chore(wls): Add Windows support (#43609)

### What does this PR do?
- Supports APM Workload Selection on Windows by adding `dd-compile-policy.exe` to the build
- Fixes an issue in the Windows `InstallPath` variable, not matching the actual file hierarchy

### Motivation
Making workload Selection work on Windows

### Describe how you validated your changes
Manual QA on a VM

### Additional Notes


Co-authored-by: baptiste.foy <baptiste.foy@datadoghq.com>

Author: BaptisteFoy

comp/workloadselection/impl/workloadselection.go

@@ -7,11 +7,9 @@
 package workloadselectionimpl
 
 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"sort"
@@ -26,8 +24,7 @@ import (
 )
 
 var (
-	configPath                  = filepath.Join(config.DefaultConfPath, "managed", "rc-orgwide-wls-policy.bin")
-	ddPolicyCompileRelativePath = filepath.Join("embedded", "bin", "dd-compile-policy")
+	configPath = filepath.Join(config.DefaultConfPath, "managed", "rc-orgwide-wls-policy.bin")
 	// Pattern to extract policy ID from config path: datadog/\d+/<product>/<config_id>/<hash>
 	policyIDPattern = regexp.MustCompile(`^datadog/\d+/[^/]+/([^/]+)/`)
 	// Pattern to extract numeric prefix from policy ID: N.<name>
@@ -78,36 +75,6 @@ type workloadselectionComponent struct {
 	config config.Component
 }
 
-// isCompilePolicyBinaryAvailable checks if the compile policy binary is available
-// and executable
-func (c *workloadselectionComponent) isCompilePolicyBinaryAvailable() bool {
-	compilePath := filepath.Join(getInstallPath(), ddPolicyCompileRelativePath)
-	info, err := os.Stat(compilePath)
-	if err != nil {
-		if !os.IsNotExist(err) {
-			c.log.Warnf("failed to stat APM workload selection compile policy binary: %v", err)
-		}
-		return false
-	}
-	return info.Mode().IsRegular() && info.Mode()&0111 != 0
-}
-
-// compilePolicyBinary compiles the policy binary into a binary file
-// readable by the injector
-func (c *workloadselectionComponent) compileAndWriteConfig(rawConfig []byte) error {
-	if err := os.MkdirAll(filepath.Dir(configPath), 0755); err != nil {
-		return err
-	}
-	cmd := exec.Command(filepath.Join(getInstallPath(), ddPolicyCompileRelativePath), "--input-string", string(rawConfig), "--output-file", configPath)
-	var stdoutBuf, stderrBuf bytes.Buffer
-	cmd.Stdout = &stdoutBuf
-	cmd.Stderr = &stderrBuf
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("error executing dd-policy-compile (%w); out: '%s'; err: '%s'", err, stdoutBuf.String(), stderrBuf.String())
-	}
-	return nil
-}
-
 // policyConfig represents a config with its ordering information
 type policyConfig struct {
 	path   string

comp/workloadselection/impl/workloadselection_unix.go

@@ -0,0 +1,52 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025-present Datadog, Inc.
+
+//go:build !windows
+
+package workloadselectionimpl
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+// getCompilePolicyBinaryPath returns the full path to the compile policy binary on Unix
+func getCompilePolicyBinaryPath() string {
+	return filepath.Join(getInstallPath(), "embedded", "bin", "dd-compile-policy")
+}
+
+// isCompilePolicyBinaryAvailable checks if the compile policy binary is available
+// and executable on Unix systems
+func (c *workloadselectionComponent) isCompilePolicyBinaryAvailable() bool {
+	compilePath := getCompilePolicyBinaryPath()
+	info, err := os.Stat(compilePath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			c.log.Warnf("failed to stat APM workload selection compile policy binary: %v", err)
+		}
+		return false
+	}
+	// On Unix, check for executable bits
+	return info.Mode().IsRegular() && info.Mode()&0111 != 0
+}
+
+// compileAndWriteConfig compiles the policy binary into a binary file readable by the injector
+// On Unix systems, uses standard 0755 permissions for the directory
+func (c *workloadselectionComponent) compileAndWriteConfig(rawConfig []byte) error {
+	if err := os.MkdirAll(filepath.Dir(configPath), 0755); err != nil {
+		return err
+	}
+	cmd := exec.Command(getCompilePolicyBinaryPath(), "--input-string", string(rawConfig), "--output-file", configPath)
+	var stdoutBuf, stderrBuf bytes.Buffer
+	cmd.Stdout = &stdoutBuf
+	cmd.Stderr = &stderrBuf
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("error executing dd-policy-compile (%w); out: '%s'; err: '%s'", err, stdoutBuf.String(), stderrBuf.String())
+	}
+	return nil
+}

comp/workloadselection/impl/workloadselection_windows.go

@@ -0,0 +1,95 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025-present Datadog, Inc.
+
+//go:build windows
+
+package workloadselectionimpl
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"golang.org/x/sys/windows"
+)
+
+// getCompilePolicyBinaryPath returns the full path to the compile policy binary on Windows
+func getCompilePolicyBinaryPath() string {
+	return filepath.Join(getInstallPath(), "bin", "dd-compile-policy.exe")
+}
+
+// isCompilePolicyBinaryAvailable checks if the compile policy binary is available
+// on Windows systems
+func (c *workloadselectionComponent) isCompilePolicyBinaryAvailable() bool {
+	compilePath := getCompilePolicyBinaryPath()
+	info, err := os.Stat(compilePath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			c.log.Warnf("failed to stat APM workload selection compile policy binary: %v", err)
+		}
+		return false
+	}
+	// On Windows, check that it's a regular file (not a directory)
+	return info.Mode().IsRegular()
+}
+
+// setFileReadableByEveryone sets the DACL on a file to allow:
+// - Current owner (ddagentuser): Full Control
+// - SYSTEM: Full Control
+// - Administrators: Full Control
+// - Everyone: Read and Execute
+// The owner is NOT changed - it remains as ddagentuser
+func setFileReadableByEveryone(path string) error {
+	// Create an SDDL with only the DACL part (no Owner/Group)
+	// D:AI - DACL, Auto-Inherit.
+	//        "Inherit permissions from the parent folder (System/Admins usually)."
+	// (A;;GRGX;;;WD) - Allow Generic Read + Generic Execute to Everyone (World Domain).
+	sddl := "D:AI(A;;GRGX;;;WD)"
+
+	sd, err := windows.SecurityDescriptorFromString(sddl)
+	if err != nil {
+		return fmt.Errorf("failed to create security descriptor: %w", err)
+	}
+
+	dacl, _, err := sd.DACL()
+	if err != nil {
+		return fmt.Errorf("failed to get DACL: %w", err)
+	}
+
+	// Only set the DACL, don't touch owner or group
+	return windows.SetNamedSecurityInfo(
+		path,
+		windows.SE_FILE_OBJECT,
+		windows.DACL_SECURITY_INFORMATION|windows.PROTECTED_DACL_SECURITY_INFORMATION,
+		nil,  // owner - leave unchanged
+		nil,  // group - leave unchanged
+		dacl, // DACL - set this
+		nil,  // SACL - leave unchanged
+	)
+}
+
+// compileAndWriteConfig compiles the policy binary into a binary file readable by the injector
+// On Windows, sets ACLs to allow Everyone read+execute access while keeping ddagentuser as owner
+func (c *workloadselectionComponent) compileAndWriteConfig(rawConfig []byte) error {
+	dir := filepath.Dir(configPath)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return err
+	}
+	cmd := exec.Command(getCompilePolicyBinaryPath(), "--input-string", string(rawConfig), "--output-file", configPath)
+	var stdoutBuf, stderrBuf bytes.Buffer
+	cmd.Stdout = &stdoutBuf
+	cmd.Stderr = &stderrBuf
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("error executing dd-policy-compile (%w); out: '%s'; err: '%s'", err, stdoutBuf.String(), stderrBuf.String())
+	}
+	// Set permissions on the file to allow Everyone read+execute access
+	// We keep the current owner (ddagentuser) and only modify the DACL
+	if err := setFileReadableByEveryone(configPath); err != nil {
+		return fmt.Errorf("failed to set permissions on file %s: %w", configPath, err)
+	}
+	return nil
+}

…ion/impl/workloadselection_linux_test.go …n/impl/workloadselection_withbin_test.gocomp/workloadselection/impl/workloadselection_linux_test.go renamed to comp/workloadselection/impl/workloadselection_withbin_test.go comp/workloadselection/impl/workloadselection_linux_test.go renamed to comp/workloadselection/impl/workloadselection_withbin_test.go

@@ -3,13 +3,14 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2025-present Datadog, Inc.
 
