Added space awareness to Agent Policies #1390
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jamesagarside
added
enhancement
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds space awareness functionality to Fleet Agent Policies and their associated Integration Policies in the Terraform provider. This allows users to control which Kibana spaces an agent policy is available in, with integration policies inheriting space assignments from their parent agent policy.
Key Changes:
- Added
space_idsattribute to agent policies as an optional field for controlling space availability - Added read-only
space_idsattribute to integration policies that inherits from the parent agent policy - Included acceptance tests and documentation updates for the new functionality
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| internal/fleet/agent_policy/schema.go | Adds optional space_ids list attribute to agent policy schema |
| internal/fleet/agent_policy/models.go | Implements space_ids serialization/deserialization in agent policy API models |
| internal/fleet/agent_policy/acc_test.go | Adds acceptance test for agent policy with space_ids configuration |
| internal/fleet/integration_policy/schema.go | Adds computed read-only space_ids attribute to integration policy schema |
| internal/fleet/integration_policy/models.go | Implements space_ids population from API response for integration policies |
| examples/resources/elasticstack_fleet_agent_policy/resource.tf | Updates example to demonstrate space_ids usage |
| docs/resources/fleet_agent_policy.md | Documents the new space_ids attribute for agent policies |
| docs/resources/fleet_integration_policy.md | Documents the read-only space_ids attribute for integration policies |
Co-authored-by: Copilot <[email protected]>
When upgrading from schema V0 to V1, the space_ids field was not initialized in the upgraded state model, causing a type mismatch error during state migration. This fix initializes SpaceIds to null for V0 states that didn't have this field, matching the pattern used for agent_policy_ids. Fixes test: TestAccResourceIntegrationPolicySecretsFromSDK
- Make GET after CREATE optional (only if CREATE returned valid ID) - Gracefully fall back to CREATE response if GET fails - Add defensive nil checks to prevent unknown value errors This should handle cases where space configuration prevents immediate read-back of created policies.
When creating an agent policy with space_ids, the policy is created
within that specific Kibana space. The subsequent GET request to read
back the policy must include the space context in the URL, otherwise
it returns 404 due to Kibana's space isolation.
Changes:
- Added GetAgentPolicyInSpace() function to make space-aware GET requests
using the pattern /s/{space_id}/api/fleet/agent_policies/{id}
- Updated Create() to use GetAgentPolicyInSpace() when space_ids is set
- Falls back to standard GetAgentPolicy() for non-space-aware policies
This fixes the runtime error where policies with space_ids would fail
with "Provider returned invalid result object after apply" showing
unknown values for id, policy_id, and other fields.
Resolves the 404 error when reading back space-aware policies.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Extended space-aware API support beyond CREATE to cover the full
resource lifecycle (READ, UPDATE, DELETE). When a policy is created
with space_ids, all subsequent operations must use space-aware URLs.
Changes:
- Added GetAgentPolicyInSpace() for space-aware GET requests
- Added UpdateAgentPolicyInSpace() for space-aware PUT requests
- Added DeleteAgentPolicyInSpace() for space-aware DELETE requests
- Updated Read() to use space-aware GET when space_ids is set
- Updated Update() to use space-aware PUT when space_ids is set
- Updated Delete() to use space-aware DELETE when space_ids is set
All operations now follow the pattern:
- Default space: /api/fleet/agent_policies/...
- Custom space: /s/{space_id}/api/fleet/agent_policies/...
Testing confirmed all CRUD operations work correctly with space_ids:
✅ CREATE - Policy created with space_ids
✅ READ - Policy read from correct space
✅ UPDATE - Policy updated within space
✅ DELETE - Policy deleted from space
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
…ency fixes
Adds full Kibana Space support for Fleet agent policies and integration policies,
enabling multi-tenant deployments with space isolation.
