feat(SecretsManager): Add support for secrets count metric (#333)

zqumei0 · web-flow · commit cdf8bd04003e · 2023-07-06T19:23:57.000Z
Added new Secrets Manager Monitor to support Account-Level Secrets Count. This includes a new SecretsManagerMonitor, a new SecretsManagerMetricsFactory, and a new SecretsManagerAlarmFactory. There is alarm support for Min/Max Secrets count and change in secrets count. Closes #137 --- _By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license_
diff --git a/API.md b/API.md
diff --git a/README.md b/README.md
@@ -89,7 +89,8 @@ You can browse the documentation at https://constructs.dev/packages/cdk-monitori
 | AWS RDS (`.monitorRdsCluster()`) | Query duration, connections, latency, disk/CPU usage | Connections, disk and CPU usage | |
 | AWS Redshift (`.monitorRedshiftCluster()`) | Query duration, connections, latency, disk/CPU usage | Query duration, connections, disk and CPU usage | |
 | AWS S3 Bucket (`.monitorS3Bucket()`) | Bucket size and number of objects | | |
-| AWS SecretsManager (`.monitorSecretsManagerSecret()`) | Days since last rotation | Days since last change or rotation | |
+| AWS SecretsManager (`.monitorSecretsManager()`) | Max secret count, min secret sount, secret count change | Min/max secret count or change in secret count | |
+| AWS SecretsManager Secret (`.monitorSecretsManagerSecret()`) | Days since last rotation | Days since last change or rotation | |
 | AWS SNS Topic (`.monitorSnsTopic()`) | Message count, size, failed notifications | Failed notifications, min/max published messages | |
 | AWS SQS Queue (`.monitorSqsQueue()`, `.monitorSqsQueueWithDlq()`) | Message count, age, size | Message count, age, DLQ incoming messages | |
 | AWS Step Functions (`.monitorStepFunction()`, `.monitorStepFunctionActivity()`, `monitorStepFunctionLambdaIntegration()`, `.monitorStepFunctionServiceIntegration()`) | Execution count and breakdown per state | Duration, failed, failed rate, aborted, throttled, timed out executions | |
diff --git a/lib/common/monitoring/alarms/SecretsManagerAlarmFactory.ts b/lib/common/monitoring/alarms/SecretsManagerAlarmFactory.ts
@@ -0,0 +1,118 @@
+import {
+  ComparisonOperator,
+  TreatMissingData,
+} from "aws-cdk-lib/aws-cloudwatch";
+
+import { AlarmFactory, CustomAlarmThreshold } from "../../alarm";
+import { MetricWithAlarmSupport } from "../../metric";
+
+const NUMBER_OF_DATAPOINTS = 1;
+
+export interface MinSecretCountThreshold extends CustomAlarmThreshold {
+  readonly minSecretCount: number;
+}
+
+export interface MaxSecretCountThreshold extends CustomAlarmThreshold {
+  readonly maxSecretCount: number;
+}
+
+export interface ChangeInSecretCountThreshold extends CustomAlarmThreshold {
+  readonly requiredSecretCount: number;
+  readonly alarmWhenIncreased: boolean;
+  readonly alarmWhenDecreased: boolean;
+  readonly additionalDescription?: string;
+}
+
+export class SecretsManagerAlarmFactory {
+  protected readonly alarmFactory: AlarmFactory;
+
+  constructor(alarmFactory: AlarmFactory) {
+    this.alarmFactory = alarmFactory;
+  }
+
+  addMinSecretCountAlarm(
+    metric: MetricWithAlarmSupport,
+    props: MinSecretCountThreshold,
+    disambiguator?: string
+  ) {
+    return this.alarmFactory.addAlarm(metric, {
+      treatMissingData:
+        props.treatMissingDataOverride ?? TreatMissingData.MISSING,
+      datapointsToAlarm: props.datapointsToAlarm ?? NUMBER_OF_DATAPOINTS,
+      comparisonOperator:
+        props.comparisonOperatorOverride ??
