refactor codebase, add tooling, add client mocking and tdd tests

Author: ndakkoune

aws/logs_monitoring_go/Makefile

@@ -1,15 +1,12 @@
-.PHONY: build package test lint clean sam-build sam-invoke sam-deploy build-ForwarderFunction
-
 BINARY_NAME := bootstrap
 ZIP_NAME := forwarder.zip
 
+# Go
+.PHONY: build package test lint clean audit
+
 build:
 	GOOS=linux GOARCH=arm64 go build -o $(BINARY_NAME) ./cmd/forwarder/
 
-# Used by `sam build`
-build-ForwarderFunction:
-	GOOS=linux GOARCH=arm64 go build -o $(ARTIFACTS_DIR)/bootstrap ./cmd/forwarder/
-
 package: build
 	zip $(ZIP_NAME) $(BINARY_NAME)
 
@@ -19,15 +16,26 @@ test:
 lint:
 	golangci-lint run ./...
 
+audit:
+	go vet ./...
+	go tool staticcheck ./...
+	go tool govulncheck
+
 clean:
 	rm -f $(BINARY_NAME) $(ZIP_NAME)
 
+# SAM
+.PHONY: build-ForwarderFunction sam-build sam-invoke sam-deploy 
+
+build-ForwarderFunction:
+	GOOS=linux GOARCH=arm64 go build -o $(ARTIFACTS_DIR)/bootstrap ./cmd/forwarder/
+
 sam-build:
 	sam build
 
+sam-deploy: sam-build
+	sam deploy
+
 EVENT ?= events/cloudwatch_logs.json
 sam-invoke: sam-build
 	sam local invoke ForwarderFunction -e $(EVENT)
-
-sam-deploy: sam-build
-	sam deploy

aws/logs_monitoring_go/cmd/forwarder/main.go

@@ -8,49 +8,28 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"log"
 	"log/slog"
-	"os"
-	"strings"
 
 	"github.com/DataDog/datadog-serverless-functions/aws/logs_monitoring_go/internal/config"
 
 	"github.com/aws/aws-lambda-go/lambda"
 )
 
-func initLogger(level string) {
-	var slogLevel slog.Level
-	switch strings.ToUpper(level) {
-	case "DEBUG":
-		slogLevel = slog.LevelDebug
-	case "INFO":
-		slogLevel = slog.LevelInfo
-	case "WARNING", "WARN":
-		slogLevel = slog.LevelWarn
-	case "ERROR":
-		slogLevel = slog.LevelError
-	default:
-		slogLevel = slog.LevelInfo
+func main() {
+	ctx := context.Background()
+	cfg, err := config.Load(ctx)
+	if err != nil {
+		slog.Error("config load failed", slog.String("error", err.Error()))
+		return
 	}
-	slog.SetDefault(slog.New(slog.NewJSONHandler(os.Stderr, &slog.HandlerOptions{
-		Level: slogLevel,
-	})))
+
+	lambda.Start(handleRequest(cfg))
 }
 
+// cfg not used for now, will be when forwarding logic added
 func handleRequest(cfg *config.Config) func(context.Context, json.RawMessage) error {
 	return func(ctx context.Context, event json.RawMessage) error {
-		slog.Info("received event", "event", string(event))
+		slog.Info("received event", slog.String("event", string(event)))
 		return nil
 	}
 }
-
-func main() {
-	ctx := context.Background()
-	cfg, err := config.Load(ctx)
-	if err != nil {
-		log.Fatalf("config: %v", err)
-	}
-	// TODO: exit if forwading disabled ?
-	initLogger(cfg.LogLevel)
-	lambda.Start(handleRequest(cfg))
-}

aws/logs_monitoring_go/go.mod

@@ -6,7 +6,8 @@ require (
 	github.com/aws/aws-lambda-go v1.53.0
 	github.com/aws/aws-sdk-go-v2 v1.41.4
 	github.com/aws/aws-sdk-go-v2/config v1.32.12
-	github.com/stretchr/testify v1.11.1
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4
+	github.com/google/go-cmp v0.7.0
 )
 
 require (
@@ -22,7 +23,18 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
 	github.com/aws/smithy-go v1.24.2 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	github.com/stretchr/testify v1.11.1 // indirect
+	go.uber.org/mock v0.6.0 // indirect
+	golang.org/x/mod v0.34.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c // indirect
+	golang.org/x/tools v0.43.0 // indirect
+	golang.org/x/vuln v1.1.4 // indirect
+)
+
+tool (
+	go.uber.org/mock/mockgen
+	golang.org/x/tools/cmd/goimports
+	golang.org/x/vuln/cmd/govulncheck
 )

