This repository has been archived by the owner on Dec 14, 2021. It is now read-only.

[SCHEMA]: "elasticstack_auth_*" resources #6

Open
tsouza opened this issue Apr 29, 2021 · 0 comments

Comments

@tsouza (Owner) commented Apr 29, 2021

The `elasticstack_auth_*` resources define the following:

User

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-user.html

resource 'elasticstack_auth_user' '<name>' {
	metadata {
		# variable key/value pair
	}
	email			string
	full_name 		string
	password 		string
	password_hash 	string
	roles 			[]string 
}

Rules

Role

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html

resource 'elasticstack_auth_role' '<name>' {
	metadata {
		# variable key/value pair
	}
	cluster_privileges	[]string
	run_as_privileges	[]string
	index_privileges 	[]{
		indices		[]string
		privileges  []string
		field_privileges {
			granted_fields	[]string
			denied_fields	[]string
		}
		granted_documents_query {
			# variable key/value pair
		}
	}
	kibana_privileges 	[]{
		grant_all	{
			spaces		[]string
		}	
		grant_read	{
			spaces		[]string
		}	
		grant_custom	{
			spaces		[]string
			custom_feature_privileges []{
				features []enum
				grant	   enum
				sub_feature_privileges {
					short_url			 boolean
					store_search_session boolean
				}
			}
		}	
	}
}

Rules

  • Under kibana_privileges, exactly one of the following must be defined: grant_all, grant_read, grant_custom
  • Field kibana_privileges.grant_custom.custom_feature_privileges.features enum values: discover, dashboard, canvas, maps, machine-learning, graph, visualize-library, logs, metrics, apm-and-users-experience, uptime, security, dev-tools, advanced-settings, index-pattern-management, saved-objects-management, fleet, actions-and-connectors, stack-alerts, stack-monitoring
  • Field kibana_privileges.grant_custom.custom_feature_privileges.grant enum values: all, read, none (discuss: should we explicitly add a none, or does the absence imply none?)
  • Field kibana_privileges.grant_custom.custom_feature_privileges.sub_feature_privileges.short_url is only supported when the feature is one of: discover, dashboard, visualize-library
  • Field kibana_privileges.grant_custom.custom_feature_privileges.sub_feature_privileges.store_search_session is only supported when the feature is one of: discover, dashboard

Role Mapping

resource 'elasticstack_auth_role_mapping' '<name>' {
	roles 	[]string
	rules	[]{
		user_field	enum
		type		enum
		text_value	  string
		number_value  number
		boolean_value boolean
	}
}

Rules:

  • Field rules.user_field enum values: username, dn, groups, realm.name
  • Field rules.type enum values: text, number, is-null, boolean
  • Under rules, at most one of text_value, number_value or boolean_value may be set, matching whether type is text, number or boolean. If type is is-null, no *_value field may be defined.

API Key

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html

resource 'elasticstack_auth_apikey' '<name>' {
	expiration	string
	role_descriptors {
		# key/value pair "role_name" -> "role_def" see definition of `Role`
	}
}
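As an added example, not code from this issue or from the provider itself: the proposed `elasticstack_auth_role_mapping` rules translated into the body that `PUT /_security/role_mapping/<name>` expects, with the three constraints under "Rules:" enforced before anything is emitted. Two things it assumes, because the proposal does not say: entries of the flat `rules` list are combined with the API's `all` operator (every rule must match), and the API's required `enabled` flag, absent from the proposed schema, is fixed to `true`. The sample input in `main` is constructed, and the type and function names are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// RuleType mirrors the proposed rules.type enum.
type RuleType string

const (
	RuleText    RuleType = "text"
	RuleNumber  RuleType = "number"
	RuleIsNull  RuleType = "is-null"
	RuleBoolean RuleType = "boolean"
)

// allowedUserFields mirrors the proposed rules.user_field enum.
var allowedUserFields = map[string]bool{"username": true, "dn": true, "groups": true, "realm.name": true}

// MappingRule is one entry of the proposed rules block; a nil pointer means "not set".
type MappingRule struct {
	UserField    string
	Type         RuleType
	TextValue    *string
	NumberValue  *float64
	BooleanValue *bool
}

// Validate enforces the constraints listed under "Rules:" for the role mapping resource.
func (r MappingRule) Validate() error {
	if !allowedUserFields[r.UserField] {
		return fmt.Errorf("rules.user_field %q is not one of username, dn, groups, realm.name", r.UserField)
	}
	present := map[RuleType]bool{RuleText: r.TextValue != nil, RuleNumber: r.NumberValue != nil, RuleBoolean: r.BooleanValue != nil}
	set := 0
	for _, p := range present {
		if p {
			set++
		}
	}
	if set > 1 {
		return fmt.Errorf("rule on %s: at most one of text_value, number_value, boolean_value may be set", r.UserField)
	}
	switch r.Type {
	case RuleText, RuleNumber, RuleBoolean:
		if !present[r.Type] { // type text needs text_value, and so on
			return fmt.Errorf("rule on %s: type %s requires %s_value", r.UserField, r.Type, r.Type)
		}
	case RuleIsNull:
		if set != 0 {
			return fmt.Errorf("rule on %s: type is-null must not carry a *_value field", r.UserField)
		}
	default:
		return fmt.Errorf("rule on %s: unknown type %q", r.UserField, r.Type)
	}
	return nil
}

// BuildRoleMapping returns the body for PUT /_security/role_mapping/<name>.
// ASSUMPTION: entries of the flat rules list are ANDed with "all" (the proposal does not say
// whether "all" or "any" is meant), and "enabled", required by the API, is fixed to true.
func BuildRoleMapping(roles []string, rules []MappingRule) (map[string]interface{}, error) {
	if len(roles) == 0 || len(rules) == 0 {
		return nil, fmt.Errorf("role mapping needs at least one role and one rule")
	}
	fieldRules := make([]interface{}, 0, len(rules))
	for _, r := range rules {
		if err := r.Validate(); err != nil {
			return nil, err
		}
		var v interface{} // stays nil for is-null; json.Marshal emits null, the API's "absent or null"
		switch r.Type {
		case RuleText:
			v = *r.TextValue
		case RuleNumber:
			v = *r.NumberValue
		case RuleBoolean:
			v = *r.BooleanValue
		}
		fieldRules = append(fieldRules, map[string]interface{}{"field": map[string]interface{}{r.UserField: v}})
	}
	var rulesNode interface{} = fieldRules[0] // a single rule needs no "all" wrapper
	if len(fieldRules) > 1 {
		rulesNode = map[string]interface{}{"all": fieldRules}
	}
	return map[string]interface{}{"enabled": true, "roles": roles, "rules": rulesNode}, nil
}

func main() {
	// Constructed sample input: members of an LDAP group from realm "ldap1" get kibana_admin.
	group, realm := "cn=admins,dc=example,dc=com", "ldap1"
	body, err := BuildRoleMapping([]string{"kibana_admin"}, []MappingRule{
		{UserField: "groups", Type: RuleText, TextValue: &group},
		{UserField: "realm.name", Type: RuleText, TextValue: &realm},
	})
	out, _ := json.Marshal(body)
	fmt.Println(string(out), err)
}
```

The is-null case is the one worth checking by hand: the API distinguishes `"field": {"realm.name": null}` (match users where the field is missing or null) from a rule that omits the field entirely, so the nil value must reach the marshaller rather than being dropped.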