elastic
diff --git a/‎internal/clients/api_client.go
+129-189 b/‎internal/clients/api_client.go
+129-189
diff --git a/‎internal/elasticsearch/cluster/script.go
+10-11 b/‎internal/elasticsearch/cluster/script.go
+10-11
@@ -60,121 +60,7 @@ type ApiClient struct {
 
 func NewApiClientFunc(version string) func(context.Context, *schema.ResourceData) (interface{}, diag.Diagnostics) {
 	return func(ctx context.Context, d *schema.ResourceData) (interface{}, diag.Diagnostics) {
-		var diags diag.Diagnostics
-		config := elasticsearch.Config{}
-		config.Header = http.Header{"User-Agent": []string{fmt.Sprintf("elasticstack-terraform-provider/%s", version)}}
-
-		if v, ok := d.GetOk("elasticsearch"); ok {
-			// if defined we must have only one entry
-			if esc := v.([]interface{})[0]; esc != nil {
-				esConfig := esc.(map[string]interface{})
-				if username, ok := esConfig["username"]; ok {
-					config.Username = username.(string)
-				}
-				if password, ok := esConfig["password"]; ok {
-					config.Password = password.(string)
-				}
-				if apikey, ok := esConfig["api_key"]; ok {
-					config.APIKey = apikey.(string)
-				}
-
-				// default endpoints taken from Env if set
-				if es := os.Getenv("ELASTICSEARCH_ENDPOINTS"); es != "" {
-					endpoints := make([]string, 0)
-					for _, e := range strings.Split(es, ",") {
-						endpoints = append(endpoints, strings.TrimSpace(e))
-					}
-					config.Addresses = endpoints
-				}
-				// setting endpoints from config block if provided
-				if eps, ok := esConfig["endpoints"]; ok && len(eps.([]interface{})) > 0 {
-					endpoints := make([]string, 0)
-					for _, e := range eps.([]interface{}) {
-						endpoints = append(endpoints, e.(string))
-					}
-					config.Addresses = endpoints
-				}
-
-				if insecure, ok := esConfig["insecure"]; ok && insecure.(bool) {
-					tlsClientConfig := ensureTLSClientConfig(&config)
-					tlsClientConfig.InsecureSkipVerify = true
-				}
-
-				if caFile, ok := esConfig["ca_file"]; ok && caFile.(string) != "" {
-					caCert, err := os.ReadFile(caFile.(string))
-					if err != nil {
-						diags = append(diags, diag.Diagnostic{
-							Severity: diag.Error,
-							Summary:  "Unable to read CA File",
-							Detail:   err.Error(),
-						})
-						return nil, diags
-					}
-					config.CACert = caCert
-				}
-				if caData, ok := esConfig["ca_data"]; ok && caData.(string) != "" {
-					config.CACert = []byte(caData.(string))
-				}
-
-				if certFile, ok := esConfig["cert_file"]; ok && certFile.(string) != "" {
-					if keyFile, ok := esConfig["key_file"]; ok && keyFile.(string) != "" {
-						cert, err := tls.LoadX509KeyPair(certFile.(string), keyFile.(string))
-						if err != nil {
-							diags = append(diags, diag.Diagnostic{
-								Severity: diag.Error,
-								Summary:  "Unable to read certificate or key file",
-								Detail:   err.Error(),
-							})
-							return nil, diags
-						}
-						tlsClientConfig := ensureTLSClientConfig(&config)
-						tlsClientConfig.Certificates = []tls.Certificate{cert}
-					} else {
-						diags = append(diags, diag.Diagnostic{
-							Severity: diag.Error,
-							Summary:  "Unable to read key file",
-							Detail:   "Path to key file has not been configured or is empty",
-						})
-						return nil, diags
-					}
-				}
-				if certData, ok := esConfig["cert_data"]; ok && certData.(string) != "" {
-					if keyData, ok := esConfig["key_data"]; ok && keyData.(string) != "" {
-						cert, err := tls.X509KeyPair([]byte(certData.(string)), []byte(keyData.(string)))
-						if err != nil {
-							diags = append(diags, diag.Diagnostic{
-								Severity: diag.Error,
-								Summary:  "Unable to parse certificate or key",
-								Detail:   err.Error(),
-							})
-							return nil, diags
-						}
-						tlsClientConfig := ensureTLSClientConfig(&config)
-						tlsClientConfig.Certificates = []tls.Certificate{cert}
-					} else {
-						diags = append(diags, diag.Diagnostic{
-							Severity: diag.Error,
-							Summary:  "Unable to parse key",
-							Detail:   "Key data has not been configured or is empty",
-						})
-						return nil, diags
-					}
-				}
-			}
-		}
-
-		es, err := elasticsearch.NewClient(config)
-		if err != nil {
-			diags = append(diags, diag.Diagnostic{
-				Severity: diag.Error,
-				Summary:  "Unable to create Elasticsearch client",
-				Detail:   err.Error(),
-			})
-		}
-		if logging.IsDebugOrHigher() {
-			es.Transport = newDebugTransport("elasticsearch", es.Transport)
-		}
-		return &ApiClient{es, version}, diags
+		return newEsApiClient(d, "elasticsearch", version, true)
 	}
 }
 
@@ -205,83 +91,16 @@ func NewAcceptanceTestingClient() (*ApiClient, error) {
 	return &ApiClient{es, "acceptance-testing"}, nil
 }
 
-func NewApiClient(d *schema.ResourceData, meta interface{}) (*ApiClient, error) {
-	defaultClient := meta.(*ApiClient)
-	// if the config provided let's use it
-	if esConn, ok := d.GetOk("elasticsearch_connection"); ok {
-		config := elasticsearch.Config{}
-		config.Header = http.Header{"User-Agent": []string{fmt.Sprintf("elasticstack-terraform-provider/%s", defaultClient.version)}}
-
-		// there is always only 1 connection per resource
-		conn := esConn.([]interface{})[0].(map[string]interface{})
-
-		if u := conn["username"]; u != nil {
-			config.Username = u.(string)
-		}
-		if p := conn["password"]; p != nil {
-			config.Password = p.(string)
-		}
-		if k := conn["api_key"]; k != nil {
-			config.APIKey = k.(string)
-		}
-		if endpoints := conn["endpoints"]; endpoints != nil {
-			var addrs []string
-			for _, e := range endpoints.([]interface{}) {
-				addrs = append(addrs, e.(string))
-			}
-			config.Addresses = addrs
-		}
-		if insecure := conn["insecure"]; insecure.(bool) {
-			tlsClientConfig := ensureTLSClientConfig(&config)
-			tlsClientConfig.InsecureSkipVerify = true
-		}
-		if caFile, ok := conn["ca_file"]; ok && caFile.(string) != "" {
-			caCert, err := os.ReadFile(caFile.(string))
-			if err != nil {
-				return nil, fmt.Errorf("Unable to read ca_file: %w", err)
-			}
-			config.CACert = caCert
-		}
-		if caData, ok := conn["ca_data"]; ok && caData.(string) != "" {
-			config.CACert = []byte(caData.(string))
-		}
+const esConnectionKey string = "elasticsearch_connection"
 
-		if certFile, ok := conn["cert_file"]; ok && certFile.(string) != "" {
-			if keyFile, ok := conn["key_file"]; ok && keyFile.(string) != "" {
-				cert, err := tls.LoadX509KeyPair(certFile.(string), keyFile.(string))
-				if err != nil {
-					return nil, fmt.Errorf("Unable to read certificate or key file: %w", err)
-				}
-				tlsClientConfig := ensureTLSClientConfig(&config)
-				tlsClientConfig.Certificates = []tls.Certificate{cert}
-			} else {
-				return nil, fmt.Errorf("Unable to read key file: Path to key file has not been configured or is empty")
-			}
-		}
-		if certData, ok := conn["cert_data"]; ok && certData.(string) != "" {
-			if keyData, ok := conn["key_data"]; ok && keyData.(string) != "" {
-				cert, err := tls.X509KeyPair([]byte(certData.(string)), []byte(keyData.(string)))
-				if err != nil {
-					return nil, fmt.Errorf("Unable to parse certificate or key: %w", err)
-				}
-				tlsClientConfig := ensureTLSClientConfig(&config)
-				tlsClientConfig.Certificates = []tls.Certificate{cert}
-			} else {
-				return nil, fmt.Errorf("Unable to parse key: Key data has not been configured or is empty")
-			}
-		}
+func NewApiClient(d *schema.ResourceData, meta interface{}) (*ApiClient, diag.Diagnostics) {
+	defaultClient := meta.(*ApiClient)
 
