Skip to content

feat(contrib): add Azure APIM callout security processor#4620

Merged
eliottness merged 5 commits into
mainfrom
eliottness/azure-apim-callout
Apr 8, 2026
Merged

feat(contrib): add Azure APIM callout security processor#4620
eliottness merged 5 commits into
mainfrom
eliottness/azure-apim-callout

Conversation

@eliottness

@eliottness eliottness commented Mar 30, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Adds a new contrib/azure/apim-callout package — an HTTP/JSON callout service for Azure API Management (APIM) and Boomi API Gateway that runs the Datadog WAF and returns access control decisions.

Key components

  • apim.go — Core handler implementing the 4-call (APIM) and 2-call (Boomi) callout protocols with request/response header and body inspection via Datadog AppSec
  • apim_messages.go — Message types and serialization for the callout JSON protocol
  • cmd/apim-callout/ — Production-ready binary with TLS, health checks, graceful shutdown, and DD Agent telemetry
  • cmd/apim-callout/Dockerfile — Multi-stage Docker image for the callout service
  • apim_test.go — Unit tests covering both protocols, blocking, propagation headers, phase mismatch handling, body inspection, TTL cache, and policy file validation
  • cmd/apim-callout/main_test.go — Integration tests for CLI flags, TLS, health endpoint, and graceful shutdown

Motivation

Customers running Azure APIM or Boomi gateways need a way to enforce Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches their backends. This service sits as an HTTP callout target, processes headers/bodies through the WAF, and returns block/allow decisions with optional response modification.

Describe how you validated your changes

  • All unit tests pass (go test ./contrib/azure/apim-callout/...)
  • E2E test script (azure-e2e-test.sh) validated against a live Azure APIM instance
  • Docker image builds and runs correctly
  • Policy files validated against the handler's expected JSON schema

Additional Notes

@pr-commenter

pr-commenter Bot commented Mar 30, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-04-08 10:01:22

Comparing candidate commit 7f4e243 in PR branch eliottness/azure-apim-callout with baseline commit 56e391d in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 216 metrics, 8 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@datadog-prod-us1-3

datadog-prod-us1-3 Bot commented Mar 31, 2026

Copy link
Copy Markdown

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.09% (-0.05%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 7f4e243 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!

@eliottness
eliottness force-pushed the eliottness/azure-apim-callout branch from dce3cb6 to 2b7d8d8 Compare April 2, 2026 09:43
@codecov

codecov Bot commented Apr 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.73%. Comparing base (56e391d) to head (7f4e243).

Additional details and impacted files
Files with missing lines Coverage Δ
instrumentation/packages.go 7.81% <ø> (-1.57%) ⬇️

... and 268 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@eliottness
eliottness marked this pull request as ready for review April 2, 2026 11:51
@eliottness
eliottness requested review from a team as code owners April 2, 2026 11:51
@eliottness eliottness changed the title feat(contrib): add Azure APIM / Boomi HTTP callout security processor feat(contrib): add Azure APIM callout security processor Apr 2, 2026
@github-actions github-actions Bot added the apm:ecosystem contrib/* related feature requests or bugs label Apr 2, 2026

@e-n-0 e-n-0 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

Comment thread contrib/azure/apim-callout/policies/boomi-request-block.groovy Outdated
Comment thread contrib/azure/apim-callout/policies/azure-apim-full.xml Outdated
Comment on lines +114 to +116
component := "apim-callout"
if m.req.Gateway == "boomi" {
component = "boomi-callout"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once merged, these proxies components have to be used in the backend (ref https://github.com/DataDog/dd-go/pull/206155)

Comment thread contrib/azure/apim-callout/README.md Outdated
Comment on lines +58 to +60
| `DD_APIM_CALLOUT_TLS` | `false` | Enable TLS |
| `DD_APIM_CALLOUT_TLS_CERT_FILE` | | TLS certificate path (required when TLS is on) |
| `DD_APIM_CALLOUT_TLS_KEY_FILE` | | TLS private key path (required when TLS is on) |

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiosity, could the external processor be configured with TLS inside boomi/azure?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes but you would need a well known cert

@eliottness

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f5fba99446

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread contrib/azure/apim-callout/policies/boomi-request-block.groovy Outdated
Comment thread contrib/azure/apim-callout/policies/boomi-response-block.groovy Outdated
Comment thread contrib/azure/apim-callout/apim.go
Policy files live in the deploy/ branch; this test cannot run without
them. Remove it from the base branch and regenerate contribs_generated.go.
Remove trailing blank line and use err.Error() instead of passing
error directly to format string.
@eliottness
eliottness requested a review from e-n-0 April 7, 2026 14:28

@kakkoyun kakkoyun left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@eliottness
eliottness merged commit 887cc43 into main Apr 8, 2026
230 checks passed
@eliottness
eliottness deleted the eliottness/azure-apim-callout branch April 8, 2026 10:07
eliottness added a commit that referenced this pull request Apr 8, 2026
Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout
service for Azure API Management (APIM) and Boomi API Gateway that runs
the Datadog WAF and returns access control decisions.

