elasticstack

elasticstack_kibana_action_connector

terraform {
  required_providers {
    elasticstack = {
      source  = "elastic/elasticstack"
    }
  }
}

provider "elasticstack" {
  kibana {
    endpoints = ["https://my-kibana:5601"]
    api_key   = var.kibana_api_key
  }
}

resource "elasticstack_kibana_action_connector" "slack" {
  name              = "Production Slack Alerts"
  connector_type_id = ".slack"

  config = jsonencode({})

  secrets = jsonencode({
    webhookUrl = "https://hooks.slack.com/services/T00/B00/XXXX"
  })
}

resource "elasticstack_kibana_action_connector" "index" {
  name              = "Alert Index Writer"
  connector_type_id = ".index"

  config = jsonencode({
    index              = "alert-history"
    executionTimeField = "@timestamp"
  })

  secrets = jsonencode({})
}

• config

  and

  secrets

  must be JSON-encoded strings via

  jsonencode()

• Secrets are stored in Terraform state; use a remote backend with encryption and restrict state file access
• Import existing connectors:

  terraform import elasticstack_kibana_action_connector.my_connector <space_id>/<connector_id>

  (use

  default

  for the default space)
• After import, secrets are not populated in state; you must supply them in config

• url: "https://api.example.com" ssl: verificationMode: full certificateAuthoritiesFiles: ["/path/to/ca.pem"]

undefined

1. Use preconfigured connectors for production on-prem. They eliminate secret sprawl, survive Saved Object imports, and cannot be accidentally deleted. Reserve API-created connectors for dynamic or user-managed scenarios.
2. Test connectors before attaching to rules. Use the

   _execute

   endpoint to verify connectivity. A misconfigured connector causes silent action failures that only appear in the rule's execution history.
3. Check

   referenced_by_count

   before deleting. Deleting a connector used by active rules causes those actions to fail. List connectors and verify zero references, or reassign rules to a new connector first.
4. Use the Email domain allowlist. The

   xpack.actions.email.domain_allowlist

   setting restricts which email domains connectors can send to. If you update this list, existing email connectors with recipients outside the new list will start failing.
5. Secure secrets in Terraform. Connector secrets (API keys, passwords, webhook URLs) are stored in Terraform state. Use encrypted remote backends (S3+KMS, Azure Blob+encryption, GCS+CMEK) and restrict access to state files. Use

   sensitive = true

   on variables.
6. One connector per service, not per rule. Create a single Slack connector and reference it from multiple rules. This centralizes secret rotation and reduces duplication.
7. Use Spaces for multi-tenant isolation. Connectors are scoped to a Kibana Space. Create separate spaces for different teams or environments and configure connectors per space.
8. Monitor connector health. Failed connector executions are logged in the event log index (

   .kibana-event-log-*

   ). Connector failures report as successful to Task Manager but fail silently for alert delivery. Check the Event Log Index for true failure rates.
9. Always configure a recovery action alongside the active action. Connectors for ITSM and on-call tools (ServiceNow, Jira, PagerDuty, Opsgenie) support a close/resolve operation. Without a recovery action, incidents remain open forever.
10. Use deduplication keys for on-call connectors. Set

    dedupKey

    (PagerDuty) or

    alias

    (Opsgenie) to

    {{rule.id}}-{{alert.id}}

    to ensure the resolve event closes exactly the right incident. Without this, a new incident is created every time the alert re-fires.
11. Prefer the Cases connector for investigation workflows. When an alert requires investigation with comments, attachments, and assignees, use Cases rather than a direct Jira/ServiceNow connector. Cases gives you a native investigation UI and can still push to ITSM via the Case's external connection.
12. Use the Index connector for durable audit trails. The Index connector writes to Elasticsearch, making alert history searchable and dashboardable. Pair it with an ILM policy on the target index to control retention.
13. Restrict connector access via Action settings. Use

    xpack.actions.enabledActionTypes

    to allowlist only the connector types your organization needs, and

    xpack.actions.allowedHosts

    to restrict outbound connections to known endpoints.

1. Missing

   kbn-xsrf

   header. All POST, PUT, DELETE requests require

   kbn-xsrf: true

   . Omitting it returns a 400 error.
2. Wrong

   connector_type_id

   . Use the exact string including the leading dot (e.g.,

   .slack

   , not

   slack

   ). Discover valid types via

   GET /api/actions/connector_types

   .
3. Empty

   secrets

   object required. Even for connectors without secrets (e.g.,

   .index

   ,

   .server-log

   ), you must provide

   "secrets": {}

   in the create request.
4. Connector type is immutable. You cannot change the

   connector_type_id

   after creation. Delete and recreate instead.
5. Secrets lost on export/import. Exporting connectors via Saved Objects strips secrets. After import, connectors show

   is_missing_secrets: true

   and a "Fix" button appears in the UI. You must re-enter secrets manually or via API.
6. Preconfigured connectors cannot be modified via API. Attempting to update or delete a preconfigured connector returns 400. Manage them exclusively in

   kibana.yml

   .
7. Rate limits from third-party services. Connectors that send high volumes of notifications (e.g., one per alert every minute) can hit Slack, PagerDuty, or email provider rate limits. Use alert summaries and action frequency controls on the rule side to reduce volume.
8. Connector networking failures. Kibana must be able to reach the connector's target URL. Verify firewall rules, proxy settings, and DNS resolution. Use

   xpack.actions.customHostSettings

   for TLS issues.
9. License requirements. Some connector types require a Gold, Platinum, or Enterprise license. Check the

   minimum_license_required

   field from

   GET /api/actions/connector_types

   . A connector that is

   enabled_in_config: true

   but

   enabled_in_license: false

   cannot be used.
10. Terraform import does not restore secrets. When importing an existing connector into Terraform, the secrets are not read back from Kibana. You must provide them in your Terraform configuration, or the next

    terraform apply

    will overwrite them with empty values.

.email

.slack

.slack_api

.pagerduty

.jira

.servicenow

.servicenow-sir

.servicenow-itom

.webhook

.index

.server-log

.opsgenie

.teams

.gen-ai

.bedrock

.gemini

.cases

.crowdstrike

.sentinelone

.microsoft_defender_endpoint

.thehive

Note: Use

GET /api/actions/connector_types

to discover all available types on your deployment along with their exact

minimum_license_required

values. Connector types for XSOAR, Jira Service Management, and MCP are available but may not appear in older API spec versions.

• Include

  kbn-xsrf: true

  on every POST, PUT, and DELETE; omitting it returns 400.

• connector_type_id

  is immutable — delete and recreate to change connector type.
• Always pass

  "secrets": {}

  even for connectors with no secrets (e.g.,

  .index

  ,

  .server-log

  ).
• Check

  referenced_by_count

  before deleting; a deleted connector silently breaks all referencing rule actions.
• Connectors are space-scoped; prefix paths with

  /s/<space_id>/api/actions/

  for non-default Kibana Spaces.
• Secrets are write-only: not returned by GET and stripped on Saved Object export/import; always re-supply after import.
• Test every new connector with

  _execute

  before attaching to rules; connector failures in production are silent.

• Kibana Connectors API Reference
• Connectors Overview
• Preconfigured Connectors
• Alerting Settings (Action Config)
• Terraform: elasticstack_kibana_action_connector
• Terraform: Managing Kibana Rule and Connector Resources