[IACP-673] Add terraform upload command for IaC artifact ingestion

[vishal-joshi-datadog]

Summary

Implements new datadog-ci terraform upload command to upload Terraform plan and state JSON files to Datadog CI intake API for enhanced cloud-to-code mapping and policy evaluation.

Changes

• Base command structure: Added packages/base/src/commands/terraform/ with CLI registration and command options
• Plugin implementation: Created packages/plugin-terraform/ with full upload logic
• Architecture: Follows existing plugin patterns (similar to coverage, sbom plugins)
• Multipart upload: Event envelope + gzipped IaC file to /api/v2/ciiac endpoint
• Auto-enrichment: Git/CI metadata, SHA256 hashing, file size calculation
• Features: Dry-run mode, verbose logging, optional repo-id override, retry logic

Usage

# Upload Terraform plan
datadog-ci terraform upload plan ./terraform-plan.json

# Upload Terraform state
datadog-ci terraform upload state ./terraform.tfstate

# With flags
datadog-ci terraform upload plan ./plan.json --repo-id "github.com/org/repo" --dry-run --verbose

Key Features

• Single file per invocation (users can loop for multiple files)
• No client-side validation/filtering (per RFC requirements)
• Automatic git metadata sync (with skip option)
• Supports all Datadog sites via DD_SITE environment variable
• Gzip compression and SHA256 hashing
• Retry logic for transient failures

Technical Details

• Event envelope includes: artifact type, hash, size, git/CI context, repo_id
• Uses multipart/form-data with event JSON + iac_file gzipped content
• Integration with existing git-metadata upload helper
• TypeScript build and linting passing

Testing

• TypeScript build passes
• Linting passes
• Unit tests
• Integration tests

Documentation

• Plugin README: packages/plugin-terraform/README.md
• JIRA
• RFC

🤖 Generated with Claude Code

[datadog-datadog-prod-us1]

✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 62496c3 | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[rtrieu]

minor suggestion

[rtrieu]

Suggested change

	When developing software, you can try with the following command:
	To test locally, run:

[ava-silver]

overall lgtm, just a couple nits before I approve

[ava-silver]

you can make validation (and typing!) easier by using typanion for validation, for example, isEnum can be used for enums here. An example of usage in this repo:

datadog-ci/packages/base/src/commands/lambda/cloudwatch.ts

Line 16 in 176ebd3

public action = Option.String({validator: t.isEnum(['disable', 'enable'] as const)})

[vishal-joshi-datadog]

Done

[ava-silver]

mind at least using these constants in your renderers to keep the style consistent?

datadog-ci/packages/base/src/helpers/renderer.ts

Lines 6 to 12 in 176ebd3

	export const dryRunTag = chalk.bold(chalk.cyan('[Dry Run]'))
	export const errorTag = chalk.bold(chalk.red('[Error]'))
	export const warningTag = chalk.bold(chalk.yellow('[Warning]'))
	export const warningExclamationSignTag = chalk.bold(chalk.yellow('[!]'))
	export const successCheckmarkTag = chalk.bold(chalk.green('✔'))
	export const failCrossTag = chalk.bold(chalk.red('✖'))

and if it makes sense feel free to use the helpers in that module as you see fit

[vishal-joshi-datadog]

Done

[ava-silver]

nit: maybe worth considering adding support directly into the cli for this -- doing this in series will end up being slow if the customer has a lot of plan files

[Drarig29]

Yes, we have multiple commands supporting glob patterns for multiple files (e.g. sourcemaps upload)

[vishal-joshi-datadog]

Done

[Drarig29]

Can you follow https://github.com/DataDog/datadog-ci/blob/master/CONTRIBUTING.md#things-to-update since you are adding a new command scope?

[Drarig29]

Yes, we have multiple commands supporting glob patterns for multiple files (e.g. sourcemaps upload)

[ava-silver]

one optional suggestion, but lgtm!