diff --git a/changelog/fragments/1770690643-add-verifierreceiver.yaml b/changelog/fragments/1770690643-add-verifierreceiver.yaml new file mode 100644 index 00000000000..d1706618d97 --- /dev/null +++ b/changelog/fragments/1770690643-add-verifierreceiver.yaml @@ -0,0 +1,35 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user's deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: feature + +# Change summary; a 80ish characters long description of the change. +summary: Add verifierreceiver for cloud integration permission verification + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +description: | + Add verifierreceiver to EDOT collector. This receiver verifies integration + permissions (Cloud Connector integrations) and emits structured logs + with permission verification results. + +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc. +component: "elastic-agent" + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +#pr: https://github.com/elastic/elastic-agent/pull/XXXX + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/elastic/opentelemetry-dev/issues/XXX diff --git a/docs/reference/edot-collector/component-docs.yml b/docs/reference/edot-collector/component-docs.yml index c13410369b1..6f2590e2925 100644 --- a/docs/reference/edot-collector/component-docs.yml +++ b/docs/reference/edot-collector/component-docs.yml @@ -13,6 +13,10 @@ components: doc_path: "/reference/edot-collector/components/elasticapmintakereceiver.md" title: "Elastic APM intake receiver" + verifierreceiver: + doc_path: "/reference/edot-collector/components/verifierreceiver.md" + title: "Verifier receiver" + elasticapmprocessor: doc_path: "/reference/edot-collector/components/elasticapmprocessor.md" title: "Elastic APM processor" diff --git a/docs/reference/edot-collector/components.md b/docs/reference/edot-collector/components.md index 487853f2c2f..4b78ebc1fec 100644 --- a/docs/reference/edot-collector/components.md +++ b/docs/reference/edot-collector/components.md @@ -41,6 +41,7 @@ These components are included in EDOT Collector version 9.3.0. | [awss3receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/awss3receiver) | [OTel Contrib Repo](https://github.com/open-telemetry/opentelemetry-collector-contrib) | [Extended] | v0.141.0 | | [dockerstatsreceiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/dockerstatsreceiver) | [OTel Contrib Repo](https://github.com/open-telemetry/opentelemetry-collector-contrib) | [Extended] | v0.141.0 | | [elasticapmintakereceiver](/reference/edot-collector/components/elasticapmintakereceiver.md) | [Elastic Repo](https://github.com/elastic/opentelemetry-collector-components) | [Core] | v0.24.0 | +| [verifierreceiver](/reference/edot-collector/components/verifierreceiver.md) | [Elastic Repo](https://github.com/elastic/opentelemetry-collector-components) | [Core] | v0.0.0 | | [filelogreceiver](/reference/edot-collector/components/filelogreceiver.md) | [OTel Contrib Repo](https://github.com/open-telemetry/opentelemetry-collector-contrib) | [Core] | v0.141.0 | | [hostmetricsreceiver](/reference/edot-collector/components/hostmetricsreceiver.md) | [OTel Contrib Repo](https://github.com/open-telemetry/opentelemetry-collector-contrib) | [Core] | v0.141.0 | | [httpcheckreceiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/httpcheckreceiver) | [OTel Contrib Repo](https://github.com/open-telemetry/opentelemetry-collector-contrib) | [Extended] | v0.141.0 | diff --git a/docs/reference/edot-collector/components/verifierreceiver.md b/docs/reference/edot-collector/components/verifierreceiver.md new file mode 100644 index 00000000000..1c4acbc3a33 --- /dev/null +++ b/docs/reference/edot-collector/components/verifierreceiver.md @@ -0,0 +1,209 @@ +--- +navigation_title: Verifier receiver +description: The Verifier receiver is an OpenTelemetry Collector component that verifies permissions for integrations and reports results as OTEL logs. +applies_to: + stack: + serverless: + observability: + product: + edot_collector: +products: + - id: elastic-agent + - id: observability + - id: edot-collector +--- + +# Verifier receiver + +The Verifier receiver is an OpenTelemetry Collector component that verifies permissions for integrations (such as AWS CloudTrail, GuardDuty, S3 and others) and