Add security exception list resource

Author: nick-benoit

internal/kibana/security_exception_list/acc_test.go

@@ -0,0 +1,136 @@
+package security_exception_list_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/elastic/terraform-provider-elasticstack/internal/acctest"
+	"github.com/elastic/terraform-provider-elasticstack/internal/versionutils"
+	"github.com/google/uuid"
+	"github.com/hashicorp/go-version"
+	"github.com/hashicorp/terraform-plugin-testing/config"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+)
+
+var minExceptionListAPISupport = version.Must(version.NewVersion("7.9.0"))
+
+func TestAccResourceExceptionList(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() { acctest.PreCheck(t) },
+		Steps: []resource.TestStep{
+			{
+				SkipFunc:                 versionutils.CheckIfVersionIsUnsupported(minExceptionListAPISupport),
+				ProtoV6ProviderFactories: acctest.Providers,
+				ConfigDirectory:          acctest.NamedTestCaseDirectory("create"),
+				ConfigVariables: config.Variables{
+					"list_id":        config.StringVariable("test-exception-list"),
+					"name":           config.StringVariable("Test Exception List"),
+					"description":    config.StringVariable("Test exception list for acceptance tests"),
+					"type":           config.StringVariable("detection"),
+					"namespace_type": config.StringVariable("single"),
+					"tags":           config.ListVariable(config.StringVariable("test")),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "list_id", "test-exception-list"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "name", "Test Exception List"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "description", "Test exception list for acceptance tests"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "type", "detection"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "namespace_type", "single"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "tags.0", "test"),
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_exception_list.test", "id"),
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_exception_list.test", "created_at"),
+					resource.TestCheckResourceAttrSet("elasticstack_kibana_security_exception_list.test", "created_by"),
+				),
+			},
+			{
+				SkipFunc:                 versionutils.CheckIfVersionIsUnsupported(minExceptionListAPISupport),
+				ProtoV6ProviderFactories: acctest.Providers,
+				ConfigDirectory:          acctest.NamedTestCaseDirectory("update"),
+				ConfigVariables: config.Variables{
+					"list_id":        config.StringVariable("test-exception-list"),
+					"name":           config.StringVariable("Test Exception List Updated"),
+					"description":    config.StringVariable("Updated description"),
+					"type":           config.StringVariable("detection"),
+					"namespace_type": config.StringVariable("single"),
+					"tags":           config.ListVariable(config.StringVariable("test"), config.StringVariable("updated")),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "name", "Test Exception List Updated"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "description", "Updated description"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "tags.0", "test"),
+					resource.TestCheckResourceAttr("elasticstack_kibana_security_exception_list.test", "tags.1", "updated"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccResourceExceptionListWithSpace(t *testing.T) {
+	resourceName := "elasticstack_kibana_security_exception_list.test"
+	spaceResourceName := "elasticstack_kibana_space.test"
+	spaceID := fmt.Sprintf("test-space-%s", uuid.New().String()[:8])
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ProtoV6ProviderFactories: acctest.Providers,
+		Steps: []resource.TestStep{
+			{
+				SkipFunc:        versionutils.CheckIfVersionIsUnsupported(minExceptionListAPISupport),
+				ConfigDirectory: acctest.NamedTestCaseDirectory("create"),
+				ConfigVariables: config.Variables{
+					"space_id":       config.StringVariable(spaceID),
+					"list_id":        config.StringVariable("test-exception-list-space"),
+					"name":           config.StringVariable("Test Exception List in Space"),
+					"description":    config.StringVariable("Test exception list in custom space"),
+					"type":           config.StringVariable("detection"),
+					"namespace_type": config.StringVariable("single"),
+					"tags":           config.ListVariable(config.StringVariable("test"), config.StringVariable("space")),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					// Check space attributes
+					resource.TestCheckResourceAttr(spaceResourceName, "space_id", spaceID),
+					resource.TestCheckResourceAttr(spaceResourceName, "name", "Test Space for Exception Lists"),
+
+					// Check exception list attributes
+					resource.TestCheckResourceAttr(resourceName, "space_id", spaceID),
+					resource.TestCheckResourceAttr(resourceName, "list_id", "test-exception-list-space"),
+					resource.TestCheckResourceAttr(resourceName, "name", "Test Exception List in Space"),
+					resource.TestCheckResourceAttr(resourceName, "description", "Test exception list in custom space"),
+					resource.TestCheckResourceAttr(resourceName, "type", "detection"),
+					resource.TestCheckResourceAttr(resourceName, "namespace_type", "single"),
+					resource.TestCheckResourceAttr(resourceName, "tags.0", "test"),
+					resource.TestCheckResourceAttr(resourceName, "tags.1", "space"),
+					resource.TestCheckResourceAttrSet(resourceName, "id"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_at"),
+					resource.TestCheckResourceAttrSet(resourceName, "created_by"),
+				),
+			},
+			{
+				SkipFunc:        versionutils.CheckIfVersionIsUnsupported(minExceptionListAPISupport),
+				ConfigDirectory: acctest.NamedTestCaseDirectory("update"),
+				ConfigVariables: config.Variables{
+					"space_id":       config.StringVariable(spaceID),
+					"list_id":        config.StringVariable("test-exception-list-space"),
+					"name":           config.StringVariable("Test Exception List in Space Updated"),
+					"description":    config.StringVariable("Updated description in space"),
+					"type":           config.StringVariable("detection"),
+					"namespace_type": config.StringVariable("single"),
+					"tags":           config.ListVariable(config.StringVariable("test"), config.StringVariable("space"), config.StringVariable("updated")),
+				},
+				Check: resource.ComposeTestCheckFunc(
+					// Check space attributes remain the same
+					resource.TestCheckResourceAttr(spaceResourceName, "space_id", spaceID),
+					resource.TestCheckResourceAttr(spaceResourceName, "name", "Test Space for Exception Lists"),
+
+					// Check updated exception list attributes
+					resource.TestCheckResourceAttr(resourceName, "space_id", spaceID),
+					resource.TestCheckResourceAttr(resourceName, "name", "Test Exception List in Space Updated"),
+					resource.TestCheckResourceAttr(resourceName, "description", "Updated description in space"),
+					resource.TestCheckResourceAttr(resourceName, "tags.0", "test"),
+					resource.TestCheckResourceAttr(resourceName, "tags.1", "space"),
+					resource.TestCheckResourceAttr(resourceName, "tags.2", "updated"),
+				),
+			},
+		},
+	})
+}

