Kibana UI supports action filters but it is not importing in Terraform

[ASH895-N]

Describe the bug
I am testing for new scheduling feature (please refer to the following link because once the alert is created, this feature is no longer visible in the UI. I believe it is resolved in v8.13)

I am referring to this feature here - https://github.com/elastic/kibana/blob/7a8d328cfa0f59516124a760710d0d5831680abf/x-pack/plugins/alerting/docs/openapi/components/schemas/actions.yaml#L14-L65

"alerts_filter": {
                "timeframe": {
                    "days": [
                        7,
                        1,
                        2,
                        3,
                        4,
                        5,
                        6
                    ],
                    "timezone": "Europe/Berlin",
                    "hours": {
                        "start": "09:30",
                        "end": "10:30"
                    }
                }
            }

I see that this is not supported by Terraform provider yet. When I try to import the alert rule, we can see that Terraform GET API call receives the correct configuration - from Debug message:

2024-03-20T10:25:55.664+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: 2024/03/20 10:25:55 
2024-03-20T10:25:55.664+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: GET /s/default/api/alerting/rule/634fb919-6119-4987-870c-8a6c9a54a7e0 HTTP/1.1
2024-03-20T10:25:55.664+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Host: localhost:5601
2024-03-20T10:25:55.664+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: User-Agent: elasticstack-terraform-provider/0.11.1
2024-03-20T10:25:55.664+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Accept: application/json
<auth>
2024-03-20T10:25:55.664+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Accept-Encoding: gzip
2024-03-20T10:25:55.664+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1
2024-03-20T10:25:55.664+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: 2024/03/20 10:25:56 
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: HTTP/1.1 200 OK
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Transfer-Encoding: chunked
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Cache-Control: private, no-cache, no-store, must-revalidate
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Connection: keep-alive
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Content-Security-Policy: script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Content-Type: application/json; charset=utf-8
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Cross-Origin-Opener-Policy: same-origin
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Date: Wed, 20 Mar 2024 09:25:56 GMT
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Kbn-License-Sig: 5ec8382f7eb97c8cd451e7acc624279c8ef2022d181ec597752f98d4be148970
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Kbn-Name: kibana-cc586cc4d-dvgwd
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Keep-Alive: timeout=120
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Permissions-Policy: camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Referrer-Policy: no-referrer-when-downgrade
2024-03-20T10:25:56.172+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: Vary: accept-encoding
2024-03-20T10:25:56.174+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: X-Content-Type-Options: nosniff
2024-03-20T10:25:56.175+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1
2024-03-20T10:25:56.175+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: 74f
2024-03-20T10:25:56.175+0100 [DEBUG] provider.terraform-provider-elasticstack_v0.11.1: {"id":"634fb919-6119-4987-870c-8a6c9a54a7e0","name":"test-frequency-2","tags":[],"enabled":true,"consumer":"stackAlerts","throttle":null,"revision":0,"running":false,"schedule":{"interval":"1m"},"params":{"searchConfiguration":{"query":{"query":"","language":"kuery"},"index":"d3d7af60-4c81-11e8-b3d7-01146121b73d"},"timeField":"timestamp","searchType":"searchSource","timeWindowSize":5,"timeWindowUnit":"m","threshold":[1000],"thresholdComparator":">","size":100,"aggType":"count","groupBy":"all","termSize":5,"excludeHitsFromPreviousRun":true},"rule_type_id":".es-query","created_by":"elastic","updated_by":"elastic","created_at":"2024-03-20T09:17:30.968Z","updated_at":"2024-03-20T09:17:30.968Z","api_key_owner":"elastic","notify_when":null,"muted_alert_ids":[],"mute_all":false,"scheduled_task_id":"634fb919-6119-4987-870c-8a6c9a54a7e0","execution_status":{"status":"ok","last_execution_date":"2024-03-20T09:25:39.442Z","last_duration":857},"actions":[{"group":"query matched","params":{"subAction":"postMessage","subActionParams":{"channelIds":["channel_ID"],"text":"Elasticsearch query rule '{{rule.name}}' is active:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}\n- Link: {{context.link}}"}},"uuid":"d19cdcde-7e37-4343-94f4-1e58a49ed688","id":"2ac6bb2b-ab0e-491b-b74f-c465a7e02388","connector_type_id":".slack_api","frequency":{"summary":false,"throttle":null,"notify_when":"onActionGroupChange"},"alerts_filter":{"timeframe":{"days":[7,1,2,3,4,5,6],"timezone":"Europe/Berlin","hours":{"start":"10:00","end":"12:00"}}}}],"last_run":{"alerts_count":{"active":0,"new":0,"recovered":0,"ignored":0},"outcome_msg":null,"outcome_order":0,"outcome":"succeeded","warning":null},"next_run":"2024-03-20T09:26:39.276Z","api_key_created_by_user":false}

