[datadog_agentless_scanning_gcp_scan_options] Add Terraform provider for GCP scan options (#3321)

feat(agentless): implement gcp scan options tf provider

add(agentless): register the new resource in fwprovider/framework_provider

fix(agentless): fix gcp project id validation

test(agentless): test gcp scan options tf provider

docs(agentless): generate docs

test(agentless): generate cassettes

docs(agentless): fix gcp nutshell

perf(agentless): replace listScanOptions with getScanOptions

style(agentless): update the gcp project id field description

Co-authored-by: DeForest Richards <[email protected]>

docs(agentless-gcp): regenerate docs

test(agentless-gcp): regenerate cassettes

test(agentless-gcp): regenerate cassettes for TestAccDatadogAgentlessScanningGcpScanOptions_InvalidProjectID

Co-authored-by: mohamed.challal <[email protected]>

Author: mohamed-challal

datadog/fwprovider/framework_provider.go

@@ -32,6 +32,7 @@ var _ provider.Provider = &FrameworkProvider{}
 
 var Resources = []func() resource.Resource{
 	NewAgentlessScanningAwsScanOptionsResource,
+	NewAgentlessScanningGcpScanOptionsResource,
 	NewOpenapiApiResource,
 	NewAPIKeyResource,
 	NewApplicationKeyResource,

