From 24a1c298b7e63c6f1872f0290e22be5ef64e10f7 Mon Sep 17 00:00:00 2001
From: Rupa Lahiri <rupacoach@gmail.com>
Date: Wed, 11 Oct 2023 05:07:24 +0530
Subject: [PATCH 1/3] upgrade aws-sdk-go (#91)

Signed-off-by: Rupa Lahiri <rupacoach@gmail.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 8eed3ac..ebe4a6a 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/opensearch-project/terraform-provider-opensearch
 go 1.14
 
 require (
-	github.com/aws/aws-sdk-go v1.44.333
+	github.com/aws/aws-sdk-go v1.45.24
 	github.com/deoxxa/aws_signing_client v0.0.0-20161109131055-c20ee106809e
 	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/go-version v1.6.0
diff --git a/go.sum b/go.sum
index e248a8e..01c762e 100644
--- a/go.sum
+++ b/go.sum
@@ -63,8 +63,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.15.78/go.mod h1:E3/ieXAlvM0XWO57iftYVDLLvQ824smPP3ATZkfNZeM=
 github.com/aws/aws-sdk-go v1.43.21/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go v1.44.333 h1:X0j5TGXtHLZzDB/uRcGKLG77ERFtxYQtXefs+Apf2PU=
-github.com/aws/aws-sdk-go v1.44.333/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.45.24 h1:TZx/CizkmCQn8Rtsb11iLYutEQVGK5PK9wAhwouELBo=
+github.com/aws/aws-sdk-go v1.45.24/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=

From b33b9cb47d3992246b64ee4aab440f2d0987e644 Mon Sep 17 00:00:00 2001
From: Rupa Lahiri <rupacoach@gmail.com>
Date: Fri, 20 Oct 2023 00:39:46 +0530
Subject: [PATCH 2/3] Add anomaly detection (#105)

* Add anomaly detection

Signed-off-by: Rupa Lahiri <rupacoach@gmail.com>

* Add test for update

Signed-off-by: Rupa Lahiri <rupacoach@gmail.com>

* Add audit config in anomaly detector test

Signed-off-by: Rupa Lahiri <rupacoach@gmail.com>

* Format terraform in test

Signed-off-by: Rupa Lahiri <rupacoach@gmail.com>

---------

Signed-off-by: Rupa Lahiri <rupacoach@gmail.com>
---
 docs/resources/anomaly_detection.md           |  82 +++++
 .../opensearch_anomaly_detection/resource.tf  |  53 ++++
 provider/diff_suppress_funcs.go               |  20 ++
 provider/provider.go                          |   1 +
 .../resource_opensearch_anomaly_detection.go  | 224 ++++++++++++++
 ...ource_opensearch_anomaly_detection_test.go | 289 ++++++++++++++++++
 provider/util.go                              |   4 +
 7 files changed, 673 insertions(+)
 create mode 100644 docs/resources/anomaly_detection.md
 create mode 100644 examples/resources/opensearch_anomaly_detection/resource.tf
 create mode 100644 provider/resource_opensearch_anomaly_detection.go
 create mode 100644 provider/resource_opensearch_anomaly_detection_test.go

diff --git a/docs/resources/anomaly_detection.md b/docs/resources/anomaly_detection.md
new file mode 100644
index 0000000..a2abbd9
--- /dev/null
+++ b/docs/resources/anomaly_detection.md
@@ -0,0 +1,82 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "opensearch_anomaly_detection Resource - terraform-provider-opensearch"
+subcategory: ""
+description: |-
+  Provides an OpenSearch anonaly detection. Please refer to the OpenSearch anomaly detection documentation for details.
+---
+
+# opensearch_anomaly_detection (Resource)
+
+Provides an OpenSearch anonaly detection. Please refer to the OpenSearch anomaly detection documentation for details.
+
+## Example Usage
+
+```terraform
+resource "opensearch_anomaly_detection" "foo" {
+  body = <<EOF
+{
+  "name": "foo",
+  "description": "Test detector",
+  "time_field": "@timestamp",
+  "indices": [
+    "security-auditlog*"
+  ],
+  "feature_attributes": [
+    {
+      "feature_name": "test",
+      "feature_enabled": true,
+      "aggregation_query": {
+        "test": {
+          "value_count": {
+            "field": "audit_category.keyword"
+          }
+        }
+      }
+    }
+  ],
+  "filter_query": {
+    "bool": {
+      "filter": [
+        {
+          "range": {
+            "value": {
+              "gt": 1
+            }
+          }
+        }
+      ],
+      "adjust_pure_negative": true,
+      "boost": 1
+    }
+  },
+  "detection_interval": {
+    "period": {
+      "interval": 1,
+      "unit": "Minutes"
+    }
+  },
+  "window_delay": {
+    "period": {
+      "interval": 1,
+      "unit": "Minutes"
+    }
+  },
+  "result_index" : "opensearch-ad-plugin-result-test"
+}
+EOF
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `body` (String) The anomaly detection document
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+
diff --git a/examples/resources/opensearch_anomaly_detection/resource.tf b/examples/resources/opensearch_anomaly_detection/resource.tf
new file mode 100644
index 0000000..cb1a5c1
--- /dev/null
+++ b/examples/resources/opensearch_anomaly_detection/resource.tf
@@ -0,0 +1,53 @@
+resource "opensearch_anomaly_detection" "foo" {
+  body = <<EOF
+{
+  "name": "foo",
+  "description": "Test detector",
+  "time_field": "@timestamp",
+  "indices": [
+    "security-auditlog*"
+  ],
+  "feature_attributes": [
+    {
+      "feature_name": "test",
+      "feature_enabled": true,
+      "aggregation_query": {
+        "test": {
+          "value_count": {
+            "field": "audit_category.keyword"
+          }
+        }
+      }
+    }
+  ],
+  "filter_query": {
+    "bool": {
+      "filter": [
+        {
+          "range": {
+            "value": {
+              "gt": 1
+            }
+          }
+        }
+      ],
+      "adjust_pure_negative": true,
+      "boost": 1
+    }
+  },
+  "detection_interval": {
+    "period": {
+      "interval": 1,
+      "unit": "Minutes"
+    }
+  },
+  "window_delay": {
+    "period": {
+      "interval": 1,
+      "unit": "Minutes"
+    }
+  },
+  "result_index" : "opensearch-ad-plugin-result-test"
+}
+EOF
+}
diff --git a/provider/diff_suppress_funcs.go b/provider/diff_suppress_funcs.go
index e804715..0f8aeb4 100644
--- a/provider/diff_suppress_funcs.go
+++ b/provider/diff_suppress_funcs.go
@@ -142,3 +142,23 @@ func diffSuppressPolicy(k, old, new string, d *schema.ResourceData) bool {
 
