feat(dspm): expose configuration properties for AWS/Azure DSPM Cloud Accounts (#1820)

* feat(dspm): expose config props for azure/aws dspm cloud accounts

* feat(dspm): expose method to update DSPM status

Author: kirklandnuts

api/cloud_accounts_aws_dspm.go

@@ -52,6 +52,7 @@ type AwsDspmResponse struct {
 type AwsDspm struct {
 	v2CommonIntegrationData
 	awsDspmToken `json:"serverToken"`
+	Props        *DspmProps  `json:"props,omitempty"`
 	Data         AwsDspmData `json:"data"`
 }
 

api/cloud_accounts_azure_dspm.go

@@ -52,6 +52,7 @@ type AzureDspmResponse struct {
 type AzureDspm struct {
 	v2CommonIntegrationData
 	azureDspmToken `json:"serverToken"`
+	Props          *DspmProps    `json:"props,omitempty"`
 	Data           AzureDspmData `json:"data"`
 }
 

api/cloud_accounts_dspm_props.go

@@ -0,0 +1,108 @@
+package api
+
+import "encoding/json"
+
+// DspmProps represents the props section for DSPM integrations.
+//
+// The API returns props in two different formats depending on the endpoint:
+//   - GET returns props as a JSON object with camelCase keys
+//   - PATCH returns props as a JSON-encoded string with UPPER_SNAKE_CASE keys
+//
+// UnmarshalJSON handles both forms transparently.
+type DspmProps struct {
+	Dspm *DspmPropsConfig `json:"dspm,omitempty"`
+}
+
+func (p *DspmProps) UnmarshalJSON(data []byte) error {
+	if string(data) == "null" {
+		return nil
+	}
+
+	// If data is a JSON string, unwrap it first. This handles the PATCH
+	// response format where props is a JSON-encoded string.
+	if len(data) > 0 && data[0] == '"' {
+		var s string
+		if err := json.Unmarshal(data, &s); err != nil {
+			return err
+		}
+		if s == "" {
+			return nil
+		}
+		data = []byte(s)
+	}
+
+	// Try camelCase keys first (GET response format).
+	// "type plain DspmProps" creates an alias without the custom UnmarshalJSON
+	// method, avoiding infinite recursion when calling json.Unmarshal.
+	type plain DspmProps
+	if err := json.Unmarshal(data, (*plain)(p)); err == nil && p.Dspm != nil {
+		return nil
+	}
+
+	// Fall back to UPPER_SNAKE_CASE keys (PATCH response format)
+	var upper struct {
+		Dspm *dspmPropsConfigUpper `json:"DSPM,omitempty"`
+	}
+	if err := json.Unmarshal(data, &upper); err != nil {
+		return err
+	}
+	if upper.Dspm != nil {
+		p.Dspm = upper.Dspm.toConfig()
+	}
+	return nil
+}
+
+// DspmPropsConfig contains DSPM-specific configuration
+type DspmPropsConfig struct {
+	ScanIntervalHours *int                  `json:"scanIntervalHours,omitempty"`
+	MaxDownloadBytes  *int                  `json:"maxDownloadBytes,omitempty"`
+	DatastoreFilters  *DspmDatastoreFilters `json:"datastoreFilters,omitempty"`
+}
+
+// DspmDatastoreFilters configures which datastores to include/exclude from scanning
+type DspmDatastoreFilters struct {
+	FilterMode     string   `json:"filterMode"`
+	DatastoreNames []string `json:"datastoreNames"`
+}
+
+// dspmPropsConfigUpper mirrors DspmPropsConfig with UPPER_SNAKE_CASE JSON tags
+// for deserializing PATCH responses.
+type dspmPropsConfigUpper struct {
+	ScanIntervalHours *int                       `json:"SCAN_INTERVAL_HOURS,omitempty"`
+	MaxDownloadBytes  *int                       `json:"MAX_DOWNLOAD_BYTES,omitempty"`
+	DatastoreFilters  *dspmDatastoreFiltersUpper `json:"DATASTORE_FILTERS,omitempty"`
+}
+
+type dspmDatastoreFiltersUpper struct {
+	FilterMode     string   `json:"FILTER_MODE"`
+	DatastoreNames []string `json:"DATASTORE_NAMES"`
+}
+
+func (u *dspmPropsConfigUpper) toConfig() *DspmPropsConfig {
+	cfg := &DspmPropsConfig{
+		ScanIntervalHours: u.ScanIntervalHours,
+		MaxDownloadBytes:  u.MaxDownloadBytes,
+	}
+	if u.DatastoreFilters != nil {
+		cfg.DatastoreFilters = &DspmDatastoreFilters{
+			FilterMode:     u.DatastoreFilters.FilterMode,
+			DatastoreNames: u.DatastoreFilters.DatastoreNames,
+		}
+	}
+	return cfg
+}
+
+const apiV2DspmStatus = "v2/dspm/status"
+
+// DspmStatusRequest is the request body for the DSPM status endpoint
+type DspmStatusRequest struct {
+	Ok      bool   `json:"ok"`
+	Message string `json:"message"`
+}
+
+// UpdateDspmStatus updates the status of a DSPM integration using server token auth.
+func (svc *CloudAccountsService) UpdateDspmStatus(serverToken string, status DspmStatusRequest) error {
+	return svc.client.RequestEncoderDecoderWithToken(
+		"POST", apiV2DspmStatus, serverToken, status, nil,
+	)
+}

api/http.go

@@ -172,6 +172,42 @@ func (c *Client) RequestEncoderDecoder(method, path string, data, v interface{})
 	return c.RequestDecoder(method, path, body, v)
 }
 
+// RequestEncoderDecoderWithToken performs an HTTP request using a server token
+// for authentication instead of the client's API key token. Used for endpoints
+// authenticated via ServerTokenProps (e.g., POST /api/v2/dspm/status).
+func (c *Client) RequestEncoderDecoderWithToken(method, path, token string, data, v interface{}) error {
+	body, err := jsonReader(data)
+	if err != nil {
+		return err
+	}
+
+	apiPath, err := url.Parse(c.apiPath(path))
+	if err != nil {
+		return err
+	}
+
+	u := c.baseURL.ResolveReference(apiPath)
+	request, err := http.NewRequest(method, u.String(), body)
+	if err != nil {
+		return err
+	}
+
+	request.Header.Set("Authorization", token)
+	request.Header.Set("Content-Type", "application/json")
+	request.Header.Set("Accept", "application/json")
+
+	for k, v := range c.headers {
+		request.Header.Set(k, v)
+	}
+
+	res, err := c.DoDecoder(request, v)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	return nil
+}
+
 // Do calls request.Do() directly
 func (c *Client) Do(req *http.Request) (*http.Response, error) {
 	response, err := c.c.Do(req)