Add security list resource

Author: nick-benoit

examples/resources/elasticstack_kibana_security_list/resource.tf

@@ -0,0 +1,6 @@
+resource "elasticstack_kibana_security_list" "ip_list" {
+  space_id    = "default"
+  name        = "Trusted IP Addresses"
+  description = "List of trusted IP addresses for security rules"
+  type        = "ip"
+}

examples/resources/elasticstack_kibana_security_list/resource_keyword.tf

@@ -0,0 +1,7 @@
+resource "elasticstack_kibana_security_list" "keyword_list" {
+  space_id    = "security"
+  list_id     = "custom-keywords"
+  name        = "Custom Keywords"
+  description = "Custom keyword list for detection rules"
+  type        = "keyword"
+}

internal/clients/kibana_oapi/security_lists.go

@@ -0,0 +1,154 @@
+package kibana_oapi
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/elastic/terraform-provider-elasticstack/generated/kbapi"
+	"github.com/elastic/terraform-provider-elasticstack/internal/diagutil"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+)
+
+// CreateListIndex creates the .lists and .items data streams for a space if they don't exist.
+// This is required before any list operations can be performed.
+func CreateListIndex(ctx context.Context, client *Client, spaceId string) diag.Diagnostics {
+	resp, err := client.API.CreateListIndexWithResponse(ctx, kbapi.SpaceId(spaceId))
+	if err != nil {
+		return diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return nil
+	default:
+		return reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// GetList reads a security list from the API by ID
+func GetList(ctx context.Context, client *Client, spaceId string, params *kbapi.ReadListParams) (*kbapi.ReadListResponse, diag.Diagnostics) {
+	resp, err := client.API.ReadListWithResponse(ctx, kbapi.SpaceId(spaceId), params)
+	if err != nil {
+		return nil, diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return resp, nil
+	case http.StatusNotFound:
+		return nil, nil
+	default:
+		return nil, reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// CreateList creates a new security list.
+func CreateList(ctx context.Context, client *Client, spaceId string, body kbapi.CreateListJSONRequestBody) (*kbapi.CreateListResponse, diag.Diagnostics) {
+	resp, err := client.API.CreateListWithResponse(ctx, kbapi.SpaceId(spaceId), body)
+	if err != nil {
+		return nil, diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return resp, nil
+	default:
+		return nil, reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// UpdateList updates an existing security list.
+func UpdateList(ctx context.Context, client *Client, spaceId string, body kbapi.UpdateListJSONRequestBody) (*kbapi.UpdateListResponse, diag.Diagnostics) {
+	resp, err := client.API.UpdateListWithResponse(ctx, kbapi.SpaceId(spaceId), body)
+	if err != nil {
+		return nil, diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return resp, nil
+	default:
+		return nil, reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// DeleteList deletes an existing security list.
+func DeleteList(ctx context.Context, client *Client, spaceId string, params *kbapi.DeleteListParams) diag.Diagnostics {
+	resp, err := client.API.DeleteListWithResponse(ctx, kbapi.SpaceId(spaceId), params)
+	if err != nil {
+		return diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return nil
+	case http.StatusNotFound:
+		return nil
+	default:
+		return reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// GetListItem reads a security list item from the API by ID or list_id and value
+func GetListItem(ctx context.Context, client *Client, spaceId string, params *kbapi.ReadListItemParams) (*kbapi.ReadListItemResponse, diag.Diagnostics) {
+	resp, err := client.API.ReadListItemWithResponse(ctx, kbapi.SpaceId(spaceId), params)
+	if err != nil {
+		return nil, diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return resp, nil
+	case http.StatusNotFound:
+		return nil, nil
+	default:
+		return nil, reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// CreateListItem creates a new security list item.
+func CreateListItem(ctx context.Context, client *Client, spaceId string, body kbapi.CreateListItemJSONRequestBody) (*kbapi.CreateListItemResponse, diag.Diagnostics) {
+	resp, err := client.API.CreateListItemWithResponse(ctx, kbapi.SpaceId(spaceId), body)
+	if err != nil {
+		return nil, diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return resp, nil
+	default:
+		return nil, reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// UpdateListItem updates an existing security list item.
+func UpdateListItem(ctx context.Context, client *Client, spaceId string, body kbapi.UpdateListItemJSONRequestBody) (*kbapi.UpdateListItemResponse, diag.Diagnostics) {
+	resp, err := client.API.UpdateListItemWithResponse(ctx, kbapi.SpaceId(spaceId), body)
+	if err != nil {
+		return nil, diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return resp, nil
+	default:
+		return nil, reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// DeleteListItem deletes an existing security list item.
+func DeleteListItem(ctx context.Context, client *Client, spaceId string, params *kbapi.DeleteListItemParams) diag.Diagnostics {
+	resp, err := client.API.DeleteListItemWithResponse(ctx, kbapi.SpaceId(spaceId), params)
+	if err != nil {
+		return diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		return nil
+	case http.StatusNotFound:
+		return nil
+	default:
+		return reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}

internal/kibana/security_list/acc_test.go

@@ -0,0 +1,153 @@
+package security_list_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/elastic/terraform-provider-elasticstack/internal/acctest"
+	"github.com/elastic/terraform-provider-elasticstack/internal/clients"
+	"github.com/elastic/terraform-provider-elasticstack/internal/clients/kibana_oapi"
+	"github.com/google/uuid"
+	"github.com/hashicorp/terraform-plugin-testing/config"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func ensureListIndexExists(t *testing.T) {
+	client, err := clients.NewAcceptanceTestingClient()
+	if err != nil {
+		t.Fatalf("Failed to create client: %v", err)
+	}
+
+	kibanaClient, err := client.GetKibanaOapiClient()
+	if err != nil {
+		t.Fatalf("Failed to get Kibana client: %v", err)
+	}
+
+	diags := kibana_oapi.CreateListIndex(context.Background(), kibanaClient, "default")
+	if diags.HasError() {
+		// It's OK if it already exists, we'll only fail on other errors
+		for _, d := range diags {
+			if d.Summary() != "Unexpected status code from server: got HTTP 409" {
+				t.Fatalf("Failed to create list index: %v", d.Detail())
+			}
+		}
+	}
+}
+
+func TestAccResourceSecurityList(t *testing.T) {
+	listID := "test-list-" + uuid.New().String()
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(t)
+			ensureListIndexExists(t)
+		},
+		ProtoV6ProviderFactories: acctest.Providers,
+		Steps: []resource.TestStep{
+			{ // Create
+				ConfigDirectory: acctest.NamedTestCaseDirectory("create"),
+				ConfigVariables: config.Variables{
+					"list_id":     config.StringVariable(listID),
+					"name":        config.StringVariable("Test Security List"),
+					"description": config.StringVariable("A test security list for IP addresses"),
+					"type":        config.StringVariable("ip"),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_list.test", "id"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "name", "Test Security List"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "description", "A test security list for IP addresses"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "type", "ip"),
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_list.test", "created_at"),
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_list.test", "created_by"),
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_list.test", "updated_at"),
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_list.test", "updated_by"),
+				),
+			},
+			{ // Update
+				ConfigDirectory: acctest.NamedTestCaseDirectory("update"),
+				ConfigVariables: config.Variables{
+					"list_id":     config.StringVariable(listID),
+					"name":        config.StringVariable("Updated Security List"),
+					"description": config.StringVariable("An updated test security list"),
+					"type":        config.StringVariable("ip"),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "name", "Updated Security List"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "description", "An updated test security list"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccResourceSecurityList_KeywordType(t *testing.T) {
+	listID := "keyword-list-" + uuid.New().String()
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(t)
+			ensureListIndexExists(t)
+		},
+		ProtoV6ProviderFactories: acctest.Providers,
+		Steps: []resource.TestStep{
+			{
+				ConfigDirectory: acctest.NamedTestCaseDirectory("keyword_type"),
+				ConfigVariables: config.Variables{
+					"list_id":     config.StringVariable(listID),
+					"name":        config.StringVariable("Keyword Security List"),
+					"description": config.StringVariable("A test security list for keywords"),
+					"type":        config.StringVariable("keyword"),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "type", "keyword"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccResourceSecurityList_SerializerDeserializer(t *testing.T) {
+	listID := "serializer-list-" + uuid.New().String()
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.PreCheck(t)
+			ensureListIndexExists(t)
+		},
+		ProtoV6ProviderFactories: acctest.Providers,
+		Steps: []resource.TestStep{
+			{ // Create with serializer and deserializer
+				ConfigDirectory: acctest.NamedTestCaseDirectory("create"),
+				ConfigVariables: config.Variables{
+					"list_id":      config.StringVariable(listID),
+					"name":         config.StringVariable("Custom Serializer List"),
+					"description":  config.StringVariable("A test list with custom serializer and deserializer"),
+					"type":         config.StringVariable("ip"),
+					"serializer":   config.StringVariable("{{ip}}"),
+					"deserializer": config.StringVariable("{{ip}}"),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_list.test", "id"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "name", "Custom Serializer List"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "type", "ip"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "serializer", "{{ip}}"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "deserializer", "{{ip}}"),
+				),
+			},
+			{ // Update name and description (serializer/deserializer are immutable)
+				ConfigDirectory: acctest.NamedTestCaseDirectory("update"),
+				ConfigVariables: config.Variables{
+					"list_id":      config.StringVariable(listID),
+					"name":         config.StringVariable("Updated Serializer List"),
+					"description":  config.StringVariable("Updated test list description"),
+					"type":         config.StringVariable("ip"),
+					"serializer":   config.StringVariable("{{ip}}"),
+					"deserializer": config.StringVariable("{{ip}}"),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "name", "Updated Serializer List"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "description", "Updated test list description"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "serializer", "{{ip}}"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_list.test", "deserializer", "{{ip}}"),
+				),
+			},
+		},
+	})
+}

internal/kibana/security_list/create.go

@@ -0,0 +1,69 @@
+package security_list
+
+import (
+	"context"
+
+	"github.com/elastic/terraform-provider-elasticstack/generated/kbapi"
+	"github.com/elastic/terraform-provider-elasticstack/internal/clients/kibana_oapi"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+)
+
+func (r *securityListResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan SecurityListModel
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Get Kibana client
+	client, err := r.client.GetKibanaOapiClient()
+	if err != nil {
+		resp.Diagnostics.AddError("Failed to get Kibana client", err.Error())
+		return
+	}
+
+	// Convert plan to API request
+	createReq, diags := plan.toCreateRequest()
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// Create the list
+	spaceID := plan.SpaceID.ValueString()
+	createResp, diags := kibana_oapi.CreateList(ctx, client, spaceID, *createReq)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if createResp == nil || createResp.JSON200 == nil {
+		resp.Diagnostics.AddError("Failed to create security list", "API returned empty response")
+		return
+	}
+
+	// Read the created list to populate state
+	readParams := &kbapi.ReadListParams{
+		Id: createResp.JSON200.Id,
+	}
+
+	readResp, diags := kibana_oapi.GetList(ctx, client, spaceID, readParams)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if readResp == nil || readResp.JSON200 == nil {
+		resp.State.RemoveResource(ctx)
+		return
+	}
+
+	// Update state with read response
+	diags = plan.fromAPI(ctx, readResp.JSON200)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, plan)...)
+}