fix SecretsManager attribute extraction and add negative test cases for SecretsManager and SNS

Author: ezhang6811

src/OpenTelemetry.Instrumentation.AWS/Implementation/AWSServiceHelper.cs

@@ -14,6 +14,7 @@ internal class AWSServiceHelper
         { AWSServiceType.S3Service, new List<string> { "BucketName" } },
         { AWSServiceType.KinesisService, new List<string> { "StreamName" } },
         { AWSServiceType.LambdaService, new List<string> { "UUID" } },
+        { AWSServiceType.SecretsManagerService, new List<string> { "SecretId" } },
         { AWSServiceType.SNSService, new List<string> { "TopicArn" } },
         { AWSServiceType.StepFunctionsService, new List<string> { "ActivityArn", "StateMachineArn" } },
         { AWSServiceType.BedrockRuntimeService, new List<string> { "ModelId" } },
@@ -37,6 +38,7 @@ internal class AWSServiceHelper
         { "StreamName", AWSSemanticConventions.AttributeAWSKinesisStreamName },
         { "TopicArn", AWSSemanticConventions.AttributeAWSSNSTopicArn },
         { "ARN", AWSSemanticConventions.AttributeAWSSecretsManagerSecretArn },
+        { "SecretId", AWSSemanticConventions.AttributeAWSSecretsManagerSecretArn },
         { "ActivityArn", AWSSemanticConventions.AttributeAWSStepFunctionsActivityArn },
         { "StateMachineArn", AWSSemanticConventions.AttributeAWSStepFunctionsStateMachineArn },
         { "UUID", AWSSemanticConventions.AttributeAWSLambdaResourceMappingId },

src/OpenTelemetry.Instrumentation.AWS/Implementation/AWSTracingPipelineHandler.cs

@@ -173,6 +173,20 @@ private static void AddRequestSpecificInformation(Activity activity, IRequestCon
                             }
                         }
 
+                        // for secrets manager, only extract SecretId from request if it is a secret ARN.
+                        if (AWSServiceType.IsSecretsManagerService(service) && parameter == "SecretId")
+                        {
+                            var secretId = property.GetValue(request);
+                            if (secretId != null)
+                            {
+                                var secretIdString = secretId.ToString();
+                                if (secretIdString != null && !secretIdString.StartsWith("arn:aws:secretsmanager:"))
+                                {
+                                    continue;
+                                }
+                            }
+                        }
+
                         if (AWSServiceHelper.ParameterAttributeMap.TryGetValue(parameter, out var attribute))
                         {
                             activity.SetTag(attribute, property.GetValue(request));

test/contract-tests/images/applications/TestSimpleApp.AWSSDK.Core/Program.cs

@@ -139,6 +139,9 @@
     .WithName("get-secret-value")
     .WithOpenApi();
 
+app.MapGet("secretsmanager/fault", (SecretsManagerTests secretsManager) => secretsManager.Fault()).WithName("secretsmanager-fault").WithOpenApi();
+app.MapGet("secretsmanager/error", (SecretsManagerTests secretsManager) => secretsManager.Error()).WithName("secretsmanager-error").WithOpenApi();
+
 app.MapGet("sns/createtopic/some-topic", (SNSTests sns) => sns.CreateTopic())
     .WithName("create-topic")
     .WithOpenApi();
@@ -147,6 +150,9 @@
     .WithName("publish")
     .WithOpenApi();
 
+app.MapGet("sns/fault", (SNSTests sns) => sns.Fault()).WithName("sns-fault").WithOpenApi();
+app.MapGet("sns/error", (SNSTests sns) => sns.Error()).WithName("sns-error").WithOpenApi();
+
 app.MapGet("bedrock/getguardrail/get-guardrail", (BedrockTests bedrock) => bedrock.GetGuardrail())
     .WithName("get-guardrail")
     .WithOpenApi();

test/contract-tests/images/applications/TestSimpleApp.AWSSDK.Core/SNSTests.cs

@@ -26,6 +26,6 @@ protected override Task CreateFault(CancellationToken cancellationToken)
 
     protected override Task CreateError(CancellationToken cancellationToken)
     {
-        return errorSns.DeleteTopicAsync(new DeleteTopicRequest { TopicArn = "arn:aws:sns:us-east-1:000000000000:test-topic-error" });
+        return errorSns.PublishAsync(new PublishRequest { TopicArn = "arn:aws:sns:us-east-1:000000000000:test-topic-error" });
     }
 }

test/contract-tests/images/applications/TestSimpleApp.AWSSDK.Core/SecretsManagerTests.cs

