Skip to content

Commit

Permalink
fix(subscriber): set role ARN
Browse files Browse the repository at this point in the history
We were not correctly configuring the role ARN when setting a
subscription filter. This is only necessary when the destination is a
Kinesis Firehose delivery stream. Added unit test to verify the role ARN
is passed to cloudwatchlogs:PutSubscriptionFilter
  • Loading branch information
jta committed Dec 12, 2023
1 parent 016257a commit 042ec2f
Show file tree
Hide file tree
Showing 6 changed files with 40 additions and 11 deletions.
2 changes: 1 addition & 1 deletion cmd/subscriber/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ var env struct {
FilterName string `env:"FILTER_NAME"`
FilterPattern string `env:"FILTER_PATTERN"`
DestinationARN string `env:"DESTINATION_ARN"`
RoleARN string `env:"ROLE_ARN"`
RoleARN *string `env:"ROLE_ARN"`
LogGroupNamePatterns []string `env:"LOG_GROUP_NAME_PATTERNS"`
LogGroupNamePrefixes []string `env:"LOG_GROUP_NAME_PREFIXES"`
QueueURL string `env:"QUEUE_URL,required"`
Expand Down
10 changes: 6 additions & 4 deletions handler/subscriber/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,10 @@ type Config struct {
// DestinationARN to subscribe log groups to.
// If empty, delete any subscription filters we manage.
DestinationARN string
// RoleARN for subscription filter
RoleARN string

// RoleARN for subscription filter.
// Only required if destination is a firehose delivery stream
RoleARN *string

// LogGroupNamePrefixes contains a list of prefixes which restricts the log
// groups we operate on.
Expand Down Expand Up @@ -68,12 +70,12 @@ func (c *Config) Validate() error {
}
}

if c.RoleARN != "" {
if c.RoleARN != nil {
if c.DestinationARN == "" {
errs = append(errs, ErrMissingDestinationARN)
}

roleARN, err := arn.Parse(c.RoleARN)
roleARN, err := arn.Parse(*c.RoleARN)
if err != nil || roleARN.Service != "iam" || !strings.HasPrefix(roleARN.Resource, "role/") {
errs = append(errs, fmt.Errorf("failed to parse role: %w", ErrInvalidARN))
}
Expand Down
5 changes: 3 additions & 2 deletions handler/subscriber/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (
"github.com/observeinc/aws-sam-testing/handler/handlertest"
"github.com/observeinc/aws-sam-testing/handler/subscriber"

"github.com/aws/aws-sdk-go-v2/aws"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
)
Expand Down Expand Up @@ -45,7 +46,7 @@ func TestConfig(t *testing.T) {
Config: subscriber.Config{
CloudWatchLogsClient: &handlertest.CloudWatchLogsClient{},
FilterName: "observe-logs-subscription",
RoleARN: "arn:aws:iam::123456789012:role/test",
RoleARN: aws.String("arn:aws:iam::123456789012:role/test"),
},
ExpectError: subscriber.ErrMissingDestinationARN,
},
Expand All @@ -55,7 +56,7 @@ func TestConfig(t *testing.T) {
CloudWatchLogsClient: &handlertest.CloudWatchLogsClient{},
FilterName: "observe-logs-subscription",
DestinationARN: "arn:aws:firehose:us-west-2:123456789012:deliverystream/test",
RoleARN: "arn:aws:iam::123456789012:role/test",
RoleARN: aws.String("arn:aws:iam::123456789012:role/test"),
},
},
{
Expand Down
2 changes: 1 addition & 1 deletion handler/subscriber/handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ func New(cfg *Config) (*Handler, error) {
FilterName: aws.String(cfg.FilterName),
FilterPattern: aws.String(cfg.FilterPattern),
DestinationArn: aws.String(cfg.DestinationARN),
RoleArn: aws.String(cfg.RoleARN),
RoleArn: cfg.RoleARN,
},
logGroupNameFilter: cfg.LogGroupFilter(),
}
Expand Down
4 changes: 2 additions & 2 deletions handler/subscriber/subscription.go
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ func (h *Handler) SubscriptionFilterDiff(subscriptionFilters []types.Subscriptio
FilterName: h.subscriptionFilter.FilterName,
FilterPattern: h.subscriptionFilter.FilterPattern,
DestinationArn: h.subscriptionFilter.DestinationArn,
RoleArn: h.subscriptionFilter.LogGroupName,
RoleArn: h.subscriptionFilter.RoleArn,
})
}
}
Expand All @@ -133,7 +133,7 @@ func (h *Handler) SubscriptionFilterDiff(subscriptionFilters []types.Subscriptio
FilterName: h.subscriptionFilter.FilterName,
FilterPattern: h.subscriptionFilter.FilterPattern,
DestinationArn: h.subscriptionFilter.DestinationArn,
RoleArn: h.subscriptionFilter.LogGroupName,
RoleArn: h.subscriptionFilter.RoleArn,
})
}

Expand Down
28 changes: 27 additions & 1 deletion handler/subscriber/subscription_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,32 @@ func TestSubscriptionFilterDiff(t *testing.T) {
},
},
},
{
Configure: types.SubscriptionFilter{
FilterName: aws.String("observe"),
DestinationArn: aws.String("arn:aws:firehose:us-west-2:123456789012:deliverystream/example"),
RoleArn: aws.String("arn:aws:iam::123456789012:role/example"),
},
Existing: []types.SubscriptionFilter{
{
FilterName: aws.String("foo"),
},
{
FilterName: aws.String("observe-logs-subscription"),
},
},
ExpectedActions: []any{
&cloudwatchlogs.DeleteSubscriptionFilterInput{
FilterName: aws.String("observe-logs-subscription"),
},
&cloudwatchlogs.PutSubscriptionFilterInput{
FilterName: aws.String("observe"),
FilterPattern: aws.String(""),
DestinationArn: aws.String("arn:aws:firehose:us-west-2:123456789012:deliverystream/example"),
RoleArn: aws.String("arn:aws:iam::123456789012:role/example"),
},
},
},
{
/*
Do nothing if we exceed the two subscription filter limit
Expand Down Expand Up @@ -201,7 +227,7 @@ func TestSubscriptionFilterDiff(t *testing.T) {
CloudWatchLogsClient: &handlertest.CloudWatchLogsClient{},
FilterName: aws.ToString(tt.Configure.FilterName),
DestinationARN: aws.ToString(tt.Configure.DestinationArn),
RoleARN: aws.ToString(tt.Configure.RoleArn),
RoleARN: tt.Configure.RoleArn,
})
if err != nil {
t.Fatal(err)
Expand Down

0 comments on commit 042ec2f

Please sign in to comment.