Add Security List Data Stream Resource (#1525)

Author: nick-benoit

CHANGELOG.md

@@ -51,6 +51,12 @@ alias = [
 - Add `elasticstack_elasticsearch_alias` resource ([#1343](https://github.com/elastic/terraform-provider-elasticstack/pull/1343))
 - Add `mapping_total_fields_limit` to `elasticstack_elasticsearch_index` ([#1494](https://github.com/elastic/terraform-provider-elasticstack/pull/1494))
 - Add `elasticstack_kibana_default_data_view` resource ([#1379](https://github.com/elastic/terraform-provider-elasticstack/pull/1379))
+- Add support for [Security Exceptions](https://github.com/elastic/terraform-provider-elasticstack/issues/1332)
+  - Add `elasticstack_kibana_security_exception_item` resource ([#1496](https://github.com/elastic/terraform-provider-elasticstack/pull/1496))
+  - Add `elasticstack_kibana_security_exception_list` resource ([#1495](https://github.com/elastic/terraform-provider-elasticstack/pull/1495))
+  - Add `elasticstack_kibana_security_list` resource ([#1489](https://github.com/elastic/terraform-provider-elasticstack/pull/1489))
+  - Add `elasticstack_kibana_security_list_item` resource ([#1492](https://github.com/elastic/terraform-provider-elasticstack/pull/1492))
+  - Add `elasticstack_kibana_security_list_data_streams` resource ([#1525](https://github.com/elastic/terraform-provider-elasticstack/pull/1525))
 
 ## [0.12.2] - 2025-11-19
 - Fix `elasticstack_elasticsearch_snapshot_lifecycle` metadata type conversion causing terraform apply to fail ([#1409](https://github.com/elastic/terraform-provider-elasticstack/issues/1409))

examples/resources/elasticstack_kibana_security_list_data_streams/resource.tf

@@ -0,0 +1,8 @@
+# Create list data streams in the default space
+resource "elasticstack_kibana_security_list_data_streams" "default" {
+}
+
+# Create list data streams in a custom space
+resource "elasticstack_kibana_security_list_data_streams" "custom" {
+  space_id = "my-space"
+}

internal/clients/kibana_oapi/security_lists.go

@@ -12,15 +12,62 @@ import (
 
 // CreateListIndex creates the .lists and .items data streams for a space if they don't exist.
 // This is required before any list operations can be performed.
-func CreateListIndex(ctx context.Context, client *Client, spaceId string) diag.Diagnostics {
+// Returns true if acknowledged, and diagnostics if there was an error.
+func CreateListIndex(ctx context.Context, client *Client, spaceId string) (bool, diag.Diagnostics) {
 	resp, err := client.API.CreateListIndexWithResponse(ctx, kbapi.SpaceId(spaceId))
+	if err != nil {
+		return false, diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		if resp.JSON200 != nil {
+			return resp.JSON200.Acknowledged, nil
+		}
+		return true, nil
+	case http.StatusConflict:
+		// Data streams already exist ([docs](https://www.elastic.co/docs/api/doc/kibana/operation/operation-createlistindex#operation-createlistindex-409))
+		return true, nil
+	default:
+		return false, reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// ReadListIndex reads the status of .lists and .items data streams for a space.
+// Returns the status of list_index and list_item_index separately, and diagnostics on error.
+func ReadListIndex(ctx context.Context, client *Client, spaceId string) (listIndex bool, listItemIndex bool, diags diag.Diagnostics) {
+	resp, err := client.API.ReadListIndexWithResponse(ctx, kbapi.SpaceId(spaceId))
+	if err != nil {
+		return false, false, diagutil.FrameworkDiagFromError(err)
+	}
+
+	switch resp.StatusCode() {
+	case http.StatusOK:
+		if resp.JSON200 != nil {
+			return resp.JSON200.ListIndex, resp.JSON200.ListItemIndex, nil
+		}
+		return false, false, nil
+	case http.StatusNotFound:
+		// Data streams don't exist
+		return false, false, nil
+	default:
+		return false, false, reportUnknownError(resp.StatusCode(), resp.Body)
+	}
+}
+
+// DeleteListIndex deletes the .lists and .items data streams for a space.
+// Returns diagnostics if there was an error.
+func DeleteListIndex(ctx context.Context, client *Client, spaceId string) diag.Diagnostics {
+	resp, err := client.API.DeleteListIndexWithResponse(ctx, kbapi.SpaceId(spaceId))
 	if err != nil {
 		return diagutil.FrameworkDiagFromError(err)
 	}
 