aws/logs_monitoring_go/go.sum

@@ -18,6 +18,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhL
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4 h1:9aZbO86sraeCIHHCpZhxwN9tnVy9POkSKzi4/TpT54A=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4/go.mod h1:cxiXDhEzIq7Xx1BtmC4lGBK3SwAZ79+EUWiKawYHo14=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
 github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=
@@ -30,11 +32,31 @@ github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
 github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c h1:6a8FdnNk6bTXBjR4AGKFgUKuo+7GnR3FX5L7CbveeZc=
+golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c/go.mod h1:TpUTTEp9frx7rTdLpC9gFG9kdI7zVLFTFFlqaH2Cncw=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
+golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

aws/logs_monitoring_go/internal/config/apikey.go

@@ -7,161 +7,82 @@ package config
 
 import (
 	"context"
-	"crypto/tls"
 	"errors"
 	"fmt"
+	"io"
 	"log/slog"
 	"net/http"
 	"os"
-	"strings"
 	"time"
 
-	"github.com/aws/aws-sdk-go-v2/aws"
 	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
 	awsconfig "github.com/aws/aws-sdk-go-v2/config"
 )
 
-const (
-	httpClientTimeout  = 10 * time.Second
-	maxRetries         = 5
-	retryBackoffFactor = 1 * time.Second
+var (
+	ErrMissingAPIKey = errors.New("missing Datadog API key")
+	ErrInvalidAPIKey = errors.New("invalid Datadog API key format")
 )
 
-type resolveOptions struct {
-	AWSCfg aws.Config
-	Value  string
-}
-
-type apiKeyResolver func(ctx context.Context, opts resolveOptions) (string, error)
-
-var retryableStatusCodes = map[int]bool{
-	429: true,
-	500: true,
-	502: true,
-	503: true,
-	504: true,
-}
-
-var resolvers = []struct {
-	envVar  string
-	resolve apiKeyResolver
-}{
-	{"DD_API_KEY_SECRET_ARN", resolveFromSecretsManager},
-	{"DD_API_KEY_SSM_NAME", resolveFromSSM},
-	{"DD_KMS_API_KEY", resolveFromKMS},
-	{"DD_API_KEY", resolveFromEnv},
-}
+const (
+	httpClientTimeout = 3 * time.Second
+)
 
 func (c *Config) resolveAPIKey(ctx context.Context) error {
-	awsCfg, err := awsconfig.LoadDefaultConfig(ctx,
-		awsconfig.WithHTTPClient(awshttp.NewBuildableClient().WithTimeout(httpClientTimeout)),
-	)
-
+	awsCfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithHTTPClient(awshttp.NewBuildableClient().WithTimeout(httpClientTimeout)))
 	if err != nil {
 		return fmt.Errorf("loading AWS config: %w", err)
 	}
 
-	for _, resolver := range resolvers {
-		if v, ok := os.LookupEnv(resolver.envVar); ok {
-			slog.Debug("resolving API key", "source", resolver.envVar)
-			key, err := resolver.resolve(ctx, resolveOptions{
-				AWSCfg: awsCfg,
-				Value:  v,
-			})
-			if err != nil {
-				return fmt.Errorf("resolving API key from %s: %w", resolver.envVar, err)
-			}
-			c.APIKey = strings.TrimSpace(key)
-			slog.Debug("API key resolved", "source", resolver.envVar)
-			return nil
-		}
+	if v, ok := os.LookupEnv("DD_API_KEY_SECRET_ARN"); ok {
+		return c.resolveFromSecretsManager(ctx, awsCfg, v)
+	}
+
+	if v, ok := os.LookupEnv("DD_API_KEY_SSM_NAME"); ok {
+		return c.resolveFromSSM(ctx, awsCfg, v)
+	}
+
+	if v, ok := os.LookupEnv("DD_KMS_API_KEY"); ok {
+		return c.resolveFromKMS(ctx, awsCfg, v)
 	}
-	return errors.New("no API key configured: set DD_API_KEY_SECRET_ARN, DD_API_KEY_SSM_NAME, DD_KMS_API_KEY, or DD_API_KEY. See: https://docs.datadoghq.com/serverless/forwarder/")
+
+	return errors.New("no API key configured: set DD_API_KEY_SECRET_ARN, DD_API_KEY_SSM_NAME or DD_KMS_API_KEY. See: https://docs.datadoghq.com/serverless/forwarder/")
 }
 