@@ -28,6 +28,6 @@ protected override Task CreateFault(CancellationToken cancellationToken)
 
     protected override Task CreateError(CancellationToken cancellationToken)
     {
-        return errorSecretsManager.DeleteSecretAsync(new DeleteSecretRequest { SecretId = "arn:aws:us-east-1:000000000000:test-secret-error" });
+        return errorSecretsManager.DescribeSecretAsync(new DescribeSecretRequest { SecretId = "arn:aws:secretsmanager:us-east-1:000000000000:secret:test-secret-error" });
     }
 }

test/contract-tests/tests/test/amazon/awssdk/awssdk_test.py

@@ -343,6 +343,43 @@ def test_secretsmanager_get_secret_value(self):
             },
             span_name="Secrets Manager.GetSecretValue",
         )
+    
+    def test_secretsmanager_error(self):
+        self.do_test_requests(
+            "secretsmanager/error",
+            "GET",
+            400,
+            1,
+            0,
+            rpc_service="Secrets Manager",
+            remote_service="AWS::SecretsManager",
+            remote_operation="DescribeSecret",
+            remote_resource_type="AWS::SecretsManager::Secret",
+            remote_resource_identifier="arn:aws:secretsmanager:us-east-1:000000000000:secret:test-secret-error",
+            request_response_specific_attributes={
+                _AWS_SECRETSMANAGER_SECRET_ARN: "arn:aws:secretsmanager:us-east-1:000000000000:secret:test-secret-error",
+            },
+            span_name="Secrets Manager.DescribeSecret",
+        )
+    
+    # TODO: https://github.com/aws-observability/aws-otel-dotnet-instrumentation/issues/83
+    # def test_secretsmanager_fault(self):
+    #     self.do_test_requests(
+    #         "secretsmanager/fault",
+    #         "GET",
+    #         500,
+    #         0,
+    #         1,
+    #         rpc_service="Secrets Manager",
+    #         remote_service="AWS::SecretsManager",
+    #         remote_operation="CreateSecret",
+    #         remote_resource_type="AWS::SecretsManager::Secret",
+    #         remote_resource_identifier="arn:aws:secretsmanager:us-east-1:000000000000:secret:test-secret-error",
+    #         request_response_specific_attributes={
+    #             _AWS_SECRETSMANAGER_SECRET_ARN: "arn:aws:secretsmanager:us-east-1:000000000000:secret:test-secret-error",
+    #         },
+    #         span_name="Secrets Manager.CreateSecret",
+    #     )
 
     def test_sns_create_topic(self):
         self.do_test_requests(
@@ -373,6 +410,37 @@ def test_sns_publish(self):
             },
             span_name="SNS.Publish",
         )
+    
+    def test_sns_error(self):
+        self.do_test_requests(
+            "sns/error",
+            "GET",
+            400,
+            1,
+            0,
+            remote_service="AWS::SNS",
+            remote_operation="Publish",
+            remote_resource_type="AWS::SNS::Topic",
+            remote_resource_identifier="arn:aws:sns:us-east-1:000000000000:test-topic-error",
+            request_response_specific_attributes={
+                _AWS_SNS_TOPIC_ARN: "arn:aws:sns:us-east-1:000000000000:test-topic-error",
+            },
+            span_name="SNS.Publish",
+        )
+
+    # TODO: https://github.com/aws-observability/aws-otel-dotnet-instrumentation/issues/83
+    # def test_sns_fault(self):
+    #     self.do_test_requests(
+    #         "sns/fault",
+    #         "GET",
+    #         500,
+    #         0,
+    #         1,
+    #         remote_service="AWS::SNS",
+    #         remote_operation="CreateTopic",
+    #         request_response_specific_attributes={},
+    #         span_name="SNS.CreateTopic"
+    #     )
 
     def test_bedrock_get_guardrail(self):
         self.do_test_requests(