internal/kibana/security_exception_list/create.go

@@ -0,0 +1,180 @@
+package security_exception_list
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/elastic/terraform-provider-elasticstack/generated/kbapi"
+	"github.com/elastic/terraform-provider-elasticstack/internal/clients/kibana_oapi"
+	"github.com/elastic/terraform-provider-elasticstack/internal/utils"
+	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+func (r *ExceptionListResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan ExceptionListModel
+
+	diags := req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	client, err := r.client.GetKibanaOapiClient()
+	if err != nil {
+		resp.Diagnostics.AddError("Failed to get Kibana client", err.Error())
+		return
+	}
+
+	// Build the request body
+	body := kbapi.CreateExceptionListJSONRequestBody{
+		ListId:      (*kbapi.SecurityExceptionsAPIExceptionListHumanId)(plan.ListID.ValueStringPointer()),
+		Name:        kbapi.SecurityExceptionsAPIExceptionListName(plan.Name.ValueString()),
+		Description: kbapi.SecurityExceptionsAPIExceptionListDescription(plan.Description.ValueString()),
+		Type:        kbapi.SecurityExceptionsAPIExceptionListType(plan.Type.ValueString()),
+	}
+
+	// Set optional namespace_type
+	if utils.IsKnown(plan.NamespaceType) {
+		nsType := kbapi.SecurityExceptionsAPIExceptionNamespaceType(plan.NamespaceType.ValueString())
+		body.NamespaceType = &nsType
+	}
+
+	// Set optional os_types
+	if utils.IsKnown(plan.OsTypes) && !plan.OsTypes.IsNull() {
+		var osTypes []string
+		diags := plan.OsTypes.ElementsAs(ctx, &osTypes, false)
+		resp.Diagnostics.Append(diags...)
+		if resp.Diagnostics.HasError() {
+			return
+		}
+		if len(osTypes) > 0 {
+			osTypesArray := make(kbapi.SecurityExceptionsAPIExceptionListOsTypeArray, len(osTypes))
+			for i, osType := range osTypes {
+				osTypesArray[i] = kbapi.SecurityExceptionsAPIExceptionListOsType(osType)
+			}
+			body.OsTypes = &osTypesArray
+		}
+	}
+
+	// Set optional tags
+	if utils.IsKnown(plan.Tags) && !plan.Tags.IsNull() {
+		var tags []string
+		diags := plan.Tags.ElementsAs(ctx, &tags, false)
+		resp.Diagnostics.Append(diags...)
+		if resp.Diagnostics.HasError() {
+			return
+		}
+		if len(tags) > 0 {
+			tagsArray := kbapi.SecurityExceptionsAPIExceptionListTags(tags)
+			body.Tags = &tagsArray
+		}
+	}
+
+	// Set optional meta
+	if utils.IsKnown(plan.Meta) && !plan.Meta.IsNull() {
+		var meta kbapi.SecurityExceptionsAPIExceptionListMeta
+		if err := json.Unmarshal([]byte(plan.Meta.ValueString()), &meta); err != nil {
+			resp.Diagnostics.AddError("Failed to parse meta JSON", err.Error())
+			return
+		}
+		body.Meta = &meta
+	}
+
+	// Create the exception list
+	createResp, diags := kibana_oapi.CreateExceptionList(ctx, client, plan.SpaceID.ValueString(), body)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if createResp == nil || createResp.JSON200 == nil {
+		resp.Diagnostics.AddError("Failed to create exception list", "API returned empty response")
