Merge remote-tracking branch 'origin/main' into copilot/fix-1330

* origin/main: (90 commits)
  Add resource to manage ML datafeed state (#1422)
  Extract agent policy test config (#1439)
  chore(deps): update golang:1.25.4 docker digest to e68f6a0 (#1437)
  chore(deps): update kibana-openapi-spec digest to 6a867d8 (#1435)
  chore(deps): update docker.elastic.co/kibana/kibana docker tag to v9.2.1 (#1434)
  chore(deps): update docker.elastic.co/elasticsearch/elasticsearch docker tag to v9.2.1 (#1433)
  First take at documented coding standards (#1429)
  chore(deps): update golangci/golangci-lint-action action to v9 (#1431)
  chore(deps): update golang:1.25.4 docker digest to 6ca9eb0 (#1432)
  chore(deps): update kibana-openapi-spec digest to 96ffcd7 (#1430)
  chore(deps): update kibana-openapi-spec digest to a8e3b64 (#1428)
  chore(deps): update golang docker tag to v1.25.4 (#1423)
  Update the system_user acceptance tests to utilise the config directory pattern (#1404)
  Add an issue template for covering new stack features (#1418)
  chore(deps): update golang:1.25.3 docker digest to 6d4e5e7 (#1421)
  Update provider description (#1405)
  chore(deps): update golang:1.25.3 docker digest to 0afe9b5 (#1416)
  chore(deps): update module github.com/golangci/golangci-lint to v2.6.1 (#1417)
  Added space awareness to Agent Policies (#1390)
  Fix data view color field format params not computed in Terraform state (#1414)
  ...

Author: tobio

.buildkite/hooks/pre-command

@@ -2,6 +2,11 @@
 
 set -euo pipefail
 
+if [[ "${BUILDKITE_PIPELINE_SLUG}" != "terraform-provider-elasticstack-release" ]]; then
+  echo "Skipping pre-command hook for non-release pipeline"
+  exit 0
+fi
+
 RELEASE_VAULT_PATH=kv/ci-shared/terraform-providers
 
 if [[ "$BUILDKITE_PIPELINE_SLUG" == "terraform-provider-elasticstack-release" ]]; then

.buildkite/release.yml

@@ -1,7 +1,7 @@
 steps:
   - label: Release
     agents:
-      image: "golang:1.25.1@sha256:8305f5fa8ea63c7b5bc85bd223ccc62941f852318ebfbd22f53bbd0b358c07e1"
+      image: "golang:1.25.4@sha256:e68f6a00e88586577fafa4d9cefad1349c2be70d21244321321c407474ff9bf2"
       cpu: "16"
       memory: "24G"
       ephemeralStorage: "20G"

.buildkite/scripts/update-kibana-client.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source /etc/profile.d/go.sh
+
+echo "--- Regenerating the Kibana client"
+make -C generated/kbapi all
+
+echo "--- Building the provider"
+make build
+
+echo "--- Starting Stack containers"
+make docker-fleet
+
+echo "--- Collecting docker info"
+docker ps 
+docker logs terraform-elasticstack-kb 2>&1 > kibana.log
+docker logs terraform-elasticstack-es 2>&1 > es.log
+docker logs terraform-elasticstack-fleet 2>&1 > fleet.log
+
+buildkite-agent artifact upload kibana.log
+buildkite-agent artifact upload es.log
+buildkite-agent artifact upload fleet.log
+
+echo "--- Running acceptance tests"
+ELASTICSEARCH_ENDPOINTS=http://localhost:9200 KIBANA_ENDPOINT=http://localhost:5601 ELASTICSEARCH_USERNAME=elastic ELASTICSEARCH_PASSWORD=password make testacc

.buildkite/update-kibana-client.yml

@@ -0,0 +1,8 @@
+agents:
+  provider: "gcp"
+  machineType: "n1-standard-4"
+  image: family/terraform-provider-elasticstack-ubuntu-2204
+steps:
+  - label: Regenerate Kibana client and build provider
+    command:
+      - ".buildkite/scripts/update-kibana-client.sh"

