
Commit ccf67c7

authored
Use FIPs endpoint for SecretManager when in Govcloud region (#634)
1 parent 04f429d commit ccf67c7


2 files changed

+37
-1
lines changed


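--- a/src/metrics/listener.spec.ts
+++ b/src/metrics/listener.spec.ts
@@ -118,6 +118,37 @@ describe("MetricsListener", () => {
 await expect(listener.onCompleteInvocation()).resolves.toEqual(undefined);
 });
 
+it("configures FIPS endpoint for GovCloud regions", async () => {
+try {
+process.env.AWS_REGION = "us-gov-west-1";
+const secretsManagerModule = require("@aws-sdk/client-secrets-manager");
+const secretsManagerSpy = jest.spyOn(secretsManagerModule, "SecretsManager");
+
+const kms = new MockKMS("kms-api-key-decrypted");
+const listener = new MetricsListener(kms as any, {
+apiKey: "",
+apiKeyKMS: "",
+apiKeySecretARN: "api-key-secret-arn",
+enhancedMetrics: false,
+logForwarding: false,
+shouldRetryMetrics: false,
+localTesting: false,
+siteURL,
+});
+
+await listener.onStartInvocation({});
+await listener.onCompleteInvocation();
+
+expect(secretsManagerSpy).toHaveBeenCalledWith({
+useFipsEndpoint: true,
+});
+
+secretsManagerSpy.mockRestore();
+} finally {
+process.env.AWS_REGION = "us-east-1";
+}
+});
+
 it("logs metrics when logForwarding is enabled", async () => {
 const spy = jest.spyOn(process.stdout, "write");
 jest.spyOn(Date, "now").mockImplementation(() => 1487076708000);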
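Review bot: The `finally` branch of the new test hard-codes `process.env.AWS_REGION = "us-east-1"` instead of restoring whatever value the environment had before, and `secretsManagerSpy.mockRestore()` runs only on the success path, so a failing `expect` leaks the spy into later tests. Capture the prior value before the `try` with `const previousRegion = process.env.AWS_REGION;`, restore it in `finally` (deleting the key when it was undefined, since assigning `undefined` stores the string "undefined"), and move `mockRestore()` into the `finally` as well. The spy is installed on the `require`d module while the listener uses `await import(...)`; that this intercepts the dynamically imported binding presumably relies on the jest CJS transform, which is worth stating in a one-line comment above the `jest.spyOn` call.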

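--- a/src/metrics/listener.ts
+++ b/src/metrics/listener.ts
@@ -7,6 +7,7 @@ import { writeMetricToStdout } from "./metric-log";
 import { Distribution } from "./model";
 import { Context } from "aws-lambda";
 import { getEnhancedMetricTags } from "./enhanced-metrics";
+import { SecretsManagerClientConfig } from "@aws-sdk/client-secrets-manager";
 
 const METRICS_BATCH_SEND_INTERVAL = 10000; // 10 seconds
 const HISTORICAL_METRICS_THRESHOLD_HOURS = 4 * 60 * 60 * 1000; // 4 hours
@@ -223,7 +224,11 @@ export class MetricsListener {
 if (config.apiKeySecretARN !== "") {
 try {
 const { SecretsManager } = await import("@aws-sdk/client-secrets-manager");
-const secretsManager = new SecretsManager();
+const region = process.env.AWS_REGION;
+const isGovRegion = region !== undefined && region.startsWith("us-gov-");
+const secretsManager = new SecretsManager({
+useFipsEndpoint: isGovRegion,
+});
 const secret = await secretsManager.getSecretValue({ SecretId: config.apiKeySecretARN });
 return secret?.SecretString ?? "";
 } catch (error) {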
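Review bot: Passing `useFipsEndpoint: isGovRegion` always sets the option explicitly, so outside GovCloud the client receives `useFipsEndpoint: false`, which appears to take precedence over the SDK's own resolution from `AWS_USE_FIPS_ENDPOINT` / the shared config and would silently disable FIPS for users who opted in that way in a commercial region. Only supply the option when it is being turned on, e.g. `const secretsManager = new SecretsManager(isGovRegion ? { useFipsEndpoint: true } : {});`, and add a comment such as `// GovCloud regions expose only FIPS-validated Secrets Manager endpoints; elsewhere defer to the SDK's own FIPS resolution`. The newly imported `SecretsManagerClientConfig` on line 10 is not referenced in the visible hunks; if it is unused it should be dropped, and if it is used elsewhere it is a type and should be `import type`. The enclosing method of the second hunk starts and ends outside the hunk.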
