update csm_threats_agent_rule resource and data_source

QuentinGuillard · QuentinGuillard · commit fcacf6ff2fc6 · 2025-05-26T11:23:25.000+02:00
diff --git a/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go b/datadog/fwprovider/data_source_datadog_csm_threats_agent_rule.go
@@ -62,7 +62,7 @@ func (r *csmThreatsAgentRulesDataSource) Configure(_ context.Context, request da
 	r.auth = providerData.Auth
 }
 
-func (r *csmThreatsAgentRulesDataSource) Metadata(_ context.Context, request datasource.MetadataRequest, response *datasource.MetadataResponse) {
+func (*csmThreatsAgentRulesDataSource) Metadata(_ context.Context, _ datasource.MetadataRequest, response *datasource.MetadataResponse) {
 	response.TypeName = "csm_threats_agent_rules"
 }
 
diff --git a/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go b/datadog/fwprovider/resource_datadog_csm_threats_agent_rule.go
@@ -13,6 +13,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 
+	"net/http"
+
 	"github.com/terraform-providers/terraform-provider-datadog/datadog/internal/utils"
 )
 
@@ -57,7 +59,7 @@ func (r *csmThreatsAgentRuleResource) Schema(_ context.Context, _ resource.Schem
 		Attributes: map[string]schema.Attribute{
 			"id": utils.ResourceIDAttribute(),
 			"policy_id": schema.StringAttribute{
-				Required:    true,
+				Optional:    true,
 				Description: "The ID of the agent policy in which the rule is saved",
 			},
 			"name": schema.StringAttribute{
@@ -70,38 +72,35 @@ func (r *csmThreatsAgentRuleResource) Schema(_ context.Context, _ resource.Schem
 			"description": schema.StringAttribute{
 				Optional:    true,
 				Description: "A description for the Agent rule.",
-				Computed:    true,
 			},
 			"enabled": schema.BoolAttribute{
-				Required:    true,
-				Description: "Indicates Whether the Agent rule is enabled.",
+				Optional:    true,
+				Description: "Indicates whether the Agent rule is enabled. Must not be used without policy_id.",
 			},
 			"expression": schema.StringAttribute{
 				Required:    true,
 				Description: "The SECL expression of the Agent rule",
-				PlanModifiers: []planmodifier.String{
-					stringplanmodifier.RequiresReplace(),
-				},
 			},
 			"product_tags": schema.SetAttribute{
 				Optional:    true,
 				ElementType: types.StringType,
 				Description: "The list of product tags associated with the rule",
-				Computed:    true,
 			},
 		},
 	}
 }
 
 func (r *csmThreatsAgentRuleResource) ImportState(ctx context.Context, request resource.ImportStateRequest, response *resource.ImportStateResponse) {
 	result := strings.SplitN(request.ID, ":", 2)
-	if len(result) != 2 {
-		response.Diagnostics.AddError("error retrieving policy_id or rule_id from given ID", "")
-		return
-	}
 
-	response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root("policy_id"), result[0])...)
-	response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root("id"), result[1])...)
+	if len(result) == 2 {
+		response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root("policy_id"), result[0])...)
+		response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root("id"), result[1])...)
+	} else if len(result) == 1 {
+		response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root("id"), result[0])...)
+	} else {
+		response.Diagnostics.AddError("unexpected import format", "expected '<policy_id>:<rule_id>' or '<rule_id>'")
+	}
 }
 
 func (r *csmThreatsAgentRuleResource) Create(ctx context.Context, request resource.CreateRequest, response *resource.CreateResponse) {
@@ -111,6 +110,9 @@ func (r *csmThreatsAgentRuleResource) Create(ctx context.Context, request resour
 		return
 	}
 
+	csmThreatsMutex.Lock()
+	defer csmThreatsMutex.Unlock()
+
 	agentRulePayload, err := r.buildCreateCSMThreatsAgentRulePayload(&state)
 	if err != nil {
 		response.Diagnostics.AddError("error while parsing resource", err.Error())
@@ -137,11 +139,23 @@ func (r *csmThreatsAgentRuleResource) Read(ctx context.Context, request resource
 		return
 	}
 
