Merge pull request #12 from PostHog/tom/fix

Send analytics to posthog

Author: Piccirello

README.md

@@ -787,6 +787,8 @@ settings:
 | <a name="input_logs_retention_in_days"></a> [logs\_retention\_in\_days](#input\_logs\_retention\_in\_days) | The number of days you want to retain log events in the log group for both Lambda functions and API Gateway. | `number` | `365` | no |
 | <a name="input_max_permissions_duration_time"></a> [max\_permissions\_duration\_time](#input\_max\_permissions\_duration\_time) | Maximum duration (in hours) for permissions granted by Elevator. Max number - 48 hours.<br/>  Due to Slack's dropdown limit of 100 items, anything above 48 hours will cause issues when generating half-hour increments<br/>  and Elevator will not display more then 48 hours in the dropdown. | `number` | `24` | no |
 | <a name="input_permission_duration_list_override"></a> [permission\_duration\_list\_override](#input\_permission\_duration\_list\_override) | An explicit list of duration values to appear in the drop-down menu users use to select how long to request permissions for.<br/>  Each entry in the list should be formatted as "hh:mm", e.g. "01:30" for an hour and a half. Note that while the number of minutes<br/>  must be between 0-59, the number of hours can be any number.<br/>  If this variable is set, the max\_permission\_duration\_time is ignored. | `list(string)` | `[]` | no |
+| <a name="input_posthog_api_key"></a> [posthog\_api\_key](#input\_posthog\_api\_key) | PostHog API key for analytics. Leave empty to disable analytics tracking. | `string` | `""` | no |
+| <a name="input_posthog_host"></a> [posthog\_host](#input\_posthog\_host) | PostHog host URL for analytics. | `string` | `"https://us.i.posthog.com"` | no |
 | <a name="input_request_expiration_hours"></a> [request\_expiration\_hours](#input\_request\_expiration\_hours) | After how many hours should the request expire? If set to 0, the request will never expire. | `number` | `8` | no |
 | <a name="input_requester_lambda_name"></a> [requester\_lambda\_name](#input\_requester\_lambda\_name) | value for the requester lambda name | `string` | `"access-requester"` | no |
 | <a name="input_revoker_lambda_name"></a> [revoker\_lambda\_name](#input\_revoker\_lambda\_name) | value for the revoker lambda name | `string` | `"access-revoker"` | no |

attribute_syncer_lambda.tf

@@ -48,26 +48,32 @@ module "attribute_syncer" {
     module.sso_elevator_dependencies[0].lambda_layer_arn,
   ]
 
-  environment_variables = {
-    LOG_LEVEL = var.log_level
-
-    SLACK_BOT_TOKEN  = var.slack_bot_token
-    SLACK_CHANNEL_ID = var.slack_channel_id
-
-    SSO_INSTANCE_ARN            = local.sso_instance_arn
-    IDENTITY_STORE_ID           = local.identity_store_id
-    POWERTOOLS_LOGGER_LOG_EVENT = true
-
-    S3_BUCKET_FOR_AUDIT_ENTRY_NAME  = local.s3_bucket_name
-    S3_BUCKET_PREFIX_FOR_PARTITIONS = var.s3_bucket_partition_prefix
-
-    # Attribute sync specific configuration
-    ATTRIBUTE_SYNC_ENABLED                  = "true"
-    ATTRIBUTE_SYNC_MANAGED_GROUPS           = jsonencode(var.attribute_sync_managed_groups)
-    ATTRIBUTE_SYNC_RULES                    = jsonencode(var.attribute_sync_rules)
-    ATTRIBUTE_SYNC_MANUAL_ASSIGNMENT_POLICY = var.attribute_sync_manual_assignment_policy
-    ATTRIBUTE_SYNC_SCHEDULE                 = var.attribute_sync_schedule
-  }
+  environment_variables = merge(
+    {
+      LOG_LEVEL = var.log_level
+
+      SLACK_BOT_TOKEN  = var.slack_bot_token
+      SLACK_CHANNEL_ID = var.slack_channel_id
+
+      SSO_INSTANCE_ARN            = local.sso_instance_arn
+      IDENTITY_STORE_ID           = local.identity_store_id
+      POWERTOOLS_LOGGER_LOG_EVENT = true
+
+      S3_BUCKET_FOR_AUDIT_ENTRY_NAME  = local.s3_bucket_name
+      S3_BUCKET_PREFIX_FOR_PARTITIONS = var.s3_bucket_partition_prefix
+
+      # Attribute sync specific configuration
+      ATTRIBUTE_SYNC_ENABLED                  = "true"
+      ATTRIBUTE_SYNC_MANAGED_GROUPS           = jsonencode(var.attribute_sync_managed_groups)
+      ATTRIBUTE_SYNC_RULES                    = jsonencode(var.attribute_sync_rules)
+      ATTRIBUTE_SYNC_MANUAL_ASSIGNMENT_POLICY = var.attribute_sync_manual_assignment_policy
+      ATTRIBUTE_SYNC_SCHEDULE                 = var.attribute_sync_schedule
+    },
+    var.posthog_api_key != "" ? {
+      POSTHOG_API_KEY = var.posthog_api_key
+      POSTHOG_HOST    = var.posthog_host
+    } : {}
+  )
 
