[Fleet] Fix creation of POLICY_CHANGE action during 7.9 => 7.10 migration (#81041)

Author: nchaulet

x-pack/plugins/ingest_manager/server/services/agent_policy_update.ts

@@ -6,8 +6,7 @@
 
 import { KibanaRequest, SavedObjectsClientContract } from 'src/core/server';
 import { generateEnrollmentAPIKey, deleteEnrollmentApiKeyForAgentPolicyId } from './api_keys';
-import { unenrollForAgentPolicyId } from './agents';
-import { outputService } from './output';
+import { isAgentsSetup, unenrollForAgentPolicyId } from './agents';
 import { agentPolicyService } from './agent_policy';
 import { appContextService } from './app_context';
 
@@ -31,11 +30,8 @@ export async function agentPolicyUpdateEventHandler(
   action: string,
   agentPolicyId: string
 ) {
-  const adminUser = await outputService.getAdminUser(soClient);
-  const outputId = await outputService.getDefaultOutputId(soClient);
-
-  // If no admin user and no default output fleet is not enabled just skip this hook
-  if (!adminUser || !outputId) {
+  // If Agents are not setup skip this hook
+  if (!(await isAgentsSetup(soClient))) {
     return;
   }
 

x-pack/plugins/ingest_manager/server/services/agents/index.ts

@@ -16,3 +16,4 @@ export * from './update';
 export * from './actions';
 export * from './reassign';
 export * from './authenticate';
+export * from './setup';

x-pack/plugins/ingest_manager/server/services/agents/setup.ts

@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SavedObjectsClientContract } from 'src/core/server';
+import { SO_SEARCH_LIMIT } from '../../constants';
+import { agentPolicyService } from '../agent_policy';
+import { outputService } from '../output';
+import { getLatestConfigChangeAction } from './actions';
+
+export async function isAgentsSetup(soClient: SavedObjectsClientContract): Promise<boolean> {
+  const adminUser = await outputService.getAdminUser(soClient, false);
+  const outputId = await outputService.getDefaultOutputId(soClient);
+  // If admin user (fleet_enroll) and output id exist Agents are correctly setup
+  return adminUser && outputId ? true : false;
+}
+
+/**
+ * During the migration from 7.9 to 7.10 we introduce a new agent action POLICY_CHANGE per policy
+ * this function ensure that action exist for each policy
+ *
+ * @param soClient
+ */
+export async function ensureAgentActionPolicyChangeExists(soClient: SavedObjectsClientContract) {
+  // If Agents are not setup skip
+  if (!(await isAgentsSetup(soClient))) {
+    return;
+  }
+
+  const { items: agentPolicies } = await agentPolicyService.list(soClient, {
+    perPage: SO_SEARCH_LIMIT,
+  });
+
+  await Promise.all(
+    agentPolicies.map(async (agentPolicy) => {
+      const policyChangeActionExist = !!(await getLatestConfigChangeAction(
+        soClient,
+        agentPolicy.id
+      ));
+
+      if (!policyChangeActionExist) {
+        return agentPolicyService.createFleetPolicyChangeAction(soClient, agentPolicy.id);
+      }
+    })
+  );
+}

x-pack/plugins/ingest_manager/server/services/output.ts

@@ -65,8 +65,8 @@ class OutputService {
     return outputs.saved_objects[0].id;
   }
 
-  public async getAdminUser(soClient: SavedObjectsClientContract) {
-    if (cachedAdminUser) {
+  public async getAdminUser(soClient: SavedObjectsClientContract, useCache = true) {
+    if (useCache && cachedAdminUser) {
       return cachedAdminUser;
     }
 

x-pack/plugins/ingest_manager/server/services/setup.ts

@@ -29,6 +29,7 @@ import { generateEnrollmentAPIKey } from './api_keys';
 import { settingsService } from '.';
 import { awaitIfPending } from './setup_utils';
 import { createDefaultSettings } from './settings';
+import { ensureAgentActionPolicyChangeExists } from './agents';
 
 const FLEET_ENROLL_USERNAME = 'fleet_enroll';
 const FLEET_ENROLL_ROLE = 'fleet_enroll';
@@ -80,6 +81,7 @@ async function createSetupSideEffects(
   ) {
     throw new Error('Policy not found');
   }
+
   for (const installedPackage of installedPackages) {
     const packageShouldBeInstalled = DEFAULT_AGENT_POLICIES_PACKAGES.some(
       (packageName) => installedPackage.name === packageName
@@ -105,6 +107,8 @@ async function createSetupSideEffects(
     }
   }
 
+  await ensureAgentActionPolicyChangeExists(soClient);
+
   return { isIntialized: true };
 }