Add kibana role data source

docs/data-sources/kibana_security_role.md

@@ -0,0 +1,96 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "elasticstack_kibana_security_role Data Source - terraform-provider-elasticstack"
+subcategory: ""
+description: |-
+  Retrieve a specific role. See, https://www.elastic.co/guide/en/kibana/current/role-management-specific-api-get.html
+---
+
+# elasticstack_kibana_security_role (Data Source)
+
+Retrieve a specific role. See, https://www.elastic.co/guide/en/kibana/current/role-management-specific-api-get.html
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) The name for the role.
+
+### Optional
+
+- `elasticsearch_connection` (Block List, Max: 1, Deprecated) Elasticsearch connection configuration block. This property will be removed in a future provider version. Configure the Elasticsearch connection via the provider configuration instead. (see [below for nested schema](#nestedblock--elasticsearch_connection))
+- `metadata` (String) Optional meta-data.
+
+### Read-Only
+
+- `elasticsearch` (Set of Object) Elasticsearch cluster and index privileges. (see [below for nested schema](#nestedatt--elasticsearch))
+- `id` (String) The ID of this resource.
+- `kibana` (Set of Object) The list of objects that specify the Kibana privileges for the role. (see [below for nested schema](#nestedatt--kibana))
+
+<a id="nestedblock--elasticsearch_connection"></a>
+### Nested Schema for `elasticsearch_connection`
+
+Optional:
+
+- `api_key` (String, Sensitive) API Key to use for authentication to Elasticsearch
+- `ca_data` (String) PEM-encoded custom Certificate Authority certificate
+- `ca_file` (String) Path to a custom Certificate Authority certificate
+- `cert_data` (String) PEM encoded certificate for client auth
+- `cert_file` (String) Path to a file containing the PEM encoded certificate for client auth
+- `endpoints` (List of String, Sensitive) A list of endpoints where the terraform provider will point to, this must include the http(s) schema and port number.
+- `insecure` (Boolean) Disable TLS certificate validation
+- `key_data` (String, Sensitive) PEM encoded private key for client auth
+- `key_file` (String) Path to a file containing the PEM encoded private key for client auth
+- `password` (String, Sensitive) Password to use for API authentication to Elasticsearch.
+- `username` (String) Username to use for API authentication to Elasticsearch.
+
+
+<a id="nestedatt--elasticsearch"></a>
+### Nested Schema for `elasticsearch`
+
+Read-Only:
+
+- `cluster` (Set of String)
+- `indices` (Set of Object) (see [below for nested schema](#nestedobjatt--elasticsearch--indices))
+- `run_as` (Set of String)
+
+<a id="nestedobjatt--elasticsearch--indices"></a>
+### Nested Schema for `elasticsearch.indices`
+
+Read-Only:
+
+- `field_security` (List of Object) (see [below for nested schema](#nestedobjatt--elasticsearch--indices--field_security))
+- `names` (Set of String)
+- `privileges` (Set of String)
+- `query` (String)
+
+<a id="nestedobjatt--elasticsearch--indices--field_security"></a>
+### Nested Schema for `elasticsearch.indices.field_security`
+
+Read-Only:
+
+- `except` (Set of String)
+- `grant` (Set of String)
+
+
+
+
+<a id="nestedatt--kibana"></a>
+### Nested Schema for `kibana`
+
+Read-Only:
+
+- `base` (Set of String)
+- `feature` (Set of Object) (see [below for nested schema](#nestedobjatt--kibana--feature))
+- `spaces` (Set of String)
+
+<a id="nestedobjatt--kibana--feature"></a>
+### Nested Schema for `kibana.feature`
+
+Read-Only:
+
+- `name` (String)
+- `privileges` (Set of String)