datadog/fwprovider/resource_datadog_agentless_scanning_gcp_scan_options.go

@@ -0,0 +1,210 @@
+package fwprovider
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+
+	"github.com/terraform-providers/terraform-provider-datadog/datadog/internal/utils"
+)
+
+var (
+	_ resource.ResourceWithConfigure = &agentlessScanningGcpScanOptionsResource{}
+)
+
+type agentlessScanningGcpScanOptionsResource struct {
+	Api  *datadogV2.AgentlessScanningApi
+	Auth context.Context
+}
+
+type agentlessScanningGcpScanOptionsResourceModel struct {
+	ID               types.String `tfsdk:"id"`
+	GcpProjectId     types.String `tfsdk:"gcp_project_id"`
+	VulnContainersOs types.Bool   `tfsdk:"vuln_containers_os"`
+	VulnHostOs       types.Bool   `tfsdk:"vuln_host_os"`
+}
+
+func NewAgentlessScanningGcpScanOptionsResource() resource.Resource {
+	return &agentlessScanningGcpScanOptionsResource{}
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) Configure(_ context.Context, request resource.ConfigureRequest, response *resource.ConfigureResponse) {
+	providerData := request.ProviderData.(*FrameworkProvider)
+	r.Api = providerData.DatadogApiInstances.GetAgentlessScanningApiV2()
+	r.Auth = providerData.Auth
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) Metadata(_ context.Context, request resource.MetadataRequest, response *resource.MetadataResponse) {
+	response.TypeName = "agentless_scanning_gcp_scan_options"
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) Schema(_ context.Context, _ resource.SchemaRequest, response *resource.SchemaResponse) {
+	response.Schema = schema.Schema{
+		Description: "Provides a Datadog Agentless Scanning GCP scan options resource. This can be used to activate and configure Agentless scan options for a GCP project.",
+		Attributes: map[string]schema.Attribute{
+			// Resource ID
+			"id": utils.ResourceIDAttribute(),
+			"gcp_project_id": schema.StringAttribute{
+				Description: "The GCP project ID for which agentless scanning is configured.",
+				Required:    true,
+				Validators: []validator.String{
+					stringvalidator.RegexMatches(
+						regexp.MustCompile(`^[a-z]([a-z0-9-]{4,28}[a-z0-9])?$`),
+						"must be a valid GCP project ID: 6–30 characters, start with a lowercase letter, and include only lowercase letters, digits, or hyphens.",
+					),
+				},
+			},
+			"vuln_containers_os": schema.BoolAttribute{
+				Description: "Indicates if scanning for vulnerabilities in containers is enabled.",
+				Required:    true,
+			},
+			"vuln_host_os": schema.BoolAttribute{
+				Description: "Indicates if scanning for vulnerabilities in hosts is enabled.",
+				Required:    true,
+			},
+		},
+	}
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) Create(ctx context.Context, request resource.CreateRequest, response *resource.CreateResponse) {
+	var state agentlessScanningGcpScanOptionsResourceModel
+	response.Diagnostics.Append(request.Plan.Get(ctx, &state)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	body := datadogV2.GcpScanOptions{
+		Data: &datadogV2.GcpScanOptionsData{
+			Id:   state.GcpProjectId.ValueString(),
+			Type: datadogV2.GCPSCANOPTIONSDATATYPE_GCP_SCAN_OPTIONS,
+			Attributes: &datadogV2.GcpScanOptionsDataAttributes{
+				VulnContainersOs: boolPtr(state.VulnContainersOs.ValueBool()),
+				VulnHostOs:       boolPtr(state.VulnHostOs.ValueBool()),
+			},
+		},
+	}
+
+	gcpScanOptionsResponse, _, err := r.Api.CreateGcpScanOptions(r.Auth, body)
+	if err != nil {
+		response.Diagnostics.AddError("Error creating GCP scan options", err.Error())
+		return
+	}
+
+	r.updateStateFromResponse(&state, gcpScanOptionsResponse)
+	// Set the Terraform resource ID to the GCP project ID
+	state.ID = types.StringValue(state.GcpProjectId.ValueString())
+
+	response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) Read(ctx context.Context, request resource.ReadRequest, response *resource.ReadResponse) {
+	var state agentlessScanningGcpScanOptionsResourceModel
+	response.Diagnostics.Append(request.State.Get(ctx, &state)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	projectID := state.GcpProjectId.ValueString()
+
+	gcpScanOptionsResponse, _, err := r.Api.GetGcpScanOptions(r.Auth, projectID)
+	if err != nil {
+		response.Diagnostics.AddError("Error reading GCP scan options", err.Error())
+		return
+	}
+
+	r.updateStateFromScanOptionsData(&state, *gcpScanOptionsResponse.Data)
+	// Set the Terraform resource ID to the GCP project ID
+	state.ID = types.StringValue(state.GcpProjectId.ValueString())
+
+	response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) Update(ctx context.Context, request resource.UpdateRequest, response *resource.UpdateResponse) {
+	var state agentlessScanningGcpScanOptionsResourceModel
+	response.Diagnostics.Append(request.Plan.Get(ctx, &state)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	projectID := state.GcpProjectId.ValueString()
+
+	body := datadogV2.GcpScanOptionsInputUpdate{
+		Data: &datadogV2.GcpScanOptionsInputUpdateData{
+			Id:   state.GcpProjectId.ValueString(),
+			Type: datadogV2.GCPSCANOPTIONSINPUTUPDATEDATATYPE_GCP_SCAN_OPTIONS,
+			Attributes: &datadogV2.GcpScanOptionsInputUpdateDataAttributes{
+				VulnContainersOs: boolPtr(state.VulnContainersOs.ValueBool()),
+				VulnHostOs:       boolPtr(state.VulnHostOs.ValueBool()),
+			},
+		},
+	}
+
+	_, res, err := r.Api.UpdateGcpScanOptions(r.Auth, projectID, body)
+	if err != nil {
+		errorMsg := "Error updating GCP scan options"
+		if res != nil {
+			errorMsg += fmt.Sprintf(". API response: %s", res.Body)
+		}
+		response.Diagnostics.AddError(errorMsg, err.Error())
+		return
+	}
+
+	// After update, we need to read the current state since the API doesn't return the updated object
+	readReq := resource.ReadRequest{State: response.State}
+	readResp := resource.ReadResponse{State: response.State, Diagnostics: diag.Diagnostics{}}
+
+	// Set the state with current values before reading
+	response.Diagnostics.Append(response.State.Set(ctx, &state)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	r.Read(ctx, readReq, &readResp)
+	response.Diagnostics.Append(readResp.Diagnostics...)
+	response.State = readResp.State
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) Delete(ctx context.Context, request resource.DeleteRequest, response *resource.DeleteResponse) {
+	var state agentlessScanningGcpScanOptionsResourceModel
+	response.Diagnostics.Append(request.State.Get(ctx, &state)...)
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	projectID := state.GcpProjectId.ValueString()
+
+	_, err := r.Api.DeleteGcpScanOptions(r.Auth, projectID)
+	if err != nil {
+		response.Diagnostics.AddError("Error deleting GCP scan options", err.Error())
+		return
+	}
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) ImportState(ctx context.Context, request resource.ImportStateRequest, response *resource.ImportStateResponse) {
+	// Import the GCP project ID as both the Terraform resource ID and the gcp_project_id attribute
+	resource.ImportStatePassthroughID(ctx, path.Root("id"), request, response)
+	// Also set the gcp_project_id to the same value
+	response.Diagnostics.Append(response.State.SetAttribute(ctx, path.Root("gcp_project_id"), request.ID)...)
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) updateStateFromResponse(state *agentlessScanningGcpScanOptionsResourceModel, resp datadogV2.GcpScanOptions) {
+	data := resp.GetData()
+	r.updateStateFromScanOptionsData(state, data)
+}
+
+func (r *agentlessScanningGcpScanOptionsResource) updateStateFromScanOptionsData(state *agentlessScanningGcpScanOptionsResourceModel, data datadogV2.GcpScanOptionsData) {
+	state.GcpProjectId = types.StringValue(data.GetId())
+
+	attributes := data.GetAttributes()
+	state.VulnContainersOs = types.BoolValue(attributes.GetVulnContainersOs())
+	state.VulnHostOs = types.BoolValue(attributes.GetVulnHostOs())
+}

datadog/tests/cassettes/TestAccDatadogAgentlessScanningGcpScanOptions_Basic.freeze