+		return
+	}
+
+	/*
+	 * In create/update paths we typically follow the write operation with a read, and then set the state from the read.
+	 * We want to avoid a dirty plan immediately after an apply.
+	 */
+	// Read back the created resource to get the final state
+	readParams := &kbapi.ReadExceptionListParams{
+		Id: (*kbapi.SecurityExceptionsAPIExceptionListId)(&createResp.JSON200.Id),
+	}
+
+	readResp, diags := kibana_oapi.GetExceptionList(ctx, client, plan.SpaceID.ValueString(), readParams)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	if readResp == nil || readResp.JSON200 == nil {
+		resp.State.RemoveResource(ctx)
+		return
+	}
+
+	// Update state with read response
+	diags = r.updateStateFromAPIResponse(ctx, &plan, readResp.JSON200)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	diags = resp.State.Set(ctx, plan)
+	resp.Diagnostics.Append(diags...)
+}
+
+func (r *ExceptionListResource) updateStateFromAPIResponse(ctx context.Context, model *ExceptionListModel, apiResp *kbapi.SecurityExceptionsAPIExceptionList) diag.Diagnostics {
+	var diags diag.Diagnostics
+
+	model.ID = types.StringValue(string(apiResp.Id))
+	model.ListID = types.StringValue(string(apiResp.ListId))
+	model.Name = types.StringValue(string(apiResp.Name))
+	model.Description = types.StringValue(string(apiResp.Description))
+	model.Type = types.StringValue(string(apiResp.Type))
+	model.NamespaceType = types.StringValue(string(apiResp.NamespaceType))
+	model.CreatedAt = types.StringValue(apiResp.CreatedAt.Format("2006-01-02T15:04:05.000Z"))
+	model.CreatedBy = types.StringValue(apiResp.CreatedBy)
+	model.UpdatedAt = types.StringValue(apiResp.UpdatedAt.Format("2006-01-02T15:04:05.000Z"))
+	model.UpdatedBy = types.StringValue(apiResp.UpdatedBy)
+	model.Immutable = types.BoolValue(apiResp.Immutable)
+	model.TieBreakerID = types.StringValue(apiResp.TieBreakerId)
+
+	// Set optional os_types
+	if apiResp.OsTypes != nil && len(*apiResp.OsTypes) > 0 {
+		// osTypes := make([]string, len(*apiResp.OsTypes))
+		// for i, osType := range *apiResp.OsTypes {
+		// 	osTypes[i] = string(osType)
+		// }
+		// list, d := types.ListValueFrom(ctx, types.StringType, osTypes)
+		list, d := types.ListValueFrom(ctx, types.StringType, apiResp.OsTypes)
+		diags.Append(d...)
+		model.OsTypes = list
+	} else {
+		model.OsTypes = types.ListNull(types.StringType)
+	}
+
+	// Set optional tags
+	if apiResp.Tags != nil && len(*apiResp.Tags) > 0 {
+		list, d := types.ListValueFrom(ctx, types.StringType, *apiResp.Tags)
+		diags.Append(d...)
+		model.Tags = list
+	} else {
+		model.Tags = types.ListNull(types.StringType)
+	}
+
+	// Set optional meta
+	if apiResp.Meta != nil {
+		metaJSON, err := json.Marshal(apiResp.Meta)
+		if err != nil {
+			diags.AddError("Failed to serialize meta", err.Error())
+			return diags
+		}
+		model.Meta = types.StringValue(string(metaJSON))
+	} else {
+		model.Meta = types.StringNull()
+	}
+
+	return diags
+}