 	switch resp.StatusCode() {
 	case http.StatusOK:
 		return nil
+	case http.StatusNotFound:
+		return nil
 	default:
 		return reportUnknownError(resp.StatusCode(), resp.Body)
 	}

internal/kibana/security_exception_item/acc_test.go

@@ -7,6 +7,7 @@ import (
 	"github.com/elastic/terraform-provider-elasticstack/internal/utils/validators"
 	"github.com/hashicorp/terraform-plugin-framework-jsontypes/jsontypes"
 	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
+	"github.com/hashicorp/terraform-plugin-framework-validators/listvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
@@ -105,6 +106,9 @@ func (r *ExceptionItemResource) Schema(_ context.Context, _ resource.SchemaReque
 			"entries": schema.ListNestedAttribute{
 				MarkdownDescription: "The exception item entries. This defines the conditions under which the exception applies.",
 				Required:            true,
+				Validators: []validator.List{
+					listvalidator.SizeAtLeast(1),
+				},
 				NestedObject: schema.NestedAttributeObject{
 					Attributes: map[string]schema.Attribute{
 						"type": schema.StringAttribute{
@@ -151,6 +155,9 @@ func (r *ExceptionItemResource) Schema(_ context.Context, _ resource.SchemaReque
 								"type": schema.StringAttribute{
 									MarkdownDescription: "The value list type (e.g., `keyword`, `ip`, `ip_range`).",
 									Required:            true,
+									Validators: []validator.String{
+										stringvalidator.OneOf("keyword", "ip", "ip_range"),
+									},
 								},
 							},
 						},

internal/kibana/security_exception_item/schema.go

@@ -0,0 +1,49 @@
+variable "list_id" {
+  description = "The exception list ID"
+  type        = string
+}
+
+variable "item_id" {
+  description = "The exception item ID"
+  type        = string
+}
+
+provider "elasticstack" {
+  elasticsearch {}
+  kibana {}
+}
+
+resource "elasticstack_kibana_security_exception_list" "test" {
+  list_id        = var.list_id
+  name           = "Test Exception List for Exists Entry"
+  description    = "Test exception list for exists entry type"
+  type           = "detection"
+  namespace_type = "single"
+}
+
+resource "elasticstack_kibana_security_exception_item" "test" {
+  list_id        = elasticstack_kibana_security_exception_list.test.list_id
+  item_id        = var.item_id
+  name           = "Test Exception Item - Exists Entry Multiple"
+  description    = "Test exception item with multiple exists entries"
+  type           = "simple"
+  namespace_type = "single"
+  entries = [
+    {
+      type     = "exists"
+      field    = "file.hash.sha256"
+      operator = "included"
+    },
+    {
+      type     = "exists"
+      field    = "process.code_signature.trusted"
+      operator = "included"
+    },
+    {
+      type     = "exists"
+      field    = "network.protocol"
+      operator = "excluded"
+    }
+  ]
+  tags = ["test", "exists", "multiple"]
+}

internal/kibana/security_exception_item/testdata/TestAccResourceExceptionItemEntryType_Exists/exists_multiple/exception_item.tf

@@ -1,3 +1,8 @@
+variable "space_id" {
+  description = "The space ID"
+  type        = string
+}
+
 variable "exception_list_id" {
   description = "The exception list ID"
   type        = string
@@ -22,31 +27,53 @@ provider "elasticstack" {
   kibana {}
 }
 
+resource "elasticstack_kibana_space" "test" {
+  space_id = var.space_id
+  name     = "Test Space for List Entry"
+}
+
+resource "elasticstack_kibana_security_list_data_streams" "test" {
+  space_id = elasticstack_kibana_space.test.space_id
+}
+
 resource "elasticstack_kibana_security_exception_list" "test" {
+  space_id       = elasticstack_kibana_space.test.space_id
   list_id        = var.exception_list_id
-  name           = "Test Exception List for List Entry"
-  description    = "Test exception list for list entry type"
+  name           = "Test Exception List for List Entry - IP"
+  description    = "Test exception list for list entry type with ip"
   type           = "detection"
   namespace_type = "single"
 }
-resource "elasticstack_kibana_security_list_item" "test-item" {
-  list_id = elasticstack_kibana_security_list.test.list_id
-  value   = var.value_list_value
-}
 
