logstash-mixin-aws 4.2.4 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6bedbceb9fed81fbc39b3f594bc18f6cacde35aea4a00ebf90aa495612ee335f
-  data.tar.gz: 7f14178a1db3ae963ac2fa4c6af0c37c42e888e30dd6ed32bdbfc0cc9fd3b007
+  metadata.gz: b584d410d71c4c32fc3b1cf34e9b4836f805cdf7c6f6eb5a1ea4be3e4d8c5d91
+  data.tar.gz: 5d772f5b89e35fef12781cb647cb7ceb1d0116304a53d81628897fcce94f2e05
 SHA512:
-  metadata.gz: b6c7f25b4e78760eddf77e1b98a659110b5765a28b52699ba58eddc85e268c860efa1d520a944f43e911ed145326bffb26fb5ef9df47c283c8357e3188e8abe8
-  data.tar.gz: 2bf224f332efe3e49a8767348425ec1da7a2ee3d5820ac078e058093090011d8f199e38d80c5974eb06a9e01426a6b9a96576dd1b2cae10f060b93902b182616
+  metadata.gz: 2cbad158d9eef2eafb325b4b8e3854ecd7c86e5a65e9d86042ee0979bb6644a49923f82c9bbe3b4e26e7fe664751074709fb261bc4572fa9fae3c8bef59c22c9
+  data.tar.gz: 54eff45517da99de84a296b882d3bfa37d455823b2ce3dd3d9a42cdb6f7d593de3fd416c7f9ad84f1d5b0e136ea30944a59871fe85de68e54b5dad8e954ac788

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 4.3.0
+  - Drop strict value validation for region option #36
+  - Add endpoint option to customize the endpoint uri #32
+  - Allow user to provide a role to assume #27
+  - Update aws-sdk dependency to '~> 2'
+
 ## 4.2.4
   - Minor config validation fixes
 

data/lib/logstash/plugin_mixins/aws_config.rb

@@ -9,11 +9,6 @@ module LogStash::PluginMixins::AwsConfig
   require "logstash/plugin_mixins/aws_config/v2"
 
   US_EAST_1 = "us-east-1"
-  REGIONS_ENDPOINT = [US_EAST_1, "us-east-2", "us-west-1", "us-west-2",
-                      "eu-central-1", "eu-west-1", "eu-west-2",
-                      "ap-southeast-1", "ap-southeast-2", "ap-northeast-1",
-                      "ap-northeast-2", "sa-east-1", "us-gov-west-1",
-                      "cn-north-1", "ap-south-1", "ca-central-1"]
 
   def self.included(base)
     # Add these methods to the 'base' given.

data/lib/logstash/plugin_mixins/aws_config/generic.rb

@@ -6,11 +6,11 @@ module LogStash::PluginMixins::AwsConfig::Generic
 
   def generic_aws_config
     # The AWS Region
-    config :region, :validate => LogStash::PluginMixins::AwsConfig::REGIONS_ENDPOINT, :default => LogStash::PluginMixins::AwsConfig::US_EAST_1 
+    config :region, :validate => :string, :default => LogStash::PluginMixins::AwsConfig::US_EAST_1
 
     # This plugin uses the AWS SDK and supports several ways to get credentials, which will be tried in this order:
     #
-    # 1. Static configuration, using `access_key_id` and `secret_access_key` params in logstash plugin config
+    # 1. Static configuration, using `access_key_id` and `secret_access_key` params or `role_arn` in the logstash plugin config
     # 2. External credentials file specified by `aws_credentials_file`
     # 3. Environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
     # 4. Environment variables `AMAZON_ACCESS_KEY_ID` and `AMAZON_SECRET_ACCESS_KEY`
@@ -26,6 +26,17 @@ module LogStash::PluginMixins::AwsConfig::Generic
     # URI to proxy server if required
     config :proxy_uri, :validate => :string
 
+    # Custom endpoint to connect to s3
+    config :endpoint, :validate => :string
+
+    # The AWS IAM Role to assume, if any.
+    # This is used to generate temporary credentials typically for cross-account access.
+    # See https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for more information.
+    config :role_arn, :validate => :string
+
+    # Session name to use when assuming an IAM role
+    config :role_session_name, :validate => :string, :default => "logstash"
+
     # Path to YAML file containing a hash of AWS credentials.
     # This file will only be loaded if `access_key_id` and
     # `secret_access_key` aren't set. The contents of the

data/lib/logstash/plugin_mixins/aws_config/v1.rb

@@ -22,6 +22,10 @@ module LogStash::PluginMixins::AwsConfig::V1
   def aws_options_hash
     opts = {}
 
+    if @role_arn || @role_session_name
+      @logger.warn("role_arn and role_session_name settings are not supported in the v1 plugin")
+    end
+
     if @access_key_id.is_a?(NilClass) ^ @secret_access_key.is_a?(NilClass)
       @logger.warn("Likely config error: Only one of access_key_id or secret_access_key was provided but not both.")
     end
@@ -51,6 +55,10 @@ module LogStash::PluginMixins::AwsConfig::V1
     # For a list, see https://github.com/aws/aws-sdk-ruby/blob/master/lib/aws/core/configuration.rb
     opts.merge!(self.aws_service_endpoint(@region))
 
+    if !@endpoint.is_a?(NilClass)
+      opts[:endpoint] = @endpoint
+    end
+
     return opts
   end # def aws_options_hash
 end

data/lib/logstash/plugin_mixins/aws_config/v2.rb

@@ -34,6 +34,10 @@ module LogStash::PluginMixins::AwsConfig::V2
       opts.merge!({ :region => @region })
     end
 
+    if !@endpoint.is_a?(NilClass)
+      opts[:endpoint] = @endpoint
+    end
+
     return opts
   end
 
@@ -47,15 +51,25 @@ module LogStash::PluginMixins::AwsConfig::V2
                    }
 
                    credentials_opts[:session_token] = @session_token.value if @session_token
+                   Aws::Credentials.new(credentials_opts[:access_key_id],
+                                        credentials_opts[:secret_access_key],
+                                        credentials_opts[:session_token])
                  elsif @aws_credentials_file
                    credentials_opts = YAML.load_file(@aws_credentials_file)
-                 end
-
-                 if credentials_opts
                    Aws::Credentials.new(credentials_opts[:access_key_id],
                                         credentials_opts[:secret_access_key],
                                         credentials_opts[:session_token])
+                 elsif @role_arn
+                   assume_role
                  end
                end
   end
+
+  def assume_role
+    Aws::AssumeRoleCredentials.new(
+      :client => Aws::STS::Client.new(:region => @region),
+      :role_arn => @role_arn,
+      :role_session_name => @role_session_name
+    )
+  end
 end

data/logstash-mixin-aws.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-mixin-aws'
-  s.version         = '4.2.4'
+  s.version         = '4.3.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "AWS mixins to provide a unified interface for Amazon Webservice"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -19,7 +19,8 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'logstash-codec-plain'
   s.add_runtime_dependency 'aws-sdk-v1', '>= 1.61.0'
-  s.add_runtime_dependency 'aws-sdk', '~> 2.3.0'
+  s.add_runtime_dependency 'aws-sdk', '~> 2'
   s.add_development_dependency 'logstash-devutils'
+  s.add_development_dependency 'timecop'
 end
 

data/spec/plugin_mixin/aws_config_spec.rb

@@ -2,6 +2,7 @@
 require "logstash/devutils/rspec/spec_helper"
 require "logstash/plugin_mixins/aws_config"
 require 'aws-sdk'
+require 'timecop'
 
 class DummyInputAwsConfigV2 < LogStash::Inputs::Base
   include LogStash::PluginMixins::AwsConfig::V2
@@ -81,6 +82,16 @@ describe LogStash::PluginMixins::AwsConfig do
     end
   end
 
+  describe 'config endpoint' do
+    context "endpoint provided" do
+      let(:settings) { { 'access_key_id' => '1234',  'secret_access_key' => 'secret', 'endpoint' => 'http://localhost'} }
+
+      it 'should use specified endpoint' do
+          expect(subject[:endpoint]).to eq("http://localhost")
+      end
+    end
+  end
+
   context 'when we arent providing credentials' do
     let(:settings) { {} }
     it 'should always return a hash' do
@@ -125,6 +136,60 @@ describe LogStash::PluginMixins::AwsConfig::V2 do
           expect(subject.secret_access_key).to eq(settings['secret_access_key'])
         end
       end
+
+      context 'role arn is provided' do
+        let(:settings) { { 'role_arn' => 'arn:aws:iam::012345678910:role/foo', 'region' => 'us-west-2' } }
+        let(:sts_double) { instance_double(Aws::STS::Client) }
+        let(:now) { Time.now }
+        let(:expiration) { Time.at(now.to_i + 3600) }
+        let(:temp_credentials) {
+          double(credentials:
+                  double(
+                    access_key_id: '1234',
+                    secret_access_key: 'secret',
+                    session_token: 'session_token',
+                    expiration: expiration.to_s,
+                  )
+                )
+        }
+        let(:new_temp_credentials) {
+          double(credentials:
+                  double(
+                    access_key_id: '5678',
+                    secret_access_key: 'secret1',
+                    session_token: 'session_token1',
+                    expiration: expiration.to_s,
+                  )
+                )
+        }
+
+        before do
+          allow(Aws::STS::Client).to receive(:new).and_return(sts_double)
+          allow(sts_double).to receive(:assume_role)  {
+            if Time.now < expiration
+              temp_credentials
+            else
+              new_temp_credentials
+            end
+          }
+        end
+
+        it 'supports passing role_arn' do
+          Timecop.freeze(now) do
+            expect(subject.credentials.access_key_id).to eq('1234')
+            expect(subject.credentials.secret_access_key).to eq('secret')
+            expect(subject.credentials.session_token).to eq('session_token')
+          end
+        end
+
+        it 'rotates the keys once they expire' do
+          Timecop.freeze(Time.at(expiration.to_i + 100)) do
+            expect(subject.credentials.access_key_id).to eq('5678')
+            expect(subject.credentials.secret_access_key).to eq('secret1')
+            expect(subject.credentials.session_token).to eq('session_token1')
+          end
+        end       
+      end
     end
   end
 
@@ -187,4 +252,5 @@ describe LogStash::PluginMixins::AwsConfig::V2 do
       expect(subject).to eq({ :dummy_input_aws_config_region => "us-east-1.awswebservice.local" })  
     end
   end
+
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-mixin-aws
 version: !ruby/object:Gem::Version
-  version: 4.2.4
+  version: 4.3.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-02-27 00:00:00.000000000 Z
+date: 2018-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -63,7 +63,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: '2'
   name: aws-sdk
   prerelease: false
   type: :runtime
@@ -71,7 +71,7 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: '2'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -86,6 +86,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: timecop
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: This gem is a Logstash plugin required to be installed on top of the
   Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
   gem is not a stand-alone program