elastic · seanrathier · Feb 24, 2026 · Jan 29, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -29479,6 +29479,13 @@ paths:
                       maxLength: 255
                       minLength: 1
                       type: string
+                    target_csp:
+                      description: Target cloud service provider. If not provided, will be auto-detected from inputs.
+                      enum:
+                        - aws
+                        - azure
+                        - gcp
+                      type: string
                 description:
                   description: Policy description.
                   type: string

@@ -32052,6 +32052,13 @@ paths:
                       maxLength: 255
                       minLength: 1
                       type: string
+                    target_csp:
+                      description: Target cloud service provider. If not provided, will be auto-detected from inputs.
+                      enum:
+                        - aws
+                        - azure
+                        - gcp
+                      type: string
                 description:
                   description: Policy description.
                   type: string

@@ -22,6 +22,9 @@ export const TENANT_ID_VAR_NAME = 'tenant_id';
 export const CLIENT_ID_VAR_NAME = 'client_id';
 export const AZURE_CREDENTIALS_CLOUD_CONNECTOR_ID = 'azure_credentials_cloud_connector_id';
 
+// Cloud connector support flag
+export const SUPPORTS_CLOUD_CONNECTORS_VAR_NAME = 'supports_cloud_connectors';
+
 // Account type variable names for different cloud providers
 export const AWS_ACCOUNT_TYPE_VAR_NAME = 'aws.account_type';
 export const AZURE_ACCOUNT_TYPE_VAR_NAME = 'azure.account_type';
@@ -32,6 +35,9 @@ export const GCP_ACCOUNT_TYPE_VAR_NAME = 'gcp.account_type';
 export const SINGLE_ACCOUNT = 'single-account';
 export const ORGANIZATION_ACCOUNT = 'organization-account';
 
+// Default account type for cloud connectors when not explicitly specified
+export const CLOUD_CONNECTOR_DEFAULT_ACCOUNT_TYPE = SINGLE_ACCOUNT;
+
 export const SUPPORTED_CLOUD_CONNECTOR_VARS = [
   AWS_ROLE_ARN_VAR_NAME,
   AWS_CREDENTIALS_EXTERNAL_ID_VAR_NAME,
@@ -43,4 +49,5 @@ export const SUPPORTED_CLOUD_CONNECTOR_VARS = [
   TENANT_ID_VAR_NAME,
   CLIENT_ID_VAR_NAME,
   AZURE_CREDENTIALS_CLOUD_CONNECTOR_ID,
+  SUPPORTS_CLOUD_CONNECTORS_VAR_NAME,
 ];
@@ -26,6 +26,7 @@ const _allowedExperimentalValues = {
   enableSloTemplates: true,
   newBrowseIntegrationUx: false, // When enabled integrations, browse integrations page will use the new UX.
   enableVersionSpecificPolicies: false, // When enabled, version specific policies will be created when packages use agent version conditions
+  enableVarGroups: false, // When enabled, var_groups from the package spec drive conditional variable visibility and input filtering.
   enableIntegrationInactivityAlerting: false, // When enabled, an inactivity monitoring alerting rule template is created on fresh integration package install.
 };
 

@@ -30,6 +30,7 @@ export {
   getCredentialSchema,
   getAllVarKeys,
   getAllSupportedVarNames,
+  getCredentialKeyFromVarName,
 } from './schemas';
 
 // Accessor functions
@@ -43,3 +44,14 @@ export {
   getVarTarget,
   findFirstVarEntry,
 } from './var_accessor';
+
+// Var group helpers for cloud connector detection
+export type { VarGroupSelection, CloudConnectorOptionResult } from './var_group_helpers';
+export {
+  getSelectedOption,
+  getCloudConnectorOption,
+  getCloudConnectorVars,
+  getAllCloudConnectorVarNames,
+  getIacTemplateUrlFromVarGroupSelection,
+  detectTargetCsp,
+} from './var_group_helpers';
@@ -13,6 +13,7 @@ import {
   getCredentialSchema,
   getAllVarKeys,
   getAllSupportedVarNames,
+  getCredentialKeyFromVarName,
 } from './schemas';
 
 describe('Cloud Connector Schemas', () => {
@@ -55,10 +56,12 @@ describe('Cloud Connector Schemas', () => {
       expect(clientId.isSecret).toBe(true);
     });
 
