AWS CloudWatch Event Sink Implementation

[adnanhemani]

As per discussion at this morning's Polaris Community Sync, I am introducing this event listener that will allow users to sink events to AWS CloudWatch Logs - where they can search through events for auditing purposes, if they wish. I do intend to introduce similar changes for Azure and GCP once this is merged so that we have parity across all CSPs - but this will help nail down the exact pattern to make this work.

Below is a screenshot of a sample event sent to CloudWatch:

[snazy]

Didn't look into the whole PR, but two things I noticed:

• The PR's doing more than mentioned in the summary & description
• There's no (integration) testing for the feature (IIRC there are solutions to test cloudwatch locally)

[adnanhemani]

Hi @snazy,

The PR's doing more than mentioned in the summary & description

Yes, I'm assuming you're referring to the creation of one new event (onAfterCatalogCreated). It is much faster to use that to rapidly test new event listeners. If it is a sticking point, I'm happy to break that into a separate, few-line PR. WDYT?

There's no (integration) testing for the feature (IIRC there are solutions to test cloudwatch locally)

I didn't want to sink (no pun intended) more time trying to setup LocalStack for this repository if this approach was wildly off-the-mark. If you think the general approach is reasonable and the main things that will need change are implementation details, I will be glad to add that in the next revision. IIRC, this is also something that we only get with AWS - both Azure and GCP equivalents of CloudWatch do not have equivalent testing solutions (this could be outdated information but I can't find anything in a quick Google search). If having parity across CSPs on testing is important, maybe we settle for unit tests instead? Let me know your thoughts.

[adnanhemani]

I've added a test using LocalStack, which should help emulate CloudWatch. This PR is ready for a full review.

[snazy]

There are some thread-safety/concurrency issues and memory leaks in this change, which have to be addressed.

The implementation can also be simplified.

I'd also recommend to move this to its own module to streamline CI and testing in general.

Hey @snazy, can you take another pass over this one? It's changed a lot since we initially reviewed.

[RussellSpitzer]

A note, that I really like having this as a public class because if someone does want to write a plugin that doesn't interact with any of the Iceberg or other based libraries, they can always utilize this instead and only depend on Polaris.

[RussellSpitzer]

We are missing the negative test here, we also ned to test that it doesn't fail if the log group and stream already exists. You could just start up again after the the first asserts?

[RussellSpitzer]

I think we are just missing one test of the "already exists" branch but other than that I think this is ready to go

[eric-maynard]

nit but I would recommend putting these into constants somewhere, e.g. AwsCloudWatchEventEventListener.KEY_REALM

[adnanhemani]

Putting them as class-wide constants isn't a great idea IMO. These variables are RequestScoped, while the class as a whole is ApplicationScoped. The best we can probably do is to keep them as variables within the transformAndSendEvent function (which will run per request) - but I'm not sure what that helps to clarify.

[eric-maynard]

To be clear, I'm talking about the string literals like "realm" here. Having a constant will be useful if someone else wants to extract the value from the event, e.g. they won't have to hard-code properties.get("realm")

[eric-maynard]

Cloudwatch or CloudWatch? We are using a mix of both casings

[adnanhemani]

Good point, changed.

[singhpk234]

we would IAM that polaris is running with have permissions to write to this log group right ? i don't know where to best write it ? thoughts ?

[adnanhemani]

Added it to this page, let me know your thoughts!

[singhpk234]

LGTM, Thanks a lot @adnanhemani for all the work !

I have added some suggestions, which are optional to address and are good to have !

[singhpk234]

Suggested change

	LOGGER.debug("Log {} [{}] already exists", resourceType, resourceName);
	LOGGER.debug("Resource {} [{}] already exists", resourceType, resourceName);

[adnanhemani]

No - the resourceType here will be "stream" or "group" to make a final log line stating "Log stream [xyz] already exists"

[singhpk234]

[not a blocker] IMHO adding IAM requirement might not be right place, is there a place where IAM with Polaris runs with requirements are there ? let me check too.

[adnanhemani]

I don't see one other than the Getting Started - and I don't think that page is relevant here.

[singhpk234]

[optional] wondering if we need catalog name too in this ? lets say i have a same namespace and table in the different catalogs in the realm ?

[adnanhemani]

I agree with this but we should put this as part of the instrumentation of the event itself. I will look into this for #2480.

[adnanhemani]

Working on rebase for this - seems like it is now failing in main