Removed Cloudwatch client

stevebux · stevebux · commit 680ae8106c75 · 2025-11-07T09:15:19.000Z
diff --git a/lambdas/authorizer/package.json b/lambdas/authorizer/package.json
@@ -1,9 +1,6 @@
 {
   "dependencies": {
-    "@aws-sdk/client-cloudwatch": "^3.922.0",
-    "esbuild": "^0.25.11",
-    "pino": "^10.1.0",
-    "zod": "^4.1.12"
+    "esbuild": "^0.25.11"
   },
   "devDependencies": {
     "@tsconfig/node22": "^22.0.2",
diff --git a/lambdas/authorizer/src/__tests__/index.test.ts b/lambdas/authorizer/src/__tests__/index.test.ts
@@ -11,9 +11,6 @@ const mockedDeps: jest.Mocked<Deps> = {
       CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS: 14,
       APIM_APPLICATION_ID_HEADER: 'apim-application-id'
     } as unknown as EnvVars,
-    cloudWatchClient: {
-      send: jest.fn().mockResolvedValue({}),
-    } as any,
     supplierRepo: {
       getSupplierByApimId: jest.fn(),
     } as any,
@@ -49,49 +46,48 @@ describe('Authorizer Lambda Function', () => {
       jest.useRealTimers();
     })
 
-    // it('Should not send CloudWatch metric when certificate is null', async () => {
-    //   mockEvent.requestContext.identity.clientCert = null;
+    it('Should not log CloudWatch metric when certificate is null', async () => {
+      mockEvent.requestContext.identity.clientCert = null;
 
-    //   const handler = createAuthorizerHandler(mockedDeps);
-    //   handler(mockEvent, mockContext, mockCallback);
-    //   await new Promise(process.nextTick);
+      const handler = createAuthorizerHandler(mockedDeps);
+      handler(mockEvent, mockContext, mockCallback);
+      await new Promise(process.nextTick);
 
-    //   expect(mockedDeps.cloudWatchClient.send).not.toHaveBeenCalled();
-    // });
+      const mockedInfo = mockedDeps.logger.info as jest.Mock;
+      expect(mockedInfo.mock.calls).not.toContainEqual(
+        expect.stringContaining('CloudWatchMetrics'));
+    });
 
-    it('Should send CloudWatch metric when the certificate expiry threshold is reached', async () => {
+    it('Should log CloudWatch metric when the certificate expiry threshold is reached', async () => {
       mockEvent.requestContext.identity.clientCert = buildCertWithExpiry('2025-11-17T14:19:00Z');
 
       const handler = createAuthorizerHandler(mockedDeps);
       handler(mockEvent, mockContext, mockCallback);
       await new Promise(process.nextTick);
 
-      expect(mockedDeps.cloudWatchClient.send).toHaveBeenCalledWith(
-        expect.objectContaining({
-          input: {
+      const mockedInfo = mockedDeps.logger.info as jest.Mock;
+      expect(mockedInfo.mock.calls.map(call => call[0])).toContain(JSON.stringify(
+        {_aws: {Timestamp: 1762179540000,
+          CloudWatchMetrics: [{
             Namespace: 'cloudwatch-namespace',
-            MetricData: [
-              {
-                MetricName: 'apim-client-certificate-near-expiry',
-                Dimensions: [
-                  { Name: 'SUBJECT_DN', Value: 'CN=test-subject' },
-                  { Name: 'NOT_AFTER', Value: '2025-11-17T14:19:00Z' },
-                ],
-              },
-            ],
-          },
-        })
-      );
+            Dimensions: ['SUBJECT_DN', 'NOT_AFTER'],
+            Metrics: [{Name: 'apim-client-certificate-near-expiry', Unit: 'Count', Value: 1}]
+          }]},
+          SUBJECT_DN: 'CN=test-subject',
+          NOT_AFTER: '2025-11-17T14:19:00Z',
+          'apim-client-certificate-near-expiry': 1}));
     });
 
