Merge remote-tracking branch 'origin/main' into zero-replica-index

* origin/main:
  Add support for the `alert_delay` param in the Create Rule API (#715)
  chore: prepare release v0.11.6 (#716)
  Validate that mappings are a JSON object, not just valid json (#719)
  fix: move all resources in one namespace for tcp monitor acc tests (#717)
  Bump github.com/golangci/golangci-lint from 1.59.1 to 1.60.1 in /tools (#714)
  Bump github.com/docker/docker in /tools (#718)
  Bump github.com/goreleaser/goreleaser from 1.26.1 to 1.26.2 in /tools (#642)
  Bump github.com/hashicorp/terraform-plugin-framework (#705)
  Add kibana synthetics http and tcp monitor resources (#699)
  Kibana spaces data source (#682)
  Use ephemeral github token for build. (#712)
  chore: 8.15.0 is here - lets try it out (#708)
  Update changelog for 0.11.5
  Bump version for 0.11.5 (#706)
  Bugfix SLO API: Update type for `group_by` to accept either string or array-of-strings (#701)
  Support `restriction` in `elasticstack_elasticsearch_security_api_key` (#577)
  chore: follow-up CR changes for synthetics private location resource (#697)

.buildkite/hooks/pre-command

@@ -12,5 +12,5 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "terraform-provider-elasticstack-release" ]]
   export GPG_PRIVATE_SECRET=$(scripts/retry.sh 5 vault kv get -field gpg_private ${RELEASE_VAULT_PATH})
   export GPG_PASSPHRASE_SECRET=$(scripts/retry.sh 5 vault kv get -field gpg_passphrase ${RELEASE_VAULT_PATH})
   export GPG_FINGERPRINT_SECRET=$(scripts/retry.sh 5 vault kv get -field gpg_fingerprint ${RELEASE_VAULT_PATH})
-  export GITHUB_TOKEN=$(scripts/retry.sh 5 vault kv get -field gh_personal_access_token ${RELEASE_VAULT_PATH})
+  export GITHUB_TOKEN="${VAULT_GITHUB_TOKEN}"
 fi

.github/workflows/test.yml

@@ -60,10 +60,12 @@ jobs:
         image: docker.elastic.co/elasticsearch/elasticsearch:${{ matrix.version }}
         env:
           discovery.type: single-node
-          xpack.license.self_generated.type: trial
           xpack.security.enabled: true
           xpack.security.authc.api_key.enabled: true
+          xpack.security.authc.token.enabled: true
+          xpack.security.http.ssl.enabled: false
           xpack.watcher.enabled: true
+          xpack.license.self_generated.type: trial
           repositories.url.allowed_urls: https://example.com/*
           path.repo: /tmp
           ELASTIC_PASSWORD: ${{ env.ELASTIC_PASSWORD }}
@@ -78,9 +80,10 @@ jobs:
           ELASTICSEARCH_USERNAME: ${{ env.KIBANA_SYSTEM_USERNAME }}
           ELASTICSEARCH_PASSWORD: ${{ env.KIBANA_SYSTEM_PASSWORD }}
           XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY: a7a6311933d3503b89bc2dbc36572c33a6c10925682e591bffcab6911c06786d
-          xpack.fleet.enabled: true
+#          LOGGING_ROOT_LEVEL: debug
         ports:
           - 5601:5601
+        options: --health-cmd="curl http://localhost:5601/api/status" --health-interval=10s --health-timeout=5s --health-retries=10
 
     timeout-minutes: 15
     strategy:
@@ -103,6 +106,7 @@ jobs:
           - '8.12.2'
           - '8.13.4'
           - '8.14.3'
+          - '8.15.0'
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
@@ -134,6 +138,12 @@ jobs:
           ELASTICSEARCH_USERNAME: "elastic"
           ELASTICSEARCH_PASSWORD: ${{ env.ELASTIC_PASSWORD }}
 
+      - id: force-install-synthetics
+        name: Force install synthetics
+        if: matrix.version == '8.14.3' || matrix.version == '8.15.0'
+        run: |-
+          for i in {1..5}; do curl -s -H "Authorization: ApiKey ${{ steps.get-api-key.outputs.apikey }}" --header "Content-Type: application/json" --header "kbn-xsrf: true" --request POST --data '{ "force": true }' http://localhost:5601/api/fleet/epm/packages/synthetics/1.2.2 && break || sleep 15; done
+
       - name: TF acceptance tests
         timeout-minutes: 10
         run: make testacc

