Merge branch 'copilot/add-elastic-security-exceptions' of github.com:elastic/terraform-provider-elasticstack into copilot/add-elastic-security-exceptions

nick-benoit · nick-benoit · commit 12e5203fbaeb · 2025-11-20T08:31:20.000-07:00
diff --git a/docs/resources/kibana_security_exception_item.md b/docs/resources/kibana_security_exception_item.md
@@ -103,7 +103,7 @@ resource "elasticstack_kibana_security_exception_item" "complex_entry" {
 ### Optional
 
 - `comments` (Attributes List) Array of comments about the exception item. (see [below for nested schema](#nestedatt--comments))
-- `expire_time` (String) The exception item's expiration date in ISO format. This field is only available for regular exception items, not endpoint exceptions.
+- `expire_time` (String) The exception item's expiration date in RFC3339 format. This field is only available for regular exception items, not endpoint exceptions.
 - `item_id` (String) The exception item's human readable string identifier.
 - `meta` (String) Placeholder for metadata about the exception item as JSON string.
 - `namespace_type` (String) Determines whether the exception item is available in all Kibana spaces or just the space in which it is created. Can be `single` (default) or `agnostic`.
diff --git a/internal/kibana/security/exception_item/create.go b/internal/kibana/security/exception_item/create.go
@@ -8,6 +8,7 @@ import (
 	"github.com/elastic/terraform-provider-elasticstack/generated/kbapi"
 	"github.com/elastic/terraform-provider-elasticstack/internal/clients/kibana_oapi"
 	"github.com/elastic/terraform-provider-elasticstack/internal/utils"
+	"github.com/hashicorp/terraform-plugin-framework-jsontypes/jsontypes"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
@@ -140,24 +141,8 @@ func (r *ExceptionItemResource) Create(ctx context.Context, req resource.CreateR
 		return
 	}
 
-	// Read back the created resource to get computed fields
-	readParams := &kbapi.ReadExceptionListItemParams{
-		Id: (*kbapi.SecurityExceptionsAPIExceptionListItemId)(&createResp.JSON200.Id),
-	}
-
-	readResp, diags := kibana_oapi.GetExceptionListItem(ctx, client, readParams)
-	resp.Diagnostics.Append(diags...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	if readResp == nil || readResp.JSON200 == nil {
-		resp.Diagnostics.AddError("Failed to read created exception item", "API returned empty response")
-		return
-	}
-
-	// Update state with response
-	diags = r.updateStateFromAPIResponse(ctx, &plan, readResp.JSON200)
+	// Update state with create response
+	diags = r.updateStateFromAPIResponse(ctx, &plan, createResp.JSON200)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
@@ -224,13 +209,13 @@ func (r *ExceptionItemResource) updateStateFromAPIResponse(ctx context.Context,
 		model.Meta = types.StringNull()
 	}
 
-	// Set entries (convert back to JSON)
+	// Set entries (convert back to JSON and normalize)
 	entriesJSON, err := json.Marshal(apiResp.Entries)
 	if err != nil {
 		diags.AddError("Failed to serialize entries", err.Error())
 		return diags
 	}
-	model.Entries = types.StringValue(string(entriesJSON))
+	model.Entries = jsontypes.NewNormalizedValue(string(entriesJSON))
 
 	// Set optional comments
 	if len(apiResp.Comments) > 0 {
diff --git a/internal/kibana/security/exception_item/models.go b/internal/kibana/security/exception_item/models.go
@@ -1,28 +1,29 @@
 package exception_item
 
 import (
+	"github.com/hashicorp/terraform-plugin-framework-jsontypes/jsontypes"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 )
 
 type ExceptionItemModel struct {
-	ID            types.String `tfsdk:"id"`
-	ItemID        types.String `tfsdk:"item_id"`
-	ListID        types.String `tfsdk:"list_id"`
-	Name          types.String `tfsdk:"name"`
-	Description   types.String `tfsdk:"description"`
-	Type          types.String `tfsdk:"type"`
-	NamespaceType types.String `tfsdk:"namespace_type"`
-	OsTypes       types.List   `tfsdk:"os_types"`
-	Tags          types.List   `tfsdk:"tags"`
-	Meta          types.String `tfsdk:"meta"`
-	Entries       types.String `tfsdk:"entries"`
-	Comments      types.List   `tfsdk:"comments"`
-	ExpireTime    types.String `tfsdk:"expire_time"`
-	CreatedAt     types.String `tfsdk:"created_at"`
-	CreatedBy     types.String `tfsdk:"created_by"`
-	UpdatedAt     types.String `tfsdk:"updated_at"`
-	UpdatedBy     types.String `tfsdk:"updated_by"`
-	TieBreakerID  types.String `tfsdk:"tie_breaker_id"`
+	ID            types.String         `tfsdk:"id"`
+	ItemID        types.String         `tfsdk:"item_id"`
+	ListID        types.String         `tfsdk:"list_id"`
+	Name          types.String         `tfsdk:"name"`
+	Description   types.String         `tfsdk:"description"`
+	Type          types.String         `tfsdk:"type"`
+	NamespaceType types.String         `tfsdk:"namespace_type"`
+	OsTypes       types.List           `tfsdk:"os_types"`
+	Tags          types.List           `tfsdk:"tags"`
+	Meta          types.String         `tfsdk:"meta"`
+	Entries       jsontypes.Normalized `tfsdk:"entries"`
+	Comments      types.List           `tfsdk:"comments"`
+	ExpireTime    types.String         `tfsdk:"expire_time"`
+	CreatedAt     types.String         `tfsdk:"created_at"`
+	CreatedBy     types.String         `tfsdk:"created_by"`
+	UpdatedAt     types.String         `tfsdk:"updated_at"`
+	UpdatedBy     types.String         `tfsdk:"updated_by"`
+	TieBreakerID  types.String         `tfsdk:"tie_breaker_id"`
 }
 