-    it('Should not send CloudWatch metric when the certificate expiry threshold is not yet reached', async () => {
+    it('Should not log CloudWatch metric when the certificate expiry threshold is not yet reached', async () => {
       mockEvent.requestContext.identity.clientCert = buildCertWithExpiry('2025-11-18T14:19:00Z');
 
       const handler = createAuthorizerHandler(mockedDeps);
       handler(mockEvent, mockContext, mockCallback);
       await new Promise(process.nextTick);
 
-      expect(mockedDeps.cloudWatchClient.send).not.toHaveBeenCalled();
+      const mockedInfo = mockedDeps.logger.info as jest.Mock;
+      expect(mockedInfo.mock.calls).not.toContainEqual(
+        expect.stringContaining('CloudWatchMetrics'));
     });
   });
 
@@ -105,110 +101,110 @@ describe('Authorizer Lambda Function', () => {
     } as APIGatewayEventClientCertificate;
   }
 
-    describe('Supplier ID lookup', () => {
+  describe('Supplier ID lookup', () => {
 
-      it('Should deny the request when no headers are present', async () => {
-        mockEvent.headers = null;
+    it('Should deny the request when no headers are present', async () => {
+      mockEvent.headers = null;
 
-        const handler = createAuthorizerHandler(mockedDeps);
-        handler(mockEvent, mockContext, mockCallback);
-        await new Promise(process.nextTick);
+      const handler = createAuthorizerHandler(mockedDeps);
+      handler(mockEvent, mockContext, mockCallback);
+      await new Promise(process.nextTick);
 
-        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-          policyDocument: expect.objectContaining({
-            Statement: [
-              expect.objectContaining({
-                Effect: 'Deny',
-              }),
-            ],
-          }),
-        }));
-      });
+      expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+        policyDocument: expect.objectContaining({
+          Statement: [
+            expect.objectContaining({
+              Effect: 'Deny',
+            }),
+          ],
+        }),
+      }));
+    });
 
-      it('Should deny the request when the APIM application ID header is absent', async () => {
-        mockEvent.headers = {'x-apim-correlation-id': 'correlation-id'};
+    it('Should deny the request when the APIM application ID header is absent', async () => {
+      mockEvent.headers = {'x-apim-correlation-id': 'correlation-id'};
 
-        const handler = createAuthorizerHandler(mockedDeps);
-        handler(mockEvent, mockContext, mockCallback);
-        await new Promise(process.nextTick);
+      const handler = createAuthorizerHandler(mockedDeps);
+      handler(mockEvent, mockContext, mockCallback);
+      await new Promise(process.nextTick);
 
-        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-          policyDocument: expect.objectContaining({
-            Statement: [
-              expect.objectContaining({
-                Effect: 'Deny',
-              }),
-            ],
-          }),
-        }));
-      });
+      expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+        policyDocument: expect.objectContaining({
+          Statement: [
+            expect.objectContaining({
+              Effect: 'Deny',
+            }),
+          ],
+        }),
+      }));
+    });
 
-      it('Should deny the request when no supplier ID is found', async () => {
-        mockEvent.headers = { 'apim-application-id': 'unknown-apim-id' };
-        (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockRejectedValue(new Error('Supplier not found'));
-
-        const handler = createAuthorizerHandler(mockedDeps);
-        handler(mockEvent, mockContext, mockCallback);
-        await new Promise(process.nextTick);
-
-        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-          policyDocument: expect.objectContaining({
-            Statement: [
-              expect.objectContaining({
-                Effect: 'Deny',
-              }),
-            ],
-          }),
-        }));
-      });
+    it('Should deny the request when no supplier ID is found', async () => {
+      mockEvent.headers = { 'apim-application-id': 'unknown-apim-id' };
+      (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockRejectedValue(new Error('Supplier not found'));
 
