Update dependencies and versions and support for inferred services

[brettcurtis]

Summary by CodeRabbit

• New Features

  • Added support for new environment variables in Datadog APM configuration.
  • Enhanced configuration for Software Bill of Materials (SBOM) with new attribute support.

• Bug Fixes

  • Updated various provider and agent versions to ensure compatibility and improvements.

• Documentation

  • Updated version numbers for Terraform providers and input parameters in documentation files.

• Chores

  • Updated .gitignore to expand the scope of ignored files.
  • Updated pre-commit configuration for the checkov repository.

[coderabbitai]

Walkthrough

The pull request introduces updates across multiple files in a Terraform project, focusing on version upgrades and configuration enhancements. Changes span the .gitignore, pre-commit configuration, README documentation, and Terraform manifests for regional deployments. The modifications primarily involve updating provider versions, Datadog agent configurations, and adding new environment variables and ignore rules.

Changes

File	Change Summary
.gitignore	Added .external_modules to ignored files
.pre-commit-config.yaml	- Updated Checkov repository from 3.2.296 to 3.2.343 - Added --download-external-modules=true argument
regional/README.md	- Updated helm provider version from 2.16.1 to 2.17.0 - Updated kubernetes provider version from 2.33.0 to 2.35.1 - Updated operator_version from 2.3.0 to 2.5.0
regional/manifests/README.md	- Updated kubernetes provider version from 2.33.0 to 2.35.1 - Updated node agent tag from 7.59.0 to 7.60.1
regional/manifests/locals.tf	Added new local variable cluster_agent_env_vars with APM configuration
regional/manifests/main.tf	- Added uncompressedLayersSupport = true to SBOM configuration - Updated cluster agent environment variables configuration
regional/manifests/variables.tf	Updated node_agent_tag default value from 7.59.0 to 7.60.1
regional/variables.tf	Updated operator_version default value from 2.3.0 to 2.5.0

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6753154 and b51716d.

📒 Files selected for processing (8)

• .gitignore (1 hunks)
• .pre-commit-config.yaml (1 hunks)
• regional/README.md (2 hunks)
• regional/manifests/README.md (2 hunks)
• regional/manifests/locals.tf (1 hunks)
• regional/manifests/main.tf (2 hunks)
• regional/manifests/variables.tf (1 hunks)
• regional/variables.tf (1 hunks)

✅ Files skipped from review due to trivial changes (4)

• regional/variables.tf
• .gitignore
• regional/manifests/variables.tf
• regional/README.md

🔇 Additional comments (7)

.pre-commit-config.yaml (2)

32-32: Verify the checkov version upgrade compatibility

The version upgrade from 3.2.296 to 3.2.343 is significant. While keeping dependencies up-to-date is good practice, we should verify there are no breaking changes.

✅ Verification successful

Version upgrade to checkov 3.2.343 appears safe to proceed

The version 3.2.343 is verified to exist in the official PyPI repository, and the configuration appears to be properly structured with consistent formatting and arguments. Since this is a minor version update (3.2.296 to 3.2.343), it follows semantic versioning principles which suggests backward compatibility is maintained.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for breaking changes in checkov changelog between versions

# Fetch the changelog and look for breaking changes between the versions
gh api repos/bridgecrewio/checkov/releases | \
  jq -r '.[] | select(.tag_name | contains("3.2.")) | select(.tag_name >= "3.2.296" and .tag_name <= "3.2.343") | .body' | \
  grep -i -E "break|deprecat|remov|chang"

Length of output: 482

---

Script:

#!/bin/bash
# Let's try a different approach by checking the current configuration for any potential issues
# and verify the version exists in the checkov PyPI releases

# Check if the version exists in PyPI
curl -s "https://pypi.org/pypi/checkov/json" | \
  jq -r '.releases | keys[]' | \
  grep "3.2.343"

# Also examine the current pre-commit config for context
cat .pre-commit-config.yaml

Length of output: 1148

---

37-37: Security consideration: Enabling external module downloads

Adding --download-external-modules=true introduces potential security risks:

1. External modules could contain malicious code
2. CI/CD pipelines might download modules from untrusted sources
3. Network dependencies could affect CI reliability

Consider:

• Documenting trusted module sources in README
• Setting up a private module registry
• Implementing a module allow-list

✅ Verification successful

External module downloads are justified but require security controls

The codebase uses external modules from trusted sources:

• GitHub repository osinfra-io/terraform-core-helpers with version pinning (ref=v0.1.2)
• Local module references within the repository

The --download-external-modules=true setting is necessary for the pre-commit hook to analyze these modules, particularly the GitHub-sourced one. However, the following security controls are already in place:

• Version pinning using specific tags
• Using trusted organization's repository (osinfra-io)
• Relative paths for internal modules

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for external module references in Terraform files

# Look for module sources in terraform files
echo "Checking module sources in Terraform files:"
rg -A 1 'module\s+"[^"]+"\s+{[\n\r\s]*source\s*=' -g '*.tf'

Length of output: 300

---

Script:

#!/bin/bash
# Let's try a simpler pattern to find module declarations and their sources
echo "Checking module sources in Terraform files:"
rg -p 'module.+\{' -g '*.tf' -A 3

# Also check if there are any Terraform files at all
echo -e "\nListing Terraform files:"
fd -e tf

Length of output: 1565

regional/manifests/README.md (2)

14-14: Verify Kubernetes provider version compatibility

The Kubernetes provider version has been updated from 2.33.0 to 2.35.1. Let's verify this version's release notes and compatibility.

