feat(go-forwarder): add tests

Author: ndakkoune

aws/logs_monitoring_go/go.mod

@@ -2,24 +2,27 @@ module github.com/DataDog/datadog-serverless-functions/aws/logs_monitoring_go
 
 go 1.26
 
-require github.com/aws/aws-lambda-go v1.53.0
+require (
+	github.com/aws/aws-lambda-go v1.53.0
+	github.com/aws/aws-sdk-go-v2 v1.41.4
+	github.com/aws/aws-sdk-go-v2/config v1.32.12
+	github.com/stretchr/testify v1.11.1
+)
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.41.4 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.32.12 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.12 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
 	github.com/aws/smithy-go v1.24.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

aws/logs_monitoring_go/go.sum

@@ -18,14 +18,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhL
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=
-github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 h1:s/zDSG/a/Su9aX+v0Ld9cimUCdkr5FWPmBV8owaEbZY=
-github.com/aws/aws-sdk-go-v2/service/kms v1.50.3/go.mod h1:/iSgiUor15ZuxFGQSTf3lA2FmKxFsQoc2tADOarQBSw=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4 h1:9aZbO86sraeCIHHCpZhxwN9tnVy9POkSKzi4/TpT54A=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4/go.mod h1:cxiXDhEzIq7Xx1BtmC4lGBK3SwAZ79+EUWiKawYHo14=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3 h1:bBoWhx8lsFLTXintRX64ZBXcmFZbGqUmaPUrjXECqIc=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3/go.mod h1:rcRkKbUJ2437WuXdq9fbj+MjTudYWzY9Ct8kiBbN8a8=
 github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=
 github.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU=
@@ -38,7 +32,9 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
-github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

aws/logs_monitoring_go/internal/config/apikey.go

@@ -7,9 +7,11 @@ package config
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"log/slog"
+	"net/http"
 	"os"
 	"time"
 
@@ -19,7 +21,9 @@ import (
 )
 
 const (
-	awsClientTimeout = 5 * time.Second
+	httpClientTimeout  = 10 * time.Second
+	maxRetries         = 5
+	retryBackoffFactor = 1 * time.Second
 )
 
 type resolveOptions struct {
@@ -29,6 +33,14 @@ type resolveOptions struct {
 
 type apiKeyResolver func(ctx context.Context, opts resolveOptions) (string, error)
 
+var retryableStatusCodes = map[int]bool{
+	429: true,
+	500: true,
+	502: true,
+	503: true,
+	504: true,
+}
+
 var resolvers = []struct {
 	envVar  string
 	resolve apiKeyResolver
@@ -41,7 +53,7 @@ var resolvers = []struct {
 
 func (c *Config) resolveAPIKey(ctx context.Context) error {
 	awsCfg, err := awsconfig.LoadDefaultConfig(ctx,
-		awsconfig.WithHTTPClient(awshttp.NewBuildableClient().WithTimeout(awsClientTimeout)),
+		awsconfig.WithHTTPClient(awshttp.NewBuildableClient().WithTimeout(httpClientTimeout)),
 	)
 
 	if err != nil {
@@ -65,6 +77,74 @@ func (c *Config) resolveAPIKey(ctx context.Context) error {
 	return errors.New("no API key configured: set DD_API_KEY_SECRET_ARN, DD_API_KEY_SSM_NAME, DD_KMS_API_KEY, or DD_API_KEY. See: https://docs.datadoghq.com/serverless/forwarder/")
 }
 
+// Note: the API key verification could fail (e.g. Datadog verification endpoint or network problem)
+// Instead of failing the whole lambda at startup, it should run up to the log sending part and verify the
+// key at this moment, adding the run to the future retry logic in such case.
+// The method may disappear in the future.
+func (c *Config) validateAPIKey() error {
+	if c.APIKey == "" || c.APIKey == "<YOUR_DATADOG_API_KEY>" {
+		return errors.New("missing Datadog API key. Set DD_API_KEY environment variable. See: https://docs.datadoghq.com/serverless/forwarder/")
+	}
+
+	if len(c.APIKey) != 32 {
+		return fmt.Errorf("invalid Datadog API key format: expected 32 characters, got %d. Verify your API key at https://app.%s/organization-settings/api-keys", len(c.APIKey), c.Site)
+	}
+
+	slog.Debug("validating Datadog API key")
+
+	client := &http.Client{
+		Timeout: httpClientTimeout,
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: c.SkipSSLValidation,
+			},
+		},
+	}
+
+	url := fmt.Sprintf("%s/api/v1/validate?api_key=%s", c.APIURL, c.APIKey)
+
+	var lastErr error
+	var lastStatus int
+	for attempt := range maxRetries {
+		resp, err := client.Get(url)
+		if err != nil {
+			lastErr = err
+			slog.Debug("API key validation request failed, retrying", "attempt", attempt+1, "error", err)
+			time.Sleep(retryBackoffFactor * time.Duration(1<<attempt))
+			continue
+		}
+		resp.Body.Close()
+
+		if resp.StatusCode >= 200 && resp.StatusCode < 300 {
+			return nil
+		}
+
+		if !retryableStatusCodes[resp.StatusCode] {
+			slog.Warn("API key validation failed. Verify your API key is correct and DD_SITE matches your Datadog account region. See: https://docs.datadoghq.com/getting_started/site/",
+				"status", resp.StatusCode,
+				"site", c.Site,
+			)
+			return nil
+		}
+
+		lastStatus = resp.StatusCode
+		slog.Debug("API key validation returned retryable status, retrying", "attempt", attempt+1, "status", resp.StatusCode)
+		time.Sleep(retryBackoffFactor * time.Duration(1<<attempt))
+	}
+
+	if lastErr != nil {
+		slog.Warn("API key validation failed after retries, continuing anyway", "attempts", maxRetries, "error", lastErr)
+	} else {
+		slog.Warn("API key validation failed after retries. Verify your API key is correct and DD_SITE matches your Datadog account region. See: https://docs.datadoghq.com/getting_started/site/",
+			"attempts", maxRetries,
+			"lastStatus", lastStatus,
+			"site", c.Site,
+		)
+	}
+
+	return nil
+}
+
 func resolveFromSecretsManager(ctx context.Context, opts resolveOptions) (string, error) {
 	return "", nil
 }
@@ -78,32 +158,5 @@ func resolveFromKMS(ctx context.Context, opts resolveOptions) (string, error) {
 }
 
 func resolveFromEnv(ctx context.Context, opts resolveOptions) (string, error) {
-	// if len(opts.Value) != 32 {
-	// 	return "", fmt.Errorf("invalid datadog api key format")
-	// }
-
-	// client := &http.Client{
-	// 	Timeout: TIMEOUT * time.Second,
-	// 	Transport: &http.Transport{
-	// 		TLSClientConfig: &tls.Config{
-	// 			InsecureSkipVerify: skipSSLValidation,
-	// 		},
-	// 	},
-	// }
-
-	// res, err := http.Get()
-	// if err != nil {
-
-	// }
-
 	return opts.Value, nil
 }
-
-// Note: the API key verification could fail (e.g. Datadog verification endpoint or network problem)
-// Instead of failing the whole lambda at startup, it should run up to the log sending part and verify the
-// key at this moment, adding the run to the future retry logic in such case.
-// The method may disappear in the future.
-func (c *Config) validateAPIKey() error {
-	// TODO: implement validation against Datadog API
-	return nil
-}