   allowed_triggers = {
     attribute_sync_schedule = {

perm_revoker_lambda.tf

@@ -43,35 +43,41 @@ module "access_revoker" {
     module.sso_elevator_dependencies[0].lambda_layer_arn,
   ]
 
-  environment_variables = {
-    LOG_LEVEL = var.log_level
+  environment_variables = merge(
+    {
+      LOG_LEVEL = var.log_level
 
-    SLACK_SIGNING_SECRET = var.slack_signing_secret
-    SLACK_BOT_TOKEN      = var.slack_bot_token
-    SLACK_CHANNEL_ID     = var.slack_channel_id
-    SCHEDULE_GROUP_NAME  = var.schedule_group_name
+      SLACK_SIGNING_SECRET = var.slack_signing_secret
+      SLACK_BOT_TOKEN      = var.slack_bot_token
+      SLACK_CHANNEL_ID     = var.slack_channel_id
+      SCHEDULE_GROUP_NAME  = var.schedule_group_name
 
-    SSO_INSTANCE_ARN            = local.sso_instance_arn
-    POWERTOOLS_LOGGER_LOG_EVENT = true
+      SSO_INSTANCE_ARN            = local.sso_instance_arn
+      POWERTOOLS_LOGGER_LOG_EVENT = true
 
-    POST_UPDATE_TO_SLACK                        = var.revoker_post_update_to_slack
-    SCHEDULE_POLICY_ARN                         = aws_iam_role.eventbridge_role.arn
-    REVOKER_FUNCTION_ARN                        = local.revoker_lambda_arn
-    REVOKER_FUNCTION_NAME                       = var.revoker_lambda_name
-    S3_BUCKET_FOR_AUDIT_ENTRY_NAME              = local.s3_bucket_name
-    S3_BUCKET_PREFIX_FOR_PARTITIONS             = var.s3_bucket_partition_prefix
-    SSO_ELEVATOR_SCHEDULED_REVOCATION_RULE_NAME = aws_cloudwatch_event_rule.sso_elevator_scheduled_revocation.name
-    REQUEST_EXPIRATION_HOURS                    = var.request_expiration_hours
-    MAX_PERMISSIONS_DURATION_TIME               = var.max_permissions_duration_time
-    PERMISSION_DURATION_LIST_OVERRIDE           = jsonencode(var.permission_duration_list_override)
-    CONFIG_BUCKET_NAME                          = local.config_bucket_name
-    CONFIG_S3_KEY                               = "config/approval-config.json"
+      POST_UPDATE_TO_SLACK                        = var.revoker_post_update_to_slack
+      SCHEDULE_POLICY_ARN                         = aws_iam_role.eventbridge_role.arn
+      REVOKER_FUNCTION_ARN                        = local.revoker_lambda_arn
+      REVOKER_FUNCTION_NAME                       = var.revoker_lambda_name
+      S3_BUCKET_FOR_AUDIT_ENTRY_NAME              = local.s3_bucket_name
+      S3_BUCKET_PREFIX_FOR_PARTITIONS             = var.s3_bucket_partition_prefix
+      SSO_ELEVATOR_SCHEDULED_REVOCATION_RULE_NAME = aws_cloudwatch_event_rule.sso_elevator_scheduled_revocation.name
+      REQUEST_EXPIRATION_HOURS                    = var.request_expiration_hours
+      MAX_PERMISSIONS_DURATION_TIME               = var.max_permissions_duration_time
+      PERMISSION_DURATION_LIST_OVERRIDE           = jsonencode(var.permission_duration_list_override)
+      CONFIG_BUCKET_NAME                          = local.config_bucket_name
+      CONFIG_S3_KEY                               = "config/approval-config.json"
 
