Merge branch 'main' into use-fips-compliant-id-generator-libs-for-rep…

…orting-plugin

.buildkite/pipelines/pull_request/base.yml

@@ -57,54 +57,6 @@ steps:
         - exit_status: '*'
           limit: 1
 
-  - command: .buildkite/scripts/steps/functional/threat_intelligence.sh
-    label: 'Threat Intelligence Cypress Tests'
-    agents:
-      queue: n2-4-spot
-    depends_on: build
-    timeout_in_minutes: 60
-    parallelism: 2
-    retry:
-      automatic:
-        - exit_status: '*'
-          limit: 1
-
-  - command: .buildkite/scripts/steps/functional/osquery_cypress.sh
-    label: 'Osquery Cypress Tests'
-    agents:
-      queue: n2-4-spot
-    depends_on: build
-    timeout_in_minutes: 60
-    parallelism: 6
-    retry:
-      automatic:
-        - exit_status: '*'
-          limit: 1
-
-  - command: .buildkite/scripts/steps/functional/security_serverless_osquery.sh
-    label: 'Serverless Osquery Cypress Tests'
-    agents:
-      queue: n2-4-spot
-    depends_on: build
-    timeout_in_minutes: 60
-    parallelism: 6
-    retry:
-      automatic:
-        - exit_status: '*'
-          limit: 1
-
-  # status_exception: Native role management is not enabled in this Elasticsearch instance
-  # - command: .buildkite/scripts/steps/functional/security_serverless_defend_workflows.sh
-  #   label: 'Serverless Security Defend Workflows Cypress Tests'
-  #   agents:
-  #     queue: n2-4-spot
-  #   depends_on: build
-  #   timeout_in_minutes: 60
-  #   retry:
-  #     automatic:
-  #       - exit_status: '*'
-  #         limit: 1
-
   - command: .buildkite/scripts/steps/lint.sh
     label: 'Linting'
     agents:

.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml

@@ -22,3 +22,15 @@ steps:
       automatic:
         - exit_status: '*'
           limit: 1
+
+  # status_exception: Native role management is not enabled in this Elasticsearch instance
+  # - command: .buildkite/scripts/steps/functional/security_serverless_defend_workflows.sh
+  #   label: 'Serverless Security Defend Workflows Cypress Tests'
+  #   agents:
+  #     queue: n2-4-spot
+  #   depends_on: build
+  #   timeout_in_minutes: 60
+  #   retry:
+  #     automatic:
+  #       - exit_status: '*'
+  #         limit: 1

.buildkite/pipelines/pull_request/security_solution/osquery_cypress.yml

@@ -0,0 +1,24 @@
+steps:
+  - command: .buildkite/scripts/steps/functional/osquery_cypress.sh
+    label: 'Osquery Cypress Tests'
+    agents:
+      queue: n2-4-spot
+    depends_on: build
+    timeout_in_minutes: 60
+    parallelism: 6
+    retry:
+      automatic:
+        - exit_status: '*'
+          limit: 1
+
+  - command: .buildkite/scripts/steps/functional/security_serverless_osquery.sh
+    label: 'Serverless Osquery Cypress Tests'
+    agents:
+      queue: n2-4-spot
+    depends_on: build
+    timeout_in_minutes: 60
+    parallelism: 6
+    retry:
+      automatic:
+        - exit_status: '*'
+          limit: 1

.buildkite/pipelines/pull_request/security_solution/threat_intelligence.yml

@@ -0,0 +1,12 @@
+steps:
+  - command: .buildkite/scripts/steps/functional/threat_intelligence.sh
+    label: 'Threat Intelligence Cypress Tests'
+    agents:
+      queue: n2-4-spot
+    depends_on: build
+    timeout_in_minutes: 60
+    parallelism: 2
+    retry:
+      automatic:
+        - exit_status: '*'
+          limit: 1

.buildkite/pipelines/security_solution/security_solution_cypress.yml

@@ -1,16 +1,4 @@
 steps:
-  - command: .buildkite/scripts/pipelines/security_solution_quality_gate/security_solution_cypress/mki_security_solution_cypress.sh cypress:run:qa:serverless
-    label: 'Serverless MKI QA Security Cypress Tests'
-    agents:
-      queue: n2-4-spot
-    # TODO : Revise the timeout when the pipeline will be officially integrated with the quality gate.
-    timeout_in_minutes: 300
-    parallelism: 6
-    retry:
-      automatic:
-        - exit_status: '*'
-          limit: 1
-
   - command: .buildkite/scripts/pipelines/security_solution_quality_gate/security_solution_cypress/mki_security_solution_cypress.sh cypress:run:qa:serverless:explore
     label: 'Serverless MKI QA Explore - Security Solution Cypress Tests'
     agents:
@@ -53,7 +41,7 @@ steps:
       queue: n2-4-spot
     # TODO : Revise the timeout when the pipeline will be officially integrated with the quality gate.
     timeout_in_minutes: 300
-    parallelism: 6
+    parallelism: 2
     retry:
       automatic:
         - exit_status: '*'
@@ -93,7 +81,7 @@ steps:
     retry:
       automatic:
         - exit_status: '*'
-          limit: 1   
+          limit: 1
 
