Pass a value of refresh_credentials_interval as duration_seconds

Signed-off-by: Hiroshi Hatake <hatake@calyptia.com>
fluent · Sep 1, 2022 · a8c825c · a8c825c
1 parent f364806
commit a8c825c
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/lib/fluent/plugin/out_opensearch.rb b/lib/fluent/plugin/out_opensearch.rb
@@ -93,6 +93,7 @@ def initialize(retry_stream)
     DEFAULT_RELOAD_AFTER = -1
     DEFAULT_TARGET_BULK_BYTES = -1
     DEFAULT_POLICY_ID = "logstash-policy"
+    DEFAULT_DURATION = "5h"
 
     config_param :host, :string,  :default => 'localhost'
     config_param :port, :integer, :default => 9200
@@ -194,7 +195,7 @@ def initialize(retry_stream)
       config_param :assume_role_session_name, :string, :default => "fluentd"
       config_param :assume_role_web_identity_token_file, :string, :default => nil
       config_param :sts_credentials_region, :string, :default => nil
-      config_param :refresh_credentials_interval, :time, :default => "5h"
+      config_param :refresh_credentials_interval, :time, :default => DEFAULT_DURATION
     end
 
     config_section :buffer do
@@ -209,6 +210,8 @@ def initialize(retry_stream)
 
     def initialize
       super
+
+      @duration_seconds = Fluent::Config.time_value(DEFAULT_DURATION)
     end
 
     ######################################################################################################
@@ -236,13 +239,15 @@ def aws_credentials(conf)
             credentials = Aws::AssumeRoleCredentials.new({
                             role_arn: conf[:assume_role_arn],
                             role_session_name: conf[:assume_role_session_name],
-                            region: sts_creds_region(conf)
+                            region: sts_creds_region(conf),
+                            duration_seconds: @duration_seconds
                           }).credentials
           else
             credentials = Aws::AssumeRoleWebIdentityCredentials.new({
                             role_arn: conf[:assume_role_arn],
                             web_identity_token_file: conf[:assume_role_web_identity_token_file],
-                            region: sts_creds_region(conf)
+                            region: sts_creds_region(conf),
+                            duration_seconds: @duration_seconds
                           }).credentials
           end
         end
@@ -343,6 +348,17 @@ class << self
         @_aws_credentials = aws_credentials(@endpoint)
 
         if @endpoint.refresh_credentials_interval
+          @duration_seconds = Fluent::Config.time_value(@endpoint.refresh_credentials_interval)
+          # 60 * 60 * 12 = 12 hours
+          if @duration_seconds > 43200
+            raise Fluent::ConfigError, "Maxiumum duration is 12 hours."
+          end
+
+          # 60 * 15 = 15 minutes
+          if @duration_seconds < 900
+            raise Fluent::ConfigError, "Minimum duration is 15 minutes."
+          end
+
           timer_execute(:out_opensearch_expire_credentials, @endpoint.refresh_credentials_interval) do
             log.debug('Recreate the AWS credentials')