Instead of blacklisting chars in the resource name for cloudformation…
… use whitelisting. (#10087) (#10120)

* Instead of blacklisting chars in the resource name for cloudformation
use whitelisting.

Only [a-zA-Z0-9] are permitted as resource name

Fixes: #9420
(cherry picked from commit 56c6857)
ph authored Jan 21, 2019
1 parent 0f6e918 commit fdbfb10
Showing 5 changed files with 20 additions and 13 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -41,6 +41,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
*Functionbeat*

- The CLI will now log CloudFormation Stack events. {issue}8912[8912]
- Correctly normalize Cloudformation resource name. {issue}10087[10087]

==== Bugfixes

21 changes: 11 additions & 10 deletions x-pack/functionbeat/provider/aws/cli_manager.go
Expand Up @@ -9,6 +9,7 @@ import (
"encoding/base64"
"errors"
"fmt"
"regexp"

"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/aws/external"
Expand All @@ -26,13 +27,13 @@ const (
// AWS lambda currently support go 1.x as a runtime.
runtime = "go1.x"
handlerName = "functionbeat"

// invalidChars for resource name
invalidChars = ":-/"
)

// AWSLambdaFunction add 'dependsOn' as a serializable parameters, for no good reason it's
// not supported.
// Chars for resource name anything else will be replaced.
var validChars = regexp.MustCompile("[^a-zA-Z0-9]")

// AWSLambdaFunction add 'dependsOn' as a serializable parameters, goformation doesn't currently
// serialize this field.
type AWSLambdaFunction struct {
*cloudformation.AWSLambdaFunction
DependsOn []string
Expand Down Expand Up @@ -71,7 +72,7 @@ func (c *CLIManager) template(function installer, name, codeLoc string) *cloudfo
lambdaConfig := function.LambdaConfig()

prefix := func(s string) string {
return "fnb" + name + s
return normalizeResourceName("fnb" + name + s)
}

// AWS variables references:.
Expand All @@ -86,7 +87,7 @@ func (c *CLIManager) template(function installer, name, codeLoc string) *cloudfo
// Create the roles for the lambda.
template := cloudformation.NewTemplate()
// doc: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
template.Resources["IAMRoleLambdaExecution"] = &cloudformation.AWSIAMRole{
template.Resources[prefix("")+"IAMRoleLambdaExecution"] = &cloudformation.AWSIAMRole{
AssumeRolePolicyDocument: map[string]interface{}{
"Statement": []interface{}{
map[string]interface{}{
Expand Down Expand Up @@ -149,14 +150,14 @@ func (c *CLIManager) template(function installer, name, codeLoc string) *cloudfo
},
DeadLetterConfig: dlc,
FunctionName: name,
Role: cloudformation.GetAtt("IAMRoleLambdaExecution", "Arn"),
Role: cloudformation.GetAtt(prefix("")+"IAMRoleLambdaExecution", "Arn"),
Runtime: runtime,
Handler: handlerName,
MemorySize: lambdaConfig.MemorySize.Megabytes(),
ReservedConcurrentExecutions: lambdaConfig.Concurrency,
Timeout: int(lambdaConfig.Timeout.Seconds()),
},
DependsOn: []string{"IAMRoleLambdaExecution"},
DependsOn: []string{prefix("") + "IAMRoleLambdaExecution"},
}

// Create the log group for the specific function lambda.
Expand Down Expand Up @@ -366,7 +367,7 @@ func mergeTemplate(to, from *cloudformation.Template) error {
}

func normalizeResourceName(s string) string {
return common.RemoveChars(s, invalidChars)
return validChars.ReplaceAllString(s, "")
}

func checksum(data []byte) string {
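Review bot: The pattern bound to `validChars` is `[^a-zA-Z0-9]`, which matches exactly the characters that are not valid, so the name and its comment read the wrong way round; `var invalidResourceChars = regexp.MustCompile("[^a-zA-Z0-9]")` with the comment `// invalidResourceChars matches every character outside [a-zA-Z0-9]; normalizeResourceName strips them.` would describe what the code does. In `template`, the role's logical ID `prefix("")+"IAMRoleLambdaExecution"` is now written out three times (the `Resources` key, `GetAtt` and `DependsOn`), and all three must stay identical for the references to resolve, so one local such as `roleRes := prefix("") + "IAMRoleLambdaExecution"` would be safer. Changing that logical ID presumably makes CloudFormation treat the role as a new resource when a stack created by the previous version is updated; that upgrade path is worth confirming. The body of `template` starts and ends outside the hunks shown.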
5 changes: 5 additions & 0 deletions x-pack/functionbeat/provider/aws/cli_manager_test.go
Expand Up @@ -59,6 +59,11 @@ func TestNormalize(t *testing.T) {
candidate: "hello",
expected: "hello",
},
{
title: "when the string contains underscore",
candidate: "/var/log-alpha/tmp:ok_moreok",
expected: "varlogalphatmpokmoreok",
},
}

for _, test := range tests {
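Review bot: The new case is titled "when the string contains underscore" although its candidate also exercises `/`, `-` and `:`, and the table still has no case for non-ASCII input or for a string made up only of stripped characters. Since the allow-list is `[a-zA-Z0-9]`, both are boundary inputs worth pinning; constructed examples would be `{title: "when the string has no valid character", candidate: "-_/:", expected: ""}` and `{title: "when the string contains non-ASCII letters", candidate: "héllo", expected: "hllo"}`. The test function's loop and assertions continue outside the hunk.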
4 changes: 2 additions & 2 deletions x-pack/functionbeat/provider/aws/cloudwatch_logs.go
Expand Up @@ -165,7 +165,7 @@ func (r *AWSLogsSubscriptionFilter) AWSCloudFormationType() string {
// Template returns the cloudformation template for configuring the service with the specified triggers.
func (c *CloudwatchLogs) Template() *cloudformation.Template {
prefix := func(suffix string) string {
return "fnb" + c.config.Name + suffix
return normalizeResourceName("fnb" + c.config.Name + suffix)
}

template := cloudformation.NewTemplate()
Expand Down Expand Up @@ -197,7 +197,7 @@ func (c *CloudwatchLogs) Template() *cloudformation.Template {
}

// doc: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-subscriptionfilter.html
template.Resources[prefix("SubscriptionFilter"+normalizeResourceName(string(trigger.LogGroupName)))] = &AWSLogsSubscriptionFilter{
template.Resources[prefix("SF")+normalizeResourceName(string(trigger.LogGroupName))] = &AWSLogsSubscriptionFilter{
DestinationArn: cloudformation.GetAtt(prefix(""), "Arn"),
FilterPattern: trigger.FilterPattern,
LogGroupName: string(trigger.LogGroupName),
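Review bot: `normalizeResourceName` is lossy, so the key built as `prefix("SF")+normalizeResourceName(string(trigger.LogGroupName))` can be identical for two different log groups (constructed example: `/var/log-a` and `/var/log_a` both reduce to `varloga`), and the plain assignment into `template.Resources` would then keep only the last trigger without reporting anything. Because `Template()` returns no error, one option is to make the key unique rather than detect the clash, for example by appending a short alphanumeric digest of the un-normalized log group name to the key. The same collapse applies to the configured name inside the `prefix` closures here, in `sqs.go` and in `cli_manager.go`: names that differ only in stripped characters yield the same logical IDs. The loop over triggers starts outside the hunk.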
2 changes: 1 addition & 1 deletion x-pack/functionbeat/provider/aws/sqs.go
Expand Up @@ -87,7 +87,7 @@ func (s *SQS) Template() *cloudformation.Template {
template := cloudformation.NewTemplate()

prefix := func(suffix string) string {
return "fnb" + s.config.Name + suffix
return normalizeResourceName("fnb" + s.config.Name + suffix)
}

for _, trigger := range s.config.Triggers {