Create basic structure for Kibana Security Detection Rules resource

Copilot · nick-benoit · Copilot · commit 32d025522537 · 2025-09-08T15:47:31.000Z
Co-authored-by: nick-benoit &lt;163016768+nick-benoit@users.noreply.github.com&gt;
diff --git a/internal/kibana/security/detection_rule/acc_test.go b/internal/kibana/security/detection_rule/acc_test.go
@@ -0,0 +1,48 @@
+package detection_rule_test
+
+import (
+	"testing"
+
+	"github.com/elastic/terraform-provider-elasticstack/internal/acctest"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+func TestAccResourceKibanaSecurityDetectionRule(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ProtoV6ProviderFactories: acctest.Providers,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccResourceKibanaSecurityDetectionRuleCreate(),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_detection_rule.test", "name", "Test Detection Rule"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_detection_rule.test", "description", "Test security detection rule"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_detection_rule.test", "type", "query"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_detection_rule.test", "severity", "medium"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_detection_rule.test", "enabled", "true"),
+				),
+			},
+		},
+	})
+}
+
+func testAccResourceKibanaSecurityDetectionRuleCreate() string {
+	return `
+provider "elasticstack" {
+  kibana {}
+}
+
+resource "elasticstack_kibana_security_detection_rule" "test" {
+  name        = "Test Detection Rule"
+  description = "Test security detection rule"
+  type        = "query"
+  query       = "*:*"
+  language    = "kuery"
+  severity    = "medium"
+  enabled     = true
+  tags        = ["test"]
+  interval    = "5m"
+  from        = "now-6m"
+  to          = "now"
+}`
+}
diff --git a/internal/kibana/security/detection_rule/create.go b/internal/kibana/security/detection_rule/create.go
@@ -0,0 +1,26 @@
+package detection_rule
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+)
+
+func (r *securityDetectionRuleResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var data SecurityDetectionRuleData
+	resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// TODO: Implement actual API call to create security detection rule
+	// For now, just set a placeholder ID
+	data.Id = data.RuleId
+	if data.Id.IsNull() || data.Id.IsUnknown() {
+		// Generate a UUID if rule_id is not provided
+		data.Id = data.Name // Placeholder - should generate proper UUID
+		data.RuleId = data.Id
+	}
+
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
diff --git a/internal/kibana/security/detection_rule/delete.go b/internal/kibana/security/detection_rule/delete.go
@@ -0,0 +1,18 @@
+package detection_rule
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+)
+
+func (r *securityDetectionRuleResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var data SecurityDetectionRuleData
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// TODO: Implement actual API call to delete security detection rule
+	// For now, just remove from state
+}
diff --git a/internal/kibana/security/detection_rule/models.go b/internal/kibana/security/detection_rule/models.go
@@ -0,0 +1,36 @@
+package detection_rule
+
+import (
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+type SecurityDetectionRuleData struct {
+	Id                 types.String `tfsdk:"id"`
+	KibanaConnection   types.List   `tfsdk:"kibana_connection"`
+	SpaceId            types.String `tfsdk:"space_id"`
+	RuleId             types.String `tfsdk:"rule_id"`
+	Name               types.String `tfsdk:"name"`
+	Description        types.String `tfsdk:"description"`
+	Type               types.String `tfsdk:"type"`
+	Query              types.String `tfsdk:"query"`
+	Language           types.String `tfsdk:"language"`
+	Index              types.List   `tfsdk:"index"`
+	Severity           types.String `tfsdk:"severity"`
+	Risk               types.Int64  `tfsdk:"risk"`
+	Enabled            types.Bool   `tfsdk:"enabled"`
+	Tags               types.List   `tfsdk:"tags"`
+	From               types.String `tfsdk:"from"`
+	To                 types.String `tfsdk:"to"`
+	Interval           types.String `tfsdk:"interval"`
+	Meta               types.String `tfsdk:"meta"`
+	Author             types.List   `tfsdk:"author"`
+	License            types.String `tfsdk:"license"`
+	RuleNameOverride   types.String `tfsdk:"rule_name_override"`
+	TimestampOverride  types.String `tfsdk:"timestamp_override"`
+	Note               types.String `tfsdk:"note"`
+	References         types.List   `tfsdk:"references"`
+	FalsePositives     types.List   `tfsdk:"false_positives"`
+	ExceptionsList     types.List   `tfsdk:"exceptions_list"`
+	Version            types.Int64  `tfsdk:"version"`
+	MaxSignals         types.Int64  `tfsdk:"max_signals"`
+}
diff --git a/internal/kibana/security/detection_rule/read.go b/internal/kibana/security/detection_rule/read.go
@@ -0,0 +1,20 @@
+package detection_rule
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+)
+
+func (r *securityDetectionRuleResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var data SecurityDetectionRuleData
+	resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	// TODO: Implement actual API call to read security detection rule
+	// For now, just keep the current state
+	
+	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
+}
diff --git a/internal/kibana/security/detection_rule/resource.go b/internal/kibana/security/detection_rule/resource.go
@@ -0,0 +1,26 @@
+package detection_rule
+
+import (
+	"context"
+
+	"github.com/elastic/terraform-provider-elasticstack/internal/clients"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+)
+
+func NewSecurityDetectionRuleResource() resource.Resource {
+	return &securityDetectionRuleResource{}
+}
+
+type securityDetectionRuleResource struct {
+	client *clients.ApiClient
+}
+
+func (r *securityDetectionRuleResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_kibana_security_detection_rule"
+}
+
+func (r *securityDetectionRuleResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
+	client, diags := clients.ConvertProviderData(req.ProviderData)
+	resp.Diagnostics.Append(diags...)
+	r.client = client
+}
diff --git a/internal/kibana/security/detection_rule/schema.go b/internal/kibana/security/detection_rule/schema.go
@@ -0,0 +1,200 @@
+package detection_rule
+
+import (
+	"context"
+	"regexp"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/int64default"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/listdefault"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+
+	providerschema "github.com/elastic/terraform-provider-elasticstack/internal/schema"
+)
+
+func (r *securityDetectionRuleResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = GetSchema()
+}
+
+func GetSchema() schema.Schema {
+	return schema.Schema{
+		MarkdownDescription: "Creates or updates a Kibana security detection rule. See https://www.elastic.co/guide/en/security/current/rules-api-create.html",
+		Blocks: map[string]schema.Block{
+			"kibana_connection": providerschema.GetKbFWConnectionBlock(),
+		},
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				MarkdownDescription: "Internal identifier of the resource",
+				Computed:            true,
+			},
+			"space_id": schema.StringAttribute{
+				MarkdownDescription: "An identifier for the space. If space_id is not provided, the default space is used.",
+				Optional:            true,
+				Computed:            true,
+				Default:             stringdefault.StaticString("default"),
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"rule_id": schema.StringAttribute{
+				MarkdownDescription: "The identifier for the rule. If not provided, an ID is randomly generated.",
+				Optional:            true,
+				Computed:            true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"name": schema.StringAttribute{
+				MarkdownDescription: "The name of the detection rule.",
+				Required:            true,
+			},
+			"description": schema.StringAttribute{
+				MarkdownDescription: "The description of the detection rule.",
+				Required:            true,
+			},
+			"type": schema.StringAttribute{
+				MarkdownDescription: "The rule type. Valid values are: eql, query, machine_learning, threshold, threat_match, new_terms.",
+				Required:            true,
+				Validators: []validator.String{
+					stringvalidator.OneOf("eql", "query", "machine_learning", "threshold", "threat_match", "new_terms"),
+				},
+			},
+			"query": schema.StringAttribute{
+				MarkdownDescription: "The query that the rule will use to generate alerts.",
+				Optional:            true,
+			},
+			"language": schema.StringAttribute{
+				MarkdownDescription: "The query language. Valid values are: kuery, lucene, eql.",
+				Optional:            true,
+				Computed:            true,
+				Default:             stringdefault.StaticString("kuery"),
+				Validators: []validator.String{
+					stringvalidator.OneOf("kuery", "lucene", "eql"),
+				},
+			},
+			"index": schema.ListAttribute{
+				MarkdownDescription: "A list of index patterns to search.",
+				ElementType:         types.StringType,
+				Optional:            true,
+				Computed:            true,
+				Default:             listdefault.StaticValue(types.ListValueMust(types.StringType, []attr.Value{types.StringValue("*")})),
+			},
+			"severity": schema.StringAttribute{
+				MarkdownDescription: "The severity of the rule. Valid values are: low, medium, high, critical.",
+				Required:            true,
+				Validators: []validator.String{
+					stringvalidator.OneOf("low", "medium", "high", "critical"),
+				},
+			},
+			"risk": schema.Int64Attribute{
+				MarkdownDescription: "A numerical representation of the alert's severity from 1-100.",
+				Optional:            true,
+				Computed:            true,
+				Default:             int64default.StaticInt64(21),
+			},
+			"enabled": schema.BoolAttribute{
+				MarkdownDescription: "Determines whether the rule is enabled.",
+				Optional:            true,
+				Computed:            true,
+				Default:             booldefault.StaticBool(true),
+			},
+			"tags": schema.ListAttribute{
+				MarkdownDescription: "String array containing words and phrases to help categorize, filter, and search rules.",
+				ElementType:         types.StringType,
+				Optional:            true,
+				Computed:            true,
+				Default:             listdefault.StaticValue(types.ListValueMust(types.StringType, []attr.Value{})),
+			},
+			"from": schema.StringAttribute{
+				MarkdownDescription: "Time from which data is analyzed each time the rule executes, using date math syntax.",
+				Optional:            true,
+				Computed:            true,
+				Default:             stringdefault.StaticString("now-6m"),
+			},
+			"to": schema.StringAttribute{
+				MarkdownDescription: "Time to which data is analyzed each time the rule executes, using date math syntax.",
+				Optional:            true,
+				Computed:            true,
+				Default:             stringdefault.StaticString("now"),
+			},
+			"interval": schema.StringAttribute{
+				MarkdownDescription: "How often the rule executes.",
+				Optional:            true,
+				Computed:            true,
+				Default:             stringdefault.StaticString("5m"),
+				Validators: []validator.String{
+					stringvalidator.RegexMatches(regexp.MustCompile(`^\d+[smhd]$`), "must be a valid duration (e.g., '5m', '1h')"),
+				},
+			},
+			"meta": schema.StringAttribute{
+				MarkdownDescription: "Optional metadata about the rule as a JSON string.",
+				Optional:            true,
+			},
+			"author": schema.ListAttribute{
+				MarkdownDescription: "String array containing the rule's author(s).",
+				ElementType:         types.StringType,
+				Optional:            true,
+				Computed:            true,
+				Default:             listdefault.StaticValue(types.ListValueMust(types.StringType, []attr.Value{})),
+			},
+			"license": schema.StringAttribute{
+				MarkdownDescription: "The rule's license.",
+				Optional:            true,
+			},
+			"rule_name_override": schema.StringAttribute{
+				MarkdownDescription: "Sets the source field for the alert's rule name.",
+				Optional:            true,
+			},
+			"timestamp_override": schema.StringAttribute{
+				MarkdownDescription: "Sets the time field used to query indices.",
+				Optional:            true,
+			},
+			"note": schema.StringAttribute{
+				MarkdownDescription: "Notes to help investigate alerts produced by the rule.",
+				Optional:            true,
+			},
+			"references": schema.ListAttribute{
+				MarkdownDescription: "String array containing notes about or references to relevant information about the rule.",
+				ElementType:         types.StringType,
+				Optional:            true,
+				Computed:            true,
+				Default:             listdefault.StaticValue(types.ListValueMust(types.StringType, []attr.Value{})),
+			},
+			"false_positives": schema.ListAttribute{
+				MarkdownDescription: "String array describing common reasons why the rule may issue false-positive alerts.",
+				ElementType:         types.StringType,
+				Optional:            true,
+				Computed:            true,
+				Default:             listdefault.StaticValue(types.ListValueMust(types.StringType, []attr.Value{})),
+			},
+			"exceptions_list": schema.ListAttribute{
+				MarkdownDescription: "List of exceptions that prevent alerts from being generated.",
+				ElementType:         types.StringType,
+				Optional:            true,
+				Computed:            true,
+				Default:             listdefault.StaticValue(types.ListValueMust(types.StringType, []attr.Value{})),
+			},
+			"version": schema.Int64Attribute{
+				MarkdownDescription: "The rule's version number.",
+				Optional:            true,
+				Computed:            true,
+				Default:             int64default.StaticInt64(1),
+			},
+			"max_signals": schema.Int64Attribute{
+				MarkdownDescription: "Maximum number of alerts the rule can produce during a single execution.",
+				Optional:            true,
+				Computed:            true,
+				Default:             int64default.StaticInt64(100),
+			},
+		},
+	}
+}
diff --git a/internal/kibana/security/detection_rule/update.go b/internal/kibana/security/detection_rule/update.go
diff --git a/provider/plugin_framework.go b/provider/plugin_framework.go
