Use FIPs endpoint for SecretManager when in Govcloud region (#634)

nhulston · web-flow · commit ccf67c79359c · 2025-03-11T10:35:08.000-04:00
diff --git a/src/metrics/listener.spec.ts b/src/metrics/listener.spec.ts
@@ -118,6 +118,37 @@ describe("MetricsListener", () => {
     await expect(listener.onCompleteInvocation()).resolves.toEqual(undefined);
   });
 
+  it("configures FIPS endpoint for GovCloud regions", async () => {
+    try {
+      process.env.AWS_REGION = "us-gov-west-1";
+      const secretsManagerModule = require("@aws-sdk/client-secrets-manager");
+      const secretsManagerSpy = jest.spyOn(secretsManagerModule, "SecretsManager");
+
+      const kms = new MockKMS("kms-api-key-decrypted");
+      const listener = new MetricsListener(kms as any, {
+        apiKey: "",
+        apiKeyKMS: "",
+        apiKeySecretARN: "api-key-secret-arn",
+        enhancedMetrics: false,
+        logForwarding: false,
+        shouldRetryMetrics: false,
+        localTesting: false,
+        siteURL,
+      });
+
+      await listener.onStartInvocation({});
+      await listener.onCompleteInvocation();
+
+      expect(secretsManagerSpy).toHaveBeenCalledWith({
+        useFipsEndpoint: true,
+      });
+
+      secretsManagerSpy.mockRestore();
+    } finally {
+      process.env.AWS_REGION = "us-east-1";
+    }
+  });
+
   it("logs metrics when logForwarding is enabled", async () => {
     const spy = jest.spyOn(process.stdout, "write");
     jest.spyOn(Date, "now").mockImplementation(() => 1487076708000);
diff --git a/src/metrics/listener.ts b/src/metrics/listener.ts
@@ -7,6 +7,7 @@ import { writeMetricToStdout } from "./metric-log";
 import { Distribution } from "./model";
 import { Context } from "aws-lambda";
 import { getEnhancedMetricTags } from "./enhanced-metrics";
+import { SecretsManagerClientConfig } from "@aws-sdk/client-secrets-manager";
 
 const METRICS_BATCH_SEND_INTERVAL = 10000; // 10 seconds
 const HISTORICAL_METRICS_THRESHOLD_HOURS = 4 * 60 * 60 * 1000; // 4 hours
@@ -223,7 +224,11 @@ export class MetricsListener {
     if (config.apiKeySecretARN !== "") {
       try {
         const { SecretsManager } = await import("@aws-sdk/client-secrets-manager");
-        const secretsManager = new SecretsManager();
+        const region = process.env.AWS_REGION;
+        const isGovRegion = region !== undefined && region.startsWith("us-gov-");
+        const secretsManager = new SecretsManager({
+          useFipsEndpoint: isGovRegion,
+        });
         const secret = await secretsManager.getSecretValue({ SecretId: config.apiKeySecretARN });
         return secret?.SecretString ?? "";
       } catch (error) {
