[AWSINTS-3594] feat(go-forwarder): add CloudTrail (#1116)

Co-authored-by: Vincent Boutour <vincent.boutour@datadoghq.com>

Author: ndakkoune

aws/logs_monitoring_go/internal/handling/cloudtrail.go

@@ -0,0 +1,118 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026-Present Datadog, Inc.
+
+package handling
+
+import (
+	"compress/gzip"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"iter"
+	"log/slog"
+	"regexp"
+	"strings"
+)
+
+const (
+	cloudTrailARNKey          = "arn"
+	cloudTrailUserIdentityKey = "userIdentity"
+)
+
+var (
+	cloudTrailRegex   = regexp.MustCompile(`\d+_CloudTrail(|-Digest|-Insight)_\w{2}(|-gov|-cn)-\w{4,9}-\d_(|.+)\d{8}T\d{4,6}Z(|.+)\.json\.gz$`)
+	ec2InstanceRegexp = regexp.MustCompile(`^arn:aws:sts::.*?:assumed-role/(?P<role>.*?)/(?P<host>i-([0-9a-f]{8}|[0-9a-f]{17}))$`)
+)
+
+func decodeCloudTrail(r io.Reader) iter.Seq2[string, error] {
+	return func(yield func(string, error) bool) {
+		gz, err := gzip.NewReader(r)
+		if err != nil {
+			yield("", fmt.Errorf("decode cloudtrail gzip: %w", err))
+			return
+		}
+		defer gz.Close() //nolint:errcheck
+
+		dec := json.NewDecoder(gz)
+
+		if t, err := dec.Token(); err != nil || t != json.Delim('{') {
+			yield("", errors.New("decode cloudtrail: expected '{' at start of JSON"))
+			return
+		}
+		if t, err := dec.Token(); err != nil || t != "Records" {
+			yield("", errors.New("decode cloudtrail: expected 'Records' key"))
+			return
+		}
+		if t, err := dec.Token(); err != nil || t != json.Delim('[') {
+			yield("", errors.New("decode cloudtrail: expected '[' at start of Records array"))
+			return
+		}
+
+		for dec.More() {
+			var raw json.RawMessage
+			if err := dec.Decode(&raw); err != nil {
+				yield("", fmt.Errorf("decode cloudtrail record: %w", err))
+				return
+			}
+			if !yield(string(raw), nil) {
+				return
+			}
+		}
+	}
+}
+
+func cloudtrailHost(message string) string {
+	dec := json.NewDecoder(strings.NewReader(message))
+	if t, err := dec.Token(); err != nil || t != json.Delim('{') {
+		return ""
+	}
+
+	for dec.More() {
+		key, err := dec.Token()
+		if err != nil {
+			return ""
+		}
+		if key != cloudTrailUserIdentityKey {
+			var skip json.RawMessage
+			if err := dec.Decode(&skip); err != nil {
+				return ""
+			}
+			continue
+		}
+
+		if t, err := dec.Token(); err != nil || t != json.Delim('{') {
+			return ""
+		}
+
+		for dec.More() {
+			innerKey, err := dec.Token()
+			if err != nil {
+				return ""
+			}
+			if innerKey != cloudTrailARNKey {
+				var skip json.RawMessage
+				if err := dec.Decode(&skip); err != nil {
+					return ""
+				}
+				continue
+			}
+
+			var arn string
+			if err := dec.Decode(&arn); err != nil {
+				return ""
+			}
+
+			matches := ec2InstanceRegexp.FindStringSubmatch(arn)
+			if matches == nil {
+				slog.Debug(arn + " arn did not match an EC2 host instance, cloudtrail host extraction skipped")
+				return ""
+			}
+			return matches[ec2InstanceRegexp.SubexpIndex("host")]
+		}
+		return ""
+	}
+	return ""
+}

