[Validation] Detect manifest variable shadowing

[andrewkroh]

Problem

We had a recent issue with a package where the same named variable was declared in both the package level manifest and the data stream level manifest. This was unintentional and I thought it could be an opportunity to improve package validation.

Proposed change

Add a semantic validation rule that fails when it detects variable shadowing in manifests. The rule would need to consider variables declared at the root level, policy_template level, and data stream level. It needs to take into account that variables are scoped to an input type at the policy_template level and data stream level.

Or if variable shadowing / redeclaration is an intentional feature then the spec should document the expected behavior with respect to precedence. Developers need to know which value should be passed into the Agent handlebar template.

Example of shadowing

In this hypothetical example access_key_id has been declared three times for the same data stream.

# manifest.yml
vars:
  - name: access_key_id
    type: text
    title: Access Key ID

policy_templates:
  - name: billing
    data_streams:
      - billing
    inputs:
      - type: foo/metrics
        vars:
          - name: access_key_id
            type: text
            title: Access Key ID

# data_stream/billing/manifest.yml
streams:
  - input: foo/metrics
    vars:
      - name: access_key_id
        type: text
        title: Access Key ID

[andrewkroh]

@efd6 mentioned a nice side effect:

Also, with this properly checked, it would be possible to vet the test configs so that they will fail out if a field is used in the wrong place relative to the manifest.

For example, test configs sometimes declare the variable at the wrong level.

# data_stream/billing/_dev/test/system/test-metrics-config.yml
input: foo/metrics

# One of these is definitely wrong if we disallow redeclaration.
vars:
  access_key_id: FOO

data_stream:
  vars:
      access_key_id: FOO

I would think that the Fleet API that accepts the configuration for the package could perform this validation and reject variables that are specified but don't exist in the manifest (but I don't know the API well). Also this could be detected by package-spec validation of the system test config.

[andrewkroh]

The AWS inspector policy template declares proxy_url at both the policy template and in the data stream level. I used this opportunity to observe variable precedence. The value declared in the stream is the one that prevailed in the agent policy.

Issue: elastic/integrations#6148