logstash-mixin-aws 4.2.3 → 5.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +19 -0
- data/Gemfile +8 -0
- data/LICENSE +199 -10
- data/README.md +1 -1
- data/lib/logstash/plugin_mixins/aws_config.rb +0 -14
- data/lib/logstash/plugin_mixins/aws_config/generic.rb +16 -4
- data/lib/logstash/plugin_mixins/aws_config/v2.rb +48 -36
- data/logstash-mixin-aws.gemspec +3 -3
- data/spec/plugin_mixin/aws_config_spec.rb +95 -64
- metadata +18 -17
- data/lib/logstash/plugin_mixins/aws_config/v1.rb +0 -56
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 5f0ffda43078e41e39ca90e34f89a212e95164a3dd40b47b98a141d4c20d4b14
|
4
|
+
data.tar.gz: 9d252aad0445ec9f49b78708eccf61d4caff1b0808e5a4f3fa45d634f7b4b2ad
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 45e12f518ddc54c3fa6d9775511ec3fb4f01fe86b7f311858349d5f93a7e307a555edad97b80487de7e73cd5b8ec8508a7baf3adf0a0aaba4256fa761fb322a4
|
7
|
+
data.tar.gz: fbf5d5b3dd042b2af41e670126b9b65c5562b0cd84d8f62e5a4bf6baef7f0e72d22f29dac7e9850cc8d6af4c95a1e2e7babea81bda31df1342b2b1e6aa37be76
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,22 @@
|
|
1
|
+
## 5.0.0
|
2
|
+
- Drop support for aws-sdk-v1
|
3
|
+
|
4
|
+
## 4.4.1
|
5
|
+
- Fix: proxy with assumed role (properly) [#50](https://github.com/logstash-plugins/logstash-mixin-aws/pull/50).
|
6
|
+
|
7
|
+
## 4.4.0
|
8
|
+
- Fix: credentials/proxy with assumed role [#48](https://github.com/logstash-plugins/logstash-mixin-aws/pull/48).
|
9
|
+
Plugin no longer assumes `access_key_id`/`secret_access_key` credentials not to be set when `role_arn` specified.
|
10
|
+
|
11
|
+
## 4.3.0
|
12
|
+
- Drop strict value validation for region option #36
|
13
|
+
- Add endpoint option to customize the endpoint uri #32
|
14
|
+
- Allow user to provide a role to assume #27
|
15
|
+
- Update aws-sdk dependency to '~> 2'
|
16
|
+
|
17
|
+
## 4.2.4
|
18
|
+
- Minor config validation fixes
|
19
|
+
|
1
20
|
## 4.2.3
|
2
21
|
- Fix some documentation issues
|
3
22
|
|
data/Gemfile
CHANGED
@@ -1,3 +1,11 @@
|
|
1
1
|
source 'https://rubygems.org'
|
2
2
|
|
3
3
|
gemspec
|
4
|
+
|
5
|
+
logstash_path = ENV["LOGSTASH_PATH"] || "../../logstash"
|
6
|
+
use_logstash_source = ENV["LOGSTASH_SOURCE"] && ENV["LOGSTASH_SOURCE"].to_s == "1"
|
7
|
+
|
8
|
+
if Dir.exist?(logstash_path) && use_logstash_source
|
9
|
+
gem 'logstash-core', :path => "#{logstash_path}/logstash-core"
|
10
|
+
gem 'logstash-core-plugin-api', :path => "#{logstash_path}/logstash-core-plugin-api"
|
11
|
+
end
|
data/LICENSE
CHANGED
@@ -1,13 +1,202 @@
|
|
1
|
-
Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
|
2
1
|
|
3
|
-
|
4
|
-
|
5
|
-
|
2
|
+
Apache License
|
3
|
+
Version 2.0, January 2004
|
4
|
+
http://www.apache.org/licenses/
|
6
5
|
|
7
|
-
|
6
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
8
7
|
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
8
|
+
1. Definitions.
|
9
|
+
|
10
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
11
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
12
|
+
|
13
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
14
|
+
the copyright owner that is granting the License.
|
15
|
+
|
16
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
17
|
+
other entities that control, are controlled by, or are under common
|
18
|
+
control with that entity. For the purposes of this definition,
|
19
|
+
"control" means (i) the power, direct or indirect, to cause the
|
20
|
+
direction or management of such entity, whether by contract or
|
21
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
22
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
23
|
+
|
24
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
25
|
+
exercising permissions granted by this License.
|
26
|
+
|
27
|
+
"Source" form shall mean the preferred form for making modifications,
|
28
|
+
including but not limited to software source code, documentation
|
29
|
+
source, and configuration files.
|
30
|
+
|
31
|
+
"Object" form shall mean any form resulting from mechanical
|
32
|
+
transformation or translation of a Source form, including but
|
33
|
+
not limited to compiled object code, generated documentation,
|
34
|
+
and conversions to other media types.
