
feat: Correct FIPS-mode metrics #588


apiarian-datadog
Contributor

  • Our dogstatsd client now supports timestamps for the metrics that it will send.
  • This unblocks us to always send metrics to the extension, even if they have a timestamp. Confirmed that this actually works now with both bottlecap and the go agent.
  • Refactored the metrics workflow to have an explicit choice of metrics handlers (Extension, Forwarder, Datadog API, or, for some FIPS use cases, No Handler).
  • Added a DD_LAMBDA_FIPS_MODE flag which allows FIPS-mode logic to be enabled in commercial regions or disabled in govcloud regions.
  • The new FIPS mode is used for Datadog API Key secret lookup and for metrics handling decisions.

Breaking Change

Since the DD_LAMBDA_FIPS_MODE defaults to true in govcloud, direct metrics submission there (without an Extension or a Forwarder) will now be disabled.

Testing Guidelines

Unit tests were added or updated. Also confirmed with test apps that this logic works as expected.

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog
  • This PR passes the integration tests (ask a Datadog member to run the tests)

@apiarian-datadog
Contributor Author

Probably easiest to review this one commit at a time.



metrics_handler = _select_metrics_handler()
logger.debug("identified primary metrics handler as %s", metrics_handler)
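Review bot: the selected handler is logged only at debug level on the `logger.debug(...)` line, so a no-handler result from `_select_metrics_handler()` is invisible at default log levels. Consider logging that one case at warning level, unless `_select_metrics_handler()` already does so, so operators can see that metrics are being dropped.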
Contributor Author


it would be nice to fire off a metric here, similar to the way we do for dynamodb stream settings. but since the most interesting value, NO_METRICS would actually be unavailable, i chose not to do this. let me know if you think we should still send the metric anyway, despite the NO_METRICS blind spot.

@apiarian-datadog
Contributor Author

confirmed that this is working as expected across the following combinations:

  • bottlecap
  • bottlecap fipsish
  • go extension
  • go extension fipsish
  • forwarder
  • forwarder fips-ish
  • no extension and no forwarder

(all of the above correctly send metrics with and without timestamps)

the no extension and no forwarder case in fipsish mode does not send metrics as expected.
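
The handler choice and the DD_LAMBDA_FIPS_MODE default described in this PR, and the combinations tested above, as an added sketch that is not code from the pull request. The function names, the `us-gov-` region check, the use of `DD_FLUSH_TO_LOG` to stand for a configured Forwarder, and the precedence order are assumptions.

```python
import enum


class MetricsHandler(enum.Enum):
    EXTENSION = "extension"
    FORWARDER = "forwarder"
    DATADOG_API = "datadog_api"
    NO_METRICS = "no_metrics"


def fips_mode_enabled(env):
    """Explicit DD_LAMBDA_FIPS_MODE wins; otherwise default on only in govcloud."""
    # Assumption: govcloud is recognised by an AWS_REGION starting with "us-gov-".
    in_govcloud = env.get("AWS_REGION", "").startswith("us-gov-")
    default = "true" if in_govcloud else "false"
    return env.get("DD_LAMBDA_FIPS_MODE", default).strip().lower() == "true"


def select_metrics_handler(env, extension_running):
    """Return exactly one handler; FIPS mode removes the direct-API fallback."""
    # Assumption: the order Extension > Forwarder > API is illustrative.
    if extension_running:
        return MetricsHandler.EXTENSION
    # Assumption: DD_FLUSH_TO_LOG=true stands for "a Forwarder is configured".
    if env.get("DD_FLUSH_TO_LOG", "").strip().lower() == "true":
        return MetricsHandler.FORWARDER
    if fips_mode_enabled(env):
        return MetricsHandler.NO_METRICS
    return MetricsHandler.DATADOG_API


def handler_matrix():
    """Constructed sample environments mirroring the combinations tested above."""
    gov = {"AWS_REGION": "us-gov-west-1"}
    com = {"AWS_REGION": "us-east-1"}
    cases = {
        "commercial, extension": (com, True),
        "govcloud, extension": (gov, True),
        "govcloud, forwarder": ({**gov, "DD_FLUSH_TO_LOG": "true"}, False),
        "commercial, nothing": (com, False),
        "commercial, FIPS forced on": ({**com, "DD_LAMBDA_FIPS_MODE": "true"}, False),
        "govcloud, nothing": (gov, False),
        "govcloud, FIPS forced off": ({**gov, "DD_LAMBDA_FIPS_MODE": "false"}, False),
    }
    return {name: select_metrics_handler(env, ext) for name, (env, ext) in cases.items()}


if __name__ == "__main__":
    for name, handler in handler_matrix().items():
        print(f"{name:28s} -> {handler.name}")
```

Only the two rows with FIPS mode on and neither an Extension nor a Forwarder resolve to `NO_METRICS`, which is the breaking change the description calls out for govcloud.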

@apiarian-datadog apiarian-datadog marked this pull request as ready for review May 5, 2025 15:18
@apiarian-datadog apiarian-datadog requested a review from a team as a code owner May 5, 2025 15:18
if extension_thread_stats is not None:
tags = None
if lambda_context is not None:
tags = get_enhanced_metrics_tags(lambda_context)
Contributor


Are we using the get_enhanced_metrics_tags again? Or else this would be breaking?

Contributor Author


we still use it as part of the submit_enhanced_metric call. but the extension_thread_stats was never None with the changes i put in and thus this code was not being called anymore anyway. does this get function have important side effects we need to bring back somewhere?

@apiarian-datadog apiarian-datadog force-pushed the aleksandr.pasechnik/svls-6235-direct-metrics-in-gov-only-through-extension branch from d1acc58 to f187a1b Compare May 5, 2025 20:39
@apiarian-datadog apiarian-datadog merged commit 1f8d3fd into main May 6, 2025
60 checks passed
@apiarian-datadog apiarian-datadog deleted the aleksandr.pasechnik/svls-6235-direct-metrics-in-gov-only-through-extension branch May 6, 2025 15:45