[serverless] add cspm metering functionality

[CohenIdo]

solves

• https://github.com/elastic/security-team/issues/7020

First usage of the shared task manager class for the security serverless project:

• Registered CSPM metering callback
• Add logs to the task manager service
• Updated the interfaces

How to test it?

1. Follow the instructions provided in: https://github.com/elastic/security-team/issues/7025 to deploy the development serverless environment.
2. Checkout the branch
3. Start Kibana using the following command: yarn start --serverless=security (Make sure Elasticsearch is already running before).
4. Check the Kibana logs.
   Look for the specified logger: plugins.securitySolutionServerless.serverless-security:cspm-usage-reporting-task:1
   Review the logs associated with the specified logger to gather the required information.

[2023-07-20T17:50:38.552+03:00][INFO ][plugins.securitySolutionServerless.serverless-security:cspm-usage-reporting-task:1] usage records report was sent successfully
[2023-07-20T17:51:11.365+03:00][INFO ][plugins.securitySolutionServerless.serverless-security:cspm-usage-reporting-task:1] received usage records: [{"id":"serverless-security:cspm-usage-report","usage_timestamp":"2023-07-20T10:47:54.506Z","creation_timestamp":"7/20/2023, 5:51:11 PM","usage":{"type":"cspm-resource","quantity":1219,"period_seconds":3600,"cause":"CIS Amazon Web Services Foundations"},"source":{"id":"serverless-security:cspm-usage-reporting-task:1","instance_group_id":"missing project id"}}]
[2023-07-20T17:51:11.572+03:00][INFO ][plugins.securitySolutionServerless.serverless-security:cspm-usage-reporting-task:1] usage records report was sent successfully

[joeypoon]

looking good, just some small things

[joeypoon]

is this on purpose? I believe we need the /usage: https://github.com/elastic/usage-api/blob/5414a1c5f170b81552deb2140307e135ad93c7e0/api/user-v1-spec.yml#L50

[CohenIdo]

you right:)

[joeypoon]

let's rename this to: SecurityUsageReportingTaskStartContract

[CohenIdo]

done:)

[joeypoon]

I'm thinking it might make sense to log the response and some of the usage record data on success for compliance and billing debugging.

[CohenIdo]

it's good idea to add the response, regarding the usage record data, we already have it in line 127

[joeypoon]

I worry about the extra resources/cost we would incur here, especially if it's a lot of records. maybe logger.debug instead?

[CohenIdo]

I agree

[CohenIdo]

precision treshold should be added here

[eyalkraft]

Let's add this comment in the code for now

[CohenIdo]

I planned to add a value as part of this PR, I am going add it today.

[eyalkraft]

Good Job Ido!
For the first iteration the most important comments are:

1. Necessary Decoupling of benchmarks and bucket
2. Necessary documentation of the core of the metering function

[eyalkraft]

Let's add this comment in the code for now

[eyalkraft]

Currently, It doesn't seem like there's going to be a bucket per benchmark.
For example, KSPM and CSPM belong to the same bucket. Additionally, CNVM isn't benchmark related at all.
I suggest decoupling benchmarks and buckets in terminology and implementation.

[CohenIdo]

KSPM and CSPM belong to the same bucket

wdym? We are going to charge per sulotion, so we will have a billing bucket for KSPM, CSPM and Vul mngm. This PR handling CPSM only.

I mean here to the CSPM benchmark which for now is cis_aws (and soon we will support GCP as well) I did it to provide more context on the charge, it used in the cause field.

[eyalkraft]

To my understanding, we have a single bucket for KSPM + CSPM + CNVM as @MikePaquette described here https://github.com/elastic/security-team/issues/6497#issuecomment-1627719606

[CohenIdo]

Sounds weird to me, in this case KSPM resource will be equal from price perspective as an EC2 instance on vulnerability mngm?

Anyway, this implementation method will enable us to support also the method you mentioned via the billing transform function and will enable also decouple the collectors tasks which I think will be easier to maintain it that way.

[eyalkraft]

I tend to disagree.
We know Kibana, Kibana tests and so on way better than we know whatever infrastructure that would be provided by the transform function. I think we should keep the transform function as lean and stupid as possible.
Additionally, Bucket is a metering specific term that isn't related to benchmarks.
We have no reason for counting separately which complicates the metering for no reason.

[CohenIdo]

I already updated the code to one single bucket for cloud security

[eyalkraft]

We've discussed why querying isn't enough, and additional processing in the code is necessary. Please include the reasoning here as a comment with relevant links and an (very short) explanation why the alternative approach of querying directly isn't used. (https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-cardinality-aggregation.html#_counts_are_approximate)

[CohenIdo]

@eyalkraft I researched that and learned that behind the scenes term aggregation using the same logic as cardinality. (terms-agg-doc-count-error)
So as you suggested in our discussion, querying is indeed enough -without another iteration in Kibana.

[eyalkraft]

Good 👍
Is the code updated then and I didn't realize it? Why are there still iterations over the query results in the code?

[CohenIdo]

For the benchmarks...
https://github.com/elastic/kibana/pull/162019/files#r1271927221

[eyalkraft]

can we use the actual task interval variable here? to make sure things won't brake in case it changes

[CohenIdo]

👍

[eyalkraft]

again, not sure why the breaking down by benchmarks to later sum all together.

[CohenIdo]

The purpose of this was to provide more context about the charge, which was used in the cause field.

The total number of benchmarks that the customer may have will be in future no more than three or four (today it will be a maximum of ~2) , so it will be a very small array iteration and I believe it is worth it.

[eyalkraft]

I'm not sure this should be the minTimestamp, and not the time when the billing query happens.
What are the implications of this value?
What happens if a user uninstalls all the benchmarks and this value is the same (the last finding time before the un-installment) for the entire 24 hours after?
What is this value used for?

[CohenIdo]

usage_timestamp
This represents when the usage occurred, or the beginning of the range of usage that this record captures. If the usage is based on an aggregation of other data stored in another system, it should be based on the earliest of those records so we can tie this usage record back to the source data (for troubleshooting or presentation purposes).

taken from usage record schema v2.

[eyalkraft]

TODO what?

[eyalkraft]

wouldn't this be worth logging?

[CohenIdo]

Necessary documentation of the core of the metering function

@eyalkraft, I planned to document the work, can you elaborate more about what you mean in "the core of the metering function"

[eyalkraft]

Talking about the file cspm_metring_task.ts and specifically the query and the code responsible for the metring itself

[eyalkraft]

Required changes:

1. On no resources, don't send anything to the metering service (don't send an empty array). Make sure that not sending is equivalent to sending count 0.

Following PR:

1. tests

[eyalkraft]

LGTM, please add the tests ASAP

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 096a4d6

Metrics [docs]

✅ unchanged

History

• 💔 Build #144345 failed f0ecd32afaacc9651d3ea8c88e784791525e4e23
• 💔 Build #144300 failed 4ffa868
• 💔 Build #144223 failed 270abfb4234e54cc44f01107cdb607736390f5ac
• 💔 Build #143929 failed aae097fd7fe5bed1cfac0a08c19b1f57052ad0ef
• 💔 Build #143880 failed b015f355b2a86c3cb47721c8a891c6d14874394c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream