[Bug] Cannot set "documents" field as object in Kibana detection rule via Terraform #1446

@lelianthorel

Describe the bug
When creating a Kibana security detection rule with Terraform, it is impossible to properly configure the documents field in the actions.params block. Terraform forces it to be a string, but the API expects an object or list of objects. As a result, the exported rule does not match the expected structure, and we cannot automate rule creation correctly.

To Reproduce
Steps to reproduce the behavior:

  1. Use the following Terraform configuration snippet:
resource "elasticstack_kibana_security_detection_rule" "detection-rule" {
  name = "successful_ssh_connections_from_password"
  actions = [{
    id             = each.value.actions.id
    action_type_id = each.value.actions.action_type_id
    group          = each.value.actions.group
    params = {
      documents = ["{'test':'test'}"] # or "[{'test':'test'}]"
    }
  }]
}
  2. Run terraform apply or tofu apply.

  3. See the error:

Error: Incorrect attribute value type
element 0: attribute "params": element "documents": string required, but have object.

Expected behavior
Terraform should allow the documents field to accept an object or list of objects to match the expected structure of the action connector, not just a string. The applied rule should result in:

"params": {
  "documents": [
    {
      "test": "test"
    }
  ]
}

instead of forcing "documents": "[{'test':'test'}]" or stringified JSON.

Debug output
Terraform logs when applying the resource:

resource "elasticstack_kibana_security_detection_rule" "detection-rule" {
  name = "successful_ssh_connections_from_password"
  actions = [{
    id             = each.value.actions.id
    action_type_id = each.value.actions.action_type_id
    group          = each.value.actions.group
    params = {
      documents = "[{'test':'test'}]"
    }
  }]
}
module.elastic-infomaniak.elasticstack_fleet_integration.integration["fim"]: Refreshing state...
module.elastic-infomaniak.elasticstack_kibana_security_detection_rule.detection-rule["successful_ssh_connections_from_password"]: Refreshing state...
module.elastic-infomaniak.elasticstack_kibana_security_detection_rule.detection-rule["successful_ssh_connections_from_password"]: Modifying... [id=default/969730e8-5aeb-4424-8717-a1830804b002]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Versions (please complete the following information):

  • OS: Linux
  • Opentofu Version: 1.10.7
  • Provider version: elasticstack_v0.12.1
  • Elasticsearch Version: 8.18.2

Additional context

  • Tested various ways to pass the documents value: string, JSON string, list of strings. Only string is accepted, which prevents creating valid actions.
  • Manually created rules in Kibana have documents as a list of objects, e.g.:
"params": {
  "documents": [
    {"test": "test"}
  ]
}
  • This appears to be a bug in the Terraform provider.
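
A check for the mismatch described in this issue, added here as an example (it is not code from the issue author or the provider project): it inspects a rule's exported JSON and reports any `params.documents` that is a string, or a list containing strings, instead of a list of objects. The function names and the sample rules are constructed for illustration; the `actions` / `params` / `documents` shape is the one shown in the issue.

```python
import json

def _hint(text: str) -> str:
    """Say whether a stringified value would at least parse as JSON."""
    try:
        json.loads(text)
        return " (stringified JSON)"
    except json.JSONDecodeError:
        return " (not valid JSON either, e.g. single-quoted keys)"

def check_documents(rule: dict) -> list:
    """Return findings for actions whose params.documents is not a list of objects."""
    findings = []
    for i, action in enumerate(rule.get("actions", [])):
        params = action.get("params", {})
        if "documents" not in params:
            continue  # connector type without a documents parameter
        docs = params["documents"]
        where = f"{rule.get('name', '<unnamed>')}: actions[{i}].params.documents"
        if isinstance(docs, str):
            findings.append(f"{where} is a string, expected a list of objects{_hint(docs)}")
        elif not isinstance(docs, list):
            findings.append(f"{where} is {type(docs).__name__}, expected a list of objects")
        else:
            for j, doc in enumerate(docs):
                if not isinstance(doc, dict):
                    detail = _hint(doc) if isinstance(doc, str) else ""
                    findings.append(f"{where}[{j}] is {type(doc).__name__}, expected an object{detail}")
    return findings

# Constructed sample rules, reduced to the fields this check reads.
NAME = "successful_ssh_connections_from_password"
GOOD = {"name": NAME, "actions": [{"params": {"documents": [{"test": "test"}]}}]}
BAD_STRING = {"name": NAME, "actions": [{"params": {"documents": "[{'test':'test'}]"}}]}
BAD_LIST = {"name": NAME, "actions": [{"params": {"documents": ['{"test": "test"}']}}]}

if __name__ == "__main__":
    for rule in (GOOD, BAD_STRING, BAD_LIST):
        for finding in check_documents(rule) or [f"{rule['name']}: ok"]:
            print(finding)
```

Run against rules exported after an apply, this catches an action whose `documents` was stored as a string even though the apply itself reported success.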
