feat: add AWS S3 sidelining (aka claim check)

Add feature to extract and send (sideline) EventBridge event value, which is
the content of the Kafka record value, to S3 by a given JSON Path. The event
with the transformed value is send to EventBridge with the reference to the S3
object and the used JSON Path.

The feature is activated if the S3 bucket (e.g. 'my-bucket') is configured for
the connector by:
```json5
{
  "config": {
    // other required configuration
    "aws.eventbridge.offloading.s3.default.bucket": "my-bucket"
  }
}
```

The user must have write access to the configured bucket.

The default JSON Path is `$.detail.value` referencing a EventBridge entry. A
valid JSON Path must start with `$.detail.value` and must reference a single
JSON object, array or value.

The JSON Path can be configured for the connector by:
```json5
{
  "config": {
    // other required configuration
    "aws.eventbridge.offloading.default.fieldref": "$.detail.value"
  }
}
```

If the JSON Path does not match, nothing is send to S3. Otherwise, if the JSON
Path matches a non `null` JSON object, array or value, this value is send to S3
and the JSON attribute is removed. If the value is `null` and matches the JSON
Path, the JSON attribute with it's `null` value is keept and nothing send to
S3.

If the feature is activated and a value was send to S3, the EventBridge event
contains the attribute `$.detail.datarefJsonPath` with the configured JSON Path
and the S3 object reference at `$.detail.dataref`. Otherwise the EventBridge
event is unchanged.

A FIFO cache with a maximum size of 10.000 is used to look the uploaded content
to S3 by it's SHA512 and re-use the S3 object key whenever possible.

Closes #110.

Author: agebhar1

e2e/connect-config-s3.json

@@ -0,0 +1,17 @@
+{
+    "name": "eventbridge-e2e-s3",
+    "config": {
+        "auto.offset.reset": "earliest",
+        "connector.class": "software.amazon.event.kafkaconnector.EventBridgeSinkConnector",
+        "topics": "eventbridge-e2e",
+        "aws.eventbridge.connector.id": "eventbridge-e2e-connector",
+        "aws.eventbridge.eventbus.arn": "arn:aws:events:us-east-1:000000000000:event-bus/eventbridge-e2e",
+        "aws.eventbridge.region": "us-east-1",
+        "aws.eventbridge.endpoint.uri": "http://localstack:4566",
+        "aws.eventbridge.offloading.s3.default.bucket": "test-bucket",
+        "aws.eventbridge.offloading.default.fieldref": "$.detail.value.message",
+        "key.converter": "org.apache.kafka.connect.storage.StringConverter",
+        "value.converter": "org.apache.kafka.connect.json.JsonConverter",
+        "value.converter.schemas.enable": false
+    }
+}

pom.xml

@@ -27,6 +27,7 @@
         <commons-codec.version>1.17.0</commons-codec.version>
         <commons-logging.version>1.3.1</commons-logging.version>
         <connect.api.version>3.7.0</connect.api.version>
+        <equalsverifier.version>3.16.1</equalsverifier.version>
         <joda-time.version>2.12.7</joda-time.version>
         <org.apache.commons.version>3.14.0</org.apache.commons.version>
         <org.assertj.version>3.25.3</org.assertj.version>
@@ -36,6 +37,7 @@
         <org.junit.jupiter.version>5.10.2</org.junit.jupiter.version>
         <org.mockito.version>5.11.0</org.mockito.version>
         <org.slf4j.version>2.0.13</org.slf4j.version>
+        <org.skyscreamer.version>1.5.1</org.skyscreamer.version>
         <org.testcontainers.version>1.19.7</org.testcontainers.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
@@ -46,11 +48,20 @@
             <artifactId>logback-classic</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.jayway.jsonpath</groupId>
+            <artifactId>json-path</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.jayway.jsonpath</groupId>
             <artifactId>json-path-assert</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>nl.jqno.equalsverifier</groupId>
+            <artifactId>equalsverifier</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
@@ -100,6 +111,11 @@
             <artifactId>testcontainers</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.skyscreamer</groupId>
+            <artifactId>jsonassert</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>auth-crt</artifactId>
@@ -122,6 +138,10 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>s3</artifactId>
+        </dependency>
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>http-client-spi</artifactId>
@@ -157,6 +177,11 @@
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>
+            <dependency>
+                <groupId>com.jayway.jsonpath</groupId>
+                <artifactId>json-path</artifactId>
+                <version>${com.jayway.jsonpath.version}</version>
+            </dependency>
             <dependency>
                 <groupId>com.jayway.jsonpath</groupId>
                 <artifactId>json-path-assert</artifactId>
@@ -177,6 +202,11 @@
                 <artifactId>joda-time</artifactId>
                 <version>${joda-time.version}</version>
             </dependency>
+            <dependency>
+                <groupId>nl.jqno.equalsverifier</groupId>
+                <artifactId>equalsverifier</artifactId>
+                <version>${equalsverifier.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
@@ -240,6 +270,11 @@
                 <artifactId>testcontainers</artifactId>
                 <version>${org.testcontainers.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.skyscreamer</groupId>
+                <artifactId>jsonassert</artifactId>
+                <version>${org.skyscreamer.version}</version>
+            </dependency>
             <dependency>
                 <groupId>software.amazon.awssdk</groupId>
                 <artifactId>auth-crt</artifactId>

