Support .bedrock and .gen-ai connectors (#1467)

* Support .bedrock and .gen-ai connectors

* Update changelog

* Acceptance test for bedrock connector

* Makefile target for running acc tests against started docker images

* Acc tests for bedrock and genai connectors

* Change min supported version for genai connector

Author: dimuon

CHANGELOG.md

@@ -1,5 +1,7 @@
 ## [Unreleased]
 
+- Support `.bedrock` and `.gen-ai` connectors ([#1467](https://github.com/elastic/terraform-provider-elasticstack/pull/1467))
+
 ## [0.12.2] - 2025-11-19
 - Fix `elasticstack_elasticsearch_snapshot_lifecycle` metadata type conversion causing terraform apply to fail ([#1409](https://github.com/elastic/terraform-provider-elasticstack/issues/1409))
 - Add new `elasticstack_elasticsearch_ml_anomaly_detection_job` resource ([#1329](https://github.com/elastic/terraform-provider-elasticstack/pull/1329))

Makefile

@@ -46,6 +46,12 @@ build-ci: ## build the terraform provider
 .PHONY: build
 build: lint build-ci ## build the terraform provider
 
+# run acceptance tests against the docker container that has been started with `make docker-kibana` (or `make docker-elasticsearch`)
+# To run specific test (e.g. TestAccResourceActionConnector) execute `make testacc-vs-docker TESTARGS='-run ^TestAccResourceKibanaConnectorBedrock$$'`
+.PHONY: testacc-vs-docker
+testacc-vs-docker:
+	@ ELASTICSEARCH_ENDPOINTS=http://localhost:9200 KIBANA_ENDPOINT=http://localhost:5601 ELASTICSEARCH_USERNAME=$(ELASTICSEARCH_USERNAME) ELASTICSEARCH_PASSWORD=$(ELASTICSEARCH_PASSWORD) make testacc
+
 .PHONY: testacc
 testacc: ## Run acceptance tests
 	TF_ACC=1 go tool gotestsum --format testname --rerun-fails=3 --packages="-v ./..." -- -count $(ACCTEST_COUNT) -parallel $(ACCTEST_PARALLELISM) $(TESTARGS) -timeout $(ACCTEST_TIMEOUT)