.env

@@ -0,0 +1,17 @@
+STACK_VERSION=9.1.5
+ELASTICSEARCH_CONTAINER_NAME=terraform-elasticstack-es
+ELASTICSEARCH_PASSWORD=password
+ELASTICSEARCH_PORT=9200
+ELASTICSEARCH_URL=http://localhost:${ELASTICSEARCH_PORT}
+ELASTICSEARCH_JAVA_OPTS="-Xms128m -Xmx1g"
+KIBANA_CONTAINER_NAME=terraform-elasticstack-kb
+KIBANA_SETTINGS_CONTAINER_NAME=terraform-elasticstack-kb-settings
+FLEET_SETTINGS_CONTAINER_NAME=terraform-elasticstack-fleet-settings
+KIBANA_CERTS_CONTAINER_NAME=terraform-elasticstack-kb-certs
+KIBANA_PORT=5601
+KIBANA_PASSWORD=password
+KIBANA_ENCRYPTION_KEY=GsRtLGKnnuvwVQ3lqSS5kGScdfpmgEDA
+FLEET_CONTAINER_NAME=terraform-elasticstack-fleet
+ACCEPTANCE_TESTS_CONTAINER_NAME=terraform-elasticstack-acceptance-tests
+TOKEN_ACCEPTANCE_TESTS_CONTAINER_NAME=terraform-elasticstack-token-acceptance-tests
+GOVERSION=1.25.1

.github/ISSUE_TEMPLATE/new_stack_functionality.yaml

@@ -0,0 +1,60 @@
+name: New Stack functionality
+description: Add support for new Stack functionality
+title: "[FEATURE] <title>"
+labels: ["Feature", "Stack Led"]
+body:
+- type: input
+  attributes:
+    label: Name of the resource
+    description: What is the name of the resource you are adding or extending?
+    placeholder: "e.g elasticstack_elasticsearch_ml_datafeed"
+- type: textarea
+  attributes:
+    label: Describe new functionality
+    description: A concise description of the new functionality to add. 
+    placeholder: |
+      If you're extending an existing resource:
+        * Describe any new fields, or changes to existing fields. 
+        * Reference the source code for the existing resource. 
+        * Describe any new cases that should be covered in acceptance testing.
+      e.g:
+        Add support for `query` field to the Machine Learning Datafeed resource. 
+        The code for the resource is in `internal/elasticsearch/ml/datafeed/`. 
+        Add new acceptance tests covering the new `query` field.  
+
+      If you're adding an entirely new resource:
+        * Describe the resource and its purpose.
+        * Include links to relevant API documentation.
+        * Describe where the resource code should live in the provider.
+        * Describe any cases that should be covered in acceptance testing.
+      e.g 
+        Add a new Machine Learning Datafeed resource to manage datafeeds for ML jobs. 
+        The new resource should live in `internal/elasticsearch/ml/datafeed/`. 
+        The resource will allow users to create, read, and delete ML datafeeds via the Elasticsearch API. 
+        API docs:
+          - Create: https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-ml-put-datafeed
+          - Get: https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-ml-get-datafeeds
+          - Delete: https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-ml-delete-datafeed
+        Make sure acceptance tests cover both a basic datafeed, and thoroughly cover all attributes in the resource schema, including datafeeds filtered by the `query` attribute.
+  validations:
+    required: true
+- type: input
+  attributes:
+    label: Version Introduced
+    description: What version of the Stack was this functionality introduced in?
+    placeholder: "e.g 9.2.0"
+  validations:
+    required: true
+- type: textarea
+  attributes:
+    label: Anything else?
+    placeholder: |
+      Links? References? Anything that will give us more context about the functionality you're adding!
+
+      e.g:
+        - Links to issues/PRs where this was added in Elasticsearch/Kibana etc.
+        - Links to any relevant documentation. 
+        - Describe any dependencies or relationships to other resources (e.g an ML datafeed is linked to an anomaly detection job).
+        - Describe any edge cases that should be covered in acceptance testing. 
+  validations:
+    required: false

.github/copilot-instructions.md

@@ -1,10 +1,16 @@
-You will be tasked to fix an issue from an open-source repository. This is a Go based repository hosting a Terrform provider for the elastic stack (elasticsearch and kibana) APIs. This repo currently supports both [plugin framework](https://developer.hashicorp.com/terraform/plugin/framework/getting-started/code-walkthrough) and [sdkv2](https://developer.hashicorp.com/terraform/plugin/sdkv2) resources. Unless you're told otherwise, all new resources _must_ use the plugin framework. 
+You will be writing or reviewing code for the Terraform provider for Elastic Stack (Elasticsearch, Kibana, Fleet, APM, and Logstash). This is a Go-based repository hosting the provider source. 
 