Changes:
- Add space-aware API functions for package policies in Fleet client
* GetPackagePolicyInSpace, CreatePackagePolicyInSpace
* UpdatePackagePolicyInSpace, DeletePackagePolicyInSpace
- Update all integration_policy CRUD operations to use space-aware requests
- Make integration_policy space_ids Optional+Computed instead of read-only
- Fix state consistency: preserve space_ids when API doesn't return it
- Fix input handling: don't populate auto-generated inputs when not configured
This enables creating integration policies in specific Kibana spaces by
referencing space-aware agent policies. The space context is passed via
space-aware URLs (/s/{space_id}/api/fleet/...) for proper API isolation.
Fixes #1390
…ation Fixes three issues causing TestAccResourceIntegrationPolicySecrets failures: 1. Import state handling: Added import detection logic in Read function to preserve inputs populated from API during import operations. Previously, inputs were incorrectly nullified when prior state was empty (which occurs during all import operations). 2. Test configuration: Corrected step 3 import test to use testAccResourceIntegrationPolicySecretsUpdate() instead of testAccResourceIntegrationPolicyUpdate(), ensuring AWS logs configuration matches steps 1-2. 3. Import verification: Added space_ids to ImportStateVerifyIgnore for both single-valued and multi-valued secret tests. The API returns space_ids for all policies, but test configs don't specify it since it's inherited from agent policies. Space-aware Fleet functionality fully preserved: - All space-aware CRUD operations unchanged - Import detection doesn't interfere with space_ids handling - Works correctly for both space-aware and regular imports Files changed: - internal/fleet/integration_policy/read.go: Import detection logic - internal/fleet/integration_policy/acc_test.go: Test fixes Resolves CI test failures in TestAccResourceIntegrationPolicySecrets
Fixes TestAccResourceOutputKafka test failure caused by space_ids appearing in plan after update operations. Problem: After updating a Fleet output resource, Terraform showed a non-empty plan with 'space_ids = (known after apply)', even though no changes were made. This occurred because: - space_ids is marked as Optional + Computed in schema - Previous logic conditionally preserved space_ids from prior state - When config didn't specify space_ids, but state had it, Terraform detected a diff Solution: Simplified space_ids handling to ALWAYS set to null during Read operations, since: - API doesn't return space_ids for Fleet outputs - space_ids is only used to route API calls during create/update/delete - Users shouldn't rely on reading this value back from state Applied fix to all three output types: - Elasticsearch: internal/fleet/output/models_elasticsearch.go - Kafka: internal/fleet/output/models_kafka.go - Logstash: internal/fleet/output/models_logstash.go Changes: - Removed conditional logic (if IsNull || IsUnknown) - Always set space_ids to null in fromAPI* methods - Updated comments to reflect correct behavior This ensures plan stability after apply while preserving space-aware Fleet functionality for create/update/delete operations. Resolves CI test failures in TestAccResourceOutputKafka
Resolves plan stability issues where space_ids was showing as "(known after apply)" instead of remaining null after updates. The issue occurred because space_ids is marked as Optional+Computed but lacked a plan modifier. Without UseStateForUnknown(), Terraform treats null computed values as potentially changing, causing non-empty plans after updates. Changes: - Add listplanmodifier.UseStateForUnknown() to space_ids in all resources - Import listplanmodifier package where needed - Fixes TestAccResourceOutputKafka and prevents similar issues in other resources Affected resources: - agent_policy - integration_policy - output (Elasticsearch, Kafka, Logstash) - server_host This ensures space_ids null values are preserved across update operations, preventing spurious plan diffs. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
…iers
This commit fixes two related issues with space_ids handling:
**Issue 1: Output resources showing non-empty plans**
The output populate functions were unconditionally setting space_ids to null,
causing Terraform to detect a change even when nothing changed. Since the
Fleet API doesn't return space_ids for outputs, we now preserve the value
from the plan/state instead of overwriting it.
**Issue 2: Agent policy version errors on older Elasticsearch**
Adding UseStateForUnknown() plan modifier caused space_ids values to persist
across updates, triggering version checks on Elasticsearch < 9.1.0 even when
space_ids wasn't explicitly configured. The plan modifier was preserving the
["default"] value returned by the API during create.