+	csmThreatsMutex.Lock()
+	defer csmThreatsMutex.Unlock()
+
 	agentRuleId := state.Id.ValueString()
-	policyId := state.PolicyId.ValueString()
-	res, httpResponse, err := r.api.GetCSMThreatsAgentRule(r.auth, agentRuleId, *datadogV2.NewGetCSMThreatsAgentRuleOptionalParameters().WithPolicyId(policyId))
+
+	var res datadogV2.CloudWorkloadSecurityAgentRuleResponse
+	var httpResp *http.Response
+	var err error
+	if !state.PolicyId.IsNull() && !state.PolicyId.IsUnknown() {
+		policyId := state.PolicyId.ValueString()
+		res, httpResp, err = r.api.GetCSMThreatsAgentRule(r.auth, agentRuleId, *datadogV2.NewGetCSMThreatsAgentRuleOptionalParameters().WithPolicyId(policyId))
+	} else {
+		res, httpResp, err = r.api.GetCSMThreatsAgentRule(r.auth, agentRuleId)
+	}
+
 	if err != nil {
-		if httpResponse != nil && httpResponse.StatusCode == 404 {
+		if httpResp.StatusCode == 404 {
 			response.State.RemoveResource(ctx)
 			return
 		}
@@ -164,9 +178,13 @@ func (r *csmThreatsAgentRuleResource) Update(ctx context.Context, request resour
 		return
 	}
 
+	csmThreatsMutex.Lock()
+	defer csmThreatsMutex.Unlock()
+
 	agentRulePayload, err := r.buildUpdateCSMThreatsAgentRulePayload(&state)
 	if err != nil {
 		response.Diagnostics.AddError("error while parsing resource", err.Error())
+		return
 	}
 
 	res, _, err := r.api.UpdateCSMThreatsAgentRule(r.auth, state.Id.ValueString(), *agentRulePayload)
@@ -190,11 +208,22 @@ func (r *csmThreatsAgentRuleResource) Delete(ctx context.Context, request resour
 		return
 	}
 
+	csmThreatsMutex.Lock()
+	defer csmThreatsMutex.Unlock()
+
 	id := state.Id.ValueString()
-	policyId := state.PolicyId.ValueString()
-	httpResp, err := r.api.DeleteCSMThreatsAgentRule(r.auth, id, *datadogV2.NewDeleteCSMThreatsAgentRuleOptionalParameters().WithPolicyId(policyId))
+
+	var httpResp *http.Response
+	var err error
+	if !state.PolicyId.IsNull() && !state.PolicyId.IsUnknown() {
+		policyId := state.PolicyId.ValueString()
+		httpResp, err = r.api.DeleteCSMThreatsAgentRule(r.auth, id, *datadogV2.NewDeleteCSMThreatsAgentRuleOptionalParameters().WithPolicyId(policyId))
+	} else {
+		httpResp, err = r.api.DeleteCSMThreatsAgentRule(r.auth, id)
+	}
+
 	if err != nil {
-		if httpResp != nil && httpResp.StatusCode == 404 {
+		if httpResp.StatusCode == 404 {
 			return
 		}
 		response.Diagnostics.Append(utils.FrameworkErrorDiag(err, "error deleting agent rule"))
@@ -210,32 +239,39 @@ func (r *csmThreatsAgentRuleResource) buildCreateCSMThreatsAgentRulePayload(stat
 	attributes.Name = name
 	attributes.Description = description
 	attributes.Enabled = &enabled
-	attributes.PolicyId = &policyId
+	attributes.PolicyId = policyId
 	attributes.ProductTags = productTags
 
 	data := datadogV2.NewCloudWorkloadSecurityAgentRuleCreateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE)
 	return datadogV2.NewCloudWorkloadSecurityAgentRuleCreateRequest(*data), nil
 }
 
 func (r *csmThreatsAgentRuleResource) buildUpdateCSMThreatsAgentRulePayload(state *csmThreatsAgentRuleModel) (*datadogV2.CloudWorkloadSecurityAgentRuleUpdateRequest, error) {
-	agentRuleId, policyId, _, description, enabled, _, productTags := r.extractAgentRuleAttributesFromResource(state)
+	agentRuleId, policyId, _, description, enabled, expression, productTags := r.extractAgentRuleAttributesFromResource(state)
 
 	attributes := datadogV2.CloudWorkloadSecurityAgentRuleUpdateAttributes{}
+	attributes.Expression = &expression
 	attributes.Description = description
 	attributes.Enabled = &enabled
-	attributes.PolicyId = &policyId
+	attributes.PolicyId = policyId
 	attributes.ProductTags = productTags
 
 	data := datadogV2.NewCloudWorkloadSecurityAgentRuleUpdateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE)
 	data.Id = &agentRuleId
 	return datadogV2.NewCloudWorkloadSecurityAgentRuleUpdateRequest(*data), nil
 }
 
