Skip to content

Use FIPs endpoints in Govcloud regions #575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nhulston merged 11 commits into from
Mar 12, 2025
Merged

Use FIPs endpoints in Govcloud regions #575

Changes from 3 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
a41cbb3
use fips endpoints in govcloud regions
nhulston Mar 11, 2025
ca7e5c5
lint
nhulston Mar 11, 2025
bbf8042
log when using fips endpoints
nhulston Mar 11, 2025
0c4fdc4
lint
nhulston Mar 11, 2025
6d5ff78
lint
nhulston Mar 11, 2025
f054e22
lint again
nhulston Mar 11, 2025
af87910
change to debug
nhulston Mar 12, 2025
7fdd7e8
add unit test
nhulston Mar 12, 2025
6396cef
lint
nhulston Mar 12, 2025
7411cf2
fix `test_no_fips_for_standard_regions`
nhulston Mar 12, 2025
2b02f02
lint
nhulston Mar 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 18 additions & 3 deletions datadog_lambda/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,16 +64,31 @@ def get_api_key() -> str:
DD_KMS_API_KEY = os.environ.get("DD_KMS_API_KEY", "")
DD_API_KEY = os.environ.get("DD_API_KEY", os.environ.get("DATADOG_API_KEY", ""))

REGION = os.environ.get("AWS_REGION", "")
is_gov_region = REGION.startswith("us-gov-")
if is_gov_region:
logger.info("Govcloud region detected. Using FIPs endpoints for secrets management.")
Copy link
Copy Markdown
Contributor Author

@nhulston nhulston Mar 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logging on info level here makes sense because this only runs once per Lambda execution context, and this only occurs in Govcloud regions where FIPs endpoints does matter to our users


Comment on lines +69 to +73
Copy link
Copy Markdown
Contributor

@duncanista duncanista Mar 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you really want to log it, use debug, I don't think we should add info logs to our customers. We've had them complain in the past about us adding logs like this.

Copy link
Copy Markdown
Contributor Author

@nhulston nhulston Mar 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm open to changing it to debug, but just in case you didn't see my justification:

Logging on info level here makes sense because this only runs once per Lambda execution context, and this only occurs in Govcloud regions where FIPs endpoints does matter to our users

Copy link
Copy Markdown
Contributor

@duncanista duncanista Mar 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did see it, I still stand by the same point. This still directly impacts billing, even though the scope is just once per (I imagine cold starts) execution context on GovCloud.

if DD_API_KEY_SECRET_ARN:
api_key = boto3.client("secretsmanager").get_secret_value(
# Secrets manager endpoints: https://docs.aws.amazon.com/general/latest/gr/asm.html
fips_endpoint = f"https://secretsmanager-fips.{REGION}.amazonaws.com" if is_gov_region else None
secrets_manager_client = boto3.client(
"secretsmanager", endpoint_url=fips_endpoint
)
api_key = secrets_manager_client.get_secret_value(
SecretId=DD_API_KEY_SECRET_ARN
)["SecretString"]
elif DD_API_KEY_SSM_NAME:
api_key = boto3.client("ssm").get_parameter(
# SSM endpoints: https://docs.aws.amazon.com/general/latest/gr/ssm.html
fips_endpoint = f"https://ssm-fips.{REGION}.amazonaws.com" if is_gov_region else None
ssm_client = boto3.client("ssm", endpoint_url=fips_endpoint)
api_key = ssm_client.get_parameter(
Name=DD_API_KEY_SSM_NAME, WithDecryption=True
)["Parameter"]["Value"]
elif DD_KMS_API_KEY:
kms_client = boto3.client("kms")
# KMS endpoints: https://docs.aws.amazon.com/general/latest/gr/kms.html
fips_endpoint = f"https://kms-fips.{REGION}.amazonaws.com" if is_gov_region else None
kms_client = boto3.client("kms",endpoint_url=fips_endpoint)
api_key = decrypt_kms_api_key(kms_client, DD_KMS_API_KEY)
else:
api_key = DD_API_KEY
Expand Down
Loading