Migrate Elasticsearch role mapping resource and data source to Plugin Framework (#1280)

* Initial plan

* Implement Plugin Framework role mapping resource and data source

Co-authored-by: tobio <444668+tobio@users.noreply.github.com>

* Apply code formatting

* Remove old SDKv2 registrations and generate docs

* Address review comments: extract read logic, use normalized JSON types, use framework diagnostics, and cleanup

Co-authored-by: tobio <444668+tobio@users.noreply.github.com>

* Address review comments: simplify diagnostics handling and add normalized JSON types to data source

Co-authored-by: tobio <444668+tobio@users.noreply.github.com>

* Address review feedback: use utils.SetValueFrom and utils.SetTypeAs for role handling

Co-authored-by: tobio <444668+tobio@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: tobio <444668+tobio@users.noreply.github.com>

Author: Copilot

CHANGELOG.md

@@ -8,6 +8,7 @@
 - Add support for managing cross_cluster API keys in `elasticstack_elasticsearch_security_api_key` ([#1252](https://github.com/elastic/terraform-provider-elasticstack/pull/1252))
 - Allow version changes without a destroy/create cycle with `elasticstack_fleet_integration` ([#1255](https://github.com/elastic/terraform-provider-elasticstack/pull/1255)). This fixes an issue where it was impossible to upgrade integrations which are used by an integration policy.
 - Add `namespace` attribute to `elasticstack_kibana_synthetics_monitor` resource to support setting data stream namespace independently from `space_id` ([#1247](https://github.com/elastic/terraform-provider-elasticstack/pull/1247))
+- Migrate `elasticstack_elasticsearch_security_role_mapping` resource and data source to Terraform Plugin Framework ([#1279](https://github.com/elastic/terraform-provider-elasticstack/pull/1279))
 
 ## [0.11.17] - 2025-07-21
 

docs/data-sources/elasticsearch_security_role_mapping.md

@@ -35,7 +35,7 @@ output "user" {
 
 ### Optional
 
-- `elasticsearch_connection` (Block List, Max: 1, Deprecated) Elasticsearch connection configuration block. This property will be removed in a future provider version. Configure the Elasticsearch connection via the provider configuration instead. (see [below for nested schema](#nestedblock--elasticsearch_connection))
+- `elasticsearch_connection` (Block List, Deprecated) Elasticsearch connection configuration block. (see [below for nested schema](#nestedblock--elasticsearch_connection))
 
 ### Read-Only
 

docs/resources/elasticsearch_security_role_mapping.md

@@ -46,7 +46,7 @@ output "role" {
 
 ### Optional
 
-- `elasticsearch_connection` (Block List, Max: 1, Deprecated) Elasticsearch connection configuration block. This property will be removed in a future provider version. Configure the Elasticsearch connection via the provider configuration instead. (see [below for nested schema](#nestedblock--elasticsearch_connection))
+- `elasticsearch_connection` (Block List, Deprecated) Elasticsearch connection configuration block. (see [below for nested schema](#nestedblock--elasticsearch_connection))
 - `enabled` (Boolean) Mappings that have `enabled` set to `false` are ignored when role mapping is performed.
 - `metadata` (String) Additional metadata that helps define which roles are assigned to each user. Keys beginning with `_` are reserved for system usage.
 - `role_templates` (String) A list of mustache templates that will be evaluated to determine the roles names that should granted to the users that match the role mapping rules.

internal/clients/elasticsearch/security.go

@@ -252,73 +252,88 @@ func DeleteRole(ctx context.Context, apiClient *clients.ApiClient, rolename stri
 	return diags
 }
 
