DataDog · QuentinGuillard · Feb 25, 2025
@@ -27,6 +27,7 @@ type csmThreatsMultiPolicyAgentRuleModel struct {
 	Description types.String `tfsdk:"description"`
 	Enabled     types.Bool   `tfsdk:"enabled"`
 	Expression  types.String `tfsdk:"expression"`
+	ProductTags types.Set    `tfsdk:"product_tags"`
 }
 
 func NewCSMThreatsMultiPolicyAgentRuleResource() resource.Resource {
@@ -75,6 +76,11 @@ func (r *csmThreatsMultiPolicyAgentRuleResource) Schema(_ context.Context, _ res
 					stringplanmodifier.RequiresReplace(),
 				},
 			},
+			"product_tags": schema.SetAttribute{
+				Optional:    true,
+				ElementType: types.StringType,
+				Description: "The list of product tags associated with the rule",
+			},
 		},
 	}
 }
@@ -198,42 +204,54 @@ func (r *csmThreatsMultiPolicyAgentRuleResource) Delete(ctx context.Context, req
 }
 
 func (r *csmThreatsMultiPolicyAgentRuleResource) buildCreateCSMThreatsAgentRulePayload(state *csmThreatsMultiPolicyAgentRuleModel) (*datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest, error) {
-	_, policyId, name, description, enabled, expression := r.extractAgentRuleAttributesFromResource(state)
+	_, policyId, name, description, enabled, expression, productTags := r.extractAgentRuleAttributesFromResource(state)
 
 	attributes := datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{}
 	attributes.Expression = expression
 	attributes.Name = name
 	attributes.Description = description
 	attributes.Enabled = &enabled
 	attributes.PolicyId = &policyId
+	attributes.ProductTags = productTags
 
 	data := datadogV2.NewCloudWorkloadSecurityAgentRuleCreateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE)
 	return datadogV2.NewCloudWorkloadSecurityAgentRuleCreateRequest(*data), nil
 }
 
 func (r *csmThreatsMultiPolicyAgentRuleResource) buildUpdateCSMThreatsAgentRulePayload(state *csmThreatsMultiPolicyAgentRuleModel) (*datadogV2.CloudWorkloadSecurityAgentRuleUpdateRequest, error) {
-	agentRuleId, policyId, _, description, enabled, _ := r.extractAgentRuleAttributesFromResource(state)
+	agentRuleId, policyId, _, description, enabled, _, productTags := r.extractAgentRuleAttributesFromResource(state)
 
 	attributes := datadogV2.CloudWorkloadSecurityAgentRuleUpdateAttributes{}
 	attributes.Description = description
 	attributes.Enabled = &enabled
 	attributes.PolicyId = &policyId
+	attributes.ProductTags = productTags
 
 	data := datadogV2.NewCloudWorkloadSecurityAgentRuleUpdateData(attributes, datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE)
 	data.Id = &agentRuleId
 	return datadogV2.NewCloudWorkloadSecurityAgentRuleUpdateRequest(*data), nil
 }
 
-func (r *csmThreatsMultiPolicyAgentRuleResource) extractAgentRuleAttributesFromResource(state *csmThreatsMultiPolicyAgentRuleModel) (string, string, string, *string, bool, string) {
+func (r *csmThreatsMultiPolicyAgentRuleResource) extractAgentRuleAttributesFromResource(state *csmThreatsMultiPolicyAgentRuleModel) (string, string, string, *string, bool, string, []string) {
 	// Mandatory fields
 	id := state.Id.ValueString()
 	policyId := state.PolicyId.ValueString()
 	name := state.Name.ValueString()
 	enabled := state.Enabled.ValueBool()
 	expression := state.Expression.ValueString()
 	description := state.Description.ValueStringPointer()
+	var productTags []string
+	if !state.ProductTags.IsNull() && !state.ProductTags.IsUnknown() {
+		for _, tag := range state.ProductTags.Elements() {
+			tagStr, ok := tag.(types.String)
+			if !ok {
+				return "", "", "", nil, false, "", nil
+			}
+			productTags = append(productTags, tagStr.ValueString())
+		}
+	}
 
-	return id, policyId, name, description, enabled, expression
+	return id, policyId, name, description, enabled, expression, productTags
 }
 
 func (r *csmThreatsMultiPolicyAgentRuleResource) updateStateFromResponse(ctx context.Context, state *csmThreatsMultiPolicyAgentRuleModel, res *datadogV2.CloudWorkloadSecurityAgentRuleResponse) {
@@ -245,4 +263,5 @@ func (r *csmThreatsMultiPolicyAgentRuleResource) updateStateFromResponse(ctx con
 	state.Description = types.StringValue(attributes.GetDescription())
 	state.Enabled = types.BoolValue(attributes.GetEnabled())
 	state.Expression = types.StringValue(attributes.GetExpression())
+	state.ProductTags, _ = types.SetValueFrom(ctx, types.StringType, attributes.GetProductTags())
 }
@@ -45,6 +45,7 @@ resource "datadog_cloud_workload_security_agent_rule" "acceptance_test" {
     description = "an agent rule"
     enabled = "true"
 	expression = "exec.file.name == \"java\""
+	product_tags = ["compliance_framework:PCI-DSS"]
 }
 `, name)
 }
@@ -60,6 +61,8 @@ func testAccCheckDatadogCloudWorkloadSecurityAgentRuleCreatedCheck(accProvider f
 			tfAgentRuleName, "enabled", "true"),
 		resource.TestCheckResourceAttr(
 			tfAgentRuleName, "expression", "exec.file.name == \"java\""),
+		resource.TestCheckResourceAttr(
+			tfAgentRuleName, "product_tags", "compliance_framework:PCI-DSS"),
 	)
 }
 