 	return reflect.DeepEqual(oo, no)
 }
+
+func diffSuppressAnomalyDetection(k, old, new string, d *schema.ResourceData) bool {
+	var oo, no interface{}
+	if err := json.Unmarshal([]byte(old), &oo); err != nil {
+		return false
+	}
+	if err := json.Unmarshal([]byte(new), &no); err != nil {
+		return false
+	}
+
+	if om, ok := oo.(map[string]interface{}); ok {
+		normalizeAnomalyDetection(om)
+	}
+
+	if nm, ok := no.(map[string]interface{}); ok {
+		normalizeAnomalyDetection(nm)
+	}
+
+	return reflect.DeepEqual(oo, no)
+}
diff --git a/provider/provider.go b/provider/provider.go
index 036b06b..5f6842f 100644
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -236,6 +236,7 @@ func Provider() *schema.Provider {
 			"opensearch_script":                    resourceOpensearchScript(),
 			"opensearch_snapshot_repository":       resourceOpensearchSnapshotRepository(),
 			"opensearch_channel_configuration":     resourceOpenSearchChannelConfiguration(),
+			"opensearch_anomaly_detection":         resourceOpenSearchAnomalyDetection(),
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
diff --git a/provider/resource_opensearch_anomaly_detection.go b/provider/resource_opensearch_anomaly_detection.go
new file mode 100644
index 0000000..0888ca7
--- /dev/null
+++ b/provider/resource_opensearch_anomaly_detection.go
@@ -0,0 +1,224 @@
+package provider
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/olivere/elastic/uritemplates"
+	elastic7 "github.com/olivere/elastic/v7"
+)
+
+var anomalyDetectionSchema = map[string]*schema.Schema{
+	"body": {
+		Description:      "The anomaly detection document",
+		Type:             schema.TypeString,
+		Required:         true,
+		DiffSuppressFunc: diffSuppressAnomalyDetection,
+		StateFunc: func(v interface{}) string {
+			json, _ := structure.NormalizeJsonString(v)
+			return json
+		},
+		ValidateFunc: validation.StringIsJSON,
+	},
+}
+
+func resourceOpenSearchAnomalyDetection() *schema.Resource {
+	return &schema.Resource{
+		Description: "Provides an OpenSearch anonaly detection. Please refer to the OpenSearch anomaly detection documentation for details.",
+		Create:      resourceOpensearchAnomalyDetectionCreate,
+		Read:        resourceOpensearchAnomalyDetectionRead,
+		Update:      resourceOpensearchAnomalyDetectionUpdate,
+		Delete:      resourceOpensearchAnomalyDetectionDelete,
+		Schema:      anomalyDetectionSchema,
+		Importer: &schema.ResourceImporter{
+			StateContext: schema.ImportStatePassthroughContext,
+		},
+	}
+}
+
+func resourceOpensearchAnomalyDetectionCreate(d *schema.ResourceData, m interface{}) error {
+	res, err := resourceOpensearchPostAnomalyDetection(d, m)
+
+	if err != nil {
+		log.Printf("[INFO] Failed to put anomaly detector: %+v", err)
+		return err
+	}
+
+	d.SetId(res.ID)
+	log.Printf("[INFO] Object ID: %s", d.Id())
+
+	return resourceOpensearchAnomalyDetectionRead(d, m)
+}
+
+func resourceOpensearchAnomalyDetectionRead(d *schema.ResourceData, m interface{}) error {
+	res, err := resourceOpensearchAnomalyDetectionGet(d.Id(), m)
+
+	if elastic7.IsNotFound(err) {
+		log.Printf("[WARN] Anomaly Detector (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	if err != nil {
+		return err
+	}
+
+	d.SetId(res.ID)
+
+	anomalyDetectionJSON, err := json.Marshal(res.AnomalyDetector)
+	if err != nil {
+		return err
+	}
+	anomalyDetectionJsonNormalized, err := structure.NormalizeJsonString(string(anomalyDetectionJSON))
+	if err != nil {
+		return err
+	}
+	err = d.Set("body", anomalyDetectionJsonNormalized)
+	return err
+}
+
+func resourceOpensearchAnomalyDetectionUpdate(d *schema.ResourceData, m interface{}) error {
+	_, err := resourceOpensearchPutAnomalyDetection(d, m)
+
+	if err != nil {
+		return err
+	}
+
+	return resourceOpensearchAnomalyDetectionRead(d, m)
+}
+
+func resourceOpensearchAnomalyDetectionGet(anomalyDetectionID string, m interface{}) (*anomalyDetectionResponse, error) {
+	var err error
+	response := new(anomalyDetectionResponse)
+
+	path, err := uritemplates.Expand("/_plugins/_anomaly_detection/detectors/{id}", map[string]string{
+		"id": anomalyDetectionID,
+	})
+	if err != nil {
+		return response, fmt.Errorf("error building URL path for anomaly detector: %+v", err)
+	}
+
+	var body json.RawMessage
+	osClient, err := getClient(m.(*ProviderConf))
+	if err != nil {
+		return nil, err
+	}
+	var res *elastic7.Response
+	res, err = osClient.PerformRequest(context.TODO(), elastic7.PerformRequestOptions{
+		Method: "GET",
+		Path:   path,
+	})
+	if err != nil {
+		return response, err
+	}
+	body = res.Body
+
+	if err := json.Unmarshal(body, response); err != nil {
+		return response, fmt.Errorf("error unmarshalling anomaly detector body: %+v: %+v", err, body)
+	}
+	log.Printf("[INFO] Response: %+v", response)
+	normalizeAnomalyDetection(response.AnomalyDetector)
+	log.Printf("[INFO] Response: %+v", response)
