Update security_monitoring endpoints for cloud_configuration rules (#1268)

Co-authored-by: ci.datadog-api-spec <[email protected]>
Co-authored-by: api-clients-generation-pipeline[bot] <54105614+api-clients-generation-pipeline[bot]@users.noreply.github.com>

Author: api-clients-generation-pipeline[bot]

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.4",
-            "regenerated": "2022-12-13 20:15:37.769174",
-            "spec_repo_commit": "cb07e37b"
+            "regenerated": "2022-12-14 13:19:08.162310",
+            "spec_repo_commit": "72a02090"
         },
         "v2": {
             "apigentools_version": "1.6.4",
-            "regenerated": "2022-12-13 20:15:37.783093",
-            "spec_repo_commit": "cb07e37b"
+            "regenerated": "2022-12-14 13:19:08.177644",
+            "spec_repo_commit": "72a02090"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -1761,6 +1761,148 @@ components:
           example: infra_host
           type: string
       type: object
+    CloudConfigurationComplianceRuleOptions:
+      description: Options for cloud_configuration rules.
+      properties:
+        complexRule:
+          description: 'Whether the rule is a complex one.
+
+            Must be set to true if `regoRule.resourceTypes` contains more than one
+            item. Defaults to false.
+
+            '
+          type: boolean
+        regoRule:
+          $ref: '#/components/schemas/CloudConfigurationRegoRule'
+      required:
+      - regoRule
+      type: object
+    CloudConfigurationRegoRule:
+      description: Rule details.
+      properties:
+        policy:
+          description: 'The policy written in `rego`, see: https://www.openpolicyagent.org/docs/latest/policy-language/'
+          example: "package datadog\n\nimport data.datadog.output as dd_output\nimport
+            future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource)
+            = \"skip\" if {\n  # Logic that evaluates to true if the resource should
+            be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true
+            if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that
+            evaluates to true if the resource is not compliant\n  true\n}\n\n# This
+            part remains unchanged for all rules\nresults contains result if {\n  some
+            resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource,
+            eval(resource))\n}\n"
+          type: string
+        resourceTypes:
+          description: List of resource types that will be evaluated upon. Must have
+            at least one element.
+          example:
+          - gcp_iam_service_account
+          - gcp_iam_policy
+          items:
+            type: string
+          type: array
+      required:
+      - policy
+      - resourceTypes
+      type: object
+    CloudConfigurationRuleCaseCreate:
+      description: Description of signals.
+      properties:
+        notifications:
+          description: Notification targets for each rule case.
+          items:
+            description: Notification.
+            type: string
+          type: array
+        status:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
+      required:
+      - status
+      type: object
+    CloudConfigurationRuleComplianceSignalOptions:
+      description: How to generate compliance signals. Useful for cloud_configuration
+        rules only.
+      properties:
+        userActivationStatus:
+          description: Whether signals will be sent.
+          type: boolean
+        userGroupByFields:
+          description: Fields to use to group findings by when sending signals.
+          items:
+            type: string
+          type: array
+      type: object
+    CloudConfigurationRuleCreatePayload:
+      description: Create a new cloud configuration rule.
+      properties:
+        cases:
+          description: 'Description of generated findings and signals (severity and
+            channels to be notified in case of a signal). Must contain exactly one
+            item.
+
+            '
+          items:
+            $ref: '#/components/schemas/CloudConfigurationRuleCaseCreate'
+          type: array
+        complianceSignalOptions:
+          $ref: '#/components/schemas/CloudConfigurationRuleComplianceSignalOptions'
+        isEnabled:
+          description: Whether the rule is enabled.
+          example: true
+          type: boolean
+        message:
+          description: Message in markdown format for generated findings and signals.
+          example: '#Description
+
+            Explanation of the rule.
+
+
+            #Remediation
+
+            How to fix the security issue.
+
+            '
+          type: string
+        name:
+          description: The name of the rule.
+          example: My security monitoring rule.
+          type: string
+        options:
+          $ref: '#/components/schemas/CloudConfigurationRuleOptions'
+        tags:
+          description: Tags for generated findings and signals.
+          example:
+          - env:prod
+          - team:security
+          items:
+            description: Tag.
+            type: string
+          type: array
+        type:
+          $ref: '#/components/schemas/CloudConfigurationRuleType'
+      required:
+      - name
+      - isEnabled
+      - options
+      - complianceSignalOptions
+      - cases
+      - message
+      type: object
+    CloudConfigurationRuleOptions:
+      description: Options on cloud configuration rules.
+      properties:
+        complianceRuleOptions:
+          $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions'
+      required:
+      - complianceRuleOptions
+      type: object
+    CloudConfigurationRuleType:
+      description: The rule type.
+      enum:
+      - cloud_configuration
+      type: string
+      x-enum-varnames:
+      - CLOUD_CONFIGURATION
     CloudWorkloadSecurityAgentRuleAttributes:
       description: A Cloud Workload Security Agent rule returned by the API.
       properties:
@@ -8344,6 +8486,7 @@ components:
       oneOf:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRuleCreatePayload'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRuleCreatePayload'
+      - $ref: '#/components/schemas/CloudConfigurationRuleCreatePayload'
       type: object
     SecurityMonitoringRuleDecreaseCriticalityBasedOnEnv:
       description: 'If true, signals in non-production environments have a lower severity
@@ -8549,6 +8692,8 @@ components:
     SecurityMonitoringRuleOptions:
       description: Options on rules.
       properties:
+        complianceRuleOptions:
+          $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions'
         decreaseCriticalityBasedOnEnv:
           $ref: '#/components/schemas/SecurityMonitoringRuleDecreaseCriticalityBasedOnEnv'
         detectionMethod:
@@ -8643,6 +8788,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringRuleCase'
           type: array
+        complianceSignalOptions:
+          $ref: '#/components/schemas/CloudConfigurationRuleComplianceSignalOptions'
         filters:
           description: Additional queries to filter matched events before they are
             processed.
@@ -9323,6 +9470,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringRuleCase'
           type: array
+        complianceSignalOptions:
+          $ref: '#/components/schemas/CloudConfigurationRuleComplianceSignalOptions'
         createdAt:
           description: When the rule was created, timestamp in milliseconds.
           format: int64

docs/datadog_api_client.v2.model.rst

@@ -680,6 +680,55 @@ ci\_app\_warning
    :members:
    :show-inheritance:
 