|
35
|
+
|
36
|
+
"Work" shall mean the work of authorship, whether in Source or
|
37
|
+
Object form, made available under the License, as indicated by a
|
38
|
+
copyright notice that is included in or attached to the work
|
39
|
+
(an example is provided in the Appendix below).
|
40
|
+
|
41
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
42
|
+
form, that is based on (or derived from) the Work and for which the
|
43
|
+
editorial revisions, annotations, elaborations, or other modifications
|
44
|
+
represent, as a whole, an original work of authorship. For the purposes
|
45
|
+
of this License, Derivative Works shall not include works that remain
|
46
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
47
|
+
the Work and Derivative Works thereof.
|
48
|
+
|
49
|
+
"Contribution" shall mean any work of authorship, including
|
50
|
+
the original version of the Work and any modifications or additions
|
51
|
+
to that Work or Derivative Works thereof, that is intentionally
|
52
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
53
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
54
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
55
|
+
means any form of electronic, verbal, or written communication sent
|
56
|
+
to the Licensor or its representatives, including but not limited to
|
57
|
+
communication on electronic mailing lists, source code control systems,
|
58
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
59
|
+
Licensor for the purpose of discussing and improving the Work, but
|
60
|
+
excluding communication that is conspicuously marked or otherwise
|
61
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
62
|
+
|
63
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
64
|
+
on behalf of whom a Contribution has been received by Licensor and
|
65
|
+
subsequently incorporated within the Work.
|
66
|
+
|
67
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
68
|
+
this License, each Contributor hereby grants to You a perpetual,
|
69
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
70
|
+
copyright license to reproduce, prepare Derivative Works of,
|
71
|
+
publicly display, publicly perform, sublicense, and distribute the
|
72
|
+
Work and such Derivative Works in Source or Object form.
|
73
|
+
|
74
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
75
|
+
this License, each Contributor hereby grants to You a perpetual,
|
76
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
77
|
+
(except as stated in this section) patent license to make, have made,
|
78
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
79
|
+
where such license applies only to those patent claims licensable
|
80
|
+
by such Contributor that are necessarily infringed by their
|
81
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
82
|
+
with the Work to which such Contribution(s) was submitted. If You
|
83
|
+
institute patent litigation against any entity (including a
|
84
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
85
|
+
or a Contribution incorporated within the Work constitutes direct
|
86
|
+
or contributory patent infringement, then any patent licenses
|
87
|
+
granted to You under this License for that Work shall terminate
|
88
|
+
as of the date such litigation is filed.
|
89
|
+
|
90
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
91
|
+
Work or Derivative Works thereof in any medium, with or without
|
92
|
+
modifications, and in Source or Object form, provided that You
|
93
|
+
meet the following conditions:
|
94
|
+
|
95
|
+
(a) You must give any other recipients of the Work or
|
96
|
+
Derivative Works a copy of this License; and
|
97
|
+
|
98
|
+
(b) You must cause any modified files to carry prominent notices
|
99
|
+
stating that You changed the files; and
|
100
|
+
|
101
|
+
(c) You must retain, in the Source form of any Derivative Works
|
102
|
+
that You distribute, all copyright, patent, trademark, and
|
103
|
+
attribution notices from the Source form of the Work,
|
104
|
+
excluding those notices that do not pertain to any part of
|
105
|
+
the Derivative Works; and
|
106
|
+
|
107
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
108
|
+
distribution, then any Derivative Works that You distribute must
|
109
|
+
include a readable copy of the attribution notices contained
|
110
|
+
within such NOTICE file, excluding those notices that do not
|
111
|
+
pertain to any part of the Derivative Works, in at least one
|
112
|
+
of the following places: within a NOTICE text file distributed
|
113
|
+
as part of the Derivative Works; within the Source form or
|
114
|
+
documentation, if provided along with the Derivative Works; or,
|
115
|
+
within a display generated by the Derivative Works, if and
|
116
|
+
wherever such third-party notices normally appear. The contents
|
117
|
+
of the NOTICE file are for informational purposes only and
|
118
|
+
do not modify the License. You may add Your own attribution
|
119
|
+
notices within Derivative Works that You distribute, alongside
|
120
|
+
or as an addendum to the NOTICE text from the Work, provided
|
121
|
+
that such additional attribution notices cannot be construed
|
122
|
+
as modifying the License.
|
123
|
+
|
124
|
+
You may add Your own copyright statement to Your modifications and
|
125
|
+
may provide additional or different license terms and conditions
|
126
|
+
for use, reproduction, or distribution of Your modifications, or
|
127
|
+
for any such Derivative Works as a whole, provided Your use,
|
128
|
+
reproduction, and distribution of the Work otherwise complies with
|
129
|
+
the conditions stated in this License.
|
130
|
+
|
131
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
132
|
+
any Contribution intentionally submitted for inclusion in the Work
|
133
|
+
by You to the Licensor shall be under the terms and conditions of
|
134
|
+
this License, without any additional terms or conditions.