+	log.Printf("The version %v", response.Version)
+	return response, err
+}
+
+func resourceOpensearchPostAnomalyDetection(d *schema.ResourceData, m interface{}) (*anomalyDetectionResponse, error) {
+	anomalyDetectionJSON := d.Get("body").(string)
+
+	var err error
+	response := new(anomalyDetectionResponse)
+
+	path := "/_plugins/_anomaly_detection/detectors/"
+
+	var body json.RawMessage
+	osClient, err := getClient(m.(*ProviderConf))
+	if err != nil {
+		return nil, err
+	}
+	var res *elastic7.Response
+	res, err = osClient.PerformRequest(context.TODO(), elastic7.PerformRequestOptions{
+		Method: "POST",
+		Path:   path,
+		Body:   anomalyDetectionJSON,
+	})
+	if err != nil {
+		return response, err
+	}
+	body = res.Body
+
+	if err := json.Unmarshal(body, response); err != nil {
+		return response, fmt.Errorf("error unmarshalling anomaly detector body: %+v: %+v", err, body)
+	}
+	normalizeAnomalyDetection(response.AnomalyDetector)
+	return response, nil
+}
+
+func resourceOpensearchPutAnomalyDetection(d *schema.ResourceData, m interface{}) (*anomalyDetectionResponse, error) {
+	anomalyDetectionJSON := d.Get("body").(string)
+
+	var err error
+	response := new(anomalyDetectionResponse)
+
+	path, err := uritemplates.Expand("/_plugins/_anomaly_detection/detectors/{id}", map[string]string{
+		"id": d.Id(),
+	})
+	if err != nil {
+		return response, fmt.Errorf("error building URL path for anomaly detector: %+v", err)
+	}
+
+	var body json.RawMessage
+	osClient, err := getClient(m.(*ProviderConf))
+	if err != nil {
+		return nil, err
+	}
+	var res *elastic7.Response
+	res, err = osClient.PerformRequest(context.TODO(), elastic7.PerformRequestOptions{
+		Method: "PUT",
+		Path:   path,
+		Body:   anomalyDetectionJSON,
+	})
+	if err != nil {
+		return response, err
+	}
+	body = res.Body
+
+	if err := json.Unmarshal(body, response); err != nil {
+		return response, fmt.Errorf("error unmarshalling anomaly detector body: %+v: %+v", err, body)
+	}
+
+	return response, nil
+}
+
+func resourceOpensearchAnomalyDetectionDelete(d *schema.ResourceData, m interface{}) error {
+	var err error
+
+	path, err := uritemplates.Expand("/_plugins/_anomaly_detection/detectors/{id}", map[string]string{
+		"id": d.Id(),
+	})
+	if err != nil {
+		return fmt.Errorf("error building URL path for anomaly detector: %+v", err)
+	}
+
+	osClient, err := getClient(m.(*ProviderConf))
+	if err != nil {
+		return err
+	}
+	_, err = osClient.PerformRequest(context.TODO(), elastic7.PerformRequestOptions{
+		Method: "DELETE",
+		Path:   path,
+	})
+
+	return err
+}
+
+type anomalyDetectionResponse struct {
+	Version         int                    `json:"_version"`
+	ID              string                 `json:"_id"`
+	AnomalyDetector map[string]interface{} `json:"anomaly_detector"`
+}
diff --git a/provider/resource_opensearch_anomaly_detection_test.go b/provider/resource_opensearch_anomaly_detection_test.go
new file mode 100644
index 0000000..28f55e8
--- /dev/null
+++ b/provider/resource_opensearch_anomaly_detection_test.go
@@ -0,0 +1,289 @@
+package provider
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccOpensearchAnomalyDetection(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccOpendistroProviders,
+		CheckDestroy: testCheckOpensearchAnomalyDetectionDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOpensearchAnomalyDetection,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckOpensearchAnomalyDetectionExists("opensearch_anomaly_detection.test-detector12"),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+			{
+				Config: testAccOpensearchAnomalyDetectionUpdate,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckOpensearchAnomalyDetectionExists("opensearch_anomaly_detection.test-detector12"),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func testCheckOpensearchAnomalyDetectionExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No monitor ID is set")
+		}
+
+		meta := testAccOpendistroProvider.Meta()
+
+		var err error
+		_, err = resourceOpensearchAnomalyDetectionGet(rs.Primary.ID, meta.(*ProviderConf))
+
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+func testCheckOpensearchAnomalyDetectionDestroy(s *terraform.State) error {
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "opensearch_anomaly_detection" {
+			continue
+		}
+
+		meta := testAccOpendistroProvider.Meta()
+
+		var err error
+		_, err = resourceOpensearchAnomalyDetectionGet(rs.Primary.ID, meta.(*ProviderConf))
+
+		if err != nil {
+			return nil // should be not found error
+		}
+
+		return fmt.Errorf("Monitor %q still exists", rs.Primary.ID)
+	}
+
+	return nil
+}
+
+var testAccOpensearchAnomalyDetection = `
+resource "opensearch_audit_config" "test" {
+  enabled = true
+
+  audit {
+    enable_rest              = true
+    disabled_rest_categories = ["GRANTED_PRIVILEGES", "AUTHENTICATED"]
+
+    enable_transport              = true
+    disabled_transport_categories = ["GRANTED_PRIVILEGES", "AUTHENTICATED"]
+
+    resolve_bulk_requests = true
+    log_request_body      = true
+    resolve_indices       = true
+
+    # Note: if set false, AWS OpenSearch will return HTTP 409 (Conflict)
+    exclude_sensitive_headers = true
+
+    ignore_users    = ["dashboardserver"]
+    ignore_requests = ["SearchRequest", "indices:data/read/*", "/_cluster/health"]
+  }
+
+  compliance {
+    enabled = true
+
+    # Note: if both internal/external are set true, AWS OpenSearch will return HTTP 409 (Conflict)
+    internal_config = true
+    external_config = false
+
+    read_metadata_only = true
+    read_ignore_users  = ["read-ignore-1"]
+
+    read_watched_field {
+      index  = "read-index-1"
+      fields = ["field-1", "field-2"]
+    }
+
+    read_watched_field {
+      index  = "read-index-2"
+      fields = ["field-3"]
+    }
+
+    write_metadata_only   = true
+    write_log_diffs       = false
+    write_watched_indices = ["write-index-1", "write-index-2", "log-*", "*"]
+    write_ignore_users    = ["write-ignore-1"]
+  }
+}
+
+resource "opensearch_anomaly_detection" "test-detector12" {
+  depends_on = [opensearch_audit_config.test]
+  body       = <<EOF
+{
+  "name": "test-detector12",
+  "description": "Test detector",
+  "time_field": "@timestamp",
+  "indices": [
+    "security-auditlog*"
+  ],
+  "feature_attributes": [
+    {
+      "feature_name": "test",
+      "feature_enabled": true,
+      "aggregation_query": {
+        "test": {
+          "value_count": {
+            "field": "audit_category.keyword"
+          }
+        }
+      }
+    }
+  ],
+  "filter_query": {
+    "bool": {
+      "filter": [
+        {
+          "range": {
+            "value": {
+              "gt": 1
+            }
+          }
+        }
+      ],
+      "adjust_pure_negative": true,
+      "boost": 1
+    }
+  },
+  "detection_interval": {
+    "period": {
+      "interval": 1,
+      "unit": "Minutes"
+    }
+  },
+  "window_delay": {
+    "period": {
+      "interval": 1,
+      "unit": "Minutes"
+    }
+  },
+  "result_index" : "opensearch-ad-plugin-result-test"
+}
+EOF
+}
+`
+
+var testAccOpensearchAnomalyDetectionUpdate = `
+resource "opensearch_audit_config" "test" {
+  enabled = true
+
+  audit {
+    enable_rest              = true
+    disabled_rest_categories = ["GRANTED_PRIVILEGES", "AUTHENTICATED"]
+
+    enable_transport              = true
+    disabled_transport_categories = ["GRANTED_PRIVILEGES", "AUTHENTICATED"]
+
+    resolve_bulk_requests = true
+    log_request_body      = true
+    resolve_indices       = true
+
+    # Note: if set false, AWS OpenSearch will return HTTP 409 (Conflict)
+    exclude_sensitive_headers = true
+
+    ignore_users    = ["dashboardserver"]
+    ignore_requests = ["SearchRequest", "indices:data/read/*", "/_cluster/health"]
+  }
+
+  compliance {
+    enabled = true
+
+    # Note: if both internal/external are set true, AWS OpenSearch will return HTTP 409 (Conflict)
+    internal_config = true
+    external_config = false
+
+    read_metadata_only = true
+    read_ignore_users  = ["read-ignore-1"]
+
+    read_watched_field {
+      index  = "read-index-1"
+      fields = ["field-1", "field-2"]
+    }
+
+    read_watched_field {
+      index  = "read-index-2"
+      fields = ["field-3"]
+    }
+
+    write_metadata_only   = true
+    write_log_diffs       = false
+    write_watched_indices = ["write-index-1", "write-index-2", "log-*", "*"]
+    write_ignore_users    = ["write-ignore-1"]
+  }
+}
+
+resource "opensearch_anomaly_detection" "test-detector12" {
+  depends_on = [opensearch_audit_config.test]
+  body       = <<EOF
+{
+  "name": "test-detector12",
+  "description": "Test detector 12",
+  "time_field": "@timestamp",
+  "indices": [
+    "security-auditlog*"
+  ],
+  "feature_attributes": [
+    {
+      "feature_name": "test",
+      "feature_enabled": true,
+      "aggregation_query": {
+        "test": {
+          "value_count": {
+            "field": "audit_category.keyword"
+          }
+        }
+      }
+    }
+  ],
+  "filter_query": {
+    "bool": {
+      "filter": [
+        {
+          "range": {
+            "value": {
+              "gt": 1
+            }
+          }
+        }
+      ],
+      "adjust_pure_negative": true,
+      "boost": 1
+    }
+  },
+  "detection_interval": {
+    "period": {
+      "interval": 1,
+      "unit": "Minutes"
+    }
+  },
+  "window_delay": {
+    "period": {
+      "interval": 1,
+      "unit": "Minutes"
+    }
+  },
+  "result_index" : "opensearch-ad-plugin-result-test"
+}
+EOF
+}
+`
diff --git a/provider/util.go b/provider/util.go
index 38b975a..c3db0a7 100644
--- a/provider/util.go
+++ b/provider/util.go
@@ -166,6 +166,10 @@ func normalizedIndexSettings(settings map[string]interface{}) map[string]interfa
 	return f
 }
 
+func normalizeAnomalyDetection(tpl map[string]interface{}) {
+	delete(tpl, "last_update_time")
+}
+
 func flattenMap(m map[string]interface{}) map[string]interface{} {
 	f := make(map[string]interface{})
 	for k, v := range m {

From 0cfc9f29940f8f85822e55fb7759fbbd7e4163c8 Mon Sep 17 00:00:00 2001
From: massimob76 <massimob76@gmail.com>
Date: Wed, 1 Nov 2023 21:03:44 +0000
Subject: [PATCH 3/3] =?UTF-8?q?When=20the=20provider=20assumes=20a=20given?=
 =?UTF-8?q?=20role,=20don't=20use=20the=20default=20profile=E2=80=A6=20(#8?=
 =?UTF-8?q?7)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* When the provider assumes a given role, don't use the default profile if the profile is not given, but allow aws-sdk-go to find the credentials using the default credential provider chain (#86)

Signed-off-by: Massimo Battestini <massimob76@gmail.com>

* Adds unit tests for AWS profile change (#86)

Signed-off-by: Massimo Battestini <massimob76@gmail.com>

---------

Signed-off-by: Massimo Battestini <massimob76@gmail.com>
---
 provider/provider.go                          |  19 +-
 provider/provider_test.go                     | 221 ++++++++++++++----
 .../api_assume_role_response.xml              |  25 ++
 provider/test-fixtures/test_aws_config        |   3 -
 provider/test-fixtures/test_aws_credentials   |   7 +
 5 files changed, 217 insertions(+), 58 deletions(-)
 create mode 100644 provider/test-fixtures/api_assume_role_response.xml
 delete mode 100644 provider/test-fixtures/test_aws_config
 create mode 100644 provider/test-fixtures/test_aws_credentials

diff --git a/provider/provider.go b/provider/provider.go
index 5f6842f..9d61841 100644
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -396,11 +396,9 @@ func getClient(conf *ProviderConf) (*elastic7.Client, error) {
 	return client, nil
 }
 
-func assumeRoleCredentials(region, roleARN, roleExternalID, profile string) *awscredentials.Credentials {
-	sessOpts := awsSessionOptions(region)
-	if profile == "" {
-		sessOpts.Profile = "default"
-	} else {
+func assumeRoleCredentials(region, roleARN, roleExternalID, profile string, endpoint string) *awscredentials.Credentials {
+	sessOpts := awsSessionOptions(region, endpoint)
+	if profile != "" {
 		sessOpts.Profile = profile
 	}
 
@@ -418,7 +416,7 @@ func assumeRoleCredentials(region, roleARN, roleExternalID, profile string) *aws
 	return awscredentials.NewChainCredentials([]awscredentials.Provider{assumeRoleProvider})
 }
 
-func awsSessionOptions(region string) awssession.Options {
+func awsSessionOptions(region string, endpoint string) awssession.Options {
 	return awssession.Options{
 		Config: aws.Config{
 			Region:   aws.String(region),
@@ -433,13 +431,14 @@ func awsSessionOptions(region string) awssession.Options {
 			// it fail with Credential error
 			// https://github.com/aws/aws-sdk-go/issues/2914
 			HTTPClient: &http.Client{Timeout: 10 * time.Second},
+			Endpoint:   aws.String(endpoint),
 		},
 		SharedConfigState: awssession.SharedConfigEnable,
 	}
 }
 
-func awsSession(region string, conf *ProviderConf) *awssession.Session {
-	sessOpts := awsSessionOptions(region)
+func awsSession(region string, conf *ProviderConf, endpoint string) *awssession.Session {
+	sessOpts := awsSessionOptions(region, endpoint)
 
 	// 1. access keys take priority
 	// 2. next is an assume role configuration
@@ -453,7 +452,7 @@ func awsSession(region string, conf *ProviderConf) *awssession.Session {
 		if conf.awsAssumeRoleExternalID == "" {
 			conf.awsAssumeRoleExternalID = ""
 		}
-		sessOpts.Config.Credentials = assumeRoleCredentials(region, conf.awsAssumeRoleArn, conf.awsAssumeRoleExternalID, conf.awsProfile)
+		sessOpts.Config.Credentials = assumeRoleCredentials(region, conf.awsAssumeRoleArn, conf.awsAssumeRoleExternalID, conf.awsProfile, endpoint)
 	} else if conf.awsProfile != "" {
 		sessOpts.Profile = conf.awsProfile
 	}
@@ -476,7 +475,7 @@ func awsSession(region string, conf *ProviderConf) *awssession.Session {
 }
 
 func awsHttpClient(region string, conf *ProviderConf, headers map[string]string) (*http.Client, error) {
-	session := awsSession(region, conf)
+	session := awsSession(region, conf, "")
 	// Call Get() to ensure concurrency safe retrieval of credentials. Since the
 	// client is created in many go routines, this synchronizes it.
 	_, err := session.Config.Credentials.Get()
diff --git a/provider/provider_test.go b/provider/provider_test.go
index dae0016..865a31e 100644
--- a/provider/provider_test.go
+++ b/provider/provider_test.go
@@ -2,7 +2,10 @@ package provider
 
 import (
 	"context"
+	"net/http"
+	"net/http/httptest"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/aws/credentials"
@@ -82,13 +85,13 @@ func TestAWSCredsManualKey(t *testing.T) {
 	os.Setenv("AWS_SECRET_ACCESS_KEY", "ENV_SECRET")
 
 	// first, check that if we set aws_profile with aws_access_key_id - the latter takes precedence
-	testConfig := map[string]interface{}{
-		"aws_profile":    namedProfile,
-		"aws_access_key": manualAccessKeyID,
-		"aws_secret_key": "MANUAL_SECRET_KEY",
+	testConfig := &ProviderConf{
+		awsAccessKeyId:     manualAccessKeyID,
+		awsSecretAccessKey: "MANUAL_SECRET_KEY",
+		awsProfile:         namedProfile,
 	}
 
-	creds := getCreds(t, testRegion, testConfig)
+	creds := getCreds(t, testRegion, testConfig, "")
 
 	if creds.AccessKeyID != manualAccessKeyID {
 		t.Errorf("access key id should have been %s (we got %s)", manualAccessKeyID, creds.AccessKeyID)
@@ -106,16 +109,16 @@ func TestAWSCredsNamedProfile(t *testing.T) {
 	namedProfile := "testing"
 	profileAccessKeyID := "PROFILE_ACCESS_KEY"
 
-	os.Setenv("AWS_CONFIG_FILE", "./test-fixtures/test_aws_config") // set config file so we can ensure the profile we want to test exists
+	os.Setenv("AWS_SHARED_CREDENTIALS_FILE", "./test-fixtures/test_aws_credentials") // set credentials file so we can ensure the profile we want to test exists
 	os.Setenv("AWS_SDK_LOAD_CONFIG", "1")
 	os.Setenv("AWS_ACCESS_KEY_ID", envAccessKeyID)
 	os.Setenv("AWS_SECRET_ACCESS_KEY", "ENV_SECRET")
 
-	testConfig := map[string]interface{}{
-		"aws_profile": namedProfile,
+	testConfig := &ProviderConf{
+		awsProfile: namedProfile,
 	}
 
-	creds := getCreds(t, testRegion, testConfig)
+	creds := getCreds(t, testRegion, testConfig, "")
 
 	if creds.AccessKeyID != profileAccessKeyID {
 		t.Errorf("access key id should have been %s (we got %s)", profileAccessKeyID, creds.AccessKeyID)
@@ -123,7 +126,7 @@ func TestAWSCredsNamedProfile(t *testing.T) {
 
 	os.Unsetenv("AWS_ACCESS_KEY_ID")
 	os.Unsetenv("AWS_SECRET_ACCESS_KEY")
-	os.Unsetenv("AWS_CONFIG_FILE")
+	os.Unsetenv("AWS_SHARED_CREDENTIALS_FILE")
 	os.Unsetenv("AWS_SDK_LOAD_CONFIG")
 }
 
@@ -132,7 +135,6 @@ func TestAWSCredsNamedProfile(t *testing.T) {
 // 2. No configuration provided to the provider
 //
 // This tests that: we get the credentials from the environment variables (ie: from the default credentials provider chain)
-
 func TestAWSCredsEnv(t *testing.T) {
 	envAccessKeyID := "ENV_ACCESS_KEY"
 	testRegion := "us-east-1"
@@ -140,9 +142,9 @@ func TestAWSCredsEnv(t *testing.T) {
 	os.Setenv("AWS_ACCESS_KEY_ID", envAccessKeyID)
 	os.Setenv("AWS_SECRET_ACCESS_KEY", "ENV_SECRET")
 
-	testConfig := map[string]interface{}{}
+	testConfig := &ProviderConf{}
 
-	creds := getCreds(t, testRegion, testConfig)
+	creds := getCreds(t, testRegion, testConfig, "")
 
 	if creds.AccessKeyID != envAccessKeyID {
 		t.Errorf("access key id should have been %s (we got %s)", envAccessKeyID, creds.AccessKeyID)
@@ -152,6 +154,11 @@ func TestAWSCredsEnv(t *testing.T) {
 	os.Unsetenv("AWS_SECRET_ACCESS_KEY")
 }
 
+// Given:
+// 1. AWS profile is specified via environment variables
+// 2. No configuration provided to the provider
+//
+// This tests that: we get the credentials from the environment variables (ie: from the default credentials provider chain)
 func TestAWSCredsEnvNamedProfile(t *testing.T) {
 	namedProfile := "testing"
 	testRegion := "us-east-1"
@@ -159,65 +166,140 @@ func TestAWSCredsEnvNamedProfile(t *testing.T) {
 
 	os.Setenv("AWS_PROFILE", namedProfile)
 	os.Setenv("AWS_SDK_LOAD_CONFIG", "1")
-	os.Setenv("AWS_CONFIG_FILE", "./test-fixtures/test_aws_config") // set config file so we can ensure the profile we want to test exists
+	os.Setenv("AWS_SHARED_CREDENTIALS_FILE", "./test-fixtures/test_aws_credentials") // set credentials file so we can ensure the profile we want to test exists
 
-	testConfig := map[string]interface{}{}
+	testConfig := &ProviderConf{}
 
-	creds := getCreds(t, testRegion, testConfig)
+	creds := getCreds(t, testRegion, testConfig, "")
 
 	if creds.AccessKeyID != profileAccessKeyID {
 		t.Errorf("access key id should have been %s (we got %s)", profileAccessKeyID, creds.AccessKeyID)
 	}
 	os.Unsetenv("AWS_PROFILE")
-	os.Unsetenv("AWS_CONFIG_FILE")
+	os.Unsetenv("AWS_SHARED_CREDENTIALS_FILE")
 	os.Unsetenv("AWS_SDK_LOAD_CONFIG")
 }
 
 // Given:
-// 1. An AWS role ARN is specified
-// 2. No additional AWS configuration is provided to the provider
+// 1. AWS credentials are specified via environment variables
+// 2. An AWS role ARN and External ID are specified via the provider configuration
 //
-// This tests that: we can safely generate a session. Note we cannot get the credentials, because that requires connecting to AWS
+// This tests that: we can get the credentials after having assumed the given role from the specified AWS credentials.
 func TestAWSCredsAssumeRole(t *testing.T) {
+	envAccessKeyID := "ENV_ACCESS_KEY"
 	testRegion := "us-east-1"
+	assumeRoleArn := "arn:aws:iam::123456789012:role/demo/TestAR"
+	assumeRoleExternalId := "secret_id"
+	assumeRoleAccessKeyID := "ASIAIOSFODNN7EXAMPLE"
+
+	os.Setenv("AWS_ACCESS_KEY_ID", envAccessKeyID)
+	os.Setenv("AWS_SECRET_ACCESS_KEY", "ENV_SECRET")
 
-	testConfig := map[string]interface{}{
-		"aws_assume_role_arn":         "test_arn",
-		"aws_assume_role_external_id": "secret_id",
+	server := mockServer{
+		ResponseFixturePath: "./test-fixtures/api_assume_role_response.xml",
+		ExpectedAccessKeyId: envAccessKeyID,
+		ExpectedRoleArn:     assumeRoleArn,
+		ExpectedExternalId:  assumeRoleExternalId,
 	}
 
-	testConfigData := schema.TestResourceDataRaw(t, Provider().Schema, testConfig)
+	server.Start(t)
+	defer server.Stop()
 
-	conf := &ProviderConf{
-		awsAssumeRoleArn:        testConfigData.Get("aws_assume_role_arn").(string),
-		awsAssumeRoleExternalID: testConfigData.Get("aws_assume_role_external_id").(string),
+	testConfig := &ProviderConf{
+		awsAssumeRoleArn:        assumeRoleArn,
+		awsAssumeRoleExternalID: assumeRoleExternalId,
 	}
-	s := awsSession(testRegion, conf)
-	if s == nil {
-		t.Fatalf("awsSession returned nil")
+
+	creds := getCreds(t, testRegion, testConfig, server.Endpoint)
+
+	if creds.AccessKeyID != assumeRoleAccessKeyID {
+		t.Errorf("access key id should have been %s (we got %s)", assumeRoleAccessKeyID, creds.AccessKeyID)
 	}
+
+	os.Unsetenv("AWS_ACCESS_KEY_ID")
+	os.Unsetenv("AWS_SECRET_ACCESS_KEY")
 }
 
-func getCreds(t *testing.T, region string, config map[string]interface{}) credentials.Value {
-	awsAccessKey := ""
-	awsSecretKey := ""
-	awsProfile := ""
-	if val, ok := config["aws_access_key"]; ok {
-		awsAccessKey = val.(string)
+// Given:
+// 1. An AWS profile, role ARN and External ID are specified via the provider configuration
+//
+// This tests that: we can get the credentials after having assumed the given role from the specified profile.
+func TestAWSCredsAssumeRoleFromProfile(t *testing.T) {
+	testRegion := "us-east-1"
+	assumeRoleArn := "arn:aws:iam::123456789012:role/demo/TestAR"
+	assumeRoleExternalId := "secret_id"
+	namedProfile := "testing"
+	assumeRoleAccessKeyID := "ASIAIOSFODNN7EXAMPLE"
+
+	os.Setenv("AWS_SDK_LOAD_CONFIG", "1")
+	os.Setenv("AWS_SHARED_CREDENTIALS_FILE", "./test-fixtures/test_aws_credentials") // set credentials file so we can ensure the profile we want to test exists
+
+	server := mockServer{
+		ResponseFixturePath: "./test-fixtures/api_assume_role_response.xml",
+		ExpectedAccessKeyId: "PROFILE_ACCESS_KEY", // from the test-fixture config file
+		ExpectedRoleArn:     assumeRoleArn,
+		ExpectedExternalId:  assumeRoleExternalId,
 	}
-	if val, ok := config["aws_secret_key"]; ok {
-		awsSecretKey = val.(string)
+
+	server.Start(t)
+	defer server.Stop()
+
+	testConfig := &ProviderConf{
+		awsAssumeRoleArn:        assumeRoleArn,
+		awsAssumeRoleExternalID: assumeRoleExternalId,
+		awsProfile:              namedProfile,
 	}
-	if val, ok := config["aws_profile"]; ok {
-		awsProfile = val.(string)
+
+	creds := getCreds(t, testRegion, testConfig, server.Endpoint)
+
+	if creds.AccessKeyID != assumeRoleAccessKeyID {
+		t.Errorf("access key id should have been %s (we got %s)", assumeRoleAccessKeyID, creds.AccessKeyID)
 	}
 
-	conf := &ProviderConf{
-		awsAccessKeyId:     awsAccessKey,
-		awsSecretAccessKey: awsSecretKey,
-		awsProfile:         awsProfile,
+	os.Unsetenv("AWS_SDK_LOAD_CONFIG")
+	os.Unsetenv("AWS_SHARED_CREDENTIALS_FILE")
+}
+
+// Given:
+// 1. An AWS role ARN and External ID are specified via the provider configuration
+//
+// This tests that: we can get the credentials after having assumed the given role from the default profile.
+func TestAWSCredsAssumeRoleFromDefaultProfile(t *testing.T) {
+	testRegion := "us-east-1"
+	assumeRoleArn := "arn:aws:iam::123456789012:role/demo/TestAR"
+	assumeRoleExternalId := "secret_id"
+	assumeRoleAccessKeyID := "ASIAIOSFODNN7EXAMPLE"
+
+	os.Setenv("AWS_SDK_LOAD_CONFIG", "1")
+	os.Setenv("AWS_SHARED_CREDENTIALS_FILE", "./test-fixtures/test_aws_credentials") // set credentials file so we can ensure the profile we want to test exists
+
+	server := mockServer{
+		ResponseFixturePath: "./test-fixtures/api_assume_role_response.xml",
+		ExpectedAccessKeyId: "PROFILE_DEFAULT_ACCESS_KEY", // from the test-fixture config file
+		ExpectedRoleArn:     assumeRoleArn,
+		ExpectedExternalId:  assumeRoleExternalId,
+	}
+
+	server.Start(t)
+	defer server.Stop()
+
+	testConfig := &ProviderConf{
+		awsAssumeRoleArn:        assumeRoleArn,
+		awsAssumeRoleExternalID: assumeRoleExternalId,
 	}
-	s := awsSession(region, conf)
+
+	creds := getCreds(t, testRegion, testConfig, server.Endpoint)
+
+	if creds.AccessKeyID != assumeRoleAccessKeyID {
+		t.Errorf("access key id should have been %s (we got %s)", assumeRoleAccessKeyID, creds.AccessKeyID)
+	}
+
+	os.Unsetenv("AWS_SDK_LOAD_CONFIG")
+	os.Unsetenv("AWS_SHARED_CREDENTIALS_FILE")
+}
+
+func getCreds(t *testing.T, region string, config *ProviderConf, endpoint string) credentials.Value {
+	s := awsSession(region, config, endpoint)
 	if s == nil {
 		t.Fatalf("awsSession returned nil")
 	}
@@ -227,3 +309,52 @@ func getCreds(t *testing.T, region string, config map[string]interface{}) creden
 	}
 	return creds
 }
+
+type mockServer struct {
+	ResponseFixturePath string
+	ExpectedAccessKeyId string
+	ExpectedRoleArn     string
+	ExpectedExternalId  string
+	Endpoint            string
+	server              *httptest.Server
+}
+
+func (s *mockServer) Start(t *testing.T) {
+	s.server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		auth := r.Header.Get("Authorization")
+		if !strings.Contains(auth, s.ExpectedAccessKeyId) {
+			t.Errorf("Could not find expected access key id %s in authorization header %s", s.ExpectedAccessKeyId, auth)
+		}
+
+		err := r.ParseForm()
+		if err != nil {
+			t.Errorf("Error while parsing form: %v", err)
+		}
+
+		if r.PostForm.Get("RoleArn") != s.ExpectedRoleArn {
+			t.Errorf("expected RoleArn to be equal to %s, but got %s", s.ExpectedRoleArn, r.PostForm.Get("RoleArn"))
+		}
+
+		if r.PostForm.Get("ExternalId") != s.ExpectedExternalId {
+			t.Errorf("expected ExternalId to be equal to %s, but got %s", s.ExpectedExternalId, r.PostForm.Get("ExternalId"))
+		}
+
+		response, err := os.ReadFile(s.ResponseFixturePath)
+		if err != nil {
+			t.Errorf("Error while reading mockResponse %v", err)
+		}
+
+		w.WriteHeader(http.StatusOK)
+		_, err = w.Write(response)
+		if err != nil {
+			t.Errorf("Error while writing mock server response %v", err)
+		}
+	}))
+
+	s.Endpoint = s.server.URL
+}
+
+func (s *mockServer) Stop() {
+	s.server.Close()
+}
diff --git a/provider/test-fixtures/api_assume_role_response.xml b/provider/test-fixtures/api_assume_role_response.xml
new file mode 100644
index 0000000..4cd2930
--- /dev/null
+++ b/provider/test-fixtures/api_assume_role_response.xml
@@ -0,0 +1,25 @@
+<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+	<AssumeRoleResult>
+	<SourceIdentity>Alice</SourceIdentity>
+		<AssumedRoleUser>
+		<Arn>arn:aws:sts::123456789012:assumed-role/demo/TestAR</Arn>
+		<AssumedRoleId>ARO123EXAMPLE123:TestAR</AssumedRoleId>
+		</AssumedRoleUser>
+		<Credentials>
+		<AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
+		<SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
+		<SessionToken>
+			AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
+			LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
+			QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
+			9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+			+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
+		</SessionToken>
+		<Expiration>2019-11-09T13:34:41Z</Expiration>
+		</Credentials>
+		<PackedPolicySize>6</PackedPolicySize>
+	</AssumeRoleResult>
+	<ResponseMetadata>
+		<RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
+	</ResponseMetadata>
+</AssumeRoleResponse>
\ No newline at end of file
diff --git a/provider/test-fixtures/test_aws_config b/provider/test-fixtures/test_aws_config
deleted file mode 100644
index 1020481..0000000
--- a/provider/test-fixtures/test_aws_config
+++ /dev/null
@@ -1,3 +0,0 @@
-[profile testing]
-aws_access_key_id = PROFILE_ACCESS_KEY
-aws_secret_access_key = PROFILE_SECRET_KEY 
diff --git a/provider/test-fixtures/test_aws_credentials b/provider/test-fixtures/test_aws_credentials
new file mode 100644
index 0000000..88b33b7
--- /dev/null
+++ b/provider/test-fixtures/test_aws_credentials
@@ -0,0 +1,7 @@
+[testing]
+aws_access_key_id = PROFILE_ACCESS_KEY
+aws_secret_access_key = PROFILE_SECRET_KEY
+
+[default]
+aws_access_key_id = PROFILE_DEFAULT_ACCESS_KEY
+aws_secret_access_key = PROFILE_DEFAULT_SECRET_KEY