[aws] Bump package-spec version to 3.3.1 #11893
Conversation
|
/test |
zmoog
added
the
Team:obs-ds-hosted-services
|
|
There's a pipeline test that's failing: $ elastic-package test pipeline -v -g -d waf
2024/11/27 15:31:26 DEBUG Enable verbose logging
2024/11/27 15:31:26 DEBUG latest version (cached): v0.107.2. Download from: https://github.com/elastic/elastic-package/releases/tag/v0.107.2 (Timestamp 2024-11-27 15:05:35.306206 +0100 CET)
Run pipeline tests for the package
2024/11/27 15:31:26 DEBUG output command: /usr/local/bin/docker ps -a --filter label=com.docker.compose.project=elastic-package-stack --format {{.ID}}
2024/11/27 15:31:26 DEBUG output command: /usr/local/bin/docker inspect 26d10450efc2 c938e8167ef5 4e302d384676 25399154b62d 1bd06f0e5097 6b4172b6d166 8cde670d589a a6f8b175f74e e3d933ab0fe4 c7175d8cb22c
2024/11/27 15:31:26 DEBUG Connecting with Elasticsearch host from current profile (profile: default, host: "https://127.0.0.1:9200")
2024/11/27 15:31:26 DEBUG Running tests sequentially
2024/11/27 15:31:27 DEBUG Imported ECS fields definition from external schema for validation (embedded in package: false, stack uses ecs@mappings template: true)
2024/11/27 15:31:27 DEBUG Dump Elastic stack data
2024/11/27 15:31:27 DEBUG Dump stack logs (location: )
2024/11/27 15:31:27 DEBUG output command: /usr/local/bin/docker ps -a --filter label=com.docker.compose.project=elastic-package-stack --format {{.ID}}
2024/11/27 15:31:27 DEBUG output command: /usr/local/bin/docker inspect 26d10450efc2 c938e8167ef5 4e302d384676 25399154b62d 1bd06f0e5097 6b4172b6d166 8cde670d589a a6f8b175f74e e3d933ab0fe4 c7175d8cb22c
2024/11/27 15:31:27 DEBUG Dump stack logs for elasticsearch
2024/11/27 15:31:27 DEBUG running command: /usr/local/bin/docker compose version --short
2024/11/27 15:31:27 DEBUG Determined Docker Compose version: 2.29.7-desktop.1
2024/11/27 15:31:27 DEBUG running command: /usr/local/bin/docker compose -f /Users/zmoog/.elastic-package/profiles/default/stack/docker-compose.yml -p elastic-package-stack logs --since 2024-11-27T14:31:26Z elasticsearch
--- Test results for package: aws - START ---
FAILURE DETAILS:
aws/waf test-waf.log:
[0] parsing field value failed: [0] field "aws.waf.non_terminating_matching_rules.action" is undefined
[1] field "aws.waf.non_terminating_matching_rules.ruleId" is undefined
[2] field "aws.waf.non_terminating_matching_rules.ruleMatchDetails" is used as array of objects, expected explicit definition with type group or nested
[1] parsing field value failed: [0] field "aws.waf.rule_group_list.terminatingRule.ruleId" is undefined
[1] field "aws.waf.rule_group_list.terminatingRule.action" is undefined
[2] field "aws.waf.rule_group_list.nonTerminatingMatchingRules" is used as array of objects, expected explicit definition with type group or nested
[3] field "aws.waf.rule_group_list.ruleGroupId" is undefined
[2] parsing field value failed: [0] field "aws.waf.terminating_rule_match_details.conditionType" is undefined
[1] field "aws.waf.terminating_rule_match_details.location" is undefined
[2] field "aws.waf.terminating_rule_match_details.matchedData" is undefined
[3] parsing field value failed: [0] field "aws.waf.terminating_rule_match_details.matchedData" is undefined
[1] field "aws.waf.terminating_rule_match_details.conditionType" is undefined
[2] field "aws.waf.terminating_rule_match_details.location" is undefined
╭─────────┬─────────────┬───────────┬─────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼─────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────────┼──────────────┤
│ aws │ waf │ pipeline │ (ingest pipeline warnings test-waf.log) │ PASS │ 533.444292ms │
│ aws │ waf │ pipeline │ test-waf.log │ FAIL: test case failed: one or more problems with fields found in documents │ 150.739417ms │
╰─────────┴─────────────┴───────────┴─────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────┴──────────────╯
--- Test results for package: aws - END ---
Done
Error: one or more test cases failedThe |
|
Yes, it's related to package-spec 3.3.0, probably there are new validation rules. |
|
Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as |
zmoog
force-pushed
the
zmoog/aws-package-spec-3.3.0
branch
from
c2be1b3 to
223ced5
Compare
zmoog
changed the title
|
Starting from package-spec version 3.0.1, I get the following validation errors on nested fields:
The 3.0.1 changelog doesn’t seem to mention changes related to this type |
package-spec 3.0.1+ requires explicit subfields definition
🚀 Benchmarks reportPackage
|
| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
securityhub_insights |
942.51 | 798.08 | -144.43 (-15.32%) | 💔 |
To see the full report comment with /test benchmark fullreport
💚 Build Succeeded
History
cc @zmoog |
|
The |
andrewkroh
added
the
Team:Security-Service Integrations
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
| - remove: | ||
| field: message | ||
| ignore_missing: true | ||
| if: 'ctx.event?.original != null' | ||
| description: 'The `message` field is no longer required if the document has an `event.original` field.' |
There was a problem hiding this comment.
The logic of the rename processor above and the added remove processor is not straightforward to read. It looks like they may influence each other (but they don't):
Rename message to event.original (if we only have message).
Remove message (if we have both message and event.original, which is only true if both were present in the pipeline input).
I think it's slightly better if the remove is before the rename:
Remove message (if we have both message and event.original)
Rename message to event.original (if we only have message)
| @@ -77,13 +77,27 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | |||
| | aws.s3.object.key | The AWS S3 Object key. | keyword | | |||
| | aws.waf.arn | AWS ARN of ACL | keyword | | |||
| | aws.waf.id | ID of ACL | keyword | | |||
| | aws.waf.non_terminating_matching_rules | The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match) | nested | | |||
| | aws.waf.non_terminating_matching_rules.action | | keyword | | |||
There was a problem hiding this comment.
Since it is a public documentation - we shouldn't leave those fields without description
https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html
wondering if it is maybe better to split version bump and waf PRs
Proposed commit message
Bump package-spec version to 3.3.1.
We want to get all the latest validations and features available from the latest package-spec version. Upgrading from package spec 3.0.0 to 3.3.1 required the following changes:
messagefield whenevent.originalis notnullnestedfields (see Relax validation of subobject leaves for flattened fields elastic-package#2090 more more)Checklist
changelog.ymlfile.I have verified that any added dashboard complies with Kibana's Dashboard good practicesRelated issues