internal/kibana/role_data_source.go

@@ -0,0 +1,180 @@
+package kibana
+
+import (
+	"context"
+
+	"github.com/elastic/terraform-provider-elasticstack/internal/clients"
+	"github.com/elastic/terraform-provider-elasticstack/internal/utils"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func DataSourceRole() *schema.Resource {
+	roleSchema := map[string]*schema.Schema{
+		"name": {
+			Description: "The name for the role.",
+			Type:        schema.TypeString,
+			Required:    true,
+		},
+		"elasticsearch": {
+			Description: "Elasticsearch cluster and index privileges.",
+			Type:        schema.TypeSet,
+			Computed:    true,
+			Elem: &schema.Resource{
+				Schema: map[string]*schema.Schema{
+					"cluster": {
+						Description: "List of the cluster privileges.",
+						Type:        schema.TypeSet,
+						Computed:    true,
+						Elem: &schema.Schema{
+							Type: schema.TypeString,
+						},
+					},
+					"indices": {
+						Description: "A list of indices permissions entries.",
+						Type:        schema.TypeSet,
+						Computed:    true,
+						Elem: &schema.Resource{
+							Schema: map[string]*schema.Schema{
+								"field_security": {
+									Description: "The document fields that the owners of the role have read access to.",
+									Type:        schema.TypeList,
+									Computed:    true,
+									Elem: &schema.Resource{
+										Schema: map[string]*schema.Schema{
+											"grant": {
+												Description: "List of the fields to grant the access to.",
+												Type:        schema.TypeSet,
+												Computed:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+											"except": {
+												Description: "List of the fields to which the grants will not be applied.",
+												Type:        schema.TypeSet,
+												Computed:    true,
+												Elem: &schema.Schema{
+													Type: schema.TypeString,
+												},
+											},
+										},
+									},
+								},
+								"query": {
+									Description: "A search query that defines the documents the owners of the role have read access to.",
+									Type:        schema.TypeString,
+									Computed:    true,
+								},
+								"names": {
+									Description: "A list of indices (or index name patterns) to which the permissions in this entry apply.",
+									Type:        schema.TypeSet,
+									Computed:    true,
+									Elem: &schema.Schema{
+										Type: schema.TypeString,
+									},
+								},
+								"privileges": {
+									Description: "The index level privileges that the owners of the role have on the specified indices.",
+									Type:        schema.TypeSet,
+									Computed:    true,
+									Elem: &schema.Schema{
+										Type: schema.TypeString,
+									},
+								},
+							},
+						},
+					},
+					"run_as": {
+						Description: "A list of usernames the owners of this role can impersonate.",
+						Type:        schema.TypeSet,
+						Computed:    true,
+						Elem: &schema.Schema{
+							Type: schema.TypeString,
+						},
+					},
+				},
+			},
+		},
+		"kibana": {
+			Description: "The list of objects that specify the Kibana privileges for the role.",
+			Type:        schema.TypeSet,
+			Computed:    true,
+			Elem: &schema.Resource{
+				Schema: map[string]*schema.Schema{
+					"base": {
+						Description: "A base privilege. When specified, the base must be [\"all\"] or [\"read\"].",
+						Type:        schema.TypeSet,
+						Computed:    true,
+						Elem: &schema.Schema{
+							Type: schema.TypeString,
+						},
+					},
+					"feature": {
+						Description: "List of privileges for specific features. When the feature privileges are specified, you are unable to use the \"base\" section.",
+						Type:        schema.TypeSet,
+						Computed:    true,
+						Elem: &schema.Resource{
+							Schema: map[string]*schema.Schema{
+								"name": {
+									Description: "Feature name.",
+									Type:        schema.TypeString,
+									Computed:    true,
+								},
+								"privileges": {
+									Description: "Feature privileges.",
+									Type:        schema.TypeSet,
+									Computed:    true,
+									Elem: &schema.Schema{
+										Type: schema.TypeString,
+									},
+								},
+							},
+						},
+					},
+					"spaces": {
+						Description: "The spaces to apply the privileges to. To grant access to all spaces, set to [\"*\"], or omit the value.",
+						Type:        schema.TypeSet,
+						Computed:    true,
+						Elem: &schema.Schema{
+							Type: schema.TypeString,
+						},
+					},
+				},
+			},
+		},
+		"metadata": {
+			Description:      "Optional meta-data.",
+			Type:             schema.TypeString,
+			Optional:         true,
+			Computed:         true,
+			ValidateFunc:     validation.StringIsJSON,
+			DiffSuppressFunc: utils.DiffJsonSuppress,
+		},
+	}
+
+	utils.AddConnectionSchema(roleSchema)
+
+	return &schema.Resource{
+		Description: "Retrieve a specific role. See, https://www.elastic.co/guide/en/kibana/current/role-management-specific-api-get.html",
+		ReadContext: dataSourceSecurityRoleRead,
+		Schema:      roleSchema,
+	}
+}
+
+func dataSourceSecurityRoleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client, diags := clients.NewApiClient(d, meta)
+	if diags.HasError() {
+		return diags
+	}
+
+	roleId := d.Get("name").(string)
+	id, diags := client.ID(ctx, roleId)
+	if diags.HasError() {
+		return diags
+	}
+	d.SetId(id.String())
+
+	return resourceRoleRead(ctx, d, meta)
+}

