feat(contrib): add Azure APIM callout security processor#4620
Conversation
BenchmarksBenchmark execution time: 2026-04-08 10:01:22 Comparing candidate commit 7f4e243 in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 216 metrics, 8 unstable metrics.
|
|
✅ Tests 🎉 All green!❄️ No new flaky tests detected 🎯 Code Coverage (details) 🔗 Commit SHA: 7f4e243 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback! |
dce3cb6 to
2b7d8d8
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files
🚀 New features to boost your workflow:
|
| component := "apim-callout" | ||
| if m.req.Gateway == "boomi" { | ||
| component = "boomi-callout" |
There was a problem hiding this comment.
Once merged, these proxies components have to be used in the backend (ref https://github.com/DataDog/dd-go/pull/206155)
| | `DD_APIM_CALLOUT_TLS` | `false` | Enable TLS | | ||
| | `DD_APIM_CALLOUT_TLS_CERT_FILE` | | TLS certificate path (required when TLS is on) | | ||
| | `DD_APIM_CALLOUT_TLS_KEY_FILE` | | TLS private key path (required when TLS is on) | |
There was a problem hiding this comment.
Out of curiosity, could the external processor be configured with TLS inside boomi/azure?
There was a problem hiding this comment.
Yes but you would need a well known cert
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f5fba99446
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Signed-off-by: Eliott Bouhana <[email protected]>
f5fba99 to
3bdb8de
Compare
Policy files live in the deploy/ branch; this test cannot run without them. Remove it from the base branch and regenerate contribs_generated.go.
Remove trailing blank line and use err.Error() instead of passing error directly to format string.
Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout service for Azure API Management (APIM) and Boomi API Gateway that runs the Datadog WAF and returns access control decisions. - **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call (Boomi) callout protocols with request/response header and body inspection via Datadog AppSec - **`apim_messages.go`** — Message types and serialization for the callout JSON protocol - **`cmd/apim-callout/`** — Production-ready binary with TLS, health checks, graceful shutdown, and DD Agent telemetry - **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the callout service - **`apim_test.go`** — Unit tests covering both protocols, blocking, propagation headers, phase mismatch handling, body inspection, TTL cache, and policy file validation - **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags, TLS, health endpoint, and graceful shutdown Customers running Azure APIM or Boomi gateways need a way to enforce Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches their backends. This service sits as an HTTP callout target, processes headers/bodies through the WAF, and returns block/allow decisions with optional response modification. - All unit tests pass (`go test ./contrib/azure/apim-callout/...`) - E2E test script (`azure-e2e-test.sh`) validated against a live Azure APIM instance - Docker image builds and runs correctly - Policy files validated against the handler's expected JSON schema - Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641 - The `deploy/` directory structure is set up here (policies + boomi templates) so the IaC PR only adds Azure-specific infra files - Docker image release workflow is included (`.github/workflows/docker-images-release.yml`)
Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout service for Azure API Management (APIM) and Boomi API Gateway that runs the Datadog WAF and returns access control decisions. - **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call (Boomi) callout protocols with request/response header and body inspection via Datadog AppSec - **`apim_messages.go`** — Message types and serialization for the callout JSON protocol - **`cmd/apim-callout/`** — Production-ready binary with TLS, health checks, graceful shutdown, and DD Agent telemetry - **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the callout service - **`apim_test.go`** — Unit tests covering both protocols, blocking, propagation headers, phase mismatch handling, body inspection, TTL cache, and policy file validation - **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags, TLS, health endpoint, and graceful shutdown Customers running Azure APIM or Boomi gateways need a way to enforce Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches their backends. This service sits as an HTTP callout target, processes headers/bodies through the WAF, and returns block/allow decisions with optional response modification. - All unit tests pass (`go test ./contrib/azure/apim-callout/...`) - E2E test script (`azure-e2e-test.sh`) validated against a live Azure APIM instance - Docker image builds and runs correctly - Policy files validated against the handler's expected JSON schema - Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641 - The `deploy/` directory structure is set up here (policies + boomi templates) so the IaC PR only adds Azure-specific infra files - Docker image release workflow is included (`.github/workflows/docker-images-release.yml`)
…ning (#4641) ### What does this PR do? Adds one-click "Deploy to Azure" infrastructure-as-code for the APIM callout service introduced in #4620. ### Key components - **`deploy/azure/main.bicep`** — Top-level Bicep template orchestrating all modules - **`deploy/azure/modules/`** — Modular Bicep files: VNet + subnets (`networking`), Azure Container Apps (`container-app`), Datadog Agent ACI sidecar (`agent`), private DNS (`dns`), APIM VNet integration (`apim-network`), and optional policy injection (`apim-policy`) - **`deploy/azure/azuredeploy.json`** — Compiled ARM template for the "Deploy to Azure" button - **`deploy/azure/deploy.sh`** — CLI deployment script with validation, what-if preview, and rollback - **`deploy/azure/test-callout.sh`** — Post-deployment smoke test - **`deploy/azure/policies/`** — APIM XML policy templates (inbound, outbound, full) - **`deploy/boomi/`** — Boomi gateway policy templates (Groovy scripts + JSON callout configs) ### Motivation Provide a turnkey deployment experience so customers can go from zero to a running APIM callout setup with a single click in the Azure Portal, or via `az deployment` / `deploy.sh` for CLI users. ### Describe how you validated your changes - `az bicep build` compiles without errors - Full E2E deployment to Azure: VNet, ACA, ACI (DD Agent), private DNS, APIM integration all provisioned and functional - `test-callout.sh` passes against the deployed infrastructure - "Deploy to Azure" button tested in Azure Portal ### Additional Notes - Depends on #4620 (base branch) for the Go service and Dockerfile - The ARM template (`azuredeploy.json`) is compiled from Bicep — marked as `linguist-generated` in `.gitattributes` Co-authored-by: eliott.bouhana <[email protected]>
What does this PR do?
Adds a new
contrib/azure/apim-calloutpackage — an HTTP/JSON callout service for Azure API Management (APIM) and Boomi API Gateway that runs the Datadog WAF and returns access control decisions.Key components
apim.go— Core handler implementing the 4-call (APIM) and 2-call (Boomi) callout protocols with request/response header and body inspection via Datadog AppSecapim_messages.go— Message types and serialization for the callout JSON protocolcmd/apim-callout/— Production-ready binary with TLS, health checks, graceful shutdown, and DD Agent telemetrycmd/apim-callout/Dockerfile— Multi-stage Docker image for the callout serviceapim_test.go— Unit tests covering both protocols, blocking, propagation headers, phase mismatch handling, body inspection, TTL cache, and policy file validationcmd/apim-callout/main_test.go— Integration tests for CLI flags, TLS, health endpoint, and graceful shutdownMotivation
Customers running Azure APIM or Boomi gateways need a way to enforce Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches their backends. This service sits as an HTTP callout target, processes headers/bodies through the WAF, and returns block/allow decisions with optional response modification.
Describe how you validated your changes
go test ./contrib/azure/apim-callout/...)azure-e2e-test.sh) validated against a live Azure APIM instanceAdditional Notes
deploy/directory structure is set up here (policies + boomi templates) so the IaC PR only adds Azure-specific infra files.github/workflows/docker-images-release.yml)