Add Serverless Framework Plugin support for AWS SSM API Key (#653)

* Add Serverless Framework Plugin support for AWS SSM API Key

* update checkForMultipleApiKeys

* update log

* update tests

* Update index.ts to list check

Co-authored-by: Ava Silver <ava.silver@datadoghq.com>

* lint format

---------

Co-authored-by: Ava Silver <ava.silver@datadoghq.com>

Author: nina9753

README.md

@@ -30,7 +30,8 @@ To further configure your plugin, use the following custom parameters in your `s
 | `site`                        | Set which Datadog site to send data to, such as `datadoghq.com` (default), `datadoghq.eu`, `us3.datadoghq.com`, `us5.datadoghq.com`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`. This parameter is required when collecting telemetry using the Datadog Lambda Extension.                                                                                                                                                        |
 | `apiKey`                      | [Datadog API key][7]. This parameter is required when collecting telemetry using the Datadog Lambda Extension. Alternatively, you can also set the `DATADOG_API_KEY` environment variable in your deployment environment.                                                                                                                                                                                                    |
 | `appKey`                      | Datadog app key. Only needed when the `monitors` field is defined. Alternatively, you can also set the `DATADOG_APP_KEY` environment variable in your deployment environment.                                                                                                                                                                                                                                                |
-| `apiKeySecretArn`             | An alternative to using the `apiKey` field. The ARN of the secret that is storing the Datadog API key in AWS Secrets Manager. Remember to add the `secretsmanager:GetSecretValue` permission to the Lambda execution role.                                                                                                                                                                                                   |
+| `apiKeySecretArn`             | An alternative to using the `apiKey` field. The ARN of the secret that is storing the Datadog API key in AWS Secrets Manager. Remember to add the `secretsmanager:GetSecretValue` permission to the Lambda execution role.                                                           |
+| `apiKeySsmArn`                | An alternative to using the `apiKey` field. The ARN of the parameter that is storing the Datadog API key in AWS Systems Manager Parameter Store. Remember to add the `ssm:GetParameter` and `kms:Decrypt` (for encrypted SecureString parameters) permission to the Lambda execution role.                                                                                                                                                                                             |
 | `apiKMSKey`                   | An alternative to using the `apiKey` field. Datadog API key encrypted using KMS. Remember to add the `kms:Decrypt` permission to the Lambda execution role.                                                                                                                                                                                                                                                                  |
 | `env`                         | When set along with `addExtension`, a `DD_ENV` environment variable is added to all Lambda functions with the provided value. Otherwise, an `env` tag is added to all Lambda functions with the provided value. Defaults to the `stage` value of the serverless deployment.                                                                                                                                                  |
 | `service`                     | When set along with `addExtension`, a `DD_SERVICE` environment variable is added to all Lambda functions with the provided value. Otherwise, a `service` tag is added to all Lambda functions with the provided value. Defaults to the `service` value of the serverless project.
