[Create Environment] Adding ec module

[gurevichdmitry]

Summary of your changes

This PR introduces a new internal EC module that deploys the basic ELK stack. Additionally, the ability to override the image has been implemented as part of this change.

Screenshot/Data

Related Issues

Checklist

• I have added tests that prove my fix is effective or that my feature works
• I have added the necessary README/documentation (if appropriate)

Introducing a new rule?

• Generate rule metadata using this script
• Add relevant unit tests
• Generate relevant rule templates using this script, and open a PR in elastic/packages/cloud_security_posture

[mergify]

This pull request does not have a backport label. Could you fix it @gurevichdmitry? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit
  NOTE: backport-skip has been added to this pull request.

[amirbenun]

Nice!

[amirbenun]

Remove it's declaration on line 115

[gurevichdmitry]

Updates the declaration to support the working of the entire flow retroactively. The version with the hash is only required for Terraform to pin the version of the stack to be deployed.

[amirbenun]

Do we really have a usecase of overriding these?

[gurevichdmitry]

The main use case is to support pinned BC versions. As described in this task, if we provide just the version (e.g., 8.12.0) and a new BC candidate is released, the stack will be updated with the newest version underneath. To prevent that, we should provide the exact version to be deployed. Unfortunately, the ec provider does not support the direct deployment of versions with a hash. To work around this, we need to override the docker_image for all stack components (ElasticSearch, Kibana, and Integrations Server). In the test environments' main.tf, we provide docker_image_tag_override, which is then passed to the ec module and used to deploy the custom image.

[oren-zohar]

why do we even need the apm component?

[gurevichdmitry]

The default manual deployment on the cloud includes the Integrations server component.
We are installing the Integrations server component, which was introduced in version 8.x and consists of APM and Fleet Server. Fleet is necessary to centrally manage all agents, integrations, and APM is part of Integrations server component.

[amirbenun]

Nice, we should start using it instead of the "requested" version.

[amirbenun]

Do we need those?

[gurevichdmitry]

Yes, each stack component may use a different image tag

[amirbenun]

So we don't even deploy the requested version? Where do we use the commit sha?

[gurevichdmitry]

In the case of a released or snapshot version, stack_version will not be modified and remains the same. However, in the case of a BC version, we need to remove the hash from stack_version. This is essential because the ec provider might fail with an unknown version if the hash is included. Additionally, we need to override docker_image_tag. Instead of creating complex logic to handle different scenarios, we always provide docker_image_override in all cases to ensure that our deployment deploys the pinned version.

[amirbenun]

I see that we also clean that on the terraform? Where do we use the full version?

[gurevichdmitry]

For Terraform, we are utilizing the TF_VAR_stack_version: ${{ inputs.elk-stack-version }} environment variable, which is passed as is. Full version is used to deploy pinned BC version.

[amirbenun]

A few more comments to your consideration

[amirbenun]

I would consider getting the hash on a different optional parameter, PIN_VERSION for example.
This way we will avoid the cleaning code implemented both in bash and terraform, and the flow of using the pinned version will be more straight forward PIN_VERSION != "".

[gurevichdmitry]

@amirbenun I have refactored the code to support a separate pin_version Terraform variable. This eliminates the need for cleanup version in Terraform code. I've updated the step action responsible for initializing and updating TF_vars and provided comments for clarity. Additionally, I have improved the documentation to make it more clear.

[amirbenun]

Please add comments on why those are needed especially when deploying BC versions.

[oren-zohar]

💯

[oren-zohar]

if we reuse this part maybe we can export it to a script or to an action

[gurevichdmitry]

The common part is just to retrieve cleaned_version. Afterwards, the handling is different. In this action, we are adding AGENT_VERSION to GITHUB_OUTPUT (different jobs), and in the test-environments step, we are updating env vars of the same job.