Adding secret token for Splunk log driver
upparekh committed Jul 8, 2021
1 parent 2a0c9f9 commit fd5cbb3
Showing 2 changed files with 129 additions and 17 deletions.
48 changes: 31 additions & 17 deletions packages/@aws-cdk/aws-ecs/lib/log-drivers/splunk-log-driver.ts
@@ -1,8 +1,8 @@
import { SecretValue } from '@aws-cdk/core';
import { ContainerDefinition } from '../container-definition';
import { ContainerDefinition, Secret } from '../container-definition';
import { BaseLogDriverProps } from './base-log-driver';
import { LogDriver, LogDriverConfig } from './log-driver';
import { ensureInRange, renderCommonLogDriverOptions, stringifyOptions } from './utils';
import { ensureInRange, renderCommonLogDriverOptions, renderLogDriverSecretOptions, stringifyOptions } from './utils';

// v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch.
// eslint-disable-next-line
Expand All @@ -25,9 +25,16 @@ export enum SplunkLogFormat {
export interface SplunkLogDriverProps extends BaseLogDriverProps {
/**
* Splunk HTTP Event Collector token.
* @deprecated Use `secretToken` instead.
*/
readonly token: SecretValue;

/**
* Splunk HTTP Event Collector token (Secret).
* @default - Secret token not provided.
*/
readonly secretToken?: Secret;

/**
* Path to your Splunk Enterprise, self-service Splunk Cloud instance, or Splunk
* Cloud managed cluster (including port and scheme used by HTTP Event Collector)
Expand Down Expand Up @@ -130,23 +137,30 @@ export class SplunkLogDriver extends LogDriver {
* Called when the log driver is configured on a container
*/
public bind(_scope: CoreConstruct, _containerDefinition: ContainerDefinition): LogDriverConfig {
const options = stringifyOptions({
'splunk-token': this.props.token,
'splunk-url': this.props.url,
'splunk-source': this.props.source,
'splunk-sourcetype': this.props.sourceType,
'splunk-index': this.props.index,
'splunk-capath': this.props.caPath,
'splunk-caname': this.props.caName,
'splunk-insecureskipverify': this.props.insecureSkipVerify,
'splunk-format': this.props.format,
'splunk-verify-connection': this.props.verifyConnection,
'splunk-gzip': this.props.gzip,
'splunk-gzip-level': this.props.gzipLevel,
...renderCommonLogDriverOptions(this.props),
});

if (this.props.secretToken) {
delete options['splunk-token'];
}

return {
logDriver: 'splunk',
options: stringifyOptions({
'splunk-token': this.props.token,
'splunk-url': this.props.url,
'splunk-source': this.props.source,
'splunk-sourcetype': this.props.sourceType,
'splunk-index': this.props.index,
'splunk-capath': this.props.caPath,
'splunk-caname': this.props.caName,
'splunk-insecureskipverify': this.props.insecureSkipVerify,
'splunk-format': this.props.format,
'splunk-verify-connection': this.props.verifyConnection,
'splunk-gzip': this.props.gzip,
'splunk-gzip-level': this.props.gzipLevel,
...renderCommonLogDriverOptions(this.props),
}),
options,
secretOptions: this.props.secretToken && renderLogDriverSecretOptions({ 'splunk-token': this.props.secretToken }, _containerDefinition.taskDefinition),
};
}
}
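Review bot: `token` stays a required property of `SplunkLogDriverProps` even though it is now marked `@deprecated`, so a caller who moves to `secretToken` must still supply a `SecretValue` that `bind()` then deletes from `options`. When only `token` is given it still travels in the plain `options` map rather than `secretOptions`, so it is presumably rendered into the task definition's log configuration, which is the exposure `secretToken` is meant to close. Consider declaring `readonly token?: SecretValue;` and rejecting the case where neither is set, e.g. `if (!this.props.token && !this.props.secretToken) { throw new Error('Please provide either token or secretToken.'); }` at the top of `bind()` or in the constructor, which lies outside this hunk. `bind()` could then add `'splunk-token'` to the options literal only when `secretToken` is absent, instead of using `delete` after `stringifyOptions`.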
98 changes: 98 additions & 0 deletions packages/@aws-cdk/aws-ecs/test/splunk-log-driver.test.ts
@@ -1,5 +1,7 @@
import { expect, haveResourceLike } from '@aws-cdk/assert-internal';
import * as cdk from '@aws-cdk/core';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
import * as ssm from '@aws-cdk/aws-ssm';
import { nodeunitShim, Test } from 'nodeunit-shim';
import * as ecs from '../lib';

Expand Down Expand Up @@ -103,4 +105,100 @@ nodeunitShim({

test.done();
},

'create a splunk log driver using secret splunk token from secrets manager'(test: Test) {
const secret = new secretsmanager.Secret(stack, 'Secret');
// WHEN
td.addContainer('Container', {
image,
logging: ecs.LogDrivers.splunk({
token: cdk.SecretValue.secretsManager('my-splunk-token'),
secretToken: ecs.Secret.fromSecretsManager(secret),
url: 'my-splunk-url',
}),
memoryLimitMiB: 128,
});

// THEN
expect(stack).to(haveResourceLike('AWS::ECS::TaskDefinition', {
ContainerDefinitions: [
{
LogConfiguration: {
LogDriver: 'splunk',
Options: {
'splunk-url': 'my-splunk-url',
},
SecretOptions: [
{
Name: 'splunk-token',
ValueFrom: {
Ref: 'SecretA720EF05',
},
},
],
},
},
],
}));

test.done();
},

'create a splunk log driver using secret splunk token from systems manager parameter store'(test: Test) {
const parameter = ssm.StringParameter.fromSecureStringParameterAttributes(stack, 'Parameter', {
parameterName: '/token',
version: 1,
});
// WHEN
td.addContainer('Container', {
image,
logging: ecs.LogDrivers.splunk({
token: cdk.SecretValue.secretsManager('my-splunk-token'),
secretToken: ecs.Secret.fromSsmParameter(parameter),
url: 'my-splunk-url',
}),
memoryLimitMiB: 128,
});

// THEN
expect(stack).to(haveResourceLike('AWS::ECS::TaskDefinition', {
ContainerDefinitions: [
{
LogConfiguration: {
LogDriver: 'splunk',
Options: {
'splunk-url': 'my-splunk-url',
},
SecretOptions: [
{
Name: 'splunk-token',
ValueFrom: {
'Fn::Join': [
'',
[
'arn:',
{
Ref: 'AWS::Partition',
},
':ssm:',
{
Ref: 'AWS::Region',
},
':',
{
Ref: 'AWS::AccountId',
},
':parameter/token',
],
],
},
},
],
},
},
],
}));

test.done();
},
});
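Review bot: Neither new test proves that the plain `splunk-token` is removed from `Options` when `secretToken` is set, which is the security-relevant behaviour of this commit. Both assert with `haveResourceLike`, which as far as I know accepts extra keys inside nested objects, so `Options: { 'splunk-url': 'my-splunk-url' }` would still match if the token were left in. Add an explicit negative check, for example `'splunk-token': ABSENT` in the expected `Options` if the assert library honours it at that depth, or inspect the synthesized template directly. Both tests also pass `token` alongside `secretToken`, so there is no case showing what happens when only one of them is given; `stack`, `td` and `image` are set up outside the hunk.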