-    APPROVER_RENOTIFICATION_INITIAL_WAIT_TIME  = var.approver_renotification_initial_wait_time
-    APPROVER_RENOTIFICATION_BACKOFF_MULTIPLIER = var.approver_renotification_backoff_multiplier
-    SECONDARY_FALLBACK_EMAIL_DOMAINS           = jsonencode(var.secondary_fallback_email_domains)
-    SEND_DM_IF_USER_NOT_IN_CHANNEL             = var.send_dm_if_user_not_in_channel
-  }
+      APPROVER_RENOTIFICATION_INITIAL_WAIT_TIME  = var.approver_renotification_initial_wait_time
+      APPROVER_RENOTIFICATION_BACKOFF_MULTIPLIER = var.approver_renotification_backoff_multiplier
+      SECONDARY_FALLBACK_EMAIL_DOMAINS           = jsonencode(var.secondary_fallback_email_domains)
+      SEND_DM_IF_USER_NOT_IN_CHANNEL             = var.send_dm_if_user_not_in_channel
+    },
+    var.posthog_api_key != "" ? {
+      POSTHOG_API_KEY = var.posthog_api_key
+      POSTHOG_HOST    = var.posthog_host
+    } : {}
+  )
 
   allowed_triggers = {
     cron = {

slack_handler_lambda.tf

@@ -43,36 +43,42 @@ module "access_requester_slack_handler" {
     module.sso_elevator_dependencies[0].lambda_layer_arn,
   ]
 
-  environment_variables = {
-    LOG_LEVEL = var.log_level
+  environment_variables = merge(
+    {
+      LOG_LEVEL = var.log_level
 
-    SLACK_SIGNING_SECRET = var.slack_signing_secret
-    SLACK_BOT_TOKEN      = var.slack_bot_token
-    SLACK_CHANNEL_ID     = var.slack_channel_id
-    SCHEDULE_GROUP_NAME  = var.schedule_group_name
+      SLACK_SIGNING_SECRET = var.slack_signing_secret
+      SLACK_BOT_TOKEN      = var.slack_bot_token
+      SLACK_CHANNEL_ID     = var.slack_channel_id
+      SCHEDULE_GROUP_NAME  = var.schedule_group_name
 
-    POST_UPDATE_TO_SLACK = var.revoker_post_update_to_slack
+      POST_UPDATE_TO_SLACK = var.revoker_post_update_to_slack
 