src/main/java/software/amazon/event/kafkaconnector/EventBridgeSinkConfig.java

@@ -13,9 +13,13 @@
 import org.apache.kafka.common.config.ConfigDef.Type;
 import org.slf4j.Logger;
 import software.amazon.event.kafkaconnector.logging.ContextAwareLoggerFactory;
+import software.amazon.event.kafkaconnector.offloading.S3EventBridgeEventDetailValueOffloading;
 
 public class EventBridgeSinkConfig extends AbstractConfig {
 
+  private static final Logger log =
+      ContextAwareLoggerFactory.getLogger(EventBridgeSinkConfig.class);
+
   // used in event source and IAM session role name
   static final String AWS_CONNECTOR_ID_CONFIG = "aws.eventbridge.connector.id";
   static final String AWS_REGION_CONFIG = "aws.eventbridge.region";
@@ -33,6 +37,11 @@ public class EventBridgeSinkConfig extends AbstractConfig {
   static final String AWS_DETAIL_TYPES_CONFIG = "aws.eventbridge.detail.types";
   static final String AWS_DETAIL_TYPES_MAPPER_CLASS = "aws.eventbridge.detail.types.mapper.class";
   static final String AWS_EVENTBUS_RESOURCES_CONFIG = "aws.eventbridge.eventbus.resources";
+  static final String AWS_OFFLOADING_S3_DEFAULT_BUCKET =
+      "aws.eventbridge.offloading.s3.default.bucket";
+  static final String AWS_OFFLOADING_DEFAULT_FIELDREF =
+      "aws.eventbridge.offloading.default.fieldref";
+
   private static final String AWS_CONNECTOR_ID_DOC =
       "The unique ID of this connector (used in the event source field to uniquely identify a connector).";
   private static final String AWS_REGION_DOC = "The AWS region of the event bus.";
@@ -53,6 +62,12 @@ public class EventBridgeSinkConfig extends AbstractConfig {
   private static final String AWS_PROFILE_NAME_CONFIG_DOC =
       "The profile to use from the configuration and credentials files to retrieve IAM credentials";
   public static final String AWS_DETAIL_TYPES_DEFAULT = "kafka-connect-${topic}";
+  public static final String AWS_OFFLOADING_S3_DEFAULT_BUCKET_DOC =
+      "The S3 bucket to offload matched record value by JSON Path";
+  public static final String AWS_OFFLOADING_DEFAULT_FIELDREF_DOC =
+      "The JSON Path to offload record value";
+  public static final String AWS_OFFLOADING_DEFAULT_FIELDREF_DEFAULT =
+      S3EventBridgeEventDetailValueOffloading.JSON_PATH_PREFIX;
 
   private static final String AWS_DETAIL_TYPES_MAPPER_CLASS_DEFAULT =
       "software.amazon.event.kafkaconnector.mapping.DefaultDetailTypeMapper";
@@ -81,10 +96,11 @@ public class EventBridgeSinkConfig extends AbstractConfig {
   public final List<String> resources;
   public final int maxRetries;
   public final long retriesDelay;
-  private final Logger log = ContextAwareLoggerFactory.getLogger(EventBridgeSinkConfig.class);
   public Map<String, String> detailTypeByTopic;
   public String detailType;
   public String detailTypeMapperClass;
+  public String offloadingS3defaultBucket;
+  public String offloadingDefaultFieldRef;
 
   public EventBridgeSinkConfig(final Map<?, ?> originalProps) {
     super(CONFIG_DEF, originalProps);
@@ -100,6 +116,8 @@ public EventBridgeSinkConfig(final Map<?, ?> originalProps) {
     this.retriesDelay = getInt(AWS_RETRIES_DELAY_CONFIG);
     this.resources = getList(AWS_EVENTBUS_RESOURCES_CONFIG);
     this.detailTypeMapperClass = getString(AWS_DETAIL_TYPES_MAPPER_CLASS);
+    this.offloadingS3defaultBucket = getString(AWS_OFFLOADING_S3_DEFAULT_BUCKET);
+    this.offloadingDefaultFieldRef = getString(AWS_OFFLOADING_DEFAULT_FIELDREF);
 
