feat(contrib/apim-callout): Deploy to Azure button + production hardening#4641
Conversation
|
✅ Tests 🎉 All green!❄️ No new flaky tests detected 🎯 Code Coverage (details) 🔗 Commit SHA: 56b59d5 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback! |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files🚀 New features to boost your workflow:
|
BenchmarksBenchmark execution time: 2026-04-08 10:35:25 Comparing candidate commit 56b59d5 in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 217 metrics, 7 unstable metrics.
|
ebcaad9 to
a5f7017
Compare
f5fba99 to
3bdb8de
Compare
### What does this PR do? Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout service for Azure API Management (APIM) and Boomi API Gateway that runs the Datadog WAF and returns access control decisions. ### Key components - **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call (Boomi) callout protocols with request/response header and body inspection via Datadog AppSec - **`apim_messages.go`** — Message types and serialization for the callout JSON protocol - **`cmd/apim-callout/`** — Production-ready binary with TLS, health checks, graceful shutdown, and DD Agent telemetry - **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the callout service - **`apim_test.go`** — Unit tests covering both protocols, blocking, propagation headers, phase mismatch handling, body inspection, TTL cache, and policy file validation - **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags, TLS, health endpoint, and graceful shutdown ### Motivation Customers running Azure APIM or Boomi gateways need a way to enforce Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches their backends. This service sits as an HTTP callout target, processes headers/bodies through the WAF, and returns block/allow decisions with optional response modification. ### Describe how you validated your changes - All unit tests pass (`go test ./contrib/azure/apim-callout/...`) - E2E test script (`azure-e2e-test.sh`) validated against a live Azure APIM instance - Docker image builds and runs correctly - Policy files validated against the handler's expected JSON schema ### Additional Notes - Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641 - The `deploy/` directory structure is set up here (policies + boomi templates) so the IaC PR only adds Azure-specific infra files - Docker image release workflow is included (`.github/workflows/docker-images-release.yml`)
Signed-off-by: Eliott Bouhana <[email protected]>
a5f7017 to
56b59d5
Compare
Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout service for Azure API Management (APIM) and Boomi API Gateway that runs the Datadog WAF and returns access control decisions. - **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call (Boomi) callout protocols with request/response header and body inspection via Datadog AppSec - **`apim_messages.go`** — Message types and serialization for the callout JSON protocol - **`cmd/apim-callout/`** — Production-ready binary with TLS, health checks, graceful shutdown, and DD Agent telemetry - **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the callout service - **`apim_test.go`** — Unit tests covering both protocols, blocking, propagation headers, phase mismatch handling, body inspection, TTL cache, and policy file validation - **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags, TLS, health endpoint, and graceful shutdown Customers running Azure APIM or Boomi gateways need a way to enforce Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches their backends. This service sits as an HTTP callout target, processes headers/bodies through the WAF, and returns block/allow decisions with optional response modification. - All unit tests pass (`go test ./contrib/azure/apim-callout/...`) - E2E test script (`azure-e2e-test.sh`) validated against a live Azure APIM instance - Docker image builds and runs correctly - Policy files validated against the handler's expected JSON schema - Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641 - The `deploy/` directory structure is set up here (policies + boomi templates) so the IaC PR only adds Azure-specific infra files - Docker image release workflow is included (`.github/workflows/docker-images-release.yml`)
Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout service for Azure API Management (APIM) and Boomi API Gateway that runs the Datadog WAF and returns access control decisions. - **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call (Boomi) callout protocols with request/response header and body inspection via Datadog AppSec - **`apim_messages.go`** — Message types and serialization for the callout JSON protocol - **`cmd/apim-callout/`** — Production-ready binary with TLS, health checks, graceful shutdown, and DD Agent telemetry - **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the callout service - **`apim_test.go`** — Unit tests covering both protocols, blocking, propagation headers, phase mismatch handling, body inspection, TTL cache, and policy file validation - **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags, TLS, health endpoint, and graceful shutdown Customers running Azure APIM or Boomi gateways need a way to enforce Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches their backends. This service sits as an HTTP callout target, processes headers/bodies through the WAF, and returns block/allow decisions with optional response modification. - All unit tests pass (`go test ./contrib/azure/apim-callout/...`) - E2E test script (`azure-e2e-test.sh`) validated against a live Azure APIM instance - Docker image builds and runs correctly - Policy files validated against the handler's expected JSON schema - Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641 - The `deploy/` directory structure is set up here (policies + boomi templates) so the IaC PR only adds Azure-specific infra files - Docker image release workflow is included (`.github/workflows/docker-images-release.yml`)
What does this PR do?
Adds one-click "Deploy to Azure" infrastructure-as-code for the APIM callout service introduced in #4620.
Key components
deploy/azure/main.bicep— Top-level Bicep template orchestrating all modulesdeploy/azure/modules/— Modular Bicep files: VNet + subnets (networking), Azure Container Apps (container-app), Datadog Agent ACI sidecar (agent), private DNS (dns), APIM VNet integration (apim-network), and optional policy injection (apim-policy)deploy/azure/azuredeploy.json— Compiled ARM template for the "Deploy to Azure" buttondeploy/azure/deploy.sh— CLI deployment script with validation, what-if preview, and rollbackdeploy/azure/test-callout.sh— Post-deployment smoke testdeploy/azure/policies/— APIM XML policy templates (inbound, outbound, full)deploy/boomi/— Boomi gateway policy templates (Groovy scripts + JSON callout configs)Motivation
Provide a turnkey deployment experience so customers can go from zero to a running APIM callout setup with a single click in the Azure Portal, or via
az deployment/deploy.shfor CLI users.Describe how you validated your changes
az bicep buildcompiles without errorstest-callout.shpasses against the deployed infrastructureAdditional Notes
azuredeploy.json) is compiled from Bicep — marked aslinguist-generatedin.gitattributes