-    SSO_INSTANCE_ARN                            = local.sso_instance_arn
-    POWERTOOLS_LOGGER_LOG_EVENT                 = true
-    SCHEDULE_POLICY_ARN                         = aws_iam_role.eventbridge_role.arn
-    REVOKER_FUNCTION_ARN                        = local.revoker_lambda_arn
-    REVOKER_FUNCTION_NAME                       = var.revoker_lambda_name
-    S3_BUCKET_FOR_AUDIT_ENTRY_NAME              = local.s3_bucket_name
-    S3_BUCKET_PREFIX_FOR_PARTITIONS             = var.s3_bucket_partition_prefix
-    SSO_ELEVATOR_SCHEDULED_REVOCATION_RULE_NAME = aws_cloudwatch_event_rule.sso_elevator_scheduled_revocation.name
-    REQUEST_EXPIRATION_HOURS                    = var.request_expiration_hours
-    APPROVER_RENOTIFICATION_INITIAL_WAIT_TIME   = var.approver_renotification_initial_wait_time
-    APPROVER_RENOTIFICATION_BACKOFF_MULTIPLIER  = var.approver_renotification_backoff_multiplier
-    MAX_PERMISSIONS_DURATION_TIME               = var.max_permissions_duration_time
-    PERMISSION_DURATION_LIST_OVERRIDE           = jsonencode(var.permission_duration_list_override)
-    SECONDARY_FALLBACK_EMAIL_DOMAINS            = jsonencode(var.secondary_fallback_email_domains)
-    SEND_DM_IF_USER_NOT_IN_CHANNEL              = var.send_dm_if_user_not_in_channel
-    ALLOW_ANYONE_TO_END_SESSION_EARLY           = var.allow_anyone_to_end_session_early
-    CONFIG_BUCKET_NAME                          = local.config_bucket_name
-    CONFIG_S3_KEY                               = "config/approval-config.json"
-    CACHE_ENABLED                               = var.cache_enabled
-  }
+      SSO_INSTANCE_ARN                            = local.sso_instance_arn
+      POWERTOOLS_LOGGER_LOG_EVENT                 = true
+      SCHEDULE_POLICY_ARN                         = aws_iam_role.eventbridge_role.arn
+      REVOKER_FUNCTION_ARN                        = local.revoker_lambda_arn
+      REVOKER_FUNCTION_NAME                       = var.revoker_lambda_name
+      S3_BUCKET_FOR_AUDIT_ENTRY_NAME              = local.s3_bucket_name
+      S3_BUCKET_PREFIX_FOR_PARTITIONS             = var.s3_bucket_partition_prefix
+      SSO_ELEVATOR_SCHEDULED_REVOCATION_RULE_NAME = aws_cloudwatch_event_rule.sso_elevator_scheduled_revocation.name
+      REQUEST_EXPIRATION_HOURS                    = var.request_expiration_hours
+      APPROVER_RENOTIFICATION_INITIAL_WAIT_TIME   = var.approver_renotification_initial_wait_time
+      APPROVER_RENOTIFICATION_BACKOFF_MULTIPLIER  = var.approver_renotification_backoff_multiplier
+      MAX_PERMISSIONS_DURATION_TIME               = var.max_permissions_duration_time
+      PERMISSION_DURATION_LIST_OVERRIDE           = jsonencode(var.permission_duration_list_override)
+      SECONDARY_FALLBACK_EMAIL_DOMAINS            = jsonencode(var.secondary_fallback_email_domains)
+      SEND_DM_IF_USER_NOT_IN_CHANNEL              = var.send_dm_if_user_not_in_channel
+      ALLOW_ANYONE_TO_END_SESSION_EARLY           = var.allow_anyone_to_end_session_early
+      CONFIG_BUCKET_NAME                          = local.config_bucket_name
+      CONFIG_S3_KEY                               = "config/approval-config.json"
+      CACHE_ENABLED                               = var.cache_enabled
+    },
+    var.posthog_api_key != "" ? {
+      POSTHOG_API_KEY = var.posthog_api_key
+      POSTHOG_HOST    = var.posthog_host
+    } : {}
+  )
 
   # Only create API Gateway trigger on base function when provisioned concurrency is disabled.
   # When enabled, the alias module creates the trigger instead.
@@ -141,7 +147,12 @@ data "aws_iam_policy_document" "slack_handler" {
       "lambda:InvokeFunction",
       "lambda:GetFunction"
     ]
-    resources = [local.requester_lambda_arn]
+    # Include both qualified (:live alias) and unqualified ARN for lazy listener self-invocation
+    # when provisioned concurrency is enabled
+    resources = distinct([
+      local.requester_lambda_arn,
+      "arn:aws:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.requester_lambda_name}"
+    ])
   }
   statement {
     effect = "Allow"
@@ -218,6 +229,7 @@ data "aws_iam_policy_document" "slack_handler" {
       "identitystore:ListGroups",
       "identitystore:DescribeGroup",
       "identitystore:ListGroupMemberships",
+      "identitystore:ListGroupMembershipsForMember",
       "identitystore:CreateGroupMembership",
     ]
     resources = ["*"]