-func PutRoleMapping(ctx context.Context, apiClient *clients.ApiClient, roleMapping *models.RoleMapping) diag.Diagnostics {
+func PutRoleMapping(ctx context.Context, apiClient *clients.ApiClient, roleMapping *models.RoleMapping) fwdiag.Diagnostics {
+	var diags fwdiag.Diagnostics
 	roleMappingBytes, err := json.Marshal(roleMapping)
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError("Unable to marshal role mapping", err.Error())
+		return diags
 	}
 	esClient, err := apiClient.GetESClient()
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError("Unable to get Elasticsearch client", err.Error())
+		return diags
 	}
 	res, err := esClient.Security.PutRoleMapping(roleMapping.Name, bytes.NewReader(roleMappingBytes), esClient.Security.PutRoleMapping.WithContext(ctx))
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError("Unable to put role mapping", err.Error())
+		return diags
 	}
 	defer res.Body.Close()
-	if diags := utils.CheckError(res, "Unable to put role mapping"); diags.HasError() {
+	if sdkDiags := utils.CheckError(res, "Unable to put role mapping"); sdkDiags.HasError() {
+		diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)
 		return diags
 	}
 
-	return nil
+	return diags
 }
 
-func GetRoleMapping(ctx context.Context, apiClient *clients.ApiClient, roleMappingName string) (*models.RoleMapping, diag.Diagnostics) {
+func GetRoleMapping(ctx context.Context, apiClient *clients.ApiClient, roleMappingName string) (*models.RoleMapping, fwdiag.Diagnostics) {
+	var diags fwdiag.Diagnostics
 	esClient, err := apiClient.GetESClient()
 	if err != nil {
-		return nil, diag.FromErr(err)
+		diags.AddError("Unable to get Elasticsearch client", err.Error())
+		return nil, diags
 	}
 	req := esClient.Security.GetRoleMapping.WithName(roleMappingName)
 	res, err := esClient.Security.GetRoleMapping(req, esClient.Security.GetRoleMapping.WithContext(ctx))
 	if err != nil {
-		return nil, diag.FromErr(err)
+		diags.AddError("Unable to get role mapping", err.Error())
+		return nil, diags
 	}
 	defer res.Body.Close()
 
 	if res.StatusCode == http.StatusNotFound {
-		return nil, nil
+		return nil, diags
 	}
-	if diags := utils.CheckError(res, "Unable to get a role mapping."); diags.HasError() {
+	if sdkDiags := utils.CheckError(res, "Unable to get a role mapping."); sdkDiags.HasError() {
+		diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)
 		return nil, diags
 	}
 	roleMappings := make(map[string]models.RoleMapping)
 	if err := json.NewDecoder(res.Body).Decode(&roleMappings); err != nil {
-		return nil, diag.FromErr(err)
+		diags.AddError("Unable to decode role mapping response", err.Error())
+		return nil, diags
 
 	}
 	if roleMapping, ok := roleMappings[roleMappingName]; ok {
 		roleMapping.Name = roleMappingName
-		return &roleMapping, nil
+		return &roleMapping, diags
 	}
 
-	return nil, diag.Errorf("unable to find role mapping '%s' in the cluster", roleMappingName)
+	diags.AddError("Role mapping not found", fmt.Sprintf("unable to find role mapping '%s' in the cluster", roleMappingName))
+	return nil, diags
 }
 
-func DeleteRoleMapping(ctx context.Context, apiClient *clients.ApiClient, roleMappingName string) diag.Diagnostics {
+func DeleteRoleMapping(ctx context.Context, apiClient *clients.ApiClient, roleMappingName string) fwdiag.Diagnostics {
+	var diags fwdiag.Diagnostics
 	esClient, err := apiClient.GetESClient()
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError("Unable to get Elasticsearch client", err.Error())
+		return diags
 	}
 	res, err := esClient.Security.DeleteRoleMapping(roleMappingName, esClient.Security.DeleteRoleMapping.WithContext(ctx))
 	if err != nil {
-		return diag.FromErr(err)
+		diags.AddError("Unable to delete role mapping", err.Error())
+		return diags
 	}
 	defer res.Body.Close()
-	if diags := utils.CheckError(res, "Unable to delete role mapping"); diags.HasError() {
+	if sdkDiags := utils.CheckError(res, "Unable to delete role mapping"); sdkDiags.HasError() {
+		diags.Append(utils.FrameworkDiagsFromSDK(sdkDiags)...)
 		return diags
 	}
 
-	return nil
+	return diags
 }
 
 func CreateApiKey(apiClient *clients.ApiClient, apikey *models.ApiKey) (*models.ApiKeyCreateResponse, fwdiag.Diagnostics) {