response.Diagnostics.HasError() { | ||
return | ||
|
@@ -178,7 +201,11 @@ func (r *integrationGcpStsResource) Update(ctx context.Context, request resource | |
|
||
id := state.ID.ValueString() | ||
|
||
body, diags := r.buildIntegrationGcpStsUpdateRequestBody(ctx, &state) | ||
attributes, diags := r.buildIntegrationGcpStsRequestBody(ctx, &state) | ||
body := datadogV2.NewGCPSTSServiceAccountUpdateRequestWithDefaults() | ||
body.Data = datadogV2.NewGCPSTSServiceAccountUpdateRequestDataWithDefaults() | ||
body.Data.SetAttributes(attributes) | ||
|
||
response.Diagnostics.Append(diags...) | ||
if response.Diagnostics.HasError() { | ||
return | ||
|
@@ -222,6 +249,9 @@ func (r *integrationGcpStsResource) updateState(ctx context.Context, state *inte | |
state.ID = types.StringValue(resp.GetId()) | ||
|
||
attributes := resp.GetAttributes() | ||
if accountTags, ok := attributes.GetAccountTagsOk(); ok && len(*accountTags) > 0 { | ||
state.AccountTags, _ = types.SetValueFrom(ctx, types.StringType, *accountTags) | ||
} | ||
if automute, ok := attributes.GetAutomuteOk(); ok { | ||
state.Automute = types.BoolValue(*automute) | ||
} | ||
|
@@ -234,39 +264,24 @@ func (r *integrationGcpStsResource) updateState(ctx context.Context, state *inte | |
if isCspmEnabled, ok := attributes.GetIsCspmEnabledOk(); ok { | ||
state.IsCspmEnabled = types.BoolValue(*isCspmEnabled) | ||
} | ||
} | ||
|
||
func (r *integrationGcpStsResource) buildIntegrationGcpStsRequestBody(ctx context.Context, state *integrationGcpStsModel) (*datadogV2.GCPSTSServiceAccountCreateRequest, diag.Diagnostics) { | ||
diags := diag.Diagnostics{} | ||
attributes := datadogV2.GCPSTSServiceAccountAttributes{} | ||
|
||
if !state.Automute.IsNull() { | ||
attributes.SetAutomute(state.Automute.ValueBool()) | ||
} | ||
if !state.ClientEmail.IsNull() { | ||
attributes.SetClientEmail(state.ClientEmail.ValueString()) | ||
if isSecurityCommandCenterEnabled, ok := attributes.GetIsSecurityCommandCenterEnabledOk(); ok { | ||
state.IsSecurityCommandCenterEnabled = types.BoolValue(*isSecurityCommandCenterEnabled) | ||
} | ||
if !state.IsCspmEnabled.IsNull() { | ||
attributes.SetIsCspmEnabled(state.IsCspmEnabled.ValueBool()) | ||
} | ||
|
||
hostFilters := make([]string, 0) | ||
if !state.HostFilters.IsNull() { | ||
diags.Append(state.HostFilters.ElementsAs(ctx, &hostFilters, false)...) | ||
if resourceCollectionEnabled, ok := attributes.GetResourceCollectionEnabledOk(); ok { | ||
state.ResourceCollectionEnabled = types.BoolValue(*resourceCollectionEnabled) | ||
} | ||
attributes.SetHostFilters(hostFilters) | ||
|
||
req := datadogV2.NewGCPSTSServiceAccountCreateRequestWithDefaults() | ||
req.Data = datadogV2.NewGCPSTSServiceAccountDataWithDefaults() | ||
req.Data.SetAttributes(attributes) | ||
|
||
return req, diags | ||
} | ||
|
||
func (r *integrationGcpStsResource) buildIntegrationGcpStsUpdateRequestBody(ctx context.Context, state *integrationGcpStsModel) (*datadogV2.GCPSTSServiceAccountUpdateRequest, diag.Diagnostics) { | ||
func (r *integrationGcpStsResource) buildIntegrationGcpStsRequestBody(ctx context.Context, state *integrationGcpStsModel) (datadogV2.GCPSTSServiceAccountAttributes, diag.Diagnostics) { | ||
diags := diag.Diagnostics{} | ||
attributes := datadogV2.GCPSTSServiceAccountAttributes{} | ||
|
||
accountTags := make([]string, 0) | ||
if !state.AccountTags.IsNull() { | ||
diags.Append(state.AccountTags.ElementsAs(ctx, &accountTags, false)...) | ||
} | ||
attributes.SetAccountTags(accountTags) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same comments apply here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should we be doing something like the |
||
|
||
if !state.Automute.IsNull() { | ||
attributes.SetAutomute(state.Automute.ValueBool()) | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. All this stuff is super duplicative. Is it worth refactoring like this?
Weird thing is that I'm pretty sure that the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. IMO that's pertinent but maybe an a separated PR? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Looks like we mostly took this (thanks), but still we have There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agreed.. But didn't want to make functionally different changes (removal of ClientEmail in the Update call) in a PR that is essentially additive changes. |
||
|
@@ -283,9 +298,12 @@ func (r *integrationGcpStsResource) buildIntegrationGcpStsUpdateRequestBody(ctx | |
} | ||
attributes.SetHostFilters(hostFilters) | ||
|
||
req := datadogV2.NewGCPSTSServiceAccountUpdateRequestWithDefaults() | ||
req.Data = datadogV2.NewGCPSTSServiceAccountUpdateRequestDataWithDefaults() | ||
req.Data.SetAttributes(attributes) | ||
if !state.IsSecurityCommandCenterEnabled.IsUnknown() { | ||
attributes.SetIsSecurityCommandCenterEnabled(state.IsSecurityCommandCenterEnabled.ValueBool()) | ||
} | ||
if !state.ResourceCollectionEnabled.IsUnknown() { | ||
attributes.SetResourceCollectionEnabled(state.ResourceCollectionEnabled.ValueBool()) | ||
} | ||
|
||
return req, diags | ||
return attributes, diags | ||
} |
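Review bot: The new `is_cspm_enabled` description states that it "requires `resource_collection_enabled` to also be enabled", but nothing in the schema or in `buildIntegrationGcpStsRequestBody` enforces that pairing, so a config with `is_cspm_enabled = true` and `resource_collection_enabled = false` is caught, if at all, only by the API at apply time — and whether the API rejects it or silently leaves posture scanning off is not visible in this diff. Because the file already imports `frameworkPath`, a `ValidateConfig` method implementing `resource.ResourceWithValidateConfig` can reject the inconsistent pair at plan time (below); null and unknown values are deliberately left alone so the server-side default still applies. Separately, the `is_security_command_center_enabled` description says only that it "requires additional permissions on the service account"; for operators granting least privilege, that note should name the specific role or permission, or link to the Datadog GCP integration page that does, rather than leave the scope to guesswork. The `integrationGcpStsResource` type and its other methods continue outside these hunks.

```go
// ValidateConfig rejects a plan that enables CSPM while explicitly disabling
// resource collection, a combination the schema documents as unsupported but
// which would otherwise surface only at apply time.
func (r *integrationGcpStsResource) ValidateConfig(ctx context.Context, req resource.ValidateConfigRequest, resp *resource.ValidateConfigResponse) {
	var cfg integrationGcpStsModel
	resp.Diagnostics.Append(req.Config.Get(ctx, &cfg)...)
	if resp.Diagnostics.HasError() {
		return
	}
	// Null/unknown resource_collection_enabled is left to the API default.
	if cfg.IsCspmEnabled.ValueBool() && !cfg.ResourceCollectionEnabled.IsNull() && !cfg.ResourceCollectionEnabled.IsUnknown() && !cfg.ResourceCollectionEnabled.ValueBool() {
		resp.Diagnostics.AddAttributeError(
			frameworkPath.Root("is_cspm_enabled"),
			"Invalid Attribute Combination",
			"is_cspm_enabled requires resource_collection_enabled to be true.",
		)
	}
}
```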
DelegateAccountEmail
vsClientEmail
? My guess isDelegateAccountEmail == client_id
andClientEmail == client_email
DelegateAccountEmail
can have any affect on the API call we make since it's not a request parameter?cloud_run_revision_filters
here, not sure if that's on purpose or not.There was a problem hiding this comment.
Oh I'm sorry, thought this PR was for our V1 API but it's V2.
But still the comments above are valid.
DelegateAccountEmail is the STS delegate. (Basically, the principal that needs the token creator role on the client Email).
In this schema, it's a computed value that this provider returns (and not as input), mainly to allow setup purely through terraform.
Basically:
Let me know if you have questions
We have an upcoming task to add
cloud_run_revision_filters
.