Skip to content

[Bug] The create API key resource errors without allow_restricted_indices parameter #1236

New issue
New issue
Open
Open
[Bug] The create API key resource errors without allow_restricted_indices parameter#1236
Labels
bugSomething isn't working
@nobuhikosekiya

Description

@nobuhikosekiya
nobuhikosekiya
opened on Aug 8, 2025

Describe the bug
In the condition of creating a Elastic Stack API key that includes role_descriptor condition on indicies using Terraform, although the API key is created, the terraform apply command returns an error.
Also, due to this, the later terraform plan/apply will every time re-create the API key which is not expected.

To Reproduce
Steps to reproduce the behavior:

  1. For a elasticstack, create a API key with resource elasticstack_elasticsearch_security_api_key with role_descriptor condition on indicies . Example:
resource "elasticstack_elasticsearch_security_api_key" "api_key" {
  # Set the name
  name = "My API key"

  # Set the role descriptors
  role_descriptors = jsonencode({
    role-a = {
      cluster = ["all"],
      indices = [
        {
          names      = ["index-a*"],
          privileges = ["read"]
        }
      ]
    }
  })

  # Set the expiration for the API key
  expiration = "1d"

  # Set the custom metadata for this user
  metadata = jsonencode({
    "env"    = "testing"
    "open"   = false
    "number" = 49
  })
}
  1. Do terraform apply
  2. See the error in the output. Example:```
    When applying changes to elasticstack_elasticsearch_security_api_key.api_key, provider
    │ "provider["registry.terraform.io/elastic/elasticstack"]" produced an unexpected new value: .role_descriptors: was
    │ cty.StringVal("{"role-a":{"cluster":["all"],"indices":[{"names":["index-a*"],"privileges":["read"]}]}}"),
    │ but now
    │ cty.StringVal("{"role-a":{"cluster":["all"],"indices":[{"names":["index-a*"],"privileges":["read"],"allow_restricted_indices":false}]}}").

    │ This is a bug in the provider, which should be reported in the provider's own issue tracker.

**Expected behavior**
Either document that allow_restricted_indices is a mandatory parameter or make it to not error when not specifying it. 

**Screenshots**

<img width="915" height="90" alt="Image" src="https://github.com/user-attachments/assets/270d2076-9ce5-4985-b0e1-9806f91a0adc" />

**Versions (please complete the following information):**
 - Terraform Version : ~> 1.6
 - Provider version: ~>0.11
 - Elasticsearch Version: 9.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions