Add Google Cloud Platform support (#13598)

This PR introduces the support for Google Cloud Platform to Functionbeat. This branch is located in the `elastic/beats` repository, so anyone on our team has access to it. 

### Manager

#### Authentication

To use the API to deploy, remove and update functions, users need to set the environment variable `GOOGLE_APPLICATION_CREDENTIALS`. This variable should point to a JSON file which contains all the relevant information for Google to authenticate.

(About authentication for GCP libs: https://cloud.google.com/docs/authentication/getting-started)

#### Required roles

* Cloud Functions Developer 
* Cloud Functions Service Agent
* Service Account User
* Storage Admin
* Storage Object Admin

Note: Cloud Functions Developer role is in beta. We should not make GCP support GA, until it becomes stable.

#### Configuration

```yaml
# Configure functions to run on Google Cloud Platform, currently, we assume that the credentials
# are present in the environment to correctly create the function when using the CLI.
#
# Configure which region your project is located in.
functionbeat.provider.gcp.location_id: "europe-west1"
# Configure which Google Cloud project to deploy your functions.
functionbeat.provider.gcp.project_id: "my-project-123456"
# Configure the Google Cloud Storage we should upload the function artifact.
functionbeat.provider.gcp.storage_name: "functionbeat-deploy"

functionbeat.provider.gcp.functions:
```

#### Export

Function templates can be exported into YAML. With this YAML configuration, users can deploy the function using the [Google Cloud Deployment Manager](https://cloud.google.com/deployment-manager/).

### New functions

#### Google Pub/Sub

A function under the folder `pkg/pubsub` is available to get events from Google Pub/Sub.

##### Configuration

```yaml
  # Define the list of function availables, each function required to have a unique name.
  # Create a function that accepts events coming from Google Pub/Sub.
  - name: pubsub
    enabled: false
    type: pubsub

    # Description of the method to help identify them when you run multiples functions.
    description: "Google Cloud Function for Pub/Sub"

    # The maximum memory allocated for this function, the configured size must be a factor of 64.
    # Default is 256MiB.
    #memory_size: 256MiB

    # Execution timeout in seconds. If the function does not finish in time,
    # it is considered failed and terminated. Default is 60s.
    #timeout: 60s

    # Email of the service account of the function. Defaults to {projectid}@appspot.gserviceaccount.com
    #service_account_email: {projectid}@appspot.gserviceaccount.com

    # Labels of the function.
    #labels:
    # mylabel: label

    # VPC Connector this function can connect to.
    # Format: projects/*/locations/*/connectors/* or fully-qualified URI
    #vpc_connector: ""

    # Number of maximum instances running at the same time. Default is unlimited.
    #maximum_instances: 0

    trigger:
      event_type: "providers/cloud.pubsub/eventTypes/topic.publish"
      resource: "projects/_/pubsub/myPubSub"
      #service: "pubsub.googleapis.com"

    # Optional fields that you can specify to add additional information to the
    # output. Fields can be scalar values, arrays, dictionaries, or any nested
    # combination of these.
    #fields:
    #  env: staging

    # Define custom processors for this function.
    #processors:
    #  - dissect:
    #      tokenizer: "%{key1} %{key2}"
```

#### Google Cloud Storage

A function under the folder pkg/storage is available to get events from Google Cloud Storage.

##### Configuration
```yaml
 # Create a function that accepts events coming from Google Cloud Storage.
 - name: storage
   enabled: false
   type: storage

   # Description of the method to help identify them when you run multiples functions.
   description: "Google Cloud Function for Cloud Storage"

   # The maximum memory allocated for this function, the configured size must be a factor of 64.
   # Default is 256MiB.
   #memory_size: 256MiB

   # Execution timeout in seconds. If the function does not finish in time,
   # it is considered failed and terminated. Default is 60s.
   #timeout: 60s

   # Email of the service account of the function. Defaults to {projectid}@appspot.gserviceaccount.com
   #service_account_email: {projectid}@appspot.gserviceaccount.com

   # Labels of the function.
   #labels:
   # mylabel: label

   # VPC Connector this function can connect to.
   # Format: projects/*/locations/*/connectors/* or fully-qualified URI
   #vpc_connector: ""

   # Number of maximum instances running at the same time. Default is unlimited.
   #maximum_instances: 0

   # Optional fields that you can specify to add additional information to the
   # output. Fields can be scalar values, arrays, dictionaries, or any nested
   # combination of these.
   #fields:
   #  env: staging

   # Define custom processors for this function.
   #processors:
   #  - dissect:
   #      tokenizer: "%{key1} %{key2}"
```