- **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call
(Boomi) callout protocols with request/response header and body
inspection via Datadog AppSec
- **`apim_messages.go`** — Message types and serialization for the
callout JSON protocol
- **`cmd/apim-callout/`** — Production-ready binary with TLS, health
checks, graceful shutdown, and DD Agent telemetry
- **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the
callout service
- **`apim_test.go`** — Unit tests covering both protocols, blocking,
propagation headers, phase mismatch handling, body inspection, TTL
cache, and policy file validation
- **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags,
TLS, health endpoint, and graceful shutdown

Customers running Azure APIM or Boomi gateways need a way to enforce
Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches
their backends. This service sits as an HTTP callout target, processes
headers/bodies through the WAF, and returns block/allow decisions with
optional response modification.

- All unit tests pass (`go test ./contrib/azure/apim-callout/...`)
- E2E test script (`azure-e2e-test.sh`) validated against a live Azure
APIM instance
- Docker image builds and runs correctly
- Policy files validated against the handler's expected JSON schema

- Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641
- The `deploy/` directory structure is set up here (policies + boomi
templates) so the IaC PR only adds Azure-specific infra files
- Docker image release workflow is included
(`.github/workflows/docker-images-release.yml`)
eliottness added a commit that referenced this pull request Apr 8, 2026
Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout
service for Azure API Management (APIM) and Boomi API Gateway that runs
the Datadog WAF and returns access control decisions.

- **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call
(Boomi) callout protocols with request/response header and body
inspection via Datadog AppSec
- **`apim_messages.go`** — Message types and serialization for the
callout JSON protocol
- **`cmd/apim-callout/`** — Production-ready binary with TLS, health
checks, graceful shutdown, and DD Agent telemetry
- **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the
callout service
- **`apim_test.go`** — Unit tests covering both protocols, blocking,
propagation headers, phase mismatch handling, body inspection, TTL
cache, and policy file validation
- **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags,
TLS, health endpoint, and graceful shutdown

Customers running Azure APIM or Boomi gateways need a way to enforce
Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches
their backends. This service sits as an HTTP callout target, processes
headers/bodies through the WAF, and returns block/allow decisions with
optional response modification.

- All unit tests pass (`go test ./contrib/azure/apim-callout/...`)
- E2E test script (`azure-e2e-test.sh`) validated against a live Azure
APIM instance
- Docker image builds and runs correctly
- Policy files validated against the handler's expected JSON schema

- Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641
- The `deploy/` directory structure is set up here (policies + boomi
templates) so the IaC PR only adds Azure-specific infra files
- Docker image release workflow is included
(`.github/workflows/docker-images-release.yml`)
gh-worker-dd-mergequeue-cf854d Bot pushed a commit that referenced this pull request Apr 9, 2026
…ning (#4641)

### What does this PR do?

Adds one-click "Deploy to Azure" infrastructure-as-code for the APIM callout service introduced in #4620.

### Key components

- **`deploy/azure/main.bicep`** — Top-level Bicep template orchestrating all modules
- **`deploy/azure/modules/`** — Modular Bicep files: VNet + subnets (`networking`), Azure Container Apps (`container-app`), Datadog Agent ACI sidecar (`agent`), private DNS (`dns`), APIM VNet integration (`apim-network`), and optional policy injection (`apim-policy`)
- **`deploy/azure/azuredeploy.json`** — Compiled ARM template for the "Deploy to Azure" button
- **`deploy/azure/deploy.sh`** — CLI deployment script with validation, what-if preview, and rollback
- **`deploy/azure/test-callout.sh`** — Post-deployment smoke test
- **`deploy/azure/policies/`** — APIM XML policy templates (inbound, outbound, full)
- **`deploy/boomi/`** — Boomi gateway policy templates (Groovy scripts + JSON callout configs)

### Motivation

Provide a turnkey deployment experience so customers can go from zero to a running APIM callout setup with a single click in the Azure Portal, or via `az deployment` / `deploy.sh` for CLI users.

### Describe how you validated your changes

- `az bicep build` compiles without errors
- Full E2E deployment to Azure: VNet, ACA, ACI (DD Agent), private DNS, APIM integration all provisioned and functional
- `test-callout.sh` passes against the deployed infrastructure
- "Deploy to Azure" button tested in Azure Portal

### Additional Notes

- Depends on #4620 (base branch) for the Go service and Dockerfile
- The ARM template (`azuredeploy.json`) is compiled from Bicep — marked as `linguist-generated` in `.gitattributes`

Co-authored-by: eliott.bouhana <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

apm:ecosystem contrib/* related feature requests or bugs mergequeue-status: done

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants