Define Open API specs for WIF

examples/v2/aws-wif/CreateAwsWifIntakeMapping.rb

@@ -0,0 +1,14 @@
+# Create an AWS WIF intake mapping returns "Created" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::AWSWIFAPI.new
+
+body = DatadogAPIClient::V2::AwsWifIntakeMappingCreateRequest.new({
+  data: DatadogAPIClient::V2::AwsWifIntakeMappingCreateData.new({
+    attributes: DatadogAPIClient::V2::AwsWifIntakeMappingAttributes.new({
+      arn_pattern: "arn:aws:iam::123456789012:role/my-agent-role",
+    }),
+    type: DatadogAPIClient::V2::AwsWifIntakeMappingType::AWS_WIF_INTAKE_MAPPING,
+  }),
+})
+p api_instance.create_aws_wif_intake_mapping(body)

examples/v2/aws-wif/CreateAwsWifPersonaMapping.rb

@@ -0,0 +1,15 @@
+# Create an AWS WIF persona mapping returns "Created" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::AWSWIFAPI.new
+
+body = DatadogAPIClient::V2::AwsWifPersonaMappingCreateRequest.new({
+  data: DatadogAPIClient::V2::AwsWifPersonaMappingCreateData.new({
+    attributes: DatadogAPIClient::V2::AwsWifPersonaMappingCreateAttributes.new({
+      account_identifier: "user@example.com",
+      arn_pattern: "arn:aws:iam::123456789012:role/my-workload-role",
+    }),
+    type: DatadogAPIClient::V2::AwsWifPersonaMappingType::AWS_WIF_CONFIG,
+  }),
+})
+p api_instance.create_aws_wif_persona_mapping(body)

examples/v2/aws-wif/DeleteAwsWifIntakeMapping.rb

@@ -0,0 +1,5 @@
+# Delete an AWS WIF intake mapping returns "No Content" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::AWSWIFAPI.new
+api_instance.delete_aws_wif_intake_mapping("9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d")

examples/v2/aws-wif/DeleteAwsWifPersonaMapping.rb

@@ -0,0 +1,5 @@
+# Delete an AWS WIF persona mapping returns "No Content" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::AWSWIFAPI.new
+api_instance.delete_aws_wif_persona_mapping("9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d")

examples/v2/aws-wif/GetAwsWifIntakeMapping.rb

@@ -0,0 +1,5 @@
+# Get an AWS WIF intake mapping returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::AWSWIFAPI.new
+p api_instance.get_aws_wif_intake_mapping("9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d")

examples/v2/aws-wif/GetAwsWifPersonaMapping.rb

@@ -0,0 +1,5 @@
+# Get an AWS WIF persona mapping returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::AWSWIFAPI.new
+p api_instance.get_aws_wif_persona_mapping("9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d")

examples/v2/aws-wif/ListAwsWifIntakeMappings.rb

@@ -0,0 +1,5 @@
+# List AWS WIF intake mappings returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::AWSWIFAPI.new
+p api_instance.list_aws_wif_intake_mappings()

examples/v2/aws-wif/ListAwsWifPersonaMappings.rb

@@ -0,0 +1,5 @@
+# List AWS WIF persona mappings returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::AWSWIFAPI.new
+p api_instance.list_aws_wif_persona_mappings()

examples/v2/delegated-token/GetDelegatedToken.rb

@@ -0,0 +1,5 @@
+# Get a delegated token returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::DelegatedTokenAPI.new
+p api_instance.get_delegated_token()

examples/v2/intake-key/GetIntakeKey.rb

@@ -0,0 +1,5 @@
+# Get an intake API key returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::IntakeKeyAPI.new
+p api_instance.get_intake_key()

features/scenarios_model_mapping.rb

@@ -5876,6 +5876,24 @@
             "uuid" => "UUID",
             "body" => "CreateOrUpdateWidgetRequest",
     },
+    "v2.CreateAwsWifIntakeMapping" => {
+            "body" => "AwsWifIntakeMappingCreateRequest",
+    },
+    "v2.DeleteAwsWifIntakeMapping" => {
+            "config_uuid" => "UUID",
+    },
+    "v2.GetAwsWifIntakeMapping" => {
+            "config_uuid" => "UUID",
+    },
+    "v2.CreateAwsWifPersonaMapping" => {
+            "body" => "AwsWifPersonaMappingCreateRequest",
+    },
+    "v2.DeleteAwsWifPersonaMapping" => {
+            "config_uuid" => "UUID",
+    },
+    "v2.GetAwsWifPersonaMapping" => {
+            "config_uuid" => "UUID",
+    },
     "v2.ListWorkflows" => {
             "limit" => "Integer",
             "page" => "Integer",

