[Fleet] flag package policy SO to trigger agent policy bump

packages/kbn-check-mappings-update-cli/current_fields.json

@@ -690,6 +690,7 @@
     "version"
   ],
   "ingest-package-policies": [
+    "bump_agent_policy_revision",
     "created_at",
     "created_by",
     "description",

packages/kbn-check-mappings-update-cli/current_mappings.json

@@ -2292,6 +2292,9 @@
   },
   "ingest-package-policies": {
     "properties": {
+      "bump_agent_policy_revision": {
+        "type": "boolean"
+      },
       "created_at": {
         "type": "date"
       },

src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts

@@ -123,7 +123,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "ingest-agent-policies": "5e95e539826a40ad08fd0c1d161da0a4d86ffc6d",
         "ingest-download-sources": "279a68147e62e4d8858c09ad1cf03bd5551ce58d",
         "ingest-outputs": "55988d5f778bbe0e76caa7e6468707a0a056bdd8",
-        "ingest-package-policies": "53a94064674835fdb35e5186233bcd7052eabd22",
+        "ingest-package-policies": "dfa7b1045a2667a822181f40f012786724492439",
         "ingest_manager_settings": "111a616eb72627c002029c19feb9e6c439a10505",
         "inventory-view": "b8683c8e352a286b4aca1ab21003115a4800af83",
         "kql-telemetry": "93c1d16c1a0dfca9c8842062cf5ef8f62ae401ad",

x-pack/plugins/fleet/common/types/models/package_policy.ts

@@ -112,6 +112,7 @@ export interface PackagePolicy extends Omit<NewPackagePolicy, 'inputs'> {
   updated_by: string;
   created_at: string;
   created_by: string;
+  bump_agent_policy_revision?: boolean;
 }
 
 export type DryRunPackagePolicy = NewPackagePolicy & {

x-pack/plugins/fleet/server/plugin.ts

@@ -143,6 +143,7 @@ import { registerFieldsMetadataExtractors } from './services/register_fields_met
 import { registerUpgradeManagedPackagePoliciesTask } from './services/setup/managed_package_policies';
 import { registerDeployAgentPoliciesTask } from './services/agent_policies/deploy_agent_policies_task';
 import { DeleteUnenrolledAgentsTask } from './tasks/delete_unenrolled_agents_task';
+import { registerBumpAgentPoliciesTask } from './services/agent_policies/bump_agent_policies_task';
 
 export interface FleetSetupDeps {
   security: SecurityPluginSetup;
@@ -619,6 +620,7 @@ export class FleetPlugin
     // Register task
     registerUpgradeManagedPackagePoliciesTask(deps.taskManager);
     registerDeployAgentPoliciesTask(deps.taskManager);
+    registerBumpAgentPoliciesTask(deps.taskManager);
 
     this.bulkActionsResolver = new BulkActionsResolver(deps.taskManager, core);
     this.checkDeletedFilesTask = new CheckDeletedFilesTask({

x-pack/plugins/fleet/server/saved_objects/index.ts

@@ -619,6 +619,7 @@ export const getSavedObjectTypes = (
           updated_by: { type: 'keyword' },
           created_at: { type: 'date' },
           created_by: { type: 'keyword' },
+          bump_agent_policy_revision: { type: 'boolean' },
         },
       },
       modelVersions: {
@@ -763,6 +764,26 @@ export const getSavedObjectTypes = (
             },
           ],
         },
+        '15': {
+          changes: [
+            {
+              type: 'mappings_addition',
+              addedMappings: {
+                bump_agent_policy_revision: { type: 'boolean' },
+              },
+            },
+          ],
+        },
+        // '16': {
+        //   changes: [
+        //     {
+        //       type: 'data_backfill',
+        //       backfillFn: (doc) => {
+        //         return { attributes: { ...doc.attributes, bump_agent_policy_revision: true } };
+        //       },
+        //     },
+        //   ],
+        // },
       },
       migrations: {
         '7.10.0': migratePackagePolicyToV7100,

x-pack/plugins/fleet/server/services/agent_policies/bump_agent_policies_task.test.ts

