[DRAFT] Terraform support for SaaS generic integration API

[rossicris]

Summary

This PR adds Terraform support for the Datadog Web Integrations API, allowing users to manage third-party integration accounts (Twilio, Snowflake, Databricks, etc.) as Terraform resources.

What's being introduced

New resource: datadog_web_integration_account

A Terraform resource that maps to the Web Integrations API (/api/v2/web-integrations/{integration_name}/accounts).

Schema attributes:

Attribute	Type	Required	Description
id	string	computed	Account UUID from the API
integration_name	string	yes	Integration type (e.g. twilio, snowflake-web, databricks). Changing this forces replacement
name	string	yes	Display name for the account. Must be unique per integration
settings_json	string	yes	Integration-specific settings as JSON
secrets_json	string	yes (sensitive)	Integration-specific credentials as JSON

Implementation details:

• Uses utils.SendRequest with the provider HTTP client (no generated Web Integrations client yet)
• integration_name has RequiresReplace() (it is part of the API path)
• secrets_json has UseStateForUnknown() and is preserved from prior state on update (API never returns secrets)
• settings_json and secrets_json use jsontypes.NormalizedType{} for JSON handling
• 404 handling: Read removes the resource from state; Delete treats 404 as success

Files changed/added:

• datadog/fwprovider/resource_datadog_web_integration_account.go – resource implementation
• datadog/fwprovider/framework_provider.go – resource registration
• examples/resources/datadog_web_integration_account/resource.tf – Twilio, Snowflake, Databricks examples
• examples/resources/datadog_web_integration_account/import.sh – import examples

---

Expected behavior

Create

• Sends name, settings, and secrets to POST /api/v2/web-integrations/{integration_name}/accounts
• Stores the returned account id in state
• Fails with clear errors if settings_json or secrets_json are invalid or do not match the integration schema

Read

• Calls GET /api/v2/web-integrations/{integration_name}/accounts/{account_id}
• Updates state with id, integration_name, name, and settings_json from the response
• Keeps secrets_json from state (API does not return secrets)
• If the account is 404, removes the resource from state

Update

• Calls PATCH /api/v2/web-integrations/{integration_name}/accounts/{account_id} with name, settings, and secrets
• Uses prior state for secrets_json when the plan does not change it (e.g. UseStateForUnknown)
• Updates state with the response; secrets_json remains from prior state

Delete

• Calls DELETE /api/v2/web-integrations/{integration_name}/accounts/{account_id}
• Treats 404 as success (idempotent delete)

Import

• Import ID format: integration_name:account_id (e.g. twilio:abc123def456)
• Example: terraform import datadog_web_integration_account.example "twilio:abc123def456"

---

Supported integrations

• twilio – Twilio logs and metrics
• snowflake-web – Snowflake logs, metrics, and cost data
• databricks – Databricks jobs, clusters, and cost data

Each integration has its own schema for settings and secrets. Users can fetch the schema with:

GET /api/v2/web-integrations/{integration_name}/accounts/schema

---

Notes for users

1. Account name uniqueness – name must be unique per integration; the API enforces this.
2. Secrets are write-only – Secrets are never returned by the API; Terraform cannot detect drift on them.
3. JSON validation – settings_json and secrets_json must be valid JSON and match the integration schema; schema violations surface as API errors (e.g. 422).
4. Schema discovery – Use the schema endpoint or the examples for Twilio, Snowflake, and Databricks as a reference.

---

Testing

• Manual create/read/update/delete for at least one integration
• Import of an existing account
• Plan with integration_name change shows replacement
• Update without changing secrets_json does not clear secrets