   - command: .buildkite/scripts/pipelines/security_solution_quality_gate/security_solution_cypress/mki_security_solution_cypress.sh cypress:run:qa:serverless:entity_analytics
     label: 'Serverless MKI QA Entity Analytics - Security Solution Cypress Tests'
@@ -105,4 +93,4 @@ steps:
     retry:
       automatic:
         - exit_status: '*'
-          limit: 1                    
+          limit: 1

.buildkite/scripts/common/util.sh

@@ -173,29 +173,29 @@ download_artifact() {
 
 
 vault_get() {
-  path=$1
+  key_path=$1
   field=$2
 
-  fullPath="secret/ci/elastic-kibana/$path"
+  fullPath="secret/ci/elastic-kibana/$key_path"
   if [[ "$VAULT_ADDR" == *"secrets.elastic.co"* ]]; then
-    fullPath="secret/kibana-issues/dev/$path"
+    fullPath="secret/kibana-issues/dev/$key_path"
   fi
 
-  if [[ -z "${2:-}" ]]; then
-    retry 5 5 vault read "$fullPath"
+  if [[ -z "${2:-}" || "${2:-}" =~ ^-.* ]]; then
+    retry 5 5 vault read "$fullPath" "${@:2}"
   else
-    retry 5 5 vault read -field="$field" "$fullPath"
+    retry 5 5 vault read -field="$field" "$fullPath" "${@:3}"
   fi
 }
 
 vault_set() {
-  path=$1
+  key_path=$1
   shift
   fields=("$@")
 
-  fullPath="secret/ci/elastic-kibana/$path"
+  fullPath="secret/ci/elastic-kibana/$key_path"
   if [[ "$VAULT_ADDR" == *"secrets.elastic.co"* ]]; then
-    fullPath="secret/kibana-issues/dev/$path"
+    fullPath="secret/kibana-issues/dev/$key_path"
   fi
 
   # shellcheck disable=SC2068

.buildkite/scripts/pipelines/pull_request/pipeline.ts

@@ -88,7 +88,10 @@ const uploadPipeline = (pipelineContent: string | object) => {
     }
 
     if (
-      (await doAnyChangesMatch([/^x-pack\/plugins\/observability_onboarding/])) ||
+      (await doAnyChangesMatch([
+        /^x-pack\/plugins\/observability_onboarding/,
+        /^x-pack\/plugins\/fleet/,
+      ])) ||
       GITHUB_PR_LABELS.includes('ci:all-cypress-suites')
     ) {
       pipeline.push(
@@ -265,6 +268,58 @@ const uploadPipeline = (pipelineContent: string | object) => {
       );
     }
 
+    if (
+      (await doAnyChangesMatch([
+        /^package.json/,
+        /^src\/plugins\/data/,
+        /^src\/plugins\/kibana_utils/,
+        /^src\/plugins\/inspector/,
+        /^src\/plugins\/data_views/,
+        /^src\/core/,
+        /^packages\/kbn-securitysolution-.*/,
+        /^packages\/kbn-es-query/,
+        /^packages\/kbn-securitysolution-io-ts-list-types/,
+        /^packages\/kbn-i18n-react/,
+        /^packages\/kbn-i18n/,
+        /^packages\/shared-ux/,
+        /^packages\/kbn-doc-links/,
+        /^packages\/kbn-securitysolution-io-ts-list-types/,
+        /^x-pack\/plugins\/threat_intelligence/,
+        /^x-pack\/packages\/security-solution/,
+        /^x-pack\/test\/threat_intelligence_cypress/,
+        /^x-pack\/plugins\/cases/,
+        /^x-pack\/plugins\/timelines/,
+        /^x-pack\/plugins\/triggers_actions_ui/,
+        /^x-pack\/plugins\/rule_registry/,
+      ])) ||
+      GITHUB_PR_LABELS.includes('ci:all-cypress-suites')
+    ) {
+      pipeline.push(
+        getPipeline('.buildkite/pipelines/pull_request/security_solution/threat_intelligence.yml')
+      );
+    }
+
+    if (
+      (await doAnyChangesMatch([
+        /^src\/plugins\/controls/,
+        /^packages\/kbn-securitysolution-.*/,
+        /^x-pack\/plugins\/lists/,
+        /^x-pack\/plugins\/security_solution/,
+        /^x-pack\/plugins\/timelines/,
+        /^x-pack\/plugins\/triggers_actions_ui\/public\/application\/sections\/action_connector_form/,
+        /^x-pack\/plugins\/triggers_actions_ui\/public\/application\/sections\/alerts_table/,
+        /^x-pack\/plugins\/triggers_actions_ui\/public\/application\/context\/connectors_context\.tsx/,
+        /^x-pack\/test\/defend_workflows_cypress/,
+        /^x-pack\/test\/security_solution_cypress/,
+        /^fleet_packages\.json/, // It contains reference to prebuilt detection rules, we want to run security solution tests if it changes
+      ])) ||
+      GITHUB_PR_LABELS.includes('ci:all-cypress-suites')
+    ) {
+      pipeline.push(
+        getPipeline('.buildkite/pipelines/pull_request/security_solution/osquery_cypress.yml')
+      );
+    }
+
     pipeline.push(getPipeline('.buildkite/pipelines/pull_request/post_build.yml'));
 