### Vendor
* `cloud.google.com/go/functions/metadata`
*  `cloud.google.com/go/storage`

CHANGELOG.next.asciidoc

@@ -616,6 +616,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Make `bulk_max_size` configurable in outputs. {pull}13493[13493]
 - Add `index` option to all functions to directly set a per-function index value. {issue}15064[15064] {pull}15101[15101]
 - Add monitoring info about triggered functions. {pull}14876[14876]
+- Add Google Cloud Platform support. {pull}13598[13598]
 
 *Winlogbeat*
 

dev-tools/mage/gotool/go.go

@@ -52,6 +52,13 @@ func ListPackages(pkgs ...string) ([]string, error) {
 	return getLines(callGo(nil, "list", pkgs...))
 }
 
+// ListDeps calls `go list -dep` for every package spec given.
+func ListDeps(pkg string) ([]string, error) {
+	const tmpl = `{{if not .Standard}}{{.ImportPath}}{{end}}`
+
+	return getLines(callGo(nil, "list", "-deps", "-f", tmpl, pkg))
+}
+
 // ListTestFiles lists all go and cgo test files available in a package.
 func ListTestFiles(pkg string) ([]string, error) {
 	const tmpl = `{{ range .TestGoFiles }}{{ printf "%s\n" . }}{{ end }}` +

libbeat/common/transport/tlscommon/tls_test.go

@@ -131,8 +131,8 @@ func TestApplyEmptyConfig(t *testing.T) {
 	}
 
 	cfg := tmp.BuildModuleConfig("")
-	assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
-	assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
+	assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
+	assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
 	assert.Len(t, cfg.Certificates, 0)
 	assert.Nil(t, cfg.RootCAs)
 	assert.Equal(t, false, cfg.InsecureSkipVerify)
@@ -163,8 +163,8 @@ func TestApplyWithConfig(t *testing.T) {
 	assert.NotNil(t, cfg.RootCAs)
 	assert.Equal(t, true, cfg.InsecureSkipVerify)
 	assert.Len(t, cfg.CipherSuites, 2)
-	assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
-	assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
+	assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
+	assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
 	assert.Len(t, cfg.CurvePreferences, 1)
 	assert.Equal(t, tls.RenegotiateOnceAsClient, cfg.Renegotiation)
 }
@@ -188,8 +188,8 @@ func TestServerConfigDefaults(t *testing.T) {
 		assert.Len(t, cfg.CurvePreferences, 0)
 		// values set by default
 		assert.Equal(t, false, cfg.InsecureSkipVerify)
-		assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
-		assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
+		assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
+		assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
 		assert.Equal(t, tls.NoClientCert, cfg.ClientAuth)
 	})
 	t.Run("when CA is explicitly set", func(t *testing.T) {
@@ -214,8 +214,8 @@ func TestServerConfigDefaults(t *testing.T) {
 		assert.Len(t, cfg.CurvePreferences, 0)
 		// values set by default
 		assert.Equal(t, false, cfg.InsecureSkipVerify)
-		assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
-		assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
+		assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
+		assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
 		assert.Equal(t, tls.RequireAndVerifyClientCert, cfg.ClientAuth)
 	})
 }
@@ -227,14 +227,17 @@ func TestApplyWithServerConfig(t *testing.T) {
     certificate_authorities: [ca_test.pem]
     verification_mode: none
     client_authentication: optional
-    supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
     cipher_suites:
       - "ECDHE-ECDSA-AES-256-CBC-SHA"
       - "ECDHE-ECDSA-AES-256-GCM-SHA384"
     curve_types: [P-384]
   `
 	var c ServerConfig
 	config, err := common.NewConfigWithYAML([]byte(yamlStr), "")
+	for i, ver := range TLSDefaultVersions {
+		config.SetString("supported_protocols", i, ver.String())
+	}
+
 	if !assert.NoError(t, err) {
 		return
 	}
@@ -254,8 +257,8 @@ func TestApplyWithServerConfig(t *testing.T) {
 	assert.NotNil(t, cfg.ClientCAs)
 	assert.Equal(t, true, cfg.InsecureSkipVerify)
 	assert.Len(t, cfg.CipherSuites, 2)
-	assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
-	assert.Equal(t, int(tls.VersionTLS13), int(cfg.MaxVersion))
+	assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion))
+	assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion))
 	assert.Len(t, cfg.CurvePreferences, 1)
 	assert.Equal(t, tls.VerifyClientCertIfGiven, cfg.ClientAuth)
 }

libbeat/common/transport/tlscommon/types.go

@@ -99,25 +99,6 @@ var tlsRenegotiationSupportTypes = map[string]tlsRenegotiationSupport{
 	"freely": tlsRenegotiationSupport(tls.RenegotiateFreelyAsClient),
 }
 