internal/kibana/role_data_source_test.go

@@ -0,0 +1,57 @@
+package kibana_test
+
+import (
+	"testing"
+
+	"github.com/elastic/terraform-provider-elasticstack/internal/acctest"
+	"github.com/elastic/terraform-provider-elasticstack/internal/utils"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccDataSourceKibanaSecurityRole(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ProtoV5ProviderFactories: acctest.Providers,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceSecurityRole,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.elasticstack_kibana_security_role.test", "name", "data_source_test"),
+					resource.TestCheckNoResourceAttr("data.elasticstack_kibana_security_role.test", "kibana.0.feature.#"),
+					resource.TestCheckNoResourceAttr("data.elasticstack_kibana_security_role.test", "elasticsearch.0.indices.0.field_security.#"),
+					utils.TestCheckResourceListAttr("data.elasticstack_kibana_security_role.test", "elasticsearch.0.run_as", []string{"elastic", "kibana"}),
+					utils.TestCheckResourceListAttr("data.elasticstack_kibana_security_role.test", "kibana.0.base", []string{"all"}),
+					utils.TestCheckResourceListAttr("data.elasticstack_kibana_security_role.test", "kibana.0.spaces", []string{"default"}),
+				),
+			},
+		},
+	})
+}
+
+const testAccDataSourceSecurityRole = `
+provider "elasticstack" {
+  elasticsearch {}
+  kibana {}
+}
+
+
+resource "elasticstack_kibana_security_role" "test" {
+	name    = "data_source_test"
+	elasticsearch {
+	  cluster = [ "create_snapshot" ]
+	  indices {
+		names = ["sample"]
+		privileges = ["create", "read", "write"]
+	  }
+	  run_as = ["kibana", "elastic"]
+	}
+	kibana {
+	  base = [ "all" ]
+	  spaces = ["default"]
+	}
+}
+
+data "elasticstack_kibana_security_role" "test" {
+  name = elasticstack_kibana_security_role.test.name
+}
+`

provider/provider.go

@@ -76,6 +76,8 @@ func New(version string) *schema.Provider {
 			"elasticstack_elasticsearch_snapshot_repository":                cluster.DataSourceSnapshotRespository(),
 			"elasticstack_elasticsearch_enrich_policy":                      enrich.DataSourceEnrichPolicy(),
 
+			"elasticstack_kibana_security_role": kibana.DataSourceRole(),
+
 			"elasticstack_fleet_enrollment_tokens": fleet.DataSourceEnrollmentTokens(),
 		},
 		ResourcesMap: map[string]*schema.Resource{