-Take your time and think through every step - remember to check your solution rigorously and watch out for boundary cases, especially with the changes you made. Your solution must be perfect. If not, continue working on it. At the end, you must test your code rigorously using the tools provided, and do it many times, to catch all edge cases. If it is not robust, iterate more and make it perfect. Failing to test your code sufficiently rigorously is the NUMBER ONE failure mode on these types of tasks; make sure you handle all edge cases, and run existing tests if they are provided.
+When writing code, you must adhere to the coding standards and conventions outlined in the [CODING_STANDARDS.md](../CODING_STANDARDS.md) document in this repository.
+
+When reviewing code, ensure that all changes comply with the coding standards and conventions specified in the [CODING_STANDARDS.md](../CODING_STANDARDS.md) document. Pay special attention to project structure, schema definitions, JSON handling, resource implementation, and testing practices.
+
+Take your time and think through every step - remember to check solutions rigorously and watch out for boundary cases, especially with the changes being made. 
+
+When writing code, your solution must be perfect. If not, continue working on it. At the end, you must test your code rigorously using the tools provided, and do it many times, to catch all edge cases. If it is not robust, iterate more and make it perfect. Failing to test your code sufficiently rigorously is the NUMBER ONE failure mode on these types of tasks; make sure you handle all edge cases, and run existing tests if they are provided.
 
 Please see [README.md](../README.md) and the [CONTRIBUTING.md](../CONTRIBUTING.md) docs before getting started.
 
-# Workflow
+# Development Workflow
 
 ## High-Level Problem Solving Strategy
 

.github/workflows/test.yml

@@ -50,7 +50,7 @@ jobs:
   test:
     name: Matrix Acceptance Test
     needs: build
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner == 'ubuntu-22.04' && 'ubuntu-22.04' || 'ubuntu-latest' }}
     env:
       ELASTIC_PASSWORD: password
       KIBANA_SYSTEM_USERNAME: kibana_system
@@ -63,14 +63,16 @@ jobs:
           xpack.security.enabled: true
           xpack.security.authc.api_key.enabled: true
           xpack.security.authc.token.enabled: true
+          xpack.ml.use_auto_machine_memory_percent: true
+          xpack.ml.max_model_memory_limit: 2g
           xpack.watcher.enabled: true
           xpack.license.self_generated.type: trial
           repositories.url.allowed_urls: https://example.com/*
           path.repo: /tmp
           ELASTIC_PASSWORD: ${{ env.ELASTIC_PASSWORD }}
         ports:
           - 9200:9200
-        options: --health-cmd="curl http://localhost:9200/_cluster/health" --health-interval=10s --health-timeout=5s --health-retries=10
+        options: --memory=2g --health-cmd="curl http://localhost:9200/_cluster/health" --health-interval=10s --health-timeout=5s --health-retries=10
       kibana:
         image: docker.elastic.co/kibana/kibana:${{ matrix.version }}
         env:
@@ -108,11 +110,6 @@ jobs:
       matrix:
         version:
           - '7.17.13'
-          - '8.0.1'
-          - '8.1.3'
-          - '8.2.3'
-          - '8.3.3'
-          - '8.4.3'
           - '8.5.3'
           - '8.6.2'
           - '8.7.1'
@@ -125,9 +122,22 @@ jobs:
           - '8.14.3'
           - '8.15.5'
           - '8.16.2'
-          - '8.17.0'
-          - '8.18.3'
-          - '9.0.3'
+          - '8.17.10'
+          - '8.18.7'
+          - '8.19.3'
+          - '9.0.7'
+          - '9.1.3'
+        include:
+          - version: '8.0.1'
+            runner: ubuntu-22.04
+          - version: '8.1.3'
+            runner: ubuntu-22.04
+          - version: '8.2.3'
+            runner: ubuntu-22.04
+          - version: '8.3.3'
+            runner: ubuntu-22.04
+          - version: '8.4.3'
+            runner: ubuntu-22.04
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6

