elastic · Copilot · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025 · Nov 6, 2025
diff --git a/CODING_STANDARDS.md b/CODING_STANDARDS.md
@@ -36,6 +36,7 @@ This document outlines the coding standards and conventions used in the terrafor
 - Prefer using existing util functions over longer form, duplicated code:
   - `utils.IsKnown(val)` instead of `!val.IsNull() && !val.IsUnknown()`
   - `utils.ListTypeAs` instead of `val.ElementsAs` or similar for other collection types
+- The final state for a resource should be derived from a read request following a mutative request (eg create or update). We should not use the response from a mutative request to build the final resource state.
 
 ## Schema Definitions
 

diff --git a/docs/resources/kibana_security_exception_item.md b/docs/resources/kibana_security_exception_item.md
@@ -0,0 +1,173 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "elasticstack_kibana_security_exception_item Resource - terraform-provider-elasticstack"
+subcategory: "Kibana"
+description: |-
+  Manages a Kibana Exception Item. Exception items define the specific query conditions used to prevent rules from generating alerts.
+  See the Kibana Exceptions API documentation https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api for more details.
+---
+
+# elasticstack_kibana_security_exception_item (Resource)
+
+Manages a Kibana Exception Item. Exception items define the specific query conditions used to prevent rules from generating alerts.
+
+See the [Kibana Exceptions API documentation](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api) for more details.
+
+## Example Usage
+
+### Basic exception item
+
+```terraform
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-exception-list"
+  name           = "My Exception List"
+  description    = "List of exceptions for security rules"
+  type           = "detection"
+  namespace_type = "single"
+
+  tags = ["security", "detections"]
+}
+
+resource "elasticstack_kibana_security_exception_item" "example" {
+  list_id        = elasticstack_kibana_security_exception_list.example.list_id
+  item_id        = "my-exception-item"
+  name           = "My Exception Item"
+  description    = "Exclude specific processes from alerts"
+  type           = "simple"
+  namespace_type = "single"
+
+  entries = [
+    {
+      type     = "match"
+      field    = "process.name"
+      operator = "included"
+      value    = "trusted-process"
+    }
+  ]
+
+  tags = ["trusted", "whitelisted"]
+}
+```
+
+### Complex exception item with multiple entries
+
+```terraform
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-exception-list"
+  name           = "My Exception List"
+  description    = "List of exceptions"
+  type           = "detection"
+  namespace_type = "single"
+}
+
+resource "elasticstack_kibana_security_exception_item" "complex_entry" {
+  list_id        = elasticstack_kibana_security_exception_list.example.list_id
+  item_id        = "complex-exception"
+  name           = "Complex Exception with Multiple Entries"
+  description    = "Exception with multiple conditions"
+  type           = "simple"
+  namespace_type = "single"
+
+  # Multiple entries with different operators
+  entries = [
+    {
+      type     = "match"
+      field    = "host.name"
+      operator = "included"
+      value    = "trusted-host"
+    },
+    {
+      type     = "match_any"
+      field    = "user.name"
+      operator = "excluded"
+      values   = ["admin", "root"]
+    }
+  ]
+
+  os_types = ["linux"]
+  tags     = ["complex", "multi-condition"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String) Describes the exception item.
+- `entries` (Attributes List) The exception item entries. This defines the conditions under which the exception applies. (see [below for nested schema](#nestedatt--entries))
+- `list_id` (String) The exception list's identifier that this item belongs to.
+- `name` (String) The name of the exception item.
+- `type` (String) The type of exception item. Must be `simple`.
+
+### Optional
+
+- `comments` (Attributes List) Array of comments about the exception item. (see [below for nested schema](#nestedatt--comments))
+- `expire_time` (String) The exception item's expiration date in RFC3339 format. This field is only available for regular exception items, not endpoint exceptions.
+- `item_id` (String) The exception item's human readable string identifier.
+- `meta` (String) Placeholder for metadata about the exception item as JSON string.
+- `namespace_type` (String) Determines whether the exception item is available in all Kibana spaces or just the space in which it is created. Can be `single` (default) or `agnostic`.
+- `os_types` (List of String) Array of OS types for which the exceptions apply. Valid values: `linux`, `macos`, `windows`.
+- `space_id` (String) An identifier for the space. If space_id is not provided, the default space is used.
+- `tags` (List of String) String array containing words and phrases to help categorize exception items.
+
+### Read-Only
+
+- `created_at` (String) The timestamp of when the exception item was created.
+- `created_by` (String) The user who created the exception item.
+- `id` (String) The unique identifier of the exception item (auto-generated by Kibana).
+- `tie_breaker_id` (String) Field used in search to ensure all items are sorted and returned correctly.
+- `updated_at` (String) The timestamp of when the exception item was last updated.
+- `updated_by` (String) The user who last updated the exception item.
+
+<a id="nestedatt--entries"></a>
+### Nested Schema for `entries`
+
+Required:
+
+- `field` (String) The field name. Required for all entry types.
+- `type` (String) The type of entry. Valid values: `match`, `match_any`, `list`, `exists`, `nested`, `wildcard`.
+
+Optional:
+
+- `entries` (Attributes List) Nested entries (for `nested` type). Only `match`, `match_any`, and `exists` entry types are allowed as nested entries. (see [below for nested schema](#nestedatt--entries--entries))
+- `list` (Attributes) Value list reference (for `list` type). (see [below for nested schema](#nestedatt--entries--list))
+- `operator` (String) The operator to use. Valid values: `included`, `excluded`. Note: The operator field is not supported for nested entry types and will be ignored if specified.
+- `value` (String) The value to match (for `match` and `wildcard` types).
+- `values` (List of String) Array of values to match (for `match_any` type).
+
+<a id="nestedatt--entries--entries"></a>
+### Nested Schema for `entries.entries`
+
+Required:
+
+- `field` (String) The field name.
+- `operator` (String) The operator to use. Valid values: `included`, `excluded`.
+- `type` (String) The type of nested entry. Valid values: `match`, `match_any`, `exists`.
+
+Optional:
+
+- `value` (String) The value to match (for `match` type).
+- `values` (List of String) Array of values to match (for `match_any` type).
+
+
+<a id="nestedatt--entries--list"></a>
+### Nested Schema for `entries.list`
+
+Required:
+
+- `id` (String) The value list ID.
+- `type` (String) The value list type (e.g., `keyword`, `ip`, `ip_range`).
+
+
+
+<a id="nestedatt--comments"></a>
+### Nested Schema for `comments`
+
+Required:
+
+- `comment` (String) The comment text.
+
+Read-Only:
+
+- `id` (String) The unique identifier of the comment (auto-generated by Kibana).
diff --git a/docs/resources/kibana_security_exception_list.md b/docs/resources/kibana_security_exception_list.md
@@ -0,0 +1,73 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "elasticstack_kibana_security_exception_list Resource - terraform-provider-elasticstack"
+subcategory: "Kibana"
+description: |-
+  Manages a Kibana Exception List. Exception lists are containers for exception items used to prevent security rules from generating alerts.
+  See the Kibana Exceptions API documentation https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api for more details.
+---
+
+# elasticstack_kibana_security_exception_list (Resource)
+
+Manages a Kibana Exception List. Exception lists are containers for exception items used to prevent security rules from generating alerts.
+
+See the [Kibana Exceptions API documentation](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api) for more details.
+
+## Example Usage
+
+### Basic exception list
+
+```terraform
+resource "elasticstack_kibana_security_exception_list" "example" {
+  list_id        = "my-detection-exception-list"
+  name           = "My Detection Exception List"
+  description    = "List of exceptions for security detection rules"
+  type           = "detection"
+  namespace_type = "single"
+
+  tags = ["security", "detections"]
+}
+```
+
+### Endpoint exception list with OS types
+
+```terraform
+resource "elasticstack_kibana_security_exception_list" "endpoint" {
+  list_id        = "my-endpoint-exception-list"
+  name           = "My Endpoint Exception List"
+  description    = "List of endpoint exceptions"
+  type           = "endpoint"
+  namespace_type = "agnostic"
+
+  os_types = ["linux", "windows", "macos"]
+  tags     = ["endpoint", "security"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String) Describes the exception list.
+- `list_id` (String) The exception list's human readable string identifier.
+- `name` (String) The name of the exception list.
+- `type` (String) The type of exception list. Can be one of: `detection`, `endpoint`, `endpoint_trusted_apps`, `endpoint_events`, `endpoint_host_isolation_exceptions`, `endpoint_blocklists`.
+
+### Optional
+
+- `meta` (String) Placeholder for metadata about the list container as JSON string.
+- `namespace_type` (String) Determines whether the exception list is available in all Kibana spaces or just the space in which it is created. Can be `single` (default) or `agnostic`.
+- `os_types` (List of String) Array of OS types for which the exceptions apply. Valid values: `linux`, `macos`, `windows`.
+- `space_id` (String) An identifier for the space. If space_id is not provided, the default space is used.
+- `tags` (List of String) String array containing words and phrases to help categorize exception containers.
+
+### Read-Only
+
+- `created_at` (String) The timestamp of when the exception list was created.
+- `created_by` (String) The user who created the exception list.