-      it('Should allow the request when the supplier ID is found', async () => {
-        mockEvent.headers = { 'apim-application-id': 'valid-apim-id' };
-        (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockResolvedValue({
-          id: 'supplier-123',
-          apimApplicationId: 'valid-apim-id',
-          name: 'Test Supplier',
-          status: 'ENABLED'
-        });
-
-        const handler = createAuthorizerHandler(mockedDeps);
-        handler(mockEvent, mockContext, mockCallback);
-        await new Promise(process.nextTick);
-
-        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-          policyDocument: expect.objectContaining({
-            Statement: [
-              expect.objectContaining({
-                Effect: 'Allow',
-              }),
-            ],
-          }),
-          principalId: 'supplier-123',
-        }));
+      const handler = createAuthorizerHandler(mockedDeps);
+      handler(mockEvent, mockContext, mockCallback);
+      await new Promise(process.nextTick);
+
+      expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+        policyDocument: expect.objectContaining({
+          Statement: [
+            expect.objectContaining({
+              Effect: 'Deny',
+            }),
+          ],
+        }),
+      }));
+    });
+
+    it('Should allow the request when the supplier ID is found', async () => {
+      mockEvent.headers = { 'apim-application-id': 'valid-apim-id' };
+      (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockResolvedValue({
+        id: 'supplier-123',
+        apimApplicationId: 'valid-apim-id',
+        name: 'Test Supplier',
+        status: 'ENABLED'
       });
+
+      const handler = createAuthorizerHandler(mockedDeps);
+      handler(mockEvent, mockContext, mockCallback);
+      await new Promise(process.nextTick);
+
+      expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+        policyDocument: expect.objectContaining({
+          Statement: [
+            expect.objectContaining({
+              Effect: 'Allow',
+            }),
+          ],
+        }),
+        principalId: 'supplier-123',
+      }));
     });
+  });
 
-      it('Should deny the request the supplier is disabled', async () => {
-        mockEvent.headers = { 'apim-application-id': 'unknown-apim-id' };
-          (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockResolvedValue({
-            id: 'supplier-123',
-            apimApplicationId: 'valid-apim-id',
-            name: 'Test Supplier',
-            status: 'DISABLED'
-        });
-
-        const handler = createAuthorizerHandler(mockedDeps);
-        handler(mockEvent, mockContext, mockCallback);
-        await new Promise(process.nextTick);
-
-        expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
-          policyDocument: expect.objectContaining({
-            Statement: [
-              expect.objectContaining({
-                Effect: 'Deny',
-              }),
-            ],
+  it('Should deny the request the supplier is disabled', async () => {
+    mockEvent.headers = { 'apim-application-id': 'unknown-apim-id' };
+      (mockedDeps.supplierRepo.getSupplierByApimId as jest.Mock).mockResolvedValue({
+        id: 'supplier-123',
+        apimApplicationId: 'valid-apim-id',
+        name: 'Test Supplier',
+        status: 'DISABLED'
+    });
+
+    const handler = createAuthorizerHandler(mockedDeps);
+    handler(mockEvent, mockContext, mockCallback);
+    await new Promise(process.nextTick);
+
+    expect(mockCallback).toHaveBeenCalledWith(null, expect.objectContaining({
+      policyDocument: expect.objectContaining({
+        Statement: [
+          expect.objectContaining({
+            Effect: 'Deny',
           }),
-        }));
-      });
+        ],
+      }),
+    }));
+  });
 });
diff --git a/lambdas/authorizer/src/authorizer.ts b/lambdas/authorizer/src/authorizer.ts
@@ -14,7 +14,6 @@
 import {APIGatewayAuthorizerResult, APIGatewayEventClientCertificate, APIGatewayRequestAuthorizerEvent, APIGatewayRequestAuthorizerEventHeaders, APIGatewayRequestAuthorizerHandler,
   Callback, Context } from 'aws-lambda';
 import { Deps } from './deps';
-import { PutMetricDataCommand } from '@aws-sdk/client-cloudwatch';
 import { Supplier } from '@internal/datastore';
 
 export function createAuthorizerHandler(deps: Deps): APIGatewayRequestAuthorizerHandler {
@@ -27,8 +26,9 @@ export function createAuthorizerHandler(deps: Deps): APIGatewayRequestAuthorizer
     deps.logger.info(event, 'Received event');
 
