Conversation

Copilot AI commented Sep 8, 2025

This PR implements support for managing Kibana Security Detection Rules through the new elasticstack_kibana_security_detection_rule resource. This addresses the need for Infrastructure as Code management of security detection rules in Kibana.

Overview

The implementation provides a complete Terraform Plugin Framework resource that supports full CRUD operations for Kibana Security Detection Rules. The resource follows the established patterns in the provider and integrates with the existing Kibana client infrastructure using the generated API client.

Key Features

  • Comprehensive Schema: Supports all major detection rule attributes including:

    • Rule metadata (name, description, type, severity, tags)
    • Query configuration (query, language, index patterns)
    • Timing settings (interval, from/to time ranges)
    • Rule-specific settings (risk score, max signals, version)
    • Optional fields (author, license, references, false positives)
  • Multiple Rule Types: Supports all Kibana security rule types:

    • query - KQL/Lucene query-based rules
    • eql - Event Query Language rules
    • machine_learning - ML-based anomaly detection
    • threshold - Threshold-based rules
    • threat_match - Threat intelligence matching
    • new_terms - New terms detection
  • Space-Aware Operations: Properly handles Kibana spaces with composite ID management

  • Plugin Framework Implementation: Built using the modern Terraform Plugin Framework, consistent with other new resources in the provider

  • Generated API Client Integration: Uses the generated Kibana API client from /generated/kbapi for consistent and type-safe API interactions

Implementation Details

API Integration

The resource integrates with Kibana's Security Detection Rules API using the generated client:

POST /s/{space_id}/api/detection_engine/rules - Create rule
GET /s/{space_id}/api/detection_engine/rules?id={rule_id} - Read rule
PUT /s/{space_id}/api/detection_engine/rules - Update rule
DELETE /s/{space_id}/api/detection_engine/rules?id={rule_id} - Delete rule

The implementation leverages the SecurityDetectionsAPI types from the generated client for proper type safety and validation.

Example Usage

resource "elasticstack_kibana_security_detection_rule" "example" {
  name        = "Suspicious Process Activity"
  description = "Detects suspicious process execution patterns"
  type        = "query"
  query       = "process.name : (cmd.exe or powershell.exe) and user.name : admin*"
  language    = "kuery"
  severity    = "high"
  risk        = 75
  enabled     = true
  
  tags        = ["security", "windows", "process"]
  interval    = "5m"
  from        = "now-6m"
  to          = "now"
  
  author      = ["Security Team"]
  references  = ["https://attack.mitre.org/techniques/T1059/"]
}

Directory Structure

The implementation follows the established pattern for Plugin Framework resources:

internal/kibana/security/detection_rule/
├── resource.go      # Resource definition and configuration
├── schema.go        # Terraform schema definition
├── models.go        # Data structures
├── client.go        # Generated API client integration
├── create.go        # Create operation and data transformations
├── read.go          # Read operation
├── update.go        # Update operation
├── delete.go        # Delete operation
└── acc_test.go      # Comprehensive acceptance tests

Testing

The implementation includes:

  • Comprehensive acceptance tests covering Create, Read, Update, and Delete operations
  • Import state verification testing
  • Unit test compatibility (all existing tests continue to pass)
  • Proper error handling and validation
  • Code formatting and linting compliance

Documentation

Auto-generated documentation is included following the provider's documentation standards, providing comprehensive attribute descriptions and usage examples.

Fixes #1290.


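The description above lists the attributes the schema validates, the space-scoped detection-engine endpoints, and composite ID handling, but shows none of the plumbing. The following Go program is an added illustration written for this page, not code from the provider or from this PR: it models a minimal rule with constructed field names, rejects out-of-range values (risk score outside 0-100, unknown type or severity, non-duration interval) before any request is sent, and builds the `/s/{space_id}/api/detection_engine/rules` paths with the rule ID escaped rather than concatenated. The `<space_id>/<rule_id>` composite ID format is an assumption for the example; the UUID in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// DetectionRule is a constructed, minimal model of the attributes the PR
// description lists. It is not the provider's models.go type; the field
// names are assumptions made for this example.
type DetectionRule struct {
	Name        string
	Description string
	Type        string // query, eql, machine_learning, threshold, threat_match, new_terms
	Query       string
	Language    string // kuery or lucene for query rules
	Severity    string // low, medium, high, critical
	RiskScore   int    // 0-100
	Interval    string // e.g. "5m"
	From        string // date math, e.g. "now-6m"
	To          string // date math, e.g. "now"
}

// Rule types and severities the Kibana detection engine accepts.
var validTypes = map[string]bool{
	"query": true, "eql": true, "machine_learning": true,
	"threshold": true, "threat_match": true, "new_terms": true,
}
var validSeverities = map[string]bool{"low": true, "medium": true, "high": true, "critical": true}

// Validate runs plan-time checks so a malformed rule is rejected locally
// instead of by a 400 from Kibana after a POST or PUT.
func Validate(r DetectionRule) error {
	var problems []string
	if strings.TrimSpace(r.Name) == "" {
		problems = append(problems, "name must not be empty")
	}
	if strings.TrimSpace(r.Description) == "" {
		problems = append(problems, "description must not be empty")
	}
	if !validTypes[r.Type] {
		problems = append(problems, fmt.Sprintf("unsupported rule type %q", r.Type))
	}
	if !validSeverities[r.Severity] {
		problems = append(problems, fmt.Sprintf("severity %q must be low, medium, high or critical", r.Severity))
	}
	if r.RiskScore < 0 || r.RiskScore > 100 {
		problems = append(problems, fmt.Sprintf("risk score %d must be between 0 and 100", r.RiskScore))
	}
	if r.Type == "query" {
		if strings.TrimSpace(r.Query) == "" {
			problems = append(problems, "query rules require a non-empty query")
		}
		if r.Language != "kuery" && r.Language != "lucene" {
			problems = append(problems, fmt.Sprintf("query rules require language kuery or lucene, got %q", r.Language))
		}
	}
	if d, err := time.ParseDuration(r.Interval); err != nil || d <= 0 {
		problems = append(problems, fmt.Sprintf("interval %q must be a positive duration such as 5m", r.Interval))
	}
	if !strings.HasPrefix(r.From, "now") {
		problems = append(problems, fmt.Sprintf("from %q must be a date-math expression starting with now", r.From))
	}
	if !strings.HasPrefix(r.To, "now") {
		problems = append(problems, fmt.Sprintf("to %q must be a date-math expression starting with now", r.To))
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

// CompositeID joins space and rule ID as "<space_id>/<rule_id>" (assumed
// format) so a single Terraform ID carries both parts needed for import.
func CompositeID(spaceID, ruleID string) string { return spaceID + "/" + ruleID }

// ParseCompositeID is the inverse of CompositeID. Rule IDs are UUIDs and
// never contain "/", so splitting on the first separator is unambiguous.
func ParseCompositeID(id string) (spaceID, ruleID string, err error) {
	parts := strings.SplitN(id, "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("expected <space_id>/<rule_id>, got %q", id)
	}
	return parts[0], parts[1], nil
}

// RulePath builds the space-scoped detection engine path from the PR
// description. GET and DELETE carry the rule ID in the query string; POST
// and PUT send the rule in the body, so they pass an empty ruleID.
func RulePath(spaceID, ruleID string) string {
	p := "/s/" + url.PathEscape(spaceID) + "/api/detection_engine/rules"
	if ruleID == "" {
		return p
	}
	return p + "?id=" + url.QueryEscape(ruleID)
}

func main() {
	rule := DetectionRule{Name: "Suspicious Process Activity", Description: "Detects suspicious process execution patterns",
		Type: "query", Query: "process.name : (cmd.exe or powershell.exe) and user.name : admin*", Language: "kuery",
		Severity: "high", RiskScore: 75, Interval: "5m", From: "now-6m", To: "now"}
	fmt.Println("validation error:", Validate(rule))
	id := CompositeID("default", "d6a7c3b0-0000-4000-8000-000000000001") // constructed UUID
	space, ruleID, _ := ParseCompositeID(id)
	fmt.Println(RulePath(space, ruleID))
}
```

The validation mirrors the constraints the Kibana API itself enforces, so a rule that passes here is one the create and update calls will accept; escaping the IDs in `RulePath` keeps a space name or rule ID taken from configuration from rewriting the request path.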

@cla-checker-service

cla-checker-service bot commented Sep 8, 2025

❌ Author of the following commits did not sign a Contributor Agreement:
0b2e3eb, 32d0255, ccbd16d, eb0b1ad, a0d49ba, cc0b67b

Please, read and sign the above mentioned agreement if you want to contribute to this project

Copilot AI changed the title [WIP] Add Support for Kibana Security Detection rule Add Support for Kibana Security Detection Rules Sep 8, 2025
Copilot AI requested a review from nick-benoit September 8, 2025 16:02
Copilot finished work on behalf of nick-benoit September 8, 2025 16:03

…sive tests

- Replace custom HTTP client with generated kbapi client from /generated/kbapi
- Update transform_schema.go to include detection_engine/rules API endpoints
- Regenerate Kibana client with detection rules API support
- Handle proper type conversions for SecurityDetections API types
- Add UUID handling for rule IDs using github.com/google/uuid
- Expand acceptance tests to cover Create, Read, Update, and Delete operations
- Add import state verification test

Co-authored-by: nick-benoit <[email protected]>


Creates or updates a Kibana security detection rule. See https://www.elastic.co/guide/en/security/current/rules-api-create.html



Add a terraform usage example


func CreateSecurityDetectionRule(ctx context.Context, client *clients.ApiClient, spaceId string, rule *SecurityDetectionRuleRequest) (*SecurityDetectionRuleResponse, diag.Diagnostics) {
	var diags diag.Diagnostics

	kbClient, err := client.GetKibanaClient()

Use GetKibanaOapiClient instead of GetKibanaClient


@nick-benoit

@copilot please review open PR comments


@nick-benoit

@copilot Review open comments

Copilot AI commented Sep 9, 2025

@nick-benoit Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub.

You can ask me to try again later by mentioning me in a new comment.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 558a7106-2749-44f1-a7b5-d00943174ae6

Sorry for the inconvenience!

@tobio

tobio commented Sep 9, 2025

@nick-benoit do we close this one down?


Copilot AI commented Sep 9, 2025

@tobio Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub.

You can ask me to try again later by mentioning me in a new comment.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: cd42eb2a-9d40-4599-b92b-7417bbe59055

Sorry for the inconvenience!