reports verification results as OTEL logs. It is used with Cloud Connectors to confirm that the configured IAM roles and credentials have the permissions required by each integration. + +:::{important} +This receiver is in **development** stability. AWS is supported; Azure, GCP, and Okta are planned. +::: + +## Get started + +To use the Verifier receiver, include it in the receiver definitions of the [Collector configuration](/reference/edot-collector/config/index.md) and wire it into a logs pipeline: + +```yaml +receivers: + verifier: + cloud_connector_id: "cc-12345" + cloud_connector_name: "Production Connector" + verification_id: "verify-abc123" + verification_type: "on_demand" + providers: + aws: + credentials: + use_default_credentials: true + default_region: "us-east-1" + policies: + - policy_id: "policy-1" + policy_name: "AWS Security Monitoring" + integrations: + - integration_id: "int-cloudtrail-001" + integration_type: "aws_cloudtrail" + integration_name: "AWS CloudTrail" + integration_version: "2.17.0" + config: + account_id: "123456789012" + region: "us-east-1" + +service: + pipelines: + logs: + receivers: [verifier] + exporters: [elasticsearch] +``` + +## Configuration + +The receiver uses a Cloud Connector-oriented configuration: you specify the connector identity, a verification session, provider credentials, and a list of policies with their integrations. The receiver looks up required permissions per integration type and version, then performs the checks. + +### Required fields + +| Option | Type | Description | +|--------|------|-------------| +| `cloud_connector_id` | `string` | Unique identifier for the Cloud Connector. | +| `verification_id` | `string` | Unique identifier for this verification session. | +| `policies` | `[]PolicyConfig` | List of policies; each policy must have at least one integration with `integration_type` set. | + +### Optional fields + +| Option | Type | Default | Description | +|--------|------|---------|-------------| +| `cloud_connector_name` | `string` | - | Human-readable name of the Cloud Connector. | +| `verification_type` | `string` | `on_demand` | `on_demand` or `scheduled`. | +| `providers` | `ProvidersConfig` | - | Credentials for AWS, and (when available) Azure, GCP, Okta. | + +### AWS credentials (`providers.aws.credentials`) + +For production use with a Cloud Connector, use STS AssumeRole: + +```yaml +receivers: + verifier: + cloud_connector_id: "${CLOUD_CONNECTOR_ID}" + verification_id: "${VERIFICATION_ID}" + providers: + aws: + credentials: + role_arn: "arn:aws:iam::123456789012:role/ElasticAgentRole" + external_id: "elastic-external-id-from-setup" + default_region: "us-east-1" + policies: [] +``` + +For local testing, you can use the default credential chain: + +```yaml +providers: + aws: + credentials: + use_default_credentials: true + default_region: "us-east-1" +``` + +| Option | Type | Required | Description | +|--------|------|----------|-------------| +| `role_arn` | `string` | Yes* | IAM role ARN to assume. | +| `external_id` | `string` | Yes* | External ID for assume-role. | +| `default_region` | `string` | No | Default AWS region (for example `us-east-1`). | +| `use_default_credentials` | `bool` | No | Use default credential chain (for testing). | + +*Required when not using `use_default_credentials`. + +### Policy and integration structure + +Each policy must have `policy_id` and at least one integration. Each integration must specify `integration_type` (for example `aws_cloudtrail`, `aws_guardduty`, `aws_s3`). Optional `integration_id`, `integration_name`, `integration_version`, and `config` provide context and provider-specific settings. + +The `integration_version` field accepts a semantic version string (for example `2.17.0`). Different versions of an integration may require different permissions. When omitted, the latest registered permission set is used. + +```yaml +policies: + - policy_id: "policy-1" + policy_name: "AWS Security Monitoring" + integrations: + - integration_id: "int-cloudtrail-001" + integration_type: "aws_cloudtrail" + integration_name: "AWS CloudTrail" + integration_version: "2.17.0" + config: + account_id: "123456789012" + region: "us-east-1" + - integration_id: "int-guardduty-001" + integration_type: "aws_guardduty" + integration_name: "AWS GuardDuty" + integration_version: "1.5.0" + config: + account_id: "123456789012" + region: "us-east-1" +``` + +## Supported integration types (AWS) + +| Integration type | Permissions verified | +|------------------|----------------------| +| `aws_cloudtrail` | CloudTrail, S3, SQS (for example `LookupEvents`, `GetObject`, `ReceiveMessage`) | +| `aws_guardduty` | GuardDuty (for example `ListDetectors`, `GetFindings`, `ListFindings`) | +| `aws_securityhub` | Security Hub (for example `GetFindings`, `DescribeHub`) | +| `aws_s3` | S3 (for example `ListBucket`, `GetObject`, `GetBucketLocation`) | +| `aws_ec2` | EC2 and CloudWatch (for example `DescribeInstances`, `DescribeRegions`, `GetMetricData`) | +| `aws_vpcflow` | VPC Flow Logs (for example `FilterLogEvents`, `DescribeLogGroups`, `DescribeFlowLogs`) | +| `aws_waf` | WAFv2 and S3 | +| `aws_route53` | Route53 and CloudWatch Logs | +| `aws_elb` | ELB and S3 | +| `aws_cloudfront` | CloudFront and S3 | + +Azure, GCP, and Okta integration types are planned. + +## Output + +The receiver emits OTEL logs. Each log record represents a permission verification result. Resource and log attributes include: + +- **Resource**: `cloud_connector.id`, `cloud_connector.name`, `verification.id`, `verification.type`, `service.name` (`permission-verifier`) +- **Log attributes**: `policy.id`, `policy.name`, `integration.id`, `integration.type`, `integration.version`, `provider.type`, `permission.action`, `permission.status` (`granted` / `denied` / `error` / `skipped`), `permission.error_code`, `permission.error_message`, `verification.method`, `verification.duration_ms` + +Export these logs to {{es}} (for example with the Elasticsearch exporter) and use the `logs-cloud_connector.permission_verification-*` data stream or a custom index for dashboards and alerts. + +## Example pipeline + +```yaml +receivers: + verifier: + cloud_connector_id: "${CLOUD_CONNECTOR_ID}" + verification_id: "${VERIFICATION_ID}" + providers: + aws: + credentials: + role_arn: "${AWS_ROLE_ARN}" + external_id: "${AWS_EXTERNAL_ID}" + default_region: "us-east-1" + policies: + - policy_id: "policy-1" + policy_name: "AWS Security Monitoring" + integrations: + - integration_id: "int-cloudtrail-001" + integration_type: "aws_cloudtrail" + integration_name: "AWS CloudTrail" + integration_version: "2.17.0" + config: + region: "us-east-1" + +exporters: + elasticsearch: + endpoints: ["${ES_ENDPOINT}"] + api_key: "${ES_API_KEY}" + logs_index: "logs-cloud_connector.permission_verification-default" + +service: + pipelines: + logs: + receivers: [verifier] + exporters: [elasticsearch] +``` + +## Resources + +* [Verifier receiver source](https://github.com/elastic/opentelemetry-collector-components/tree/main/receiver/verifierreceiver) +* [Configure logs collection in EDOT](../config/configure-logs-collection.md) diff --git a/docs/reference/edot-collector/custom-collector.md b/docs/reference/edot-collector/custom-collector.md index b212ee9e7f5..c54ae4c4212 100644 --- a/docs/reference/edot-collector/custom-collector.md +++ b/docs/reference/edot-collector/custom-collector.md @@ -75,6 +75,7 @@ receivers: - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awss3receiver v0.141.0 - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/dockerstatsreceiver v0.141.0 - gomod: github.com/elastic/opentelemetry-collector-components/receiver/elasticapmintakereceiver v0.24.0 + - gomod: github.com/elastic/opentelemetry-collector-components/receiver/verifierreceiver v0.0.0 - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/filelogreceiver v0.141.0 - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/hostmetricsreceiver v0.141.0 - gomod: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/httpcheckreceiver v0.141.0 diff --git a/docs/reference/edot-collector/toc.yml b/docs/reference/edot-collector/toc.yml index 716401befff..959e391ef84 100644 --- a/docs/reference/edot-collector/toc.yml +++ b/docs/reference/edot-collector/toc.yml @@ -29,6 +29,7 @@ toc: - file: components/k8sobjectsreceiver.md - file: components/kubeletstatsreceiver.md - file: components/prometheusremotewritereceiver.md + - file: components/verifierreceiver.md - file: customization.md children: - file: custom-collector.md diff --git a/internal/edot/README.md b/internal/edot/README.md index 08a2e7ac37a..7e1f53868f5 100644 --- a/internal/edot/README.md +++ b/internal/edot/README.md @@ -66,6 +66,7 @@ This section provides a summary of components included in the Elastic Distributi | [windowseventlogreceiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/receiver/windowseventlogreceiver/v0.144.0/receiver/windowseventlogreceiver/README.md) | v0.144.0 | | [windowsperfcountersreceiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/receiver/windowsperfcountersreceiver/v0.144.0/receiver/windowsperfcountersreceiver/README.md) | v0.144.0 | | [zipkinreceiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/receiver/zipkinreceiver/v0.144.0/receiver/zipkinreceiver/README.md) | v0.144.0 | +| [verifierreceiver](https://github.com/elastic/opentelemetry-collector-components/tree/main/receiver/verifierreceiver) | v0.0.0 | ### Exporters diff --git a/internal/edot/components.yml b/internal/edot/components.yml index 9e5cd61a2f0..541b946cc7c 100644 --- a/internal/edot/components.yml +++ b/internal/edot/components.yml @@ -28,6 +28,7 @@ core_components: # Receivers - elasticapmintakereceiver + - verifierreceiver - filelogreceiver - hostmetricsreceiver - k8sclusterreceiver diff --git a/internal/edot/go.mod b/internal/edot/go.mod index 030f714ca9c..454ca9129c0 100644 --- a/internal/edot/go.mod +++ b/internal/edot/go.mod @@ -7,6 +7,8 @@ replace github.com/elastic/elastic-agent => ../../ replace github.com/elastic/beats/v7 => ../../beats +replace github.com/elastic/opentelemetry-collector-components/receiver/verifierreceiver => ../../../opentelemetry-collector-components/receiver/verifierreceiver + require ( github.com/elastic/beats/v7 v7.0.0-alpha2.0.20260210220642-c5172fc430d2 github.com/elastic/elastic-agent v0.0.0-00010101000000-000000000000 @@ -20,6 +22,7 @@ require ( github.com/elastic/opentelemetry-collector-components/processor/elasticinframetricsprocessor v0.29.0 github.com/elastic/opentelemetry-collector-components/processor/elastictraceprocessor v0.29.0 github.com/elastic/opentelemetry-collector-components/receiver/elasticapmintakereceiver v0.29.0 + github.com/elastic/opentelemetry-collector-components/receiver/verifierreceiver v0.0.0 github.com/gofrs/uuid/v5 v5.4.0 github.com/open-telemetry/opentelemetry-collector-contrib/connector/routingconnector v0.144.0 github.com/open-telemetry/opentelemetry-collector-contrib/exporter/kafkaexporter v0.144.0 @@ -67,9 +70,13 @@ require ( ) require ( + github.com/Masterminds/semver/v3 v3.4.0 // indirect github.com/StackExchange/wmi v1.2.1 // indirect github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect + github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.43.2 // indirect github.com/aws/aws-sdk-go-v2/service/ecs v1.70.0 // indirect + github.com/aws/aws-sdk-go-v2/service/guardduty v1.48.2 // indirect + github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.2 // indirect github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect github.com/bluekeyes/go-gitdiff v0.7.1 // indirect github.com/coder/websocket v1.8.14 // indirect diff --git a/internal/edot/go.sum b/internal/edot/go.sum index cd44867952f..a9253937409 100644 --- a/internal/edot/go.sum +++ b/internal/edot/go.sum @@ -161,6 +161,8 @@ github.com/IBM/sarama v1.46.3/go.mod h1:GTUYiF9DMOZVe3FwyGT+dtSPceGFIgA+sPc5u6CB github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= @@ -249,6 +251,8 @@ github.com/aws/aws-sdk-go-v2/service/apigateway v1.31.3 h1:k3hj3fFmb03BW7dh56fuc github.com/aws/aws-sdk-go-v2/service/apigateway v1.31.3/go.mod h1:feiyjU7qpOZ9BXA/BFxZ/hipgsnPtGyW/gxzr4l8WQM= github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.28.3 h1:8frWkH+rWP1joKQlWJerGCPrSvZkcvWSDbDv1smYvUE= github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.28.3/go.mod h1:7M/THRNcz6t6fMas6nZ/ldxGM/Dx2BWGRRcSJxn6X7o= +github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.43.2 h1:sLoUkwhrhogwbnQ2/nsc1MT3dia7krZHHwCMbFyYGbo= +github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.43.2/go.mod h1:ODEcuhq+MDaWP9fpgCPcYMKE12pyK5g5W2U0z0nHEiI= github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.45.2 h1:pc8D62wqqWtXlIFp5/e/rhpVPxWnA0craqovONbol5M= github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.45.2/go.mod