Conversation


@nchaulet nchaulet commented Nov 3, 2025

Summary

Related to #240879

This PR introduces a new agentless policies API to hide our complex data model from end users and to avoid going into an inconsistent state where we created the agent policy but not the package policy, or we did not call the agentless API.

Add a new POST /fleet/agentless_policies API and DELETE /fleet/agentless_policies/{policyId}

Note that the API does not support cloud connectors yet (which is why we keep the flag off for now); there is a process to improve the cloud connector API here, and it will plug into this new API once ready.

Details

New feature flags

  • agentlessPoliciesAPI: enables the new API; will be turned on
  • useAgentlessAPIInUI: uses the new API in the package policy form; off until we support cloud connectors
  • disabledAgentlessLegacyAPI: not implemented yet; will stop allowing agentless policies to be created through the regular agent/package policy endpoints

That PR

What/How to test

Try to create a bunch of agentless policies (without cloud connector); it should work as before.

API

Example request to create a CSPM integration:

POST kbn:/api/fleet/agentless_policies
{
  "id": "test-123",
  "package": {
    "name": "cloud_security_posture",
    "version": "3.1.1"
  },
  "name": "cspm-5",
  "description": "",
  "namespace": "",
  "inputs": {
    "kspm-cloudbeat/cis_k8s": {
      "enabled": false
    },
    "kspm-cloudbeat/cis_eks": {
      "enabled": false
    },
    "cspm-cloudbeat/cis_aws": {
      "enabled": true,
      "vars": {
        "cloud_formation_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml&stackName=Elastic-Cloud-Security-Posture-Management&param_EnrollmentToken=FLEET_ENROLLMENT_TOKEN&param_FleetUrl=FLEET_URL&param_ElasticAgentVersion=KIBANA_VERSION&param_ElasticArtifactServer=https://artifacts.elastic.co/downloads/beats/elastic-agent",
        "cloud_formation_credentials_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-direct-access-key-ACCOUNT_TYPE-9.2.0.yml",
        "cloud_formation_cloud_connectors_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cloud-connectors-ACCOUNT_TYPE-9.2.0.yml&param_ElasticResourceId=RESOURCE_ID"
      },
      "streams": {
        "cloud_security_posture.findings": {
          "enabled": true,
          "vars": {
            "access_key_id": "test",
            "secret_access_key": "tata",
            "aws.credentials.type": "direct_access_keys",
            "aws.account_type": "organization-account",
            "aws.supports_cloud_connectors": false
          }
        }
      }
    },
    "cspm-cloudbeat/cis_gcp": {
      "enabled": false
    },
    "cspm-cloudbeat/cis_azure": {
      "enabled": false
    },
    "vuln_mgmt-cloudbeat/vuln_mgmt_aws": {
      "enabled": false
    }
  },
  "vars": {
    "posture": "cspm",
    "deployment": "aws"
  }
}
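The inconsistent state the description warns about (an agent policy created without its package policy, or without the agentless API ever being called) is what a single endpoint can prevent by owning all three steps and undoing partial work. The following is an added example and is not Kibana's implementation: `FleetBackend`, `InMemoryFleet`, `createAgentlessPolicy`, `deleteAgentlessPolicy` and `runScenario` are hypothetical names, the backend is an in-memory stand-in that can be told to fail at a chosen step, and the request is a constructed one trimmed from the example above to the fields this code needs.

```typescript
// Added example, not Kibana's code: orchestrate agent policy -> package policy
// -> agentless deployment so that a failure at any step rolls back what was
// already created, and tear down in reverse order on delete.
// FleetBackend / InMemoryFleet are hypothetical stand-ins for the real services.

export interface CreateAgentlessPolicyRequest {
  id: string;
  name: string;
  package: { name: string; version: string };
}

export interface FleetBackend {
  createAgentPolicy(id: string, name: string): void;
  createPackagePolicy(id: string, agentPolicyId: string, pkg: { name: string; version: string }): void;
  createAgentlessDeployment(agentPolicyId: string): void;
  deleteAgentlessDeployment(agentPolicyId: string): void;
  deletePackagePolicy(id: string): void;
  deleteAgentPolicy(id: string): void;
}

export interface AgentlessPolicyIds {
  agentPolicyId: string;
  packagePolicyId: string;
}

export function createAgentlessPolicy(fleet: FleetBackend, req: CreateAgentlessPolicyRequest): AgentlessPolicyIds {
  const agentPolicyId = req.id;
  const packagePolicyId = `${req.id}-${req.package.name}`;
  fleet.createAgentPolicy(agentPolicyId, req.name);
  try {
    fleet.createPackagePolicy(packagePolicyId, agentPolicyId, req.package);
  } catch (err) {
    // Step 2 failed: remove the orphan agent policy before surfacing the error.
    fleet.deleteAgentPolicy(agentPolicyId);
    throw err;
  }
  try {
    fleet.createAgentlessDeployment(agentPolicyId);
  } catch (err) {
    // Step 3 failed: undo steps 2 and 1 in reverse order.
    fleet.deletePackagePolicy(packagePolicyId);
    fleet.deleteAgentPolicy(agentPolicyId);
    throw err;
  }
  return { agentPolicyId, packagePolicyId };
}

export function deleteAgentlessPolicy(fleet: FleetBackend, ids: AgentlessPolicyIds): void {
  // Reverse order of creation: the external deployment goes first, so a
  // failure there leaves the Fleet objects (and a retry path) intact.
  fleet.deleteAgentlessDeployment(ids.agentPolicyId);
  fleet.deletePackagePolicy(ids.packagePolicyId);
  fleet.deleteAgentPolicy(ids.agentPolicyId);
}

export type FailAt = 'package_policy' | 'agentless_deployment';

// In-memory backend (constructed for this example) that can fail at a chosen step.
export class InMemoryFleet implements FleetBackend {
  readonly agentPolicies = new Map<string, string>();
  readonly packagePolicies = new Map<string, string>();
  readonly deployments = new Set<string>();
  private readonly failAt: FailAt | undefined;
  constructor(failAt?: FailAt) {
    this.failAt = failAt;
  }
  createAgentPolicy(id: string, name: string): void {
    this.agentPolicies.set(id, name);
  }
  createPackagePolicy(id: string, agentPolicyId: string, pkg: { name: string; version: string }): void {
    if (this.failAt === 'package_policy') throw new Error(`package policy for ${pkg.name} rejected`);
    this.packagePolicies.set(id, agentPolicyId);
  }
  createAgentlessDeployment(agentPolicyId: string): void {
    if (this.failAt === 'agentless_deployment') throw new Error('agentless API unreachable');
    this.deployments.add(agentPolicyId);
  }
  deleteAgentlessDeployment(agentPolicyId: string): void {
    this.deployments.delete(agentPolicyId);
  }
  deletePackagePolicy(id: string): void {
    this.packagePolicies.delete(id);
  }
  deleteAgentPolicy(id: string): void {
    this.agentPolicies.delete(id);
  }
  counts() {
    return {
      agentPolicies: this.agentPolicies.size,
      packagePolicies: this.packagePolicies.size,
      deployments: this.deployments.size,
    };
  }
}

// Constructed request, trimmed from the PR's example body to the fields used here.
export const SAMPLE_REQUEST: CreateAgentlessPolicyRequest = {
  id: 'test-123',
  name: 'cspm-5',
  package: { name: 'cloud_security_posture', version: '3.1.1' },
};

// Run one creation against a backend that fails at `failAt` (or succeeds) and
// report what is left behind: after a failure every count must be zero.
export function runScenario(failAt?: FailAt) {
  const fleet = new InMemoryFleet(failAt);
  let error: string | undefined;
  try {
    createAgentlessPolicy(fleet, SAMPLE_REQUEST);
  } catch (err) {
    error = (err as Error).message;
  }
  return { error, ...fleet.counts() };
}

console.log(runScenario());
console.log(runScenario('agentless_deployment'));
```

The point to check when reviewing a real implementation is the same one `runScenario` asserts: whichever step throws, the caller must not be able to observe a leftover agent policy or package policy afterwards, and the rollback itself should delete in the reverse order of creation.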

@nchaulet nchaulet added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Team:Fleet Team label for Observability Data Collection Fleet team labels Nov 3, 2025

nchaulet commented Nov 4, 2025

@Omolola-Akinleye @seanrathier For info, we are working on having a dedicated API for agentless policies, to hide the complexity of the Fleet structure behind it and to make things a little more robust. I may need to check with you later to be sure this works as expected with cloud connectors.

@nchaulet nchaulet force-pushed the feature-agentless-apis branch 3 times, most recently from 811ff17 to 1a8ea7a November 4, 2025 17:06
@nchaulet nchaulet force-pushed the feature-agentless-apis branch from d9054bb to 35bc539 November 4, 2025 21:11
kibanamachine and others added 10 commits November 4, 2025 21:23
…atus --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/streams --include-path /api/fleet --include-path /api/saved_objects/_import --include-path /api/saved_objects/_export --include-path /api/maintenance_window --include-path /api/agent_builder --update

nchaulet commented Nov 5, 2025

@seanrathier @Omolola-Akinleye thanks for the Zoom on that; correct me if I am wrong.
What we discussed was to get this one merged:

  • without support for cloud connectors
  • and behind a feature flag,

And in a second step, adapt #241210 to use that API instead of a new internal one to add proper support for cloud connectors.


Member Author


That file is only moved (with a few meta descriptions added) from server so we can get the request type from the schema instead of duplicating it.

@nchaulet nchaulet marked this pull request as ready for review November 6, 2025 15:21
@nchaulet nchaulet requested review from a team as code owners November 6, 2025 15:21
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

Member

@jbudz jbudz left a comment


.buildkite/ftr_platform_stateful_configs.yml LGTM

kibanamachine and others added 5 commits November 6, 2025 19:43

nchaulet commented Nov 7, 2025

@elasticmachine merge upstream

@nchaulet nchaulet changed the title [Fleet] Add create agentless policies API [Fleet] Add create/delete agentless policies API Nov 7, 2025
nchaulet and others added 7 commits November 7, 2025 10:14
Contributor

@MichelLosier MichelLosier left a comment


Looking great so far! Just a few minor things to look at. I still need to run this and smoke test it a bit.

},
};

export const agentlesPolicyRouteService = {
Contributor

Suggested change
export const agentlesPolicyRouteService = {
export const agentlessPolicyRouteService = {

body: CreateAgentlessPolicyRequest['body'],
query?: CreateAgentlessPolicyRequest['query']
) => {
return sendRequestForRq<any>({
Contributor

Suggested change
return sendRequestForRq<any>({
return sendRequestForRq<CreateAgentlessPolicyResponse>({

Let's swap these any types for the response types.

})
)
),
supports_cloud_connector: schema.maybe(
Contributor

@MichelLosier MichelLosier Nov 7, 2025


What would be the role of the supports_cloud_connector field? Is the presence of a cloud_connector_id enough to suggest as much or is there an intermediate state where an agentless policy can support cloud connectors, but not have a relationship yet?

Member Author


Yes, cloud_connector_id should be sufficient. Also, we are not going to support cloud connectors yet (there is some work to refactor the cloud connector API that will be done once that PR is merged), so I am just going to clean those up.

}),
}),
body: SimplifiedCreatePackagePolicyRequestBodySchema.extends({
cloud_connector_id: schema.maybe(
Contributor


I see we are first classing the relationship with cloud connectors with cloud_connector_id and we have the other field supports_cloud_connector below. Is there an option to namespace these fields together like:

cloud_connector: {
  isSupported: boolean,
  id: string
}

I suggest this from a place where if we view agentless as a platform, and if we expect there to be growth in the kinds of entities, or even the types of values other entities need to provide to this policy, I wonder if we should look at namespacing these fields into their own objects instead of a flat structure. WDYT?

Member Author


Yes, having that kind of namespaced structure totally makes sense, and we should probably suggest it for the following PR that will add support for cloud connectors. In addition, we will support inline cloud connector creation, so we should probably support something like

cloud_connector: { id: .. }
cloud_connector: { name: "", vars: .... }
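The namespaced `cloud_connector` object discussed in this thread, either a reference by `id` or an inline definition with `name` and `vars`, can be modelled as a discriminated union. The following is an added example and is not part of the PR or of Kibana's `@kbn/config-schema` definitions: `validateCloudConnector` is a hypothetical hand-written validator, and the field names are taken from the review comments above. It accepts an absent field (no cloud connector), exactly one of the two shapes, and rejects mixed, empty, malformed or unknown-field objects. Because `vars` may carry credentials, error messages name the offending key and never echo its value.

```typescript
// Added example, not Kibana's code: the namespaced cloud_connector shape
// suggested in review, as a discriminated union with a plain-TypeScript
// validator (validateCloudConnector is a hypothetical name).

export type CloudConnectorRef = { id: string };
export type CloudConnectorInline = { name: string; vars: Record<string, string> };
export type CloudConnector = CloudConnectorRef | CloudConnectorInline;

export interface ValidationResult {
  ok: boolean;
  errors: string[];
}

export function validateCloudConnector(value: unknown): ValidationResult {
  const errors: string[] = [];
  // The field is optional: absent means the policy does not use a cloud connector.
  if (value === undefined) {
    return { ok: true, errors };
  }
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    return { ok: false, errors: ['cloud_connector must be an object'] };
  }
  const obj = value as Record<string, unknown>;

  // Reject unknown fields so typos (and unexpected extra data) fail loudly.
  const allowed = ['id', 'name', 'vars'];
  for (const key of Object.keys(obj)) {
    if (!allowed.includes(key)) errors.push(`cloud_connector: unknown field "${key}"`);
  }

  const hasId = 'id' in obj;
  const hasInline = 'name' in obj || 'vars' in obj;
  if (hasId && hasInline) {
    errors.push('cloud_connector: use either id or name/vars, not both');
  } else if (hasId) {
    // Reference shape: a non-empty id pointing at an existing connector.
    if (typeof obj.id !== 'string' || obj.id.length === 0) {
      errors.push('cloud_connector.id must be a non-empty string');
    }
  } else if (hasInline) {
    // Inline shape: a name plus a flat string map of vars.
    if (typeof obj.name !== 'string' || obj.name.length === 0) {
      errors.push('cloud_connector.name must be a non-empty string');
    }
    const vars = obj.vars;
    if (typeof vars !== 'object' || vars === null || Array.isArray(vars)) {
      errors.push('cloud_connector.vars must be an object');
    } else {
      for (const [k, v] of Object.entries(vars)) {
        // Report the key only: vars may hold secrets, so values are never echoed.
        if (typeof v !== 'string') errors.push(`cloud_connector.vars.${k} must be a string`);
      }
    }
  } else {
    errors.push('cloud_connector: provide id or name/vars');
  }
  return { ok: errors.length === 0, errors };
}

// Constructed inputs: a reference, an inline definition, and a mixed object.
console.log(validateCloudConnector({ id: 'cc-1' }));
console.log(validateCloudConnector({ name: 'aws-prod', vars: { role_arn: 'arn:aws:iam::123456789012:role/example' } }));
console.log(validateCloudConnector({ id: 'cc-1', name: 'aws-prod', vars: {} }));
```

Keeping the two shapes mutually exclusive at the schema boundary is what makes the later branch in the handler ("look up by id" versus "create inline") unambiguous; a flat pair of top-level fields cannot express that constraint.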

nchaulet and others added 6 commits November 10, 2025 08:42
Contributor

@MichelLosier MichelLosier left a comment


Looks good as well, running locally 🚀

@elasticmachine
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #76 / Alerting improving alert severity should correctly set severity_improving and previous_action_group data in alert document
  • [job] [logs] FTR Configs #86 / Core Analysis - Entity Store @ess @skipInServerlessMKI Entity Store APIs get and list "before all" hook in "get and list"

Metrics [docs]

Module Count

Fewer modules lead to a faster build time

id before after diff
fleet 1369 1370 +1

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
fleet 1534 1542 +8

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
fleet 2.1MB 2.1MB +1.3KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
fleet 176.6KB 177.1KB +500.0B

Unknown metric groups

API count

id before after diff
fleet 1666 1674 +8

History

@nchaulet nchaulet merged commit c577a5f into main Nov 10, 2025
13 checks passed
@nchaulet nchaulet deleted the feature-agentless-apis branch November 10, 2025 17:26

Labels

backport:skip This PR does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v9.3.0
