fluent-plugin-aws-elasticsearch-service 0.1.4 → 0.1.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/README.md +97 -20
- data/fluent-plugin-aws-elasticsearch-service.gemspec +1 -1
- data/lib/fluent/plugin/out_aws-elasticsearch-service.rb +28 -9
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 336a3781840865fe97e3706eb663486e97c36b54
|
4
|
+
data.tar.gz: ecba7aa13b0569e3aa9940905c988320f38cabbe
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: dc057bb9614641abbfe7058ba9b73523718dcf8ec41ac28ae7ddec31b0715590ebf1ecaf4dc82af6d8b93b52d3bf4ec3c3d671c9def22d7876cc939a08e63e54
|
7
|
+
data.tar.gz: 6215725de5851401a57545687022105c0119ab2b3798feee7a7ca107d73b207d6594fa48b23b7f7d32c5019571ca646f31595ffcf3aaf5fca553c5e0207db3a0
|
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -16,38 +16,115 @@ In your fluentd configration, use `type aws-elasticsearch-service`.
|
|
16
16
|
|
17
17
|
example:
|
18
18
|
|
19
|
-
```
|
20
|
-
source
|
21
|
-
type
|
22
|
-
format
|
19
|
+
```ruby
|
20
|
+
<source>
|
21
|
+
type tail
|
22
|
+
format apache
|
23
23
|
time_format "%d/%b/%Y:%T %z"
|
24
24
|
path "/var/log/nginx/access.log"
|
25
25
|
pos_file "/var/log/td-agent/nginx.access.pos"
|
26
26
|
tag "es.nginx.access"
|
27
|
-
|
27
|
+
</source>
|
28
28
|
|
29
|
-
match
|
29
|
+
<match es.**>
|
30
30
|
type "aws-elasticsearch-service"
|
31
31
|
type_name "access_log"
|
32
32
|
logstash_format true
|
33
33
|
include_tag_key true
|
34
34
|
tag_key "@log_name"
|
35
|
-
flush_interval
|
36
|
-
|
37
|
-
endpoint
|
38
|
-
url
|
39
|
-
region
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
35
|
+
flush_interval 1s
|
36
|
+
|
37
|
+
<endpoint>
|
38
|
+
url https://CLUSTER_ENDPOINT_URL
|
39
|
+
region eu-west-1
|
40
|
+
# access_key_id "secret"
|
41
|
+
# secret_access_key "seekret"
|
42
|
+
</endpoint>
|
43
|
+
</match>
|
44
|
+
```
|
45
|
+
|
46
|
+
## IAM
|
47
|
+
If you do not wish to use credentials in your configuration via the `access_key_id` and `secret_access_key` options you should use IAM policies.
|
48
|
+
|
49
|
+
The first step is to assign an IAM instance role `ROLE` to your EC2 instances. Name it appropriately. The role should contain no policy: we're using the possession of the role as the authenticating factor and placing the policy against the ES cluster.
|
50
|
+
|
51
|
+
You should then configure a policy for the ES cluster policy thus, with appropriate substitutions for the capitalized terms:
|
52
|
+
|
53
|
+
```json
|
54
|
+
{
|
55
|
+
"Version": "2012-10-17",
|
56
|
+
"Statement": [
|
57
|
+
{
|
58
|
+
"Effect": "Allow",
|
59
|
+
"Principal": {
|
60
|
+
"AWS": "arn:aws:iam::ACCOUNT:role/ROLE"
|
61
|
+
},
|
62
|
+
"Action": "es:*",
|
63
|
+
"Resource": "arn:aws:es:eu-west-1:ACCOUNT:domain/ES_DOMAIN/*"
|
64
|
+
},
|
65
|
+
{
|
66
|
+
"Effect": "Allow",
|
67
|
+
"Principal": {
|
68
|
+
"AWS": "*"
|
69
|
+
},
|
70
|
+
"Action": "es:*",
|
71
|
+
"Resource": "arn:aws:es:eu-west-1:ACCOUNT:domain/ES_DOMAIN/*",
|
72
|
+
"Condition": {
|
73
|
+
"IpAddress": {
|
74
|
+
"aws:SourceIp": [
|
75
|
+
"1.2.3.4/32",
|
76
|
+
"5.6.7.8/32"
|
77
|
+
]
|
78
|
+
}
|
79
|
+
}
|
80
|
+
}
|
81
|
+
]
|
82
|
+
}
|
48
83
|
```
|
49
84
|
|
50
|
-
|
85
|
+
This will allow your fluentd hosts (by virtue of the possession of the role) and any traffic coming from the specified IP addresses (you querying Kibana) to access the various endpoints. Whilst not ideally secure (both the fluentd and Kibana boxes should ideally be restricted to the verbs they require) it should allow you to get up and ingesting logs without anything getting in your way, before you tighten down the policy.
