
Conversation


Copilot AI commented Nov 6, 2025

Implements Terraform resources for managing Kibana exception lists and items, which control when security detection rules should not generate alerts.

Resources Added

  • elasticstack_kibana_security_exception_list - Container for related exception items
  • elasticstack_kibana_security_exception_item - Query conditions that prevent alert generation

Implementation

  • Full CRUD operations using generated Kibana OpenAPI client (kbapi)
  • Plugin Framework implementation following system_user pattern
  • Helper functions in internal/clients/kibana_oapi/exceptions.go
  • Support for all exception types: detection, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, endpoint_blocklists
  • Namespace handling (single/agnostic scoping)
  • OS-specific filtering (Linux, macOS, Windows)

Usage

resource "elasticstack_kibana_security_exception_list" "trusted_processes" {
  list_id        = "trusted-process-list"
  name           = "Trusted Processes"
  description    = "Approved processes that should not trigger alerts"
  type           = "detection"
  namespace_type = "single"
  os_types       = ["linux", "windows"]
  tags           = ["trusted", "approved"]
}

resource "elasticstack_kibana_security_exception_item" "ssh_daemon" {
  list_id     = elasticstack_kibana_security_exception_list.trusted_processes.list_id
  name        = "SSH Daemon Exception"
  description = "Allow SSH daemon process"
  type        = "simple"
  
  entries = jsonencode([{
    field    = "process.name"
    operator = "included"
    type     = "match"
    value    = "sshd"
  }])
}

Notes

  • Requires Elastic Stack 7.9.0+ (API introduction)
  • Exception item entries field uses JSON encoding to support complex union types (match, match_any, exists, list, nested, wildcard)
  • Acceptance tests require running Elasticsearch/Kibana instances

Original prompt

This section details the original issue you should resolve

<issue_title>[FEATURE] Support Elastic Security Exceptions</issue_title>
<issue_description>
Name of the resource

exceptions

Describe new functionality

Add support for the Kibana Exceptions API

Exceptions are made up of:

  • Exception containers: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.

  • Exception items: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to true, the rule does not generate an alert.

We should add resources for both of these: exception containers (exception_container) and exception items (exception_item).

Details

  • A directory for each of these resources should be added to internal/kibana
  • When making requests to Kibana, use the generated Kibana OpenAPI client (e.g. GetKibanaOapiClient())
  • Implement this resource using the terraform-plugin-framework
  • Use internal/elasticsearch/security/system_user/resource.go as an example of a terraform-plugin-framework based resource
  • When implementing API requests, double-check the docs to verify all fields are supported

Version Introduced

7.9.0

Anything else?

No response</issue_description>

Comments on the Issue (you are @copilot in this section)


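As an added example (not code from this PR or from the provider), a Go validator for the JSON-encoded `entries` attribute described in the Notes above: it decodes the array and checks each union member (match, match_any, exists, list, nested, wildcard) against the entry shape assumed here from the public Kibana Lists API, so a malformed exception is rejected at plan time rather than by Kibana at apply. The `entry` struct, `ValidateEntries`, `entryOK` and the `SampleEntries` input are all constructed for this example and are not the provider's generated kbapi types.

```go
package main
import ("encoding/json"; "fmt")
// entry is one exception-item entry, shaped after the public Kibana Lists API (an assumption; not the provider's generated kbapi type).
type entry struct {
	Type     string               `json:"type"`
	Field    string               `json:"field"`
	Operator string               `json:"operator,omitempty"`
	Value    json.RawMessage      `json:"value,omitempty"`
	List     *struct{ ID string } `json:"list,omitempty"`
	Entries  []entry              `json:"entries,omitempty"`
}

const SampleEntries = `[{"field":"process.name","operator":"included","type":"match","value":"sshd"}]` // the sshd entry from the PR description, embedded as constructed sample input

// ValidateEntries checks the JSON string destined for the `entries` attribute so a malformed exception fails at plan time, not at apply.
func ValidateEntries(raw string) error {
	var entries []entry
	if err := json.Unmarshal([]byte(raw), &entries); err != nil || len(entries) == 0 {
		return fmt.Errorf("entries must be a non-empty JSON array (%v)", err)
	}
	for i, e := range entries {
		if !entryOK(e, false) {
			return fmt.Errorf("entries[%d]: invalid %q entry for field %q", i, e.Type, e.Field)
		}
	}
	return nil
}

func entryOK(e entry, child bool) bool { // child marks entries inside a nested group, where list and nested are not allowed
	var s string
	var vs []string
	ok := e.Field != "" && (e.Type == "nested" || e.Operator == "included" || e.Operator == "excluded")
	switch e.Type {
	case "match", "wildcard": // single string value
		return ok && json.Unmarshal(e.Value, &s) == nil && s != ""
	case "match_any": // one or more string values
		return ok && json.Unmarshal(e.Value, &vs) == nil && len(vs) > 0
	case "exists": // presence check only, no value allowed
		return ok && len(e.Value) == 0
	case "list": // reference to a value list by id, top level only
		return ok && !child && e.List != nil && e.List.ID != ""
	case "nested": // group of child entries under a nested field
		for _, c := range e.Entries {
			ok = ok && entryOK(c, true)
		}
		return ok && !child && len(e.Entries) > 0
	}
	return false
}
func main() { fmt.Println(ValidateEntries(SampleEntries)) }
```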

Copilot AI and others added 4 commits November 6, 2025 11:46
Co-authored-by: nick-benoit <163016768+nick-benoit@users.noreply.github.com>
…tion resources

Co-authored-by: nick-benoit <163016768+nick-benoit@users.noreply.github.com>
Co-authored-by: nick-benoit <163016768+nick-benoit@users.noreply.github.com>
…cation

Co-authored-by: nick-benoit <163016768+nick-benoit@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for Elastic Security exceptions Add Kibana Security Exceptions API resources Nov 6, 2025
Copilot AI requested a review from nick-benoit November 6, 2025 12:02
Copilot finished work on behalf of nick-benoit November 6, 2025 12:02

Development

Successfully merging this pull request may close these issues.

[FEATURE] Support Elastic Security Exceptions