-// TLSVersion type for TLS version.
-type TLSVersion uint16
-
-// Define all the possible TLS version.
-const (
-	TLSVersionSSL30 TLSVersion = tls.VersionSSL30
-	TLSVersion10    TLSVersion = tls.VersionTLS10
-	TLSVersion11    TLSVersion = tls.VersionTLS11
-	TLSVersion12    TLSVersion = tls.VersionTLS12
-	TLSVersion13    TLSVersion = tls.VersionTLS13
-)
-
-// TLSDefaultVersions list of versions of TLS we should support.
-var TLSDefaultVersions = []TLSVersion{
-	TLSVersion11,
-	TLSVersion12,
-	TLSVersion13,
-}
-
 type tlsClientAuth int
 
 const (
@@ -132,24 +113,6 @@ var tlsClientAuthTypes = map[string]tlsClientAuth{
 	"required": tlsClientAuthRequired,
 }
 
-var tlsProtocolVersions = map[string]TLSVersion{
-	"SSLv3":   TLSVersionSSL30,
-	"SSLv3.0": TLSVersionSSL30,
-	"TLSv1":   TLSVersion10,
-	"TLSv1.0": TLSVersion10,
-	"TLSv1.1": TLSVersion11,
-	"TLSv1.2": TLSVersion12,
-	"TLSv1.3": TLSVersion13,
-}
-
-var tlsProtocolVersionsInverse = map[TLSVersion]string{
-	TLSVersionSSL30: "SSLv3",
-	TLSVersion10:    "TLSv1.0",
-	TLSVersion11:    "TLSv1.1",
-	TLSVersion12:    "TLSv1.2",
-	TLSVersion13:    "TLSv1.3",
-}
-
 // TLSVerificationMode represents the type of verification to do on the remote host,
 // `none` or `full` and we default to `full`, internally this option is transformed into the
 // `insecure` field in the `tls.Config` struct.
@@ -166,24 +129,6 @@ const (
 	// VerifyCertificate
 )
 
-func (v TLSVersion) String() string {
-	if s, ok := tlsProtocolVersionsInverse[v]; ok {
-		return s
-	}
-	return "unknown"
-}
-
-//Unpack transforms the string into a constant.
-func (v *TLSVersion) Unpack(s string) error {
-	version, found := tlsProtocolVersions[s]
-	if !found {
-		return fmt.Errorf("invalid tls version '%v'", s)
-	}
-
-	*v = version
-	return nil
-}
-
 var tlsVerificationModes = map[string]TLSVerificationMode{
 	"":     VerifyFull,
 	"full": VerifyFull,

libbeat/common/transport/tlscommon/versions.go

@@ -0,0 +1,41 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package tlscommon
+
+import "fmt"
+
+// TLSVersion type for TLS version.
+type TLSVersion uint16
+
+func (v TLSVersion) String() string {
+	if s, ok := tlsProtocolVersionsInverse[v]; ok {
+		return s
+	}
+	return "unknown"
+}
+
+//Unpack transforms the string into a constant.
+func (v *TLSVersion) Unpack(s string) error {
+	version, found := tlsProtocolVersions[s]
+	if !found {
+		return fmt.Errorf("invalid tls version '%v'", s)
+	}
+
+	*v = version
+	return nil
+}