aws/logs_monitoring_go/internal/handling/cloudtrail_test.go

@@ -0,0 +1,189 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026-Present Datadog, Inc.
+
+package handling
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/DataDog/datadog-serverless-functions/aws/logs_monitoring_go/internal/testutil"
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestCloudTrailRegex(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		key  string
+		want bool
+	}{
+		"standard cloudtrail": {
+			key:  "601427279990_CloudTrail_us-east-1_20210503T0000Z_QrttGEk4ZcBTLwj5.json.gz",
+			want: true,
+		},
+		"cloudtrail digest": {
+			key:  "601427279990_CloudTrail-Digest_us-east-1_20210503T0000Z_digest.json.gz",
+			want: true,
+		},
+		"cloudtrail insight": {
+			key:  "601427279990_CloudTrail-Insight_us-east-1_20210503T0000Z_insight.json.gz",
+			want: true,
+		},
+		"gov region": {
+			key:  "601427279990_CloudTrail_us-gov-west-1_20210503T0000Z_abc.json.gz",
+			want: true,
+		},
+		"cn region": {
+			key:  "601427279990_CloudTrail_cn-north-1_20210503T0000Z_abc.json.gz",
+			want: true,
+		},
+		"not cloudtrail": {
+			key:  "some-random-log-file.json.gz",
+			want: false,
+		},
+		"waf log": {
+			key:  "aws-waf-logs-something.json.gz",
+			want: false,
+		},
+		"plain text file": {
+			key:  "access.log",
+			want: false,
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			got := cloudTrailRegex.MatchString(tc.key)
+			if got != tc.want {
+				t.Errorf("cloudTrailRegex().MatchString(%q) = %v, want %v", tc.key, got, tc.want)
+			}
+		})
+	}
+}
+
+func TestCloudtrailHost(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		message string
+		want    string
+	}{
+		"ec2 instance (17)": {
+			message: `{"userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d"}}`,
+			want:    "i-08014e4f62ccf762d",
+		},
+		"ec2 instance (8)": {
+			message: `{"userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-abcd1234"}}`,
+			want:    "i-abcd1234",
+		},
+		"non ec2 arn": {
+			message: `{"userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/my-session"}}`,
+			want:    "",
+		},
+		"missing userIdentity": {
+			message: `{"eventName":"DescribeTable"}`,
+			want:    "",
+		},
+		"missing arn": {
+			message: `{"userIdentity":{"type":"AssumedRole"}}`,
+			want:    "",
+		},
+		"invalid json": {
+			message: "not json",
+			want:    "",
+		},
+		"empty message": {
+			message: "",
+			want:    "",
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			if got := cloudtrailHost(tc.message); got != tc.want {
+				t.Errorf("want %q, got %q", tc.want, got)
+			}
+		})
+	}
+}
+
+func TestDecodeCloudTrail(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		input   []byte
+		want    []string
+		wantErr bool
+	}{
+		"single record": {
+			input: testutil.MustGzipJSON(t, map[string]any{
+				"Records": []any{
+					map[string]any{
+						"eventName": "DescribeTable",
+						"userIdentity": map[string]any{
+							"arn": "arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d",
+						},
+					},
+				},
+			}),
+			want: []string{
+				`{"eventName":"DescribeTable","userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d"}}`,
+			},
+		},
+		"multiple records": {
+			input: testutil.MustGzipJSON(t, map[string]any{
+				"Records": []any{
+					map[string]any{"eventName": "event1"},
+					map[string]any{"eventName": "event2"},
+				},
+			}),
+			want: []string{
+				`{"eventName":"event1"}`,
+				`{"eventName":"event2"}`,
+			},
+		},
+		"empty records array": {
+			input: testutil.MustGzipJSON(t, map[string]any{
+				"Records": []any{},
+			}),
+			want: nil,
+		},
+		"invalid gzip": {
+			input:   []byte("not gzip"),
+			wantErr: true,
+		},
+		"invalid json": {
+			input:   testutil.MustGzipJSON(t, "not an object"),
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			var got []string
+			for msg, err := range decodeCloudTrail(bytes.NewReader(tc.input)) {
+				if err != nil {
+					if !tc.wantErr {
+						t.Fatalf("unexpected error: %v", err)
+					}
+					return
+				}
+				got = append(got, msg)
+			}
+
+			if tc.wantErr {
+				t.Fatal("expected error, got none")
+			}
+			if diff := cmp.Diff(tc.want, got); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