     // remove duplicated steps

.buildkite/scripts/pipelines/security_solution_quality_gate/api-integration-tests.sh

@@ -14,7 +14,7 @@ echo "--- Serverless Security Second Quality Gate"
 cd x-pack/test/security_solution_api_integration
 set +e
 
-QA_API_KEY=$(vault_get security-solution-qg-enc-key qa_api_key)
+QA_API_KEY=$(vault_get security-solution-quality-gate qa_api_key)
 
 # Generate a random 5-digit number
 random_number=$((10000 + $RANDOM % 90000))

.buildkite/scripts/pipelines/security_solution_quality_gate/security_solution_cypress/mki_security_solution_cypress.sh

@@ -17,11 +17,12 @@ export JOB=kibana-security-solution-chrome
 buildkite-agent meta-data set "${BUILDKITE_JOB_ID}_is_test_execution_step" "true"
 
 mkdir .ftr
-retry 5 5 vault kv get -format=json -field=data secret/kibana-issues/dev/security-quality-gate/role-users > .ftr/role_users.json
+vault_get security-quality-gate/role-users data -format=json > .ftr/role_users.json
 
 cd x-pack/test/security_solution_cypress
 set +e
 
-QA_API_KEY=$(vault_get security-solution-qg-enc-key qa_api_key)
+QA_API_KEY=$(vault_get security-solution-quality-gate qa_api_key)
+BK_ANALYTICS_API_KEY=$(vault_get security-solution-quality-gate serverless-sec-sol-cypress-bk-api-key)
 
-CLOUD_QA_API_KEY=$QA_API_KEY yarn $1; status=$?; yarn junit:merge || :; exit $status
+BK_ANALYTICS_API_KEY=$BK_ANALYTICS_API_KEY CLOUD_QA_API_KEY=$QA_API_KEY yarn $1; status=$?; yarn junit:merge || :; exit $status

.buildkite/scripts/serverless/create_deploy_tag/info_sections/so_snapshot_comparison.ts

@@ -11,12 +11,15 @@ import { readFileSync } from 'fs';
 import { exec } from '../shared';
 import { BuildkiteClient, getKibanaDir } from '#pipeline-utils';
 
+type VersionChanges = Record<string, { from: number; to: number; emoji: string }>;
+
 export function compareSOSnapshots(
   previousSha: string,
   selectedSha: string
 ): null | {
   hasChanges: boolean;
   changed: string[];
+  versionChanges: VersionChanges;
   command: string;
 } {
   assertValidSha(previousSha);
@@ -33,9 +36,15 @@ export function compareSOSnapshots(
     const buildkite = new BuildkiteClient({ exec });
     buildkite.uploadArtifacts(outputPath);
 
+    const versionChanges = Object.keys(soComparisonResult.changes).reduce((changes, pluginId) => {
+      changes[pluginId] = soComparisonResult.changes[pluginId].versionChange;
+      return changes;
+    }, {} as VersionChanges);
+
     return {
       hasChanges: soComparisonResult.hasChanges,
       changed: soComparisonResult.changed,
+      versionChanges,
       command,
     };
   } catch (ex) {
@@ -47,14 +56,24 @@ export function compareSOSnapshots(
 export function makeSOComparisonBlockHtml(comparisonResult: {
   hasChanges: boolean;
   changed: string[];
+  versionChanges: VersionChanges;
   command: string;
 }): string {
   if (comparisonResult.hasChanges) {
+    const { versionChanges, changed, command } = comparisonResult;
     return `<div>
-<h4>Plugin Saved Object migration changes: *yes, ${comparisonResult.changed.length} plugin(s)*</h4>
-<div>Changed plugins: <strong>${comparisonResult.changed.join(', ')}</strong></div>
+<h4>Plugin Saved Object migration changes: *yes, ${changed.length} plugin(s)*</h4>
+<div>Changed plugins:</div>
+ <div>
+    <ul>
+${Object.keys(versionChanges).map((key) => {
+  const { from, to, emoji } = versionChanges[key];
+  return `<li>${emoji} ${key}: ${from} => ${to}</li>`;
+})}
+    </ul>
+ </div>
 <i>Find detailed info in the archived artifacts, or run the command yourself: </i>
-<div><pre>${comparisonResult.command}</pre></div>
+<div><pre>${command}</pre></div>
 </div>`;
   } else {
     return `<div>

.buildkite/scripts/steps/code_generation/elastic_assistant_codegen.sh

@@ -6,5 +6,5 @@ source .buildkite/scripts/common/util.sh
 
 echo --- Elastic Assistant OpenAPI Code Generation
 
-(cd x-pack/plugins/elastic_assistant && yarn openapi:generate)
+(cd x-pack/packages/kbn-elastic-assistant-common && yarn openapi:generate)
 check_for_changed_files "yarn openapi:generate" true

.buildkite/scripts/steps/functional/defend_workflows.sh

@@ -13,4 +13,6 @@ echo "--- Defend Workflows Cypress tests"
 cd x-pack/plugins/security_solution
 
 set +e
-yarn cypress:dw:run; status=$?; yarn junit:merge || :; exit $status
+BK_ANALYTICS_API_KEY=$(vault_get security-solution-ci defend-workflows-bk-api-key)
+
+BK_ANALYTICS_API_KEY=$BK_ANALYTICS_API_KEY yarn cypress:dw:run; status=$?; yarn junit:merge || :; exit $status

.buildkite/scripts/steps/functional/defend_workflows_serverless.sh

@@ -13,4 +13,6 @@ echo "--- Defend Workflows Cypress tests on Serverless"
 cd x-pack/plugins/security_solution
 
 set +e
-yarn cypress:dw:serverless:run; status=$?; yarn junit:merge || :; exit $status
+BK_ANALYTICS_API_KEY=$(vault_get security-solution-ci defend-workflows-bk-api-key)
+
+BK_ANALYTICS_API_KEY=$BK_ANALYTICS_API_KEY yarn cypress:dw:serverless:run; status=$?; yarn junit:merge || :; exit $status

.buildkite/scripts/steps/functional/security_serverless_ai_assistant.sh

@@ -13,4 +13,6 @@ echo "--- AI Assistant Cypress Tests on Serverless"
 cd x-pack/test/security_solution_cypress
 
 set +e
-yarn cypress:ai_assistant:run:serverless; status=$?; yarn junit:merge || :; exit $status
+BK_ANALYTICS_API_KEY=$(vault_get security-solution-ci sec-sol-cypress-bk-api-key)
+
+BK_ANALYTICS_API_KEY=$BK_ANALYTICS_API_KEY yarn cypress:ai_assistant:run:serverless; status=$?; yarn junit:merge || :; exit $status

.buildkite/scripts/steps/functional/security_serverless_detection_engine.sh

@@ -13,4 +13,6 @@ echo "--- Detection Engine Cypress Tests on Serverless"
 cd x-pack/test/security_solution_cypress
 
 set +e
-yarn cypress:detection_engine:run:serverless; status=$?; yarn junit:merge || :; exit $status
+BK_ANALYTICS_API_KEY=$(vault_get security-solution-ci sec-sol-cypress-bk-api-key)
+
+BK_ANALYTICS_API_KEY=$BK_ANALYTICS_API_KEY yarn cypress:detection_engine:run:serverless; status=$?; yarn junit:merge || :; exit $status

.buildkite/scripts/steps/functional/security_serverless_detection_engine_exceptions.sh

@@ -13,4 +13,6 @@ echo "--- Detection Engine - Exceptions - Cypress Tests on Serverless"
 cd x-pack/test/security_solution_cypress
 
 set +e
-yarn cypress:detection_engine:exceptions:run:serverless; status=$?; yarn junit:merge || :; exit $status
+BK_ANALYTICS_API_KEY=$(vault_get security-solution-ci sec-sol-cypress-bk-api-key)
+
+BK_ANALYTICS_API_KEY=$BK_ANALYTICS_API_KEY yarn cypress:detection_engine:exceptions:run:serverless; status=$?; yarn junit:merge || :; exit $status