-		es, err := elasticsearch.NewClient(config)
-		if err != nil {
-			return nil, fmt.Errorf("Unable to create Elasticsearch client")
-		}
-		if logging.IsDebugOrHigher() {
-			es.Transport = newDebugTransport("elasticsearch", es.Transport)
-		}
-		return &ApiClient{es, defaultClient.version}, nil
-	} else { // or return the default client
-		return defaultClient, nil
+	if _, ok := d.GetOk(esConnectionKey); ok {
+		return newEsApiClient(d, esConnectionKey, defaultClient.version, false)
 	}
+
+	return defaultClient, nil
 }
 
 func ensureTLSClientConfig(config *elasticsearch.Config) *tls.Config {
@@ -360,3 +179,124 @@ func (a *ApiClient) ClusterID(ctx context.Context) (*string, diag.Diagnostics) {
 	})
 	return nil, diags
 }
+
+func newEsApiClient(d *schema.ResourceData, key string, version string, useEnvAsDefault bool) (*ApiClient, diag.Diagnostics) {
+	var diags diag.Diagnostics
+	config := elasticsearch.Config{}
+	config.Header = http.Header{"User-Agent": []string{fmt.Sprintf("elasticstack-terraform-provider/%s", version)}}
+
+	if esConn, ok := d.GetOk(key); ok {
+		// if defined, then we only have a single entry
+		if es := esConn.([]interface{})[0]; es != nil {
+			esConfig := es.(map[string]interface{})
+
+			if username, ok := esConfig["username"]; ok {
+				config.Username = username.(string)
+			}
+			if password, ok := esConfig["password"]; ok {
+				config.Password = password.(string)
+			}
+			if apikey, ok := esConfig["api_key"]; ok {
+				config.APIKey = apikey.(string)
+			}
+
+			if useEnvAsDefault {
+				if endpoints := os.Getenv("ELASTICSEARCH_ENDPOINTS"); endpoints != "" {
+					var addrs []string
+					for _, e := range strings.Split(endpoints, ",") {
+						addrs = append(addrs, strings.TrimSpace(e))
+					}
+					config.Addresses = addrs
+				}
+			}
+
+			if endpoints, ok := esConfig["endpoints"]; ok && len(endpoints.([]interface{})) > 0 {
+				var addrs []string
+				for _, e := range endpoints.([]interface{}) {
+					addrs = append(addrs, e.(string))
+				}
+				config.Addresses = addrs
+			}
+
+			if insecure, ok := esConfig["insecure"]; ok && insecure.(bool) {
+				tlsClientConfig := ensureTLSClientConfig(&config)
+				tlsClientConfig.InsecureSkipVerify = true
+			}
+
+			if caFile, ok := esConfig["ca_file"]; ok && caFile.(string) != "" {
+				caCert, err := os.ReadFile(caFile.(string))
+				if err != nil {
+					diags = append(diags, diag.Diagnostic{
+						Severity: diag.Error,
+						Summary:  "Unable to read CA File",
+						Detail:   err.Error(),
+					})
+					return nil, diags
+				}
+				config.CACert = caCert
+			}
+			if caData, ok := esConfig["ca_data"]; ok && caData.(string) != "" {
+				config.CACert = []byte(caData.(string))
+			}
+
+			if certFile, ok := esConfig["cert_file"]; ok && certFile.(string) != "" {
+				if keyFile, ok := esConfig["key_file"]; ok && keyFile.(string) != "" {
+					cert, err := tls.LoadX509KeyPair(certFile.(string), keyFile.(string))
+					if err != nil {
+						diags = append(diags, diag.Diagnostic{
+							Severity: diag.Error,
+							Summary:  "Unable to read certificate or key file",
+							Detail:   err.Error(),
+						})
+						return nil, diags
+					}
+					tlsClientConfig := ensureTLSClientConfig(&config)
+					tlsClientConfig.Certificates = []tls.Certificate{cert}
+				} else {
+					diags = append(diags, diag.Diagnostic{
+						Severity: diag.Error,
+						Summary:  "Unable to read key file",
+						Detail:   "Path to key file has not been configured or is empty",
+					})
+					return nil, diags
+				}
+			}
+			if certData, ok := esConfig["cert_data"]; ok && certData.(string) != "" {
+				if keyData, ok := esConfig["key_data"]; ok && keyData.(string) != "" {
+					cert, err := tls.X509KeyPair([]byte(certData.(string)), []byte(keyData.(string)))
+					if err != nil {
+						diags = append(diags, diag.Diagnostic{
+							Severity: diag.Error,
+							Summary:  "Unable to parse certificate or key",
+							Detail:   err.Error(),
+						})
+						return nil, diags
+					}
+					tlsClientConfig := ensureTLSClientConfig(&config)
+					tlsClientConfig.Certificates = []tls.Certificate{cert}
+				} else {
+					diags = append(diags, diag.Diagnostic{
+						Severity: diag.Error,
+						Summary:  "Unable to parse key",
+						Detail:   "Key data has not been configured or is empty",
+					})
+					return nil, diags
+				}
+			}
+		}
+	}
+
+	es, err := elasticsearch.NewClient(config)
+	if err != nil {
+		diags = append(diags, diag.Diagnostic{
+			Severity: diag.Error,
+			Summary:  "Unable to create Elasticsearch client",
+			Detail:   err.Error(),
+		})
+	}
+	if logging.IsDebugOrHigher() {
+		es.Transport = newDebugTransport("elasticsearch", es.Transport)
+	}
+
+	return &ApiClient{es, version}, diags
+}
@@ -66,10 +66,9 @@ func ResourceScript() *schema.Resource {
 }
 
