[extension/awslogs_encoding] implement streaming contract for CloudWatch subscription filter (#46220)

#### Description

Based on contract introduced at
#46211,
this PR implements streaming for CloudWatch subscription filter.

CloudWatch subscription filter change is focused at commit titled
`streaming for CW subscription filter`

#### Testing

Unit tests and dedicated streaming tests 

#### Documentation

Updated documentation on streaming contract

---------

Signed-off-by: Kavindu Dodanduwa <kavindu.dodanduwa@elastic.co>
Co-authored-by: Andrew Wilkins <axwalk@gmail.com>

Author: Kavindu-Dodan

.chloggen/feat_aws-logs-cw-subscription-streaming.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog)
+component: extension/awslogs_encoding
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Adopt encoding extension streaming contract for CloudWatch Logs subscription
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [46214]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []

extension/encoding/awslogsencodingextension/README.md

@@ -181,9 +181,10 @@ This allows streaming implementation to work independently of compression algori
 
 The table below summarizes streaming support details for each log type, along with the offset tracking mechanism,
 
-| Log Type         | Sub Log Type/Source | Offset Tracking | Notes |
-|------------------|---------------------|-----------------|-------|
-| Network Firewall | Alert/Flow/TLS      | Bytes processed |       |
+| Log Type            | Sub Log Type/Source | Offset Tracking             | Notes                                                                                        |
+|---------------------|---------------------|-----------------------------|----------------------------------------------------------------------------------------------|
+| Network Firewall    | Alert/Flow/TLS      | Bytes processed             |                                                                                              |
+| Subscription filter | -                   | Number of records processed | Supports processing multi-line inputs and offset tracks number of records that get processed |
 
 ## Produced Records per Format
 

extension/encoding/awslogsencodingextension/internal/unmarshaler/subscription-filter/testdata/stream/subscription_filter.json

@@ -0,0 +1,48 @@
+{
+    "messageType": "DATA_MESSAGE",
+    "owner": "123456789012",
+    "logGroup": "/my/first/log/group",
+    "logStream": "/my/first/log/stream",
+    "subscriptionFilters": [
+        "my-account-subscription-to-firehose"
+    ],
+    "logEvents": [
+        {
+            "id": "39494971786919662926967737244165955921131981322179969024",
+            "timestamp": 1771015786034,
+            "message": "some text"
+        }
+    ]
+}
+{
+    "messageType": "DATA_MESSAGE",
+    "owner": "123456789012",
+    "logGroup": "/my/second/log/group",
+    "logStream": "/my/second/log/stream",
+    "subscriptionFilters": [
+        "my-account-subscription-to-firehose"
+    ],
+    "logEvents": [
+        {
+            "id": "39494969221575739759196034780948230027606320717924401152",
+            "timestamp": 1771015671000,
+            "message": "some other text"
+        }
+    ]
+}
+{
+    "messageType": "DATA_MESSAGE",
+    "owner": "123456789012",
+    "logGroup": "/my/third/log/group",
+    "logStream": "/my/third/log/stream",
+    "subscriptionFilters": [
+        "my-account-subscription-to-firehose"
+    ],
+    "logEvents": [
+        {
+            "id": "39494969221575739759196034780948230027606320717924401152",
+            "timestamp": 1771015671000,
+            "message": "another log message"
+        }
+    ]
+}

extension/encoding/awslogsencodingextension/internal/unmarshaler/subscription-filter/testdata/stream/subscription_filter_expect_1.yaml

@@ -0,0 +1,30 @@
+resourceLogs:
+  - resource:
+      attributes:
+        - key: cloud.provider
+          value:
+            stringValue: aws
+        - key: cloud.account.id
+          value:
+            stringValue: "123456789012"
+        - key: aws.log.group.names
+          value:
+            arrayValue:
+              values:
+                - stringValue: /my/first/log/group
+        - key: aws.log.stream.names
+          value:
+            arrayValue:
+              values:
+                - stringValue: /my/first/log/stream
+    scopeLogs:
+      - logRecords:
+          - body:
+              stringValue: some text
+            timeUnixNano: "1771015786034000000"
+        scope:
+          attributes:
+            - key: encoding.format
+              value:
+                stringValue: aws.cloudwatch
+          name: github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/awslogsencodingextension

extension/encoding/awslogsencodingextension/internal/unmarshaler/subscription-filter/testdata/stream/subscription_filter_expect_2.yaml