     var detailTypes = getList(AWS_DETAIL_TYPES_CONFIG);
     if (detailTypes.size() > 1 || detailTypes.get(0).contains(":")) {
@@ -113,7 +131,8 @@ public EventBridgeSinkConfig(final Map<?, ?> originalProps) {
     log.info(
         "EventBridge properties: connectorId={} eventBusArn={} eventBusRegion={} eventBusEndpointURI={} "
             + "eventBusMaxRetries={} eventBusRetriesDelay={} eventBusResources={} "
-            + "eventBusEndpointID={} roleArn={} roleSessionName={} roleExternalID={}",
+            + "eventBusEndpointID={} roleArn={} roleSessionName={} roleExternalID={}"
+            + "offloadingS3defaultBucket={} offloadingDefaultFieldRef={}",
         connectorId,
         eventBusArn,
         region,
@@ -124,7 +143,9 @@ public EventBridgeSinkConfig(final Map<?, ?> originalProps) {
         endpointID,
         roleArn,
         connectorId,
-        externalId);
+        externalId,
+        offloadingS3defaultBucket,
+        offloadingDefaultFieldRef);
   }
 
   private static ConfigDef createConfigDef() {
@@ -154,7 +175,6 @@ private static void addParams(final ConfigDef configDef) {
         AWS_ROLE_EXTERNAL_ID_CONFIG_DOC);
     configDef.define(
         AWS_PROFILE_NAME_CONFIG, Type.STRING, "", Importance.MEDIUM, AWS_PROFILE_NAME_CONFIG_DOC);
-    ;
     configDef.define(
         AWS_RETRIES_CONFIG, Type.INT, AWS_RETRIES_DEFAULT, Importance.MEDIUM, AWS_RETRIES_DOC);
     configDef.define(
@@ -181,5 +201,17 @@ private static void addParams(final ConfigDef configDef) {
         AWS_DETAIL_TYPES_MAPPER_CLASS_DEFAULT,
         Importance.MEDIUM,
         AWS_DETAIL_TYPES_MAPPER_DOC);
+    configDef.define(
+        AWS_OFFLOADING_S3_DEFAULT_BUCKET,
+        Type.STRING,
+        "",
+        Importance.MEDIUM,
+        AWS_OFFLOADING_S3_DEFAULT_BUCKET_DOC);
+    configDef.define(
+        AWS_OFFLOADING_DEFAULT_FIELDREF,
+        Type.STRING,
+        AWS_OFFLOADING_DEFAULT_FIELDREF_DEFAULT,
+        Importance.MEDIUM,
+        AWS_OFFLOADING_DEFAULT_FIELDREF_DOC);
   }
 }

src/main/java/software/amazon/event/kafkaconnector/EventBridgeSinkConfigValidator.java

@@ -19,6 +19,7 @@
 import org.apache.kafka.common.config.ConfigValue;
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.regions.RegionMetadata;
+import software.amazon.event.kafkaconnector.offloading.S3EventBridgeEventDetailValueOffloading;
 
 public class EventBridgeSinkConfigValidator {
 
@@ -92,6 +93,18 @@ public static void validate(ConfigValue configValue, EnvVarGetter getenv) {
           validateDetailTypeMapperClass(configValue);
           break;
         }
+
+      case AWS_OFFLOADING_S3_DEFAULT_BUCKET:
+        {
+          nonStrictValidateOffloadingS3DefaultBucket(configValue);
+          break;
+        }
+
+      case AWS_OFFLOADING_DEFAULT_FIELDREF:
+        {
+          validateOffloadingDefaultFieldRef(configValue);
+          break;
+        }
     }
   }
 
@@ -208,4 +221,25 @@ private static void validateValueWithPattern(String key, String value, Pattern p
               key, value, pattern));
     }
   }
+
+  private static void nonStrictValidateOffloadingS3DefaultBucket(ConfigValue configValue) {
+    var value = (String) configValue.value();
+    if (value == null || value.isBlank()) return;
+
+    // https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
+    var sufficient = Pattern.compile("^[a-z0-9][a-z0-9.-]{1,61}?[a-z0-9]$");
+    if (!sufficient.matcher(value).find()) {
+      throw new ConfigException(String.format("\"%s\" is not a valid S3 bucket name", value));
+    }
+  }
+
+  private static void validateOffloadingDefaultFieldRef(ConfigValue configValue) {
+    var value = (String) configValue.value();
+    if (value == null || value.isBlank()) return;
+    try {
+      S3EventBridgeEventDetailValueOffloading.validateJsonPath(value);
+    } catch (IllegalArgumentException e) {
+      throw new ConfigException(String.format("\"%s\" is not a valid offload JSON Path", value), e);
+    }
+  }
 }