docs/resources/kibana_action_connector.md

@@ -52,6 +52,44 @@ resource "elasticstack_kibana_action_connector" "slack-api-connector" {
     token = "<your-token>"
   })
 }
+
+resource "elasticstack_kibana_action_connector" "bedrock-connector" {
+  name              = "aws-bedrock"
+  connector_type_id = ".bedrock"
+  config = jsonencode({
+    apiUrl       = "https://bedrock-runtime.us-east-1.amazonaws.com"
+    defaultModel = "anthropic.claude-v2"
+  })
+  secrets = jsonencode({
+    accessKey = "<your-aws-access-key>"
+    secret    = "<your-aws-secret-key>"
+  })
+}
+
+resource "elasticstack_kibana_action_connector" "genai-openai-connector" {
+  name              = "openai"
+  connector_type_id = ".gen-ai"
+  config = jsonencode({
+    apiProvider  = "OpenAI"
+    apiUrl       = "https://api.openai.com/v1"
+    defaultModel = "gpt-4"
+  })
+  secrets = jsonencode({
+    apiKey = "<your-openai-api-key>"
+  })
+}
+
+resource "elasticstack_kibana_action_connector" "genai-azure-connector" {
+  name              = "azure-openai"
+  connector_type_id = ".gen-ai"
+  config = jsonencode({
+    apiProvider = "Azure OpenAI"
+    apiUrl      = "https://my-resource.openai.azure.com/openai/deployments/my-deployment"
+  })
+  secrets = jsonencode({
+    apiKey = "<your-azure-api-key>"
+  })
+}
 ```
 
 <!-- schema generated by tfplugindocs -->

examples/resources/elasticstack_kibana_action_connector/resource.tf

@@ -37,3 +37,41 @@ resource "elasticstack_kibana_action_connector" "slack-api-connector" {
     token = "<your-token>"
   })
 }
+
+resource "elasticstack_kibana_action_connector" "bedrock-connector" {
+  name              = "aws-bedrock"
+  connector_type_id = ".bedrock"
+  config = jsonencode({
+    apiUrl       = "https://bedrock-runtime.us-east-1.amazonaws.com"
+    defaultModel = "anthropic.claude-v2"
+  })
+  secrets = jsonencode({
+    accessKey = "<your-aws-access-key>"
+    secret    = "<your-aws-secret-key>"
+  })
+}
+
+resource "elasticstack_kibana_action_connector" "genai-openai-connector" {
+  name              = "openai"
+  connector_type_id = ".gen-ai"
+  config = jsonencode({
+    apiProvider  = "OpenAI"
+    apiUrl       = "https://api.openai.com/v1"
+    defaultModel = "gpt-4"
+  })
+  secrets = jsonencode({
+    apiKey = "<your-openai-api-key>"
+  })
+}
+
+resource "elasticstack_kibana_action_connector" "genai-azure-connector" {
+  name              = "azure-openai"
+  connector_type_id = ".gen-ai"
+  config = jsonencode({
+    apiProvider = "Azure OpenAI"
+    apiUrl      = "https://my-resource.openai.azure.com/openai/deployments/my-deployment"
+  })
+  secrets = jsonencode({
+    apiKey = "<your-azure-api-key>"
+  })
+}

internal/clients/kibana_oapi/connector.go

@@ -194,6 +194,14 @@ var connectorConfigHandlers = map[string]connectorConfigHandler{
 		defaults:        connectorConfigWithDefaultsEmail,
 		remarshalConfig: remarshalConfig[kbapi.EmailConfig],
 	},
+	".bedrock": {
+		defaults:        connectorConfigWithDefaultsBedrock,
+		remarshalConfig: remarshalConfig[kbapi.BedrockConfig],
+	},
+	".gen-ai": {
+		defaults:        connectorConfigWithDefaultsGenAi,
+		remarshalConfig: remarshalConfigGenAi,
+	},
 	".gemini": {
 		remarshalConfig: remarshalConfig[kbapi.GeminiConfig],
 	},
@@ -275,6 +283,96 @@ func remarshalConfig[T any](plan string) (string, error) {
 	return string(customJSON), nil
 }
 
+// remarshalConfigGenAi handles config for .gen-ai connectors.
+// The .gen-ai connector type has multiple possible config structures depending on the apiProvider
+// (GenaiOpenaiConfig, GenaiAzureConfig, GenaiOpenaiOtherConfig). This function unmarshals to the
+// appropriate type based on the apiProvider field. By unmarshaling to a typed struct and marshaling
+// back, unknown fields are automatically filtered out.
+func remarshalConfigGenAi(plan string) (string, error) {
+	// First, unmarshal to a map to check the apiProvider
+	var configMap map[string]interface{}
+	if err := json.Unmarshal([]byte(plan), &configMap); err != nil {
+		return "", err
+	}
+
+	apiProvider, ok := configMap["apiProvider"].(string)
+	if !ok {
+		// apiProvider is required for .gen-ai connectors
+		return "", errors.New("apiProvider is required for .gen-ai connector type")
+	}
+
+	// Unmarshal to the appropriate specific type based on apiProvider.
+	// By unmarshaling (which ignores unknown fields) and then marshaling back,
+	// we automatically filter out any fields that aren't defined in the specific config type.
+	switch apiProvider {
+	case "OpenAI":