 # Create a value list to reference in the exception item
-resource "elasticstack_kibana_security_list" "test" {
+resource "elasticstack_kibana_security_list" "test-ip" {
+  space_id    = elasticstack_kibana_space.test.space_id
   list_id     = var.value_list_id
-  name        = "Test Value List"
-  description = "Test value list for list entry type"
+  name        = "Test Value List - IP"
+  description = "Test value list for list entry type with ip"
   type        = "ip"
+
+  depends_on = [elasticstack_kibana_security_list_data_streams.test]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "elasticstack_kibana_security_list_item" "test-item" {
+  space_id = elasticstack_kibana_space.test.space_id
+  list_id  = elasticstack_kibana_security_list.test-ip.list_id
+  value    = var.value_list_value
+
+  depends_on = [elasticstack_kibana_security_list_data_streams.test]
 }
 
 resource "elasticstack_kibana_security_exception_item" "test" {
+  space_id       = elasticstack_kibana_space.test.space_id
   list_id        = elasticstack_kibana_security_exception_list.test.list_id
   item_id        = var.item_id
-  name           = "Test Exception Item - List Entry"
-  description    = "Test exception item with list entry type"
+  name           = "Test Exception Item - List Entry IP"
+  description    = "Test exception item with list entry type using ip"
   type           = "simple"
   namespace_type = "single"
   entries = [
@@ -55,10 +82,10 @@ resource "elasticstack_kibana_security_exception_item" "test" {
       field    = "source.ip"
       operator = "included"
       list = {
-        id   = elasticstack_kibana_security_list.test.list_id
+        id   = elasticstack_kibana_security_list.test-ip.list_id
         type = "ip"
       }
     }
   ]
-  tags = ["test", "list"]
+  tags = ["test", "list", "ip"]
 }

internal/kibana/security_exception_item/testdata/TestAccResourceExceptionItemEntryType_List/list/exception_item.tf

@@ -0,0 +1,91 @@
+variable "space_id" {
+  description = "The space ID"
+  type        = string
+}
+
+variable "exception_list_id" {
+  description = "The exception list ID"
+  type        = string
+}
+
+variable "item_id" {
+  description = "The exception item ID"
+  type        = string
+}
+
+variable "value_list_id" {
+  description = "The value list ID"
+  type        = string
+}
+variable "value_list_value" {
+  description = "The value list value"
+  type        = string
+}
+
+provider "elasticstack" {
+  elasticsearch {}
+  kibana {}
+}
+
+resource "elasticstack_kibana_space" "test" {
+  space_id = var.space_id
+  name     = "Test Space for List Entry"
+}
+
+resource "elasticstack_kibana_security_list_data_streams" "test" {
+  space_id = elasticstack_kibana_space.test.space_id
+}
+
+resource "elasticstack_kibana_security_exception_list" "test" {
+  space_id       = elasticstack_kibana_space.test.space_id
+  list_id        = var.exception_list_id
+  name           = "Test Exception List for List Entry - IP Range"
+  description    = "Test exception list for list entry type with ip_range"
+  type           = "detection"
+  namespace_type = "single"
+}
+
+# Create a value list to reference in the exception item
+resource "elasticstack_kibana_security_list" "test-ip-range" {
+  space_id    = elasticstack_kibana_space.test.space_id
+  list_id     = var.value_list_id
+  name        = "Test Value List - IP Range"
+  description = "Test value list for list entry type with ip_range"
+  type        = "ip_range"
+
+  depends_on = [elasticstack_kibana_security_list_data_streams.test]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "elasticstack_kibana_security_list_item" "test-item" {
+  space_id = elasticstack_kibana_space.test.space_id
+  list_id  = elasticstack_kibana_security_list.test-ip-range.list_id
+  value    = var.value_list_value
+
+  depends_on = [elasticstack_kibana_security_list_data_streams.test]
+}
+
+resource "elasticstack_kibana_security_exception_item" "test" {
+  space_id       = elasticstack_kibana_space.test.space_id
+  list_id        = elasticstack_kibana_security_exception_list.test.list_id
+  item_id        = var.item_id
+  name           = "Test Exception Item - List Entry IP Range"
+  description    = "Test exception item with list entry type using ip_range"
+  type           = "simple"
+  namespace_type = "single"
+  entries = [
+    {
+      type     = "list"
+      field    = "destination.ip"
+      operator = "included"
+      list = {
+        id   = elasticstack_kibana_security_list.test-ip-range.list_id
+        type = "ip_range"
+      }
+    }
+  ]
+  tags = ["test", "list", "ip_range"]
+}