Move fips_enabled setting to AWS Common

[legoguy1000]

What does this PR do?

Moves the fips_enabled config option from the aws-s3 input to the AWS Common module to allow for any AWS related module to be able to use FIPS endpoints. Also updated all FIPS capable services to use the above config to set the endpoint. The only service that didn't support FIPS was tagging. Also adds TLS configuration to the AWS common module.

Why is it important?

Currently with the aws-s3 input the S3 bucket operations are able to use the FIPS endpoints but there is a single SQS API call that doesn't utilize FIPS if the setting is configured. Also the Cloudwatch input nor the AWS Metricbeat module are able to use FIPS currently. Reference https://discuss.elastic.co/t/sqs-client-ignores-the-fips-flag-for-the-service-endpoint/288687

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

[mergify]

This pull request does not have a backport label. Could you fix it @legoguy1000? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[legoguy1000]

@kaiyan-sheng THoughts? Changes from the Discuss post above.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-12-14T02:25:27.098+0000

• Duration: 142 min 24 sec

• Commit: 79e29a7

Test stats 🧪

Test	Results
Failed	0
Passed	28307
Skipped	3038
Total	31345

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[kaiyan-sheng]

@legoguy1000 +1 on moving this config to aws common! Thanks for working on it!

[legoguy1000]

I think I just need to update the docs and default config files and then should be ready for review.

[legoguy1000]

I did find 1 thing that may be problematic. If you look at https://aws.amazon.com/compliance/fips/, all the US East/West regions support the -fips endpoints but for the US GovCloud regions, some add the -fips and some don't. The SQS FIPS endpoint for GovCloud is sqs.us-gov-..... but the S3 is s3-fips.us-gov-.... so the current logic would break because sqs-fips.us-gov..... endpoint doesn't exist. I can add logic to check for that if we think that makes sense?

[elasticmachine]

Pinging @elastic/integrations (Team:Platforms)

[legoguy1000]

@kaiyan-sheng I think its ready for review. I added a new TLS config to the AWS common module so if there is a need to change the trusted root certs, set insecure, ..... (mainly for self hosted/3rd party services). Also can be used for testing with something like https://localstack.cloud/.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b aws-fips upstream/aws-fips
git merge upstream/master
git push upstream aws-fips

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b aws-fips upstream/aws-fips
git merge upstream/master
git push upstream aws-fips

[kaiyan-sheng]

@legoguy1000 Sorry I just came back from vacation. Will review this today!!

[kaiyan-sheng]

/test

[kaiyan-sheng]

Overall it looks good to me besides make update needs to be ran everywhere seems like 😬 @leehinman Could you also take a look at this PR please?

[legoguy1000]

@kaiyan-sheng I think i ran all the make updates that I needed too.

[leehinman]

Nice.

One minor comment below. I'm ok with merging if the comment doesn't resonate with you.

[leehinman]

Minor nit. If you switch to a Map, you can get rid of the Find function. Also might be nice to have the OptionalGovCloudFIPS var be package level with a godoc comment.

[legoguy1000]

I can change it to a map.

[legoguy1000]

as for where to put the variable, i'm not a GoLang expert to know what is best but I can't see the variable being used outside of this function.

[legoguy1000]

I added the map

[leehinman]

Reasoning behind moving variable to top level is for doc comments That way the comment shows up in the godoc output. Again not a big deal, and I'm ok with merging without moving.

[legoguy1000]

I think i moved it correctly. Please let me know otherwise.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b aws-fips upstream/aws-fips
git merge upstream/master
git push upstream aws-fips

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b aws-fips upstream/aws-fips
git merge upstream/master
git push upstream aws-fips

[kaiyan-sheng]

/test

[legoguy1000]

@kaiyan-sheng @leehinman Anything more I need to do for this PR?

[kaiyan-sheng]

/test

[kaiyan-sheng]

@legoguy1000 Sorry I fixed the merge conflict and then realized lint is not happy 😂 Could you take a look when you get a chance please? TIA!!

[legoguy1000]

@legoguy1000 Sorry I fixed the merge conflict and then realized lint is not happy 😂 Could you take a look when you get a chance please? TIA!!

Are you able to tell what's causing the linter to fail?

[legoguy1000]

@legoguy1000 Sorry I fixed the merge conflict and then realized lint is not happy 😂 Could you take a look when you get a chance please? TIA!!

Are you able to tell what's causing the linter to fail?

nevermind, I think I found it.

[legoguy1000]

@kaiyan-sheng Looks like AWS tests had issues due to the us-east-1 region issues today. May need to rerun the tests.

[kaiyan-sheng]

/test

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b aws-fips upstream/aws-fips
git merge upstream/master
git push upstream aws-fips

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b aws-fips upstream/aws-fips
git merge upstream/master
git push upstream aws-fips