[AWSX-2144] feat(go-forwarder): add basic api key and config logic

Author: ndakkoune

aws/logs_monitoring_go/cmd/forwarder/main.go

@@ -9,15 +9,48 @@ import (
 	"context"
 	"encoding/json"
 	"log"
+	"log/slog"
+	"os"
+	"strings"
+
+	"github.com/DataDog/datadog-serverless-functions/aws/logs_monitoring_go/internal/config"
 
 	"github.com/aws/aws-lambda-go/lambda"
 )
 
-func handleRequest(ctx context.Context, event json.RawMessage) error {
-	log.Printf("Received event: %s", string(event))
-	return nil
+func initLogger(level string) {
+	var slogLevel slog.Level
+	switch strings.ToUpper(level) {
+	case "DEBUG":
+		slogLevel = slog.LevelDebug
+	case "INFO":
+		slogLevel = slog.LevelInfo
+	case "WARNING", "WARN":
+		slogLevel = slog.LevelWarn
+	case "ERROR":
+		slogLevel = slog.LevelError
+	default:
+		slogLevel = slog.LevelInfo
+	}
+	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+		Level: slogLevel,
+	})))
+}
+
+func handleRequest(cfg *config.Config) func(context.Context, json.RawMessage) error {
+	return func(ctx context.Context, event json.RawMessage) error {
+		slog.Info("received event", "event", string(event))
+		return nil
+	}
 }
 
 func main() {
-	lambda.Start(handleRequest)
+	ctx := context.Background()
+	cfg, err := config.Load(ctx)
+	if err != nil {
+		log.Fatalf("config: %v", err)
+	}
+	// TODO: exit if forwading disabled ?
+	initLogger(cfg.LogLevel)
+	lambda.Start(handleRequest(cfg))
 }

aws/logs_monitoring_go/go.mod

@@ -3,3 +3,23 @@ module github.com/DataDog/datadog-serverless-functions/aws/logs_monitoring_go
 go 1.26
 
 require github.com/aws/aws-lambda-go v1.53.0
+
+require (
+	github.com/aws/aws-sdk-go-v2 v1.41.4 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.32.12 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.12 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 // indirect
+	github.com/aws/smithy-go v1.24.2 // indirect
+)

aws/logs_monitoring_go/go.sum

@@ -1,5 +1,39 @@
 github.com/aws/aws-lambda-go v1.53.0 h1:uAMv6W/vCP/L494BAUSxe+8KVBIPK+SGPyapFt3FuMk=
 github.com/aws/aws-lambda-go v1.53.0/go.mod h1:dpMpZgvWx5vuQJfBt0zqBha60q7Dd7RfgJv23DymV8A=
+github.com/aws/aws-sdk-go-v2 v1.41.4 h1:10f50G7WyU02T56ox1wWXq+zTX9I1zxG46HYuG1hH/k=
+github.com/aws/aws-sdk-go-v2 v1.41.4/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
+github.com/aws/aws-sdk-go-v2/config v1.32.12 h1:O3csC7HUGn2895eNrLytOJQdoL2xyJy0iYXhoZ1OmP0=
+github.com/aws/aws-sdk-go-v2/config v1.32.12/go.mod h1:96zTvoOFR4FURjI+/5wY1vc1ABceROO4lWgWJuxgy0g=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12 h1:oqtA6v+y5fZg//tcTWahyN9PEn5eDU/Wpvc2+kJ4aY8=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.12/go.mod h1:U3R1RtSHx6NB0DvEQFGyf/0sbrpJrluENHdPy1j/3TE=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 h1:zOgq3uezl5nznfoK3ODuqbhVg1JzAGDUhXOsU0IDCAo=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20/go.mod h1:z/MVwUARehy6GAg/yQ1GO2IMl0k++cu1ohP9zo887wE=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 h1:CNXO7mvgThFGqOFgbNAP2nol2qAWBOGfqR/7tQlvLmc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20/go.mod h1:oydPDJKcfMhgfcgBUZaG+toBbwy8yPWubJXBVERtI4o=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 h1:tN6W/hg+pkM+tf9XDkWUbDEjGLb+raoBMFsTodcoYKw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20/go.mod h1:YJ898MhD067hSHA6xYCx5ts/jEd8BSOLtQDL3iZsvbc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 h1:2HvVAIq+YqgGotK6EkMf+KIEqTISmTYh5zLpYyeTo1Y=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20/go.mod h1:V4X406Y666khGa8ghKmphma/7C0DAtEQYhkq9z4vpbk=
+github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 h1:s/zDSG/a/Su9aX+v0Ld9cimUCdkr5FWPmBV8owaEbZY=
+github.com/aws/aws-sdk-go-v2/service/kms v1.50.3/go.mod h1:/iSgiUor15ZuxFGQSTf3lA2FmKxFsQoc2tADOarQBSw=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4 h1:9aZbO86sraeCIHHCpZhxwN9tnVy9POkSKzi4/TpT54A=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.4/go.mod h1:cxiXDhEzIq7Xx1BtmC4lGBK3SwAZ79+EUWiKawYHo14=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 h1:0GFOLzEbOyZABS3PhYfBIx2rNBACYcKty+XGkTgw1ow=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.8/go.mod h1:LXypKvk85AROkKhOG6/YEcHFPoX+prKTowKnVdcaIxE=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3 h1:bBoWhx8lsFLTXintRX64ZBXcmFZbGqUmaPUrjXECqIc=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.68.3/go.mod h1:rcRkKbUJ2437WuXdq9fbj+MjTudYWzY9Ct8kiBbN8a8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 h1:kiIDLZ005EcKomYYITtfsjn7dtOwHDOFy7IbPXKek2o=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.13/go.mod h1:2h/xGEowcW/g38g06g3KpRWDlT+OTfxxI0o1KqayAB8=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 h1:jzKAXIlhZhJbnYwHbvUQZEB8KfgAEuG0dc08Bkda7NU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17/go.mod h1:Al9fFsXjv4KfbzQHGe6V4NZSZQXecFcvaIF4e70FoRA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 h1:Cng+OOwCHmFljXIxpEVXAGMnBia8MSU6Ch5i9PgBkcU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.9/go.mod h1:LrlIndBDdjA/EeXeyNBle+gyCwTlizzW5ycgWnvIxkk=
+github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
+github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