@@ -77,7 +78,7 @@ To use any of these parameters, add a `custom` > `datadog` section to your `serv
 ```yaml
 custom:
   datadog:
-    apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}"
+    apiKeySecretArn: "{Datadog_API_Key_Secret_ARN}" # or use apiKeySsmArn for AWS Systems Manager Parameter Store
     enableXrayTracing: false
     enableDDTracing: true
     enableDDLogs: true

src/env.spec.ts

@@ -496,6 +496,7 @@ describe("setEnvConfiguration", () => {
         addLayers: false,
         apiKey: "1234",
         apiKeySecretArn: "some-resource:from:aws:secrets-manager:arn",
+        apiKeySsmArn: "some-resource:from:aws:ssm:arn",
         apiKMSKey: "0912",
         site: "datadoghq.eu",
         subdomain: "app",
@@ -525,6 +526,7 @@ describe("setEnvConfiguration", () => {
           environment: {
             DD_API_KEY: "1234",
             DD_API_KEY_SECRET_ARN: "some-resource:from:aws:secrets-manager:arn",
+            DD_API_KEY_SSM_ARN: "some-resource:from:aws:ssm:arn",
             DD_CAPTURE_LAMBDA_PAYLOAD: false,
             DD_KMS_API_KEY: "0912",
             DD_LOG_LEVEL: "debug",
@@ -544,6 +546,7 @@ describe("setEnvConfiguration", () => {
           environment: {
             DD_API_KEY: "1234",
             DD_API_KEY_SECRET_ARN: "some-resource:from:aws:secrets-manager:arn",
+            DD_API_KEY_SSM_ARN: "some-resource:from:aws:ssm:arn",
             DD_CAPTURE_LAMBDA_PAYLOAD: false,
             DD_KMS_API_KEY: "0912",
             DD_LOG_LEVEL: "debug",
@@ -564,6 +567,7 @@ describe("setEnvConfiguration", () => {
           environment: {
             DD_API_KEY: "1234",
             DD_API_KEY_SECRET_ARN: "some-resource:from:aws:secrets-manager:arn",
+            DD_API_KEY_SSM_ARN: "some-resource:from:aws:ssm:arn",
             DD_CAPTURE_LAMBDA_PAYLOAD: false,
             DD_KMS_API_KEY: "0912",
             DD_LOG_LEVEL: "debug",
@@ -583,6 +587,7 @@ describe("setEnvConfiguration", () => {
           environment: {
             DD_API_KEY: "1234",
             DD_API_KEY_SECRET_ARN: "some-resource:from:aws:secrets-manager:arn",
+            DD_API_KEY_SSM_ARN: "some-resource:from:aws:ssm:arn",
             DD_CAPTURE_LAMBDA_PAYLOAD: false,
             DD_KMS_API_KEY: "0912",
             DD_LOG_LEVEL: "debug",
@@ -1275,6 +1280,190 @@ describe("setEnvConfiguration", () => {
       "apiKeySecretArn` is not supported for Node runtimes when using Synchronous Metrics. Set DATADOG_API_KEY in your environment, or use `apiKmsKey` in the configuration.",
     );
   });
+
+  it("successfully sets DD_API_KEY_SSM_ARN for Node runtime with sync metrics", () => {
+    const handlers: FunctionInfo[] = [
+      {
+        handler: {
+          environment: {},
+          events: [],
+          runtime: "nodejs20.x",
+        },
+        name: "function",
+        type: RuntimeType.NODE,
+      },
+    ];
+
+    setEnvConfiguration(
+      {
+        addLayers: false,
+        apiKeySsmArn: "arn:aws:ssm:us-east-1:123456789012:parameter/datadog/api-key",
+        site: "datadoghq.eu",
+        subdomain: "app",
+        logLevel: "debug",
+        flushMetricsToLogs: false,
+        enableXrayTracing: true,
+        enableDDTracing: true,
+        enableDDLogs: true,
+        subscribeToAccessLogs: true,
+        subscribeToExecutionLogs: false,
+        subscribeToStepFunctionLogs: false,
+        addExtension: false,
+        enableTags: true,
+        injectLogContext: true,
+        exclude: ["dd-excluded-function"],
+        enableSourceCodeIntegration: true,
+        uploadGitMetadata: false,
+        captureLambdaPayload: false,
+        failOnError: false,
+        skipCloudformationOutputs: false,
+      },
+      handlers,
+    );
+
+    expect(handlers).toEqual([
+      {
+        handler: {
+          environment: {
+            DD_API_KEY_SSM_ARN: "arn:aws:ssm:us-east-1:123456789012:parameter/datadog/api-key",
+            DD_CAPTURE_LAMBDA_PAYLOAD: false,
+            DD_FLUSH_TO_LOG: false,
+            DD_LOGS_INJECTION: true,
+            DD_LOG_LEVEL: "debug",
+            DD_MERGE_XRAY_TRACES: true,
+            DD_SERVERLESS_LOGS_ENABLED: true,
+            DD_SITE: "datadoghq.eu",
+            DD_TRACE_ENABLED: true,
+          },
+          events: [],
+          runtime: "nodejs20.x",
+        },
+        name: "function",
+        type: RuntimeType.NODE,
+      },
+    ]);
+  });
+