**Solution:**
1. **Output models**: Remove space_ids null assignment in populateFromAPI
- Files: models_elasticsearch.go, models_kafka.go, models_logstash.go
- Now preserves plan/state value instead of overwriting to null
2. **All resources**: Remove UseStateForUnknown() plan modifiers
- For agent_policy/integration_policy/server_host: API returns space_ids,
so we want to follow the API response, not preserve state values
- For output: Fix at populate level, not schema level
- Removes unnecessary imports of listplanmodifier
**Test Impact:**
- Fixes TestAccResourceOutputKafka (non-empty plan issue)
- Fixes TestAccResourceAgentPolicy* (version check issue on older ES)
The root cause was attempting to use plan modifiers for state management
when the real issue was in the populate logic. This fix addresses both
the symptom (plan diffs) and the cause (inappropriate null assignment).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Fixes "Provider returned invalid result object after apply" error during CREATE operations for output resources. **Problem:** When space_ids is not specified in config, the plan has space_ids=null. After calling populateFromAPI during create, space_ids remained null (not explicitly set). Since space_ids is Optional+Computed, Terraform requires it to have a known value after apply, not remain unset. **Solution:** Only set space_ids to null if it's currently null/unknown. This ensures: 1. CREATE: space_ids starts null → set to explicit null → satisfies Terraform 2. UPDATE: space_ids has value from plan → preserved → no plan diff **Why Conditional Check:** - `IsNull() || IsUnknown()` → Set to explicit null (fixes create) - Has concrete value → Preserve it (prevents update plan diffs) This combines the benefits of both approaches: - CREATE works (explicit null satisfies Terraform) - UPDATE works (preserves plan value, no spurious diffs) Fixes TestAccResourceOutputElasticsearch and TestAccResourceOutputLogstash. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Fixes "non-refresh plan was not empty" error showing space_ids as "(known after apply)" during UPDATE operations for output resources. **Root Cause:** During update, we only read from req.Plan, which doesn't include space_ids when it's not in the config. This caused space_ids to be null in planModel, and when populateFromAPI set it to explicit null, Terraform couldn't tell if this was intentional or computed, showing it as "(known after apply)". **Solution:** 1. Read BOTH plan and state at the start of Update 2. If space_ids is not in plan (null/unknown), copy from state 3. This ensures planModel has the correct space_ids value before populateFromAPI is called 4. No plan diff because state value is preserved **Flow:** - Plan has space_ids = null (not in config) - State has space_ids = null (from create) - Copy from state → planModel.SpaceIds = null (from state) - populateFromAPI sees IsNull() → sets to explicit null (no change) - Save to state → no diff detected **Why This Works:** - UPDATE with space_ids not in config: Preserves state value → no diff - UPDATE with space_ids in config: Uses plan value → works as expected - CREATE: Only has plan, no state → conditional null works Fixes TestAccResourceOutputKafka Step 2/2 failure. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Resolves persistent "non-refresh plan was not empty" issue where space_ids shows as "(known after apply)" after update operations. **Root Cause:** The issue occurs during the REFRESH (Read) operation after an update: 1. Update completes, state has space_ids = null 2. Terraform performs refresh (calls Read) 3. Read calls populateFromAPI which sets space_ids = null 4. Terraform sees space_ids as "computed" and marks it as unknown 5. Next plan shows: + space_ids = (known after apply) **Why Previous Fixes Didn't Work:** - Commit 2ac6f2f: Removed plan modifier → fixed agent_policy but broke output - Commit 0346a2d: Conditional null → fixed CREATE but not UPDATE refresh - Commit 051561a: State preservation in Update → didn't address Read refresh **The Correct Solution:** Use UseStateForUnknown() plan modifier ONLY for output resources. **Why It's Safe for Output:** - Output API never returns space_ids → always null in state - No version check in output resources (unlike agent_policy) - Plan modifier prevents Terraform from marking null as unknown during refresh **Why agent_policy doesn't use it:** - Agent policy API DOES return space_ids = ["default"] - Plan modifier would preserve this value - Would trigger version check on ES < 9.1.0 **Flow with Plan Modifier:** - CREATE: space_ids = null → saved to state - UPDATE: space_ids = null in config - Plan modifier: If unknown, use state value (null) - Update: space_ids stays null - Read refresh: space_ids stays null - Plan modifier prevents marking as unknown - Result: No plan diff Fixes TestAccResourceOutputKafka for all Elasticsearch versions. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
