feat: DD_LAMBDA_FIPS_MODE handling for metrics

Author: apiarian-datadog

ddlambda.go

@@ -70,6 +70,8 @@ type (
 		// the counter will get totally reset after CircuitBreakerInterval
 		// default: 4
 		CircuitBreakerTotalFailures uint32
+		// FIPSMode enables FIPS mode. Defaults to true in GovCloud regions and false elsewhere.
+		FIPSMode *bool
 		// TraceContextExtractor is the function that extracts a root/parent trace context from the Lambda event body.
 		// See trace.DefaultTraceExtractor for an example.
 		TraceContextExtractor trace.ContextExtractor
@@ -97,6 +99,9 @@ const (
 	UniversalInstrumentation = "DD_UNIVERSAL_INSTRUMENTATION"
 	// Initialize otel tracer provider if enabled
 	OtelTracerEnabled = "DD_TRACE_OTEL_ENABLED"
+	// FIPSModeEnvVar is the environment variable that determines whether to enable FIPS mode.
+	// Defaults to true in GovCloud regions and false otherwise.
+	FIPSModeEnvVar = "DD_LAMBDA_FIPS_MODE"
 
 	// DefaultSite to send API messages to.
 	DefaultSite = "datadoghq.com"
@@ -268,6 +273,7 @@ func (cfg *Config) toMetricsConfig(isExtensionRunning bool) metrics.Config {
 
 	mc := metrics.Config{
 		ShouldRetryOnFailure: false,
+		FIPSMode:             cfg.calculateFipsMode(),
 	}
 
 	if cfg != nil {
@@ -325,6 +331,34 @@ func (cfg *Config) toMetricsConfig(isExtensionRunning bool) metrics.Config {
 	return mc
 }
 
+func (cfg *Config) calculateFipsMode() bool {
+	if cfg != nil && cfg.FIPSMode != nil {
+		return *cfg.FIPSMode
+	}
+
+	region := os.Getenv("AWS_REGION")
+	isGovCloud := strings.HasPrefix(region, "us-gov-")
+
+	fipsMode := isGovCloud
+
+	fipsModeEnv := os.Getenv(FIPSModeEnvVar)
+	if fipsModeEnv != "" {
+		if parsedFipsMode, err := strconv.ParseBool(fipsModeEnv); err == nil {
+			fipsMode = parsedFipsMode
+		}
+	}
+
+	if fipsMode || isGovCloud {
+		if fipsMode {
+			logger.Debug("Go Lambda Layer FIPS mode enabled")
+		} else {
+			logger.Debug("Go Lambda Layer FIPS mode disabled")
+		}
+	}
+
+	return fipsMode
+}
+
 // setupAppSec checks if DD_SERVERLESS_APPSEC_ENABLED is set (to true) and when that
 // is the case, redirects `AWS_LAMBDA_RUNTIME_API` to the agent extension, and turns
 // on universal instrumentation unless it was already configured by the customer, so