src/main/java/software/amazon/event/kafkaconnector/EventBridgeWriter.java

@@ -38,13 +38,17 @@
 import software.amazon.awssdk.services.eventbridge.model.PutEventsRequest;
 import software.amazon.awssdk.services.eventbridge.model.PutEventsRequestEntry;
 import software.amazon.awssdk.services.eventbridge.model.PutEventsResponse;
+import software.amazon.awssdk.services.s3.S3AsyncClient;
 import software.amazon.awssdk.utils.StringUtils;
 import software.amazon.event.kafkaconnector.auth.EventBridgeCredentialsProvider;
 import software.amazon.event.kafkaconnector.batch.DefaultEventBridgeBatching;
 import software.amazon.event.kafkaconnector.batch.EventBridgeBatchingStrategy;
 import software.amazon.event.kafkaconnector.logging.ContextAwareLoggerFactory;
 import software.amazon.event.kafkaconnector.mapping.DefaultEventBridgeMapper;
 import software.amazon.event.kafkaconnector.mapping.EventBridgeMapper;
+import software.amazon.event.kafkaconnector.offloading.EventBridgeEventDetailValueOffloadingStrategy;
+import software.amazon.event.kafkaconnector.offloading.NoOpEventBridgeEventDetailValueOffloading;
+import software.amazon.event.kafkaconnector.offloading.S3EventBridgeEventDetailValueOffloading;
 import software.amazon.event.kafkaconnector.util.EventBridgeEventId;
 import software.amazon.event.kafkaconnector.util.MappedSinkRecord;
 import software.amazon.event.kafkaconnector.util.PropertiesUtil;
@@ -58,6 +62,7 @@ public class EventBridgeWriter {
   private final EventBridgeAsyncClient ebClient;
   private final EventBridgeMapper eventBridgeMapper;
   private final EventBridgeBatchingStrategy batching;
+  private final EventBridgeEventDetailValueOffloadingStrategy offloading;
 
   /**
    * @param config Configuration of Sink Client (AWS Region, Eventbus ARN etc.)
@@ -101,6 +106,27 @@ public EventBridgeWriter(EventBridgeSinkConfig config) {
     this.eventBridgeMapper = new DefaultEventBridgeMapper(config);
     this.batching = new DefaultEventBridgeBatching();
 
+    if ((config.offloadingS3defaultBucket != null) && !config.offloadingS3defaultBucket.isEmpty()) {
+      var s3client =
+          S3AsyncClient.builder()
+              .credentialsProvider(credentialsProvider)
+              .endpointOverride(endpointUri)
+              .forcePathStyle(endpointUri != null)
+              .httpClientBuilder(AwsCrtAsyncHttpClient.builder())
+              .overrideConfiguration(clientConfig)
+              .region(Region.of(this.config.region))
+              .build();
+      var bucketName = StringUtils.trim(config.offloadingS3defaultBucket);
+      var jsonPathExp = StringUtils.trim(config.offloadingDefaultFieldRef);
+
+      log.info(
+          "S3 offloading is activated with bucket: {} and JSON path: {}", bucketName, jsonPathExp);
+      offloading = new S3EventBridgeEventDetailValueOffloading(s3client, bucketName, jsonPathExp);
+    } else {
+      log.info("S3 offloading is deactivated");
+      offloading = new NoOpEventBridgeEventDetailValueOffloading();
+    }
+
     log.trace(
         "EventBridgeWriter client config: {}",
         ReflectionToStringBuilder.toString(
@@ -126,6 +152,7 @@ public EventBridgeWriter(EventBridgeAsyncClient ebClient, EventBridgeSinkConfig
     this.ebClient = ebClient;
     this.eventBridgeMapper = new DefaultEventBridgeMapper(config);
     this.batching = new DefaultEventBridgeBatching();
+    this.offloading = new NoOpEventBridgeEventDetailValueOffloading();
   }
 
   /**
@@ -143,9 +170,17 @@ public List<EventBridgeResult<EventBridgeEventId>> putItems(List<SinkRecord> rec
       return mappingResult.getErrorsAsResult();
     }
 
+    // NoOpEventBridgeEventDetailValueOffloading is used if
+    // `aws.eventbridge.offloading.s3.default.bucket` is not configured
+    var offloadingResult = offloading.apply(mappingResult.success);
+    if (offloadingResult.success.isEmpty()) {
+      log.warn("Not sending events to EventBridge: offloading failed");
+      return offloadingResult.getErrorsAsResult();
+    }
+
     var sendItemResults =
         batching
-            .apply(mappingResult.success.stream())
+            .apply(offloadingResult.success.stream())
             .flatMap(this::sendToEventBridge)
             .collect(toList());
 

src/main/java/software/amazon/event/kafkaconnector/cache/Cache.java

@@ -0,0 +1,12 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package software.amazon.event.kafkaconnector.cache;
+
+import java.util.function.Function;
+
+public interface Cache<K, V> {
+
+  V computeIfAbsent(K key, Function<? super K, ? extends V> mappingFunction);
+}