[Cloud Security] [Agentless] Add the creation of an agentless agent v…

…ia Agentless API in the GHA Create Environment (new) (#2493)

.github/workflows/test-environment.yml

@@ -30,13 +30,13 @@ on:
         description: "Provide the full Docker image path to override the default image (e.g. for testing BC/SNAPSHOT)"
         type: string
       run-sanity-tests:
-          description: "Run sanity tests after provision"
-          default: false
-          type: boolean
+        description: "Run sanity tests after provision"
+        default: false
+        type: boolean
       run-ui-sanity-tests:
-          description: "Run UI sanity tests after provision"
-          default: false
-          type: boolean
+        description: "Run UI sanity tests after provision"
+        default: false
+        type: boolean
       kibana_ref:
         description: "Kibana branch, tag, or commit SHA to check out the UI sanity tests from"
         required: false
@@ -81,9 +81,9 @@ on:
         default: false
         type: boolean
       run-ui-sanity-tests:
-          description: "Run UI sanity tests after provision"
-          default: false
-          type: boolean
+        description: "Run UI sanity tests after provision"
+        default: false
+        type: boolean
       kibana_ref:
         description: "Kibana branch, tag, or commit SHA to check out the UI sanity tests from"
         required: false
@@ -134,15 +134,15 @@ jobs:
       TF_VAR_ess_region: ${{ inputs.ess-region }}
       DEPLOYMENT_NAME: ${{ inputs.deployment_name }}
       TF_VAR_serverless_mode: ${{ inputs.serverless_mode }}
-      TEST_AGENTLESS: false # Change to true when creating an Agentless policy
+      TEST_AGENTLESS: true
       S3_BASE_BUCKET: "s3://tf-state-bucket-test-infra"
       S3_BUCKET_URL: "https://s3.console.aws.amazon.com/s3/buckets/tf-state-bucket-test-infra"
       DOCKER_IMAGE_OVERRIDE: ${{ inputs.docker-image-override }}
       CNVM_STACK_NAME: "${{ inputs.deployment_name }}-cnvm-sanity-test-stack"
     # Add "id-token" with the intended permissions.
     permissions:
-      contents: 'read'
-      id-token: 'write'
+      contents: "read"
+      id-token: "write"
     outputs:
       deploy-s3-bucket: ${{ steps.upload-state.outputs.s3-bucket-folder }}
       aws-cnvm-stack-name: ${{ steps.upload-state.outputs.aws-cnvm-stack }}
@@ -230,7 +230,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.9'
+          python-version: "3.9"
 
       - name: Install Poetry
         run: |

tests/integrations_setup/install_agentless_integrations.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 """
-This script installs CSPM integrations on the 'Agentless' agent policy.
+This script installs CSPM integrations for Agentless agents.
 The following steps are performed:
 1. Create a CSPM AWS integration.
 2. Create a CSPM Azure integration.
@@ -10,15 +10,10 @@
 import json
 
 import configuration_fleet as cnfg
+from fleet_api.agent_policy_api import create_agent_policy
 from fleet_api.package_policy_api import create_cspm_integration
 from loguru import logger
-from package_policy import (
-    generate_package_policy,
-    generate_policy_template,
-    generate_random_name,
-)
-
-AGENT_POLICY_ID = "agentless"
+from package_policy import generate_policy_template, generate_random_name, load_data
 
 
 def generate_aws_integration_data():
@@ -84,23 +79,34 @@ def generate_gcp_integration_data():
         generate_azure_integration_data(),
         generate_gcp_integration_data(),
     ]
-    cspm_template = generate_policy_template(cfg=cnfg.elk_config, stream_prefix="cloud_security_posture")
+    cspm_template = generate_policy_template(
+        cfg=cnfg.elk_config,
+        stream_prefix="cloud_security_posture",
+    )
     for integration_data in integrations:
-        NAME = integration_data["name"]
-        logger.info(f"Creating {NAME} integration for policy {AGENT_POLICY_ID}")
-        package_policy = generate_package_policy(
-            cspm_template,
-            integration_data,
+        INTEGRATION_NAME = integration_data["name"]
+        AGENTLESS_INPUT = {
+            "name": f"Agentless policy for {INTEGRATION_NAME}",
+            "supports_agentless": True,
+        }
+
+        logger.info(f"Starting installation of agentless-agent {INTEGRATION_NAME} integration.")
+        agent_data, package_data = load_data(
+            cfg=cnfg.elk_config,
+            agent_input=AGENTLESS_INPUT,
+            package_input=integration_data,
             stream_name="cloud_security_posture.findings",
         )
-        package_policy["force"] = True
 
-        logger.info(f"Creating {package_policy}")
+        logger.info("Create agentless-agent policy")
+        agent_policy_id = create_agent_policy(cfg=cnfg.elk_config, json_policy=agent_data)
 
-        create_cspm_integration(
+        logger.info(f"Create agentless-agent {INTEGRATION_NAME} integration")
+        package_policy_id = create_cspm_integration(
             cfg=cnfg.elk_config,
-            pkg_policy=package_policy,
-            agent_policy_id=AGENT_POLICY_ID,
+            pkg_policy=package_data,
+            agent_policy_id=agent_policy_id,
             cspm_data={},
         )
-        logger.info(f"Installation of {NAME} integration is done")
+
+        logger.info(f"Installation of {INTEGRATION_NAME} integration is done")

tests/integrations_setup/package_policy.py

@@ -217,6 +217,8 @@ def load_data(
     logger.info("Loading agent and package policies")
     agent_policy = SIMPLIFIED_AGENT_POLICY
     agent_policy["name"] = agent_input.get("name", "")
+    agent_policy["supports_agentless"] = bool(agent_input.get("supports_agentless"))
+
     stream_prefix = stream_name.split(".")[0]
     if package_name:
         package_template = generate_policy_template(