[Fleet] Avoid enabling agentless inputs by default in default deployment mode (elastic#269428)

jsoriano · web-flow · commit ae0d5ad6cca1 · 2026-05-20T12:22:12.000-05:00
The simplified policy API enables all inputs that are enabled by
default. This simplifies configuration following the defaults included
by package developers.

This change slightly changes this behavior to disable agentless-only
inputs when agentless is not enabled.

With previous implementation the request would have returned a 400
error, with current implementation the agentless-only inputs are
silently disabled. There is no way to enable agentless-only inputs in a
non-agentless policy.
diff --git a/x-pack/platform/plugins/shared/fleet/common/services/simplified_package_policy_helper.test.ts b/x-pack/platform/plugins/shared/fleet/common/services/simplified_package_policy_helper.test.ts
@@ -15,6 +15,130 @@ import {
   generateInputId,
 } from './simplified_package_policy_helper';
 
+/**
+ * Minimal multi-template package fixture covering both shapes of the
+ * deployment-mode annotation that drove https://github.com/elastic/kibana/issues/268930:
+ *
+ * - `otel`: a normal template with no `deployment_modes` annotation. Implicitly
+ *   allowed in both default and agentless modes.
+ * - `apache-agentless`: a template marked agentless-only at the template level
+ *   (`deployment_modes.default.enabled = false`). Its `aws/s3` input is also
+ *   annotated `deployment_modes: ['agentless']` for good measure.
+ * - `mixed`: a template with no template-level annotation but a per-input
+ *   annotation: `httpjson` is unannotated (allowed everywhere), `cel` is
+ *   annotated `deployment_modes: ['agentless']`.
+ */
+const multiTemplatePkgInfo = {
+  name: 'good_v3',
+  title: 'Good v3',
+  version: '1.0.0',
+  description: 'Test package with multiple policy templates',
+  type: 'integration',
+  format_version: '3.0.0',
+  owner: { github: 'elastic/fleet' },
+  policy_templates: [
+    {
+      name: 'otel',
+      title: 'OTel template',
+      description: 'Default-allowed template',
+      inputs: [{ type: 'otelcol', title: 'OTel collector', description: '' }],
+      multiple: true,
+    },
+    {
+      name: 'apache-agentless',
+      title: 'Apache agentless template',
+      description: 'Agentless-only template',
+      deployment_modes: {
+        agentless: { enabled: true },
+        default: { enabled: false },
+      },
+      inputs: [
+        {
+          type: 'aws/s3',
+          title: 'AWS S3',
+          description: '',
+          deployment_modes: ['agentless'],
+        },
+      ],
+      multiple: false,
+    },
+    {
+      name: 'mixed',
+      title: 'Mixed template',
+      description: 'Template with default-allowed and agentless-only inputs',
+      inputs: [
+        { type: 'httpjson', title: 'HTTP JSON', description: '' },
+        {
+          type: 'cel',
+          title: 'CEL',
+          description: '',
+          deployment_modes: ['agentless'],
+        },
+      ],
+      multiple: true,
+    },
+  ],
+  data_streams: [
+    {
+      type: 'logs',
+      dataset: 'good_v3.otel_logs',
+      title: 'OTel logs',
+      release: 'ga',
+      package: 'good_v3',
+      ingest_pipeline: 'default',
+      path: 'otel_logs',
+      streams: [
+        {
+          input: 'otelcol',
+          title: 'OTel logs stream',
+          description: '',
+          vars: [],
+          template_path: '',
+        },
+      ],
+    },
+    {
+      type: 'logs',
+      dataset: 'good_v3.s3_logs',
+      title: 'S3 logs',
+      release: 'ga',
+      package: 'good_v3',
+      ingest_pipeline: 'default',
+      path: 's3_logs',
+      streams: [
+        {
+          input: 'aws/s3',
+          title: 'S3 logs stream',
+          description: '',
+          vars: [],
+          template_path: '',
+        },
+      ],
+    },
+    {
+      type: 'logs',
+      dataset: 'good_v3.cel_logs',
+      title: 'CEL logs',
+      release: 'ga',
+      package: 'good_v3',
+      ingest_pipeline: 'default',
+      path: 'cel_logs',
+      streams: [
+        {
+          input: 'cel',
+          title: 'CEL logs stream',
+          description: '',
+          vars: [],
+          template_path: '',
+        },
+      ],
+    },
+  ],
+  latestVersion: '1.0.0',
+  keepPoliciesUpToDate: false,
+  status: 'not_installed',
+} as unknown as PackageInfo;
+
 function getEnabledInputsAndStreams(newPackagePolicy: NewPackagePolicy) {
   return newPackagePolicy.inputs
     .filter((input) => input.enabled)
@@ -250,4 +374,120 @@ describe('toPackagePolicy', () => {
       expect((simplified as any).var_group_selections).toEqual(varGroupSelections);
     });
   });
+
+  /**
+   * Regression tests for https://github.com/elastic/kibana/issues/268930.
+   *
+   * When a multi-policy-template package is used with the simplified API and
+   * the resulting policy targets the default deployment mode, inputs that the
+   * package spec marks as not allowed in default mode (either via a