|
86
|
+
|
87
|
+
Additionally, you can use an STS assumed role as the authenticating factor and instruct the plugin to assume this role. This is useful for cross-account access and when assigning a standard role is not possible. The endpoint configuration looks like:
|
88
|
+
|
89
|
+
```ruby
|
90
|
+
<endpoint>
|
91
|
+
url https://CLUSTER_ENDPOINT_URL
|
92
|
+
region eu-west-1
|
93
|
+
assume_role_arn arn:aws:sts::ACCOUNT:assumed-role/ROLE
|
94
|
+
assume_role_session_name SESSION_ID # Defaults to fluentd if omitted
|
95
|
+
</endpoint>
|
96
|
+
```
|
97
|
+
|
98
|
+
The policy attached to your AWS Elasticsearch cluster then becomes something like:
|
99
|
+
|
100
|
+
```json
|
101
|
+
{
|
102
|
+
"Version": "2012-10-17",
|
103
|
+
"Statement": [
|
104
|
+
{
|
105
|
+
"Effect": "Allow",
|
106
|
+
"Principal": {
|
107
|
+
"AWS": "arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION_ID"
|
108
|
+
},
|
109
|
+
"Action": "es:*",
|
110
|
+
"Resource": "arn:aws:es:eu-west-1:ACCOUNT:domain/ES_DOMAIN/*"
|
111
|
+
}
|
112
|
+
]
|
113
|
+
}
|
114
|
+
```
|
115
|
+
|
116
|
+
You'll need to ensure that the environment in which the fluentd plugin runs has the capability to assume this role, by attaching a policy something like this to the instance profile:
|
117
|
+
|
118
|
+
```json
|
119
|
+
{
|
120
|
+
"Version": "2012-10-17",
|
121
|
+
"Statement": {
|
122
|
+
"Effect": "Allow",
|
123
|
+
"Action": "sts:AssumeRole",
|
124
|
+
"Resource": "arn:aws:iam::ACCOUNT:role/ROLE"
|
125
|
+
}
|
126
|
+
}
|
127
|
+
```
|
51
128
|
|
52
129
|
## Development
|
53
130
|
|
@@ -5,7 +5,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
5
5
|
|
6
6
|
Gem::Specification.new do |spec|
|
7
7
|
spec.name = "fluent-plugin-aws-elasticsearch-service"
|
8
|
-
spec.version = "0.1.
|
8
|
+
spec.version = "0.1.6"
|
9
9
|
spec.authors = ["atomita"]
|
10
10
|
spec.email = ["sleeping.cait.sith+gh@gmail.com"]
|
11
11
|
|
@@ -16,6 +16,8 @@ module Fluent
|
|
16
16
|
config_param :url, :string
|
17
17
|
config_param :access_key_id, :string, :default => ""
|
18
18
|
config_param :secret_access_key, :string, :default => ""
|
19
|
+
config_param :assume_role_arn, :string, :default => nil
|
20
|
+
config_param :assume_role_session_name, :string, :default => "fluentd"
|
19
21
|
end
|
20
22
|
|
21
23
|
|
@@ -24,7 +26,7 @@ module Fluent
|
|
24
26
|
#
|
25
27
|
def get_connection_options
|
26
28
|
raise "`endpoint` require." if @endpoint.empty?
|
27
|
-
|
29
|
+
|
28
30
|
hosts =
|
29
31
|
begin
|
30
32
|
@endpoint.map do |ep|
|
@@ -35,14 +37,14 @@ module Fluent
|
|
35
37
|
end
|
36
38
|
|
37
39
|
host[:aws_elasticsearch_service] = {
|
38
|
-
:credentials => credentials(ep
|
40
|
+
:credentials => credentials(ep),
|
39
41
|
:region => ep[:region]
|
40
42
|
}
|
41
|
-
|
43
|
+
|
42
44
|
host
|
43
45
|
end
|
44
46
|
end
|
45
|
-
|
47
|
+
|
46
48
|
{
|
47
49
|
hosts: hosts
|
48
50
|
}
|
@@ -54,14 +56,26 @@ module Fluent
|
|
54
56
|
#
|
55
57
|
# get AWS Credentials
|
56
58
|
#
|
57
|
-
def credentials(
|
59
|
+
def credentials(opts)
|
58
60
|
calback = lambda do
|
59
61
|
credentials = nil
|
60
|
-
|
61
|
-
credentials
|
62
|
-
|
62
|
+
unless opts[:access_key_id].empty? or opts[:secret_access_key].empty?
|
63
|
+
credentials = Aws::Credentials.new opts[:access_key_id], opts[:secret_access_key]
|
64
|
+
else
|
65
|
+
if opts[:assume_role_arn].nil?
|
66
|
+
credentials = Aws::SharedCredentials.new({
|
67
|
+
retries: 2
|
68
|
+
}).credentials
|
69
|
+
credentials ||= Aws::InstanceProfileCredentials.new.credentials
|
70
|
+
else
|
71
|
+
credentials = sts_credential_provider({
|
72
|
+
role_arn: opts[:assume_role_arn],
|
73
|
+
role_session_name: opts[:assume_role_session_name],
|
74
|
+
region: opts[:region]
|
75
|
+
}).credentials
|
76
|
+
end
|
63
77
|
end
|
64
|
-
credentials
|
78
|
+
raise "No valid AWS credentials found." unless credentials.set?
|
65
79
|
credentials
|
66
80
|
end
|
67
81
|
def calback.inspect
|
@@ -71,6 +85,11 @@ module Fluent
|
|
71
85
|
calback
|
72
86
|
end
|
73
87
|
|
88
|
+
def sts_credential_provider(opts)
|
89
|
+
# AssumeRoleCredentials is an auto-refreshing credential provider
|
90
|
+
@sts ||= Aws::AssumeRoleCredentials.new(opts)
|
91
|
+
end
|
92
|
+
|
74
93
|
end
|
75
94
|
|
76
95
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: fluent-plugin-aws-elasticsearch-service
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- atomita
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2016-06-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|