CHANGELOG.md

@@ -1,5 +1,82 @@
 ## [Unreleased]
 
+- Fix `elasticstack_elasticsearch_snapshot_lifecycle` metadata type conversion causing terraform apply to fail ([#1409](https://github.com/elastic/terraform-provider-elasticstack/issues/1409))
+- Add new `elasticstack_elasticsearch_ml_anomaly_detection_job` resource ([#1329](https://github.com/elastic/terraform-provider-elasticstack/pull/1329))
+- Add new `elasticstack_elasticsearch_ml_datafeed` resource ([#1340](https://github.com/elastic/terraform-provider-elasticstack/pull/1340))
+- Add `space_ids` attribute to all Fleet resources to support space-aware Fleet resource management ([#1390](https://github.com/elastic/terraform-provider-elasticstack/pull/1390))
+- Add new `elasticstack_elasticsearch_ml_job_state` resource ([#1337](https://github.com/elastic/terraform-provider-elasticstack/pull/1337))
+- Add new `elasticstack_elasticsearch_ml_datafeed_state` resource ([#1422](https://github.com/elastic/terraform-provider-elasticstack/pull/1422))
+- Migrate `elasticstack_elasticsearch_security_role` resource to Terraform Plugin Framework ([#1330](https://github.com/elastic/terraform-provider-elasticstack/pull/1330))
+
+
+## [0.12.1] - 2025-10-22
+- Fix regression restricting the characters in an `elasticstack_elasticsearch_role_mapping` `name`. ([#1373](https://github.com/elastic/terraform-provider-elasticstack/pull/1373))
+- Add schema validations to require either (but not both) `index` and `data_view_id` is set for relevant Security Detection Rules ([#1381](https://github.com/elastic/terraform-provider-elasticstack/pull/1381))
+
+## [0.12.0] - 2025-10-15
+
+- Fix provider crash with `elasticstack_kibana_action_connector` when `config` or `secrets` was unset in 0.11.17 ([#1355](https://github.com/elastic/terraform-provider-elasticstack/pull/1355))
+- Added `labels` field to `elasticstack_kibana_synthetics_monitor` resource for associating key-value pairs with monitors ([#1360](https://github.com/elastic/terraform-provider-elasticstack/pull/1360))
+- Fixes provider crash with `elasticstack_kibana_slo` when using `kql_custom_indicator` with no `filter` set. ([#1354](https://github.com/elastic/terraform-provider-elasticstack/pull/1354))
+- Updates for Security Detection Rules ([#1361](https://github.com/elastic/terraform-provider-elasticstack/pull/1361)
+  - Add support for `threat` property
+  - Gracefully support `query` property not being set
+  - Add esql specific validations to reject unsupported fields `index` and `filters`
+  - Gracefully handle response action with no provided `frequency`
+  - Add validation for required `anomaly_threshold` field in anomaly detection rules
+  - Add support for `timeline_id` / `timeline_title` fields
+  - Gracefully handle `threat_query` not being provided for `threat_match` ule
+
+## [0.11.19] - 2025-10-22
+
+Version 0.11.19 is equivalent to 0.12.1. It is being released to help mitigate impact from 0.11.18 being inadvertently released ahead of schedule. This version contained a breaking change and defects related to internal refactors. While 0.11.19 still contains a breaking change from 0.11.17 it does fix defects (see details below) for any users relying on the latest 0.11.x version.
+
+- Fix regression restricting the characters in an `elasticstack_elasticsearch_role_mapping` `name`. ([#1373](https://github.com/elastic/terraform-provider-elasticstack/pull/1373))
+- Add schema validations to require either (but not both) `index` and `data_view_id` is set for relevant Security Detection Rules ([#1381](https://github.com/elastic/terraform-provider-elasticstack/pull/1381))
+- Fix provider crash with `elasticstack_kibana_action_connector` when `config` or `secrets` was unset in 0.11.17 ([#1355](https://github.com/elastic/terraform-provider-elasticstack/pull/1355))