+   * template-level `deployment_modes.default.enabled = false` flag or a
+   * per-input `deployment_modes: ['agentless']` annotation) must come out as
+   * `enabled: false` so that `validateDeploymentModesForInputs` does not
+   * reject the policy with a 400.
+   *
+   * Agentless mode is intentionally not subject to this filtering: that flow
+   * already routes through an explicit `policy_template` and would not benefit.
+   */
+  describe('default-mode filtering for multi-template packages', () => {
+    it('disables inputs from agentless-only templates when no inputs are listed', () => {
+      const res = simplifiedPackagePolicytoNewPackagePolicy(
+        {
+          name: 'good-v3-defaults',
+          namespace: 'default',
+          policy_ids: ['policy123'],
+        },
+        multiTemplatePkgInfo
+      );
+
+      const apacheInput = res.inputs.find((input) => input.policy_template === 'apache-agentless');
+      expect(apacheInput).toBeDefined();
+      expect(apacheInput?.enabled).toBe(false);
+    });
+
+    it('disables agentless-only inputs inside otherwise default-allowed templates', () => {
+      const res = simplifiedPackagePolicytoNewPackagePolicy(
+        {
+          name: 'good-v3-defaults',
+          namespace: 'default',
+          policy_ids: ['policy123'],
+        },
+        multiTemplatePkgInfo
+      );
+
+      const celInput = res.inputs.find(
+        (input) => input.policy_template === 'mixed' && input.type === 'cel'
+      );
+      const httpjsonInput = res.inputs.find(
+        (input) => input.policy_template === 'mixed' && input.type === 'httpjson'
+      );
+
+      expect(celInput?.enabled).toBe(false);
+      expect(httpjsonInput?.enabled).toBe(true);
+    });
+
+    it('keeps inputs without deployment_modes annotations enabled in default mode', () => {
+      const res = simplifiedPackagePolicytoNewPackagePolicy(
+        {
+          name: 'good-v3-defaults',
+          namespace: 'default',
+          policy_ids: ['policy123'],
+        },
+        multiTemplatePkgInfo
+      );
+
+      const otelInput = res.inputs.find((input) => input.policy_template === 'otel');
+      expect(otelInput?.enabled).toBe(true);
+    });
+
+    it('disables streams of inputs filtered out by default-mode policy', () => {
+      const res = simplifiedPackagePolicytoNewPackagePolicy(
+        {
+          name: 'good-v3-defaults',
+          namespace: 'default',
+          policy_ids: ['policy123'],
+        },
+        multiTemplatePkgInfo
+      );
+
+      const apacheInput = res.inputs.find((input) => input.policy_template === 'apache-agentless');
+      expect(apacheInput?.streams.length).toBeGreaterThan(0);
+      expect(apacheInput?.streams.every((stream) => stream.enabled === false)).toBe(true);
+    });
+
+    it('does not affect agentless policies (symmetric behavior intentionally omitted)', () => {
+      const res = simplifiedPackagePolicytoNewPackagePolicy(
+        {
+          name: 'good-v3-agentless',
+          namespace: 'default',
+          policy_ids: ['policy123'],
+          supports_agentless: true,
+        },
+        multiTemplatePkgInfo
+      );
+
+      const apacheInput = res.inputs.find((input) => input.policy_template === 'apache-agentless');
+      const celInput = res.inputs.find(
+        (input) => input.policy_template === 'mixed' && input.type === 'cel'
+      );
+      expect(apacheInput?.enabled).toBe(true);
+      expect(celInput?.enabled).toBe(true);
+    });
+
+    it('is a no-op for packages without deployment_modes annotations', () => {
+      const res = simplifiedPackagePolicytoNewPackagePolicy(
+        {
+          name: 'nginx-1',
+          namespace: 'default',
+          policy_ids: ['policy123'],
+        },
+        nginxPackageInfo as unknown as PackageInfo
+      );
+
+      expect(getEnabledInputsAndStreams(res)).toEqual({
+        'nginx-logfile': ['nginx.access', 'nginx.error'],
+        'nginx-nginx/metrics': ['nginx.stubstatus'],
+      });
+    });
+  });
 });
diff --git a/x-pack/platform/plugins/shared/fleet/common/services/simplified_package_policy_helper.ts b/x-pack/platform/plugins/shared/fleet/common/services/simplified_package_policy_helper.ts
@@ -237,6 +237,18 @@ export function simplifiedPackagePolicytoNewPackagePolicy(
       options.experimental_data_stream_features;
   }
 
+  // Disable agentless-only inputs for non-agentless policies; the reverse is unnecessary as the agentless API always passes an explicit policy_template.
+  if (!supportsAgentless) {
+    packagePolicy.inputs.forEach((input) => {
+      if (!isInputAllowedForDeploymentMode(input, 'default', packageInfo)) {
+        input.enabled = false;
+        input.streams.forEach((stream) => {
+          stream.enabled = false;
+        });
+      }
+    });
+  }
+
   // Build a input and streams Map to easily find package policy stream
   const inputMap: InputMap = new Map();
   packagePolicy.inputs.forEach((input) => {