@@ -0,0 +1,30 @@
+resourceLogs:
+  - resource:
+      attributes:
+        - key: cloud.provider
+          value:
+            stringValue: aws
+        - key: cloud.account.id
+          value:
+            stringValue: "123456789012"
+        - key: aws.log.group.names
+          value:
+            arrayValue:
+              values:
+                - stringValue: /my/second/log/group
+        - key: aws.log.stream.names
+          value:
+            arrayValue:
+              values:
+                - stringValue: /my/second/log/stream
+    scopeLogs:
+      - logRecords:
+          - body:
+              stringValue: some other text
+            timeUnixNano: "1771015671000000000"
+        scope:
+          attributes:
+            - key: encoding.format
+              value:
+                stringValue: aws.cloudwatch
+          name: github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/awslogsencodingextension

extension/encoding/awslogsencodingextension/internal/unmarshaler/subscription-filter/testdata/stream/subscription_filter_expect_3.yaml

@@ -0,0 +1,30 @@
+resourceLogs:
+  - resource:
+      attributes:
+        - key: cloud.provider
+          value:
+            stringValue: aws
+        - key: cloud.account.id
+          value:
+            stringValue: "123456789012"
+        - key: aws.log.group.names
+          value:
+            arrayValue:
+              values:
+                - stringValue: /my/third/log/group
+        - key: aws.log.stream.names
+          value:
+            arrayValue:
+              values:
+                - stringValue: /my/third/log/stream
+    scopeLogs:
+      - logRecords:
+          - body:
+              stringValue: another log message
+            timeUnixNano: "1771015671000000000"
+        scope:
+          attributes:
+            - key: encoding.format
+              value:
+                stringValue: aws.cloudwatch
+          name: github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/awslogsencodingextension

extension/encoding/awslogsencodingextension/internal/unmarshaler/subscription-filter/unmarshaler.go

@@ -15,42 +15,29 @@ import (
 	"go.opentelemetry.io/collector/pdata/plog"
 	conventions "go.opentelemetry.io/otel/semconv/v1.38.0"
 
+	"github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding"
 	"github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/awslogsencodingextension/internal/constants"
 	"github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/awslogsencodingextension/internal/metadata"
 	"github.com/open-telemetry/opentelemetry-collector-contrib/extension/encoding/awslogsencodingextension/internal/unmarshaler"
+	"github.com/open-telemetry/opentelemetry-collector-contrib/pkg/xstreamencoding"
 )
 
+const ctrlMessageType = "CONTROL_MESSAGE"
+
 var (
 	errEmptyOwner     = errors.New("cloudwatch log with message type 'DATA_MESSAGE' has empty owner field")
 	errEmptyLogGroup  = errors.New("cloudwatch log with message type 'DATA_MESSAGE' has empty log group field")
 	errEmptyLogStream = errors.New("cloudwatch log with message type 'DATA_MESSAGE' has empty log stream field")
 )
 
-func validateLog(log cloudwatchLogsData) error {
-	switch log.MessageType {
-	case "DATA_MESSAGE":
-		if log.Owner == "" {
-			return errEmptyOwner
-		}
-		if log.LogGroup == "" {
-			return errEmptyLogGroup
-		}
-		if log.LogStream == "" {
-			return errEmptyLogStream
-		}
-	case "CONTROL_MESSAGE":
-	default:
-		return fmt.Errorf("cloudwatch log has invalid message type %q", log.MessageType)
-	}
-	return nil
-}
+var _ unmarshaler.StreamingLogsUnmarshaler = (*SubscriptionFilterUnmarshaler)(nil)
 
-type subscriptionFilterUnmarshaler struct {
+type SubscriptionFilterUnmarshaler struct {
 	buildInfo component.BuildInfo
 }
 
-func NewSubscriptionFilterUnmarshaler(buildInfo component.BuildInfo) unmarshaler.AWSUnmarshaler {
-	return &subscriptionFilterUnmarshaler{
+func NewSubscriptionFilterUnmarshaler(buildInfo component.BuildInfo) *SubscriptionFilterUnmarshaler {
+	return &SubscriptionFilterUnmarshaler{
 		buildInfo: buildInfo,
 	}
 }
@@ -61,36 +48,97 @@ func NewSubscriptionFilterUnmarshaler(buildInfo component.BuildInfo) unmarshaler
 // logs are further grouped by their extracted account ID and region.
 // Logs are assumed to be gzip-compressed as specified at
 // https://docs.aws.amazon.com/firehose/latest/dev/writing-with-cloudwatch-logs.html.
-func (f *subscriptionFilterUnmarshaler) UnmarshalAWSLogs(reader io.Reader) (plog.Logs, error) {
-	logs := plog.NewLogs()
-	resourceLogsByKey := make(map[resourceGroupKey]plog.LogRecordSlice)
+func (f *SubscriptionFilterUnmarshaler) UnmarshalAWSLogs(reader io.Reader) (plog.Logs, error) {
+	// Decode as a stream but flush all at once using flush options
+	streamUnmarshaler, err := f.NewLogsDecoder(reader, encoding.WithFlushItems(0), encoding.WithFlushBytes(0))
+	if err != nil {
+		return plog.Logs{}, err
+	}
+	logs, err := streamUnmarshaler.DecodeLogs()
+	if err != nil {
+		// we must check for EOF with direct comparison and avoid wrapped EOF that can come from stream itself
+		//nolint:errorlint
+		if err == io.EOF {
+			// EOF indicates no logs were found, return any logs that's available
+			return logs, nil
+		}
+
+		return plog.Logs{}, err
+	}
 
