Desired state config vs task based config automation. We don’t use it to create a new config, we use it to maintain and update the config automatically on an existing SearchGuard. We have 200+ roles mapped to various backend roles via OAuth; for me the SearchGuard configuration files total many thousands of lines and are generated by Puppet from various arrays and other external resources.
Puppet runs every 30 minutes, calls the API, and will change/correct anything that is not configured properly. If desired config matches actual config then no change is applied. Add a new group in some other project and it will automatically generate the proper SearchGuard config and apply it. Change a password in the password management system and it updates all associated services and applies it to SearchGuard.
To use sgadmin.sh would require generating a properly formatted config file, then calling sgadmin.sh to import it on every Puppet run, overwriting the previous config. We have done this previously but the REST API implementation is far better.
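
The desired-state check described in this post, as an added example that is not part of the original post and is neither Puppet's nor Search Guard's code: it compares desired role mappings with what is live and emits only the changes needed, so a second run is a no-op. The function names, the `purge` option, the in-memory stand-in for the REST calls, and all sample roles and groups are constructed assumptions.

```python
# Added example: desired-state reconciliation for role mappings.
# All names and sample data are constructed for illustration.

def normalize(mapping):
    """Order-insensitive view of a mapping, so list order never counts as drift."""
    return {k: sorted(v) if isinstance(v, list) else v for k, v in mapping.items()}

def plan(desired, actual, purge=False):
    """Return the minimal list of (action, role, body) needed to reach `desired`."""
    ops = []
    for role in sorted(desired):
        want = normalize(desired[role])
        have = normalize(actual[role]) if role in actual else None
        if have is None:
            ops.append(("create", role, want))
        elif have != want:
            ops.append(("update", role, want))
    if purge:  # assumption: entries missing from desired state are drift to remove
        for role in sorted(set(actual) - set(desired)):
            ops.append(("delete", role, None))
    return ops

def apply_ops(ops, state):
    """Stand-in for the REST calls: applies the plan to an in-memory config."""
    for action, role, body in ops:
        if action == "delete":
            state.pop(role, None)
        else:
            state[role] = body
    return state

DESIRED = {  # constructed: what the config management system generates
    "sg_project_a_read": {"backend_roles": ["grp-a-dev", "grp-a-ops"]},
    "sg_project_b_read": {"backend_roles": ["grp-b-dev"]},
}
ACTUAL = {  # constructed: what the cluster currently reports
    "sg_project_a_read": {"backend_roles": ["grp-a-ops", "grp-a-dev"]},  # same, reordered
    "sg_project_b_read": {"backend_roles": ["grp-b-dev", "grp-temp"]},   # manual drift
    "sg_old_project": {"backend_roles": ["grp-old"]},                    # no longer managed
}

if __name__ == "__main__":
    first = plan(DESIRED, ACTUAL, purge=True)
    for op in first:
        print(op)
    live = apply_ops(first, dict(ACTUAL))
    print("second run:", plan(DESIRED, live, purge=True))
```

The extra `grp-temp` backend role is the case that matters for access control: the plan removes it on the next run, and each emitted operation doubles as an audit record of what drifted.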