+- Added `labels` field to `elasticstack_kibana_synthetics_monitor` resource for associating key-value pairs with monitors ([#1360](https://github.com/elastic/terraform-provider-elasticstack/pull/1360))
+- Fixes provider crash with `elasticstack_kibana_slo` when using `kql_custom_indicator` with no `filter` set. ([#1354](https://github.com/elastic/terraform-provider-elasticstack/pull/1354))
+- Updates for Security Detection Rules ([#1361](https://github.com/elastic/terraform-provider-elasticstack/pull/1361)
+  - Add support for `threat` property
+  - Gracefully support `query` property not being set
+  - Add esql specific validations to reject unsupported fields `index` and `filters`
+  - Gracefully handle response action with no provided `frequency`
+  - Add validation for required `anomaly_threshold` field in anomaly detection rules
+  - Add support for `timeline_id` / `timeline_title` fields
+  - Gracefully handle `threat_query` not being provided for `threat_match` ule
+
+## [0.11.18] - 2025-10-10
+
+### Breaking changes
+
+The `ssl` field on the `elasticstack_fleet_output` resource has been changes from a block to an attribute. This change ensures ongoing consistency within the resource schema for this resource, and aligns with Terraform best practices. 
+
+Existing `elasticstack_fleet_output` resources defining `ssl` will have to update the declaration to an attribute style. For example: 
+
+```hcl
+resource "elasticstack_fleet_output" "output" {
+  ...
+  ssl {
+    ...
+  }
+}
+```
+
+becomes 
+
+```hcl
+resource "elasticstack_fleet_output" "output" {
+  ...
+  ssl = {  # Note the equals sign here. 
+    ...
+  }
+}
+```
+
+### Changes
+
+- Create `elasticstack_kibana_security_detection_rule` resource. ([#1290](https://github.com/elastic/terraform-provider-elasticstack/pull/1290))
+- Add `elasticstack_kibana_export_saved_objects` data source ([#1293](https://github.com/elastic/terraform-provider-elasticstack/pull/1293))
 - Create `elasticstack_kibana_maintenance_window` resource. ([#1224](https://github.com/elastic/terraform-provider-elasticstack/pull/1224))
 - Add support for `solution` field in `elasticstack_kibana_space` resource and data source ([#1102](https://github.com/elastic/terraform-provider-elasticstack/issues/1102))
 - Add `slo_id` validation to `elasticstack_kibana_slo` ([#1221](https://github.com/elastic/terraform-provider-elasticstack/pull/1221))
@@ -21,7 +98,6 @@
 - Add support for `unenrollment_timeout` in `elasticstack_fleet_agent_policy` ([#1169](https://github.com/elastic/terraform-provider-elasticstack/issues/1169))
 - Handle default value for `allow_restricted_indices` in `elasticstack_elasticsearch_security_api_key` ([#1315](https://github.com/elastic/terraform-provider-elasticstack/pull/1315))
 - Fixed `nil` reference in kibana synthetics API client in case of response errors ([#1320](https://github.com/elastic/terraform-provider-elasticstack/pull/1320))
-- Migrate `elasticstack_elasticsearch_security_role` resource to Terraform Plugin Framework ([#1330](https://github.com/elastic/terraform-provider-elasticstack/pull/1330))
 
 ## [0.11.17] - 2025-07-21
 
@@ -459,7 +535,11 @@
 - Initial set of docs
 - CI integration
 
-[Unreleased]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.17...HEAD
+[Unreleased]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.12.1...HEAD
+[0.12.1]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.12.0...v0.12.1
+[0.12.0]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.18...v0.12.0
+[0.11.19]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.18...v0.11.19
+[0.11.18]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.17...v0.11.18
 [0.11.17]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.16...v0.11.17
 [0.11.16]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.15...v0.11.16
 [0.11.15]: https://github.com/elastic/terraform-provider-elasticstack/compare/v0.11.14...v0.11.15