terraform-provider-elasticstack

[Feature] Add support for prebuilt rules

Open tehbooom opened this issue 1 year ago • 0 comments

Is your feature request related to a problem? Please describe.

I would like to manage all rules using Terraform, to include prebuilt ones from Elastic.

Describe the resource you would like to have implemented.

Add another resource like elasticstack_kibana_prebuilt_rule that installs or updates all prebuilt rules from Elastic. Optionally enable or disable rules based on alert.attribute.tags using POST api/detection_engine/rules/_bulk_action.

Describe the solution you'd like

Enable rules by alert.attribute.tags:

resource "elasticstack_kibana_prebuilt_rule" "example" {
  tags = [
    "OS: Linux",
    "OS: Windows",
    "Data Source: GCP"
  ]
}

This would enable all rules

resource "elasticstack_kibana_prebuilt_rule" "example" {
  tags = ["all"]
}

This would install the rules but not enable them

resource "elasticstack_kibana_prebuilt_rule" "example" {
  tags = []
}

Only run if tags is updated or if GET api/detection_engine/rules/prepackaged/_status returns rules_not_installed or rules_not_updated greater than or equal to 1.

Describe alternatives you've considered

Using ansible.builtin.uri or curl as an alternative.


tehbooom, Sep 03 '24 14:09
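The run condition and tag handling requested above, as an added Go example that is not part of the issue or the provider's code. `BuildPlan`, the KQL field names `alert.attributes.tags` and `alert.attributes.params.immutable`, and the sample status body are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// kqlEsc escapes backslashes and double quotes so a tag value cannot break out of its KQL string.
var kqlEsc = strings.NewReplacer(`\`, `\\`, `"`, `\"`)

// BuildPlan (hypothetical helper) decides what the proposed resource would do on apply:
// install reports whether prebuilt rules need installing or updating, and bulkBody is the
// body for POST api/detection_engine/rules/_bulk_action ("" when nothing is to be enabled).
func BuildPlan(statusJSON []byte, tags []string, tagsChanged bool) (install bool, bulkBody string, err error) {
	var st struct {
		NotInstalled int `json:"rules_not_installed"`
		NotUpdated   int `json:"rules_not_updated"`
	}
	if err = json.Unmarshal(statusJSON, &st); err != nil {
		return false, "", fmt.Errorf("parse _status response: %w", err)
	}
	install = st.NotInstalled >= 1 || st.NotUpdated >= 1
	if (!install && !tagsChanged) || len(tags) == 0 {
		return install, "", nil // no-op, or install without enabling anything
	}
	// Assumption: prebuilt rules are the ones with params.immutable set to true.
	query := "alert.attributes.params.immutable: true"
	quoted := make([]string, 0, len(tags))
	for _, t := range tags {
		if t == "all" { // "all" drops the tag filter: enable every prebuilt rule
			quoted = nil
			break
		}
		quoted = append(quoted, `"`+kqlEsc.Replace(t)+`"`)
	}
	if len(quoted) > 0 {
		query += " AND alert.attributes.tags: (" + strings.Join(quoted, " OR ") + ")"
	}
	body, err := json.Marshal(map[string]string{"action": "enable", "query": query})
	return install, string(body), err
}

func main() {
	status := []byte(`{"rules_not_installed": 12, "rules_not_updated": 0}`) // constructed sample
	fmt.Println(BuildPlan(status, []string{"OS: Linux", "Data Source: GCP"}, false))
}
```

Scoping the query to prebuilt rules keeps `tags = ["all"]` from also enabling custom rules, and the escaping keeps a tag containing a quote from altering the filter.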