Allow packages which have format_version < 3.5.0 to ship alert rule templates (#1012)

tommyers-elastic · web-flow · commit c9365dbc509a · 2025-11-17T12:43:55.000+01:00
This allows Integrations to ship templates without bumping format_version explicitly.
The impact of this is that packages can still support installation on 8.19.x (where
templates are ignored), whilst also providing templates for users on stack versions
that support them.

It leaves the decision about format_version up to Integration developers, which ends
up being a trade off between stack support for the package and clarity for users about
what features and functionality the package provides.
diff --git a/code/go/pkg/validator/validator_test.go b/code/go/pkg/validator/validator_test.go
@@ -37,6 +37,7 @@ func TestValidateFile(t *testing.T) {
 		"good_input_otel":                    {},
 		"good_content":                       {},
 		"good_lookup_index":                  {},
+		"good_alert_rule_templates":          {},
 		"deploy_custom_agent":                {},
 		"deploy_custom_agent_multi_services": {},
 		"deploy_docker":                      {},
@@ -412,6 +413,11 @@ func TestValidateItemNotAllowed(t *testing.T) {
 				"file.txt",
 			},
 		},
+		"bad_alert_rule_templates": {
+			"kibana": []string{
+				"alerting_rule_template",
+			},
+		},
 	}
 
 	for pkgName, invalidItemsPerFolder := range tests {
diff --git a/spec/changelog.yml b/spec/changelog.yml
@@ -17,6 +17,9 @@
       link: https://github.com/elastic/package-spec/pull/999
 - version: 3.5.3-next
   changes:
+    - description: Make support for alert rule templates more permissive.
+      type: enhancement
+      link: https://github.com/elastic/package-spec/pull/1012
     - description: Allow to define the message field in an array in the remove procesor for event.original.
       type: enhancement
       link: https://github.com/elastic/package-spec/pull/1013
diff --git a/spec/integration/kibana/spec.yml b/spec/integration/kibana/spec.yml
@@ -150,7 +150,7 @@ versions:
     patch:
       - op: remove
         path: "/contents/13" # remove SLO definitions
-  - before: 3.5.0
+  - before: 3.4.0
     patch:
       - op: remove
         path: "/contents/13" # remove alerting rule template definitions
diff --git a/test/packages/bad_alert_rule_templates/_dev/build/docs/README.md b/test/packages/bad_alert_rule_templates/_dev/build/docs/README.md
@@ -0,0 +1 @@
+# Bad alert rule templates
diff --git a/test/packages/bad_alert_rule_templates/changelog.yml b/test/packages/bad_alert_rule_templates/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "1.0.0"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
diff --git a/test/packages/bad_alert_rule_templates/docs/README.md b/test/packages/bad_alert_rule_templates/docs/README.md
@@ -0,0 +1 @@
+# Bad alert rule templates
diff --git a/test/packages/bad_alert_rule_templates/kibana/alerting_rule_template/some-rule.json b/test/packages/bad_alert_rule_templates/kibana/alerting_rule_template/some-rule.json
@@ -0,0 +1,24 @@
+{
+    "id": "some-rule",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[Something] Some rule",
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "1m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 5,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "FROM metrics-something-default | STATS max=MAX(some_field) by some_dimension | WHERE max > 100"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
diff --git a/test/packages/bad_alert_rule_templates/manifest.yml b/test/packages/bad_alert_rule_templates/manifest.yml
@@ -0,0 +1,14 @@
+format_version: 3.3.0
+name: bad_alert_rule_templates
+title: "Bad Alert Rule Templates"
+version: 1.0.0
+description: "This package contains alerting rule templates with an unsupported 'format_version'."
+type: integration
+conditions:
+  kibana:
+    version: "^8.18.0"
+  elastic:
+    subscription: "basic"
+owner:
+  github: elastic/integrations
+  type: elastic
diff --git a/test/packages/bad_alert_rule_templates/sample_event.json b/test/packages/bad_alert_rule_templates/sample_event.json
@@ -0,0 +1,3 @@
+{
+    "description": "This is an example sample-event for Bad Alert Rule Templates. Replace it with a real sample event. Hint: If system tests exist, running `elastic-package test system --generate` will generate this file."
+}
diff --git a/test/packages/good_alert_rule_templates/_dev/build/docs/README.md b/test/packages/good_alert_rule_templates/_dev/build/docs/README.md
@@ -0,0 +1 @@
+# Good alert rule templates
diff --git a/test/packages/good_alert_rule_templates/changelog.yml b/test/packages/good_alert_rule_templates/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "1.0.0"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
diff --git a/test/packages/good_alert_rule_templates/docs/README.md b/test/packages/good_alert_rule_templates/docs/README.md
@@ -0,0 +1 @@
+# Good alert rule templates
diff --git a/test/packages/good_alert_rule_templates/kibana/alerting_rule_template/some-rule.json b/test/packages/good_alert_rule_templates/kibana/alerting_rule_template/some-rule.json
@@ -0,0 +1,24 @@
+{
+    "id": "some-rule",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[Something] Some rule",
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "1m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 5,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "FROM metrics-something-default | STATS max=MAX(some_field) by some_dimension | WHERE max > 100"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
diff --git a/test/packages/good_alert_rule_templates/manifest.yml b/test/packages/good_alert_rule_templates/manifest.yml
@@ -0,0 +1,14 @@
+format_version: 3.4.0
+name: good_alert_rule_templates
+title: "Good Alert Rule Templates"
+version: 1.0.0
+description: "This package contains alerting rule templates with a supported 'format_version'."
+type: integration
+conditions:
+  kibana:
+    version: "^8.19.0"
+  elastic:
+    subscription: "basic"
+owner:
+  github: elastic/integrations
+  type: elastic
diff --git a/test/packages/good_alert_rule_templates/sample_event.json b/test/packages/good_alert_rule_templates/sample_event.json
@@ -0,0 +1,3 @@
+{
+    "description": "This is an example sample-event for Good Alert Rule Templates. Replace it with a real sample event. Hint: If system tests exist, running `elastic-package test system --generate` will generate this file."
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	+ "description": "This is an example sample-event for Bad Alert Rule Templates. Replace it with a real sample event. Hint: If system tests exist, running `elastic-package test system --generate` will generate this file."
	`3`	`+}`