[Cloud Security][Fleet] Add cloud connector var group policy effects and UI hookup changes

[seanrathier]

Summary

Cloud Connector Policy Effects Implementation

Note: There are currently no integrations that support var_groups/cloud connectors until

• [Cloud-Security] Adding var-groups to support authentication vars - related to cloud connector feature integrations#16985

Major Changes

Fleet Cloud Connector

• Policy Effects System: Introduced automatic policy updates based on var_group selections. When users select a cloud connector option, the system automatically sets supports_cloud_connector and clears cloud_connector_id. When deselected, these flags are properly cleared.

• Code Migration: Moved cloud connector utility code from CSP plugin to Fleet plugin (common/services/cloud_connectors/) for better reusability across the codebase.

• Var Group Helpers: Added comprehensive helper functions to detect cloud connector selections from var_group configurations, extract cloud connector variables, and determine target CSP.

• Account Type Support: Implemented account type selector in the cloud connector UI (single-account vs organization-account) for cloud connector creation, selection and existing connector filtering.

• IaC Template URL Handling: Integrated IaC template URL resolution from var_group selections.

• Access Scope Fixes: Fixed credential access scope resolution for cloud connectors. Removed all code referring to input.stream and change to use access_vars. When not possible added a fallback to the input.stream for legacy handling

CSPM Package

• CloudSetup passes the IaC URL to cloud connector, CloudConnector UI no longer looks in PackageInfo. The was done to support VarGroup option IaC value
• CloudSetup passes the account type selection to the CloudConnector UI, this is used in the IaC url replacement and to not show the CloudConnector internal account type sleection

Screen.Recording.2026-02-05.at.10.47.27.AM.mov

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
• Review the backport guidelines and apply applicable backport:* labels.

This PR was created with the assistance of Cursor

Related Issues

• [Cloud-Security] Adding var-groups to support authentication vars - related to cloud connector feature integrations#16985
• https://github.com/elastic/security-team/issues/15399
• https://github.com/elastic/security-team/issues/15402
• https://github.com/elastic/security-team/issues/15401

[Omolola-Akinleye]

can we check if package has groups as enabledVarGroups && packageInfo.var_groups?

[Omolola-Akinleye]

It's safe to remove account type selector for now from Cloud connector. Multi-account types are only supported CSPM and Asset Inventory and there is an existing UX there. We should default account type to single-account when package input stream var account-type isn't being used. When time comes, we handle UI later especially since there will be a re-design on Fleet Default UX and AWS integrations don't support multi-account.

[elasticmachine]

⏳ Build in-progress

• Buildkite Build
• Commit: e62dbd5
• Cloud Deployment
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-251488-e62dbd57efcf
• Security Deployment

History

• 💛 Build #400172 was flaky ed06302
• 💔 Build #399671 failed 8f9806a
• 💔 Build #399652 failed 7e1937c
• 💔 Build #398518 failed 8e082fa

cc @seanrathier

[Omolola-Akinleye]

🥇 LGTM! Thanks for all the changes and your patience!