+cloud\_configuration\_compliance\_rule\_options
+-----------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_configuration_compliance_rule_options
+   :members:
+   :show-inheritance:
+
+cloud\_configuration\_rego\_rule
+--------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_configuration_rego_rule
+   :members:
+   :show-inheritance:
+
+cloud\_configuration\_rule\_case\_create
+----------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_configuration_rule_case_create
+   :members:
+   :show-inheritance:
+
+cloud\_configuration\_rule\_compliance\_signal\_options
+-------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options
+   :members:
+   :show-inheritance:
+
+cloud\_configuration\_rule\_create\_payload
+-------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_configuration_rule_create_payload
+   :members:
+   :show-inheritance:
+
+cloud\_configuration\_rule\_options
+-----------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_configuration_rule_options
+   :members:
+   :show-inheritance:
+
+cloud\_configuration\_rule\_type
+--------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_configuration_rule_type
+   :members:
+   :show-inheritance:
+
 cloud\_workload\_security\_agent\_rule\_attributes
 --------------------------------------------------
 

examples/v2/security-monitoring/CreateSecurityMonitoringRule_1092490364.py

@@ -0,0 +1,60 @@
+"""
+Create a cloud_configuration rule returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
+    CloudConfigurationComplianceRuleOptions,
+)
+from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
+from datadog_api_client.v2.model.cloud_configuration_rule_case_create import CloudConfigurationRuleCaseCreate
+from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
+    CloudConfigurationRuleComplianceSignalOptions,
+)
+from datadog_api_client.v2.model.cloud_configuration_rule_create_payload import CloudConfigurationRuleCreatePayload
+from datadog_api_client.v2.model.cloud_configuration_rule_options import CloudConfigurationRuleOptions
+from datadog_api_client.v2.model.cloud_configuration_rule_type import CloudConfigurationRuleType
+from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
+
+body = CloudConfigurationRuleCreatePayload(
+    type=CloudConfigurationRuleType.CLOUD_CONFIGURATION,
+    name="Example-Create_a_cloud_configuration_rule_returns_OK_response_cloud",
+    is_enabled=False,
+    cases=[
+        CloudConfigurationRuleCaseCreate(
+            status=SecurityMonitoringRuleSeverity.INFO,
+            notifications=[
+                "channel",
+            ],
+        ),
+    ],
+    options=CloudConfigurationRuleOptions(
+        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
+            complex_rule=False,
+            rego_rule=CloudConfigurationRegoRule(
+                policy="package datadog\n",
+                resource_types=[
+                    "gcp_compute_disk",
+                ],
+            ),
+        ),
+    ),
+    message="ddd",
+    tags=[
+        "my:tag",
+    ],
+    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
+        user_activation_status=True,
+        user_group_by_fields=[
+            "@account_id",
+        ],
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.create_security_monitoring_rule(body=body)
+
+    print(response)

examples/v2/security-monitoring/GetSecurityMonitoringRule_3370522281.py

@@ -0,0 +1,19 @@
+"""
+Get a cloud configuration rule's details returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+
+# there is a valid "cloud_configuration_rule" in the system
+CLOUD_CONFIGURATION_RULE_ID = environ["CLOUD_CONFIGURATION_RULE_ID"]
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.get_security_monitoring_rule(
+        rule_id=CLOUD_CONFIGURATION_RULE_ID,
+    )
+
+    print(response)

examples/v2/security-monitoring/UpdateSecurityMonitoringRule_428087276.py

@@ -0,0 +1,55 @@
+"""
+Update a cloud configuration rule's details returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
+    CloudConfigurationComplianceRuleOptions,
+)
+from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
+from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
+    CloudConfigurationRuleComplianceSignalOptions,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
+from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
+from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
+from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload
+
+# there is a valid "cloud_configuration_rule" in the system
+CLOUD_CONFIGURATION_RULE_ID = environ["CLOUD_CONFIGURATION_RULE_ID"]
+
+body = SecurityMonitoringRuleUpdatePayload(
+    name="Example-Update_a_cloud_configuration_rule_s_details_returns_OK_response_cloud_updated",
+    is_enabled=False,
+    cases=[
+        SecurityMonitoringRuleCase(
+            status=SecurityMonitoringRuleSeverity.INFO,
+            notifications=[],
+        ),
+    ],
+    options=SecurityMonitoringRuleOptions(
+        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
+            rego_rule=CloudConfigurationRegoRule(
+                policy="package datadog\n",
+                resource_types=[
+                    "gcp_compute_disk",
+                ],
+            ),
+        ),
+    ),
+    message="ddd",
+    tags=[],
+    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
+        user_activation_status=False,
+        user_group_by_fields=[],
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.update_security_monitoring_rule(rule_id=CLOUD_CONFIGURATION_RULE_ID, body=body)
+
+    print(response)