-func (r *csmThreatsAgentRuleResource) extractAgentRuleAttributesFromResource(state *csmThreatsAgentRuleModel) (string, string, string, *string, bool, string, []string) {
+func (r *csmThreatsAgentRuleResource) extractAgentRuleAttributesFromResource(state *csmThreatsAgentRuleModel) (string, *string, string, *string, bool, string, []string) {
 	// Mandatory fields
 	id := state.Id.ValueString()
-	policyId := state.PolicyId.ValueString()
 	name := state.Name.ValueString()
+
+	// Optional fields
+	var policyId *string
+	if !state.PolicyId.IsNull() && !state.PolicyId.IsUnknown() {
+		val := state.PolicyId.ValueString()
+		policyId = &val
+	}
 	enabled := state.Enabled.ValueBool()
 	expression := state.Expression.ValueString()
 	description := state.Description.ValueStringPointer()
@@ -244,7 +280,7 @@ func (r *csmThreatsAgentRuleResource) extractAgentRuleAttributesFromResource(sta
 		for _, tag := range state.ProductTags.Elements() {
 			tagStr, ok := tag.(types.String)
 			if !ok {
-				return "", "", "", nil, false, "", nil
+				return "", nil, "", nil, false, "", nil
 			}
 			productTags = append(productTags, tagStr.ValueString())
 		}
diff --git a/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go b/datadog/tests/data_source_datadog_csm_threats_agent_rules_test.go
@@ -64,6 +64,42 @@ func TestAccCSMThreatsAgentRulesDataSource(t *testing.T) {
 	})
 }
 
+func TestAccCSMThreatsAgentRulesDataSourceWithoutPolicyID(t *testing.T) {
+	t.Parallel()
+	ctx, providers, accProviders := testAccFrameworkMuxProviders(context.Background(), t)
+
+	agentRuleName := uniqueAgentRuleName(ctx)
+
+	agentRuleConfig := fmt.Sprintf(`
+	resource "datadog_csm_threats_agent_rule" "agent_rule_without_policy" {
+		name              = "%s"
+		enabled           = true
+		description       = "rule without policy"
+		expression 		  = "open.file.name == \"etc/shadow/password\""
+		product_tags      = ["compliance_framework:PCI-DSS"]
+	}
+	`, agentRuleName)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV5ProviderFactories: accProviders,
+		CheckDestroy:             testAccCheckCSMThreatsAgentRuleDestroy(providers.frameworkProvider),
+		Steps: []resource.TestStep{
+			{
+				Config: agentRuleConfig,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCSMThreatsAgentRuleExists(providers.frameworkProvider, "datadog_csm_threats_agent_rule.agent_rule_without_policy"),
+					resource.TestCheckResourceAttr("datadog_csm_threats_agent_rule.agent_rule_without_policy", "name", agentRuleName),
+					resource.TestCheckResourceAttr("datadog_csm_threats_agent_rule.agent_rule_without_policy", "description", "rule without policy"),
+					resource.TestCheckResourceAttr("datadog_csm_threats_agent_rule.agent_rule_without_policy", "expression", "open.file.name == \"etc/shadow/password\""),
+					resource.TestCheckResourceAttr("datadog_csm_threats_agent_rule.agent_rule_without_policy", "enabled", "true"),
+					resource.TestCheckTypeSetElemAttr("datadog_csm_threats_agent_rule.agent_rule_without_policy", "product_tags.*", "compliance_framework:PCI-DSS"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckDatadogCSMThreatsAgentRulesDataSourceConfig(policyName, agentRuleName string) string {
 	return fmt.Sprintf(`
 data "datadog_csm_threats_agent_rules" "my_data_source" {
diff --git a/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go b/datadog/tests/resource_datadog_csm_threats_agent_rule_test.go
@@ -91,6 +91,52 @@ func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) {
 	})
 }
 