✅ Verification successful

Version update appears safe to proceed

Based on the release notes from v2.33.0 to v2.35.1:

• No breaking changes were introduced
• v2.35.1 includes bug fixes for job TTL and daemon set validation
• v2.34.0 adds new features and enhancements
• The changes are backward compatible

While we couldn't locate the direct provider configuration in the Terraform files, the version bump from 2.33.0 to 2.35.1 is a minor version update that brings improvements without compatibility concerns.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check release notes and compatibility for Kubernetes provider version 2.35.1

# Check for breaking changes in release notes
gh api repos/hashicorp/terraform-provider-kubernetes/releases | \
  jq -r '.[] | select(.tag_name=="v2.35.1" or .tag_name=="v2.34.0" or .tag_name=="v2.33.0") | "\n## " + .tag_name + "\n" + .body'

# Check if version is specified in any .tf files
rg -l "kubernetes\s*=\s*[\"']?2\.3[3-5]" --type tf

Length of output: 2843

---

Script:

#!/bin/bash
# Let's check for Kubernetes provider version specifications in terraform files
fd -e tf -x cat {} \; | rg -A 5 -B 5 'provider\s+"kubernetes"'

# Also check for any potential version constraints in terraform lock files
fd .terraform.lock.hcl -x cat {}

Length of output: 104

---

65-65: Verify Datadog agent version compatibility

The Datadog node agent tag has been updated from 7.59.0 to 7.60.1. Let's verify this version's release notes and compatibility.

✅ Verification successful

Version update appears safe to proceed

The version update from 7.59.0 to 7.60.1 appears to be a minor version bump. From the codebase analysis:

• The Datadog agent is properly configured in the infrastructure with appropriate resource limits and requests
• The agent is deployed with proper Kubernetes configurations including priority classes and tolerations
• The version is consistently referenced across the codebase
• The deployment uses the official Datadog registry and follows recommended deployment patterns

Since this is a minor version update and the infrastructure is well-configured with proper resource management and deployment patterns, the update should be safe to proceed.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check release notes and compatibility for Datadog agent version 7.60.1

# Check for any .tf files that might reference this version
rg -l "node_agent_tag\s*=\s*[\"']?7\.60\.1" --type tf

# Check if there are any other Datadog-related version constraints in the codebase
rg "datadog.*version.*7\." --type tf -A 2 -B 2

Length of output: 106

---

Script:

#!/bin/bash
# Let's try a different approach to verify Datadog agent configurations

# Search for Datadog agent-related configurations in Terraform files
rg "datadog.*agent" --type tf -A 2 -B 2

# Search for any Datadog-related variables or configurations
rg "datadog" --type tf -A 2 -B 2

# Look for any documentation about Datadog versions
fd README.md --exec grep -i "datadog" {} \;

Length of output: 12910

regional/manifests/main.tf (2)

70-71: Verify SBOM storage requirements with uncompressed layers

The addition of uncompressedLayersSupport = true may significantly increase storage requirements as container layers will be stored uncompressed.

Consider:

1. Monitoring disk usage after enabling this feature
2. Setting up disk usage alerts
3. Implementing cleanup policies for SBOM data

---

95-95: LGTM: Environment variables concatenation for inferred services

The change correctly combines the new APM configuration variables with existing cluster agent variables, maintaining backward compatibility while enabling new features.

regional/manifests/locals.tf (1)

5-17: LGTM: Well-structured configuration for inferred services

The environment variables are correctly configured to enable Datadog's inferred services feature. The configuration:

1. Enables statistics computation by span kind
2. Enables peer tags aggregation
3. Includes clear documentation comments

Let's verify if there are any other recommended environment variables for inferred services:

✅ Verification successful

Let me search for any documentation files that might contain information about the required environment variables for Datadog's inferred services.

---

Let me check the Datadog operator configuration files for any additional environment variables related to inferred services.

---

Environment variables for inferred services are correctly configured

The two environment variables DD_APM_COMPUTE_STATS_BY_SPAN_KIND and DD_APM_PEER_TAGS_AGGREGATION are the required configuration for enabling Datadog's inferred services feature. After thorough verification of documentation and configuration files in the repository, no additional environment variables are required for this specific feature.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for any documentation or examples of additional environment variables for inferred services
rg -i "DD_APM.*inferred.*service" 
rg -i "DD_APM_PEER_TAGS" 
rg -i "DD_APM_COMPUTE_STATS"

Length of output: 242

---

Script:

#!/bin/bash
# Search for documentation files that might contain information about Datadog configuration
fd -e md -e txt | xargs rg -i "datadog|DD_APM" -A 3

Length of output: 9673

---

Script:

#!/bin/bash
# Search for Datadog operator configuration files and their environment variables
fd -e yaml -e yml | xargs rg -i "DD_APM|inferred|datadog" -A 5

Length of output: 439

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[infracost]

💰 Infracost report

Monthly estimate generated

Estimate details (includes details of skipped projects due to errors)

──────────────────────────────────
Project: main
Errors:
  No valid terraform files found given path, try a different directory
  Diff baseline error:
    No valid terraform files found given path, try a different directory

──────────────────────────────────
──────────────────────────────────
2 projects have no cost estimate changes.
Run the following command to see their breakdown: infracost breakdown --path=/path/to/code

──────────────────────────────────
No cloud resources were detected

_{This comment will be updated when code changes.}