CloudWatch
lambda
CloudWatch-Logs

How to test a Lambda function that subscribes to CloudWatch Logs

The event passed in as the argument has the following format:

{
  "awslogs": {
    "data": "H4sIAAAAAAAAAHWPwQqCQBCGX0Xm7EFtK+smZBEUgXoLCdMhFtKV3akI8d0bLYmibvPPN3wz00CJxmQnTO41whwWQRIctmEcB6sQbFC3CjW3XW8kxpOpP+OC22d1Wml1qZkQGtoMsScxaczKN3plG8zlaHIta5KqWsozoTYw3/djzwhpLwivWFGHGpAFe7DL68JlBUk+l7KSN7tCOEJ4M3/qOI49vMHj+zCKdlFqLaU2ZHV2a4Ct/an0/ivdX8oYc1UVX860fQDQiMdxRQEAAA=="
  }
}

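The value of data is encoded, so the question is how to produce this data from the original string.
According to the documentation, the original string can be recovered from the string above like this: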

$ echo -n "<Content of Data>" | base64 -d | zcat

So doing the reverse converts the original string into the string used as the argument.

$ echo "<Original String>" | gzip | base64

The original string is JSON like this:

{
    "owner": "111111111111",
    "logGroup": "CloudTrail",
    "logStream": "111111111111_CloudTrail_us-east-1",
    "subscriptionFilters": [
        "RecipientStream"
    ],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        }
    ]
}

Reference (repeated): https://docs.aws.amazon.com/ja_jp/AmazonCloudWatch/latest/logs/ValidateLogEventFlow.html

So:

$ cat json
{
    "owner": "111111111111",
    "logGroup": "CloudTrail",
    "logStream": "111111111111_CloudTrail_us-east-1",
    "subscriptionFilters": [
        "RecipientStream"
    ],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        }
    ]
}
$ cat json | gzip | base64
H4sIAG/axloAA+1S3WqDMBi99ylKru2If2nSO9lcGawwqozBMsTVUAJqJIkbRXz3JdY510cY+64C5+c75yO9szIDxGfDJNiugLcY4F7ASpx2UnStxW8r0ZWZLHi1QFMtWVFfy/Mfbt6pNSuUXs+eqntXR8lbzUVzzyvNpDL61xEcCQd25C1njZ7MR+RtUtdMqeLEsnPL7Na7OIvzfZKm8S5ZxEo+jPy3bT+/RhIvrTzwSBR4ECGICEIEB8EGY0igH8ENwTD0TZkw8DFBXhT6oU+Sl3j/9Pi9anbT3OTSRW0PNQp8hKMIQnjFm9Lb1T0FzKZ8Nv3NJSjYUuDdwIACl4JOMflQGpTrs0EMV5vCI+cghKZgALPx4P53/BMdL//cGZwvGEA5spoDAAA=

Put this into the value of data in the argument, and you can test the Lambda.

{
  "awslogs": {
    "data": "H4sIAG/axloAA+1S3WqDMBi99ylKru2If2nSO9lcGawwqozBMsTVUAJqJIkbRXz3JdY510cY+64C5+c75yO9szIDxGfDJNiugLcY4F7ASpx2UnStxW8r0ZWZLHi1QFMtWVFfy/Mfbt6pNSuUXs+eqntXR8lbzUVzzyvNpDL61xEcCQd25C1njZ7MR+RtUtdMqeLEsnPL7Na7OIvzfZKm8S5ZxEo+jPy3bT+/RhIvrTzwSBR4ECGICEIEB8EGY0igH8ENwTD0TZkw8DFBXhT6oU+Sl3j/9Pi9anbT3OTSRW0PNQp8hKMIQnjFm9Lb1T0FzKZ8Nv3NJSjYUuDdwIACl4JOMflQGpTrs0EMV5vCI+cghKZgALPx4P53/BMdL//cGZwvGEA5spoDAAA="
  }
}

Let's try decoding it.

$ echo -n "H4sIAG/axloAA+1S3WqDMBi99ylKru2If2nSO9lcGawwqozBMsTVUAJqJIkbRXz3JdY510cY+64C5+c75yO9szIDxGfDJNiugLcY4F7ASpx2UnStxW8r0ZWZLHi1QFMtWVFfy/Mfbt6pNSuUXs+eqntXR8lbzUVzzyvNpDL61xEcCQd25C1njZ7MR+RtUtdMqeLEsnPL7Na7OIvzfZKm8S5ZxEo+jPy3bT+/RhIvrTzwSBR4ECGICEIEB8EGY0igH8ENwTD0TZkw8DFBXhT6oU+Sl3j/9Pi9anbT3OTSRW0PNQp8hKMIQnjFm9Lb1T0FzKZ8Nv3NJSjYUuDdwIACl4JOMflQGpTrs0EMV5vCI+cghKZgALPx4P53/BMdL//cGZwvGEA5spoDAAA=" | base64 -D | zcat
{
    "owner": "111111111111",
    "logGroup": "CloudTrail",
    "logStream": "111111111111_CloudTrail_us-east-1",
    "subscriptionFilters": [
        "RecipientStream"
    ],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        },
        {
            "id": "3195310660696698337880902507980421114328961542429EXAMPLE",
            "timestamp": 1432826855000,
            "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}"
        }
    ]
}

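OK.
Incidentally, on BSD-based systems (such as Mac) the base64 decode option is -D, while on GNU-based systems it appears to be -d.
Probably the same applies to Kinesis and the like.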
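
As an added example (not from the original post or the AWS documentation), here is the same round trip in Python: building the test event from the plain JSON, then decoding it the way a handler would, with a cap on the decompressed size. The function names, the handler and the size limit are assumptions made for this example.

```python
import base64
import gzip
import json
import zlib

MAX_DECOMPRESSED = 6 * 1024 * 1024  # assumed cap for this example, not an AWS constant

# Constructed sample in the same shape as the JSON shown above.
SAMPLE = {
    "owner": "111111111111",
    "logGroup": "CloudTrail",
    "logStream": "111111111111_CloudTrail_us-east-1",
    "subscriptionFilters": ["RecipientStream"],
    "messageType": "DATA_MESSAGE",
    "logEvents": [
        {"id": "3195310660696698337880902507980421114328961542429EXAMPLE",
         "timestamp": 1432826855000,
         "message": "{\"eventVersion\":\"1.03\",\"userIdentity\":{\"type\":\"Root\"}}"},
    ],
}

def build_awslogs_event(payload):
    """Equivalent of `cat json | gzip | base64`, wrapped as the Lambda test event."""
    blob = gzip.compress(json.dumps(payload).encode("utf-8"))
    return {"awslogs": {"data": base64.b64encode(blob).decode("ascii")}}

def decode_awslogs_event(event, limit=MAX_DECOMPRESSED):
    """Equivalent of `base64 -d | zcat`, refusing oversized or truncated input."""
    blob = base64.b64decode(event["awslogs"]["data"], validate=True)
    inflater = zlib.decompressobj(wbits=31)      # wbits=31 selects gzip framing
    raw = inflater.decompress(blob, limit + 1)   # never inflate past the cap
    if len(raw) > limit:
        raise ValueError("decompressed payload exceeds limit")
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return json.loads(raw)

def handler(event, context=None):
    """Hypothetical handler under test: returns the raw log messages."""
    payload = decode_awslogs_event(event)
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # e.g. CONTROL_MESSAGE records carry no log events to process
    return [e["message"] for e in payload["logEvents"]]

if __name__ == "__main__":
    # Print a test event that can be pasted into the Lambda test dialog.
    print(json.dumps(build_awslogs_event(SAMPLE), indent=2))
```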

References (including repeats):