feat(terraform): add AD detector provisioning and lifecycle automation (#1680)

* feat(terraform): add AD detector provisioning and lifecycle automation

- add scripts/terraform/main.tf to configure OpenSearch provider and detector variables
- create detector via opensearch_anomaly_detection and output detector_id
- add local-exec start/stop hooks to make detector job handling idempotent on apply/destroy
- add scripts/terraform/README.md with prerequisites, configuration, and usage steps

Testing done:
- Verified Terraform can create and start the detector.

Signed-off-by: kaituo <kaituo@amazon.com>

* address comments

Signed-off-by: kaituo <kaituo@amazon.com>

---------

Signed-off-by: kaituo <kaituo@amazon.com>

Author: kaituo

.gitignore

@@ -15,4 +15,9 @@ out/
 .vscode
 bin/
 ._.DS_Store
-src/test/resources/job-scheduler/
+src/test/resources/job-scheduler/
+
+# Terraform local artifacts and secrets
+.terraform/
+*.tfstate*
+*.tfvars

CHANGELOG.md

@@ -10,6 +10,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 - Introduce Insights API ([1610](https://github.com/opensearch-project/anomaly-detection/pull/1610))
 
 ### Enhancements
+- feat(terraform): add AD detector provisioning and lifecycle automation ([1680](https://github.com/opensearch-project/anomaly-detection/pull/1680))
+
 ### Bug Fixes
 ### Infrastructure
 - Add integTest coverage reporting and README badge ([1679](https://github.com/opensearch-project/anomaly-detection/pull/1679))

README.md

@@ -1,6 +1,6 @@
 [![AD Test](https://github.com/opensearch-project/anomaly-detection/workflows/Build%20and%20Test%20Anomaly%20detection/badge.svg)](https://github.com/opensearch-project/anomaly-detection/actions?query=workflow%3A%22Build+and+Test+Anomaly+detection%22+branch%3A%22main%22)
-[![codecov](https://codecov.io/gh/opensearch-project/anomaly-detection/branch/main/graph/badge.svg?flag=plugin)](https://codecov.io/gh/opensearch-project/anomaly-detection)
-[![codecov integTest](https://codecov.io/gh/opensearch-project/anomaly-detection/branch/main/graph/badge.svg?flag=plugin_integtest)](https://codecov.io/gh/opensearch-project/anomaly-detection)
+[![Plugin Coverage](https://img.shields.io/codecov/c/github/opensearch-project/anomaly-detection/main?flag=plugin&label=Plugin%20coverage)](https://codecov.io/gh/opensearch-project/anomaly-detection)
+[![IntegTest Coverage](https://img.shields.io/codecov/c/github/opensearch-project/anomaly-detection/main?flag=plugin_integtest&label=IntegTest%20coverage)](https://codecov.io/gh/opensearch-project/anomaly-detection)
 [![Documentation](https://img.shields.io/badge/doc-reference-blue)](https://opensearch.org/docs/monitoring-plugins/ad/index/)
 [![Forum](https://img.shields.io/badge/chat-on%20forums-blue)](https://forum.opensearch.org/)
 ![PRs welcome!](https://img.shields.io/badge/PRs-welcome!-success)

