elastic · tobio · Dec 10, 2025 · Nov 17, 2025 · Nov 25, 2025 · Dec 5, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,72 @@
 ## [Unreleased]
 
+### Breaking changes
+
+#### `elasticstack_fleet_integration_policy` input block has changed to a map attribute. 
+
+The `input` block in the `elasticstack_fleet_integration_policy` resource has been restructured into the `inputs` map attribute. 
+This transition:
+* Allows the provider to implement semantic equality checking across all inputs within the integration policy. This change:
+  * Prevents several state consistency errors experienced whilst using this resource
+  * Allow practitioners to only define configuration for the inputs, streams, and variables that differ from the package defined defaults.
+* Reduces the scope of the large `streams_json` string. Instead allowing each stream to be defined as it's own object for Terraform drift checking. 
+
+Existing usage of the `input` block must be migrated to the attribute syntax. Some [examples](https://github.com/elastic/terraform-provider-elasticstack/compare/input-attribute?expand=1#diff-3346189f5ed24da90a529a5fa0d06be1745ee9013775c4b8e42a0e909155e5b6) of this migration can be seen in the changes to the provider automated tests. As a step-by-step guide however:
+
+1. `input` blocks are merged together into a single `inputs` attribute
+2. The `input_id` attribute is removed, and instead used as the map key when defining an input
+3. `streams_json` is removed, with the contents becoming a `streams` map attribute
+
+Combined, this looks like:
+
+```hcl
+input {
+  input_id = "tcp-tcp"
+  enabled  = false
+  streams_json = jsonencode({
+    "tcp.generic" : {
+      "enabled" : false
+      "vars" : {
+        "listen_address" : "localhost"
+        "listen_port" : 8085
+        "data_stream.dataset" : "tcp.generic"
+        "tags" : []
+        "syslog_options" : "field: message"
+        "ssl" : ""
+        "custom" : ""
+      }
+    }
+  })
+}
+```
+
+becoming
+
+```hcl
+inputs = {
+  "tcp-tcp" = {
+    enabled = false
+    streams = {
+      "tcp.generic" = {
+        enabled = false
+        vars = jsonencode({
+          "listen_address" : "localhost"
+          "listen_port" : 8085
+          "data_stream.dataset" : "tcp.generic"
+          "tags" : []
+          "syslog_options" : "field: message"
+          "ssl" : ""
+          "custom" : ""
+        })
+      }
+    }
+  }
+}
+```
+
+### Changes
+- Move the `input` block to an `inputs` map in `elasticstack_fleet_integration_policy` ([#1482](https://github.com/elastic/terraform-provider-elasticstack/pull/1482))
+
 ## [0.13.0] - 2025-12-10
 
 ### Breaking changes

diff --git a/docs/resources/fleet_integration_policy.md b/docs/resources/fleet_integration_policy.md
@@ -66,22 +66,24 @@ resource "elasticstack_fleet_integration_policy" "sample" {
   // Optional: specify a custom output to send data to
   // output_id           = "my-custom-output-id"
 
-  input {
-    input_id = "tcp-tcp"
-    streams_json = jsonencode({
-      "tcp.generic" : {
-        "enabled" : true,
-        "vars" : {
-          "listen_address" : "localhost",
-          "listen_port" : 8080,
-          "data_stream.dataset" : "tcp.generic",
-          "tags" : [],
-          "syslog_options" : "field: message\n#format: auto\n#timezone: Local\n",
-          "ssl" : "#certificate: |\n#    -----BEGIN CERTIFICATE-----\n#    ...\n#    -----END CERTIFICATE-----\n#key: |\n#    -----BEGIN PRIVATE KEY-----\n#    ...\n#    -----END PRIVATE KEY-----\n",
-          "custom" : ""
+  inputs = {
+    "tcp-tcp" = {
+      enabled = true
+      streams = {
+        "tcp.generic" = {
+          enabled = true,
+          vars = jsonencode({
+            "listen_address" : "localhost",
+            "listen_port" : 8080,
+            "data_stream.dataset" : "tcp.generic",
+            "tags" : [],
+            "syslog_options" : "field: message\n#format: auto\n#timezone: Local\n",
+            "ssl" : "#certificate: |\n#    -----BEGIN CERTIFICATE-----\n#    ...\n#    -----END CERTIFICATE-----\n#key: |\n#    -----BEGIN PRIVATE KEY-----\n#    ...\n#    -----END PRIVATE KEY-----\n",
+            "custom" : ""
+          })
         }
       }
-    })
+    }
   }
 }
 ```
@@ -103,7 +105,7 @@ resource "elasticstack_fleet_integration_policy" "sample" {
 - `description` (String) The description of the integration policy.
 - `enabled` (Boolean) Enable the integration policy.
 - `force` (Boolean) Force operations, such as creation and deletion, to occur.
-- `input` (Block List) Integration inputs. (see [below for nested schema](#nestedblock--input))
+- `inputs` (Attributes Map) Integration inputs mapped by input ID. (see [below for nested schema](#nestedatt--inputs))
 - `output_id` (String) The ID of the output to send data to. When not specified, the default output of the agent policy will be used.
 - `policy_id` (String) Unique identifier of the integration policy.
 - `space_ids` (Set of String) The Kibana space IDs where this integration policy is available. When set, must match the space_ids of the referenced agent policy. If not set, will be inherited from the agent policy. Note: The order of space IDs does not matter as this is a set.
@@ -113,18 +115,22 @@ resource "elasticstack_fleet_integration_policy" "sample" {
 
 - `id` (String) The ID of this resource.
 
-<a id="nestedblock--input"></a>
-### Nested Schema for `input`
+<a id="nestedatt--inputs"></a>
+### Nested Schema for `inputs`
 
-Required:
+Optional:
+
+- `enabled` (Boolean) Enable the input.
+- `streams` (Attributes Map) Input streams mapped by stream ID. (see [below for nested schema](#nestedatt--inputs--streams))
+- `vars` (String, Sensitive) Input-level variables as JSON.
 
-- `input_id` (String) The identifier of the input.
+<a id="nestedatt--inputs--streams"></a>
+### Nested Schema for `inputs.streams`
 
 Optional:
 
-- `enabled` (Boolean) Enable the input.
-- `streams_json` (String, Sensitive) Input streams as JSON.
-- `vars_json` (String, Sensitive) Input variables as JSON.
+- `enabled` (Boolean) Enable the stream.
+- `vars` (String, Sensitive) Stream-level variables as JSON.
 
 ## Import
 

diff --git a/examples/resources/elasticstack_fleet_integration_policy/resource.tf b/examples/resources/elasticstack_fleet_integration_policy/resource.tf
@@ -35,21 +35,23 @@ resource "elasticstack_fleet_integration_policy" "sample" {
   // Optional: specify a custom output to send data to
   // output_id           = "my-custom-output-id"
 
-  input {
-    input_id = "tcp-tcp"
-    streams_json = jsonencode({
-      "tcp.generic" : {
-        "enabled" : true,
-        "vars" : {
-          "listen_address" : "localhost",
-          "listen_port" : 8080,
-          "data_stream.dataset" : "tcp.generic",
-          "tags" : [],
-          "syslog_options" : "field: message\n#format: auto\n#timezone: Local\n",
-          "ssl" : "#certificate: |\n#    -----BEGIN CERTIFICATE-----\n#    ...\n#    -----END CERTIFICATE-----\n#key: |\n#    -----BEGIN PRIVATE KEY-----\n#    ...\n#    -----END PRIVATE KEY-----\n",
-          "custom" : ""
+  inputs = {
+    "tcp-tcp" = {
+      enabled = true
+      streams = {
+        "tcp.generic" = {
+          enabled = true,
+          vars = jsonencode({
+            "listen_address" : "localhost",
+            "listen_port" : 8080,
+            "data_stream.dataset" : "tcp.generic",
+            "tags" : [],
+            "syslog_options" : "field: message\n#format: auto\n#timezone: Local\n",
+            "ssl" : "#certificate: |\n#    -----BEGIN CERTIFICATE-----\n#    ...\n#    -----END CERTIFICATE-----\n#key: |\n#    -----BEGIN PRIVATE KEY-----\n#    ...\n#    -----END PRIVATE KEY-----\n",
+            "custom" : ""
+          })
         }
       }
-    })
+    }
   }
 }
diff --git a/internal/fleet/integration/acc_test.go b/internal/fleet/integration/acc_test.go
@@ -199,22 +199,23 @@ resource "elasticstack_fleet_integration_policy" "sample" {
   integration_name    = elasticstack_fleet_integration.test_integration.name
   integration_version = elasticstack_fleet_integration.test_integration.version
 
-  input {
-    input_id = "tcp-tcp"
-    streams_json = jsonencode({
-      "tcp.generic" : {
-        "enabled" : true,
-        "vars" : {
-          "listen_address" : "localhost",
-          "listen_port" : 8080,
-          "data_stream.dataset" : "tcp.generic",
-          "tags" : [],
-          "syslog_options" : "field: message\n#format: auto\n#timezone: Local\n",
-          "ssl" : "#certificate: |\n#    -----BEGIN CERTIFICATE-----\n#    ...\n#    -----END CERTIFICATE-----\n#key: |\n#    -----BEGIN PRIVATE KEY-----\n#    ...\n#    -----END PRIVATE KEY-----\n",
-          "custom" : ""
-        }
+  inputs = {
+    "tcp-tcp" = {
+	  streams = {
+	    "tcp.generic" = {
+	      enabled = true,
+		  vars = jsonencode({ 
+		    "listen_address" : "localhost",
+			"listen_port" : 8080,
+		  	"data_stream.dataset" : "tcp.generic",
+			"tags" : [],
+			"syslog_options" : "field: message\n#format: auto\n#timezone: Local\n",
+			"ssl" : "#certificate: |\n#    -----BEGIN CERTIFICATE-----\n#    ...\n#    -----END CERTIFICATE-----\n#key: |\n#    -----BEGIN PRIVATE KEY-----\n#    ...\n#    -----END PRIVATE KEY-----\n",
+			"custom" : ""
+		  })
+		}
       }
-    })
+    }
   }
 }
 `, version, policyName, policyName)