+- `id` (String) The unique identifier of the exception list (auto-generated by Kibana).
+- `immutable` (Boolean) Whether the exception list is immutable.
+- `tie_breaker_id` (String) Field used in search to ensure all containers are sorted and returned correctly.
+- `updated_at` (String) The timestamp of when the exception list was last updated.
+- `updated_by` (String) The user who last updated the exception list.
diff --git a/docs/resources/kibana_security_list.md b/docs/resources/kibana_security_list.md
@@ -0,0 +1,110 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "elasticstack_kibana_security_list Resource - terraform-provider-elasticstack"
+subcategory: "Kibana"
+description: |-
+  Manages Kibana security lists (also known as value lists). Security lists are used by exception items to define sets of values for matching or excluding in security rules.
+  Example Usage
+
+  resource "elasticstack_kibana_security_list" "ip_list" {
+    space_id    = "default"
+    name        = "Trusted IP Addresses"
+    description = "List of trusted IP addresses for security rules"
+    type        = "ip"
+  }
+
+  resource "elasticstack_kibana_security_list" "keyword_list" {
+    space_id    = "security"
+    list_id     = "custom-keywords"
+    name        = "Custom Keywords"
+    description = "Custom keyword list for detection rules"
+    type        = "keyword"
+  }
+
+  Notes
+  Security lists define the type of data they can contain via the type attributeOnce created, the type of a list cannot be changedLists can be referenced by exception items to create more sophisticated matching rulesThe list_id is auto-generated if not provided
+---
+
+# elasticstack_kibana_security_list (Resource)
+
+Manages Kibana security lists (also known as value lists). Security lists are used by exception items to define sets of values for matching or excluding in security rules.
+
+## Example Usage
+
+```terraform
+resource "elasticstack_kibana_security_list" "ip_list" {
+  space_id    = "default"
+  name        = "Trusted IP Addresses"
+  description = "List of trusted IP addresses for security rules"
+  type        = "ip"
+}
+
+resource "elasticstack_kibana_security_list" "keyword_list" {
+  space_id    = "security"
+  list_id     = "custom-keywords"
+  name        = "Custom Keywords"
+  description = "Custom keyword list for detection rules"
+  type        = "keyword"
+}
+```
+
+## Notes
+
+- Security lists define the type of data they can contain via the `type` attribute
+- Once created, the `type` of a list cannot be changed
+- Lists can be referenced by exception items to create more sophisticated matching rules
+- The `list_id` is auto-generated if not provided
+
+## Example Usage
+
+### IP address list
+
+```terraform
+resource "elasticstack_kibana_security_list" "ip_list" {
+  space_id    = "default"
+  name        = "Trusted IP Addresses"
+  description = "List of trusted IP addresses for security rules"
+  type        = "ip"
+}
+```
+
+### Keyword list with custom list_id
+
+```terraform
+resource "elasticstack_kibana_security_list" "keyword_list" {
+  space_id    = "security"
+  list_id     = "custom-keywords"
+  name        = "Custom Keywords"
+  description = "Custom keyword list for detection rules"
+  type        = "keyword"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `description` (String) Describes the security list.
+- `name` (String) The name of the security list.
+- `type` (String) Specifies the Elasticsearch data type of values the list contains. Valid values include: `binary`, `boolean`, `byte`, `date`, `date_nanos`, `date_range`, `double`, `double_range`, `float`, `float_range`, `geo_point`, `geo_shape`, `half_float`, `integer`, `integer_range`, `ip`, `ip_range`, `keyword`, `long`, `long_range`, `shape`, `short`, `text`.
+
+### Optional
+
+- `deserializer` (String) Determines how retrieved list item values are presented. By default, list items are presented using Handlebars expressions based on the type.
+- `id` (String) The unique identifier of the security list (auto-generated by Kibana if not specified).
+- `list_id` (String) The value list's human-readable identifier.
+- `meta` (String) Placeholder for metadata about the value list as JSON string.
+- `serializer` (String) Determines how uploaded list item values are parsed. By default, list items are parsed using named regex groups based on the type.
+- `space_id` (String) An identifier for the space. If space_id is not provided, the default space is used.
+- `version` (Number) The document version number.
+
+### Read-Only
+
+- `created_at` (String) The timestamp of when the list was created.
+- `created_by` (String) The user who created the list.
+- `immutable` (Boolean) Whether the list is immutable.
+- `tie_breaker_id` (String) Field used in search to ensure all containers are sorted and returned correctly.
+- `updated_at` (String) The timestamp of when the list was last updated.
+- `updated_by` (String) The user who last updated the list.
+- `version_id` (String) The version id, normally returned by the API when the document is retrieved.