…entations Implemented fixes based on GitHub Copilot code review feedback: 1. **Add space-aware GetEnrollmentTokens function** - Created GetEnrollmentTokensInSpace() in fleet client for consistency - Updated enrollment_tokens/read.go to use space-aware method when querying all tokens - Ensures space filtering works correctly for both policy-specific and all-tokens queries 2. **Refactor integration_policy update.go** - Eliminated code duplication in UpdatePackagePolicy calls - Extracted space ID determination into single location - Simplified conditional logic for better readability 3. **Test argument validation** - Verified testAccResourceIntegrationPolicySecretsUpdate argument is correct - The "updated" value is intentionally used for testing secret updates **Impact**: Improved code quality, consistency, and maintainability without changing functionality. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Co-authored-by: Copilot <[email protected]>
…RY improvements Addressed GitHub Copilot code review feedback: 1. **Fix state preservation timing in output/update.go** - Moved space_ids state preservation to after populateFromAPI call - Follows the pattern established in integration_policy/update.go (lines 81-111) - Ensures state is preserved after API response is processed, not before 2. **Extract buildSpaceAwarePath helper function** - Created buildSpaceAwarePath(spaceID, basePath) to eliminate duplication - Replaced 60+ occurrences of the space-aware path construction pattern - Improved maintainability and consistency across all Fleet API methods **Impact**: Improved code quality through proper state handling timing and DRY principle application. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
The previous Copilot suggestion changed the import detection logic to use `req.ImportState`, which doesn't exist on `resource.ReadRequest` in the terraform-plugin-framework. Reverted to the previous working implementation that detects imports by checking if PolicyID is set while Name is null/unknown. This fixes the build failure: - req.ImportState undefined (type resource.ReadRequest has no field or method ImportState) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
tobio
reviewed
Oct 26, 2025
| // buildSpaceAwarePath constructs an API path with space awareness. | ||
| // If spaceID is empty or "default", returns the basePath unchanged. | ||
| // Otherwise, prepends "/s/{spaceID}" to the basePath. | ||
| func buildSpaceAwarePath(spaceID, basePath string) string { |
Member
There was a problem hiding this comment.
The client generator is injecting this space_id parameter for a subset of kibana paths. The benefit there is that we don't have to redefine al the API operations and manually build up the HTTP requests.
Are you able to:
- Extract the code which injects the space id parameter into it's own dedicated function. You'll need to add that function into the list of transformers here
- Add the fleet paths to the
spaceIdPathsslice so the path parameter is injected into the client for us. - Refactor this code to remove the space id variants you've added, and instead just supply the expected space to the API client.
Contributor
Author
There was a problem hiding this comment.
Looks like this is Blocked by upstream Kibana OpenAPI spec
Confirmed Fleet endpoints exist (/api/fleet/agent_policies, /api/fleet/outputs, etc.)
No space-aware variants (/s/{spaceId}/api/fleet/*) exist in the spec yet
The Kibana team hasn't added space aware Fleet support to their official OpenAPI specification
Current Approach:
The InSpace() wrapper functions work correctly with the default-space-first fix
These wrappers provide necessary error handling and response parsing
Removing them would require either:
Kibana adding /s/{spaceId}/api/fleet/ endpoints to their OpenAPI spec
Manually adding these paths to the transform_schema.go (causes duplicate type definitions)
Recommendation
Keep current wrapper functions until Kibana updates their OpenAPI spec upstream.