src/analytics.py

@@ -0,0 +1,73 @@
+"""PostHog analytics integration for SSO Elevator.
+
+This module provides optional analytics tracking when a PostHog API key is configured.
+All events include a global "application" property for filtering.
+
+Usage:
+    import analytics
+
+    analytics.capture(
+        event="aws_access_requested",
+        distinct_id=requester.email,
+        properties={"account_id": "123456789012", ...}
+    )
+
+    # Call shutdown before Lambda freeze to flush events
+    analytics.shutdown()
+"""
+
+from __future__ import annotations
+
+import os
+from functools import lru_cache
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    import posthog as posthog_module
+
+APPLICATION = "aws-sso-elevator"
+
+
+@lru_cache(maxsize=1)
+def get_posthog_client() -> posthog_module | None:
+    """Get configured PostHog client, or None if not configured.
+
+    Returns cached client instance. The client is configured on first call
+    if POSTHOG_API_KEY environment variable is set.
+    """
+    api_key = os.environ.get("POSTHOG_API_KEY")
+    if not api_key:
+        return None
+
+    import posthog
+
+    posthog.api_key = api_key
+    posthog.host = os.environ.get("POSTHOG_HOST", "https://us.i.posthog.com")
+    return posthog
+
+
+def capture(event: str, distinct_id: str, properties: dict | None = None) -> None:
+    """Capture an analytics event if PostHog is configured.
+
+    Adds the global "application" property to all events for filtering.
+
+    Args:
+        event: The event name (e.g., "aws_access_requested").
+        distinct_id: Unique identifier for the user (typically email).
+        properties: Optional dict of event properties.
+    """
+    client = get_posthog_client()
+    if client:
+        all_properties = {"application": APPLICATION, **(properties or {})}
+        client.capture(distinct_id, event, all_properties)
+
+
+def shutdown() -> None:
+    """Flush pending events before Lambda freeze.
+
+    Should be called at the end of Lambda handler to ensure
+    all events are sent before the container is frozen.
+    """
+    client = get_posthog_client()
+    if client:
+        client.flush()

src/errors.py

@@ -4,6 +4,7 @@
 from slack_bolt import BoltContext
 from slack_sdk import WebClient
 
+import analytics
 import config
 
 
@@ -27,6 +28,15 @@ def error_handler(client: WebClient, e: Exception, logger: Logger, context: Bolt
     logger.exception("An error occurred:", exc_info=e)
     user_id = context.get("user_id", "UNKNOWN_USER")
 
+    analytics.capture(
+        event="aws_sso_elevator_error",
+        distinct_id=user_id,
+        properties={
+            "error_type": type(e).__name__,
+            "error_message": str(e),
+        },
+    )
+
     if isinstance(e, SSOUserNotFound):
         text = (
             f"<@{user_id}> Your request for AWS permissions failed because SSO Elevator could not find your user in AWS SSO. "

src/group.py

@@ -10,6 +10,7 @@
 from slack_sdk.web.slack_response import SlackResponse
 
 import access_control
+import analytics
 import config
 import entities
 import schedule
@@ -48,6 +49,17 @@ def handle_request_for_group_access_submittion(  # noqa: PLR0915
         group_id=request.group_id,
     )
 
+    analytics.capture(
+        event="aws_group_access_requested",
+        distinct_id=requester.email,
+        properties={
+            "group_id": request.group_id,
+            "group_name": group.name,
+            "requester_email": requester.email,
+            "decision_reason": decision.reason.value,
+        },
+    )
+
     show_buttons = bool(decision.approvers)
     slack_response = client.chat_postMessage(
         blocks=slack_helpers.build_approval_request_message_blocks(
@@ -142,6 +154,19 @@ def handle_request_for_group_access_submittion(  # noqa: PLR0915
     )
 
     if result.granted:
+        analytics.capture(
+            event="aws_group_access_approved",
+            distinct_id=requester.email,
+            properties={
+                "group_id": request.group_id,
+                "group_name": group.name,
+                "approver_email": requester.email,
+                "requester_email": requester.email,
+                "duration_hours": request.permission_duration.total_seconds() / 3600,
+                "self_approved": True,
+            },
+        )
+
         client.chat_postMessage(
             channel=cfg.slack_channel_id,
             text=f"Permissions granted to <@{requester.id}>",
@@ -271,6 +296,21 @@ def handle_group_button_click(body: dict, client: WebClient, context: BoltContex
         identity_store_id=identity_store_id,
         thread_ts=payload.thread_ts,
     )
+
+    if result.granted:
+        analytics.capture(
+            event="aws_group_access_approved",
+            distinct_id=requester.email,
+            properties={
+                "group_id": payload.request.group_id,
+                "group_name": group.name,
+                "approver_email": approver.email,
+                "requester_email": requester.email,
+                "duration_hours": payload.request.permission_duration.total_seconds() / 3600,
+                "self_approved": approver.email == requester.email,
+            },
+        )
+
     cache_for_dublicate_requests.clear()
     if cfg.send_dm_if_user_not_in_channel and not is_user_in_channel:
         logger.info(f"User {requester.id} is not in the channel. Sending DM with message: {dm_text}")