+func TestAccCSMThreatsAgentRule_CreateAndUpdateWithoutPolicyID(t *testing.T) {
+	ctx, providers, accProviders := testAccFrameworkMuxProviders(context.Background(), t)
+
+	agentRuleName := uniqueAgentRuleName(ctx)
+	resourceName := "datadog_csm_threats_agent_rule.agent_rule_without_policy"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV5ProviderFactories: accProviders,
+		CheckDestroy:             testAccCheckCSMThreatsAgentRuleDestroy(providers.frameworkProvider),
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(`
+					resource "datadog_csm_threats_agent_rule" "agent_rule_without_policy" {
+						name              = "%s"
+						enabled           = true
+						description       = "initial description"
+						expression        = "open.file.name == \"etc/shadow/password\""
+						product_tags      = ["compliance_framework:HIPAA"]
+					}
+					`, agentRuleName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCSMThreatsAgentRuleExistsWithoutPolicyID(providers.frameworkProvider, resourceName),
+					checkCSMThreatsAgentRuleContent(resourceName, agentRuleName, "initial description", "open.file.name == \"etc/shadow/password\"", "compliance_framework:HIPAA"),
+				),
+			},
+			// update the description
+			{
+				Config: fmt.Sprintf(`
+					resource "datadog_csm_threats_agent_rule" "agent_rule_without_policy" {
+						name              = "%s"
+						enabled           = true
+						description       = "updated description"
+						expression        = "open.file.name == \"etc/shadow/password\""
+						product_tags      = ["compliance_framework:HIPAA"]
+					}
+					`, agentRuleName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckCSMThreatsAgentRuleExistsWithoutPolicyID(providers.frameworkProvider, resourceName),
+					checkCSMThreatsAgentRuleContent(resourceName, agentRuleName, "updated description", "open.file.name == \"etc/shadow/password\"", "compliance_framework:HIPAA"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckCSMThreatsAgentRuleExists(accProvider *fwprovider.FrameworkProvider, resourceName string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		resource, ok := s.RootModule().Resources[resourceName]
@@ -115,6 +161,29 @@ func testAccCheckCSMThreatsAgentRuleExists(accProvider *fwprovider.FrameworkProv
 	}
 }
 
+func testAccCheckCSMThreatsAgentRuleExistsWithoutPolicyID(accProvider *fwprovider.FrameworkProvider, resourceName string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		resource, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("resource '%s' not found in the state", resourceName)
+		}
+
+		if resource.Type != "datadog_csm_threats_agent_rule" {
+			return fmt.Errorf("resource %s is not of type datadog_csm_threats_agent_rule", resourceName)
+		}
+
+		auth := accProvider.Auth
+		apiInstances := accProvider.DatadogApiInstances
+
+		_, _, err := apiInstances.GetCSMThreatsApiV2().GetCSMThreatsAgentRule(auth, resource.Primary.ID)
+		if err != nil {
+			return fmt.Errorf("received an error retrieving agent rule: %s", err)
+		}
+
+		return nil
+	}
+}
+
 func testAccCheckCSMThreatsAgentRuleDestroy(accProvider *fwprovider.FrameworkProvider) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		auth := accProvider.Auth
diff --git a/docs/resources/csm_threats_agent_rule.md b/docs/resources/csm_threats_agent_rule.md
@@ -29,11 +29,11 @@ resource "datadog_csm_threats_agent_rule" "my_agent_rule" {
 - `enabled` (Boolean) Indicates Whether the Agent rule is enabled.
 - `expression` (String) The SECL expression of the Agent rule
 - `name` (String) The name of the Agent rule.
-- `policy_id` (String) The ID of the agent policy in which the rule is saved
 
 ### Optional
 
 - `description` (String) A description for the Agent rule.
+- `policy_id` (String) The ID of the agent policy in which the rule is saved
 - `product_tags` (Set of String) The list of product tags associated with the rule
 
 ### Read-Only

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ func (r *csmThreatsAgentRulesDataSource) Configure(_ context.Context, request da`
`62`	`62`	`r.auth = providerData.Auth`
`63`	`63`	`}`
`64`	`64`
`65`		`-func (r csmThreatsAgentRulesDataSource) Metadata(_ context.Context, request datasource.MetadataRequest, response datasource.MetadataResponse) {`
	`65`	`+func (csmThreatsAgentRulesDataSource) Metadata(_ context.Context, _ datasource.MetadataRequest, response datasource.MetadataResponse) {`
`66`	`66`	`response.TypeName = "csm_threats_agent_rules"`
`67`	`67`	`}`
`68`	`68`