aws/logs_monitoring_go/internal/config/apikey.go

@@ -0,0 +1,101 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026-Present Datadog, Inc.
+
+package config
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"os"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
+	awsconfig "github.com/aws/aws-sdk-go-v2/config"
+)
+
+const (
+	TIMEOUT = 5
+)
+
+type resolveOptions struct {
+	AWSCfg  aws.Config
+	Value   string
+	UseFIPS bool
+}
+
+type apiKeyResolver func(ctx context.Context, opts resolveOptions) (string, error)
+
+var resolvers = []struct {
+	envVar  string
+	resolve apiKeyResolver
+}{
+	{"DD_API_KEY_SECRET_ARN", resolveFromSecretsManager},
+	{"DD_API_KEY_SSM_NAME", resolveFromSSM},
+	{"DD_KMS_API_KEY", resolveFromKMS},
+	{"DD_API_KEY", resolveFromEnv},
+}
+
+func resolveAPIKey(ctx context.Context, useFIPS bool) (string, error) {
+	awsCfg, err := awsconfig.LoadDefaultConfig(ctx,
+		awsconfig.WithHTTPClient(awshttp.NewBuildableClient().WithTimeout(time.Second*TIMEOUT)),
+	)
+
+	if err != nil {
+		return "", fmt.Errorf("loading AWS config: %w", err)
+	}
+
+	for _, resolver := range resolvers {
+		if v, ok := os.LookupEnv(resolver.envVar); ok {
+			slog.Debug("resolving API key", "source", resolver.envVar)
+			resolver.resolve(ctx, resolveOptions{
+				AWSCfg:  awsCfg,
+				Value:   v,
+				UseFIPS: useFIPS,
+			})
+		}
+	}
+	return "", errors.New("no API key configured: set DD_API_KEY, DD_API_KEY_SECRET_ARN, DD_API_KEY_SSM_NAME, or DD_KMS_API_KEY. See: https://docs.datadoghq.com/serverless/forwarder/")
+}
+
+func resolveFromSecretsManager(ctx context.Context, opts resolveOptions) (string, error) {
+	return "", nil
+}
+
+func resolveFromSSM(ctx context.Context, opts resolveOptions) (string, error) {
+	return "", nil
+}
+
+func resolveFromKMS(ctx context.Context, opts resolveOptions) (string, error) {
+	return "", nil
+}
+
+func resolveFromEnv(ctx context.Context, opts resolveOptions) (string, error) {
+	// if len(opts.Value) != 32 {
+	// 	return "", fmt.Errorf("invalid datadog api key format")
+	// }
+
+	// client := &http.Client{
+	// 	Timeout: TIMEOUT * time.Second,
+	// 	Transport: &http.Transport{
+	// 		TLSClientConfig: &tls.Config{
+	// 			InsecureSkipVerify: skipSSLValidation,
+	// 		},
+	// 	},
+	// }
+
+	// res, err := http.Get()
+	// if err != nil {
+
+	// }
+
+	return opts.Value, nil
+}
+
+func validateAPIKey(cfg Config) {
+
+}