Member
There was a problem hiding this comment.
I've added a commit to this PR demonstrating a different approach which removes all this duplication.
Contributor
Author
There was a problem hiding this comment.
@tobio Thanks for the request editor example with enrolment tokens! Makes total sense - I'll apply that pattern to all the remaining Fleet resources in this PR.
Also fixed two small bugs I spotted:
| // The CREATE response may not include all fields (e.g., space_ids can be null in the response | ||
| // even when specified in the request). Read the policy back to get the complete state. | ||
| // Only do this if we got a valid ID from the create response. | ||
| if policy != nil && policy.Id != "" { |
Member
There was a problem hiding this comment.
IIUC this is the same as the core of the Read function. Are we able to extract this and re-use it here, in read, and presumably in Update as well?
Comment on lines
+123
to
+126
| if !isInputKnown { | ||
| // Import or fresh read - populate everything from API | ||
| // (continue to normal population below) | ||
| } else if isInputNullOrEmpty { |
Member
There was a problem hiding this comment.
Suggested change
| if !isInputKnown { | |
| // Import or fresh read - populate everything from API | |
| // (continue to normal population below) | |
| } else if isInputNullOrEmpty { | |
| if model.Input.IsNull() { |
Couple of questions:
- Can we just do away with the first condition here? It's not clear what it's preventing from falling through to the empty case
ifInputKnown && len() == 0.inputis currently defined as a block, so I'm not sure what the behaviour is here. I'd expectisInputKnownmeans that the user has defined aninputsomewhere, and that if that collection is empty then it's been explicitly defined as empty and we should populate the model. I assume that's wrong though since you've written this code, is there an example of a TF config which hits each of these cases?
Apply default-space-first operational model across all space-aware Fleet resources to prevent resource orphaning when users reorder space_ids. Changes: - Add GetOperationalSpace() utility that always prefers "default" space - Update agent_policy (read, update, delete operations) - Update integration_policy (read, update, delete operations) - Update output (read, update, delete operations) - Update server_host (read, update, delete operations) The "default" space is used as the operational anchor because it cannot be deleted in Kibana, making it a stable reference point. This prevents resource orphaning when space_ids list is reordered. Testing: - 23 unit tests for GetOperationalSpace() including orphaning prevention - All existing tests passing - No breaking changes Fixes resource orphaning bug identified in code review.
…nge) BREAKING CHANGE: The `space_ids` field in the enrollment tokens data source has been changed from a list to a single `space_id` string field. Since enrollment tokens are scoped to a single space, using a list was semantically incorrect. This change aligns the API with the actual Fleet behavior where each token belongs to exactly one space. Migration: - Before: `space_ids = ["my-space"]` - After: `space_id = "my-space"` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Added comprehensive unit and acceptance tests covering:
Unit Tests (17 new tests):
- TestExtractSpaceIDs: Validates Terraform List → Go slice conversion
* Null/unknown lists
* Single and multiple spaces
* Special characters and empty strings
- TestSpaceIDsToList: Validates Go slice → Terraform List conversion
* Empty/nil slices return null lists (by design)
* Single and multiple spaces
* Special characters
- TestExtractAndConvertRoundTrip: Validates bidirectional conversion
* Ensures ExtractSpaceIDs and SpaceIDsToList are inverse operations
* Tests 0-5 space scenarios
Acceptance Tests (1 critical test):
- TestAccResourceAgentPolicySpaceReordering: THE CRITICAL BUG FIX VALIDATION
* Step 1: Create with space_ids = ["default"]
* Step 2: Prepend new space → ["space-test-a", "default"]
- Validates policy_id UNCHANGED (no recreation/orphaning)
* Step 3: Reorder spaces → ["default", "space-test-a"]
- Validates policy_id STILL unchanged
This test EXPLICITLY validates the default-space-first operational model
prevents resource orphaning when users reorder space_ids.