-//go:build linux
+//go:build linux || windows
 
 package workloadselectionimpl
 
 import (
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -20,6 +21,14 @@ import (
 	"github.com/DataDog/datadog-agent/pkg/remoteconfig/state"
 )
 
+// getBinaryPath returns the correct binary path based on the platform
+func getBinaryPath(tempDir string) string {
+	if runtime.GOOS == "windows" {
+		return filepath.Join(tempDir, "bin", "dd-compile-policy.exe")
+	}
+	return filepath.Join(tempDir, "embedded", "bin", "dd-compile-policy")
+}
+
 // TestNewComponent tests the component initialization
 func TestNewComponent(t *testing.T) {
 	tests := []struct {
@@ -62,7 +71,7 @@ func TestNewComponent(t *testing.T) {
 
 			// Create binary if needed
 			if tt.setupBinary {
-				binaryPath := filepath.Join(tempDir, ddPolicyCompileRelativePath)
+				binaryPath := getBinaryPath(tempDir)
 				require.NoError(t, os.MkdirAll(filepath.Dir(binaryPath), 0755))
 				// Create executable file
 				require.NoError(t, os.WriteFile(binaryPath, []byte("#!/bin/sh\necho test"), 0755))
@@ -100,7 +109,7 @@ func TestIsCompilePolicyBinaryAvailable(t *testing.T) {
 		{
 			name: "binary exists and is executable",
 			setupFunc: func(t *testing.T, tempDir string) string {
-				binaryPath := filepath.Join(tempDir, ddPolicyCompileRelativePath)
+				binaryPath := getBinaryPath(tempDir)
 				require.NoError(t, os.MkdirAll(filepath.Dir(binaryPath), 0755))
 				require.NoError(t, os.WriteFile(binaryPath, []byte("#!/bin/sh\necho test"), 0755))
 				return tempDir
@@ -117,17 +126,19 @@ func TestIsCompilePolicyBinaryAvailable(t *testing.T) {
 		{
 			name: "binary exists but is not executable",
 			setupFunc: func(t *testing.T, tempDir string) string {
-				binaryPath := filepath.Join(tempDir, ddPolicyCompileRelativePath)
+				binaryPath := getBinaryPath(tempDir)
 				require.NoError(t, os.MkdirAll(filepath.Dir(binaryPath), 0755))
 				require.NoError(t, os.WriteFile(binaryPath, []byte("#!/bin/sh\necho test"), 0644))
 				return tempDir
 			},
-			expectResult: false,
+			// On Windows, executability is determined by extension, not permissions
+			// So this test expects different results on Windows vs Unix
+			expectResult: runtime.GOOS == "windows",
 		},
 		{
 			name: "binary exists but is a directory",
 			setupFunc: func(t *testing.T, tempDir string) string {
-				binaryPath := filepath.Join(tempDir, ddPolicyCompileRelativePath)
+				binaryPath := getBinaryPath(tempDir)
 				require.NoError(t, os.MkdirAll(binaryPath, 0755))
 				return tempDir
 			},

…n/impl/workloadselection_nolinux_test.go …mpl/workloadselection_withoutbin_test.gocomp/workloadselection/impl/workloadselection_nolinux_test.go renamed to comp/workloadselection/impl/workloadselection_withoutbin_test.go comp/workloadselection/impl/workloadselection_nolinux_test.go renamed to comp/workloadselection/impl/workloadselection_withoutbin_test.go

@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2025-present Datadog, Inc.
 
