Kibana api key (elastic#372)

* Adding api key functionality for Kibana

* Adding support for api_key for Kibana

* Adding go-kibana-rest lib locally as it is abandoned by authors

* update docs

* added support for SLO client to use API keys

* add auth interceptor to connectors client

* added test case for Kibana API keys via provider

* slight fix to table test

* added fwschema

* fix copy-pasta

* some typos, generate docs

* manually patch generated code for  now

* update specs

* update new kb config from framework

* added api key to provider tests

* use built in jq

* remove kibana api key env

* API keys should cascade from ES->Kibana->Fleet

* update rules doc

---------

Co-authored-by: Jean-Louis Leysens <[email protected]>
Co-authored-by: Toby Brain <[email protected]>

Author: 3 people

.github/workflows/test.yml

@@ -121,6 +121,15 @@ jobs:
           KIBANA_SYSTEM_USERNAME: ${{ env.KIBANA_SYSTEM_USERNAME }}
           KIBANA_SYSTEM_PASSWORD: ${{ env.KIBANA_SYSTEM_PASSWORD }}
 
+      - id: get-api-key
+        name: Get ES API key
+        run: |-
+          echo "apikey=$(make create-es-api-key | jq -r .encoded)" >> "$GITHUB_OUTPUT"
+        env:
+          ELASTICSEARCH_ENDPOINTS: "http://localhost:9200"
+          ELASTICSEARCH_USERNAME: "elastic"
+          ELASTICSEARCH_PASSWORD: ${{ env.ELASTIC_PASSWORD }}
+
       - name: TF acceptance tests
         timeout-minutes: 10
         run: make testacc
@@ -131,3 +140,4 @@ jobs:
           ELASTICSEARCH_USERNAME: "elastic"
           ELASTICSEARCH_PASSWORD: ${{ env.ELASTIC_PASSWORD }}
           KIBANA_ENDPOINT: "http://localhost:5601"
+          KIBANA_API_KEY: ${{ steps.get-api-key.outputs.apikey }}

Makefile

@@ -28,6 +28,7 @@ KIBANA_NAME ?= terraform-elasticstack-kb
 KIBANA_ENDPOINT ?= http://$(KIBANA_NAME):5601
 KIBANA_SYSTEM_USERNAME ?= kibana_system
 KIBANA_SYSTEM_PASSWORD ?= password
+KIBANA_API_KEY_NAME ?= kibana-api-key
 
 SOURCE_LOCATION ?= $(shell pwd)
 
@@ -129,6 +130,10 @@ docker-network: ## Create a dedicated network for ES and test runs
 set-kibana-password: ## Sets the ES KIBANA_SYSTEM_USERNAME's password to KIBANA_SYSTEM_PASSWORD. This expects Elasticsearch to be available at localhost:9200
 	@ $(call retry, 10, curl -X POST -u $(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD) -H "Content-Type: application/json" http://localhost:9200/_security/user/$(KIBANA_SYSTEM_USERNAME)/_password -d "{\"password\":\"$(KIBANA_SYSTEM_PASSWORD)\"}" | grep -q "^{}")
 
+.PHONY: create-es-api-key
+create-es-api-key: ## Creates and outputs a new API Key. This expects Elasticsearch to be available at localhost:9200
+	@ $(call retry, 10, curl -X POST -u $(ELASTICSEARCH_USERNAME):$(ELASTICSEARCH_PASSWORD) -H "Content-Type: application/json" http://localhost:9200/_security/api_key -d "{\"name\":\"$(KIBANA_API_KEY_NAME)\"}")
+
 .PHONY: docker-clean
 docker-clean: ## Try to remove provisioned nodes and assigned network
 	@ docker rm -f $(ELASTICSEARCH_NAME) $(KIBANA_NAME) || true

docs/index.md

@@ -92,6 +92,7 @@ Kibana resources will re-use any Elasticsearch credentials specified, these may
 - `KIBANA_USERNAME` - The username to use for Kibana authentication
 - `KIBANA_PASSWORD` - The password to use for Kibana authentication
 - `KIBANA_ENDPOINT` - The Kibana host to connect to
+- `KIBANA_API_KEY` - An Elasticsearch API key to use instead of `KIBANA_USERNAME` and `KIBANA_PASSWORD`
 
 Fleet resources will re-use any Kibana or Elasticsearch credentials specified, these may be overridden with the following variables:
 - `FLEET_USERNAME` - The username to use for Kibana authentication
@@ -179,6 +180,7 @@ Optional:
 
 Optional:
 
+- `api_key` (String, Sensitive) API Key to use for authentication to Kibana
 - `endpoints` (List of String, Sensitive) A comma-separated list of endpoints where the terraform provider will point to, this must include the http(s) schema and port number.
 - `insecure` (Boolean) Disable TLS certificate validation
 - `password` (String, Sensitive) Password to use for API authentication to Kibana.

docs/resources/kibana_alerting_rule.md

@@ -40,6 +40,13 @@ resource "elasticstack_kibana_alerting_rule" "example" {
 }
 ```
 
+
+**NOTE:** `api_key` authentication is only supported for alerting rule resources from version 8.8.0 of the Elastic stack. Using an `api_key` will result in an error message like:
+
+```
+Could not create API key - Unsupported scheme "ApiKey" for granting API Key
+```
+
 <!-- schema generated by tfplugindocs -->
 ## Schema
 

generated/alerting/api/openapi.yaml

@@ -3627,5 +3627,5 @@ components:
       type: http
     apiKeyAuth:
       in: header
-      name: ApiKey
+      name: Authorization
       type: apiKey

generated/alerting/api_alerting.go

@@ -1550,5 +1550,5 @@ components:
       type: http
     apiKeyAuth:
       in: header
-      name: ApiKey
+      name: Authorization
       type: apiKey