scripts/terraform/README.md

@@ -0,0 +1,140 @@
+# OpenSearch Anomaly Detection with Terraform
+
+## Purpose
+
+This project uses Terraform to manage an OpenSearch Anomaly Detection detector and its job lifecycle.
+
+It does two things:
+
+- Creates or updates a detector via `opensearch_anomaly_detection`.
+- Automatically stops and restarts the detector job on apply (and stops it on destroy) using `null_resource` + `local-exec` calls to the OpenSearch AD APIs.
+
+## What This Configuration Creates
+
+- 1 anomaly detector with:
+  - configurable index pattern (`indices`)
+  - configurable time field (`time_field`)
+  - one feature using `max(<feature_field>)`
+  - configurable detection interval and window delay
+  - configurable result index
+- Output:
+  - `detector_id`
+
+## Prerequisites
+
+- Terraform `>= 1.5.0`
+- OpenSearch cluster reachable from your machine
+- OpenSearch Anomaly Detection plugin/API available
+- `curl` installed (used by `local-exec` provisioners)
+
+## Configuration
+
+Defaults in [`main.tf`](main.tf) target local development:
+
+- `opensearch_url = "http://localhost:9200"`
+- `opensearch_username = ""`
+- `opensearch_password = ""`
+
+You can change `opensearch_url` to your remote OpenSearch endpoint, for example `https://your-cluster.example.com:9200`.
+
+If your cluster has security enabled, prefer environment variables for credentials in production. `terraform.tfvars` and CLI flags also work, but they are less suitable for secrets.
+
+Preferred example: environment variables
+
+```bash
+export TF_VAR_opensearch_url='https://your-cluster.example.com:9200'
+export TF_VAR_opensearch_username='admin'
+export TF_VAR_opensearch_password='myStrongPassword123!'
+
+terraform plan
+```
+
+Example `terraform.tfvars`:
+
+```hcl
+opensearch_url      = "https://your-cluster.example.com:9200"
+opensearch_username = "admin"
+opensearch_password = "myStrongPassword123!"
+```
+
+Example CLI flags:
+
+```bash
+terraform plan \
+  -var='opensearch_url=https://your-cluster.example.com:9200' \
+  -var='opensearch_username=admin' \
+  -var='opensearch_password=myStrongPassword123!'
+```
+
+Avoid `-var` for passwords in production when possible, since command-line arguments can leak into shell history or CI logs.
+
+If you use `terraform.tfvars`, make sure it is excluded from version control.
+
+Important: this configuration currently stores connection settings in `null_resource` triggers so the destroy-time provisioner can stop the detector job. That means credentials may still be written to Terraform state even when provided via `TF_VAR_...` environment variables.
+
+Common detector variables:
+
+- `detector_name`
+- `indices`
+- `time_field`
+- `feature_field`
+- `detection_interval_minutes`
+- `window_delay_minutes`
+- `result_index`
+
+## How To Use
+
+1. Initialize providers:
+
+```bash
+terraform init
+```
+
+2. (Optional) Create `terraform.tfvars`:
+
+```hcl
+opensearch_url      = "http://localhost:9200"
+opensearch_username = ""
+opensearch_password = ""
+
+detector_name                = "tf-detector"
+indices                      = ["server-metrics"]
+time_field                   = "@timestamp"
+feature_field                = "deny"
+detection_interval_minutes   = 1
+window_delay_minutes         = 1
+result_index                 = "opensearch-ad-plugin-result-tf"
+```
+
+3. Review the plan:
+
+```bash
+terraform plan
+```
+
+4. Apply:
+
+```bash
+terraform apply
+```
+
+5. Get the detector ID:
+
+```bash
+terraform output detector_id
+```
+
+## Destroy
+
+To remove resources:
+
+```bash
+terraform destroy
+```
+
+The configuration attempts to stop the detector job before deletion.
+
+## Notes
+
+- `null_resource.start_detector_job` is trigger-based and re-runs when detector config or connection settings change.
+- Credentials are optional for unsecured local clusters; provide them for secured clusters.