ddlambda_test.go

@@ -104,3 +104,102 @@ func TestToMetricConfigLocalTest(t *testing.T) {
 		})
 	}
 }
+
+func TestCalculateFipsMode(t *testing.T) {
+	// Save original environment to restore later
+	originalRegion := os.Getenv("AWS_REGION")
+	originalFipsMode := os.Getenv(FIPSModeEnvVar)
+	defer func() {
+		os.Setenv("AWS_REGION", originalRegion)
+		os.Setenv(FIPSModeEnvVar, originalFipsMode)
+	}()
+
+	testCases := []struct {
+		name           string
+		configFIPSMode *bool
+		region         string
+		fipsModeEnv    string
+		expected       bool
+	}{
+		{
+			name:           "Config explicit true",
+			configFIPSMode: boolPtr(true),
+			region:         "us-east-1",
+			fipsModeEnv:    "",
+			expected:       true,
+		},
+		{
+			name:           "Config explicit false",
+			configFIPSMode: boolPtr(false),
+			region:         "us-gov-west-1",
+			fipsModeEnv:    "",
+			expected:       false,
+		},
+		{
+			name:           "GovCloud default true",
+			configFIPSMode: nil,
+			region:         "us-gov-east-1",
+			fipsModeEnv:    "",
+			expected:       true,
+		},
+		{
+			name:           "Non-GovCloud default false",
+			configFIPSMode: nil,
+			region:         "us-east-1",
+			fipsModeEnv:    "",
+			expected:       false,
+		},
+		{
+			name:           "Env var override to true",
+			configFIPSMode: nil,
+			region:         "us-east-1",
+			fipsModeEnv:    "true",
+			expected:       true,
+		},
+		{
+			name:           "Env var override to false",
+			configFIPSMode: nil,
+			region:         "us-gov-west-1",
+			fipsModeEnv:    "false",
+			expected:       false,
+		},
+		{
+			name:           "Invalid env var in GovCloud",
+			configFIPSMode: nil,
+			region:         "us-gov-west-1",
+			fipsModeEnv:    "invalid",
+			expected:       true,
+		},
+		{
+			name:           "Invalid env var in non-GovCloud",
+			configFIPSMode: nil,
+			region:         "us-east-1",
+			fipsModeEnv:    "invalid",
+			expected:       false,
+		},
+		{
+			name:           "Config takes precedence over env and region",
+			configFIPSMode: boolPtr(true),
+			region:         "us-east-1",
+			fipsModeEnv:    "false",
+			expected:       true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			os.Setenv("AWS_REGION", tc.region)
+			os.Setenv(FIPSModeEnvVar, tc.fipsModeEnv)
+
+			cfg := &Config{FIPSMode: tc.configFIPSMode}
+			result := cfg.calculateFipsMode()
+
+			assert.Equal(t, tc.expected, result, "calculateFipsMode returned incorrect value")
+		})
+	}
+}
+
+// Helper function to create bool pointers
+func boolPtr(b bool) *bool {
+	return &b
+}

internal/metrics/kms_decrypter.go

@@ -13,7 +13,6 @@ import (
 	"fmt"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"os"
-	"strings"
 
 	"github.com/DataDog/datadog-lambda-go/internal/logger"
 	"github.com/aws/aws-sdk-go-v2/config"
@@ -45,12 +44,11 @@ const regionEnvVar string = "AWS_REGION"
 const encryptionContextKey string = "LambdaFunctionName"
 
 // MakeKMSDecrypter creates a new decrypter which uses the AWS KMS service to decrypt variables
-func MakeKMSDecrypter() Decrypter {
-	region := os.Getenv(regionEnvVar)
+func MakeKMSDecrypter(fipsMode bool) Decrypter {
 	fipsEndpoint := aws.FIPSEndpointStateUnset
-	if strings.HasPrefix(region, "us-gov-") {
+	if fipsMode {
 		fipsEndpoint = aws.FIPSEndpointStateEnabled
-		logger.Debug("GovCloud region detected. Using FIPS endpoint for KMS decryption.")
+		logger.Debug("Using FIPS endpoint for KMS decryption.")
 	}
 
 	cfg, err := config.LoadDefaultConfig(context.Background(), config.WithUseFIPSEndpoint(fipsEndpoint))

internal/metrics/listener.go

@@ -50,6 +50,7 @@ type (
 		CircuitBreakerTimeout       time.Duration
 		CircuitBreakerTotalFailures uint32
 		LocalTest                   bool
+		FIPSMode                    bool
 	}
 
 	logMetric struct {
@@ -63,13 +64,17 @@ type (
 // MakeListener initializes a new metrics lambda listener
 func MakeListener(config Config, extensionManager *extension.ExtensionManager) Listener {
 
-	apiClient := MakeAPIClient(context.Background(), APIClientOptions{
-		baseAPIURL:        config.Site,
-		apiKey:            config.APIKey,
-		decrypter:         MakeKMSDecrypter(),
-		kmsAPIKey:         config.KMSAPIKey,
-		httpClientTimeout: config.HTTPClientTimeout,
-	})
+	var apiClient *APIClient
+	if !config.FIPSMode {
+		apiClient = MakeAPIClient(context.Background(), APIClientOptions{
+			baseAPIURL:        config.Site,
+			apiKey:            config.APIKey,
+			decrypter:         MakeKMSDecrypter(config.FIPSMode),
+			kmsAPIKey:         config.KMSAPIKey,
+			httpClientTimeout: config.HTTPClientTimeout,
+		})
+	}
+
 	if config.HTTPClientTimeout <= 0 {
 		config.HTTPClientTimeout = defaultHttpClientTimeout
 	}
@@ -109,7 +114,7 @@ func MakeListener(config Config, extensionManager *extension.ExtensionManager) L
 
 // canSendMetrics reports whether l can send metrics.
 func (l *Listener) canSendMetrics() bool {
-	return l.isAgentRunning || l.apiClient.apiKey != "" || l.config.KMSAPIKey != "" || l.config.ShouldUseLogForwarder
+	return l.isAgentRunning || l.config.ShouldUseLogForwarder || !l.config.FIPSMode || l.apiClient.apiKey != "" || l.config.KMSAPIKey != ""
 }
 
 // HandlerStarted adds metrics service to the context
@@ -118,16 +123,20 @@ func (l *Listener) HandlerStarted(ctx context.Context, msg json.RawMessage) cont
 		logger.Error(fmt.Errorf("datadog api key isn't set, won't be able to send metrics"))
 	}
 
-	ts := MakeTimeService()
-	pr := MakeProcessor(ctx, l.apiClient, ts, l.config.BatchInterval, l.config.ShouldRetryOnFailure, l.config.CircuitBreakerInterval, l.config.CircuitBreakerTimeout, l.config.CircuitBreakerTotalFailures)
-	l.processor = pr
-
 	ctx = AddListener(ctx, l)
-	// Setting the context on the client will mean that future requests will be cancelled correctly
-	// if the lambda times out.
-	l.apiClient.context = ctx
 
-	pr.StartProcessing()
+	if !l.config.FIPSMode {
+		ts := MakeTimeService()
+		pr := MakeProcessor(ctx, l.apiClient, ts, l.config.BatchInterval, l.config.ShouldRetryOnFailure, l.config.CircuitBreakerInterval, l.config.CircuitBreakerTimeout, l.config.CircuitBreakerTotalFailures)
+		l.processor = pr
+
+		// Setting the context on the client will mean that future requests will be cancelled correctly
+		// if the lambda times out.
+		l.apiClient.context = ctx
+
+		pr.StartProcessing()
+	}
+
 	l.submitEnhancedMetrics("invocations", ctx)
 
 	return ctx
@@ -192,6 +201,12 @@ func (l *Listener) AddDistributionMetric(metric string, value float64, timestamp
 		logger.Raw(payload)
 		return
 	}
+
+	if l.config.FIPSMode {
+		logger.Debug(fmt.Sprintf("skipping metric %s due to FIPS mode - direct API calls are disabled", metric))
+		return
+	}
+
 	m := Distribution{
 		Name:   metric,
 		Tags:   tags,

internal/metrics/listener_test.go

@@ -99,6 +99,49 @@ func TestAddDistributionMetricWithForceLogForwarder(t *testing.T) {
 	assert.False(t, called)
 }
 
+func TestAddDistributionMetricWithFIPSMode(t *testing.T) {
+	// Setup a test server to detect if any API calls are made
+	apiCallAttempted := false
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		apiCallAttempted = true
+		w.WriteHeader(http.StatusCreated)
+	}))
+	defer server.Close()
+
+	// Create a listener with FIPS mode enabled
+	listener := MakeListener(Config{
+		APIKey:    "12345",
+		Site:      server.URL,
+		FIPSMode:  true,
+	}, &extension.ExtensionManager{})
+
+	// Verify the API client wasn't created
+	assert.Nil(t, listener.apiClient, "API client should be nil when FIPS mode is enabled")
+
+	// Initialize the listener
+	ctx := listener.HandlerStarted(context.Background(), json.RawMessage{})
+
+	// Verify processor wasn't initialized
+	assert.Nil(t, listener.processor, "Processor should be nil when FIPS mode is enabled")
+
+	// Log calls to validate we're getting the expected log message
+	var logOutput string
+	logger.SetLogLevel(logger.LevelDebug)
+	logOutput = captureOutput(func() {
+		listener.AddDistributionMetric("fips-test-metric", 42, time.Now(), false, "tag:fips")
+	})
+
+	// Check that we logged the skipping message
+	assert.Contains(t, logOutput, "skipping metric fips-test-metric due to FIPS mode", "Expected log about skipping metric")
+	assert.Contains(t, logOutput, "direct API calls are disabled", "Expected log about disabled API calls")
+
+	// Finish the handler
+	listener.HandlerFinished(ctx, nil)
+
+	// Check that no API call was attempted
+	assert.False(t, apiCallAttempted, "No API call should be attempted when FIPS mode is enabled")
+}
+
 func TestGetEnhancedMetricsTags(t *testing.T) {
 	//nolint
 	ctx := context.WithValue(context.Background(), "cold_start", false)