@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { loggingSystemMock } from '@kbn/core/server/mocks';
+
+import { agentPolicyService } from '../agent_policy';
+
+import { packagePolicyService } from '../package_policy';
+import type { PackagePolicy } from '../../types';
+
+import { _updatePackagePoliciesThatNeedBump } from './bump_agent_policies_task';
+
+jest.mock('../app_context');
+jest.mock('../agent_policy');
+jest.mock('../package_policy');
+
+const mockedAgentPolicyService = jest.mocked(agentPolicyService);
+const mockedPackagePolicyService = jest.mocked(packagePolicyService);
+
+describe('_updatePackagePoliciesThatNeedBump', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockedPackagePolicyService.list.mockResolvedValueOnce({
+      total: 1,
+      items: [
+        {
+          id: 'packagePolicy1',
+          bump_agent_policy_revision: true,
+        } as PackagePolicy,
+      ],
+      page: 1,
+      perPage: 100,
+    });
+    mockedPackagePolicyService.list.mockResolvedValueOnce({
+      total: 0,
+      items: [],
+      page: 1,
+      perPage: 100,
+    });
+  });
+
+  it('should update package policy if bump agent policy revision needed', async () => {
+    const logger = loggingSystemMock.createLogger();
+
+    await _updatePackagePoliciesThatNeedBump(logger);
+
+    expect(mockedPackagePolicyService.bulkUpdate).toHaveBeenCalledWith(undefined, undefined, [
+      { bump_agent_policy_revision: false, id: 'packagePolicy1' },
+    ]);
+  });
+});

x-pack/plugins/fleet/server/services/agent_policies/bump_agent_policies_task.ts

@@ -0,0 +1,95 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { Logger } from '@kbn/core/server';
+import type {
+  ConcreteTaskInstance,
+  TaskManagerSetupContract,
+  TaskManagerStartContract,
+} from '@kbn/task-manager-plugin/server';
+import { v4 as uuidv4 } from 'uuid';
+
+import { appContextService, packagePolicyService } from '..';
+import { runWithCache } from '../epm/packages/cache';
+
+const TASK_TYPE = 'fleet:bump_agent_policies';
+const BATCH_SIZE = 100;
+export function registerBumpAgentPoliciesTask(taskManagerSetup: TaskManagerSetupContract) {
+  taskManagerSetup.registerTaskDefinitions({
+    [TASK_TYPE]: {
+      title: 'Fleet Bump policies',
+      timeout: '5m',
+      maxAttempts: 3,
+      createTaskRunner: ({ taskInstance }: { taskInstance: ConcreteTaskInstance }) => {
+        let cancelled = false;
+        return {
+          async run() {
+            if (cancelled) {
+              throw new Error('Task has been cancelled');
+            }
+
+            await runWithCache(async () => {
+              await _updatePackagePoliciesThatNeedBump(appContextService.getLogger());
+
+              // TODO agent policies
+            });
+          },
+          async cancel() {
+            cancelled = true;
+          },
+        };
+      },
+    },
+  });
+}
+
+async function getPackagePoliciesToBump() {
+  return await packagePolicyService.list(appContextService.getInternalUserSOClient(), {
+    kuery: 'ingest-package-policies.bump_agent_policy_revision:true',
+    perPage: BATCH_SIZE,
+  });
+}
+
+export async function _updatePackagePoliciesThatNeedBump(logger: Logger) {
+  // TODO spaces?
+  let packagePoliciesToBump = await getPackagePoliciesToBump();
+
+  logger.info(
+    `Found ${packagePoliciesToBump.total} package policies that need agent policy revision bump`
+  );
+
+  while (packagePoliciesToBump.total > 0) {
+    const start = Date.now();
+    // resetting the flag will trigger a revision bump
+    await packagePolicyService.bulkUpdate(
+      appContextService.getInternalUserSOClient(),
+      appContextService.getInternalUserESClient(),
+      packagePoliciesToBump.items.map((item) => ({
+        ...item,
+        bump_agent_policy_revision: false,
+      }))
+    );
+    const updatedCount = packagePoliciesToBump.items.length;
+
+    packagePoliciesToBump = await getPackagePoliciesToBump();
+    logger.debug(
+      `Updated ${updatedCount} package policies in ${Date.now() - start}ms, ${
+        packagePoliciesToBump.total
+      } remaining`
+    );
+  }
+}
+
+export async function scheduleBumpAgentPoliciesTask(taskManagerStart: TaskManagerStartContract) {
+  await taskManagerStart.ensureScheduled({
+    id: `${TASK_TYPE}:${uuidv4()}`,
+    scope: ['fleet'],
+    params: {},
+    taskType: TASK_TYPE,
+    runAt: new Date(Date.now() + 3 * 1000),
+    state: {},
+  });
+}