+  it("successfully sets DD_API_KEY_SSM_ARN for Python runtime with extension", () => {
+    const handlers: FunctionInfo[] = [
+      {
+        handler: {
+          environment: {},
+          events: [],
+          runtime: "python3.11",
+        },
+        name: "function",
+        type: RuntimeType.PYTHON,
+      },
+    ];
+
+    setEnvConfiguration(
+      {
+        addLayers: true,
+        apiKeySsmArn: "arn:aws:ssm:us-east-1:123456789012:parameter/datadog/api-key",
+        site: "datadoghq.com",
+        subdomain: "app",
+        logLevel: "info",
+        flushMetricsToLogs: true,
+        enableXrayTracing: false,
+        enableDDTracing: true,
+        enableDDLogs: true,
+        subscribeToAccessLogs: true,
+        subscribeToExecutionLogs: false,
+        subscribeToStepFunctionLogs: false,
+        addExtension: true,
+        enableTags: true,
+        injectLogContext: false,
+        exclude: [],
+        enableSourceCodeIntegration: true,
+        uploadGitMetadata: false,
+        captureLambdaPayload: false,
+        failOnError: false,
+        skipCloudformationOutputs: false,
+      },
+      handlers,
+    );
+
+    expect(handlers).toEqual([
+      {
+        handler: {
+          environment: {
+            DD_API_KEY_SSM_ARN: "arn:aws:ssm:us-east-1:123456789012:parameter/datadog/api-key",
+            DD_CAPTURE_LAMBDA_PAYLOAD: false,
+            DD_LOGS_INJECTION: false,
+            DD_LOG_LEVEL: "info",
+            DD_MERGE_XRAY_TRACES: false,
+            DD_SERVERLESS_LOGS_ENABLED: true,
+            DD_SITE: "datadoghq.com",
+            DD_TRACE_ENABLED: true,
+          },
+          events: [],
+          runtime: "python3.11",
+        },
+        name: "function",
+        type: RuntimeType.PYTHON,
+      },
+    ]);
+  });
+
+  it("doesn't set DD_API_KEY from environment if apiKeySsmArn is defined", () => {
+    process.env = {};
+    process.env.DATADOG_API_KEY = "dd-api-key";
+    const handlers: FunctionInfo[] = [
+      {
+        handler: {
+          environment: {},
+          events: [],
+        },
+        name: "function",
+        type: RuntimeType.NODE,
+      },
+    ];
+
+    setEnvConfiguration(
+      {
+        addLayers: false,
+        apiKeySsmArn: "arn:aws:ssm:us-east-1:123456789012:parameter/datadog/api-key",
+        site: "datadoghq.com",
+        subdomain: "app",
+        logLevel: "info",
+        flushMetricsToLogs: false,
+        enableXrayTracing: true,
+        enableDDTracing: true,
+        enableDDLogs: true,
+        addExtension: true,
+        enableTags: true,
+        injectLogContext: true,
+        subscribeToAccessLogs: true,
+        subscribeToExecutionLogs: false,
+        subscribeToStepFunctionLogs: false,
+        exclude: [],
+        enableSourceCodeIntegration: true,
+        uploadGitMetadata: false,
+        failOnError: false,
+        skipCloudformationOutputs: false,
+      },
+      handlers,
+    );
+    expect(handlers).toEqual([
+      {
+        handler: {
+          environment: {
+            DD_API_KEY_SSM_ARN: "arn:aws:ssm:us-east-1:123456789012:parameter/datadog/api-key",
+            DD_LOG_LEVEL: "info",
+            DD_LOGS_INJECTION: false,
+            DD_SERVERLESS_LOGS_ENABLED: true,
+            DD_SITE: "datadoghq.com",
+            DD_TRACE_ENABLED: true,
+            DD_MERGE_XRAY_TRACES: true,
+          },
+          events: [],
+        },
+        name: "function",
+        type: RuntimeType.NODE,
+      },
+    ]);
+  });
   it("defines `DD_COLD_START_TRACING` when enableColdStartTracing is set", () => {
     const handlers: FunctionInfo[] = [
       {

src/env.ts

@@ -28,6 +28,8 @@ export interface Configuration {
   monitorsAppKey?: string;
   // The ARN of the secret in AWS Secrets Manager containing the Datadog API key.
   apiKeySecretArn?: string;
+  // The ARN of the parameter in AWS Systems Manager Parameter Store containing the Datadog API key.
+  apiKeySsmArn?: string;
   // Datadog API Key encrypted using KMS, only necessary when using metrics without log forwarding
   apiKMSKey?: string;
   // Whether to capture and store the payload and response of a lambda invocation
@@ -147,6 +149,7 @@ const webpackPluginName = "serverless-webpack";
 const apiKeyEnvVar = "DD_API_KEY";
 const apiKeyKMSEnvVar = "DD_KMS_API_KEY";
 const apiKeySecretArnEnvVar = "DD_API_KEY_SECRET_ARN";
