[Cloudflare Logpush] Add SSL configuration to aws-s3 input

[kcreddy]

The Cloudflare Logpush integration does not expose ssl configuration for the aws-s3 input type. The http_endpoint input already has it (manifest line 71), but the aws-s3 input does not.

The underlying Filebeat aws-s3 input supports SSL via awscommon.ConfigAWS (TLS *tlscommon.Config, config key ssl), and several other integrations already expose it for their aws-s3 inputs — netskope, github, amazon_security_lake, servicenow, canva, imperva_cloud_waf, sublime_security, and symantec_endpoint_security.

Without this, there is no way to configure custom certificate authorities or other TLS settings for the aws-s3 input through Fleet.

Proposed change

1. Add an ssl variable (type: yaml) to the aws-s3 input in packages/cloudflare_logpush/manifest.yml, following the pattern in packages/netskope/manifest.yml (lines 139-145):

   - name: ssl
     type: yaml
     title: SSL Configuration
     description: >-
       SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config)
       for details.
     multi: false
     required: false
     show_user: false
     default: |
       #certificate_authorities:
       #  - /path/to/custom-ca.crt

2. Add {{#if ssl}}ssl: {{ssl}}{{/if}} to all 21 data_stream/*/agent/stream/aws-s3.yml.hbs templates, matching
   the pattern in packages/netskope/data_stream/alerts_events_v2/agent/stream/aws-s3.yml.hbs.

References

• packages/netskope/manifest.yml lines 139-145 — existing example
• x-pack/libbeat/common/aws/credentials.go line 46 — Beats code
  that reads the ssl config

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[github-actions]

tl;dr: This issue is valid and not yet fixed — cloudflare_logpush exposes ssl for http_endpoint but not for aws-s3, and none of the 21 Cloudflare aws-s3 stream templates currently render ssl.

Recommendation

Implement the proposed change: add an ssl var to the aws-s3 policy template in packages/cloudflare_logpush/manifest.yml, then add {{#if ssl}}ssl: {{ssl}}{{/if}} to all Cloudflare aws-s3 stream templates (21 files), and update policy expected fixtures.

Findings

• packages/cloudflare_logpush/manifest.yml:71 defines ssl under http_endpoint.
• packages/cloudflare_logpush/manifest.yml:100 starts the aws-s3 input vars block; this block includes endpoint (:182), region (:190), default_region (:198), proxy_url (:214), but no ssl var.
• Representative aws-s3 template (packages/cloudflare_logpush/data_stream/audit/agent/stream/aws-s3.yml.hbs) renders endpoint/region/default_region/proxy_url at :113-127 and does not render ssl.
• Related precedent in other integrations:
  • packages/netskope/manifest.yml:139-146 (ssl var for aws-s3)
  • packages/netskope/data_stream/alerts_events_v2/agent/stream/aws-s3.yml.hbs:71-73 (renders ssl)
  • packages/github/data_stream/audit/agent/stream/aws-s3.yml.hbs:67-68 (renders ssl)
• Recent related Cloudflare work:
  • PR #18278 added region to all Cloudflare aws-s3 templates (same rollout shape), but did not add ssl.
  • PR #18386 / issue #18307 were docs follow-up for region behavior, not ssl support.

Verification

I ran local checks in the repo:

$ find packages/cloudflare_logpush/data_stream -path '*/agent/stream/aws-s3.yml.hbs' | wc -l
21

$ grep -R -n -E '\{\{#if ssl\}\}|ssl: \{\{ssl\}\}' packages/cloudflare_logpush/data_stream/*/agent/stream/aws-s3.yml.hbs | wc -l
0

$ grep -R -n -E '^\s+ssl:' packages/cloudflare_logpush/data_stream/*/_dev/test/policy/test-aws-s3.expected | wc -l
0

Detailed Action Plan

1. Update packages/cloudflare_logpush/manifest.yml in the policy_templates[].inputs[type=aws-s3].vars block to add:
   • name: ssl
   • type: yaml
   • same title/description/default pattern used by existing aws-s3 integrations (e.g., netskope).
2. Update all Cloudflare aws-s3 stream templates:
   • packages/cloudflare_logpush/data_stream/*/agent/stream/aws-s3.yml.hbs
   • add:

     {{#if ssl}}
     ssl: {{ssl}}
     {{/if}}

   • place near existing network options (after proxy_url is consistent with other integrations).
3. Update all expected policy fixtures:
   • packages/cloudflare_logpush/data_stream/*/_dev/test/policy/test-aws-s3.expected
   • include rendered ssl output as produced by template rendering.
4. Run policy/package tests for cloudflare_logpush and confirm expected fixtures match rendered config.

Related Items

Type	Link	Relevance
PR	#18278	Added region across 21 Cloudflare aws-s3 templates; similar multi-file pattern
PR	#18386	Docs-only follow-up for region requirement
Issue	#18307	Region docs drift issue, already closed
PR	#16688	Prior Cloudflare aws-s3 enhancement (dedup), not ssl
File	packages/cloudflare_logpush/manifest.yml	Source of missing aws-s3 ssl var
File	packages/cloudflare_logpush/data_stream/*/agent/stream/aws-s3.yml.hbs	21 templates missing ssl rendering
File	packages/netskope/manifest.yml	Good reference for aws-s3 ssl var shape

Note

🔒 Integrity filter blocked 66 items

The following items were blocked because they don't meet the GitHub integrity level.

• #18588 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [Cloudflare Logpush] Add SSL configuration to aws-s3 input #18588 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #18588 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #18483 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #18453 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #18197 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #18139 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #18279 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #8439 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #17790 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #17582 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #17509 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #17081 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #17510 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #17594 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• #17388 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• ... and 50 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: Issue Triage

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.