@@ -70,6 +73,7 @@ resource "datadog_cloud_workload_security_agent_rule" "acceptance_test" {
     description = "a new agent rule"
     enabled = "false"
 	expression = "exec.file.name == \"go\""
+	product_tags = ["compliance_framework:ISO-27799"]
 }
 `, name)
 }
@@ -85,6 +89,8 @@ func testAccCheckDatadogCloudWorkloadSecurityAgentRuleUpdatedCheck(accProvider f
 			tfAgentRuleName, "enabled", "false"),
 		resource.TestCheckResourceAttr(
 			tfAgentRuleName, "expression", "exec.file.name == \"go\""),
+		resource.TestCheckResourceAttr(
+			tfAgentRuleName, "product_tags", "compliance_framework:ISO-27799"),
 	)
 }
 

@@ -30,6 +30,7 @@ func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) {
 					enabled           = true
 					description       = "im a rule"
 					expression 		  = "open.file.name == \"etc/shadow/password\""
+					product_tags      = ["compliance_framework:PCI-DSS"]
 				}
 				`, agentRuleName),
 				Check: resource.ComposeTestCheckFunc(
@@ -39,6 +40,7 @@ func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) {
 						agentRuleName,
 						"im a rule",
 						"open.file.name == \"etc/shadow/password\"",
+						"[\"compliance_framework:PCI-DSS\"]",
 					),
 				),
 			},
@@ -50,6 +52,7 @@ func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) {
 					enabled           = true
 					description       = "updated agent rule for terraform provider test"
 					expression 		  = "open.file.name == \"etc/shadow/password\""
+					product_tags      = "compliance_framework:ISO-27799"
 				}
 				`, agentRuleName),
 				Check: resource.ComposeTestCheckFunc(
@@ -59,19 +62,21 @@ func TestAccCSMThreatsAgentRule_CreateAndUpdate(t *testing.T) {
 						agentRuleName,
 						"updated agent rule for terraform provider test",
 						"open.file.name == \"etc/shadow/password\"",
+						"[\"compliance_framework:ISO-27799\"]",
 					),
 				),
 			},
 		},
 	})
 }
 
-func checkCSMThreatsAgentRuleContent(resourceName string, name string, description string, expression string) resource.TestCheckFunc {
+func checkCSMThreatsAgentRuleContent(resourceName string, name string, description string, expression string, product_tags string) resource.TestCheckFunc {
 	return resource.ComposeTestCheckFunc(
 		resource.TestCheckResourceAttr(resourceName, "name", name),
 		resource.TestCheckResourceAttr(resourceName, "description", description),
 		resource.TestCheckResourceAttr(resourceName, "enabled", "true"),
 		resource.TestCheckResourceAttr(resourceName, "expression", expression),
+		resource.TestCheckResourceAttr(resourceName, "product_tags", product_tags),
 	)
 }
 

@@ -49,6 +49,7 @@ func TestAccCSMThreatsMultiPolicyAgentRule_CreateAndUpdate(t *testing.T) {
 					enabled           = true
 					description       = "im a rule"
 					expression 		  = "open.file.name == \"etc/shadow/password\""
+					product_tags      = ["compliance_framework:PCI-DSS"]
 				}
 				`, policyConfig, agentRuleName),
 				Check: resource.ComposeTestCheckFunc(
@@ -58,6 +59,7 @@ func TestAccCSMThreatsMultiPolicyAgentRule_CreateAndUpdate(t *testing.T) {
 						agentRuleName,
 						"im a rule",
 						"open.file.name == \"etc/shadow/password\"",
+						"[\"compliance_framework:PCI-DSS\"]",
 					),
 				),
 			},
@@ -71,6 +73,7 @@ func TestAccCSMThreatsMultiPolicyAgentRule_CreateAndUpdate(t *testing.T) {
 					enabled           = true
 					description       = "updated agent rule for terraform provider test"
 					expression 		  = "open.file.name == \"etc/shadow/password\""
+					product_tags      = ["compliance_framework:ISO-27799"]
 				}
 				`, policyConfig, agentRuleName),
 				Check: resource.ComposeTestCheckFunc(
@@ -80,6 +83,7 @@ func TestAccCSMThreatsMultiPolicyAgentRule_CreateAndUpdate(t *testing.T) {
 						agentRuleName,
 						"updated agent rule for terraform provider test",
 						"open.file.name == \"etc/shadow/password\"",
+						"[\"compliance_framework:ISO-27799\"]",
 					),
 				),
 			},

@@ -25,6 +25,7 @@ Provides a Datadog CSM Threats Agent Rule API resource.
 ### Optional
 
 - `description` (String) A description for the Agent rule.
+- `product_tags` (Set of String) The list of product tags associated with the rule
 
 ### Read-Only