+        ComparisonOperator.LESS_THAN_THRESHOLD,
+      ...props,
+      disambiguator,
+      threshold: props.minSecretCount,
+      alarmNameSuffix: "Secrets-Count-Min",
+      alarmDescription: "Number of secrets is too low.",
+    });
+  }
+
+  addMaxSecretCountAlarm(
+    metric: MetricWithAlarmSupport,
+    props: MaxSecretCountThreshold,
+    disambiguator?: string
+  ) {
+    return this.alarmFactory.addAlarm(metric, {
+      treatMissingData:
+        props.treatMissingDataOverride ?? TreatMissingData.MISSING,
+      comparisonOperator:
+        props.comparisonOperatorOverride ??
+        ComparisonOperator.GREATER_THAN_THRESHOLD,
+      datapointsToAlarm: props.datapointsToAlarm ?? NUMBER_OF_DATAPOINTS,
+      ...props,
+      disambiguator,
+      threshold: props.maxSecretCount,
+      alarmNameSuffix: "Secrets-Count-Max",
+      alarmDescription: "Number of secrets is too high.",
+    });
+  }
+
+  addChangeInSecretCountAlarm(
+    metric: MetricWithAlarmSupport,
+    props: ChangeInSecretCountThreshold,
+    disambiguator?: string
+  ) {
+    return this.alarmFactory.addAlarm(metric, {
+      ...props,
+      disambiguator,
+      treatMissingData:
+        props.treatMissingDataOverride ?? TreatMissingData.MISSING,
+      threshold: props.requiredSecretCount,
+      comparisonOperator: this.getComparisonOperator(props),
+      datapointsToAlarm: props.datapointsToAlarm ?? NUMBER_OF_DATAPOINTS,
+      alarmNameSuffix: "Secrets-Count-Change",
+      alarmDescription: this.getDefaultDescription(props),
+    });
+  }
+
+  private getDefaultDescription(props: ChangeInSecretCountThreshold) {
+    if (props.alarmWhenIncreased && props.alarmWhenDecreased) {
+      return "Secret count: Secret count has changed.";
+    } else if (props.alarmWhenIncreased) {
+      return "Secret count: Secret count has increased.";
+    } else if (props.alarmWhenDecreased) {
+      return "Secret count: Secret count has decreased.";
+    } else {
+      throw new Error(
+        "You need to alarm when the value has increased, decreased, or both."
+      );
+    }
+  }
+
+  private getComparisonOperator(props: ChangeInSecretCountThreshold) {
+    if (props.alarmWhenIncreased && props.alarmWhenDecreased) {
+      return ComparisonOperator.LESS_THAN_LOWER_OR_GREATER_THAN_UPPER_THRESHOLD;
+    } else if (props.alarmWhenDecreased) {
+      return ComparisonOperator.LESS_THAN_THRESHOLD;
+    } else if (props.alarmWhenIncreased) {
+      return ComparisonOperator.GREATER_THAN_THRESHOLD;
+    } else {
+      throw new Error(
+        "You need to alarm when the value has increased, decreased, or both."