features/v2/aws_wif.feature

@@ -0,0 +1,149 @@
+@endpoint(aws-wif) @endpoint(aws-wif-v2)
+Feature: AWS WIF
+  Manage AWS Workload Identity Federation (WIF) mappings. Persona mappings
+  link IAM role ARN patterns to Datadog users for delegated-token
+  authentication. Intake mappings link IAM role ARN patterns to managed-
+  rotation API keys for agent telemetry ingestion.
+
+  Background:
+    Given a valid "apiKeyAuth" key in the system
+    And a valid "appKeyAuth" key in the system
+    And an instance of "AWSWIF" API
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Create an AWS WIF intake mapping returns "Bad Request" response
+    Given new "CreateAwsWifIntakeMapping" request
+    And body with value {"data": {"attributes": {"arn_pattern": "arn:aws:iam::123456789012:role/my-agent-role"}, "type": "aws_wif_intake_mapping"}}
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Create an AWS WIF intake mapping returns "Conflict" response
+    Given new "CreateAwsWifIntakeMapping" request
+    And body with value {"data": {"attributes": {"arn_pattern": "arn:aws:iam::123456789012:role/my-agent-role"}, "type": "aws_wif_intake_mapping"}}
+    When the request is sent
+    Then the response status is 409 Conflict
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Create an AWS WIF intake mapping returns "Created" response
+    Given new "CreateAwsWifIntakeMapping" request
+    And body with value {"data": {"attributes": {"arn_pattern": "arn:aws:iam::123456789012:role/my-agent-role"}, "type": "aws_wif_intake_mapping"}}
+    When the request is sent
+    Then the response status is 201 Created
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Create an AWS WIF persona mapping returns "Bad Request" response
+    Given new "CreateAwsWifPersonaMapping" request
+    And body with value {"data": {"attributes": {"account_identifier": "user@example.com", "arn_pattern": "arn:aws:iam::123456789012:role/my-workload-role"}, "type": "aws_wif_config"}}
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Create an AWS WIF persona mapping returns "Conflict" response
+    Given new "CreateAwsWifPersonaMapping" request
+    And body with value {"data": {"attributes": {"account_identifier": "user@example.com", "arn_pattern": "arn:aws:iam::123456789012:role/my-workload-role"}, "type": "aws_wif_config"}}
+    When the request is sent
+    Then the response status is 409 Conflict
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Create an AWS WIF persona mapping returns "Created" response
+    Given new "CreateAwsWifPersonaMapping" request
+    And body with value {"data": {"attributes": {"account_identifier": "user@example.com", "arn_pattern": "arn:aws:iam::123456789012:role/my-workload-role"}, "type": "aws_wif_config"}}
+    When the request is sent
+    Then the response status is 201 Created
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an AWS WIF intake mapping returns "Bad Request" response
+    Given new "DeleteAwsWifIntakeMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an AWS WIF intake mapping returns "No Content" response
+    Given new "DeleteAwsWifIntakeMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 204 No Content
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an AWS WIF intake mapping returns "Not Found" response
+    Given new "DeleteAwsWifIntakeMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an AWS WIF persona mapping returns "Bad Request" response
+    Given new "DeleteAwsWifPersonaMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an AWS WIF persona mapping returns "No Content" response
+    Given new "DeleteAwsWifPersonaMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 204 No Content
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Delete an AWS WIF persona mapping returns "Not Found" response
+    Given new "DeleteAwsWifPersonaMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an AWS WIF intake mapping returns "Bad Request" response
+    Given new "GetAwsWifIntakeMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an AWS WIF intake mapping returns "Not Found" response
+    Given new "GetAwsWifIntakeMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an AWS WIF intake mapping returns "OK" response
+    Given new "GetAwsWifIntakeMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 200 OK
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an AWS WIF persona mapping returns "Bad Request" response
+    Given new "GetAwsWifPersonaMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an AWS WIF persona mapping returns "Not Found" response
+    Given new "GetAwsWifPersonaMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get an AWS WIF persona mapping returns "OK" response
+    Given new "GetAwsWifPersonaMapping" request
+    And request contains "config_uuid" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 200 OK
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: List AWS WIF intake mappings returns "OK" response
+    Given new "ListAwsWifIntakeMappings" request
+    When the request is sent
+    Then the response status is 200 OK
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: List AWS WIF persona mappings returns "OK" response
+    Given new "ListAwsWifPersonaMappings" request
+    When the request is sent
+    Then the response status is 200 OK

