OB-36691 feat: add secrets manager for increased security on gql token

observeinc · Oct 12, 2024 · ed39eec · ed39eec
1 parent f12c866
commit ed39eec
Show file tree

Hide file tree

Showing 55 changed files with 19,742 additions and 302 deletions.
diff --git a/.DS_Store b/.DS_Store
diff --git a/DEVELOPER.md b/DEVELOPER.md
@@ -37,7 +37,7 @@ and the most important variables, run `make help`, e.g:
 VARIABLES:
   APPS          = config configsubscription firehose forwarder logwriter metricstream stack
   AWS_REGION    = us-west-2
-  GO_BINS       = forwarder subscriber metricsrecorder
+  GO_BINS       = forwarder subscriber metricsconfigurator
   GO_BUILD_DIRS = bin/linux_arm64 .go/bin/linux_arm64 .go/cache .go/pkg
   TF_TESTS      = config configsubscription firehose forwarder forwarder_s3 logwriter metricstream simple stack
   VERSION       = v1.19.2-4-gb1238b5-dirty

diff --git a/apps/metricstream/template.yaml b/apps/metricstream/template.yaml
@@ -29,7 +29,7 @@ Parameters:
     Description: >-
       A file hosted in S3 containing list of metrics to stream.
     Default: 's3://observeinc/cloudwatchmetrics/filters/empty.yaml'
-    AllowedPattern: "^s3:\/\/.*"
+    AllowedPattern: "^(s3:\/\/.*)?$"
   OutputFormat:
     Type: String
     Description: >-
@@ -62,14 +62,41 @@ Parameters:
     Description: |
       Buffer incoming data to the specified size, in MiBs, before delivering it
       to the destination.
-
+  ObserveAccountID:
+    Type: String
+    Description: Observe Account Number
+    AllowedPattern: '\d*'
+    Default: ''
+  ObserveDomainName:
+    Type: String
+    Description: >-
+      The domain name this request is coming from.
+    Default: ''
+  UpdateTimestamp:
+    Type: String
+    Description: Timestamp when the mettric stream was created or updated
+    Default: ''
+    AllowedPattern: '^[0-9]*$'
+  DatasourceID:
+    Type: String
+    Description: >-
+      The datastream for this metric stream.
+    Default: ''
+    AllowedPattern: '\d*'
+  GQLToken:
+    Type: String
+    NoEcho: true
+    Description: >-
+      The token used to retrieve metric configuration.
+    Default: ''
 Conditions:
   UseStackName: !Equals
     - !Ref NameOverride
     - ''
-  EmptyFilterUri: !Equals
-    - !Ref FilterUri
-    - ""
+  DeployLambda: !Not
+    - !Equals
+      - !Ref DatasourceID
+      - ""
 
 Resources:
   DeliveryStreamRole:
@@ -205,8 +232,9 @@ Resources:
           Location: !Ref FilterUri
       # end of processable content for include
       OutputFormat: !Ref OutputFormat
-  MetricsRecorderExecutionRole:
+  MetricsConfiguratorRole:
     Type: AWS::IAM::Role
+    Condition: DeployLambda
     Properties:
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
@@ -216,7 +244,7 @@ Resources:
               Service: lambda.amazonaws.com
             Action: sts:AssumeRole
       Policies:
-        - PolicyName: S3andMetricStreamPutPolicy
+        - PolicyName: MetricsConfiguratorPolicy
           PolicyDocument:
             Version: '2012-10-17'
             Statement:
@@ -234,17 +262,21 @@ Resources:
                   - logs:CreateLogStream
                   - logs:PutLogEvents
                 Resource: !GetAtt LambdaLogGroup.Arn
-  MetricsRecorder:
+              - Effect: Allow
+                Action:
+                  - secretsmanager:GetSecretValue
+                Resource: !Ref GQLTokenSecret
+  MetricsConfigurator:
     Type: AWS::Serverless::Function
-    Condition: EmptyFilterUri
+    Condition: DeployLambda
     Metadata:
       BuildMethod: makefile
     Properties:
       FunctionName: !If
         - UseStackName
         - !Ref AWS::StackName
         - !Ref NameOverride
-      Role: !GetAtt MetricsRecorderExecutionRole.Arn
+      Role: !GetAtt MetricsConfiguratorRole.Arn
       CodeUri: ../../bin/linux_arm64
       Handler: bootstrap
       Runtime: provided.al2
@@ -253,21 +285,29 @@ Resources:
       Environment:
         Variables:
           VERBOSITY: 6
-          # fields needed for accessing gql
-          BEARER_TOKEN: "rlA6DnekcdW8OYxyuoaBoRhWXkOec1tC"
-          ACCOUNT_NUMBER: 124375634991
+          ACCOUNT_NUMBER: !Ref ObserveAccountID
+          OBSERVE_DOMAIN_NAME: !Ref ObserveDomainName
+          DATASOURCE_ID: !Ref DatasourceID
+          SECRET_NAME: !Ref GQLTokenSecret
           # fields are necessary to update the metric stream
           METRIC_STREAM_NAME: !Ref MetricStream
           FIREHOSE_ARN: !GetAtt DeliveryStream.Arn
           ROLE_ARN: !GetAtt MetricStreamRole.Arn
           OUTPUT_FORMAT: !Ref OutputFormat
+  GQLTokenSecret:
+    Type: AWS::SecretsManager::Secret
+    Condition: DeployLambda
+    Properties:
+      Description: GQL Token Secret
+      Name: !Sub "observe-gql-token-${AWS::StackName}"
+      SecretString: !Ref GQLToken
   StackCreationUpdateCustomResource:
     Type: Custom::StackCreationUpdateTrigger
-    Condition: EmptyFilterUri
+    Condition: DeployLambda
     Properties:
-      ServiceToken: !GetAtt MetricsRecorder.Arn
+      ServiceToken: !GetAtt MetricsConfigurator.Arn
       StackName: !Ref AWS::StackName
-      AccessToken: "rlA6DnekcdW8OYxyuoaBoRhWXkOec1tC"
+      UpdateTimestamp: !Ref UpdateTimestamp
 Outputs:
   FirehoseArn:
     Description: >-

