Skip to content

TON-710/711/712: structured instrumentation policy statements with overlap filtering and size-based chunking#336

Open
fanny-jiang wants to merge 6 commits into
masterfrom
fanny/TON-710/structured-statement-placeholder-rendering
Open

TON-710/711/712: structured instrumentation policy statements with overlap filtering and size-based chunking#336
fanny-jiang wants to merge 6 commits into
masterfrom
fanny/TON-710/structured-statement-placeholder-rendering

Conversation

@fanny-jiang

@fanny-jiang fanny-jiang commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Note: Please remember to review the contribution guidelines
if you have not yet done so.

What does this PR do?

Reworks how attach_integration_permissions.py (and the inlined copy in datadog_integration_permissions.yaml) builds the instrumentation IAM policies attached to the Datadog integration role:

  • Prefer structured policy_statements from the Datadog API over the legacy flat permissions list, rendering ${AccountId}/${Partition} placeholders in them. Falls back to the legacy permissions chunks (wrapped as Allow/*-resource statements) when policy_statements is absent.
  • Filter out instrumentation actions already covered by the role's standard permissions (filter_instrumentation_statements), comparing Action, Resource, and Condition so an action is only dropped when an existing standard-integration statement grants an equivalent-or-broader permission — not just because the action name happens to also appear, unconditioned, elsewhere.
  • Chunk the (unchunked) structured statements by measured policy-document size (chunk_statements, 6144-char AWS managed-policy limit) without splitting a statement's Action away from its Resource/Condition, and preflight-validate the resulting chunk count against the account's managed-policy-attachment quota (validate_statement_chunks) before touching anything currently attached.

Motivation

The Datadog API can now return fully-formed IAM policy statements (with real Resource scoping) instead of just flat permission lists, letting generated policies be scoped tighter than the previous Resource: "*" fallback. Once statements carry real scoping, they need to be filtered against what's already granted by the standard permissions (to avoid redundant/oversized policies) and safely chunked/validated against AWS's per-policy size and per-role attachment limits, since the unchunked structured statements are no longer pre-sized by the server the way the legacy permissions shape was.

Testing Guidelines

Added unit tests in attach_integration_permissions_test.py covering:

  • render_placeholders (string/list/dict recursion, non-placeholder passthrough)
  • resolve_instrumentation_statement_chunks (legacy fallback, explicit-empty policy_statements not treated as absent, preference for structured statements over legacy permissions)
  • filter_instrumentation_statements (Action/Resource/Condition-aware overlap detection)
  • chunk_statements / validate_statement_chunks (size-based chunking boundaries, oversize-chunk and attachment-quota preflight failures)

Additional Notes

None.

…hunks

Fetch full API attributes, render ${AccountId}/${Partition} placeholders,
and attach rendered statement chunks directly, falling back to the legacy
per-chunk action lists when policy_statements isn't present.
@datadog-prod-us1-5

This comment has been minimized.

…d permissions

Only drop an instrumentation action when an existing standard-integration
statement grants an equivalent-or-broader permission across Action,
Resource, and Condition. The role-creation path filters against the
permissions it just attached; the add-on path can't verify what's on the
role, so it passes no standard statements and filtering is a no-op.
…nstrumentation policies

Chunk structured policy_statements by managed-policy size limit, validate the
full candidate chunk set (size + attachment quota) against the role's existing
non-instrumentation policies before cleaning up and re-attaching.
@fanny-jiang fanny-jiang changed the title TON-710: prefer structured policy_statements over legacy permission chunks TON-710/711/712: structured instrumentation policy statements with overlap filtering and size-based chunking Jul 9, 2026
- use boto3 paginator for list_attached_role_policies, matching the
  existing pattern in datadog_agentless_api_call.py
- inline the single-caller _create_and_attach_policy wrapper
- chunk_statements tracks running document size incrementally instead
  of re-serializing the whole accumulated chunk each iteration
- filter_instrumentation_statements precomputes standard Action sets
  once instead of scanning a list per action per standard statement
@fanny-jiang

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

To use Codex here, create a Codex account and connect to github.

@fanny-jiang fanny-jiang marked this pull request as ready for review July 9, 2026 18:57
@fanny-jiang fanny-jiang requested a review from a team as a code owner July 9, 2026 18:57
…card matching

Validate structured policy_statements (Effect/Action/Resource/Condition, including
blank-string checks) before they can trigger cleanup of previously-attached
instrumentation policies, and replace fnmatch with an IAM-correct action-glob
matcher to avoid over-matching on bracket-class syntax fnmatch grants but IAM
does not. Also trims duplicate validation/policy-JSON logic and a couple of
overly-verbose comments.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant