[Change Proposal] Add support for required conditional groups of variables

[jsoriano]

There are cases where there are sets of variables that are optional, but it is required to set at least one of them. This is frequent for example when there are different available authentication options.

For example in Cloudflare there are three variables defined as optional: auth_token, auth_email and auth_key. Either the token needs to be set, or the email and the key.

We need a way to express this in the package manifests.

There are some options to explore:

Option 1: Variable groups

So it is possible to define "groups" in a similar fashion to select, and the selected group can have its own restrictions, something like this:

      - name: auth
        type: select_vargroup
        required: true
        options:
          - name: key
            title: Authentication using email and password
            vars:
              - name: auth_email
                type: text
                title: Auth Email
                description: The Auth Email. Needs to be used with an Auth Key. Do not fill if you are using an Auth Token.
                multi: false
                required: true
                show_user: true
              - name: auth_key
                type: password
                title: Auth Key
                description: The Auth Key. Needs to be used with an Auth Email. Do not fill if you are using an Auth Token.
                multi: false
                required: true
                show_user: true
                secret: true
          - name: token
            title: Authentication using token
            vars:
              - name: auth_token
                type: password
                title: Auth token
                description: The auth token. If set, Auth Email and Auth Key will be ignored.
                required: true
                multi: false
                show_user: true
                secret: true

This would also require changes in Fleet UI.

Option 2: Groups of requirements

Define a list of groups that must be configured. Something like this would mean what is wanted in the Cloudflare integration:

required_vars:
  - [auth_email, auth_key]
  - [auth_token]

Understood as (auth_email AND auth_key) OR (auth_token).

This option wouldn't require breaking changes in packages. It will also require changes in Fleet UI.

[criamico]

Kibana related PR: elastic/kibana#182645

[seanrathier]

• This would solve https://github.com/elastic/security-team/issues/10623

The proposal presented would help out with the CSPM integration. The problem statement aligns with the CSPM challenge where we need to have all the stream variables optional because we have the optionsaccess_key and secret_key need to be required together but session_token should be required by itself. I think this case looks like option 2.

However, I can see other scenarios getting more complex, so I am leaning on option 1

[seanrathier]

Is this proposal going to be resolved before the 8.18 release?
I have an open issue for validating the CSPM integration inputs that would need this and I will be willing to work on this once the solution decision is finalized.

• https://github.com/elastic/security-team/issues/11441
• https://github.com/elastic/security-team/issues/10623

CC: @acorretti @smriti0321