internal/kibana/security_exception_list/delete.go

@@ -0,0 +1,34 @@
+package security_exception_list
+
+import (
+	"context"
+
+	"github.com/elastic/terraform-provider-elasticstack/generated/kbapi"
+	"github.com/elastic/terraform-provider-elasticstack/internal/clients/kibana_oapi"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+)
+
+func (r *ExceptionListResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var state ExceptionListModel
+
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	client, err := r.client.GetKibanaOapiClient()
+	if err != nil {
+		resp.Diagnostics.AddError("Failed to get Kibana client", err.Error())
+		return
+	}
+
+	// Delete by ID
+	id := kbapi.SecurityExceptionsAPIExceptionListId(state.ID.ValueString())
+	params := &kbapi.DeleteExceptionListParams{
+		Id: &id,
+	}
+
+	diags = kibana_oapi.DeleteExceptionList(ctx, client, state.SpaceID.ValueString(), params)
+	resp.Diagnostics.Append(diags...)
+}

internal/kibana/security_exception_list/models.go

@@ -0,0 +1,24 @@
+package security_exception_list
+
+import (
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+type ExceptionListModel struct {
+	ID            types.String `tfsdk:"id"`
+	SpaceID       types.String `tfsdk:"space_id"`
+	ListID        types.String `tfsdk:"list_id"`
+	Name          types.String `tfsdk:"name"`
+	Description   types.String `tfsdk:"description"`
+	Type          types.String `tfsdk:"type"`
+	NamespaceType types.String `tfsdk:"namespace_type"`
+	OsTypes       types.List   `tfsdk:"os_types"`
+	Tags          types.List   `tfsdk:"tags"`
+	Meta          types.String `tfsdk:"meta"`
+	CreatedAt     types.String `tfsdk:"created_at"`
+	CreatedBy     types.String `tfsdk:"created_by"`
+	UpdatedAt     types.String `tfsdk:"updated_at"`
+	UpdatedBy     types.String `tfsdk:"updated_by"`
+	Immutable     types.Bool   `tfsdk:"immutable"`
+	TieBreakerID  types.String `tfsdk:"tie_breaker_id"`
+}