CLI command to attach a package policy to the Agent

[klacabane]

Summary

The elastic-package install command currently installs a package assets. It would be useful to also have a command to attach an integration policy of the installed package to the elastic-agent started by the stack, after prompting for the inputs configuration. This will avoid UI configuration and enable automation of the package installation.

It could be a flag provided to install or its own dedicated command

[klacabane]

The system tests already do that by enrolling a new agent with policies defined in test configs under _dev/test/system/. Would it make sense to reuse that logic to have an agent continuously running with these configs ?

[jsoriano]

As discussed over slack, this feature makes sense, it could be something like elastic-package install --attach <agent id>. elastic/kibana#70582 would help to use this feature with any package on any cluster.

[klacabane]

After a first look at the workflow and code, the following two steps are required:

• Create and configure the integration to create an agent policy. We need a way to build the integration inputs and the ability to provide variables like hosts, credentials... In system tests we define a static yml configuration (example) that allows configuration for a single data stream.
  This should not be much different than what is already done, we'll only have to extend the capability to cover multiple streams: similar to the system tests we can build a policy by parsing the package and data stream's manifest, but instead of reading a single stream we'll have to parse every ds defined in data_streams directory. We'll then use user-defined configuration file (under <package>/_dev/policy ?) that will provide both package and ds variables that need to be substituted. The configuration file's format would like like this:

inputs:
  - type: elasticsearch/metrics
    vars:
      hosts:
        - "http://{{Hostname}}:5066"
    streams:
      - dataset: elasticsearch.stack_monitoring.index_recovery
        vars:
            active.only: true

• Assign an agent to the created policy
  Ability to provide an agent id --attach <agent-id> or fallback to the first available agent if none provided. This code already exists in the system test runner's logic and we should be able to reuse it.
  In system tests we reassign an existing agent to the newly created policy, and rollback the assignment when the test is done. Our use case is different because we want the agent to be long running so no rollback involved. It should also be possible to install --attach multiple packages within the same sessions and have them running in parallel.
  We could:
  • spawn an agent for each install --attach command. Not sure how doable that is, but we could possibly reuse the elastic-agent docker definition used by the stack up command and launch an additional container on every command execution
  • create a unique agent policy and update it on each command execution. We can omit the policy creation and reuse the policy already available to the Agent started by the stack up command

[klacabane]

Logging observations made while digging further:

• variables can be defined at package, input and data stream levels
• the configuration should be the starting point for the policy creation, ie we should only enable the inputs/streams set in the configuration instead of enabling every streams by default. This is to accommodate larger integration like the aws one that defines one policy template per service. Considering a use case where one would use the --attach functionality in aws package, I don't think enabling every single service would happen but we would instead prefer installing only the cloudwatch or ec2 integration only
• the last point suggests that we may want multiple configurations files and a way to pass them to the attach command. For example --attach ec2-policy.yml