 type CommentModel struct {
diff --git a/internal/kibana/security/exception_item/schema.go b/internal/kibana/security/exception_item/schema.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	_ "embed"
 
+	"github.com/hashicorp/terraform-plugin-framework-jsontypes/jsontypes"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
@@ -91,6 +92,7 @@ func (r *ExceptionItemResource) Schema(_ context.Context, _ resource.SchemaReque
 			"entries": schema.StringAttribute{
 				MarkdownDescription: "The exception item entries as JSON string. This defines the conditions under which the exception applies.",
 				Required:            true,
+				CustomType:          jsontypes.NormalizedType{},
 			},
 			"comments": schema.ListNestedAttribute{
 				MarkdownDescription: "Array of comments about the exception item.",
@@ -109,7 +111,7 @@ func (r *ExceptionItemResource) Schema(_ context.Context, _ resource.SchemaReque
 				},
 			},
 			"expire_time": schema.StringAttribute{
-				MarkdownDescription: "The exception item's expiration date in ISO format. This field is only available for regular exception items, not endpoint exceptions.",
+				MarkdownDescription: "The exception item's expiration date in RFC3339 format. This field is only available for regular exception items, not endpoint exceptions.",
 				Optional:            true,
 			},
 			"created_at": schema.StringAttribute{
diff --git a/internal/kibana/security/exception_list/create.go b/internal/kibana/security/exception_list/create.go
@@ -94,24 +94,8 @@ func (r *ExceptionListResource) Create(ctx context.Context, req resource.CreateR
 		return
 	}
 
-	// Read back the created resource to get computed fields
-	readParams := &kbapi.ReadExceptionListParams{
-		Id: (*kbapi.SecurityExceptionsAPIExceptionListId)(&createResp.JSON200.Id),
-	}
-
-	readResp, diags := kibana_oapi.GetExceptionList(ctx, client, readParams)
-	resp.Diagnostics.Append(diags...)
-	if resp.Diagnostics.HasError() {
-		return
-	}
-
-	if readResp == nil || readResp.JSON200 == nil {
-		resp.Diagnostics.AddError("Failed to read created exception list", "API returned empty response")
-		return
-	}
-
-	// Update state with response
-	diags = r.updateStateFromAPIResponse(ctx, &plan, readResp.JSON200)
+	// Update state with create response
+	diags = r.updateStateFromAPIResponse(ctx, &plan, createResp.JSON200)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
diff --git a/internal/kibana/security/exception_list/update.go b/internal/kibana/security/exception_list/update.go
@@ -31,6 +31,9 @@ func (r *ExceptionListResource) Update(ctx context.Context, req resource.UpdateR
 		Id:          &id,
 		Name:        kbapi.SecurityExceptionsAPIExceptionListName(plan.Name.ValueString()),
 		Description: kbapi.SecurityExceptionsAPIExceptionListDescription(plan.Description.ValueString()),
+		// Type is required by the API even though it has RequiresReplace in the schema
+		// The API will reject updates without this field, even though the value cannot change
+		Type: kbapi.SecurityExceptionsAPIExceptionListType(plan.Type.ValueString()),
 	}
 
 	// Set optional namespace_type (should not change, but include it)

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,9 @@ func (r *ExceptionListResource) Update(ctx context.Context, req resource.UpdateR`
`31`	`31`	`Id: &id,`
`32`	`32`	`Name: kbapi.SecurityExceptionsAPIExceptionListName(plan.Name.ValueString()),`
`33`	`33`	`Description: kbapi.SecurityExceptionsAPIExceptionListDescription(plan.Description.ValueString()),`
	`34`	`+ // Type is required by the API even though it has RequiresReplace in the schema`
	`35`	`+ // The API will reject updates without this field, even though the value cannot change`
	`36`	`+ Type: kbapi.SecurityExceptionsAPIExceptionListType(plan.Type.ValueString()),`
`34`	`37`	`}`
`35`	`38`
`36`	`39`	`// Set optional namespace_type (should not change, but include it)`