Skip to content

feat(contrib/apim-callout): Deploy to Azure button + production hardening#4641

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
eliottness/azure-arm
Apr 9, 2026
Merged

feat(contrib/apim-callout): Deploy to Azure button + production hardening#4641
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
eliottness/azure-arm

Conversation

@eliottness

@eliottness eliottness commented Apr 7, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Adds one-click "Deploy to Azure" infrastructure-as-code for the APIM callout service introduced in #4620.

Key components

  • deploy/azure/main.bicep — Top-level Bicep template orchestrating all modules
  • deploy/azure/modules/ — Modular Bicep files: VNet + subnets (networking), Azure Container Apps (container-app), Datadog Agent ACI sidecar (agent), private DNS (dns), APIM VNet integration (apim-network), and optional policy injection (apim-policy)
  • deploy/azure/azuredeploy.json — Compiled ARM template for the "Deploy to Azure" button
  • deploy/azure/deploy.sh — CLI deployment script with validation, what-if preview, and rollback
  • deploy/azure/test-callout.sh — Post-deployment smoke test
  • deploy/azure/policies/ — APIM XML policy templates (inbound, outbound, full)
  • deploy/boomi/ — Boomi gateway policy templates (Groovy scripts + JSON callout configs)

Motivation

Provide a turnkey deployment experience so customers can go from zero to a running APIM callout setup with a single click in the Azure Portal, or via az deployment / deploy.sh for CLI users.

Describe how you validated your changes

  • az bicep build compiles without errors
  • Full E2E deployment to Azure: VNet, ACA, ACI (DD Agent), private DNS, APIM integration all provisioned and functional
  • test-callout.sh passes against the deployed infrastructure
  • "Deploy to Azure" button tested in Azure Portal

Additional Notes

@github-actions github-actions Bot added the apm:ecosystem contrib/* related feature requests or bugs label Apr 7, 2026
@eliottness eliottness changed the title Deploy to Azure button + production hardening feat(contrib/apim-callout): Deploy to Azure button + production hardening Apr 7, 2026
@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Apr 7, 2026

Copy link
Copy Markdown

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 60.08%

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 56b59d5 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!

@codecov

codecov Bot commented Apr 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.77%. Comparing base (f5fba99) to head (38ff8c1).

Additional details and impacted files

see 11 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pr-commenter

pr-commenter Bot commented Apr 7, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-04-08 10:35:25

Comparing candidate commit 56b59d5 in PR branch eliottness/azure-arm with baseline commit 887cc43 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 217 metrics, 7 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@eliottness
eliottness force-pushed the eliottness/azure-arm branch from ebcaad9 to a5f7017 Compare April 7, 2026 13:58
@eliottness
eliottness force-pushed the eliottness/azure-apim-callout branch from f5fba99 to 3bdb8de Compare April 7, 2026 14:01
eliottness added a commit that referenced this pull request Apr 8, 2026
### What does this PR do?

Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout
service for Azure API Management (APIM) and Boomi API Gateway that runs
the Datadog WAF and returns access control decisions.

### Key components

- **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call
(Boomi) callout protocols with request/response header and body
inspection via Datadog AppSec
- **`apim_messages.go`** — Message types and serialization for the
callout JSON protocol
- **`cmd/apim-callout/`** — Production-ready binary with TLS, health
checks, graceful shutdown, and DD Agent telemetry
- **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the
callout service
- **`apim_test.go`** — Unit tests covering both protocols, blocking,
propagation headers, phase mismatch handling, body inspection, TTL
cache, and policy file validation
- **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags,
TLS, health endpoint, and graceful shutdown

### Motivation

Customers running Azure APIM or Boomi gateways need a way to enforce
Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches
their backends. This service sits as an HTTP callout target, processes
headers/bodies through the WAF, and returns block/allow decisions with
optional response modification.