aws/logs_monitoring_go/internal/config/apikey_test.go

@@ -0,0 +1,120 @@
+package config
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestResolveAPIKey(t *testing.T) {
+	t.Run("no env vars set", func(t *testing.T) {
+		cfg := &Config{}
+		err := cfg.resolveAPIKey(context.Background())
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "no API key configured")
+	})
+
+	t.Run("DD_API_KEY set", func(t *testing.T) {
+		t.Setenv("DD_API_KEY", "abcdef1234567890abcdef1234567890")
+
+		cfg := &Config{}
+		err := cfg.resolveAPIKey(context.Background())
+		assert.NoError(t, err)
+		assert.Equal(t, "abcdef1234567890abcdef1234567890", cfg.APIKey)
+	})
+
+	t.Run("DD_API_KEY_SECRET_ARN takes priority over DD_API_KEY", func(t *testing.T) {
+		t.Setenv("DD_API_KEY", "abcdef1234567890abcdef1234567890")
+		t.Setenv("DD_API_KEY_SECRET_ARN", "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret")
+
+		cfg := &Config{}
+		err := cfg.resolveAPIKey(context.Background())
+		assert.NoError(t, err)
+		assert.Equal(t, "", cfg.APIKey, "should resolve from Secrets Manager, not DD_API_KEY")
+	})
+}
+
+func TestValidateAPIKey(t *testing.T) {
+	t.Parallel()
+
+	t.Run("empty API key", func(t *testing.T) {
+		t.Parallel()
+
+		cfg := &Config{APIKey: ""}
+		err := cfg.validateAPIKey()
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "missing Datadog API key")
+	})
+
+	t.Run("wrong length", func(t *testing.T) {
+		t.Parallel()
+
+		cfg := &Config{APIKey: "tooshort", Site: "datadoghq.com"}
+		err := cfg.validateAPIKey()
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "expected 32 characters, got 8")
+	})
+
+	t.Run("valid key with successful validation", func(t *testing.T) {
+		t.Parallel()
+
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			assert.Equal(t, "/api/v1/validate", r.URL.Path)
+			assert.Equal(t, "abcdef1234567890abcdef1234567890", r.URL.Query().Get("api_key"))
+			w.WriteHeader(http.StatusOK)
+		}))
+		defer server.Close()
+
+		cfg := &Config{
+			APIKey: "abcdef1234567890abcdef1234567890",
+			APIURL: server.URL,
+			Site:   "datadoghq.com",
+		}
+		err := cfg.validateAPIKey()
+		assert.NoError(t, err)
+	})
+
+	t.Run("valid key with 403 response", func(t *testing.T) {
+		t.Parallel()
+
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusForbidden)
+		}))
+		defer server.Close()
+
+		cfg := &Config{
+			APIKey: "abcdef1234567890abcdef1234567890",
+			APIURL: server.URL,
+			Site:   "datadoghq.com",
+		}
+		err := cfg.validateAPIKey()
+		assert.NoError(t, err)
+	})
+
+	t.Run("retryable 500 then recovers with 200", func(t *testing.T) {
+		t.Parallel()
+
+		callCount := 0
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			callCount++
+			if callCount <= 1 {
+				w.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			w.WriteHeader(http.StatusOK)
+		}))
+		defer server.Close()
+
+		cfg := &Config{
+			APIKey: "abcdef1234567890abcdef1234567890",
+			APIURL: server.URL,
+			Site:   "datadoghq.com",
+		}
+		err := cfg.validateAPIKey()
+		assert.NoError(t, err)
+		assert.Equal(t, 2, callCount, "should have retried once then succeeded")
+	})
+}

aws/logs_monitoring_go/internal/config/config.go

@@ -30,7 +30,7 @@ var deprecatedEnvironmentVariables = []string{
 type Config struct {
 	APIKey            string
 	Site              string
-	URL               string
+	IntakeURL         string
 	Port              int
 	APIURL            string
 	NoSSL             bool
@@ -69,7 +69,7 @@ func (c *Config) deriveURLs() {
 	if c.NoSSL {
 		scheme = "http"
 	}
-	c.URL = envOrDefault("DD_URL", "http-intake.logs."+c.Site)
+	c.IntakeURL = envOrDefault("DD_URL", "http-intake.logs."+c.Site)
 	c.APIURL = envOrDefault("DD_API_URL", fmt.Sprintf("%s://api.%s", scheme, c.Site))
 }