|
135
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
136
|
+
the terms of any separate license agreement you may have executed
|
137
|
+
with Licensor regarding such Contributions.
|
138
|
+
|
139
|
+
6. Trademarks. This License does not grant permission to use the trade
|
140
|
+
names, trademarks, service marks, or product names of the Licensor,
|
141
|
+
except as required for reasonable and customary use in describing the
|
142
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
143
|
+
|
144
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
145
|
+
agreed to in writing, Licensor provides the Work (and each
|
146
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
147
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
148
|
+
implied, including, without limitation, any warranties or conditions
|
149
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
150
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
151
|
+
appropriateness of using or redistributing the Work and assume any
|
152
|
+
risks associated with Your exercise of permissions under this License.
|
153
|
+
|
154
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
155
|
+
whether in tort (including negligence), contract, or otherwise,
|
156
|
+
unless required by applicable law (such as deliberate and grossly
|
157
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
158
|
+
liable to You for damages, including any direct, indirect, special,
|
159
|
+
incidental, or consequential damages of any character arising as a
|
160
|
+
result of this License or out of the use or inability to use the
|
161
|
+
Work (including but not limited to damages for loss of goodwill,
|
162
|
+
work stoppage, computer failure or malfunction, or any and all
|
163
|
+
other commercial damages or losses), even if such Contributor
|
164
|
+
has been advised of the possibility of such damages.
|
165
|
+
|
166
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
167
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
168
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
169
|
+
or other liability obligations and/or rights consistent with this
|
170
|
+
License. However, in accepting such obligations, You may act only
|
171
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
172
|
+
of any other Contributor, and only if You agree to indemnify,
|
173
|
+
defend, and hold each Contributor harmless for any liability
|
174
|
+
incurred by, or claims asserted against, such Contributor by reason
|
175
|
+
of your accepting any such warranty or additional liability.
|
176
|
+
|
177
|
+
END OF TERMS AND CONDITIONS
|
178
|
+
|
179
|
+
APPENDIX: How to apply the Apache License to your work.
|
180
|
+
|
181
|
+
To apply the Apache License to your work, attach the following
|
182
|
+
boilerplate notice, with the fields enclosed by brackets "[]"
|
183
|
+
replaced with your own identifying information. (Don't include
|
184
|
+
the brackets!) The text should be enclosed in the appropriate
|
185
|
+
comment syntax for the file format. We also recommend that a
|
186
|
+
file or class name and description of purpose be included on the
|
187
|
+
same "printed page" as the copyright notice for easier
|
188
|
+
identification within third-party archives.
|
189
|
+
|
190
|
+
Copyright 2020 Elastic and contributors
|
191
|
+
|
192
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
193
|
+
you may not use this file except in compliance with the License.
|
194
|
+
You may obtain a copy of the License at
|
195
|
+
|
196
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
197
|
+
|
198
|
+
Unless required by applicable law or agreed to in writing, software
|
199
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
200
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
201
|
+
See the License for the specific language governing permissions and
|
202
|
+
limitations under the License.
|
data/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Logstash Plugin
|
2
2
|
|
3
|
-
[![Travis Build Status](https://travis-ci.
|
3
|
+
[![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-mixin-aws.svg)](https://travis-ci.com/logstash-plugins/logstash-mixin-aws)
|
4
4
|
|
5
5
|
This is a plugin for [Logstash](https://github.com/elastic/logstash).
|
6
6
|
|
@@ -1,22 +1,8 @@
|
|
1
1
|
# encoding: utf-8
|
2
2
|
require "logstash/config/mixin"
|
3
3
|
|
4
|
-
# This module provides helper for the `AWS-SDK` v1,
|
5
|
-
# and it will be deprecated in the near future, please use the V2 module
|
6
|
-
# for any new development.
|
7
4
|
module LogStash::PluginMixins::AwsConfig
|
8
|
-
require "logstash/plugin_mixins/aws_config/v1"
|
9
5
|
require "logstash/plugin_mixins/aws_config/v2"
|
10
6
|
|
11
7
|
US_EAST_1 = "us-east-1"
|
12
|
-
REGIONS_ENDPOINT = [US_EAST_1, "us-east-2", "us-west-1", "us-west-2",
|
13
|
-
"eu-central-1", "eu-west-1", "eu-west-2",
|
14
|
-
"ap-southeast-1", "ap-southeast-2", "ap-northeast-1",
|
15
|
-
"ap-northeast-2", "sa-east-1", "us-gov-west-1",
|
16
|
-
"cn-north-1", "ap-south-1", "ca-central-1"]
|
17
|
-
|
18
|
-
def self.included(base)