CHANGELOG.md

@@ -1,12 +1,25 @@
 ## [Unreleased]
 
+- Add the `alert_delay` field to the Create Rule API ([#715](https://github.com/elastic/terraform-provider-elasticstack/pull/715))
+
+## [0.11.6] - 2024-08-20
+
+- Improve validation for index settings and mappings ([#719](https://github.com/elastic/terraform-provider-elasticstack/pull/719))
+- Add support for Kibana synthetics http and tcp monitors ([#699](https://github.com/elastic/terraform-provider-elasticstack/pull/699))
+- Add `elasticstack_kibana_spaces` data source ([#682](https://github.com/elastic/terraform-provider-elasticstack/pull/682))
+
+## [0.11.5] - 2024-08-12
+
 - Fix setting `id` for Fleet outputs and servers ([#666](https://github.com/elastic/terraform-provider-elasticstack/pull/666))
 - Fix `elasticstack_fleet_enrollment_tokens` returning empty tokens in some case ([#683](https://github.com/elastic/terraform-provider-elasticstack/pull/683))
 - Add support for Kibana synthetics private locations ([#696](https://github.com/elastic/terraform-provider-elasticstack/pull/696))
+- Support setting `restriction` in `elasticstack_elasticsearch_security_api_key` role definitions ([#577](https://github.com/elastic/terraform-provider-elasticstack/pull/577))
+- Fix type of `group_by` attribute in the `kibana_slo` resource to be compatible with versions 8.14+ ([#701](https://github.com/elastic/terraform-provider-elasticstack/pull/701))
 
 ## [0.11.4] - 2024-06-13
 
 ### Breaking changes
+
 - The `title` attribute is now required in the elasticstack_kibana_data_view resource. In practice the resource didn't work without this set, the schema now enforces it's correctly configured.
 
 ### Fixed
@@ -31,7 +44,7 @@
 
 ### Added
 
-- Added datasource for alerting connectors.  ([#607](https://github.com/elastic/terraform-provider-elasticstack/pull/607))
+- Added datasource for alerting connectors. ([#607](https://github.com/elastic/terraform-provider-elasticstack/pull/607))
 
 ## [0.11.2] - 2024-03-13
 
@@ -143,6 +156,7 @@
 - Add 'min\_\*' conditions to ILM rollover ([#250](https://github.com/elastic/terraform-provider-elasticstack/pull/250))
 - Add support for Kibana connections ([#226](https://github.com/elastic/terraform-provider-elasticstack/pull/226))
 - **[Breaking Change] Add 'deletion_protection' field to index resource** to avoid unintentional deletion. ([#167](https://github.com/elastic/terraform-provider-elasticstack/pull/167))
+
   - To delete index resource, you'll need to explicitly set `deletion_protection = false` as follows.
 