-    it('should have azureCredentialsCloudConnectorId field with correct keys', () => {
-      const { azureCredentialsCloudConnectorId } = AZURE_CREDENTIAL_SCHEMA.fields;
-      expect(azureCredentialsCloudConnectorId.primary).toBe('azure_credentials_cloud_connector_id');
-      expect(azureCredentialsCloudConnectorId.isSecret).toBe(false);
+    it('should have azure_credentials_cloud_connector_id field with correct keys', () => {
+      const { azure_credentials_cloud_connector_id } = AZURE_CREDENTIAL_SCHEMA.fields;
+      expect(azure_credentials_cloud_connector_id.primary).toBe(
+        'azure_credentials_cloud_connector_id'
+      );
+      expect(azure_credentials_cloud_connector_id.isSecret).toBe(false);
     });
   });
 
@@ -144,4 +147,74 @@ describe('Cloud Connector Schemas', () => {
       expect(allVarNames.length).toBeGreaterThan(0);
     });
   });
+
+  describe('getCredentialKeyFromVarName', () => {
+    describe('AWS provider', () => {
+      it('should return roleArn for primary key role_arn', () => {
+        expect(getCredentialKeyFromVarName('aws', 'role_arn')).toBe('roleArn');
+      });
+
+      it('should return roleArn for alias aws.role_arn', () => {
+        expect(getCredentialKeyFromVarName('aws', 'aws.role_arn')).toBe('roleArn');
+      });
+
+      it('should return externalId for primary key external_id', () => {
+        expect(getCredentialKeyFromVarName('aws', 'external_id')).toBe('externalId');
+      });
+
+      it('should return externalId for alias aws.credentials.external_id', () => {
+        expect(getCredentialKeyFromVarName('aws', 'aws.credentials.external_id')).toBe(
+          'externalId'
+        );
+      });
+
+      it('should return undefined for unknown var name', () => {
+        expect(getCredentialKeyFromVarName('aws', 'unknown_var')).toBeUndefined();
+      });
+    });
+
+    describe('Azure provider', () => {
+      it('should return tenantId for primary key tenant_id', () => {
+        expect(getCredentialKeyFromVarName('azure', 'tenant_id')).toBe('tenantId');
+      });
+
+      it('should return tenantId for alias azure.credentials.tenant_id', () => {
+        expect(getCredentialKeyFromVarName('azure', 'azure.credentials.tenant_id')).toBe(
+          'tenantId'
+        );
+      });
+
+      it('should return clientId for primary key client_id', () => {
+        expect(getCredentialKeyFromVarName('azure', 'client_id')).toBe('clientId');
+      });
+
+      it('should return clientId for alias azure.credentials.client_id', () => {
+        expect(getCredentialKeyFromVarName('azure', 'azure.credentials.client_id')).toBe(
+          'clientId'
+        );
+      });
+
+      it('should return azure_credentials_cloud_connector_id for its primary key', () => {
+        expect(getCredentialKeyFromVarName('azure', 'azure_credentials_cloud_connector_id')).toBe(
+          'azure_credentials_cloud_connector_id'
+        );
+      });
+    });
+
+    describe('GCP provider', () => {
+      it('should return projectId for primary key project_id', () => {
+        expect(getCredentialKeyFromVarName('gcp', 'project_id')).toBe('projectId');
+      });
+
+      it('should return serviceAccountKey for primary key service_account_key', () => {
+        expect(getCredentialKeyFromVarName('gcp', 'service_account_key')).toBe('serviceAccountKey');
+      });
+    });
+
+    describe('Unknown provider', () => {
+      it('should return undefined for unknown provider', () => {
+        expect(getCredentialKeyFromVarName('unknown' as any, 'role_arn')).toBeUndefined();
+      });
+    });
+  });
 });
@@ -59,7 +59,7 @@ export const AZURE_CREDENTIAL_SCHEMA: CloudConnectorCredentialSchema = {
       aliases: [AZURE_CLIENT_ID_VAR_NAME], // 'azure.credentials.client_id'
       isSecret: true,
     },
-    azureCredentialsCloudConnectorId: {
+    azure_credentials_cloud_connector_id: {
       primary: AZURE_CREDENTIALS_CLOUD_CONNECTOR_ID, // 'azure_credentials_cloud_connector_id'
       aliases: [AZURE_CREDENTIALS_CLOUD_CONNECTOR_ID_VAR_NAME], // 'azure.credentials.azure_credentials_cloud_connector_id'
       isSecret: false,
@@ -132,3 +132,34 @@ export function getAllSupportedVarNames(): string[] {
 