-//go:build !linux
+//go:build !linux && !windows
 
 package workloadselectionimpl
 
@@ -17,8 +17,8 @@ import (
 	logmock "github.com/DataDog/datadog-agent/comp/core/log/mock"
 )
 
-// TestNewComponent_NonLinux tests that the component is created but RCListener is not enabled on non-Linux platforms
-func TestNewComponent_NonLinux(t *testing.T) {
+// TestNewComponent_WithoutBin tests that the component is created but RCListener is not enabled on platforms without the compile policy binary
+func TestNewComponent_WithoutBin(t *testing.T) {
 	tests := []struct {
 		name                     string
 		workloadSelectionEnabled bool

deps/compile_policy/BUILD.bazel

@@ -11,21 +11,31 @@ alias(
     actual = select({
         "//:linux_arm64": "@compile_policy_arm64//:dd-compile-policy",
         "//:linux_x86_64": "@compile_policy_x86_64//:dd-compile-policy",
+        "//:windows_x86_64": "@compile_policy_windows_x86_64//:dd-compile-policy.exe",
+    }),
+    target_compatible_with = select({
+        "//:linux_arm64": [],
+        "//:linux_x86_64": [],
+        "//:windows_x86_64": [],
+        "//conditions:default": ["@platforms//:incompatible"],
     }),
-    target_compatible_with = [
-        "@platforms//os:linux",
-    ],
 )
 
 pkg_files(
     name = "bin_files",
     srcs = [":dd_compile_policy"],
-    attributes = pkg_attributes(
-        group = "root",
-        mode = "0555",
-        owner = "root",
-    ),
-    prefix = "embedded/bin",
+    attributes = select({
+        "//:windows_x86_64": None,  # Windows doesn't use Unix permissions
+        "//conditions:default": pkg_attributes(
+            group = "root",
+            mode = "0555",
+            owner = "root",
+        ),
+    }),
+    prefix = select({
+        "//:windows_x86_64": "bin/agent",
+        "//conditions:default": "embedded/bin",
+    }),
 )
 
 pkg_files(

deps/compile_policy/compile_policy.MODULE.bazel

@@ -2,7 +2,7 @@
 
 http_archive = use_repo_rule("//third_party/bazel/tools/build_defs/repo:http.bzl", "http_archive")
 
-VERSION = "0.1.0"
+VERSION = "0.1.2"
 
 # Define URLs for each architecture. This is used for the Linux build only; Windows and Darwin are not supported yet.
 # When we do those, we can make this parameterized.
@@ -14,7 +14,7 @@ http_archive(
         "LICENSE": "//deps/compile_policy:LICENSE",
         "LICENSE-3rdparty.csv": "//deps/compile_policy:LICENSE-3rdparty.csv",
     },
-    sha256 = "ce7ada4e91d3b57849cc602fbb541f6b48988735a6d95ac4044dfab28272dd56",
+    sha256 = "f32c245da1e0152e981ea6a3531b244bbab42c02666ec9bf37edc52204a96355",
     urls = [
         "https://github.com/DataDog/dd-policy-engine/releases/download/v{version}/dd-compile-policy-linux-amd64.tar.gz".format(
             version = VERSION,
@@ -29,10 +29,25 @@ http_archive(
         "LICENSE": "//deps/compile_policy:LICENSE",
         "LICENSE-3rdparty.csv": "//deps/compile_policy:LICENSE-3rdparty.csv",
     },
-    sha256 = "fe3c4470ca33030c4aa002dfb283aef672a8eff37b1660f9bcff67917e2fc64f",
+    sha256 = "1e9447733ac2a623d59b657b689811695738e040a7dd7be22a368c07cbd52842",
     urls = [
         "https://github.com/DataDog/dd-policy-engine/releases/download/v{version}/dd-compile-policy-linux-arm64.tar.gz".format(
             version = VERSION,
         ),
     ],
 )
+
+http_archive(
+    name = "compile_policy_windows_x86_64",
+    files = {
+        "BUILD.bazel": "//deps/compile_policy:overlay.BUILD.bazel",
+        "LICENSE": "//deps/compile_policy:LICENSE",
+        "LICENSE-3rdparty.csv": "//deps/compile_policy:LICENSE-3rdparty.csv",
+    },
+    sha256 = "39cabb8dc85e29837be223d389b6c00b715513e7ffc6fa8a0d69db03fdc66f2e",
+    urls = [
+        "https://github.com/DataDog/dd-policy-engine/releases/download/v{version}/dd-compile-policy-windows-x64.zip".format(
+            version = VERSION,
+        ),
+    ],
+)