
OOTB support AWS Eventbridge #40006

Merged (19 commits), Sep 13, 2024

Conversation

mjmbischoff (Contributor) commented Jun 25, 2024

Proposed commit message

Adding OOTB support AWS Eventbridge generated events for S3 changes, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventBridge.html

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

The logic is triggered as a fall-through and is best effort.

Author's Checklist

  • Check for idiomatic golang constructs not being used; with golang not being my primary language, there's a good chance for non-idiomatic constructs to sneak in.

How to test this PR locally

Since it relies on an AWS setup, testing locally beyond unit tests is not possible.
See /beats/x-pack/filebeat/input/awss3/_meta/terraform/README.md. I don't have localstack, so it's not truly 'local', but it can run against AWS.

Related issues

As it was discovered as part of a support ticket, there should be an ER linked.

Use cases

AWS has added a new way to notify on S3 changes: next to the existing plain SQS and SNS->SQS, AWS now also supports using AWS EventBridge -> SQS.

This PR achieves two goals:

  • No longer need a custom script (which is the current workaround)
  • Improve user experience by allowing it to 'work out of the box'

@mjmbischoff mjmbischoff requested a review from a team as a code owner June 25, 2024 02:02
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 25, 2024
cla-checker-service bot commented Jun 25, 2024

💚 CLA has been signed

mergify bot (Contributor) commented Jun 25, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @mjmbischoff? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

@mjmbischoff mjmbischoff added the in progress Pull request is currently in progress. label Jun 25, 2024
@mjmbischoff mjmbischoff requested a review from a team as a code owner June 25, 2024 08:04
@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Jun 25, 2024
elasticmachine (Collaborator) commented:

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 25, 2024
@pierrehilbert pierrehilbert added the Team:Cloud-Monitoring Label for the Cloud Monitoring team label Jun 25, 2024
@mjmbischoff mjmbischoff requested a review from a team as a code owner June 25, 2024 08:48
@mjmbischoff mjmbischoff requested a review from a team as a code owner June 25, 2024 09:08
@mjmbischoff mjmbischoff force-pushed the ootb-aws-eventbridge branch 2 times, most recently from a5325e6 to 786192b Compare June 25, 2024 09:14
Review comment on filebeat/tests/system/test_autodiscover.py (outdated, resolved)
Review comment on x-pack/filebeat/input/awss3/sqs_test.go (outdated, resolved)
mjmbischoff (Contributor, Author) commented:

As a general comment; it looks like aws security-lake uses the same format for notifications but omits the detail-type field: https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-data-access.html#sample-notification

Also really liking the part where none of these protocols look like they're versioned or anything. 😞

mjmbischoff (Contributor, Author) commented Jun 26, 2024

As a general comment; it looks like aws security-lake uses the same format for notifications but omits the detail-type field: https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-data-access.html#sample-notification

Also really liking the part where none of these protocols look like they're versioned or anything. 😞

We have an integration for Amazon Security Lake which currently reads:

The Amazon Security Lake integration currently supports only one mode of log collection:

AWS S3 polling mode: Amazon Security Lake writes data to S3, and Elastic Agent polls the S3 bucket by listing its contents and reading new files.

This change would also allow us to improve that integration; again, the detail-type field is in question. I guess we should spin up an AWS security lake setup to verify. I hope it's there and the documentation is off, as I don't think it's safe to assume every event is object created when the field is not available.

The integration is now quite limited as a lot of users have a retention long enough that there's enough objects in the bucket that polling becomes prohibitively expensive.
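The two notification shapes discussed in this thread (the PR description's classic S3/SNS path with EventBridge as the fall-through, and the Security Lake question above about a notification that omits detail-type) as an added Go example, not code from the Filebeat awss3 input: a parser that tries the classic Records format first, falls through to the EventBridge envelope only when no Records array is present, and refuses to guess the event kind when detail-type is absent. The struct shapes follow the two AWS notification formats; the type and function names and the sample message bodies are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// S3Object is the bucket/key pair a notification tells us to read.
type S3Object struct {
	Bucket string
	Key    string
}

// classicNotification is the shape S3 sends to SQS directly (or wrapped by SNS).
type classicNotification struct {
	Records []struct {
		EventSource string `json:"eventSource"`
		EventName   string `json:"eventName"`
		S3          struct {
			Bucket struct{ Name string `json:"name"` } `json:"bucket"`
			Object struct{ Key string `json:"key"` }   `json:"object"`
		} `json:"s3"`
	} `json:"Records"`
}

// eventBridgeNotification is the shape of an S3 event that reaches SQS via an EventBridge rule.
// DetailType is a pointer so that an absent field is distinguishable from an empty one.
type eventBridgeNotification struct {
	DetailType *string `json:"detail-type"`
	Source     string  `json:"source"`
	Detail     struct {
		Bucket struct{ Name string `json:"name"` } `json:"bucket"`
		Object struct{ Key string `json:"key"` }   `json:"object"`
	} `json:"detail"`
}

// ErrUnrecognized is returned when the body matches neither format.
var ErrUnrecognized = errors.New("notification format not recognized")

// ParseNotification tries the classic S3 format first and falls through to the
// EventBridge format only when no Records array is present (best effort, as in the PR).
func ParseNotification(body []byte) ([]S3Object, error) {
	var classic classicNotification
	if err := json.Unmarshal(body, &classic); err == nil && len(classic.Records) > 0 {
		var objs []S3Object
		for _, r := range classic.Records {
			// Only creation events from S3 point at something readable.
			if r.EventSource != "aws:s3" || !strings.HasPrefix(r.EventName, "ObjectCreated:") {
				continue
			}
			// Classic notifications URL-encode the key (spaces arrive as '+').
			key, err := url.QueryUnescape(r.S3.Object.Key)
			if err != nil {
				return nil, fmt.Errorf("decoding object key %q: %w", r.S3.Object.Key, err)
			}
			objs = append(objs, S3Object{Bucket: r.S3.Bucket.Name, Key: key})
		}
		return objs, nil
	}

	var eb eventBridgeNotification
	if err := json.Unmarshal(body, &eb); err != nil || eb.Source != "aws.s3" {
		return nil, ErrUnrecognized
	}
	// A missing detail-type is rejected rather than assumed to mean "Object Created".
	if eb.DetailType == nil {
		return nil, errors.New("eventbridge event has no detail-type; refusing to guess the event kind")
	}
	if *eb.DetailType != "Object Created" {
		return nil, nil // e.g. "Object Deleted": a valid event with nothing to read
	}
	if eb.Detail.Bucket.Name == "" || eb.Detail.Object.Key == "" {
		return nil, errors.New("eventbridge event is missing bucket name or object key")
	}
	return []S3Object{{Bucket: eb.Detail.Bucket.Name, Key: eb.Detail.Object.Key}}, nil
}

// Constructed sample bodies for this example (not captured from a real account).
const (
	SampleEventBridge  = `{"version":"0","id":"00000000-0000-0000-0000-000000000000","detail-type":"Object Created","source":"aws.s3","account":"123456789012","time":"2024-06-25T02:02:00Z","region":"us-east-1","resources":["arn:aws:s3:::example-bucket"],"detail":{"version":"0","bucket":{"name":"example-bucket"},"object":{"key":"logs/2024/06/25/app.log.gz","size":5},"reason":"PutObject"}}`
	SampleDeleted      = `{"version":"0","detail-type":"Object Deleted","source":"aws.s3","detail":{"bucket":{"name":"example-bucket"},"object":{"key":"logs/old.log.gz"}}}`
	SampleNoDetailType = `{"version":"0","source":"aws.s3","detail":{"bucket":{"name":"example-bucket"},"object":{"key":"logs/app.log.gz"}}}`
	SampleClassic      = `{"Records":[{"eventVersion":"2.1","eventSource":"aws:s3","eventName":"ObjectCreated:Put","s3":{"bucket":{"name":"example-bucket"},"object":{"key":"logs/my+file.log"}}}]}`
)

func main() {
	samples := map[string]string{"eventbridge": SampleEventBridge, "deleted": SampleDeleted,
		"no-detail-type": SampleNoDetailType, "classic": SampleClassic}
	for name, body := range samples {
		objs, err := ParseNotification([]byte(body))
		fmt.Printf("%-15s objs=%v err=%v\n", name, objs, err)
	}
}
```

The order matters: the classic format is tried first because it is the established path, and the EventBridge branch is reached only when no Records array is present, which is the fall-through the PR description mentions. Treating a missing detail-type as an error (distinct from ErrUnrecognized) keeps the input from reading objects on the strength of an assumption.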

mjmbischoff (Contributor, Author) commented:

02cae8e to cover 'I have made corresponding changes to the documentation'

mergify bot (Contributor) commented Jun 26, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b ootb-aws-eventbridge upstream/ootb-aws-eventbridge
git merge upstream/main
git push upstream ootb-aws-eventbridge

mjmbischoff (Contributor, Author) commented:

and a8eb074 to cover changelog item.

@mjmbischoff mjmbischoff requested review from a team as code owners June 26, 2024 10:55
mjmbischoff (Contributor, Author) commented:

@belimawr Can you do a final check?

pierrehilbert (Collaborator) commented:

Hey @mjmbischoff
@belimawr is currently in PTO.
Do we have any urgency or should we just wait for him to come back (in one more week)?

mjmbischoff (Contributor, Author) commented:

@pierrehilbert As long as it 'stays on the radar' it should be fine.

mergify bot (Contributor) commented Jul 28, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b ootb-aws-eventbridge upstream/ootb-aws-eventbridge
git merge upstream/main
git push upstream ootb-aws-eventbridge

Review comment on CHANGELOG.next.asciidoc (outdated, resolved)
# Conflicts:
#	x-pack/filebeat/input/awss3/input_benchmark_test.go
mergify bot (Contributor) commented Aug 23, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b ootb-aws-eventbridge upstream/ootb-aws-eventbridge
git merge upstream/main
git push upstream ootb-aws-eventbridge

@mjmbischoff mjmbischoff enabled auto-merge (squash) August 26, 2024 18:28
pierrehilbert (Collaborator) commented:

@graphaelli (as Baptiste is off) @narph @lalit-satapathy could we have someone in your teams to review this PR please?
@alexsapran if you can review for the Ingest Eng Prod part it would be awesome.

alexsapran (Contributor) commented:

@alexsapran if you can review for the Ingest Eng Prod part it would be awesome.

I think what prevents our BK from running this PR is the following issue #40503
So I would rely on manual testing, which I admit I am unfamiliar with, so I am not sure my review would be of much value, as it requires only manual testing.

@@ -586,6 +586,13 @@ Please see https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-not
for more details. SQS queue will be configured as a
https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html[subscriber to the SNS topic].

[float]
=== S3 -> EventBridge -> SQS setup
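Review bot: the hunk header reports seven added lines at 586, but only the new `[float]` / `=== S3 -> EventBridge -> SQS setup` heading is visible in this excerpt; the body of the new section should mirror the SNS section right above it (which links the AWS page and states how the SQS queue is wired as a subscriber) by linking the EventBridge-for-S3 page cited in the PR description (https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventBridge.html), describing the EventBridge rule that targets the queue, and stating that the queue's access policy has to grant EventBridge permission to send to it, since a queue that never receives events is otherwise hard to diagnose.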
Contributor (review comment on the hunk above):

Just a thought here: maybe we can add a cloudformation template to help set up s3 -> eventbridge -> sqs?
We are working on adding a template for the s3-sqs setup: #40642
(not required change for this pr)

ycombinator (Contributor) commented:

@mjmbischoff There are some merge conflicts on this PR now. Would you mind rebasing it on main and fixing those conflicts? Thanks!

mergify bot (Contributor) commented Sep 13, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Sep 13, 2024
@mjmbischoff mjmbischoff merged commit c37159e into elastic:main Sep 13, 2024
20 checks passed
mergify bot pushed a commit that referenced this pull request Sep 13, 2024
Adding code to OOTB support AWS Eventbridge generated events for S3 changes, see https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventBridge.html

(cherry picked from commit c37159e)
@mjmbischoff mjmbischoff deleted the ootb-aws-eventbridge branch September 13, 2024 16:14
Labels
backport-8.x Automated backport to the 8.x branch with mergify enhancement Team:Cloud-Monitoring Label for the Cloud Monitoring team Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team Team:obs-ds-hosted-services Label for the Observability Hosted Services team Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution Team:Security-Linux Platform Linux Platform Team in Security Solution Team:Security-Service Integrations Security Service Integrations Team