Alert JSON configuration -

{
    "id": "634fb919-6119-4987-870c-8a6c9a54a7e0",
    "name": "test-frequency-2",
    "tags": [],
    "enabled": true,
    "consumer": "stackAlerts",
    ...
    "schedule": {
        "interval": "1m"
    },
    "params": {
        ...
    },
    "rule_type_id": ".es-query",
   ...
    "notify_when": null,
    ...
    },
    "actions": [
        {
            "group": "query matched",
            "params": {
                "subAction": "postMessage",
                "subActionParams": {
                    "channelIds": [
                        "channel_ID"
                    ],
                    "text": "Elasticsearch query rule '{{rule.name}}' is active:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}\n- Link: {{context.link}}"
                }
            },
            "uuid": "d19cdcde-7e37-4343-94f4-1e58a49ed688",
            "id": "2ac6bb2b-ab0e-491b-b74f-c465a7e02388",
            "connector_type_id": ".slack_api",
            "frequency": {
                "summary": false,
                "throttle": null,
                "notify_when": "onActionGroupChange"
            },
            "alerts_filter": { ---> This setting 
                "timeframe": {
                    "days": [
                        7,
                        1,
                        2,
                        3,
                        4,
                        5,
                        6
                    ],
                    "timezone": "Europe/Berlin",
                    "hours": {
                        "start": "10:00",
                        "end": "12:00"
                    }
                }
            }
        }
    ],
   ...
}

But the imported resource isn't having the setting -

# module.kibana_alert_rules["test-frequency-2.yaml"].elasticstack_kibana_alerting_rule.elasticsearch_query_rules[0]:
resource "elasticstack_kibana_alerting_rule" "elasticsearch_query_rules" {
    consumer              = "stackAlerts"
    enabled               = true
    id                    = "default/634fb919-6119-4987-870c-8a6c9a54a7e0"
    interval              = "1m"
    last_execution_date   = "2024-03-20 09:25:39.442 +0000 UTC"
    last_execution_status = "ok"
    name                  = "test-frequency-2"
    params                = jsonencode(
        {
            ...
            timeWindowUnit             = "m"
        }
    )
    rule_id               = "634fb919-6119-4987-870c-8a6c9a54a7e0"
    rule_type_id          = ".es-query"
    scheduled_task_id     = "634fb919-6119-4987-870c-8a6c9a54a7e0"
    space_id              = "default"
    tags                  = []

    actions {
        group  = "query matched"
        id     = "2ac6bb2b-ab0e-491b-b74f-c465a7e02388"
        params = jsonencode(
            {
                subAction       = "postMessage"
                subActionParams = {
                    channelIds = [
                        "channel_ID",
                    ]
                    text       = <<-EOT
                        some text
                    EOT
                }
            }
        )
    }
}

I am not sure if this issue is reported previously. And I did not find any across all issues here. Therefore, I am creating this one.

We have upgraded ELK clusters to v8.12 mainly because our alerts need to use newer features like alert filters to reduce noise from the alerts. But, we need to manage them from Terraform automation. Unfortunately, I do not see this supported as yet from my tests.

Let me know if more information is needed from my end.

Expected behavior
Please update Terraform to support new features like alert filter.

• Elasticsearch Version [e.g. 7.16.0] - 8.12.2

[cnasikas]

Fixed by elastic/kibana#186963. Starting from v0.11.7, the Rule resource now supports the rule's alert_delay property and the rule's action alerts_filter and frequency properties. You can find complete documentation on the Elastic Terraform provider documentation page.