[Alerting][TaskManager] Skip UIAM conversion retries for org-membership failures

[ersin-erdal]

Summary

Extends the UIAM API key provisioning task (rules and tasks) so it stops
retrying rules/tasks that hit a permanent UIAM conversion failure with
error code 0xBE2B58:

Internal server error: API key with ID [...] is not valid for conversion. ES API key creator [...] is not a member of organization [...]

It joins the existing permanent failure code
0x357391 ("ES API key creator is not a Cloud user").

What changed

• New shared constant list PERMANENT_UIAM_CONVERSION_ERROR_CODES in both alerting/server/provisioning/constants.ts and task_manager/server/uiam_api_key_provisioning/constants.ts, grouping NON_CLOUD_USER_API_KEY_CREATOR_ERROR_CODE (0x357391) and the new API_KEY_CREATOR_NOT_ORG_MEMBER_ERROR_CODE (0xBE2B58).
• getExcludeRulesFilter and getExcludeTasksFilter now OR over that list inside the FAILED branch, so any rule/task whose persisted uiam_api_keys_provisioning_status doc carries one of these codes is excluded from future provisioning attempts.
• Unit tests parameterised over the list and a new assertion verifying the failed branch contains an OR of every known permanent code (so a future code added to the list will fail the test until covered).

The persistence side already writes the UIAM code onto the status doc via map_convert_response_to_result.ts, so no additional plumbing was needed.

To verify

1. Start an unenrolled stack:

   yarn es serverless --projectType observability --uiam
   yarn start --serverless oblt --run-examples --no-uiam
   

   With UIAM disabled, example rules are created with ES-only API keys.
2. In config/kibana.dev.yml set feature_flags.overrides.alerting.rules.provisionUiamApiKeys: true and restart Kibana with yarn start --serverless oblt --run-examples.
3. Drive at least one rule into a permanent failure with each code (e.g. create the rule with an ES API key whose creator is not a member of the UIAM organization for 0xBE2B58; with a non-Cloud user for 0x357391).
4. Inspect the provisioning status docs:

   GET /.kibana_alerting_cases_*/_search
   {
     "query": { "match": { "type": "uiam_api_keys_provisioning_status" } }
   }
   

   Confirm the failing rules have attributes.status: "failed" and attributes.errorCode set to 0x357391 or 0xBE2B58.
5. Trigger another provisioning run and verify the failing rules are no longer attempted (no new attempts logged, status doc unchanged) while other failed rules without these codes continue to be retried.

Made with Cursor

[infra-vault-gh-plugin-prod]

Pinging @elastic/response-ops (Team:ResponseOps)

[darnautov]

we already have a package @kbn/uiam-api-keys-provisioning-status, shall we consolidate these codes there?

[ersin-erdal]

Good call — done in ba5d286. The two codes plus PERMANENT_UIAM_CONVERSION_ERROR_CODES now live in @kbn/uiam-api-keys-provisioning-status alongside the status/entity enums; the alerting and task_manager plugins import them from there.

[kibanamachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: ba5d286
• Build duration: 73 mins

Failed CI Steps

• FTR Configs #66
• Scout Lane #46 - serverless-observability_complete / default

Metrics [docs]

✅ unchanged

History

• 💛 Build #450350 was flaky a5df068