scripts/terraform/main.tf

@@ -0,0 +1,198 @@
+terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    opensearch = {
+      source  = "opensearch-project/opensearch"
+      version = "~> 2.3.2"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2"
+    }
+  }
+}
+
+############################
+# Connection (localhost)
+############################
+variable "opensearch_url" {
+  type    = string
+  default = "http://localhost:9200"
+}
+
+# Leave these empty if your local cluster has security disabled.
+variable "opensearch_username" {
+  type    = string
+  default = "" # e.g., "admin"
+}
+
+variable "opensearch_password" {
+  type      = string
+  default   = "" # e.g., "admin" or your configured password
+  sensitive = true
+}
+
+provider "opensearch" {
+  url      = var.opensearch_url
+  username = var.opensearch_username
+  password = var.opensearch_password
+}
+
+############################
+# Detector config
+############################
+variable "detector_name" {
+  type    = string
+  default = "tf-detector"
+}
+
+variable "indices" {
+  type    = list(string)
+  default = ["server-metrics"] # <-- change to your index / pattern
+}
+
+variable "time_field" {
+  type    = string
+  default = "@timestamp" # <-- change to your time field
+}
+
+variable "feature_field" {
+  type    = string
+  default = "deny" # <-- change to your numeric field
+}
+
+variable "detection_interval_minutes" {
+  type    = number
+  default = 1
+}
+
+variable "window_delay_minutes" {
+  type    = number
+  default = 1
+}
+
+variable "result_index" {
+  type    = string
+  default = "opensearch-ad-plugin-result-tf"
+}
+
+locals {
+  detector_body = {
+    name        = var.detector_name
+    description = "Detector created by Terraform"
+    time_field  = var.time_field
+    indices     = var.indices
+
+    feature_attributes = [
+      {
+        feature_name    = "feature_1"
+        feature_enabled = true
+        aggregation_query = {
+          feature_1 = {
+            max = { field = var.feature_field }
+          }
+        }
+      }
+    ]
+
+    detection_interval = {
+      period = {
+        interval = var.detection_interval_minutes
+        unit     = "Minutes"
+      }
+    }
+
+    window_delay = {
+      period = {
+        interval = var.window_delay_minutes
+        unit     = "Minutes"
+      }
+    }
+
+    result_index = var.result_index
+  }
+
+  detector_body_json = jsonencode(local.detector_body)
+  detector_body_sha  = sha256(local.detector_body_json)
+}
+
+resource "opensearch_anomaly_detection" "detector" {
+  body = local.detector_body_json
+}
+
+############################
+# Start / stop the job
+############################
+resource "null_resource" "start_detector_job" {
+  # Re-run if the detector is recreated OR its config changes.
+  triggers = {
+    detector_id       = opensearch_anomaly_detection.detector.id
+    detector_body_sha = local.detector_body_sha
+    opensearch_url    = var.opensearch_url
+    opensearch_user   = var.opensearch_username
+    opensearch_pass   = var.opensearch_password
+  }
+
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    environment = {
+      OPENSEARCH_URL      = var.opensearch_url
+      OPENSEARCH_USERNAME = var.opensearch_username
+      OPENSEARCH_PASSWORD = var.opensearch_password
+      DETECTOR_ID         = self.triggers.detector_id
+    }
+
+    command = <<EOT
+set -eo pipefail
+
+# Make apply idempotent across re-runs/config updates:
+if [ -n "$OPENSEARCH_USERNAME" ] || [ -n "$OPENSEARCH_PASSWORD" ]; then
+  curl -sS -XPOST "$OPENSEARCH_URL/_plugins/_anomaly_detection/detectors/$DETECTOR_ID/_stop" \
+    -H 'Content-Type: application/json' \
+    --user "$OPENSEARCH_USERNAME:$OPENSEARCH_PASSWORD" >/dev/null || true
+
+  curl -sSf -XPOST "$OPENSEARCH_URL/_plugins/_anomaly_detection/detectors/$DETECTOR_ID/_start" \
+    -H 'Content-Type: application/json' \
+    --user "$OPENSEARCH_USERNAME:$OPENSEARCH_PASSWORD" >/dev/null
+else
+  curl -sS -XPOST "$OPENSEARCH_URL/_plugins/_anomaly_detection/detectors/$DETECTOR_ID/_stop" \
+    -H 'Content-Type: application/json' >/dev/null || true
+
+  curl -sSf -XPOST "$OPENSEARCH_URL/_plugins/_anomaly_detection/detectors/$DETECTOR_ID/_start" \
+    -H 'Content-Type: application/json' >/dev/null
+fi
+EOT
+  }
+
+  # Stop before the detector is deleted (destroy order is reverse of depends_on).
+  provisioner "local-exec" {
+    when        = destroy
+    interpreter = ["/bin/bash", "-c"]
+    environment = {
+      OPENSEARCH_URL      = self.triggers.opensearch_url
+      OPENSEARCH_USERNAME = self.triggers.opensearch_user
+      OPENSEARCH_PASSWORD = self.triggers.opensearch_pass
+      DETECTOR_ID         = self.triggers.detector_id
+    }
+
+    command = <<EOT
+set -eo pipefail
+
+if [ -n "$OPENSEARCH_USERNAME" ] || [ -n "$OPENSEARCH_PASSWORD" ]; then
+  curl -sS -XPOST "$OPENSEARCH_URL/_plugins/_anomaly_detection/detectors/$DETECTOR_ID/_stop" \
+    -H 'Content-Type: application/json' \
+    --user "$OPENSEARCH_USERNAME:$OPENSEARCH_PASSWORD" >/dev/null || true
+else
+  curl -sS -XPOST "$OPENSEARCH_URL/_plugins/_anomaly_detection/detectors/$DETECTOR_ID/_stop" \
+    -H 'Content-Type: application/json' >/dev/null || true
+fi
+EOT
+  }
+
+  depends_on = [opensearch_anomaly_detection.detector]
+}
+
+output "detector_id" {
+  value = opensearch_anomaly_detection.detector.id
+}