   ```terraform
@@ -177,6 +191,7 @@
 - Correctly handle empty logstash pipeline metadata in plan diffs ([#256](https://github.com/elastic/terraform-provider-elasticstack/pull/256))
 - Fix error when logging API requests in debug mode ([#259](https://github.com/elastic/terraform-provider-elasticstack/pull/259))
 - **[Breaking Change] Change `pipeline_metadata` type from schema.TypeMap to schema.TypeString**. This is to fix an error caused by updates to Logstash Pipelines outside of TF ([#278](https://github.com/elastic/terraform-provider-elasticstack/issues/278))
+
   - To use the updated `pipeline_metadata` field, you'll need to encapsulate any Terraform configuration with **jsonencode{}** as follows:
 
     ```terraform
@@ -202,6 +217,7 @@
       - run `terraform apply`
     - OR
       - reimport the resources into state using `terraform import` (<https://developer.hashicorp.com/terraform/cli/import>)
+
 - Fix order of `indices` field in SLM ([#326](https://github.com/elastic/terraform-provider-elasticstack/pull/326))
 
 ## [0.5.0] - 2022-12-07
@@ -311,7 +327,9 @@
 - Initial set of docs
 - CI integration
 
-[Unreleased]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.4...HEAD
+[Unreleased]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.6...HEAD
+[0.11.6]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.5...v0.11.6
+[0.11.5]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.4...v0.11.5
 [0.11.4]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.3...v0.11.4
 [0.11.3]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.2...v0.11.3
 [0.11.2]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.1...v0.11.2

Makefile

@@ -1,7 +1,8 @@
 .DEFAULT_GOAL = help
 SHELL := /bin/bash
 
-VERSION ?= 0.11.4
+
+VERSION ?= 0.11.6
 
 NAME = elasticstack
 BINARY = terraform-provider-${NAME}
@@ -15,14 +16,14 @@ SWAGGER_VERSION ?= 8.7
 
 GOVERSION ?= $(shell grep -e '^go' go.mod | cut -f 2 -d ' ')
 
-STACK_VERSION ?= 8.13.4
+STACK_VERSION ?= 8.15.0
 
 ELASTICSEARCH_NAME ?= terraform-elasticstack-es
 ELASTICSEARCH_ENDPOINTS ?= http://$(ELASTICSEARCH_NAME):9200
 ELASTICSEARCH_USERNAME ?= elastic
 ELASTICSEARCH_PASSWORD ?= password
 ELASTICSEARCH_NETWORK ?= elasticstack-network
-ELASTICSEARCH_MEM ?= 1024m
+ELASTICSEARCH_MEM ?= 2048m
 
 KIBANA_NAME ?= terraform-elasticstack-kb
 KIBANA_ENDPOINT ?= http://$(KIBANA_NAME):5601
@@ -131,7 +132,7 @@ docker-kibana: docker-network docker-elasticsearch set-kibana-password ## Start
 		-e ELASTICSEARCH_USERNAME=$(KIBANA_SYSTEM_USERNAME) \
 		-e ELASTICSEARCH_PASSWORD=$(KIBANA_SYSTEM_PASSWORD) \
 		-e XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY=a7a6311933d3503b89bc2dbc36572c33a6c10925682e591bffcab6911c06786d \
-		-e "logging.root.level=debug" \
+		-e LOGGING_ROOT_LEVEL=debug \
 		--name $(KIBANA_NAME) \
 		--network $(ELASTICSEARCH_NETWORK) \
 		docker.elastic.co/kibana/kibana:$(STACK_VERSION); \
@@ -156,7 +157,7 @@ docker-kibana-with-tls: docker-network docker-elasticsearch set-kibana-password
 		-e SERVER_SSL_CERTIFICATE=/certs/localhost+1.pem \
 		-e SERVER_SSL_KEY=/certs/localhost+1-key.pem \
 		-e SERVER_SSL_ENABLED=true \
-		-e "logging.root.level=debug" \
+		-e LOGGING_ROOT_LEVEL=debug \
 		--name $(KIBANA_NAME) \
 		--network $(ELASTICSEARCH_NETWORK) \
 		docker.elastic.co/kibana/kibana:$(STACK_VERSION); \
@@ -215,6 +216,7 @@ tools: $(GOBIN) ## Install useful tools for linting, docs generation and develop
 	@ cd tools && go install github.com/golangci/golangci-lint/cmd/golangci-lint
 	@ cd tools && go install github.com/goreleaser/goreleaser
 	@ cd tools && go install github.com/deepmap/oapi-codegen/v2/cmd/oapi-codegen
+	@ cd tools && go install go.uber.org/mock/mockgen
 
 .PHONY: misspell
 misspell:

docs/data-sources/kibana_spaces.md

@@ -0,0 +1,51 @@
+---
+subcategory: "Kibana"
+layout: ""
+page_title: "Elasticstack: elasticstack_kibana_spaces Data Source"
+description: |-
+  Retrieve all Kibana spaces. See https://www.elastic.co/guide/en/kibana/master/spaces-api-get-all.html
+---
+
+# Data Source: elasticstack_kibana_spaces
+
+Use this data source to retrieve and get information about all existing Kibana spaces. 
+
+## Example Usage
+
+```terraform
+provider "elasticstack" {
+  elasticsearch {}