features/v2/cloud_authentication.feature

@@ -8,70 +8,70 @@ Feature: Cloud Authentication
     And a valid "appKeyAuth" key in the system
     And an instance of "CloudAuthentication" API
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: Create an AWS cloud authentication persona mapping returns "Bad Request" response
     Given operation "CreateAWSCloudAuthPersonaMapping" enabled
     And new "CreateAWSCloudAuthPersonaMapping" request
     And body with value {"data": {"attributes": {"account_identifier": "test@test.com", "arn_pattern": "arn:aws:iam::123456789012:user/testuser"}, "type": "aws_cloud_auth_config"}}
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: Create an AWS cloud authentication persona mapping returns "Conflict" response
     Given operation "CreateAWSCloudAuthPersonaMapping" enabled
     And new "CreateAWSCloudAuthPersonaMapping" request
     And body with value {"data": {"attributes": {"account_identifier": "test@test.com", "arn_pattern": "arn:aws:iam::123456789012:user/testuser"}, "type": "aws_cloud_auth_config"}}
     When the request is sent
     Then the response status is 409 Conflict
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: Create an AWS cloud authentication persona mapping returns "Created" response
     Given operation "CreateAWSCloudAuthPersonaMapping" enabled
     And new "CreateAWSCloudAuthPersonaMapping" request
     And body with value {"data": {"attributes": {"account_identifier": "test@test.com", "arn_pattern": "arn:aws:iam::123456789012:user/testuser"}, "type": "aws_cloud_auth_config"}}
     When the request is sent
     Then the response status is 201 Created
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: Delete an AWS cloud authentication persona mapping returns "No Content" response
     Given operation "DeleteAWSCloudAuthPersonaMapping" enabled
     And new "DeleteAWSCloudAuthPersonaMapping" request
     And request contains "persona_mapping_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 204 No Content
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: Delete an AWS cloud authentication persona mapping returns "Not Found" response
     Given operation "DeleteAWSCloudAuthPersonaMapping" enabled
     And new "DeleteAWSCloudAuthPersonaMapping" request
     And request contains "persona_mapping_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 404 Not Found
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: Get an AWS cloud authentication persona mapping returns "Not Found" response
     Given operation "GetAWSCloudAuthPersonaMapping" enabled
     And new "GetAWSCloudAuthPersonaMapping" request
     And request contains "persona_mapping_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 404 Not Found
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: Get an AWS cloud authentication persona mapping returns "OK" response
     Given operation "GetAWSCloudAuthPersonaMapping" enabled
     And new "GetAWSCloudAuthPersonaMapping" request
     And request contains "persona_mapping_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 200 OK
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: List AWS cloud authentication persona mappings returns "Bad Request" response
     Given operation "ListAWSCloudAuthPersonaMappings" enabled
     And new "ListAWSCloudAuthPersonaMappings" request
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @generated @skip @team:DataDog/team-aaaauthn
+  @generated @skip @team:DataDog/delegated-auth-login
   Scenario: List AWS cloud authentication persona mappings returns "OK" response
     Given operation "ListAWSCloudAuthPersonaMappings" enabled
     And new "ListAWSCloudAuthPersonaMappings" request

features/v2/delegated_token.feature

@@ -0,0 +1,13 @@
+@endpoint(delegated-token) @endpoint(delegated-token-v2)
+Feature: Delegated Token
+  Exchange a cloud-provider identity proof or Datadog credential for a
+  short-lived delegated-user JWT via Workload Identity Federation.
+
+  @generated @skip @team:DataDog/delegated-auth-login
+  Scenario: Get a delegated token returns "OK" response
+    Given a valid "apiKeyAuth" key in the system
+    And a valid "appKeyAuth" key in the system
+    And an instance of "DelegatedToken" API
+    And new "GetDelegatedToken" request
+    When the request is sent
+    Then the response status is 200 OK

features/v2/intake_key.feature

@@ -0,0 +1,13 @@
+@endpoint(intake-key) @endpoint(intake-key-v2)
+Feature: Intake Key
+  Exchange a cloud-provider identity proof for a Datadog API key via
+  Workload Identity Federation intake mappings.
+
+  @generated @skip @team:DataDog/credentials-management
+  Scenario: Get an intake API key returns "OK" response
+    Given a valid "apiKeyAuth" key in the system
+    And a valid "appKeyAuth" key in the system
+    And an instance of "IntakeKey" API
+    And new "GetIntakeKey" request
+    When the request is sent
+    Then the response status is 200 OK