 
-    checkCertificateExpiry(event.requestContext.identity.clientCert, deps)
-      .then(() => getSupplier(event.headers, deps))
+    checkCertificateExpiry(event.requestContext.identity.clientCert, deps);
+
+    getSupplier(event.headers, deps)
       .then((supplier: Supplier) => {
         deps.logger.info('Allow event');
         callback(null, generateAllow(event.methodArn, supplier.id));
@@ -100,31 +100,38 @@ async function checkCertificateExpiry(certificate: APIGatewayEventClientCertific
     validity: certificate?.validity,
   });
 
-  certificate = certificate || {subjectDN: 'CN=123', validity: {notAfter: '2025-11-06T12:00:00Z'}} as unknown as APIGatewayEventClientCertificate;
+  if (!certificate) {
+    // In a real production environment, we won't have got this far if there wasn't a cert
+    return;
+  }
 
   const expiry = getCertificateExpiryInDays(certificate);
 
   if (expiry <= deps.env.CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS) {
-    const { subjectDN, validity } = certificate;
-
-    deps.logger.info({
-      description: 'Client certificate near expiry',
-      certificateExpiry: validity.notAfter,
-      subjectDN,
-    });
-    await deps.cloudWatchClient.send(buildCloudWatchCommand(deps.env.CLOUDWATCH_NAMESPACE, certificate));
+    deps.logger.info(JSON.stringify(buildCloudWatchMetric(deps.env.CLOUDWATCH_NAMESPACE, certificate)));
   }
 
-  function buildCloudWatchCommand(namespace: string, certificate: APIGatewayEventClientCertificate): PutMetricDataCommand {
-    return new PutMetricDataCommand({
-      MetricData: [{
-        MetricName: 'apim-client-certificate-near-expiry',
-        Dimensions: [
-          {Name: 'SUBJECT_DN', Value: certificate.subjectDN},
-          {Name: 'NOT_AFTER', Value: certificate.validity.notAfter}
-        ]
-      }],
-      Namespace: namespace
-    });
+  function buildCloudWatchMetric(namespace: string, certificate: APIGatewayEventClientCertificate) {
+    return {
+      _aws: {
+        Timestamp: new Date().valueOf(),
+        CloudWatchMetrics: [
+          {
+            Namespace: namespace,
+            Dimensions: ['SUBJECT_DN', 'NOT_AFTER'],
+            Metrics: [
+              {
+                Name: 'apim-client-certificate-near-expiry',
+                Unit: 'Count',
+                Value: 1,
+              },
+            ],
+          },
+        ],
+      },
+      'SUBJECT_DN': certificate.subjectDN,
+      'NOT_AFTER':  certificate.validity.notAfter,
+      'apim-client-certificate-near-expiry': 1,
+    };
   }
 };
diff --git a/lambdas/authorizer/src/deps.ts b/lambdas/authorizer/src/deps.ts
@@ -1,4 +1,3 @@
-import { CloudWatchClient } from "@aws-sdk/client-cloudwatch";
 import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
 import { DynamoDBDocumentClient } from "@aws-sdk/lib-dynamodb";
 import pino from 'pino';
@@ -7,7 +6,6 @@ import { SupplierRepository } from '@internal/datastore';
 
 export type Deps = {
   supplierRepo: SupplierRepository;
-  cloudWatchClient: CloudWatchClient;
   logger: pino.Logger;
   env: EnvVars;
 };
@@ -30,7 +28,6 @@ export function createDependenciesContainer(): Deps {
 
   return {
     supplierRepo: createSupplierRepository(createDocumentClient(), log, envVars),
-    cloudWatchClient: new CloudWatchClient({}),
     logger: log,
     env: envVars
   };