aws/logs_monitoring_go/internal/config/config.go

@@ -0,0 +1,119 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026-Present Datadog, Inc.
+
+package config
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"strconv"
+	"strings"
+)
+
+var deprecatedEnvironmentVariables = []string{
+	"DD_ADDITIONAL_TARGET_LAMBDAS",
+	"DD_ENRICH_CLOUDWATCH_TAGS",
+	"DD_ENRICH_S3_TAGS",
+	"DD_FETCH_LAMBDA_TAGS",
+	"DD_FETCH_LOG_GROUP_TAGS",
+	"DD_FETCH_S3_TAGS",
+	"DD_FETCH_STEP_FUNCTIONS_TAGS",
+	"DD_TAGS_CACHE_TTL_SECONDS",
+	"DD_TRACE_INTAKE_URL",
+	"DD_USE_VPC",
+}
+
+type Config struct {
+	APIKey            string
+	Site              string
+	URL               string
+	Port              int
+	APIURL            string
+	ForwardLog        bool
+	UseCompression    bool
+	CompressionLevel  int
+	NoSSL             bool
+	SkipSSLValidation bool
+	Tags              string
+	Source            string
+	LogLevel          string
+	UseFIPS           bool
+}
+
+func Load(ctx context.Context) (*Config, error) {
+	cfg := &Config{
+		Site:              envOrDefault("DD_SITE", "datadoghq.com"),
+		Port:              envOrDefaultInt("DD_PORT", 443),
+		ForwardLog:        envOrDefaultBool("DD_FORWARD_LOG", true),
+		UseCompression:    envOrDefaultBool("DD_USE_COMPRESSION", true),
+		CompressionLevel:  envOrDefaultInt("DD_COMPRESSION_LEVEL", 6),
+		NoSSL:             envOrDefaultBool("DD_NO_SSL", false),
+		SkipSSLValidation: envOrDefaultBool("DD_SKIP_SSL_VALIDATION", false),
+		Tags:              envOrDefault("DD_TAGS", ""),
+		Source:            envOrDefault("DD_SOURCE", ""),
+		LogLevel:          envOrDefault("DD_LOG_LEVEL", "INFO"),
+	}
+
+	scheme := "https"
+	if cfg.NoSSL {
+		scheme = "http"
+	}
+	cfg.URL = envOrDefault("DD_URL", "http-intake.logs."+cfg.Site)
+	cfg.APIURL = envOrDefault("DD_API_URL", fmt.Sprintf("%s://api.%s", scheme, cfg.Site))
+
+	logDroppedEnvVars()
+
+	useFIPS := envOrDefaultBool("DD_USE_FIPS", false)
+	cfg.UseFIPS = useFIPS
+	apiKey, err := resolveAPIKey(ctx, useFIPS)
+	if err != nil {
+		return nil, fmt.Errorf("resolving API key: %w", err)
+	}
+	cfg.APIKey = apiKey
+
+	if err := validateAPIKey(cfg); err != nil {
+		return nil, fmt.Errorf("validating API key: %w", err)
+	}
+
+	return cfg, nil
+}
+
+func logDroppedEnvVars() {
+	for _, name := range deprecatedEnvironmentVariables {
+		if _, ok := os.LookupEnv(name); ok {
+			slog.Warn("deprecated env var set, will be ignored", "name", name)
+		}
+	}
+}
+
+func envOrDefault(key, fallback string) string {
+	if v, ok := os.LookupEnv(key); ok {
+		return v
+	}
+	return fallback
+}
+
+func envOrDefaultBool(key string, fallback bool) bool {
+	v, ok := os.LookupEnv(key)
+	if !ok {
+		return fallback
+	}
+	return strings.EqualFold(v, "true")
+}
+
+func envOrDefaultInt(key string, fallback int) int {
+	v, ok := os.LookupEnv(key)
+	if !ok {
+		return fallback
+	}
+	n, err := strconv.Atoi(v)
+	if err != nil {
+		slog.Warn("invalid integer for env var, using default", "key", key, "value", v, "default", fallback)
+		return fallback
+	}
+	return n
+}