@@ -0,0 +1 @@
+2025-11-07T00:42:26.032946+01:00

datadog/tests/cassettes/TestAccDatadogAgentlessScanningGcpScanOptions_Basic.yaml

@@ -0,0 +1,169 @@
+---
+version: 2
+interactions:
+    - id: 0
+      request:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        content_length: 118
+        transfer_encoding: []
+        trailer: {}
+        host: api.datadoghq.com
+        remote_addr: ""
+        request_uri: ""
+        body: |
+            {"data":{"attributes":{"vuln_containers_os":true,"vuln_host_os":true},"id":"test-project","type":"gcp_scan_options"}}
+        form: {}
+        headers:
+            Accept:
+                - application/json
+            Content-Type:
+                - application/json
+        url: https://api.datadoghq.com/api/v2/agentless_scanning/accounts/gcp
+        method: POST
+      response:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        transfer_encoding: []
+        trailer: {}
+        content_length: 117
+        uncompressed: false
+        body: '{"data":{"id":"test-project","type":"gcp_scan_options","attributes":{"vuln_containers_os":true,"vuln_host_os":true}}}'
+        headers:
+            Content-Type:
+                - application/vnd.api+json
+        status: 201 Created
+        code: 201
+        duration: 839.950875ms
+    - id: 1
+      request:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        content_length: 0
+        transfer_encoding: []
+        trailer: {}
+        host: api.datadoghq.com
+        remote_addr: ""
+        request_uri: ""
+        body: ""
+        form: {}
+        headers:
+            Accept:
+                - application/json
+        url: https://api.datadoghq.com/api/v2/agentless_scanning/accounts/gcp
+        method: GET
+      response:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        transfer_encoding: []
+        trailer: {}
+        content_length: 119
+        uncompressed: false
+        body: '{"data":[{"id":"test-project","type":"gcp_scan_options","attributes":{"vuln_containers_os":true,"vuln_host_os":true}}]}'
+        headers:
+            Content-Type:
+                - application/vnd.api+json
+        status: 200 OK
+        code: 200
+        duration: 259.589417ms
+    - id: 2
+      request:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        content_length: 0
+        transfer_encoding: []
+        trailer: {}
+        host: api.datadoghq.com
+        remote_addr: ""
+        request_uri: ""
+        body: ""
+        form: {}
+        headers:
+            Accept:
+                - application/json
+        url: https://api.datadoghq.com/api/v2/agentless_scanning/accounts/gcp/test-project
+        method: GET
+      response:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        transfer_encoding: []
+        trailer: {}
+        content_length: 117
+        uncompressed: false
+        body: '{"data":{"id":"test-project","type":"gcp_scan_options","attributes":{"vuln_containers_os":true,"vuln_host_os":true}}}'
+        headers:
+            Content-Type:
+                - application/vnd.api+json
+        status: 200 OK
+        code: 200
+        duration: 180.8215ms
+    - id: 3
+      request:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        content_length: 0
+        transfer_encoding: []
+        trailer: {}
+        host: api.datadoghq.com
+        remote_addr: ""
+        request_uri: ""
+        body: ""
+        form: {}
+        headers:
+            Accept:
+                - '*/*'
+        url: https://api.datadoghq.com/api/v2/agentless_scanning/accounts/gcp/test-project
+        method: DELETE
+      response:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        transfer_encoding: []
+        trailer: {}
+        content_length: 0
+        uncompressed: false
+        body: ""
+        headers: {}
+        status: 204 No Content
+        code: 204
+        duration: 233.299417ms
+    - id: 4
+      request:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        content_length: 0
+        transfer_encoding: []
+        trailer: {}
+        host: api.datadoghq.com
+        remote_addr: ""
+        request_uri: ""
+        body: ""
+        form: {}
+        headers:
+            Accept:
+                - application/json
+        url: https://api.datadoghq.com/api/v2/agentless_scanning/accounts/gcp
+        method: GET
+      response:
+        proto: HTTP/1.1
+        proto_major: 1
+        proto_minor: 1
+        transfer_encoding: []
+        trailer: {}
+        content_length: 11
+        uncompressed: false
+        body: '{"data":[]}'
+        headers:
+            Content-Type:
+                - application/vnd.api+json
+        status: 200 OK
+        code: 200
+        duration: 223.779208ms

datadog/tests/cassettes/TestAccDatadogAgentlessScanningGcpScanOptions_Import.freeze

@@ -0,0 +1 @@
+2025-11-06T16:33:46.401715+01:00