|
19
|
-
# Add these methods to the 'base' given.
|
20
|
-
base.send(:include, V1)
|
21
|
-
end
|
22
8
|
end
|
@@ -6,11 +6,11 @@ module LogStash::PluginMixins::AwsConfig::Generic
|
|
6
6
|
|
7
7
|
def generic_aws_config
|
8
8
|
# The AWS Region
|
9
|
-
config :region, :validate =>
|
9
|
+
config :region, :validate => :string, :default => LogStash::PluginMixins::AwsConfig::US_EAST_1
|
10
10
|
|
11
11
|
# This plugin uses the AWS SDK and supports several ways to get credentials, which will be tried in this order:
|
12
12
|
#
|
13
|
-
# 1. Static configuration, using `access_key_id` and `secret_access_key` params in logstash plugin config
|
13
|
+
# 1. Static configuration, using `access_key_id` and `secret_access_key` params in the logstash plugin config
|
14
14
|
# 2. External credentials file specified by `aws_credentials_file`
|
15
15
|
# 3. Environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
|
16
16
|
# 4. Environment variables `AMAZON_ACCESS_KEY_ID` and `AMAZON_SECRET_ACCESS_KEY`
|
@@ -18,14 +18,26 @@ module LogStash::PluginMixins::AwsConfig::Generic
|
|
18
18
|
config :access_key_id, :validate => :string
|
19
19
|
|
20
20
|
# The AWS Secret Access Key
|
21
|
-
config :secret_access_key, :validate => :
|
21
|
+
config :secret_access_key, :validate => :password
|
22
22
|
|
23
23
|
# The AWS Session token for temporary credential
|
24
|
-
config :session_token, :validate => :
|
24
|
+
config :session_token, :validate => :password
|
25
25
|
|
26
26
|
# URI to proxy server if required
|
27
27
|
config :proxy_uri, :validate => :string
|
28
28
|
|
29
|
+
# Custom endpoint to connect to s3
|
30
|
+
config :endpoint, :validate => :string
|
31
|
+
|
32
|
+
# The AWS IAM Role to assume, if any.
|
33
|
+
# This is used to generate temporary credentials typically for cross-account access.
|
34
|
+
# See https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for more information.
|
35
|
+
# When `role_arn` is set, AWS (`access_key_id`/`secret_access_key`) credentials still get used if they're configured.
|
36
|
+
config :role_arn, :validate => :string
|
37
|
+
|
38
|
+
# Session name to use when assuming an IAM role
|
39
|
+
config :role_session_name, :validate => :string, :default => "logstash"
|
40
|
+
|
29
41
|
# Path to YAML file containing a hash of AWS credentials.
|
30
42
|
# This file will only be loaded if `access_key_id` and
|
31
43
|
# `secret_access_key` aren't set. The contents of the
|
@@ -11,51 +11,63 @@ module LogStash::PluginMixins::AwsConfig::V2
|
|
11
11
|
def aws_options_hash
|
12
12
|
opts = {}
|
13
13
|
|
14
|
-
if @access_key_id.is_a?(NilClass) ^ @secret_access_key.is_a?(NilClass)
|
15
|
-
@logger.warn("Likely config error: Only one of access_key_id or secret_access_key was provided but not both.")
|
16
|
-
end
|
17
|
-
|
18
|
-
opts[:credentials] = credentials if credentials
|
19
|
-
|
20
14
|
opts[:http_proxy] = @proxy_uri if @proxy_uri
|
21
15
|
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
# For a list, see https://github.com/aws/aws-sdk-ruby/blob/master/lib/aws/core/configuration.rb
|
16
|
+
if @role_arn
|
17
|
+
credentials = assume_role(opts.dup)
|
18
|
+
opts[:credentials] = credentials
|
19
|
+
else
|
20
|
+
credentials = aws_credentials
|
21
|
+
opts[:credentials] = credentials if credentials
|
22
|
+
end
|
23
|
+
|
31
24
|
if self.respond_to?(:aws_service_endpoint)
|
25
|
+
# used by CloudWatch to basically do the same as bellow (returns { region: region })
|
32
26
|
opts.merge!(self.aws_service_endpoint(@region))
|
33
27
|
else
|
34
|
-
|
28
|
+
# NOTE: setting :region works with the aws sdk (resolves correct endpoint)
|
29
|
+
opts[:region] = @region
|
35
30
|
end
|
36
31
|
|
32
|
+
opts[:endpoint] = @endpoint unless @endpoint.nil?
|
33
|
+
|
37
34
|
return opts
|
38
35
|
end
|
39
36
|
|
40
37
|
private
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
38
|
+
|
39
|
+
def aws_credentials
|
40
|
+
if @access_key_id && @secret_access_key
|
41
|
+
Aws::Credentials.new(@access_key_id, @secret_access_key.value, @session_token ? @session_token.value : nil)
|
42
|
+
elsif @access_key_id.nil? ^ @secret_access_key.nil?
|
43
|
+
@logger.warn("Likely config error: Only one of access_key_id or secret_access_key was provided but not both.")
|
44
|
+
secret_access_key = @secret_access_key ? @secret_access_key.value : nil
|
45
|
+
Aws::Credentials.new(@access_key_id, secret_access_key, @session_token ? @session_token.value : nil)
|
46
|
+
elsif @aws_credentials_file
|
47
|
+
credentials_opts = YAML.load_file(@aws_credentials_file)
|
48
|
+
credentials_opts.default_proc = lambda { |hash, key| hash.fetch(key.to_s, nil) }
|
49
|
+
Aws::Credentials.new(credentials_opts[:access_key_id],
|
50
|
+
credentials_opts[:secret_access_key],
|
51
|
+
credentials_opts[:session_token])
|
52
|
+
else
|
53
|
+
nil # AWS client will read ENV or ~/.aws/credentials
|
54
|
+
end
|
55
|
+
end
|
56
|
+
alias credentials aws_credentials
|
57
|
+
|
58
|
+
def assume_role(opts = {})
|
59
|
+
unless opts.key?(:credentials)
|
60
|
+
credentials = aws_credentials
|
61
|
+
opts[:credentials] = credentials if credentials
|
62
|
+
end
|
63
|
+
|
64
|
+
# for a regional endpoint :region is always required by AWS
|
65
|
+
opts[:region] = @region
|
66
|
+
|
67
|
+
Aws::AssumeRoleCredentials.new(
|
68
|
+
:client => Aws::STS::Client.new(opts),
|
69
|
+
:role_arn => @role_arn,
|
70
|
+
:role_session_name => @role_session_name
|
71
|
+
)
|
60
72
|
end
|
61
|
-
end
|
73
|
+
end
|
data/logstash-mixin-aws.gemspec
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
s.name = 'logstash-mixin-aws'
|
3
|
-
s.version = '
|
3
|
+
s.version = '5.0.0'
|
4
4
|
s.licenses = ['Apache License (2.0)']
|
5
5
|
s.summary = "AWS mixins to provide a unified interface for Amazon Webservice"
|
6
6
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
@@ -18,8 +18,8 @@ Gem::Specification.new do |s|
|
|
18
18
|
# Gem dependencies
|
19
19
|
s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
|
20
20
|
s.add_runtime_dependency 'logstash-codec-plain'
|
21
|
-
s.add_runtime_dependency 'aws-sdk
|
22
|
-
s.add_runtime_dependency 'aws-sdk', '~> 2.3.0'
|
21
|
+
s.add_runtime_dependency 'aws-sdk', '~> 2'
|
23
22
|
s.add_development_dependency 'logstash-devutils'
|
23
|
+
s.add_development_dependency 'timecop'
|
24
24
|
end
|
25
25
|
|
@@ -2,6 +2,7 @@
|
|
2
2
|
require "logstash/devutils/rspec/spec_helper"
|
3
3
|
require "logstash/plugin_mixins/aws_config"
|
4
4
|
require 'aws-sdk'
|
5
|
+
require 'timecop'
|
5
6
|
|
6
7
|
class DummyInputAwsConfigV2 < LogStash::Inputs::Base
|
7
8
|
include LogStash::PluginMixins::AwsConfig::V2
|
@@ -15,26 +16,20 @@ class DummyInputAwsConfigV2NoRegionMethod < LogStash::Inputs::Base
|
|
15
16
|
include LogStash::PluginMixins::AwsConfig::V2
|
16
17
|
end
|
17
18
|
|
18
|
-
|
19
|
-
include LogStash::PluginMixins::AwsConfig
|
20
|
-
|
21
|
-
def aws_service_endpoint(region)
|
22
|
-
{ :dummy_input_aws_config_region => "#{region}.awswebservice.local" }
|
23
|
-
end
|
24
|
-
end
|
25
|
-
|
26
|
-
describe LogStash::PluginMixins::AwsConfig do
|
19
|
+
describe LogStash::PluginMixins::AwsConfig::V2 do
|
27
20
|
let(:settings) { {} }
|
28
21
|
|
29
|
-
subject {
|
22
|
+
subject { DummyInputAwsConfigV2.new(settings).aws_options_hash }
|
30
23
|
|
31
24
|
describe 'config credential' do
|
25
|
+
subject { DummyInputAwsConfigV2.new(settings).aws_options_hash[:credentials] }
|
32
26
|
|
33
27
|
context 'in credential file' do
|
34
28
|
let(:settings) { { 'aws_credentials_file' => File.join(File.dirname(__FILE__), '..', 'fixtures/aws_credentials_file_sample_test.yml') } }
|
35
29
|
|
36
30
|
it 'should support reading configuration from a yaml file' do
|
37
|
-
expect(subject).to
|
31
|
+
expect(subject.access_key_id).to eq("1234")
|
32
|
+
expect(subject.secret_access_key).to eq("secret")
|
38
33
|
end
|
39
34
|
end
|
40
35
|
|
@@ -43,9 +38,9 @@ describe LogStash::PluginMixins::AwsConfig do
|
|
43
38
|
let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret', 'session_token' => 'session_token' } }
|
44
39
|
|
45
40
|
it "should support passing as key, value, and session_token" do
|
46
|
-
expect(subject
|
47
|
-
expect(subject
|
48
|
-
expect(subject
|
41
|
+
expect(subject.access_key_id).to eq(settings['access_key_id'])
|
42
|
+
expect(subject.secret_access_key).to eq(settings['secret_access_key'])
|
43
|
+
expect(subject.session_token).to eq(settings['session_token'])
|
49
44
|
end
|
50
45
|
end
|
51
46
|
|
@@ -53,74 +48,109 @@ describe LogStash::PluginMixins::AwsConfig do
|
|
53
48
|
let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret' } }
|
54
49
|
|
55
50
|
it 'should support passing credentials as key, value' do
|
56
|
-
expect(subject
|
57
|
-
expect(subject
|
51
|
+
expect(subject.access_key_id).to eq(settings['access_key_id'])
|
52
|
+
expect(subject.secret_access_key).to eq(settings['secret_access_key'])
|
58
53
|
end
|
59
54
|
end
|
60
|
-
end
|
61
|
-
end
|
62
|
-
|
63
|
-
describe 'config region' do
|
64
|
-
context 'region provided' do
|
65
|
-
let(:settings) { { 'access_key_id' => '1234', 'secret_access_key' => 'secret', 'region' => 'us-west-2' } }
|
66
55
|
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
56
|
+
context 'role arn is provided' do
|
57
|
+
let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2' } }
|
58
|
+
let(:sts_double) { instance_double(Aws::STS::Client) }
|
59
|
+
let(:now) { Time.now }
|
60
|
+
let(:expiration) { Time.at(now.to_i + 3600) }
|
61
|
+
let(:temp_credentials) {
|
62
|
+
double(credentials:
|
63
|
+
double(
|
64
|
+
access_key_id: '1234',
|
65
|
+
secret_access_key: 'secret',
|
66
|
+
session_token: 'session_token',
|
67
|
+
expiration: expiration.to_s,
|
68
|
+
)
|
69
|
+
)
|
70
|
+
}
|
71
|
+
let(:new_temp_credentials) {
|
72
|
+
double(credentials:
|
73
|
+
double(
|
74
|
+
access_key_id: '5678',
|
75
|
+
secret_access_key: 'secret1',
|
76
|
+
session_token: 'session_token1',
|
77
|
+
expiration: expiration.to_s,
|
78
|
+
)
|
79
|
+
)
|
80
|
+
}
|
81
|
+
|
82
|
+
before do
|
83
|
+
allow(Aws::STS::Client).to receive(:new).and_return(sts_double)
|
84
|
+
allow(sts_double).to receive(:assume_role) {
|
85
|
+
if Time.now < expiration
|
86
|
+
temp_credentials
|
87
|
+
else
|
88
|
+
new_temp_credentials
|
89
|
+
end
|
90
|
+
}
|
91
|
+
end
|
71
92
|
|
72
|
-
|
73
|
-
|
93
|
+
it 'supports passing role_arn' do
|
94
|
+
Timecop.freeze(now) do
|
95
|
+
expect(subject.credentials.access_key_id).to eq('1234')
|
96
|
+
expect(subject.credentials.secret_access_key).to eq('secret')
|
97
|
+
expect(subject.credentials.session_token).to eq('session_token')
|
98
|
+
end
|
99
|
+
end
|
74
100
|
|
75
|
-
|
76
|
-
|
101
|
+
it 'rotates the keys once they expire' do
|
102
|
+
Timecop.freeze(Time.at(expiration.to_i + 100)) do
|
103
|
+
expect(subject.credentials.access_key_id).to eq('5678')
|
104
|
+
expect(subject.credentials.secret_access_key).to eq('secret1')
|
105
|
+
expect(subject.credentials.session_token).to eq('session_token1')
|
106
|
+
end
|
107
|
+
end
|
77
108
|
end
|
78
|
-
end
|
79
|
-
end
|
80
109
|
|
81
|
-
|
82
|
-
let(:settings) { {} }
|
83
|
-
it 'should always return a hash' do
|
84
|
-
expect(subject).to eq({ :use_ssl => true, :dummy_input_aws_config_region => "us-east-1.awswebservice.local" })
|
85
|
-
end
|
86
|
-
end
|
87
|
-
end
|
110
|
+
context 'role arn with credentials' do
|
88
111
|
|
89
|
-
|
90
|
-
|
112
|
+
let(:settings) do
|
113
|
+
{
|
114
|
+
'role_arn' => 'arn:aws:iam::012345678910:role/foo',
|
115
|
+
'region' => 'us-west-2',
|
91
116
|
|
92
|
-
|
117
|
+
'access_key_id' => '12345678',
|
118
|
+
'secret_access_key' => 'secret',
|
119
|
+
'session_token' => 'session_token',
|
93
120
|
|
94
|
-
|
95
|
-
|
121
|
+
'proxy_uri' => 'http://a-proxy.net:1234'
|
122
|
+
}
|
123
|
+
end
|
96
124
|
|
97
|
-
|
98
|
-
let(:settings) { { 'aws_credentials_file' => File.join(File.dirname(__FILE__), '..', 'fixtures/aws_credentials_file_sample_test.yml') } }
|
125
|
+
let(:aws_options_hash) { DummyInputAwsConfigV2NoRegionMethod.new(settings).aws_options_hash }
|
99
126
|
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
end
|
104
|
-
end
|
127
|
+
before do
|
128
|
+
allow_any_instance_of(Aws::AssumeRoleCredentials).to receive(:refresh) # called from #initialize
|
129
|
+
end
|
105
130
|
|
106
|
-
|
107
|
-
|
108
|
-
|
131
|
+
it 'uses credentials' do
|
132
|
+
subject = aws_options_hash[:credentials]
|
133
|
+
expect( subject ).to be_a Aws::AssumeRoleCredentials
|
134
|
+
expect( subject.client ).to be_a Aws::STS::Client
|
135
|
+
expect( credentials = subject.client.config.credentials ).to be_a Aws::Credentials
|
136
|
+
expect( credentials.access_key_id ).to eql '12345678'
|
137
|
+
end
|
109
138
|
|
110
|
-
it
|
111
|
-
|
112
|
-
expect(subject.
