
supporting cws multi-policy in terraform #2681

Draft: wants to merge 3 commits into master

Conversation


@homoeconomics homoeconomics commented Nov 15, 2024

Adding new resources and data sources to support the CWS multi-policy feature.

  1. Updated the data source datadog_csm_threats_agent_rules such that users could pass in the policy_id as an optional attribute to fetch rules in a specific policy.
  2. Added a new data source datadog_csm_threats_policies for users to list their policies.
  3. Added a new resource datadog_csm_threats_policy for users to manage their CWS policies.
  4. Added a new resource datadog_csm_threats_multi_policy_agent_rule for users to manage their rules in a policy.

How to deploy policy resources:

resource "datadog_csm_threats_policies_list" "all" {
    entries {
        policy_id = datadog_csm_threats_policy.policy1.id
        name = "TERRAFORM_POLICY1"
        priority = 1
    }
    entries {
        policy_id = datadog_csm_threats_policy.policy2.id
        name = "TERRAFORM_POLICY2"
        priority = 2
    }
}

resource "datadog_csm_threats_policy" "policy1" {
    description = "created with terraform"
    enabled     = false
    tags        = []
}

resource "datadog_csm_threats_policy" "policy2" {
    description = "created with terraform 2"
    enabled     = true
    tags        = ["env:staging"]
}

TODO: record the tests after the DD SDK is updated.

@homoeconomics homoeconomics force-pushed the daniel.zhou/CWS-3394-tf-provider branch from 6322019 to 5da3fb7 on November 15, 2024 20:48
import (
"context"
"fmt"
mathrand "math/rand"
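Review bot: the suggested replacement `mathrand "crypto/rand"` is not a drop-in swap. crypto/rand exposes Reader, Read, Int and Prime, not the Intn/Int63/Seed helpers of math/rand, so every call site that goes through the mathrand alias would have to be rewritten (a bounded integer becomes rand.Int(rand.Reader, big.NewInt(n)) with a *big.Int result). Before switching, the PR should say what these random values are used for: if they only build unique names for acceptance-test resources, math/rand is fine and a one-line comment stating that lets the finding be closed with a reason; if they feed anything an attacker could benefit from predicting (tokens, identifiers exposed to the API), the alias should go and the call sites should move to crypto/rand.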


Code Vulnerability

Suggested change
mathrand "math/rand"
mathrand "crypto/rand"
The math/rand library does not generate cryptographically secure random numbers.

Using the math/rand package in Go for generating random numbers may lead to vulnerabilities in certain security-critical contexts. Here's why it is recommended to exercise caution when using this package:

  1. Pseudorandomness: The math/rand package generates pseudorandom numbers, which are generated from a deterministic algorithm and a seed value. These numbers are not truly random and may exhibit patterns or predictable sequences. In security-critical applications, such as cryptography or secure password generation, true randomness is essential to prevent guessing or predicting the random values.
  2. Predictable seed value: By default, the math/rand package uses a predictable seed value based on the current time. This means that if multiple processes or instances of the software start at the same time or use the same seed, they will generate the exact same sequence of random numbers. This predictability can be exploited by an attacker to reproduce the random values and potentially compromise the security of the system.
  3. Insufficient entropy: In security-sensitive contexts, it is crucial to have a good source of entropy, which is a measure of unpredictability. The math/rand package does not provide a direct way to access system-level entropy sources. It relies on a fixed seed or a manually set seed value, which may not have sufficient entropy to generate adequately random numbers for cryptographic operations or other security-critical tasks.
  4. SecureRandom: In contrast to math/rand, the crypto/rand package in Go provides a secure random number generator that uses a system-level entropy source. It generates cryptographically secure random numbers suitable for security-sensitive applications. It is recommended to use crypto/rand for generating random numbers in scenarios that require strong randomness and security.

To mitigate vulnerabilities and ensure the secure generation of random values, it is recommended to use the crypto/rand package instead of math/rand for security-critical applications. The crypto/rand package provides a more reliable source of random numbers, leveraging the underlying operating system's entropy source for improved security.

Always consider the specific requirements of your application and the context in which random numbers are used. Following best practices and using appropriate cryptographic libraries can help mitigate vulnerabilities and ensure the security of your Go applications.

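An added example, not code from this PR or from the Datadog provider, that makes the static-analysis finding above concrete: the same math/rand seed reproduces the same sequence every time, whereas crypto/rand draws from the operating system's entropy source and rand.Int does the rejection sampling that keeps a bounded value unbiased. DeterministicSequence, SecureIndex, SecureToken and RandomSuffix are hypothetical helper names chosen for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	mathrand "math/rand"
)

// DeterministicSequence draws n values from math/rand seeded with a fixed seed.
// It exists only to show the reviewer's point: the same seed always yields the
// same sequence, so anyone who knows or guesses the seed can reproduce it.
func DeterministicSequence(seed int64, n int) []int {
	r := mathrand.New(mathrand.NewSource(seed))
	out := make([]int, n)
	for i := range out {
		out[i] = r.Intn(1000)
	}
	return out
}

// SecureIndex returns a uniformly distributed integer in [0, n) drawn from
// crypto/rand. rand.Int performs the rejection sampling needed to avoid the
// modulo bias that a naive `int(b[0]) % n` would introduce.
func SecureIndex(n int) (int, error) {
	if n <= 0 {
		return 0, errors.New("n must be positive")
	}
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// SecureToken returns nBytes of OS entropy as a hex string: the kind of value
// (API key, nonce, session id) for which math/rand would be a real weakness.
func SecureToken(nBytes int) (string, error) {
	if nBytes <= 0 {
		return "", errors.New("nBytes must be positive")
	}
	buf := make([]byte, nBytes)
	// rand.Read fills the whole buffer or returns an error; it never returns short.
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// RandomSuffix builds a lowercase alphanumeric suffix from crypto/rand, the
// shape of helper a provider might use for unique resource names. This is a
// hypothetical helper written for the example, not the PR's own code.
func RandomSuffix(length int) (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	out := make([]byte, length)
	for i := range out {
		idx, err := SecureIndex(len(alphabet))
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx]
	}
	return string(out), nil
}

func main() {
	// The two math/rand sequences below are identical run after run.
	fmt.Println("math/rand, seed 42, twice:", DeterministicSequence(42, 5), DeterministicSequence(42, 5))
	tok, _ := SecureToken(16)
	fmt.Println("crypto/rand token:", tok)
	suffix, _ := RandomSuffix(8)
	fmt.Println("crypto/rand suffix:", suffix)
}
```

Running it prints the same two math/rand sequences every time but a fresh token and suffix on each run, which is the property the finding is about.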

func (r *csmThreatsPoliciesListResource) applyBatchPolicies(ctx context.Context, entries []csmThreatsPoliciesListEntryModel, diags *diag.Diagnostics) ([]csmThreatsPoliciesListEntryModel, error) {
listResp, httpResp, err := r.api.ListCSMThreatsAgentPolicies(r.auth)
if err != nil {
if httpResp != nil && httpResp.StatusCode == 404 {
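Review bot: the branch `if httpResp != nil && httpResp.StatusCode == 404 {` inside `if err != nil` needs a comment explaining why a 404 from ListCSMThreatsAgentPolicies is treated differently from every other error; the intent is not readable from the code, which is why the question about `!= 404` comes up on this line. If a 404 means the account has no policy list yet and the function should continue with an empty set of entries, state that and make sure every other non-nil err is still appended to diags and returned; if a 404 is itself a failure, the branch should return rather than fall through.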

Do you mean httpResp.StatusCode != 404?

@@ -97,3 +97,4 @@ require (
)

go 1.23
replace github.com/DataDog/datadog-api-client-go/v2 v2.34.1-0.20241226155556-e60f30b0e84e => ../datadog-api-spec/generated/datadog-api-client-go
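Review bot: the `replace github.com/DataDog/datadog-api-client-go/v2 v2.34.1-0.20241226155556-e60f30b0e84e => ../datadog-api-spec/generated/datadog-api-client-go` directive points at a relative path outside this repository, so `go build` fails for anyone without that sibling checkout and CI cannot reproduce the build. It should not reach the merged go.mod: once the client release carrying the CSM Threats policy endpoints is tagged (the description's TODO notes the SDK update is still pending), bump the require line to that version and drop the replace.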

I guess this is only for local testing and you don't plan to check this in?


### Optional

- `entries` (Block Set) A set of policies that belong to this list/batch. All non-listed policies get deleted. (see [below for nested schema](#nestedblock--entries))
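Review bot: the `entries` description states that "All non-listed policies get deleted", a destructive side effect, but the schema does not say that exactly one datadog_csm_threats_policies_list resource is expected per account; two such resources would each delete the policies the other one manages. Add that constraint, and the consequence that removing an entry deletes the corresponding policy, to the attribute description so the generated docs carry the warning.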

Maybe we should also mention that customers are supposed to create exactly one policy list.
