[datadog_security_monitoring_rule] Add Terraform Support for Signal Correlation Rules #1593
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
clementgbcn
changed the title
clementgbcn
force-pushed
the
cgc/SEC-3135-Signal-Correlation-Backward
branch
3 times, most recently
from
ad51fdf to
02d8e5b
Compare
clementgbcn
added
resource/datadog_security_monitoring_default_rule
and removed
changelog/feature
labels
clementgbcn
force-pushed
the
cgc/SEC-3135-Signal-Correlation-Backward
branch
2 times, most recently
from
c2fcf70 to
89db8dc
Compare
clementgbcn
force-pushed
the
cgc/SEC-3135-Signal-Correlation-Backward
branch
from
89db8dc to
a39d706
Compare
skarimo
reviewed
Oct 11, 2022
| @@ -317,35 +426,78 @@ func resourceDatadogSecurityMonitoringRuleCreate(ctx context.Context, d *schema. | |||
| return diag.FromErr(err) | |||
| } | |||
|
|
|||
| d.SetId(response.SecurityMonitoringStandardRuleResponse.GetId()) | |||
| if response.SecurityMonitoringStandardRuleResponse != nil { | |||
There was a problem hiding this comment.
NIT: I think it would be better to differentiate based on wether query or signal_query field is set.
There was a problem hiding this comment.
However, the next instruction is about getting the id of the response by accessing the non null field of the response. Therefore, it seems to me that this check is mandatory (and then sufficient) for assigning the id.
| query := d.Get("query").([]interface{}) | ||
| signalQuery := d.Get("signal_query").([]interface{}) | ||
| if len(query) > 0 && len(signalQuery) > 0 { | ||
| return fmt.Errorf("query list and signal query list cannot be both populated") |
There was a problem hiding this comment.
Why not use TF validation schema helpers such as ConflictsWith properties instead?
There was a problem hiding this comment.
I tried but it was not working since, as stated in the documentations:
// Only absolute attribute paths, ones starting with top level attribute
// names, are supported. Attribute paths cannot be accurately declared
// for TypeList (if MaxItems is greater than 1), TypeMap, or TypeSet
// attributes. To reference an attribute under a single configuration block
// (TypeList with Elem of *Resource and MaxItems of 1), the syntax is
// "parent_block_name.0.child_attribute_name".
In our case, it is a TypeList whose MaxItems is greater than 1.
skarimo
added
changelog/feature
changelog/improvement
and removed
changelog/feature
labels
skarimo
previously approved these changes
Oct 12, 2022
pietrodll
reviewed
Oct 13, 2022
…mon methods of rules
clementgbcn
force-pushed
the
cgc/SEC-3135-Signal-Correlation-Backward
branch
from
a96195e to
ba31583
Compare
pietrodll
previously approved these changes
Oct 13, 2022
Comment on lines
724
to
732
| if v, ok := query["metrics"]; ok && v != nil { | ||
| if tfMetrics, ok := v.([]interface{}); ok && len(tfMetrics) > 0 { | ||
| metrics := make([]string, len(tfMetrics)) | ||
| for i, value := range tfMetrics { | ||
| metrics[i] = value.(string) | ||
| } | ||
| payloadQuery.SetMetrics(metrics) | ||
| } | ||
| } |
There was a problem hiding this comment.
This code seems useless as metrics is not defined on signal_query.
Suggested change
| if v, ok := query["metrics"]; ok && v != nil { | |
| if tfMetrics, ok := v.([]interface{}); ok && len(tfMetrics) > 0 { | |
| metrics := make([]string, len(tfMetrics)) | |
| for i, value := range tfMetrics { | |
| metrics[i] = value.(string) | |
| } | |
| payloadQuery.SetMetrics(metrics) | |
| } | |
| } |
There was a problem hiding this comment.
✅ (in all places)
| Optional: true, | ||
| Description: "The rule type.", | ||
| Default: "log_detection", | ||
| }, | ||
| } | ||
| } | ||
|
|
||
| // SecurityMonitoringRuleInterface Common Interface to SecurityMonitoringRuleCreateInterface and SecurityMonitoringRuleReadInterface | ||
| type SecurityMonitoringRuleInterface interface { |
There was a problem hiding this comment.
I think these interfaces should be private, as they are utilities to factorize code.
skarimo
approved these changes
Oct 17, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR updates the Terraform provider to support
Signal Correlationrules.It replaces #1591 which was not backward compatible.
It impact the resources/data:
resource_datadog_security_monitoring_ruledata_source_datadog_security_monitoring_rulesTo be backward compatible, the fields which are specific to Signal Correlation rules (i.e.,
ruleId,defaultRuleId,correlatedByFields,correlatedQueryIndex) are populated in a different sub list Schema calledsignal_query.Since
queryis a List that could have multiple elements, it is not possible to enforce aDistinctsWith.Since the Go struct
SecurityMonitoringRuleResponsedoes not implement a common interface forSecurityMonitoringStandardRuleResponseandSecurityMonitoringSignalRuleResponse, most of the methods have been specialised in spite of having common code.Additionally, this PR homogenises the way the payloads are populated by using the Setters instead of directly accessing the attributes in
security_monitoring. It addresses remarks from previous PR about wording.How do these changes impact current model
Up to now, Datadog Security Monitoring has been supporting one common type of rule whose Terraform schema is
This schema is not modified for existing rule type.
On the other hand, signal correlation rules will have a similar schema which will differ by its queries and its type:
A check was implemented in Terraform to prevent users from having two populated lists (i.e.
queryandsignal_query).correlated_query_indexIn spite of being an index (thus an integer), the Terraform Schema uses a string to represent it because this value can be empty.
Having:
correlated_query_index=0: Means correlate on the projected attributes of the first query of the correlated rulecorrelated_query_index="": Means correlate on the non-projected per query attribute of the correlated rule.Since
TypeIntobject does not support anilvalue as a Default value, we decided to use a string which is converted to an integer if it is not empty.