fluent-plugin-aws-elasticsearch-service 0.1.4 → 0.1.6

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 804bbbcf1d607ae465fa39f132a6b97a843d1673
4
- data.tar.gz: 780c3494851839ab063e2f63d1d86cf0f25a26df
3
+ metadata.gz: 336a3781840865fe97e3706eb663486e97c36b54
4
+ data.tar.gz: ecba7aa13b0569e3aa9940905c988320f38cabbe
5
5
  SHA512:
6
- metadata.gz: a2ca9588aec45f2945c6f6c822a61bc7791c9fa712b35addae722478f1bd49b7ef081c2c93e59b01d38be84b16f7a6f498cf6d9d2dd05be09c45e6df856bbd5c
7
- data.tar.gz: f908b30536317c870756531b26848e6834cc42313f521f8e119da967fa586776a3ecf7f88fbc345eb98a6475aa16bf3c685466260c67468fa67249de1bc9668e
6
+ metadata.gz: dc057bb9614641abbfe7058ba9b73523718dcf8ec41ac28ae7ddec31b0715590ebf1ecaf4dc82af6d8b93b52d3bf4ec3c3d671c9def22d7876cc939a08e63e54
7
+ data.tar.gz: 6215725de5851401a57545687022105c0119ab2b3798feee7a7ca107d73b207d6594fa48b23b7f7d32c5019571ca646f31595ffcf3aaf5fca553c5e0207db3a0
data/Gemfile CHANGED
@@ -5,4 +5,4 @@ gemspec
5
5
 
6
6
  gem 'fluent-plugin-elasticsearch', '~> 1.0', require: false
7
7
  gem 'aws-sdk', '~> 2', require: false
8
- gem 'faraday_middleware-aws-signers-v4', '>= 0.1.0, < 0.1.2', require: false
8
+ gem 'faraday_middleware-aws-signers-v4', '>= 0.1.0', '< 0.1.2', require: false
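Review bot: The fix on the `faraday_middleware-aws-signers-v4` line is correct and should be called out in the release notes: RubyGems parses each requirement string separately, so the old single string `'>= 0.1.0, < 0.1.2'` is not a valid requirement (the comma and second operator end up inside what should be a version number), and Bundler would reject the Gemfile rather than silently pick a version. Two remaining points. First, this is the development Gemfile; the runtime bound has to live in the gemspec's dependency list, which this diff does not show, otherwise consumers of the gem can still resolve to a newer, unpinned signer release. Second, `< 0.1.2` is a hard upper bound on the signing middleware; please document why that version is excluded so the pin is not lifted (or kept) by accident when the signer gets a fix.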
data/README.md CHANGED
@@ -16,38 +16,115 @@ In your fluentd configration, use `type aws-elasticsearch-service`.
16
16
 
17
17
  example:
18
18
 
19
- ```rb
20
- source do
21
- type :tail
22
- format :apache
19
+ ```ruby
20
+ <source>
21
+ type tail
22
+ format apache
23
23
  time_format "%d/%b/%Y:%T %z"
24
24
  path "/var/log/nginx/access.log"
25
25
  pos_file "/var/log/td-agent/nginx.access.pos"
26
26
  tag "es.nginx.access"
27
- end
27
+ </source>
28
28
 
29
- match ("es.**") do
29
+ <match es.**>
30
30
  type "aws-elasticsearch-service"
31
31
  type_name "access_log"
32
32
  logstash_format true
33
33
  include_tag_key true
34
34
  tag_key "@log_name"
35
- flush_interval "10s"
36
-
37
- endpoint do
38
- url "YOUR_ENDPOINT_URL"
39
- region "YOUR_ENDPOINT_REAGION"
40
- end
41
- # endpoint do
42
- # url "https://search-xxxxxxxx.ap-northeast-1.es.amazonaws.com"
43
- # region "ap-northeast-1"
44
- # access_key_id "yyyyyyyyy" # optional
45
- # secret_access_key "zzzzzzzzz" # optional
46
- # end
47
- end
35
+ flush_interval 1s
36
+
37
+ <endpoint>
38
+ url https://CLUSTER_ENDPOINT_URL
39
+ region eu-west-1
40
+ # access_key_id "secret"
41
+ # secret_access_key "seekret"
42
+ </endpoint>
43
+ </match>
44
+ ```
45
+
46
+ ## IAM
47
+ If you do not wish to use credentials in your configuration via the `access_key_id` and `secret_access_key` options you should use IAM policies.
48
+
49
+ The first step is to assign an IAM instance role `ROLE` to your EC2 instances. Name it appropriately. The role should contain no policy: we're using the possession of the role as the authenticating factor and placing the policy against the ES cluster.
50
+
51
+ You should then configure a policy for the ES cluster policy thus, with appropriate substitutions for the capitalized terms:
52
+
53
+ ```json
54
+ {
55
+ "Version": "2012-10-17",
56
+ "Statement": [
57
+ {
58
+ "Effect": "Allow",
59
+ "Principal": {
60
+ "AWS": "arn:aws:iam::ACCOUNT:role/ROLE"
61
+ },
62
+ "Action": "es:*",
63
+ "Resource": "arn:aws:es:eu-west-1:ACCOUNT:domain/ES_DOMAIN/*"
64
+ },
65
+ {
66
+ "Effect": "Allow",
67
+ "Principal": {
68
+ "AWS": "*"
69
+ },
70
+ "Action": "es:*",
71
+ "Resource": "arn:aws:es:eu-west-1:ACCOUNT:domain/ES_DOMAIN/*",
72
+ "Condition": {
73
+ "IpAddress": {
74
+ "aws:SourceIp": [
75
+ "1.2.3.4/32",
76
+ "5.6.7.8/32"
77
+ ]
78
+ }
79
+ }
80
+ }
81
+ ]
82
+ }
48
83
  ```
49
84
 
50
- If you use the "IAM User", please copy "access_key_id" and "secret_access_key" from a "IAM User".
85
+ This will allow your fluentd hosts (by virtue of the possession of the role) and any traffic coming from the specified IP addresses (you querying Kibana) to access the various endpoints. Whilst not ideally secure (both the fluentd and Kibana boxes should ideally be restricted to the verbs they require) it should allow you to get up and ingesting logs without anything getting in your way, before you tighten down the policy.
86
+
87
+ Additionally, you can use an STS assumed role as the authenticating factor and instruct the plugin to assume this role. This is useful for cross-account access and when assigning a standard role is not possible. The endpoint configuration looks like:
88
+
89
+ ```ruby
90
+ <endpoint>
91
+ url https://CLUSTER_ENDPOINT_URL
92
+ region eu-west-1
93
+ assume_role_arn arn:aws:sts::ACCOUNT:assumed-role/ROLE
94
+ assume_role_session_name SESSION_ID # Defaults to fluentd if omitted
95
+ </endpoint>
96
+ ```
97
+
98
+ The policy attached to your AWS Elasticsearch cluster then becomes something like:
99
+
100
+ ```json
101
+ {
102
+ "Version": "2012-10-17",
103
+ "Statement": [
104
+ {
105
+ "Effect": "Allow",
106
+ "Principal": {
107
+ "AWS": "arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION_ID"
108
+ },
109
+ "Action": "es:*",
110
+ "Resource": "arn:aws:es:eu-west-1:ACCOUNT:domain/ES_DOMAIN/*"
111
+ }
112
+ ]
113
+ }
114
+ ```
115
+
116
+ You'll need to ensure that the environment in which the fluentd plugin runs has the capability to assume this role, by attaching a policy something like this to the instance profile:
117
+
118
+ ```json
119
+ {
120
+ "Version": "2012-10-17",
121
+ "Statement": {
122
+ "Effect": "Allow",
123
+ "Action": "sts:AssumeRole",
124
+ "Resource": "arn:aws:iam::ACCOUNT:role/ROLE"
125
+ }
126
+ }
127
+ ```
51
128
 
52
129
  ## Development
53
130
 
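Review bot: The `assume_role_arn` example in the new README endpoint block uses the wrong ARN form. The plugin hands this value to `Aws::AssumeRoleCredentials` as `role_arn`, and STS `AssumeRole` expects the IAM role ARN, `arn:aws:iam::ACCOUNT:role/ROLE`, which is exactly the ARN the README's own instance-profile policy lists as the `sts:AssumeRole` resource a few lines later. The `arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION_ID` form belongs only in the domain policy's `Principal`, where it names the session after the role has been assumed; pasting it into `assume_role_arn` will produce an STS error, not a working pipeline. Please change the endpoint example to `assume_role_arn arn:aws:iam::ACCOUNT:role/ROLE`. Two smaller points on the same hunk: pinning the domain policy principal to a particular `SESSION_ID` adds no security, since the session name is chosen by whoever calls `AssumeRole`, so the role ARN alone is the simpler and equivalent principal; and the "IAM" section should say plainly that `access_key_id` / `secret_access_key` put long-lived keys in plaintext in the fluentd config (and, as the earlier code hunk shows, the config parameters are not marked secret, so they can surface in dumped config), which is the reason to prefer the instance-profile or assumed-role path over the inline keys.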
@@ -5,7 +5,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
5
5
 
6
6
  Gem::Specification.new do |spec|
7
7
  spec.name = "fluent-plugin-aws-elasticsearch-service"
8
- spec.version = "0.1.4"
8
+ spec.version = "0.1.6"
9
9
  spec.authors = ["atomita"]
10
10
  spec.email = ["sleeping.cait.sith+gh@gmail.com"]
11
11
 
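Review bot: The gemspec jumps from 0.1.4 straight to 0.1.6, but nothing in this diff explains what 0.1.5 was or whether it shipped; the README hunk also does not mention a changelog entry. Please add a changelog note that covers the assume-role feature, the changed credential lookup order, and the Gemfile requirement fix, so operators upgrading across both versions know that credential resolution behaves differently.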
@@ -16,6 +16,8 @@ module Fluent
16
16
  config_param :url, :string
17
17
  config_param :access_key_id, :string, :default => ""
18
18
  config_param :secret_access_key, :string, :default => ""
19
+ config_param :assume_role_arn, :string, :default => nil
20
+ config_param :assume_role_session_name, :string, :default => "fluentd"
19
21
  end
20
22
 
21
23
 
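Review bot: The two new `config_param` lines use `nil` as the "unset" sentinel for `assume_role_arn` while the adjacent `access_key_id` and `secret_access_key` use `""`, and the credential code that follows relies on that difference (`.empty?` for the keys, `.nil?` for the role ARN). Pick one convention, or the next parameter added here will be checked the wrong way. While touching these lines, `secret_access_key` should be declared with `:secret => true` if the targeted Fluentd version supports it, so the key is masked when Fluentd dumps the parsed configuration to its log.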
@@ -24,7 +26,7 @@ module Fluent
24
26
  #
25
27
  def get_connection_options
26
28
  raise "`endpoint` require." if @endpoint.empty?
27
-
29
+
28
30
  hosts =
29
31
  begin
30
32
  @endpoint.map do |ep|
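Review bot: This hunk only strips trailing whitespace from blank lines inside `get_connection_options`; it has no behavioural effect. Whitespace-only churn is best kept in its own commit so the credential changes in the same file can be reviewed on their own.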
@@ -35,14 +37,14 @@ module Fluent
35
37
  end
36
38
 
37
39
  host[:aws_elasticsearch_service] = {
38
- :credentials => credentials(ep[:access_key_id], ep[:secret_access_key]),
40
+ :credentials => credentials(ep),
39
41
  :region => ep[:region]
40
42
  }
41
-
43
+
42
44
  host
43
45
  end
44
46
  end
45
-
47
+
46
48
  {
47
49
  hosts: hosts
48
50
  }
@@ -54,14 +56,26 @@ module Fluent
54
56
  #
55
57
  # get AWS Credentials
56
58
  #
57
- def credentials(access_key, secret_key)
59
+ def credentials(opts)
58
60
  calback = lambda do
59
61
  credentials = nil
60
- if access_key.empty? or secret_key.empty?
61
- credentials = Aws::InstanceProfileCredentials.new.credentials
62
- credentials ||= Aws::SharedCredentials.new.credentials
62
+ unless opts[:access_key_id].empty? or opts[:secret_access_key].empty?
63
+ credentials = Aws::Credentials.new opts[:access_key_id], opts[:secret_access_key]
64
+ else
65
+ if opts[:assume_role_arn].nil?
66
+ credentials = Aws::SharedCredentials.new({
67
+ retries: 2
68
+ }).credentials
69
+ credentials ||= Aws::InstanceProfileCredentials.new.credentials
70
+ else
71
+ credentials = sts_credential_provider({
72
+ role_arn: opts[:assume_role_arn],
73
+ role_session_name: opts[:assume_role_session_name],
74
+ region: opts[:region]
75
+ }).credentials
76
+ end
63
77
  end
64
- credentials ||= Aws::Credentials.new access_key, secret_key
78
+ raise "No valid AWS credentials found." unless credentials.set?
65
79
  credentials
66
80
  end
67
81
  def calback.inspect
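Review bot: The `retries: 2` option on the `Aws::SharedCredentials.new` call is a no-op; in aws-sdk v2 `SharedCredentials` takes `:path` and `:profile_name` and ignores unknown keys, while `retries` is an option of `Aws::InstanceProfileCredentials`, which is the provider on the very next line. Move it there (`Aws::InstanceProfileCredentials.new(retries: 2)`) if the intent was to tolerate a slow metadata endpoint. Also note that the lookup order has been inverted relative to 0.1.4: the old code tried the instance profile first and `~/.aws/credentials` second, the new code does the reverse, so a host that has both will now sign with the file-based keys; that is a behaviour change worth a changelog line. Finally, the `unless opts[:access_key_id].empty? or opts[:secret_access_key].empty?` branch silently falls through to the environment chain when only one of the two keys is configured; a warning on that half-configured case would save an operator a confusing "No valid AWS credentials found." later, and the raise itself should name the endpoint URL so multi-endpoint configs can tell which one failed.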
@@ -71,6 +85,11 @@ module Fluent
71
85
  calback
72
86
  end
73
87
 
88
+ def sts_credential_provider(opts)
89
+ # AssumeRoleCredentials is an auto-refreshing credential provider
90
+ @sts ||= Aws::AssumeRoleCredentials.new(opts)
91
+ end
92
+
74
93
  end
75
94
 
76
95
 
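Review bot: `@sts ||= Aws::AssumeRoleCredentials.new(opts)` memoizes the first provider and then ignores `opts` on every later call, but `credentials(ep)` is invoked once per `<endpoint>` section. With two endpoints that name different `assume_role_arn` values, the second endpoint silently signs with the first endpoint's role. Key the cache on the role ARN and session name instead, for example `@sts ||= {}` followed by `@sts[[opts[:role_arn], opts[:role_session_name]]] ||= Aws::AssumeRoleCredentials.new(opts)`. The comment that `AssumeRoleCredentials` auto-refreshes is accurate, which is the right reason to cache the provider object rather than call `AssumeRole` on each request; it just needs to be cached per role.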
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-aws-elasticsearch-service
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.4
4
+ version: 0.1.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - atomita
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2015-11-20 00:00:00.000000000 Z
11
+ date: 2016-06-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
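Review bot: The metadata still carries `cert_chain: []`, so the 0.1.6 gem is published unsigned; the updated SHA1/SHA512 values in `checksums.yaml` are generated by `gem build` over the artifact and only let an installer detect corruption, not verify who published it. If the maintainer wants downstream users to be able to pin to a trusted publisher (this plugin ships AWS credentials handling, so it is a reasonable ask), consider signing releases with `gem cert` so the chain is non-empty in the next release.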