   return allVarNames;
 }
+
+/**
+ * Gets the credential property name for a given var key name.
+ * Handles both primary keys and aliases, mapping them back to the logical credential field name.
+ *
+ * @param provider - The cloud provider (e.g., 'aws', 'azure')
+ * @param varName - The var key name (e.g., 'role_arn' or 'aws.role_arn')
+ * @returns The credential property name (e.g., 'roleArn') or undefined if not found
+ *
+ * @example
+ * getCredentialKeyFromVarName('aws', 'role_arn') // → 'roleArn'
+ * getCredentialKeyFromVarName('aws', 'aws.role_arn') // → 'roleArn'
+ * getCredentialKeyFromVarName('azure', 'tenant_id') // → 'tenantId'
+ */
+export function getCredentialKeyFromVarName(
+  provider: CloudProvider,
+  varName: string
+): string | undefined {
+  const schema = CREDENTIAL_SCHEMAS[provider];
+  if (!schema) {
+    return undefined;
+  }
+
+  for (const [credentialKey, mapping] of Object.entries(schema.fields)) {
+    if (mapping.primary === varName || mapping.aliases.includes(varName)) {
+      return credentialKey;
+    }
+  }
+
+  return undefined;
+}
@@ -66,7 +66,7 @@ export interface NormalizedAwsCredentials {
 export interface NormalizedAzureCredentials {
   tenantId?: string | { id: string; isSecretRef: boolean };
   clientId?: string | { id: string; isSecretRef: boolean };
-  azureCredentialsCloudConnectorId?: string;
+  azure_credentials_cloud_connector_id?: string;
 }
 
 /**

@@ -454,7 +454,7 @@ describe('Cloud Connector Var Accessor', () => {
       expect(credentials).toEqual({
         tenantId: 'tenant-123',
         clientId: 'client-456',
-        azureCredentialsCloudConnectorId: 'connector-789',
+        azure_credentials_cloud_connector_id: 'connector-789',
       });
     });
 
@@ -543,7 +543,7 @@ describe('Cloud Connector Var Accessor', () => {
         {
           tenantId: 'new-tenant',
           clientId: 'new-client',
-          azureCredentialsCloudConnectorId: 'new-connector',
+          azure_credentials_cloud_connector_id: 'new-connector',
         },
         'azure',
         packageInfo

@@ -265,9 +265,9 @@ function readAzureCredentials(
   return {
     tenantId: findVarValue(vars, getAllVarKeys(schema.fields.tenantId)),
     clientId: findVarValue(vars, getAllVarKeys(schema.fields.clientId)),
-    azureCredentialsCloudConnectorId: findVarValue(
+    azure_credentials_cloud_connector_id: findVarValue(
       vars,
-      getAllVarKeys(schema.fields.azureCredentialsCloudConnectorId)
+      getAllVarKeys(schema.fields.azure_credentials_cloud_connector_id)
     ) as string | undefined,
   };
 }
@@ -395,13 +395,13 @@ function writeAzureCredentials(
     };
   }
 
-  // Write azureCredentialsCloudConnectorId
-  if (credentials.azureCredentialsCloudConnectorId !== undefined) {
-    const connectorIdKeys = getAllVarKeys(schema.fields.azureCredentialsCloudConnectorId);
+  // Write azure_credentials_cloud_connector_id
+  if (credentials.azure_credentials_cloud_connector_id !== undefined) {
+    const connectorIdKeys = getAllVarKeys(schema.fields.azure_credentials_cloud_connector_id);
     const existingKey = findExistingVarKey(vars, connectorIdKeys) || connectorIdKeys[0];
     updatedVars[existingKey] = {
       ...vars[existingKey],
-      value: credentials.azureCredentialsCloudConnectorId,
+      value: credentials.azure_credentials_cloud_connector_id,
     };
   }