### Describe how you validated your changes

- All unit tests pass (`go test ./contrib/azure/apim-callout/...`)
- E2E test script (`azure-e2e-test.sh`) validated against a live Azure
APIM instance
- Docker image builds and runs correctly
- Policy files validated against the handler's expected JSON schema

### Additional Notes

- Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641
- The `deploy/` directory structure is set up here (policies + boomi
templates) so the IaC PR only adds Azure-specific infra files
- Docker image release workflow is included
(`.github/workflows/docker-images-release.yml`)
Base automatically changed from eliottness/azure-apim-callout to main April 8, 2026 10:07
@eliottness
eliottness force-pushed the eliottness/azure-arm branch from a5f7017 to 56b59d5 Compare April 8, 2026 10:08
@eliottness
eliottness marked this pull request as ready for review April 8, 2026 10:10
@eliottness
eliottness requested a review from a team as a code owner April 8, 2026 10:10
eliottness added a commit that referenced this pull request Apr 8, 2026
Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout
service for Azure API Management (APIM) and Boomi API Gateway that runs
the Datadog WAF and returns access control decisions.

- **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call
(Boomi) callout protocols with request/response header and body
inspection via Datadog AppSec
- **`apim_messages.go`** — Message types and serialization for the
callout JSON protocol
- **`cmd/apim-callout/`** — Production-ready binary with TLS, health
checks, graceful shutdown, and DD Agent telemetry
- **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the
callout service
- **`apim_test.go`** — Unit tests covering both protocols, blocking,
propagation headers, phase mismatch handling, body inspection, TTL
cache, and policy file validation
- **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags,
TLS, health endpoint, and graceful shutdown

Customers running Azure APIM or Boomi gateways need a way to enforce
Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches
their backends. This service sits as an HTTP callout target, processes
headers/bodies through the WAF, and returns block/allow decisions with
optional response modification.

- All unit tests pass (`go test ./contrib/azure/apim-callout/...`)
- E2E test script (`azure-e2e-test.sh`) validated against a live Azure
APIM instance
- Docker image builds and runs correctly
- Policy files validated against the handler's expected JSON schema

- Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641
- The `deploy/` directory structure is set up here (policies + boomi
templates) so the IaC PR only adds Azure-specific infra files
- Docker image release workflow is included
(`.github/workflows/docker-images-release.yml`)
eliottness added a commit that referenced this pull request Apr 8, 2026
Adds a new `contrib/azure/apim-callout` package — an HTTP/JSON callout
service for Azure API Management (APIM) and Boomi API Gateway that runs
the Datadog WAF and returns access control decisions.

- **`apim.go`** — Core handler implementing the 4-call (APIM) and 2-call
(Boomi) callout protocols with request/response header and body
inspection via Datadog AppSec
- **`apim_messages.go`** — Message types and serialization for the
callout JSON protocol
- **`cmd/apim-callout/`** — Production-ready binary with TLS, health
checks, graceful shutdown, and DD Agent telemetry
- **`cmd/apim-callout/Dockerfile`** — Multi-stage Docker image for the
callout service
- **`apim_test.go`** — Unit tests covering both protocols, blocking,
propagation headers, phase mismatch handling, body inspection, TTL
cache, and policy file validation
- **`cmd/apim-callout/main_test.go`** — Integration tests for CLI flags,
TLS, health endpoint, and graceful shutdown

Customers running Azure APIM or Boomi gateways need a way to enforce
Datadog AppSec (WAF + ASM) at the gateway level before traffic reaches
their backends. This service sits as an HTTP callout target, processes
headers/bodies through the WAF, and returns block/allow decisions with
optional response modification.

- All unit tests pass (`go test ./contrib/azure/apim-callout/...`)
- E2E test script (`azure-e2e-test.sh`) validated against a live Azure
APIM instance
- Docker image builds and runs correctly
- Policy files validated against the handler's expected JSON schema

- Deployment IaC (Bicep/ARM templates) is in a follow-up PR: #4641
- The `deploy/` directory structure is set up here (policies + boomi
templates) so the IaC PR only adds Azure-specific infra files
- Docker image release workflow is included
(`.github/workflows/docker-images-release.yml`)
@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot merged commit 747b2e5 into main Apr 9, 2026
184 checks passed
@gh-worker-dd-mergequeue-cf854d
gh-worker-dd-mergequeue-cf854d Bot deleted the eliottness/azure-arm branch April 9, 2026 08:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

apm:ecosystem contrib/* related feature requests or bugs appsec mergequeue-status: done

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants