Complete Plugin Framework role resource migration with documentation

Co-authored-by: tobio <[email protected]>

Author: Copilot

CHANGELOG.md

@@ -20,6 +20,7 @@
 - Add support for `unenrollment_timeout` in `elasticstack_fleet_agent_policy` ([#1169](https://github.com/elastic/terraform-provider-elasticstack/issues/1169))
 - Handle default value for `allow_restricted_indices` in `elasticstack_elasticsearch_security_api_key` ([#1315](https://github.com/elastic/terraform-provider-elasticstack/pull/1315))
 - Fixed `nil` reference in kibana synthetics API client in case of response errors ([#1320](https://github.com/elastic/terraform-provider-elasticstack/pull/1320))
+- Migrate `elasticstack_elasticsearch_security_role` resource to Terraform Plugin Framework ([#1330](https://github.com/elastic/terraform-provider-elasticstack/pull/1330))
 
 ## [0.11.17] - 2025-07-21
 

docs/resources/elasticsearch_security_role.md

@@ -55,21 +55,21 @@ output "role" {
 
 ### Optional
 
-- `applications` (Block Set) A list of application privilege entries. (see [below for nested schema](#nestedblock--applications))
+- `applications` (Attributes Set) A list of application privilege entries. (see [below for nested schema](#nestedatt--applications))
 - `cluster` (Set of String) A list of cluster privileges. These privileges define the cluster level actions that users with this role are able to execute.
 - `description` (String) The description of the role.
-- `elasticsearch_connection` (Block List, Max: 1, Deprecated) Elasticsearch connection configuration block. This property will be removed in a future provider version. Configure the Elasticsearch connection via the provider configuration instead. (see [below for nested schema](#nestedblock--elasticsearch_connection))
+- `elasticsearch_connection` (Block List, Deprecated) Elasticsearch connection configuration block. (see [below for nested schema](#nestedblock--elasticsearch_connection))
 - `global` (String) An object defining global privileges.
-- `indices` (Block Set) A list of indices permissions entries. (see [below for nested schema](#nestedblock--indices))
+- `indices` (Attributes Set) A list of indices permissions entries. (see [below for nested schema](#nestedatt--indices))
 - `metadata` (String) Optional meta-data.
-- `remote_indices` (Block Set) A list of remote indices permissions entries. Remote indices are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model. (see [below for nested schema](#nestedblock--remote_indices))
+- `remote_indices` (Attributes Set) A list of remote indices permissions entries. Remote indices are effective for remote clusters configured with the API key based model. They have no effect for remote clusters configured with the certificate based model. (see [below for nested schema](#nestedatt--remote_indices))
 - `run_as` (Set of String) A list of users that the owners of this role can impersonate.
 
 ### Read-Only
 
 - `id` (String) Internal identifier of the resource
 
-<a id="nestedblock--applications"></a>
+<a id="nestedatt--applications"></a>
 ### Nested Schema for `applications`
 
 Required:
@@ -100,7 +100,7 @@ Optional:
 - `username` (String) Username to use for API authentication to Elasticsearch.
 
 
-<a id="nestedblock--indices"></a>
+<a id="nestedatt--indices"></a>
 ### Nested Schema for `indices`
 
 Required:
@@ -111,10 +111,10 @@ Required:
 Optional:
 
 - `allow_restricted_indices` (Boolean) Include matching restricted indices in names parameter. Usage is strongly discouraged as it can grant unrestricted operations on critical data, make the entire system unstable or leak sensitive information.
-- `field_security` (Block List, Max: 1) The document fields that the owners of the role have read access to. (see [below for nested schema](#nestedblock--indices--field_security))
+- `field_security` (Attributes List) The document fields that the owners of the role have read access to. (see [below for nested schema](#nestedatt--indices--field_security))
 - `query` (String) A search query that defines the documents the owners of the role have read access to.
 
-<a id="nestedblock--indices--field_security"></a>
+<a id="nestedatt--indices--field_security"></a>
 ### Nested Schema for `indices.field_security`
 
 Optional:
@@ -124,7 +124,7 @@ Optional:
 
 
 
-<a id="nestedblock--remote_indices"></a>
+<a id="nestedatt--remote_indices"></a>
 ### Nested Schema for `remote_indices`
 
 Required:
@@ -135,10 +135,10 @@ Required:
 
 Optional:
 
-- `field_security` (Block List, Max: 1) The document fields that the owners of the role have read access to. (see [below for nested schema](#nestedblock--remote_indices--field_security))
+- `field_security` (Attributes List) The document fields that the owners of the role have read access to. (see [below for nested schema](#nestedatt--remote_indices--field_security))
 - `query` (String) A search query that defines the documents the owners of the role have read access to.
 
-<a id="nestedblock--remote_indices--field_security"></a>
+<a id="nestedatt--remote_indices--field_security"></a>
 ### Nested Schema for `remote_indices.field_security`
 
 Optional:

internal/elasticsearch/security/role/acc_test.go

@@ -320,4 +320,4 @@ func checkResourceSecurityRoleDestroy(s *terraform.State) error {
 		}
 	}
 	return nil
-}
+}

internal/elasticsearch/security/role/create.go

@@ -12,4 +12,4 @@ func (r *roleResource) Create(ctx context.Context, req resource.CreateRequest, r
 	if resp.Diagnostics.HasError() {
 		return
 	}
-}
+}

internal/elasticsearch/security/role/delete.go

@@ -30,4 +30,4 @@ func (r *roleResource) Delete(ctx context.Context, req resource.DeleteRequest, r
 
 	sdkDiags := elasticsearch.DeleteRole(ctx, client, compId.ResourceId)
 	resp.Diagnostics.Append(diagutil.FrameworkDiagsFromSDK(sdkDiags)...)
-}
+}

internal/elasticsearch/security/role/models.go

@@ -25,11 +25,11 @@ type ApplicationData struct {
 }
 
 type IndexPermsData struct {
-	FieldSecurity           types.List `tfsdk:"field_security"`
-	Names                   types.Set  `tfsdk:"names"`
-	Privileges              types.Set  `tfsdk:"privileges"`
-	Query                   types.String `tfsdk:"query"`
-	AllowRestrictedIndices  types.Bool `tfsdk:"allow_restricted_indices"`
+	FieldSecurity          types.List   `tfsdk:"field_security"`
+	Names                  types.Set    `tfsdk:"names"`
+	Privileges             types.Set    `tfsdk:"privileges"`
+	Query                  types.String `tfsdk:"query"`
+	AllowRestrictedIndices types.Bool   `tfsdk:"allow_restricted_indices"`
 }
 
 type RemoteIndexPermsData struct {
@@ -43,4 +43,4 @@ type RemoteIndexPermsData struct {
 type FieldSecurityData struct {
 	Grant  types.Set `tfsdk:"grant"`
 	Except types.Set `tfsdk:"except"`
-}
+}

internal/elasticsearch/security/role/read.go

@@ -211,17 +211,17 @@ func (r *roleResource) Read(ctx context.Context, req resource.ReadRequest, resp
 			}
 
 			indexObj, diags := types.ObjectValue(map[string]attr.Type{
-				"field_security":            types.ListType{ElemType: types.ObjectType{AttrTypes: map[string]attr.Type{"grant": types.SetType{ElemType: types.StringType}, "except": types.SetType{ElemType: types.StringType}}}},
-				"names":                     types.SetType{ElemType: types.StringType},
-				"privileges":                types.SetType{ElemType: types.StringType},
-				"query":                     types.StringType,
-				"allow_restricted_indices":  types.BoolType,
+				"field_security":           types.ListType{ElemType: types.ObjectType{AttrTypes: map[string]attr.Type{"grant": types.SetType{ElemType: types.StringType}, "except": types.SetType{ElemType: types.StringType}}}},
+				"names":                    types.SetType{ElemType: types.StringType},
+				"privileges":               types.SetType{ElemType: types.StringType},
+				"query":                    types.StringType,
+				"allow_restricted_indices": types.BoolType,
 			}, map[string]attr.Value{
-				"field_security":            fieldSecList,
-				"names":                     namesSet,
-				"privileges":                privSet,
-				"query":                     queryVal,
-				"allow_restricted_indices":  allowRestrictedVal,
+				"field_security":           fieldSecList,
+				"names":                    namesSet,
+				"privileges":               privSet,
+				"query":                    queryVal,
+				"allow_restricted_indices": allowRestrictedVal,
 			})
 			resp.Diagnostics.Append(diags...)
 			if resp.Diagnostics.HasError() {
@@ -233,11 +233,11 @@ func (r *roleResource) Read(ctx context.Context, req resource.ReadRequest, resp
 
 		indicesSet, diags := types.SetValue(types.ObjectType{
 			AttrTypes: map[string]attr.Type{
-				"field_security":            types.ListType{ElemType: types.ObjectType{AttrTypes: map[string]attr.Type{"grant": types.SetType{ElemType: types.StringType}, "except": types.SetType{ElemType: types.StringType}}}},
-				"names":                     types.SetType{ElemType: types.StringType},
-				"privileges":                types.SetType{ElemType: types.StringType},
-				"query":                     types.StringType,
-				"allow_restricted_indices":  types.BoolType,
+				"field_security":           types.ListType{ElemType: types.ObjectType{AttrTypes: map[string]attr.Type{"grant": types.SetType{ElemType: types.StringType}, "except": types.SetType{ElemType: types.StringType}}}},
+				"names":                    types.SetType{ElemType: types.StringType},
+				"privileges":               types.SetType{ElemType: types.StringType},
+				"query":                    types.StringType,
+				"allow_restricted_indices": types.BoolType,
 			},
 		}, indicesElements)
 		resp.Diagnostics.Append(diags...)
@@ -248,11 +248,11 @@ func (r *roleResource) Read(ctx context.Context, req resource.ReadRequest, resp
 	} else {
 		data.Indices = types.SetNull(types.ObjectType{
 			AttrTypes: map[string]attr.Type{
-				"field_security":            types.ListType{ElemType: types.ObjectType{AttrTypes: map[string]attr.Type{"grant": types.SetType{ElemType: types.StringType}, "except": types.SetType{ElemType: types.StringType}}}},
-				"names":                     types.SetType{ElemType: types.StringType},
-				"privileges":                types.SetType{ElemType: types.StringType},
-				"query":                     types.StringType,
-				"allow_restricted_indices":  types.BoolType,
+				"field_security":           types.ListType{ElemType: types.ObjectType{AttrTypes: map[string]attr.Type{"grant": types.SetType{ElemType: types.StringType}, "except": types.SetType{ElemType: types.StringType}}}},
+				"names":                    types.SetType{ElemType: types.StringType},
+				"privileges":               types.SetType{ElemType: types.StringType},
+				"query":                    types.StringType,
+				"allow_restricted_indices": types.BoolType,
 			},
 		})
 	}
@@ -403,4 +403,4 @@ func (r *roleResource) Read(ctx context.Context, req resource.ReadRequest, resp
 	}
 
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
-}
+}

internal/elasticsearch/security/role/resource.go

@@ -33,4 +33,4 @@ func (r *roleResource) Configure(_ context.Context, req resource.ConfigureReques
 
 func (r *roleResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
 	resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp)
-}
+}

internal/elasticsearch/security/role/schema.go

@@ -182,4 +182,4 @@ func GetSchema() schema.Schema {
 			},
 		},
 	}
-}
+}

internal/elasticsearch/security/role/update.go

@@ -293,4 +293,4 @@ func (r *roleResource) Update(ctx context.Context, req resource.UpdateRequest, r
 	if resp.Diagnostics.HasError() {
 		return
 	}
-}
+}