diff --git a/apps/stack/template.yaml b/apps/stack/template.yaml
@@ -110,6 +110,33 @@ Parameters:
       Metrics Stream. If empty, no metrics will be collected.
     Default: 's3://observeinc/cloudwatchmetrics/filters/empty.yaml'
     AllowedPattern: "^(s3:\/\/.*)?$"
+  ObserveAccountID:
+    Type: String
+    Description: Observe Account Number
+    AllowedPattern: '\d*'
+    Default: ''
+  ObserveDomainName:
+    Type: String
+    Description: >-
+      The domain name this request is coming from.
+    Default: ''
+  UpdateTimestamp:
+    Type: String
+    Description: Timestamp when metric stream was created or updated
+    Default: ''
+    AllowedPattern: "^[0-9]*$"
+  DatasourceID:
+    Type: String
+    Description: >-
+      The datastream for this metric stream.
+    AllowedPattern: '\d*'
+    Default: ''
+  GQLToken:
+    Type: String
+    NoEcho: true
+    Description: >-
+      The token used to retrieve metric configuration.
+    Default: ''
   SourceBucketNames:
     Type: CommaDelimitedList
     Description: >-
@@ -161,10 +188,15 @@ Conditions:
   UseStackName: !Equals
     - !Ref NameOverride
     - ""
-  EnableMetricStream: !Not
-    - !Equals
-      - !Ref MetricStreamFilterUri
-      - ""
+  EnableMetricStream: !Or
+    - !Not
+      - !Equals
+        - !Ref MetricStreamFilterUri
+        - ""
+    - !Not
+      - !Equals
+        - !Ref DatasourceID
+        - ""
 
 Resources:
   Topic:
@@ -311,6 +343,11 @@ Resources:
       Parameters:
         BucketArn: !GetAtt Bucket.Arn
         FilterUri: !Ref MetricStreamFilterUri
+        ObserveAccountID: !Ref ObserveAccountID
+        ObserveDomainName: !Ref ObserveDomainName
+        UpdateTimestamp: !Ref UpdateTimestamp
+        GQLToken: !Ref GQLToken
+        DatasourceID: !Ref DatasourceID
         NameOverride: !If
           - UseStackName
           - !Sub "${AWS::StackName}-MetricStream"

diff --git a/cmd/metricsrecorder/main.go → cmd/metricsconfigurator/main.go b/cmd/metricsrecorder/main.go → cmd/metricsconfigurator/main.go
@@ -6,13 +6,13 @@ import (
 
 	awslambda "github.com/aws/aws-lambda-go/lambda"
 
-	handler "github.com/observeinc/aws-sam-apps/pkg/handler/metricsrecorder"
+	handler "github.com/observeinc/aws-sam-apps/pkg/handler/metricsconfigurator"
 	"github.com/observeinc/aws-sam-apps/pkg/lambda"
-	"github.com/observeinc/aws-sam-apps/pkg/lambda/metricsrecorder"
+	"github.com/observeinc/aws-sam-apps/pkg/lambda/metricsconfigurator"
 )
 
 var (
-	rec *metricsrecorder.Lambda
+	rec *metricsconfigurator.Lambda
 )
 
 func init() {
@@ -24,7 +24,7 @@ func init() {
 		panic(fmt.Errorf("failed to initialize config: %w", err))
 	}
 
-	rec, err = metricsrecorder.New(ctx, &config)
+	rec, err = metricsconfigurator.New(ctx, &config)
 	if err != nil {
 		panic(fmt.Errorf("failed to configure entrypoint: %w", err))
 	}

diff --git a/go.mod b/go.mod
@@ -12,6 +12,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.41.2
 	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.37.3
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.58.3
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.33.4
 	github.com/aws/aws-sdk-go-v2/service/sqs v1.34.3
 	github.com/aws/smithy-go v1.21.0
 	github.com/go-logr/logr v1.4.2

diff --git a/go.sum b/go.sum
@@ -38,6 +38,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15 h1:246A4lSTXWJw/
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15/go.mod h1:haVfg3761/WF7YPuJOER2MP0k4UAXyHaLclKXB6usDg=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.58.3 h1:hT8ZAZRIfqBqHbzKTII+CIiY8G2oC9OpLedkZ51DWl8=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.58.3/go.mod h1:Lcxzg5rojyVPU/0eFwLtcyTaek/6Mtic5B1gJo7e/zE=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.33.4 h1:EoPbZg+DGTRqKKhwk5uDviV9yvx65r1kyoNNC02ZH4Y=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.33.4/go.mod h1:WyLS5qwXHtjKAONYZq/4ewdd+hcVsa3LBu77Ow5uj3k=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.34.3 h1:Vjqy5BZCOIsn4Pj8xzyqgGmsSqzz7y/WXbN3RgOoVrc=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.34.3/go.mod h1:L0enV3GCRd5iG9B64W35C4/hwsCB00Ib+DKVGTadKHI=
 github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 h1:BXx0ZIxvrJdSgSvKTZ+yRBeSqqgPM89VPlulEcl37tM=