+	return logs, nil
+}
+
+// NewLogsDecoder returns a LogsDecoder that processes CloudWatch Logs subscription filter events.
+// Supported sub formats:
+//   - DATA_MESSAGE: Returns logs grouped by owner, log group, and stream; offset is the number of records processed
+//   - CONTROL_MESSAGE: Returns empty log; offset is the number of records processed
+func (f *SubscriptionFilterUnmarshaler) NewLogsDecoder(reader io.Reader, options ...encoding.DecoderOption) (encoding.LogsDecoder, error) {
+	batchHelper := xstreamencoding.NewBatchHelper(options...)
 	decoder := gojson.NewDecoder(reader)
-	for decoder.More() {
-		var cwLog cloudwatchLogsData
-		if err := decoder.Decode(&cwLog); err != nil {
-			return plog.Logs{}, fmt.Errorf("failed to decode decompressed reader: %w", err)
-		}
 
-		if cwLog.MessageType == "CONTROL_MESSAGE" {
-			continue
-		}
+	var offset int64
 
-		if err := validateLog(cwLog); err != nil {
-			return plog.Logs{}, fmt.Errorf("invalid cloudwatch log: %w", err)
-		}
+	if batchHelper.Options().Offset > 0 {
+		for offset < batchHelper.Options().Offset {
+			if !decoder.More() {
+				return nil, fmt.Errorf("EOF reached before offset %d records were discarded", batchHelper.Options().Offset)
+			}
 
-		f.appendLogs(logs, resourceLogsByKey, cwLog)
+			var raw gojson.RawMessage
+			if err := decoder.Decode(&raw); err != nil {
+				return nil, err
+			}
+			offset++
+		}
 	}
 
-	return logs, nil
+	return xstreamencoding.NewLogsDecoderAdapter(
+		func() (plog.Logs, error) {
+			logs := plog.NewLogs()
+			resourceLogsByKey := make(map[resourceGroupKey]plog.LogRecordSlice)
+
+			for decoder.More() {
+				var cwLog cloudwatchLogsData
+				if err := decoder.Decode(&cwLog); err != nil {
+					return plog.Logs{}, fmt.Errorf("failed to decode decompressed reader: %w", err)
+				}
+
+				offset++
+				batchHelper.IncrementItems(1)
+
+				if cwLog.MessageType == ctrlMessageType {
+					continue
+				}
+
+				if err := validateLog(cwLog); err != nil {
+					return plog.Logs{}, fmt.Errorf("invalid cloudwatch log: %w", err)
+				}
+
+				f.appendLogs(logs, resourceLogsByKey, cwLog)
+
+				if batchHelper.ShouldFlush() {
+					batchHelper.Reset()
+					return logs, nil
+				}
+			}
+
+			if logs.ResourceLogs().Len() == 0 {
+				return plog.NewLogs(), io.EOF
+			}
+
+			return logs, nil
+		}, func() int64 {
+			return offset
+		},
+	), nil
 }
 
 // appendLogs appends log records from cwLog into the given plog.Logs, reusing
 // existing ResourceLogs entries tracked by resourceLogsByKey when possible.
 // Events are grouped by their extracted fields (account ID + region) and
 // by log group/stream combination.
-func (f *subscriptionFilterUnmarshaler) appendLogs(logs plog.Logs, resourceLogsByKey map[resourceGroupKey]plog.LogRecordSlice, cwLog cloudwatchLogsData) {
+func (f *SubscriptionFilterUnmarshaler) appendLogs(logs plog.Logs, resourceLogsByKey map[resourceGroupKey]plog.LogRecordSlice, cwLog cloudwatchLogsData) {
 	for _, event := range cwLog.LogEvents {
 		key := extractResourceKey(event, cwLog.Owner, cwLog.LogGroup, cwLog.LogStream)
 
@@ -141,3 +189,22 @@ func extractResourceKey(event cloudwatchLogsLogEvent, owner, logGroup, logStream
 	}
 	return key
 }
+
+func validateLog(log cloudwatchLogsData) error {
+	switch log.MessageType {
+	case "DATA_MESSAGE":
+		if log.Owner == "" {
+			return errEmptyOwner
+		}
+		if log.LogGroup == "" {
+			return errEmptyLogGroup
+		}
+		if log.LogStream == "" {
+			return errEmptyLogStream
+		}
+	case ctrlMessageType:
+	default:
+		return fmt.Errorf("cloudwatch log has invalid message type %q", log.MessageType)
+	}
+	return nil
+}