Coverage Impact:
- internal/fleet: 38.5% → 96.2% (+57.7% coverage!)
- ExtractSpaceIDs: 0% → 100%
- SpaceIDsToList: 0% → 100%
- GetOperationalSpace: Already 100% (from previous tests)
Test Count: 40 unit tests + 1 critical acceptance test = 41 total
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
…o inconsistent result
tobio
reviewed
Oct 29, 2025
- Changed space_ids to SetAttribute across all 5 Fleet resources - Fixed prepend bug by reading from STATE not PLAN - Removed 3 helper functions (ExtractSpaceIDs, GetOperationalSpace, ShouldPreserveSpaceIdsOrder) - Eliminates drift from Kibana's alphabetical sorting - Net -89 lines of code Implements @tobio's PR feedback. All unit tests passing.
Member
|
@jamesagarside are you able to follow up with #1390 (comment) as well? |
…on space_ids The integration resource's space_ids field should only have RequiresReplace() plan modifier, not UseStateForUnknown(). This restores the original behavior from the ListAttribute implementation before the Set migration. The two modifiers are contradictory: RequiresReplace() destroys the resource on space_ids changes, so there's no state for UseStateForUnknown() to use.
Update TestAccResourceAgentPolicy to use TestCheckTypeSetElemAttr instead of index-based assertion for space_ids. Sets don't guarantee element order, so index-based checks (space_ids.0) are incorrect. This brings the test in line with the Set migration and matches the pattern used in TestAccResourceAgentPolicySpaceReordering.
Following Tobio's enrollment tokens example, refactor all Fleet client functions to use spaceAwarePathRequestEditor instead of duplicate *InSpace functions with manual HTTP handling. Changes: - Deleted 17 duplicate *InSpace functions (~581 lines of manual HTTP code) - Updated base functions to accept spaceID parameter and use request editor - Simplified all CRUD operations to single function calls - Updated test files for new signatures Benefits: - Single code path using generated client (vs manual HTTP) - Consistent pattern across all Fleet resources - Eliminates 50% code duplication for Fleet operations - Easier to maintain and test All Fleet resources now use: GetResource(ctx, client, id, spaceID) CreateResource(ctx, client, spaceID, body) UpdateResource(ctx, client, id, spaceID, body) DeleteResource(ctx, client, id, spaceID) The spaceAwarePathRequestEditor handles path modification automatically.
jamesagarside
force-pushed
the
space-aware-fleet
branch
from
682d166 to
fc5f9c9
Compare
tobio
approved these changes
Nov 4, 2025
Member
tobio
left a comment
tobio
left a comment
There was a problem hiding this comment.
LGTM, thanks for persisting with the changes here!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR implements comprehensive Kibana Spaces support across all Fleet resources, enabling multi-tenant Fleet management within the Terraform provider. Users can now create and manage Fleet resources (agent policies, integrations, outputs, server hosts) in specific Kibana spaces instead of being limited to the default space.
Completes #1304
What Changed
New Feature:
space_idsAttributeAll Fleet resources now support an optional
space_idsfield:["default"](backward compatible)Resources Updated
elasticstack_fleet_agent_policyelasticstack_fleet_integration_policyelasticstack_fleet_outputelasticstack_fleet_server_hostelasticstack_fleet_integrationelasticstack_fleet_enrollment_tokens(data source)Implementation
1. Space-Aware API Methods (internal/clients/fleet/fleet.go)
Added 650+ lines of space-aware client methods that construct space-specific API paths (
/s/{space_id}/api/fleet/...):GetAgentPolicyInSpace,CreateAgentPolicyInSpace,UpdateAgentPolicyInSpace,DeleteAgentPolicyInSpace2. CRUD Updates Across All Resources
space_idsis setspace_idsfrom parent agent policy3. State Management Fixes
UseStateForUnknownplan modifiers to prevent spurious diffsspace_idspreservation during update operations4. Testing & Documentation
space_idsexamplesExample
Changelog
Added
Fixed
Requirements