-// Note: the API key verification could fail (e.g. Datadog verification endpoint or network problem)
-// Instead of failing the whole lambda at startup, it should run up to the log sending part and verify the
-// key at this moment, adding the run to the future retry logic in such case.
-// The method may disappear in the future.
-func (c *Config) validateAPIKey() error {
-	if c.APIKey == "" || c.APIKey == "<YOUR_DATADOG_API_KEY>" {
-		return errors.New("missing Datadog API key. Set DD_API_KEY environment variable. See: https://docs.datadoghq.com/serverless/forwarder/")
+func (c *Config) validateAPIKey(ctx context.Context) error {
+	if c.APIKey == "" {
+		return fmt.Errorf("%w: set DD_API_KEY_SECRET_ARN, DD_API_KEY_SSM_NAME or DD_KMS_API_KEY. See: https://docs.datadoghq.com/serverless/forwarder/", ErrMissingAPIKey)
 	}
 
 	if len(c.APIKey) != 32 {
-		return fmt.Errorf("invalid Datadog API key format: expected 32 characters, got %d. Verify your API key at https://app.%s/organization-settings/api-keys", len(c.APIKey), c.Site)
+		return fmt.Errorf("%w: expected 32 characters, got %d. Verify your API key at https://app.%s/organization-settings/api-keys", ErrInvalidAPIKey, len(c.APIKey), c.Site)
 	}
 
 	slog.Debug("validating Datadog API key")
 
-	client := &http.Client{
-		Timeout: httpClientTimeout,
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: c.SkipSSLValidation,
-			},
-		},
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.APIURL+"/api/v1/validate", nil)
+	if err != nil {
+		slog.Warn("failed to build API key validation request", slog.String("error", err.Error()))
+		return nil
 	}
+	req.Header.Set("DD-API-KEY", c.APIKey)
 
-	url := fmt.Sprintf("%s/api/v1/validate?api_key=%s", c.APIURL, c.APIKey)
-
-	var lastErr error
-	var lastStatus int
-	for attempt := range maxRetries {
-		resp, err := client.Get(url)
-		if err != nil {
-			lastErr = err
-			slog.Debug("API key validation request failed, retrying", "attempt", attempt+1, "error", err)
-			time.Sleep(retryBackoffFactor * time.Duration(1<<attempt))
-			continue
-		}
-		if err := resp.Body.Close(); err != nil {
-			slog.Debug("failed to close response body", "error", err)
-		}
-
-		if resp.StatusCode >= 200 && resp.StatusCode < 300 {
-			slog.Debug("API key validated successfully")
-			return nil
-		}
-
-		if !retryableStatusCodes[resp.StatusCode] {
-			slog.Warn("API key validation failed. Verify your API key is correct and DD_SITE matches your Datadog account region. See: https://docs.datadoghq.com/getting_started/site/",
-				"status", resp.StatusCode,
-				"site", c.Site,
-			)
-			return nil
-		}
-
-		lastStatus = resp.StatusCode
-		slog.Debug("API key validation returned retryable status, retrying", "attempt", attempt+1, "status", resp.StatusCode)
-		time.Sleep(retryBackoffFactor * time.Duration(1<<attempt))
+	client := &http.Client{Timeout: httpClientTimeout}
+	resp, err := client.Do(req)
+	if err != nil {
+		slog.Warn("failed to validate API key", slog.String("error", err.Error()))
+		return nil
 	}
-
-	if lastErr != nil {
-		slog.Warn("API key validation failed after retries, continuing anyway", "attempts", maxRetries, "error", lastErr)
-	} else {
-		slog.Warn("API key validation failed after retries. Verify your API key is correct and DD_SITE matches your Datadog account region. See: https://docs.datadoghq.com/getting_started/site/",
-			"attempts", maxRetries,
-			"lastStatus", lastStatus,
-			"site", c.Site,
-		)
+	defer func() {
+		io.Copy(io.Discard, resp.Body)
+		resp.Body.Close()
+	}()
+
+	if resp.StatusCode == http.StatusForbidden {
+		slog.Warn("invalid Datadog API key", slog.String("url", "https://app."+c.Site+"/organization-settings/api-keys"))
+	} else if resp.StatusCode != http.StatusOK {
+		slog.Warn("unexpected response from validation endpoint", slog.String("status", resp.Status))
 	}
 
 	return nil
 }
-
-func resolveFromSecretsManager(ctx context.Context, opts resolveOptions) (string, error) {
-	return "", nil
-}
-
-func resolveFromSSM(ctx context.Context, opts resolveOptions) (string, error) {
-	return "", nil
-}
-
-func resolveFromKMS(ctx context.Context, opts resolveOptions) (string, error) {
-	return "", nil
-}
-
-func resolveFromEnv(ctx context.Context, opts resolveOptions) (string, error) {
-	return opts.Value, nil
-}