+      );
+    }
+  }
+}
diff --git a/lib/common/monitoring/alarms/index.ts b/lib/common/monitoring/alarms/index.ts
@@ -11,6 +11,7 @@ export * from "./LatencyAlarmFactory";
 export * from "./LogLevelAlarmFactory";
 export * from "./OpenSearchClusterAlarmFactory";
 export * from "./QueueAlarmFactory";
+export * from "./SecretsManagerAlarmFactory";
 export * from "./TaskHealthAlarmFactory";
 export * from "./ThroughputAlarmFactory";
 export * from "./TopicAlarmFactory";
diff --git a/lib/facade/MonitoringFacade.ts b/lib/facade/MonitoringFacade.ts
@@ -94,6 +94,8 @@ import {
   RedshiftClusterMonitoringProps,
   S3BucketMonitoring,
   S3BucketMonitoringProps,
+  SecretsManagerMonitoring,
+  SecretsManagerMonitoringProps,
   SecretsManagerSecretMonitoring,
   SecretsManagerSecretMonitoringProps,
   SimpleEc2ServiceMonitoringProps,
@@ -637,6 +639,12 @@ export class MonitoringFacade extends MonitoringScope {
     return this;
   }
 
+  monitorSecretsManager(props: SecretsManagerMonitoringProps) {
+    const segment = new SecretsManagerMonitoring(this, props);
+    this.addSegment(segment, props);
+    return this;
+  }
+
   monitorSecretsManagerSecret(props: SecretsManagerSecretMonitoringProps) {
     const segment = new SecretsManagerSecretMonitoring(this, props);
     this.addSegment(segment, props);
diff --git a/lib/monitoring/aws-secretsmanager/SecretsManagerMetricFactory.ts b/lib/monitoring/aws-secretsmanager/SecretsManagerMetricFactory.ts
@@ -0,0 +1,37 @@
+import { Duration } from "aws-cdk-lib";
+import { MetricFactory, MetricStatistic } from "../../common";
+
+const CLASS = "None";
+const DEFAULT_METRIC_PERIOD = Duration.hours(1);
+const METRICNAMESECRETCOUNT = "ResourceCount";
+const NAMESPACE = "AWS/SecretsManager";
+const RESOURCE = "SecretCount";
+const SERVICE = "Secrets Manager";
+const TYPE = "Resource";
+
+export class SecretsManagerMetricFactory {
+  protected readonly metricFactory: MetricFactory;
+
+  constructor(metricFactory: MetricFactory) {
+    this.metricFactory = metricFactory;
+  }
+
+  metricSecretCount() {
+    const dimensionsMap = {
+      Class: CLASS,
+      Resource: RESOURCE,
+      Service: SERVICE,
+      Type: TYPE,
+    };
+
+    return this.metricFactory.createMetric(
+      METRICNAMESECRETCOUNT,
+      MetricStatistic.AVERAGE,
+      "Count",
+      dimensionsMap,
+      undefined,
+      NAMESPACE,
+      DEFAULT_METRIC_PERIOD
+    );
+  }
+}
diff --git a/lib/monitoring/aws-secretsmanager/SecretsManagerMonitoring.ts b/lib/monitoring/aws-secretsmanager/SecretsManagerMonitoring.ts
@@ -0,0 +1,139 @@
+import {
+  GraphWidget,
+  HorizontalAnnotation,
+  IWidget,
+} from "aws-cdk-lib/aws-cloudwatch";
+import { SecretsManagerMetricFactory } from "./SecretsManagerMetricFactory";
+import {
+  BaseMonitoringProps,
+  ChangeInSecretCountThreshold,
+  CountAxisFromZero,
+  DefaultGraphWidgetHeight,
+  DefaultSummaryWidgetHeight,
+  HalfWidth,
+  MaxSecretCountThreshold,
+  MetricWithAlarmSupport,
+  MinSecretCountThreshold,
+  Monitoring,
+  MonitoringScope,
+  SecretsManagerAlarmFactory,
+  ThirdWidth,
+} from "../../common";
+import {
+  MonitoringHeaderWidget,
+  MonitoringNamingStrategy,
+} from "../../dashboard";
+
+export interface SecretsManagerMonitoringOptions extends BaseMonitoringProps {
+  readonly addMinNumberSecretsAlarm?: Record<string, MinSecretCountThreshold>;
+  readonly addMaxNumberSecretsAlarm?: Record<string, MaxSecretCountThreshold>;
+  readonly addChangeInSecretsAlarm?: Record<
+    string,
+    ChangeInSecretCountThreshold
+  >;
+}
+
+export interface SecretsManagerMonitoringProps
+  extends SecretsManagerMonitoringOptions {}
+
+export class SecretsManagerMonitoring extends Monitoring {
+  readonly title: string;
+