aws/logs_monitoring_go/internal/handling/cloudwatch.go

@@ -134,6 +134,11 @@ func (h CloudwatchHandler) newCloudwatchLogEntry(event events.CloudwatchLogsLogE
 	entry.Message = message
 	entry.ID = event.ID
 	entry.Timestamp = event.Timestamp
+
+	if entry.Source == sourceCloudtrail {
+		entry.Host = cloudtrailHost(event.Message)
+	}
+
 	return entry
 }
 

aws/logs_monitoring_go/internal/handling/cloudwatch_test.go

@@ -118,6 +118,78 @@ func TestCloudwatchHandler_Handle(t *testing.T) {
 				},
 			},
 		},
+		"cloudtrail with ec2 host": {
+			event: testutil.MustCloudwatchEvent(t, testutil.MustGzipJSON(t, map[string]any{
+				"messageType": "DATA_MESSAGE",
+				"owner":       "601427279990",
+				"logGroup":    "cloudtrail-logs",
+				"logStream":   "601427279990_CloudTrail_us-east-1",
+				"logEvents": []map[string]any{
+					{
+						"id":        "ct1",
+						"timestamp": 1620000000000,
+						"message":   `{"eventName":"DescribeTable","userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d"}}`,
+					},
+				},
+			})),
+			config:   testutil.EmptyConfig(),
+			chanSize: 1,
+			want: []model.LogEntry{
+				{
+					Message:        `{"eventName":"DescribeTable","userIdentity":{"arn":"arn:aws:sts::601427279990:assumed-role/MyRole/i-08014e4f62ccf762d"}}`,
+					Source:         "cloudtrail",
+					SourceCategory: "aws",
+					Service:        "cloudtrail",
+					Host:           "i-08014e4f62ccf762d",
+					ID:             "ct1",
+					Timestamp:      1620000000000,
+					Metadata: model.CloudwatchMetadata{
+						LambdaOrigin: model.LambdaOrigin{ARN: testutil.ARN},
+						Origin: model.CloudwatchOrigin{
+							LogGroup:  "cloudtrail-logs",
+							LogStream: "601427279990_CloudTrail_us-east-1",
+							Owner:     "601427279990",
+						},
+					},
+				},
+			},
+		},
+		"cloudtrail without ec2 host": {
+			event: testutil.MustCloudwatchEvent(t, testutil.MustGzipJSON(t, map[string]any{
+				"messageType": "DATA_MESSAGE",
+				"owner":       "601427279990",
+				"logGroup":    "cloudtrail-logs",
+				"logStream":   "601427279990_CloudTrail_us-east-1",
+				"logEvents": []map[string]any{
+					{
+						"id":        "ct2",
+						"timestamp": 1620000000000,
+						"message":   `{"eventName":"DescribeTable","userIdentity":{"arn":"arn:aws:iam::601427279990:user/admin"}}`,
+					},
+				},
+			})),
+			config:   testutil.EmptyConfig(),
+			chanSize: 1,
+			want: []model.LogEntry{
+				{
+					Message:        `{"eventName":"DescribeTable","userIdentity":{"arn":"arn:aws:iam::601427279990:user/admin"}}`,
+					Source:         "cloudtrail",
+					SourceCategory: "aws",
+					Service:        "cloudtrail",
+					Host:           "",
+					ID:             "ct2",
+					Timestamp:      1620000000000,
+					Metadata: model.CloudwatchMetadata{
+						LambdaOrigin: model.LambdaOrigin{ARN: testutil.ARN},
+						Origin: model.CloudwatchOrigin{
+							LogGroup:  "cloudtrail-logs",
+							LogStream: "601427279990_CloudTrail_us-east-1",
+							Owner:     "601427279990",
+						},
+					},
+				},
+			},
+		},
 		"config overrides source, host, service and tags": {
 			event: testutil.MustCloudwatchEvent(t, testutil.MustGzipJSON(t, map[string]any{
 				"messageType": "DATA_MESSAGE",