|
113
|
-
expect(subject.
|
139
|
+
it 'sets up proxy on client and region' do
|
140
|
+
subject = aws_options_hash[:credentials]
|
141
|
+
expect( subject.client.config.http_proxy ).to eql 'http://a-proxy.net:1234'
|
142
|
+
expect( subject.client.config.region ).to eql 'us-west-2' # probably redundant (kept for backwards compat)
|
114
143
|
end
|
115
|
-
end
|
116
144
|
|
117
|
-
|
118
|
-
|
145
|
+
it 'sets up proxy top level' do # setting in on the client isn't enough!
|
146
|
+
expect( aws_options_hash[:http_proxy] ).to eql 'http://a-proxy.net:1234'
|
147
|
+
end
|
119
148
|
|
120
|
-
it '
|
121
|
-
|
122
|
-
expect(
|
149
|
+
it 'sets up region top-level' do
|
150
|
+
# NOTE: this one is required for real with role_arn :
|
151
|
+
expect( aws_options_hash[:region] ).to eql 'us-west-2'
|
123
152
|
end
|
153
|
+
|
124
154
|
end
|
125
155
|
end
|
126
156
|
end
|
@@ -184,4 +214,5 @@ describe LogStash::PluginMixins::AwsConfig::V2 do
|
|
184
214
|
expect(subject).to eq({ :dummy_input_aws_config_region => "us-east-1.awswebservice.local" })
|
185
215
|
end
|
186
216
|
end
|
217
|
+
|
187
218
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-mixin-aws
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 5.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-04-27 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -47,38 +47,38 @@ dependencies:
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
48
|
requirement: !ruby/object:Gem::Requirement
|
49
49
|
requirements:
|
50
|
-
- - "
|
50
|
+
- - "~>"
|
51
51
|
- !ruby/object:Gem::Version
|
52
|
-
version:
|
53
|
-
name: aws-sdk
|
52
|
+
version: '2'
|
53
|
+
name: aws-sdk
|
54
54
|
prerelease: false
|
55
55
|
type: :runtime
|
56
56
|
version_requirements: !ruby/object:Gem::Requirement
|
57
57
|
requirements:
|
58
|
-
- - "
|
58
|
+
- - "~>"
|
59
59
|
- !ruby/object:Gem::Version
|
60
|
-
version:
|
60
|
+
version: '2'
|
61
61
|
- !ruby/object:Gem::Dependency
|
62
62
|
requirement: !ruby/object:Gem::Requirement
|
63
63
|
requirements:
|
64
|
-
- - "
|
64
|
+
- - ">="
|
65
65
|
- !ruby/object:Gem::Version
|
66
|
-
version:
|
67
|
-
name:
|
66
|
+
version: '0'
|
67
|
+
name: logstash-devutils
|
68
68
|
prerelease: false
|
69
|
-
type: :
|
69
|
+
type: :development
|
70
70
|
version_requirements: !ruby/object:Gem::Requirement
|
71
71
|
requirements:
|
72
|
-
- - "
|
72
|
+
- - ">="
|
73
73
|
- !ruby/object:Gem::Version
|
74
|
-
version:
|
74
|
+
version: '0'
|
75
75
|
- !ruby/object:Gem::Dependency
|
76
76
|
requirement: !ruby/object:Gem::Requirement
|
77
77
|
requirements:
|
78
78
|
- - ">="
|
79
79
|
- !ruby/object:Gem::Version
|
80
80
|
version: '0'
|
81
|
-
name:
|
81
|
+
name: timecop
|
82
82
|
prerelease: false
|
83
83
|
type: :development
|
84
84
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -86,7 +86,9 @@ dependencies:
|
|
86
86
|
- - ">="
|
87
87
|
- !ruby/object:Gem::Version
|
88
88
|
version: '0'
|
89
|
-
description: This gem is a Logstash plugin required to be installed on top of the
|
89
|
+
description: This gem is a Logstash plugin required to be installed on top of the
|
90
|
+
Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
|
91
|
+
gem is not a stand-alone program
|
90
92
|
email: info@elastic.co
|
91
93
|
executables: []
|
92
94
|
extensions: []
|
@@ -100,7 +102,6 @@ files:
|
|
100
102
|
- README.md
|
101
103
|
- lib/logstash/plugin_mixins/aws_config.rb
|
102
104
|
- lib/logstash/plugin_mixins/aws_config/generic.rb
|
103
|
-
- lib/logstash/plugin_mixins/aws_config/v1.rb
|
104
105
|
- lib/logstash/plugin_mixins/aws_config/v2.rb
|
105
106
|
- logstash-mixin-aws.gemspec
|
106
107
|
- spec/fixtures/aws_credentials_file_sample_test.yml
|
@@ -126,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
126
127
|
version: '0'
|
127
128
|
requirements: []
|
128
129
|
rubyforge_project:
|
129
|
-
rubygems_version: 2.
|
130
|
+
rubygems_version: 2.6.13
|
130
131
|
signing_key:
|
131
132
|
specification_version: 4
|
132
133
|
summary: AWS mixins to provide a unified interface for Amazon Webservice
|
@@ -1,56 +0,0 @@
|
|
1
|
-
# encoding: utf-8
|
2
|
-
require "logstash/plugin_mixins/aws_config/generic"
|
3
|
-
|
4
|
-
module LogStash::PluginMixins::AwsConfig::V1
|
5
|
-
def self.included(base)
|
6
|
-
# Make sure we require the V1 classes when including this module.
|
7
|
-
# require 'aws-sdk' will load v2 classes.
|
8
|
-
require "aws-sdk-v1"
|
9
|
-
base.extend(self)
|
10
|
-
base.send(:include, LogStash::PluginMixins::AwsConfig::Generic)
|
11
|
-
base.setup_aws_config
|
12
|
-
end
|
13
|
-
|
14
|
-
public
|
15
|
-
def setup_aws_config
|
16
|
-
# Should we require (true) or disable (false) using SSL for communicating with the AWS API
|
17
|
-
# The AWS SDK for Ruby defaults to SSL so we preserve that
|
18
|
-
config :use_ssl, :validate => :boolean, :default => true
|
19
|
-
end
|
20
|
-
|
21
|
-
public
|
22
|
-
def aws_options_hash
|
23
|
-
opts = {}
|
24
|
-
|
25
|
-
if @access_key_id.is_a?(NilClass) ^ @secret_access_key.is_a?(NilClass)
|
26
|
-
@logger.warn("Likely config error: Only one of access_key_id or secret_access_key was provided but not both.")
|
27
|
-
end
|
28
|
-
|
29
|
-
if @access_key_id && @secret_access_key
|
30
|
-
opts = {
|
31
|
-
:access_key_id => @access_key_id,
|
32
|
-
:secret_access_key => @secret_access_key
|
33
|
-
}
|
34
|
-
opts[:session_token] = @session_token if @session_token
|
35
|
-
elsif @aws_credentials_file
|
36
|
-
opts = YAML.load_file(@aws_credentials_file)
|
37
|
-
end
|
38
|
-
|
39
|
-
opts[:proxy_uri] = @proxy_uri if @proxy_uri
|
40
|
-
opts[:use_ssl] = @use_ssl
|
41
|
-
|
42
|
-
|
43
|
-
# The AWS SDK for Ruby doesn't know how to make an endpoint hostname from a region
|
44
|
-
# for example us-west-1 -> foosvc.us-west-1.amazonaws.com
|
45
|
-
# So our plugins need to know how to generate their endpoints from a region
|
46
|
-
# Furthermore, they need to know the symbol required to set that value in the AWS SDK
|
47
|
-
# Classes using this module must implement aws_service_endpoint(region:string)
|
48
|
-
# which must return a hash with one key, the aws sdk for ruby config symbol of the service
|
49
|
-
# endpoint, which has a string value of the service endpoint hostname
|
50
|
-
# for example, CloudWatch, { :cloud_watch_endpoint => "monitoring.#{region}.amazonaws.com" }
|
51
|
-
# For a list, see https://github.com/aws/aws-sdk-ruby/blob/master/lib/aws/core/configuration.rb
|
52
|
-
opts.merge!(self.aws_service_endpoint(@region))
|
53
|
-
|
54
|
-
return opts
|
55
|
-
end # def aws_options_hash
|
56
|
-
end
|