[AWS] Add common variables to all SQS-based AWS inputs

[kpollich]

Summary

• Add endpoint + region variables to S3 inputs for the following policy templates
  • apigateway_logs
  • cloudfront_logs
  • cloudtrail
  • ec2_logs
  • elb_logs
  • emr_logs
  • firewall_logs
  • guardduty
  • route53_resolver_logs
  • s3access
  • vpcflow
  • waf
• Expose a custom field on all S3 inputs for the following policy templates
  • apigateway_logs
  • cloudfront_logs
  • cloudtrail
  • ec2_logs
  • elb_logs
  • emr_logs
  • firewall_logs
  • guardduty
  • route53_resolver_logs
  • s3access
  • vpcflow
  • waf
• (Stretch goal) Expose a custom field for all Cloudwatch inputs on all policy templates - [AWS] Add custom variable to all Cloudwatch inputs and at the package level #10002
• (Stretch goal) Expose a custom field at the package level - [AWS] Add custom variable to all Cloudwatch inputs and at the package level #10002

Proposed commit message

Add endpoint, region, and custom common variables to all aws-s3 inputs

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• It'd be nice if someone could help me with testing this as I'm not sure how to manually verify

How to test this PR locally

😅

Related issues

FYI this is related to an ongoing escalation related to pulling logs out of an SQS queue.

[kpollich]

Seems like this file just got changed by the linter 🤷

[strawgate]

Haiku:
Code repository,
Today, not the time to lint,
Tomorrow, perhaps.

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[strawgate]

Building on elastic/beats#38189

[strawgate]

perhaps we use this as an opportunity to make this say that endpoint can also be a domain?

[kpollich]

What do you propose for the new description value, in that case?

URL/domain of the entry point for an AWS web service

Is this sufficient?

[strawgate]

I'm actually pretty sure I lied and it can't be a domain. I'll verify on Monday

[kpollich]

@elastic/obs-ds-hosted-services @elastic/security-service-integrations @elastic/obs-infraobs-integrations - Would you be able to take a look this soon? I'd also appreciate some help testing this change as I don't have an environment setup where I can test the endpoint behavior for these data streams. Are there instructions to do this anywhere that I could reference?

[kaiyan-sheng]

Thanks for adding this parameter! I didn't realize we are missing this one for the whole time...

[kpollich]

FYI I opted to just bump to 2.15.3 rather than doing a prerelease build

[strawgate]

edit: everything i typed below is irrelevant, see next post

Looking at this, the endpoint field is required but it's not enough.

It looks like default_region isn't wired up everywhere and that we have inputs that require region to be explicitly set if it cant be parsed from the URL (which it kinda looks like it can never be parsed from the query_url...?)

In the SQS input the region pulling logic is

	if (u.Scheme == "https" || u.Scheme == "http") && u.Host != "" {
		queueHostSplit := strings.SplitN(u.Host, ".", 3)
		if len(queueHostSplit) == 3 {
			if queueHostSplit[2] == endpoint || (endpoint == "" && strings.HasPrefix(queueHostSplit[2], "amazonaws.")) {
				region = queueHostSplit[1]
				if defaultRegion != "" && region != defaultRegion {
					return defaultRegion, regionMismatchError{queueURLRegion: region, defaultRegion: defaultRegion}
				}
				return region, nil
			}
		} else if defaultRegion != "" {
			return defaultRegion, nil
		}
	}
	return "", errBadQueueURL
}

But endpoint always has a scheme and queueHostSplit[2] will never have a scheme so this cannot match.

I believe we will have to expose a "region" field or a "custom_settings" for the SQS inputs in the integration.

it also looks like the getRegionFromQueue expects the defaultRegion param but we actually just pass the region param

		regionName, err := getRegionFromQueueURL(in.config.QueueURL, in.config.AWSConfig.Endpoint, in.config.RegionName)

So based on this we have 4 options as I see it:

1. Add the endpoint and region field onto each part of the AWS integration with an SQS url and S3 bucket
2. Add the endpoint and region field onto the top-level settings of the AWS integration and apply it to all policy components
3. Add a custom settings field onto each part of the AWS integration like we have in the AWS Custom Logs integration
4. Add a custom settings field onto the top-level settings of the AWS integration and apply it to all policy components

My order of preference is 1,4,2,3 but I think all would solve the customer's problem

[strawgate]

I chatted with @faec for a bit and I think endpoint isn't even used for this flow and all we actually need is to either:

1. Expose a region field on each SQS-S3 based component of the AWS integration
2. Expose a region field at the integration level
3. Expose a custom configurations field on each component of the AWS integration like we do for aws custom_logs
4. Expose a custom configuration field at the integration level

as an aside: It's unclear to me why setting defaultregion doesn't work in this situation. If it works as a default then having defaultregion and region at the integration level seems odd but having defaultregion at the integration level and region at the component level makes some sense.

default_region: Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.

[strawgate]

Ok so we found a bunch of beats issues we're going to fix separately. Kyle and I agreed that we will expose region and endpoint on each aws integration component and also a custom_configuration at the top-level and at the integration component level.

Due to bugs in beats elastic/beats#39709 these will work for s3 polling but not for the sqs queue part until 8.14

[agithomas]

@elastic/obs-ds-hosted-services @elastic/security-service-integrations @elastic/obs-infraobs-integrations - Would you be able to take a look this soon? I'd also appreciate some help testing this change as I don't have an environment setup where I can test the endpoint behavior for these data streams. Are there instructions to do this anywhere that I could reference?