+const apiKeySsmArnEnvVar = "DD_API_KEY_SSM_ARN";
 const siteURLEnvVar = "DD_SITE";
 const logLevelEnvVar = "DD_LOG_LEVEL";
 const logForwardingEnvVar = "DD_FLUSH_TO_LOG";
@@ -221,11 +224,12 @@ export function setEnvConfiguration(config: Configuration, handlers: FunctionInf
       environment[apiKeyEnvVar] === undefined &&
       // Only set this from the environment if all other methods of authentication
       // are not in use. This will set DATADOG_API_KEY on the lambda from the environment
-      // variable directly if they haven't set one of the below three options
+      // variable directly if they haven't set one of the below four options
       // in the configuration.
       config.apiKMSKey === undefined &&
       config.apiKey === undefined &&
-      config.apiKeySecretArn === undefined
+      config.apiKeySecretArn === undefined &&
+      config.apiKeySsmArn === undefined
     ) {
       environment[apiKeyEnvVar] = process.env.DATADOG_API_KEY;
       logMessage("Using DATADOG_API_KEY environment variable for authentication");
@@ -246,6 +250,9 @@ export function setEnvConfiguration(config: Configuration, handlers: FunctionInf
       }
       environment[apiKeySecretArnEnvVar] = config.apiKeySecretArn;
     }
+    if (config.apiKeySsmArn !== undefined && environment[apiKeySsmArnEnvVar] === undefined) {
+      environment[apiKeySsmArnEnvVar] = config.apiKeySsmArn;
+    }
     if (environment[siteURLEnvVar] === undefined) {
       environment[siteURLEnvVar] = config.site;
     }

src/index.spec.ts

@@ -886,7 +886,7 @@ describe("ServerlessPlugin", () => {
       }
       expect(threwError).toBe(true);
       expect(thrownErrorMessage).toEqual(
-        "The environment variable `DATADOG_API_KEY` or configuration variable `apiKMSKey` or `apiKeySecretArn` must be set because `addExtension` is set to true as default.",
+        "The environment variable `DATADOG_API_KEY` or configuration variable `apiKMSKey` or `apiKeySecretArn` or `apiKeySsmArn` must be set because `addExtension` is set to true as default.",
       );
     });
   });

src/index.ts

@@ -634,10 +634,11 @@ function validateConfiguration(config: Configuration): void {
       config.apiKey === undefined &&
       process.env.DATADOG_API_KEY === undefined &&
       config.apiKMSKey === undefined &&
-      config.apiKeySecretArn === undefined
+      config.apiKeySecretArn === undefined &&
+      config.apiKeySsmArn === undefined
     ) {
       throw new Error(
-        "The environment variable `DATADOG_API_KEY` or configuration variable `apiKMSKey` or `apiKeySecretArn` must be set because `addExtension` is set to true as default.",
+        "The environment variable `DATADOG_API_KEY` or configuration variable `apiKMSKey` or `apiKeySecretArn` or `apiKeySsmArn` must be set because `addExtension` is set to true as default.",
       );
     }
   }
@@ -656,18 +657,19 @@ function validateConfiguration(config: Configuration): void {
 }
 
 function checkForMultipleApiKeys(config: Configuration): void {
-  let multipleApiKeysMessage;
-  if (config.apiKey !== undefined && config.apiKMSKey !== undefined && config.apiKeySecretArn !== undefined) {
-    multipleApiKeysMessage = "`apiKey`, `apiKMSKey`, and `apiKeySecretArn`";
-  } else if (config.apiKey !== undefined && config.apiKMSKey !== undefined) {
-    multipleApiKeysMessage = "`apiKey` and `apiKMSKey`";
-  } else if (config.apiKey !== undefined && config.apiKeySecretArn !== undefined) {
-    multipleApiKeysMessage = "`apiKey` and `apiKeySecretArn`";
-  } else if (config.apiKMSKey !== undefined && config.apiKeySecretArn !== undefined) {
-    multipleApiKeysMessage = "`apiKMSKey` and `apiKeySecretArn`";
-  }
-
-  if (multipleApiKeysMessage) {
-    throw new Error(`${multipleApiKeysMessage} should not be set at the same time.`);
+  const definedKeys = ["apiKey", "apiKMSKey", "apiKeySecretArn", "apiKeySsmArn"]
+    .filter((key) => key in config)
+    .map((key) => `\`${key}\``);
+
+  if (definedKeys.length > 1) {
+    let message;
+    if (definedKeys.length === 2) {
+      message = `${definedKeys[0]} and ${definedKeys[1]}`;
+    } else {
+      const last = definedKeys[definedKeys.length - 1];
+      const rest = definedKeys.slice(0, -1).join(", ");
+      message = `${rest}, and ${last}`;
+    }
+    throw new Error(`${message} should not be set at the same time.`);
   }
 }