Exposing set action on Terraform V2 (#2568)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-06-03 09:24:16.469657",
-            "spec_repo_commit": "5906d277"
+            "regenerated": "2025-06-04 09:10:40.335493",
+            "spec_repo_commit": "6c99bb98"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-06-03 09:24:16.484530",
-            "spec_repo_commit": "5906d277"
+            "regenerated": "2025-06-04 09:10:40.351166",
+            "spec_repo_commit": "6c99bb98"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -7526,6 +7526,50 @@ components:
           type: string
         kill:
           $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleKill'
+        metadata:
+          $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActionMetadata'
+        set:
+          $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActionSet'
+      type: object
+    CloudWorkloadSecurityAgentRuleActionMetadata:
+      description: The metadata action applied on the scope matching the rule
+      properties:
+        image_tag:
+          description: The image tag of the metadata action
+          type: string
+        service:
+          description: The service of the metadata action
+          type: string
+        short_image:
+          description: The short image of the metadata action
+          type: string
+      type: object
+    CloudWorkloadSecurityAgentRuleActionSet:
+      description: The set action applied on the scope matching the rule
+      properties:
+        append:
+          description: Whether the value should be appended to the field
+          type: boolean
+        field:
+          description: The field of the set action
+          type: string
+        name:
+          description: The name of the set action
+          type: string
+        scope:
+          description: The scope of the set action
+          type: string
+        size:
+          description: The size of the set action
+          format: int64
+          type: integer
+        ttl:
+          description: The time to live of the set action
+          format: int64
+          type: integer
+        value:
+          description: The value of the set action
+          type: string
       type: object
     CloudWorkloadSecurityAgentRuleActions:
       description: The array of actions the rule can perform if triggered
@@ -7541,6 +7585,11 @@ components:
         agentConstraint:
           description: The version of the Agent
           type: string
+        blocking:
+          description: The blocking policies that the rule belongs to
+          items:
+            type: string
+          type: array
         category:
           description: The category of the Agent rule
           example: Process Activity
@@ -7564,6 +7613,11 @@ components:
           description: The description of the Agent rule
           example: My Agent rule
           type: string
+        disabled:
+          description: The disabled policies that the rule belongs to
+          items:
+            type: string
+          type: array
         enabled:
           description: Whether the Agent rule is enabled
           example: true
@@ -7577,6 +7631,11 @@ components:
           items:
             type: string
           type: array
+        monitoring:
+          description: The monitoring policies that the rule belongs to
+          items:
+            type: string
+          type: array
         name:
           description: The name of the Agent rule
           example: my_agent_rule
@@ -7611,10 +7670,22 @@ components:
     CloudWorkloadSecurityAgentRuleCreateAttributes:
       description: Create a new Cloud Workload Security Agent rule.
       properties:
+        actions:
+          $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions'
+        blocking:
+          description: The blocking policies that the rule belongs to
+          items:
+            type: string
+          type: array
         description:
           description: The description of the Agent rule.
           example: My Agent rule
           type: string
+        disabled:
+          description: The disabled policies that the rule belongs to
+          items:
+            type: string
+          type: array
         enabled:
           description: Whether the Agent rule is enabled
           example: true
@@ -7628,6 +7699,11 @@ components:
           items:
             type: string
           type: array
+        monitoring:
+          description: The monitoring policies that the rule belongs to
+          items:
+            type: string
+          type: array
         name:
           description: The name of the Agent rule.
           example: my_agent_rule
@@ -7718,10 +7794,22 @@ components:
     CloudWorkloadSecurityAgentRuleUpdateAttributes:
       description: Update an existing Cloud Workload Security Agent rule
       properties:
+        actions:
+          $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions'
+        blocking:
+          description: The blocking policies that the rule belongs to
+          items:
+            type: string
+          type: array
         description:
           description: The description of the Agent rule
           example: My Agent rule
           type: string
+        disabled:
+          description: The disabled policies that the rule belongs to
+          items:
+            type: string
+          type: array
         enabled:
           description: Whether the Agent rule is enabled
           example: true
@@ -7730,6 +7818,11 @@ components:
           description: The SECL expression of the Agent rule
           example: exec.file.name == "sh"
           type: string
+        monitoring:
+          description: The monitoring policies that the rule belongs to
+          items:
+            type: string
+          type: array
         policy_id:
           description: The ID of the policy where the Agent rule is saved
           example: a8c8e364-6556-434d-b798-a4c23de29c0b

docs/datadog_api_client.v2.model.rst

@@ -2839,6 +2839,20 @@ datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_rule\_action mod
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_rule\_action\_metadata module
+---------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_metadata
+   :members:
+   :show-inheritance:
+
+datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_rule\_action\_set module
+----------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_set
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.cloud\_workload\_security\_agent\_rule\_attributes module
 ---------------------------------------------------------------------------------------
 

examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.py

@@ -0,0 +1,55 @@
+"""
+Create a Workload Protection agent rule with set action returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action import CloudWorkloadSecurityAgentRuleAction
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_set import (
+    CloudWorkloadSecurityAgentRuleActionSet,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import (
+    CloudWorkloadSecurityAgentRuleCreateAttributes,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_data import (
+    CloudWorkloadSecurityAgentRuleCreateData,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_request import (
+    CloudWorkloadSecurityAgentRuleCreateRequest,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType
+
+# there is a valid "policy_rc" in the system
+POLICY_DATA_ID = environ["POLICY_DATA_ID"]
+
+body = CloudWorkloadSecurityAgentRuleCreateRequest(
+    data=CloudWorkloadSecurityAgentRuleCreateData(
+        attributes=CloudWorkloadSecurityAgentRuleCreateAttributes(
+            description="My Agent rule with set action",
+            enabled=True,
+            expression='exec.file.name == "sh"',
+            filters=[],
+            name="examplecsmthreat",
+            policy_id=POLICY_DATA_ID,
+            product_tags=[],
+            actions=[
+                CloudWorkloadSecurityAgentRuleAction(
+                    set=CloudWorkloadSecurityAgentRuleActionSet(
+                        name="test_set",
+                        value="test_value",
+                        scope="process",
+                    ),
+                ),
+            ],
+        ),
+        type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = CSMThreatsApi(api_client)
+    response = api_instance.create_csm_threats_agent_rule(body=body)
+
+    print(response)

src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action.py

@@ -15,6 +15,12 @@
 
 if TYPE_CHECKING:
     from datadog_api_client.v2.model.cloud_workload_security_agent_rule_kill import CloudWorkloadSecurityAgentRuleKill
+    from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_metadata import (
+        CloudWorkloadSecurityAgentRuleActionMetadata,
+    )
+    from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_set import (
+        CloudWorkloadSecurityAgentRuleActionSet,
+    )
 
 
 class CloudWorkloadSecurityAgentRuleAction(ModelNormal):
@@ -23,21 +29,33 @@ def openapi_types(_):
         from datadog_api_client.v2.model.cloud_workload_security_agent_rule_kill import (
             CloudWorkloadSecurityAgentRuleKill,
         )
+        from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_metadata import (
+            CloudWorkloadSecurityAgentRuleActionMetadata,
+        )
+        from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_set import (
+            CloudWorkloadSecurityAgentRuleActionSet,
+        )
 
         return {
             "filter": (str,),
             "kill": (CloudWorkloadSecurityAgentRuleKill,),
+            "metadata": (CloudWorkloadSecurityAgentRuleActionMetadata,),
+            "set": (CloudWorkloadSecurityAgentRuleActionSet,),
         }
 
     attribute_map = {
         "filter": "filter",
         "kill": "kill",
+        "metadata": "metadata",
+        "set": "set",
     }
 
     def __init__(
         self_,
         filter: Union[str, UnsetType] = unset,
         kill: Union[CloudWorkloadSecurityAgentRuleKill, UnsetType] = unset,
+        metadata: Union[CloudWorkloadSecurityAgentRuleActionMetadata, UnsetType] = unset,
+        set: Union[CloudWorkloadSecurityAgentRuleActionSet, UnsetType] = unset,
         **kwargs,
     ):
         """
@@ -48,9 +66,19 @@ def __init__(
 
         :param kill: Kill system call applied on the container matching the rule
         :type kill: CloudWorkloadSecurityAgentRuleKill, optional
+
+        :param metadata: The metadata action applied on the scope matching the rule
+        :type metadata: CloudWorkloadSecurityAgentRuleActionMetadata, optional
+
+        :param set: The set action applied on the scope matching the rule
+        :type set: CloudWorkloadSecurityAgentRuleActionSet, optional
         """
         if filter is not unset:
             kwargs["filter"] = filter
         if kill is not unset:
             kwargs["kill"] = kill
+        if metadata is not unset:
+            kwargs["metadata"] = metadata
+        if set is not unset:
+            kwargs["set"] = set
         super().__init__(kwargs)

src/datadog_api_client/v2/model/cloud_workload_security_agent_rule_action_metadata.py

@@ -0,0 +1,56 @@
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019-Present Datadog, Inc.
+from __future__ import annotations
+
+from typing import Union
+
+from datadog_api_client.model_utils import (
+    ModelNormal,
+    cached_property,
+    unset,
+    UnsetType,
+)
+
+
+class CloudWorkloadSecurityAgentRuleActionMetadata(ModelNormal):
+    @cached_property
+    def openapi_types(_):
+        return {
+            "image_tag": (str,),
+            "service": (str,),
+            "short_image": (str,),
+        }
+
+    attribute_map = {
+        "image_tag": "image_tag",
+        "service": "service",
+        "short_image": "short_image",
+    }
+
+    def __init__(
+        self_,
+        image_tag: Union[str, UnsetType] = unset,
+        service: Union[str, UnsetType] = unset,
+        short_image: Union[str, UnsetType] = unset,
+        **kwargs,
+    ):
+        """
+        The metadata action applied on the scope matching the rule
+
+        :param image_tag: The image tag of the metadata action
+        :type image_tag: str, optional
+
+        :param service: The service of the metadata action
+        :type service: str, optional
+
+        :param short_image: The short image of the metadata action
+        :type short_image: str, optional
+        """
+        if image_tag is not unset:
+            kwargs["image_tag"] = image_tag
+        if service is not unset:
+            kwargs["service"] = service
+        if short_image is not unset:
+            kwargs["short_image"] = short_image
+        super().__init__(kwargs)