h1:W6zagkMLyJeopkbOOzERmC4tTQD2I3vdrpw30ywOeEU= github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.50.2 h1:3/bbtfzzGkbhzMUBCwX4BcfBx7YDDjENC2sZvIySKa0= @@ -261,6 +265,8 @@ github.com/aws/aws-sdk-go-v2/service/ecs v1.70.0 h1:IZpZatHsscdOKjwmDXC6idsCXmm3 github.com/aws/aws-sdk-go-v2/service/ecs v1.70.0/go.mod h1:LQMlcWBoiFVD3vUVEz42ST0yTiaDujv2dRE6sXt1yPE= github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.45.4 h1:ZQh1DV22VtPMZQ4bIzERoXkxpxrMVk7fL2DaS7yxGFY= github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.45.4/go.mod h1:Zf0Z0J5aqN5XAIiQ2wORVxZrbot3go3S+xokidjQWSU= +github.com/aws/aws-sdk-go-v2/service/guardduty v1.48.2 h1:F7iPMAIiEX5xqUEhbeflkREaforxmuIkobZi9apGFKc= +github.com/aws/aws-sdk-go-v2/service/guardduty v1.48.2/go.mod h1:yL5DOvh8huFx2ZwB9kj20TnZ5DQJjnoCYUkFitas/2k= github.com/aws/aws-sdk-go-v2/service/health v1.30.3 h1:calnqWx6QS7sSy50SkYxnvw5I4hxh+4Wne/9FYYiBHo= github.com/aws/aws-sdk-go-v2/service/health v1.30.3/go.mod h1:EdJbR2a/rKOvTtMwmGuO1uvqDAw2xttLLbbyO+uaIP4= github.com/aws/aws-sdk-go-v2/service/iam v1.42.1 h1:w41T3NvOJdpMeuAd3sXKGDj9hC3Gl2l/Ijl6WRAtkWg= @@ -283,6 +289,8 @@ github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.5 h1:rdMiRQ4 github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.26.5/go.mod h1:UeZ53VlMQPMO/zGER+yyODug2Tl8v2nOrIX7J9fhyEw= github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1 h1:C2dUPSnEpy4voWFIq3JNd8gN0Y5vYGDo44eUE58a/p8= github.com/aws/aws-sdk-go-v2/service/s3 v1.95.1/go.mod h1:5jggDlZ2CLQhwJBiZJb4vfk4f0GxWdEDruWKEJ1xOdo= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.2 h1:sO8Z9YGxpvPtXsVF0UBBgNOMeEZq2H/GRBdZxTBfEbE= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.52.2/go.mod h1:TccpGcVXrED4xcLhtYFs5qHJEzL8qXCCoQj+TDosCxQ= github.com/aws/aws-sdk-go-v2/service/servicediscovery v1.39.22 h1:wTvgx3mdqEworZ4vCOgpxLbk/Td43WntkmBCsrNRjIo= github.com/aws/aws-sdk-go-v2/service/servicediscovery v1.39.22/go.mod h1:hxZqho6386LxjZzY2L/d1VlETn7VhBOdVhMGkBJ/IUY= github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4fpmpyD9wYG1vfSu+Y= diff --git a/internal/edot/otelcol/components.go b/internal/edot/otelcol/components.go index b37562215ae..cccddd3f5c3 100644 --- a/internal/edot/otelcol/components.go +++ b/internal/edot/otelcol/components.go @@ -43,6 +43,7 @@ import ( otlpreceiver "go.opentelemetry.io/collector/receiver/otlpreceiver" elasticapmintakereceiver "github.com/elastic/opentelemetry-collector-components/receiver/elasticapmintakereceiver" // for collecting APM data from Elastic APM agents + verifierreceiver "github.com/elastic/opentelemetry-collector-components/receiver/verifierreceiver" // for verifying integration permissions fbreceiver "github.com/elastic/beats/v7/x-pack/filebeat/fbreceiver" mbreceiver "github.com/elastic/beats/v7/x-pack/metricbeat/mbreceiver" @@ -122,6 +123,7 @@ func components(extensionFactories ...extension.Factory) func() (otelcol.Factori receivers := []receiver.Factory{ dockerstatsreceiver.NewFactory(), elasticapmintakereceiver.NewFactory(), + verifierreceiver.NewFactory(), otlpreceiver.NewFactory(), filelogreceiver.NewFactory(), kubeletstatsreceiver.NewFactory(), diff --git a/internal/pkg/otel/testdata/all-components.yml b/internal/pkg/otel/testdata/all-components.yml index 8fc2ce6b71b..c84f1de4aa0 100644 --- a/internal/pkg/otel/testdata/all-components.yml +++ b/internal/pkg/otel/testdata/all-components.yml @@ -105,6 +105,25 @@ receivers: value_type: int scalar_oids: - oid: ".1.3.6.1.2.1.1.8.0" + verifier: + verification_type: on_demand + cloud_connector_id: test-connector + cloud_connector_name: Test Cloud Connector + verification_id: test-verification + providers: + aws: + credentials: + use_default_credentials: true + default_region: us-east-1 + policies: + - policy_id: test-policy + policy_name: Test Policy + integrations: + - integration_id: test-integration + integration_name: AWS CloudTrail + integration_type: aws_cloudtrail + integration_version: "2.17.0" + connectors: spanmetrics: @@ -164,6 +183,16 @@ service: - elasticapmintake - elasticmonitoringreceiver + logs/permission_verification: + receivers: + - verifier + exporters: + - nop + - debug + - elasticsearch + - file + - otlp + logs/forward_receive: receivers: - nop