+		return remarshalConfig[kbapi.GenaiOpenaiConfig](plan)
+	case "Azure OpenAI":
+		return remarshalConfig[kbapi.GenaiAzureConfig](plan)
+	case "Other":
+		return remarshalConfig[kbapi.GenaiOpenaiOtherConfig](plan)
+	default:
+		return "", fmt.Errorf("unsupported apiProvider %q for .gen-ai connector type, must be one of: OpenAI, Azure OpenAI, Other", apiProvider)
+	}
+}
+
+func connectorConfigWithDefaultsBedrock(plan string) (string, error) {
+	var custom kbapi.BedrockConfig
+	if err := json.Unmarshal([]byte(plan), &custom); err != nil {
+		return "", err
+	}
+	if custom.DefaultModel == nil {
+		custom.DefaultModel = utils.Pointer("us.anthropic.claude-sonnet-4-5-20250929-v1:0")
+	}
+	customJSON, err := json.Marshal(custom)
+	if err != nil {
+		return "", err
+	}
+	return string(customJSON), nil
+}
+
+func connectorConfigWithDefaultsGenAi(plan string) (string, error) {
+	// First unmarshal to check the apiProvider
+	var configMap map[string]interface{}
+	if err := json.Unmarshal([]byte(plan), &configMap); err != nil {
+		return "", err
+	}
+
+	apiProvider, ok := configMap["apiProvider"].(string)
+	if !ok {
+		// apiProvider is required for .gen-ai connectors
+		return "", errors.New("apiProvider is required for .gen-ai connector type")
+	}
+
+	// Apply defaults and filter fields based on the specific config type.
+	// By unmarshaling (which ignores unknown fields) and marshaling back,
+	// unknown fields are automatically filtered out.
+	switch apiProvider {
+	case "OpenAI":
+		// No defaults to apply for OpenAI
+		return remarshalConfig[kbapi.GenaiOpenaiConfig](plan)
+	case "Azure OpenAI":
+		// No defaults to apply for Azure
+		return remarshalConfig[kbapi.GenaiAzureConfig](plan)
+	case "Other":
+		var config kbapi.GenaiOpenaiOtherConfig
+		if err := json.Unmarshal([]byte(plan), &config); err != nil {
+			return "", err
+		}
+		// Apply verificationMode default for "Other" provider
+		if config.VerificationMode == nil {
+			config.VerificationMode = utils.Pointer(kbapi.GenaiOpenaiOtherConfigVerificationModeFull)
+		}
+		customJSON, err := json.Marshal(config)
+		if err != nil {
+			return "", err
+		}
+		return string(customJSON), nil
+	default:
+		return "", fmt.Errorf("unsupported apiProvider %q for .gen-ai connector type, must be one of: OpenAI, Azure OpenAI, Other", apiProvider)
+	}
+}
+
 func connectorConfigWithDefaultsCasesWebhook(plan string) (string, error) {
 	var custom kbapi.CasesWebhookConfig
 	if err := json.Unmarshal([]byte(plan), &custom); err != nil {

internal/clients/kibana_oapi/connector_test.go

@@ -262,3 +262,168 @@ func TestGetConnectorByName(t *testing.T) {
 	require.NotNil(t, diags)
 	require.Nil(t, fail)
 }
+
+func TestConnectorConfigWithDefaults(t *testing.T) {
+	tests := []struct {
+		name            string
+		connectorTypeID string
+		planConfig      string
+		expectedError   bool
+		errorContains   string
+		validateResult  func(t *testing.T, result string)
+	}{
+		{
+			name:            "bedrock connector with valid config and explicit defaultModel",
+			connectorTypeID: ".bedrock",
+			planConfig:      `{"apiUrl":"https://bedrock.us-east-1.amazonaws.com","defaultModel":"anthropic.claude-v2"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				expected := `{"apiUrl":"https://bedrock.us-east-1.amazonaws.com","defaultModel":"anthropic.claude-v2"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "bedrock connector without defaultModel gets default value",
+			connectorTypeID: ".bedrock",
+			planConfig:      `{"apiUrl":"https://bedrock.us-east-1.amazonaws.com"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				expected := `{"apiUrl":"https://bedrock.us-east-1.amazonaws.com","defaultModel":"us.anthropic.claude-sonnet-4-5-20250929-v1:0"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai connector with OpenAI provider with defaultModel",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"OpenAI","apiUrl":"https://api.openai.com/v1","defaultModel":"gpt-4"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				expected := `{"apiProvider":"OpenAI","apiUrl":"https://api.openai.com/v1","defaultModel":"gpt-4"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai connector with Azure provider",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"Azure OpenAI","apiUrl":"https://my-resource.openai.azure.com/openai/deployments/my-deployment"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				expected := `{"apiProvider":"Azure OpenAI","apiUrl":"https://my-resource.openai.azure.com/openai/deployments/my-deployment"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai connector with Other provider and explicit verificationMode",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"Other","apiUrl":"https://custom-llm.example.com/v1","defaultModel":"custom-model","verificationMode":"none"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				expected := `{"apiProvider":"Other","apiUrl":"https://custom-llm.example.com/v1","defaultModel":"custom-model","verificationMode":"none"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai connector with Other provider without verificationMode gets default",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"Other","apiUrl":"https://custom-llm.example.com/v1","defaultModel":"custom-model"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				expected := `{"apiProvider":"Other","apiUrl":"https://custom-llm.example.com/v1","defaultModel":"custom-model","verificationMode":"full"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai connector with OpenAI provider without defaultModel",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"OpenAI","apiUrl":"https://api.openai.com/v1"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				// Verify no verificationMode is added (that's only for Other provider)
+				expected := `{"apiProvider":"OpenAI","apiUrl":"https://api.openai.com/v1"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gemini connector with valid config",
+			connectorTypeID: ".gemini",
+			planConfig:      `{"apiUrl":"https://us-central1-aiplatform.googleapis.com","gcpProjectId":"my-project","gcpRegion":"us-central1","defaultModel":"gemini-pro"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				expected := `{"apiUrl":"https://us-central1-aiplatform.googleapis.com","gcpProjectId":"my-project","gcpRegion":"us-central1","defaultModel":"gemini-pro"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai OpenAI connector silently filters unknown fields",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"OpenAI","apiUrl":"https://api.openai.com/v1","defaultModel":"gpt-4","unknownField":"should-be-filtered"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				// Unknown field should be filtered out
+				expected := `{"apiProvider":"OpenAI","apiUrl":"https://api.openai.com/v1","defaultModel":"gpt-4"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai Azure connector silently filters invalid PKI fields",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"Azure OpenAI","apiUrl":"https://my.openai.azure.com","certificateData":"invalid-for-azure"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				// certificateData is not valid for Azure provider, should be filtered
+				expected := `{"apiProvider":"Azure OpenAI","apiUrl":"https://my.openai.azure.com"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai Other connector allows PKI fields",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"Other","apiUrl":"https://custom.com","defaultModel":"custom","certificateData":"pem-data","verificationMode":"full"}`,
+			expectedError:   false,
+			validateResult: func(t *testing.T, result string) {
+				expected := `{"apiProvider":"Other","apiUrl":"https://custom.com","defaultModel":"custom","certificateData":"pem-data","verificationMode":"full"}`
+				require.JSONEq(t, expected, result)
+			},
+		},
+		{
+			name:            "gen-ai connector without apiProvider returns error",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiUrl":"https://api.example.com"}`,
+			expectedError:   true,
+			errorContains:   "apiProvider is required",
+		},
+		{
+			name:            "gen-ai connector with unknown apiProvider returns error",
+			connectorTypeID: ".gen-ai",
+			planConfig:      `{"apiProvider":"UnknownProvider","apiUrl":"https://api.example.com"}`,
+			expectedError:   true,
+			errorContains:   "unsupported apiProvider",
+		},
+		{
+			name:            "unknown connector type returns error",
+			connectorTypeID: ".unknown-type",
+			planConfig:      `{"key":"value"}`,
+			expectedError:   true,
+			errorContains:   "unknown connector type ID",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := kibana_oapi.ConnectorConfigWithDefaults(tt.connectorTypeID, tt.planConfig)
+
+			if tt.expectedError {
+				require.Error(t, err)
+				if tt.errorContains != "" {
+					require.Contains(t, err.Error(), tt.errorContains)
+				}
+			} else {
+				require.NoError(t, err)
+				require.NotEmpty(t, result)
+				if tt.validateResult != nil {
+					tt.validateResult(t, result)
+				}
+			}
+		})
+	}
+}