x-pack/plugins/fleet/server/services/setup/fleet_server_policies_enrollment_keys.test.ts

@@ -17,6 +17,7 @@ import { ensureAgentPoliciesFleetServerKeysAndPolicies } from './fleet_server_po
 jest.mock('../app_context');
 jest.mock('../agent_policy');
 jest.mock('../api_keys');
+jest.mock('../agent_policies/bump_agent_policies_task');
 
 const mockedEnsureDefaultEnrollmentAPIKeyForAgentPolicy = jest.mocked(
   ensureDefaultEnrollmentAPIKeyForAgentPolicy

x-pack/plugins/fleet/server/services/setup/fleet_server_policies_enrollment_keys.ts

@@ -13,6 +13,7 @@ import { ensureDefaultEnrollmentAPIKeyForAgentPolicy } from '../api_keys';
 import { SO_SEARCH_LIMIT } from '../../constants';
 import { appContextService } from '../app_context';
 import { scheduleDeployAgentPoliciesTask } from '../agent_policies/deploy_agent_policies_task';
+import { scheduleBumpAgentPoliciesTask } from '../agent_policies/bump_agent_policies_task';
 
 export async function ensureAgentPoliciesFleetServerKeysAndPolicies({
   logger,
@@ -37,7 +38,6 @@ export async function ensureAgentPoliciesFleetServerKeysAndPolicies({
   });
 
   const outdatedAgentPolicyIds: Array<{ id: string; spaceId?: string }> = [];
-
   await pMap(
     agentPolicies,
     async (agentPolicy) => {
@@ -55,23 +55,23 @@ export async function ensureAgentPoliciesFleetServerKeysAndPolicies({
     }
   );
 
-  if (!outdatedAgentPolicyIds.length) {
-    return;
-  }
+  await scheduleBumpAgentPoliciesTask(appContextService.getTaskManagerStart()!);
 
-  if (appContextService.getExperimentalFeatures().asyncDeployPolicies) {
-    return scheduleDeployAgentPoliciesTask(
-      appContextService.getTaskManagerStart()!,
-      outdatedAgentPolicyIds
-    );
-  } else {
-    return agentPolicyService
-      .deployPolicies(
-        soClient,
-        outdatedAgentPolicyIds.map(({ id }) => id)
-      )
-      .catch((error) => {
-        logger.warn(`Error deploying policies: ${error.message}`, { error });
-      });
+  if (outdatedAgentPolicyIds.length) {
+    if (appContextService.getExperimentalFeatures().asyncDeployPolicies) {
+      return scheduleDeployAgentPoliciesTask(
+        appContextService.getTaskManagerStart()!,
+        outdatedAgentPolicyIds
+      );
+    } else {
+      return agentPolicyService
+        .deployPolicies(
+          soClient,
+          outdatedAgentPolicyIds.map(({ id }) => id)
+        )
+        .catch((error) => {
+          logger.warn(`Error deploying policies: ${error.message}`, { error });
+        });
+    }
   }
 }