elastic / terraform-provider-ec

https://registry.terraform.io/providers/elastic/ec/latest/docs
Apache License 2.0

Being able to configure trust and CCS/CCR with different Orgs #540

Open kuisathaverat opened 2 years ago

kuisathaverat commented 2 years ago

Expected Behavior

When you configure a remote cluster in the same organization (or a different organization that you trust), a remote cluster is configured to use CCS.

Current Behavior

If you configure a remote cluster where the remote cluster is in a different organization, the deployment fails with the following error:

╷
│ Error: api error: 1 error occurred:
│       * deployments.deployment_remote_resource_not_found: Invalid Remote Clusters Configuration. The following resource could not be found:(deployment [ESS_CLUSTER_IN_DIFFFERENT_ORG_ID] - ref_id [main-elasticsearch])
│ 
│ 
│ 
│   with ec_deployment.main,
│   on main.tf line 29, in resource "ec_deployment" "main":
│   29: resource "ec_deployment" "main" {
│ 

Sample configuration snippet

    remote_cluster {
      deployment_id = "ESS_CLUSTER_IN_DIFFFERENT_ORG_ID"
      alias         = "remote_cluster"
      ref_id        = "main-elasticsearch"
    }

Checking the traces, it seems that this is the request that failed:

==================== Start of Request #8 ====================
PUT /api/v1/deployments/DEPLOYMENT_ID/elasticsearch/main-elasticsearch/remote-clusters HTTP/1.1
Host: staging.found.no
User-Agent: elastic-terraform-provider/0.5.0-dev (cloud-sdk-go/3.3.0)
Content-Length: 169
Accept: application/json
Authorization: [REDACTED]
Content-Type: application/json
Accept-Encoding: gzip

{"resources":[{"alias":"remote_cluster","deployment_id":"ESS_CLUSTER_IN_DIFFFERENT_ORG_ID","elasticsearch_ref_id":"main-elasticsearch","skip_unavailable":false}]}

====================  End of Request #8  ====================
==================== Start of Response #8 ====================
HTTP/1.1 400 Bad Request
Content-Length: 302
Accept-Ranges: bytes
Access-Control-Allow-Headers: Authorization, Content-Type, X-Management-Request, X-HTTP-Method-Override
Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 86400
Cache-Control: private, max-age=0, no-cache
Connection: keep-alive
Content-Security-Policy: default-src 'none'
Content-Type: application/json; charset=utf-8
Date: Tue, 27 Sep 2022 15:44:53 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
Via: 1.1 varnish
X-Cache: MISS
X-Cache-Hits: 0
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Ratelimit-Interval: 1 second
X-Ratelimit-Limit: 50
X-Ratelimit-Remaining: 49
X-Ratelimit-Reset: Tue, 27 Sep 2022 15:44:53 GMT
X-Served-By: cache-mad22043-MAD
X-Timer: S1664293493.270720,VS0,VE224
X-Ui-Tag: indeterminate
X-Xss-Protection: 0

{
    "errors": [
        {
            "message": "Invalid Remote Clusters Configuration. The following resource could not be found:(deployment [ESS_CLUSTER_IN_DIFFFERENT_ORG_ID] - ref_id [main-elasticsearch])", 
            "code": "deployments.deployment_remote_resource_not_found"
        }
    ]
}
====================  End of Response #8  ====================

Terraform definition

terraform {
  required_version = ">= 0.12.29"

  required_providers {
    ec = {
      source  = "elastic/ec"
      version = "0.4.1"
    }
  }
}

provider "ec" {
  # ECE installation endpoint
  endpoint = "https://staging.found.no"
  apikey = "REDACTED"
  verbose = true
}

resource "ec_deployment" "main" {
  name = "overview-oblt"
  region                 = "gcp-us-central1"
  version                = "8.4.2"
  deployment_template_id = "gcp-observability"

  elasticsearch {
    autoscale = true
    remote_cluster {
      deployment_id = "ESS_CLUSTER_IN_DIFFFERENT_ORG_ID"
      alias         = "remote_cluster_tf_25"
      ref_id        = "main-elasticsearch"
    }
  }
}

Steps to Reproduce

  1. Create a deployment in the org-A
  2. Create a deployment in the org-B
  3. Configure trust relationship between both orgs
  4. Try to use the provided Terraform definition to create the cluster in the org-B as a remote cluster in the cluster in the org-A


Kushmaro commented 2 years ago

This is currently not supported with the provider. Hence it's not a bug.

kuisathaverat commented 2 years ago

Indeed, it is half supported and we are using it. You have to set the trust relationship between the deployments and use the following configuration in the Terraform file of the new deployments:

  elasticsearch {
    autoscale = true
    trust_account {
      account_id = "1234566789"
      trust_all = true
    }
  }

Then you can use the API to add the new remote cluster; this is the part that is missing in the Terraform provider:

curl -L -X PUT -u 'username:password' -H 'Content-Type: application/json' 'https://example.us-east-1.aws.found.io/_cluster/settings' -d '      {
        "persistent": {
          "cluster": {
            "remote": {
              "new_remote_cluster": {
                "skip_unavailable": false,
                "mode": "proxy",
                "proxy_address": "example-1.us-east-1.aws.found.io:9400",
                "proxy_socket_connections": 3,
                "server_name": "example-1.us-east-1.aws.found.io",
                "seeds": null,
                "node_connections": null
              }
            }
          }
        }
      }'
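
The request body from the comment above, generated and checked before it is sent; this is an added example, not code from the thread or from the provider. The function names, the alias and hostname patterns, and the rule that `server_name` must equal the `proxy_address` host are assumptions modelled on the payload shown.

```python
import json
import re

# Assumption: a conservative alias pattern; a dot would nest the settings key.
ALIAS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")
# Bare DNS name only: no scheme, port, path or userinfo.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def build_remote_settings(alias, remote_host, port=9400, socket_connections=3):
    """Return the persistent-settings body for one proxy-mode remote cluster."""
    if not ALIAS_RE.match(alias):
        raise ValueError(f"unsafe alias: {alias!r}")
    if not HOST_RE.match(remote_host):
        raise ValueError(f"not a bare hostname: {remote_host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    remote = {
        "skip_unavailable": False,
        "mode": "proxy",
        "proxy_address": f"{remote_host}:{port}",
        "proxy_socket_connections": socket_connections,
        "server_name": remote_host,  # TLS SNI name, same host as proxy_address
        "seeds": None,               # null resets any sniff-mode seeds
        "node_connections": None,
    }
    return {"persistent": {"cluster": {"remote": {alias: remote}}}}


def audit_remote_settings(body):
    """List problems in a cluster.remote settings body before it is sent."""
    findings = []
    for alias, cfg in body["persistent"]["cluster"]["remote"].items():
        host = str(cfg.get("proxy_address", "")).rpartition(":")[0]
        if cfg.get("mode") != "proxy":
            findings.append(f"{alias}: mode is not 'proxy'")
        if cfg.get("server_name") != host:
            findings.append(f"{alias}: server_name differs from proxy_address host")
        if cfg.get("seeds") is not None or cfg.get("node_connections") is not None:
            findings.append(f"{alias}: sniff-mode settings set alongside proxy mode")
    return findings


if __name__ == "__main__":
    # Constructed sample values, taken from the placeholders in the comment above.
    body = build_remote_settings("new_remote_cluster", "example-1.us-east-1.aws.found.io")
    print(json.dumps(body, indent=2))
    print(audit_remote_settings(body) or "no findings")
```
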

andrewnazarov commented 1 year ago

We are interested in a slightly different modification of this. We would like to configure CCR/CCS with an Elasticsearch installation that is not a part of Elastic Cloud and is self-hosted. The self-hosted Elasticsearch would be the remote one with the leader index.