@kaiyan-sheng , are there specific instructions that can be followed to test this feature?

[efd6]

This doesn't appear to be being used in this data stream.

[kpollich]

Yep this was a WIP commit. I'm still actively working on finalizing this PR. Thanks for taking a look!

[kpollich]

@efd6 - These should all be updated and accurate now. Thanks again for reviewing 🙏

[efd6]

Same here and below with exception noted.

[efd6]

This one is used.

[efd6]

I don't see endpoint in the manifest. Also, is region intentionally not added here?

[efd6]

I don't see endpoint in the manifest, and missing region?

[kpollich]

In an effort to not balloon the scope of this PR to almost the entire AWS integration, I'm taking the following stretch goals from the description and moving them into a separate issue to put on the backlog:

(Stretch goal) Expose a custom field for all Cloudwatch inputs on all policy templates
(Stretch goal) Expose a custom field at the package level

I've created #10002 to capture this work. The ingest team is okay with shipping these changes only for S3 inputs in an effort to resolve the ongoing escalation more quickly.

[efd6]

Just noting that the custom configuration field is the sharpest user-facing tool that I've seen.

[efd6]

Blank line needed? Ah, I see elastic-package check is adding it. Why?

[efd6]

Blank line.

[kpollich]

I was able to remove the blank line in the cloudtrail manifest, which I think was just erroneous, but elastic-package check always seems to add a newline after multiline YAML values like we're using in description here.

I also tried forcing the string onto multiple lines with line breaks, and the linter rewrites it to a single line with a blank line afterwards. I'm not sure why this happens. Maybe @jsoriano would know.

[efd6]

Blank line.

[efd6]

Blank line.

[strawgate]

Looking forward to getting this out the door, let me know if it looks like we can't merge by the end of the week!

[kaiyan-sheng]

@kaiyan-sheng , are there specific instructions that can be followed to test this feature?

Sorry we don't have any documented instructions for it. Maybe the AWS documentation will help?

[kpollich]

This needs a final codeowner review from @elastic/obs-infraobs-integrations.

@strawgate - You mentioned you have an environment where this could be tested. Is that something you can help with before this gets merged?

[strawgate]

One way or another I'll get this tested today!

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: c5f7f53

History

• 💚 Build #12000 succeeded 52b0ff7
• 💚 Build #11838 succeeded 572297b
• 💚 Build #11830 succeeded 52e0d49
• 💚 Build #11690 succeeded f3dc2a6
• 💚 Build #11444 succeeded 9a97542

cc @kpollich

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

[strawgate]

To test this you setup an S3 bucket, enable Collect logs from S3 bucket, provide the bucket ARN, run the integration and make sure it works (or that you get some sort of ingest pipeline issue and not an agent/filebeat issue):

Then add the region and endpoint fields. If your bucket is in us-east-1 you'd set something like this in the region and endpoint fields.

region: us-east-1
endpoint: https://s3.us-east-1.amazonaws.com

works

Run the integration and make sure it works (or that you get some sort of ingest pipeline issue and not an Agent/Filebeat issue).

Next, set those two settings via the custom configurations block and make sure it still works.

Then to test the failure case, set region and endpoint to something wrong:

default_region: us-east-100
region: us-west-1
endpoint: https://sqs.us-east-1.amazonaws.com

[elastic_agent.filebeat][error] Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket: operation error S3: GetBucketLocation, https response error StatusCode: 400, RequestID: ...., api error AuthorizationHeaderMalformed: The authorization header is malformed; the region 'us-east-100' is wrong; expecting 'us-east-1'

Will be fixed in 8.14

region: us-east-100
endpoint: https://sqs.us-east-1.amazonaws.com

[elastic_agent.filebeat][error] Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket: operation error S3: GetBucketLocation, https response error StatusCode: 400, RequestID: QNX0GY2KEDD49X0J, HostID: 4BlyLvpZI4e27YByy870Sj9BD/AuTeWDpSJ0CmbXEReTzMt4ge1UJPB59PH1Ix8ZDtZqxVWjYAg=, api error AuthorizationHeaderMalformed: The authorization header is malformed; the region 'us-east-100' is wrong; expecting 'us-east-1'

region: us-east-1
endpoint: https://sqs.us-east-100.amazonaws.com

 Input 'aws-s3' failed with: failed to initialize s3 poller: failed to get AWS region for bucket: operation error S3: GetBucketLocation, https response error StatusCode: 0, RequestID: , HostID: , request send failed, Get "https://billeaston-sqs-bucket.s3.us-east-100.amazonaws.com/?location=": dial tcp: lookup billeaston-sqs-bucket.s3.us-east-100.amazonaws.com on 127.0.0.11:53: no such host

region: us-potato-1
endpoint: https://sqs.us-east-1.amazonaws.com

*no error, but should error, fixed in 8.14+*

region: us-potato-1
endpoint: https://weaston.org

And ensure it stops working.

[strawgate]

I performed the testing as described in the above issue. Is there any additional testing anyone wants before this gets merged?

[kpollich]

I'm satisfied with the level of testing here now. I just need codeowner review from @elastic/obs-infraobs-integrations. @lalit-satapathy can you help with landing this?