+  readonly secretsManagerAlarmFactory: SecretsManagerAlarmFactory;
+  readonly secretsCountAnnotation: HorizontalAnnotation[];
+
+  readonly secretsCountMetric: MetricWithAlarmSupport;
+
+  constructor(scope: MonitoringScope, props: SecretsManagerMonitoringProps) {
+    super(scope);
+
+    const namingStrategy = new MonitoringNamingStrategy({
+      ...props,
+      fallbackConstructName: "SecretsManager",
+    });
+
+    this.title = namingStrategy.resolveHumanReadableName();
+
+    const alarmFactory = this.createAlarmFactory(
+      namingStrategy.resolveAlarmFriendlyName()
+    );
+    this.secretsManagerAlarmFactory = new SecretsManagerAlarmFactory(
+      alarmFactory
+    );
+    this.secretsCountAnnotation = [];
+
+    const metricFactory = new SecretsManagerMetricFactory(
+      scope.createMetricFactory()
+    );
+    this.secretsCountMetric = metricFactory.metricSecretCount();
+
+    for (const disambiguator in props.addMaxNumberSecretsAlarm) {
+      const alarmProps = props.addMaxNumberSecretsAlarm[disambiguator];
+      const createdAlarm =
+        this.secretsManagerAlarmFactory.addMaxSecretCountAlarm(
+          this.secretsCountMetric,
+          alarmProps,
+          disambiguator
+        );
+      this.secretsCountAnnotation.push(createdAlarm.annotation);
+      this.addAlarm(createdAlarm);
+    }
+
+    for (const disambiguator in props.addMinNumberSecretsAlarm) {
+      const alarmProps = props.addMinNumberSecretsAlarm[disambiguator];
+      const createdAlarm =
+        this.secretsManagerAlarmFactory.addMinSecretCountAlarm(
+          this.secretsCountMetric,
+          alarmProps,
+          disambiguator
+        );
+      this.secretsCountAnnotation.push(createdAlarm.annotation);
+      this.addAlarm(createdAlarm);
+    }
+
+    for (const disambiguator in props.addChangeInSecretsAlarm) {
+      const alarmProps = props.addChangeInSecretsAlarm[disambiguator];
+      const createdAlarm =
+        this.secretsManagerAlarmFactory.addChangeInSecretCountAlarm(
+          this.secretsCountMetric,
+          alarmProps,
+          disambiguator
+        );
+      this.secretsCountAnnotation.push(createdAlarm.annotation);
+      this.addAlarm(createdAlarm);
+    }
+    props.useCreatedAlarms?.consume(this.createdAlarms());
+  }
+
+  summaryWidgets(): IWidget[] {
+    return [
+      this.createTitleWidget(),
+      this.createSecretsCountWidget(HalfWidth, DefaultSummaryWidgetHeight),
+    ];
+  }
+
+  widgets(): IWidget[] {
+    return [
+      this.createTitleWidget(),
+      this.createSecretsCountWidget(ThirdWidth, DefaultGraphWidgetHeight),
+    ];
+  }
+
+  createTitleWidget() {
+    return new MonitoringHeaderWidget({
+      family: "Secrets Manager Secrets",
+      title: this.title,
+    });
+  }
+
+  createSecretsCountWidget(width: number, height: number) {
+    return new GraphWidget({
+      width,
+      height,
+      title: "Secret Count",
+      left: [this.secretsCountMetric],
+      leftYAxis: CountAxisFromZero,
+      leftAnnotations: this.secretsCountAnnotation,
+    });
+  }
+}
diff --git a/lib/monitoring/aws-secretsmanager/index.ts b/lib/monitoring/aws-secretsmanager/index.ts
@@ -1,3 +1,5 @@
+export * from "./SecretsManagerMetricFactory";
 export * from "./SecretsManagerMetricsPublisher";
 export * from "./SecretsManagerSecretMetricFactory";
+export * from "./SecretsManagerMonitoring";
 export * from "./SecretsManagerSecretMonitoring";
diff --git a/test/monitoring/aws-secretsmanager/SecretsManagerMonitoring.test.ts b/test/monitoring/aws-secretsmanager/SecretsManagerMonitoring.test.ts
diff --git a/test/monitoring/aws-secretsmanager/__snapshots__/SecretsManagerMonitoring.test.ts.snap b/test/monitoring/aws-secretsmanager/__snapshots__/SecretsManagerMonitoring.test.ts.snap