 func resourceScriptRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	var diags diag.Diagnostics
-	client, err := clients.NewApiClient(d, meta)
-	if err != nil {
-		return diag.FromErr(err)
+	client, diags := clients.NewApiClient(d, meta)
+	if diags.HasError() {
+		return diags
 	}
 
 	id := d.Id()
@@ -101,9 +100,9 @@ func resourceScriptRead(ctx context.Context, d *schema.ResourceData, meta interf
 }
 
 func resourceScriptPut(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	client, err := clients.NewApiClient(d, meta)
-	if err != nil {
-		return diag.FromErr(err)
+	client, diags := clients.NewApiClient(d, meta)
+	if diags.HasError() {
+		return diags
 	}
 
 	scriptID := d.Get("script_id").(string)
@@ -120,7 +119,7 @@ func resourceScriptPut(ctx context.Context, d *schema.ResourceData, meta interfa
 	if paramsJSON, ok := d.GetOk("params"); ok {
 		var params map[string]interface{}
 		bytes := []byte(paramsJSON.(string))
-		err = json.Unmarshal(bytes, &params)
+		err := json.Unmarshal(bytes, &params)
 		if err != nil {
 			return diag.FromErr(err)
 		}
@@ -138,9 +137,9 @@ func resourceScriptPut(ctx context.Context, d *schema.ResourceData, meta interfa
 }
 
 func resourceScriptDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	client, err := clients.NewApiClient(d, meta)
-	if err != nil {
-		return diag.FromErr(err)
+	client, diags := clients.NewApiClient(d, meta)
+	if diags.HasError() {
+		return diags
 	}
 
 	compId, diags := clients.CompositeIdFromStr(d.Id())