libbeat/common/transport/tlscommon/versions_default.go

@@ -0,0 +1,70 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build go1.13
+
+package tlscommon
+
+import "crypto/tls"
+
+// Define all the possible TLS version.
+const (
+	TLSVersionSSL30 TLSVersion = tls.VersionSSL30
+	TLSVersion10    TLSVersion = tls.VersionTLS10
+	TLSVersion11    TLSVersion = tls.VersionTLS11
+	TLSVersion12    TLSVersion = tls.VersionTLS12
+	TLSVersion13    TLSVersion = tls.VersionTLS13
+
+	// TLSVersionMin is the min TLS version supported.
+	TLSVersionMin = TLSVersionSSL30
+
+	// TLSVersionMax is the max TLS version supported.
+	TLSVersionMax = TLSVersion13
+
+	// TLSVersionDefaultMin is the minimal default TLS version that is
+	// enabled by default. TLSVersionDefaultMin is >= TLSVersionMin
+	TLSVersionDefaultMin = TLSVersion11
+
+	// TLSVersionDefaultMax is the max default TLS version that
+	// is enabled by default.
+	TLSVersionDefaultMax = TLSVersionMax
+)
+
+// TLSDefaultVersions list of versions of TLS we should support.
+var TLSDefaultVersions = []TLSVersion{
+	TLSVersion11,
+	TLSVersion12,
+	TLSVersion13,
+}
+
+var tlsProtocolVersions = map[string]TLSVersion{
+	"SSLv3":   TLSVersionSSL30,
+	"SSLv3.0": TLSVersionSSL30,
+	"TLSv1":   TLSVersion10,
+	"TLSv1.0": TLSVersion10,
+	"TLSv1.1": TLSVersion11,
+	"TLSv1.2": TLSVersion12,
+	"TLSv1.3": TLSVersion13,
+}
+
+var tlsProtocolVersionsInverse = map[TLSVersion]string{
+	TLSVersionSSL30: "SSLv3",
+	TLSVersion10:    "TLSv1.0",
+	TLSVersion11:    "TLSv1.1",
+	TLSVersion12:    "TLSv1.2",
+	TLSVersion13:    "TLSv1.3",
+}

libbeat/common/transport/tlscommon/versions_legacy.go

@@ -0,0 +1,66 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build !go1.13
+
+package tlscommon
+
+import "crypto/tls"
+
+const (
+	TLSVersionSSL30 TLSVersion = tls.VersionSSL30
+	TLSVersion10    TLSVersion = tls.VersionTLS10
+	TLSVersion11    TLSVersion = tls.VersionTLS11
+	TLSVersion12    TLSVersion = tls.VersionTLS12
+
+	// TLSVersionMin is the min TLS version supported.
+	TLSVersionMin = TLSVersionSSL30
+
+	// TLSVersionMax is the max TLS version supported.
+	TLSVersionMax = TLSVersion12
+
+	// TLSVersionDefaultMin is the minimal default TLS version that is
+	// enabled by default. TLSVersionDefaultMin is >= TLSVersionMin
+	TLSVersionDefaultMin = TLSVersion10
+
+	// TLSVersionDefaultMax is the max default TLS version that
+	// is enabled by default.
+	TLSVersionDefaultMax = TLSVersionMax
+)
+
+// TLSDefaultVersions list of versions of TLS we should support.
+var TLSDefaultVersions = []TLSVersion{
+	TLSVersion10,
+	TLSVersion11,
+	TLSVersion12,
+}
+
+var tlsProtocolVersions = map[string]TLSVersion{
+	"SSLv3":   TLSVersionSSL30,
+	"SSLv3.0": TLSVersionSSL30,
+	"TLSv1":   TLSVersion10,
+	"TLSv1.0": TLSVersion10,
+	"TLSv1.1": TLSVersion11,
+	"TLSv1.2": TLSVersion12,
+}
+
+var tlsProtocolVersionsInverse = map[TLSVersion]string{
+	TLSVersionSSL30: "SSLv3",
+	TLSVersion10:    "TLSv1.0",
+	TLSVersion11:    "TLSv1.1",
+	TLSVersion12:    "TLSv1.2",
+}

libbeat/outputs/transport/tls.go

@@ -35,20 +35,6 @@ type TLSConfig = tlscommon.TLSConfig
 // TLSVersion type for TLS version.
 type TLSVersion = tlscommon.TLSVersion
 
-// Define all the possible TLS version.
-const (
-	TLSVersionSSL30 = tlscommon.TLSVersionSSL30
-	TLSVersion10    = tlscommon.TLSVersion10
-	TLSVersion11    = tlscommon.TLSVersion11
-	TLSVersion12    = tlscommon.TLSVersion12
-)
-
-// Constants of the supported verification mode.
-const (
-	VerifyFull = tlscommon.VerifyFull
-	VerifyNone = tlscommon.VerifyNone
-)
-
 func TLSDialer(forward Dialer, config *TLSConfig, timeout time.Duration) (Dialer, error) {
 	return TestTLSDialer(testing.NullDriver, forward, config, timeout)
 }