+  kibana {}
+}
+
+data "elasticstack_kibana_spaces" "all_spaces" {
+
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `id` (String) Generated ID for the spaces.
+- `spaces` (Attributes List) The list of spaces. (see [below for nested schema](#nestedatt--spaces))
+
+<a id="nestedatt--spaces"></a>
+### Nested Schema for `spaces`
+
+Required:
+
+- `name` (String) The display name for the space.
+
+Optional:
+
+- `description` (String) The description for the space.
+- `disabled_features` (List of String) The list of disabled features for the space. To get a list of available feature IDs, use the Features API (https://www.elastic.co/guide/en/kibana/master/features-api-get.html).
+- `image_url` (String) The data-URL encoded image to display in the space avatar.
+
+Read-Only:
+
+- `color` (String) The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
+- `id` (String) Internal identifier of the resource.
+- `initials` (String) The initials shown in the space avatar. By default, the initials are automatically generated from the space name. Initials must be 1 or 2 characters.

docs/resources/elasticsearch_component_template.md

@@ -63,7 +63,7 @@ resource "elasticstack_elasticsearch_index_template" "my_template" {
 Optional:
 
 - `alias` (Block Set) Alias to add. (see [below for nested schema](#nestedblock--template--alias))
-- `mappings` (String) Mapping for fields in the index.
+- `mappings` (String) Mapping for fields in the index. Should be specified as a JSON object of field mappings. See the documentation (https://www.elastic.co/guide/en/elasticsearch/reference/current/explicit-mapping.html) for more details
 - `settings` (String) Configuration options for the index. See, https://www.elastic.co/guide/en/elasticsearch/reference/current/index-modules.html#index-modules-settings
 
 <a id="nestedblock--template--alias"></a>

docs/resources/elasticsearch_index_template.md

@@ -102,7 +102,7 @@ Optional:
 Optional:
 
 - `alias` (Block Set) Alias to add. (see [below for nested schema](#nestedblock--template--alias))
-- `mappings` (String) Mapping for fields in the index.
+- `mappings` (String) Mapping for fields in the index. Should be specified as a JSON object of field mappings. See the documentation (https://www.elastic.co/guide/en/elasticsearch/reference/current/explicit-mapping.html) for more details
 - `settings` (String) Configuration options for the index. See, https://www.elastic.co/guide/en/elasticsearch/reference/current/index-modules.html#index-modules-settings
 
 <a id="nestedblock--template--alias"></a>

docs/resources/elasticsearch_security_api_key.md

@@ -41,6 +41,37 @@ resource "elasticstack_elasticsearch_security_api_key" "api_key" {
   })
 }
 
+# restriction on a role descriptor for an API key is supported since Elastic 8.9
+resource "elasticstack_elasticsearch_security_api_key" "api_key_with_restriction" {
+  # Set the name
+  name = "My API key"
+  # Set the role descriptors
+  role_descriptors = jsonencode({
+    role-a = {
+      cluster = ["all"],
+      indices = [
+        {
+          names      = ["index-a*"],
+          privileges = ["read"]
+        }
+      ],
+      restriction = {
+        workflows = ["search_application_query"]
+      }
+    }
+  })
+
+  # Set the expiration for the API key
+  expiration = "1d"
+
+  # Set the custom metadata for this user
+  metadata = jsonencode({
+    "env"    = "testing"
+    "open"   = false
+    "number" = 49
+  })
+}
+
 output "api_key" {
   value     = elasticstack_elasticsearch_security_api_key.api_key
   sensitive = true

docs/resources/kibana_alerting_rule.md

@@ -62,6 +62,7 @@ Could not create API key - Unsupported scheme "ApiKey" for granting API Key
 ### Optional
 
 - `actions` (Block List) An action that runs under defined conditions. (see [below for nested schema](#nestedblock--actions))
+- `alert_delay` (Number) A number that indicates how many consecutive runs need to meet the rule conditions for an alert to occur.
 - `enabled` (Boolean) Indicates if you want to run the rule on an interval basis.
 - `rule_id` (String) A UUID v1 or v4 to use instead of a randomly generated ID.
 - `space_id` (String) An identifier for the space. If space_id is not provided, the default space is used.