Skip to content

Add metrics in SecretsRefreshJob for SecretsManager exceptions#6252

Merged
san81 merged 2 commits into
opensearch-project:mainfrom
bninishi:bninishi-secrets-manager-missing-metrics
Nov 11, 2025
Merged

Add metrics in SecretsRefreshJob for SecretsManager exceptions#6252
san81 merged 2 commits into
opensearch-project:mainfrom
bninishi:bninishi-secrets-manager-missing-metrics

Conversation

@bninishi

@bninishi bninishi commented Nov 7, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Updates in Rev-2:

  • Added one more metric covering AccessDeniedException
  • Simplified the code and updated metric names addressing comments on rev-1

Description

Issues Resolved

n/a

Check List

  • [-] New functionality includes testing.
  • New functionality has a documentation issue. Please link to it in this PR.
    • [-] New functionality has javadoc added
  • [-] Commits are signed with a real name per the DCO
    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
    For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@bninishi
Add metrics for SecretsManager ResourceNotFound and LimitExceeded exc…
2f76720 
…eption

- Currently adding these two metrics as a starting point
- Reference for exceptions: https://github.com/aws/api-models-aws/blob/f622f1d5f018e4617cdc14766c3113b6a960703a/models/secrets-manager/service/2017-10-17/secrets-manager-2017-10-17.json
- Tested through unit tests

Signed-off-by: Nishita Nishita <bninishi@amazon.com>
bninishi
bninishi commented Nov 7, 2025
View reviewed changes
Comment thread ...ugins/aws-plugin/src/main/java/org/opensearch/dataprepper/plugins/aws/SecretsRefreshJob.java Outdated
SECRETS_REFRESH_FAILURE, SECRET_CONFIG_ID_TAG, secretConfigId);
this.secretsRefreshTimer = pluginMetrics.timerWithTags(
SECRETS_REFRESH_DURATION, SECRET_CONFIG_ID_TAG, secretConfigId);
this.secretsManagerResourceNotFoundCounter = pluginMetrics.counter(

@bninishi bninishi Nov 7, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm not using counterWithTags because we wanna keep the schema for these new metrics similar to the rest of the metrics, for example S3: #6245 , so, skipping the extra SecretConfigId dimension here.

@viquer viquer Nov 10, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not positive we really want to do this here. I think here we want to emit the exact same way the rest of the metric.

@dlvenable dlvenable Nov 10, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should look for consistency within this plugin over consistency with other plugins. I think the tags are ideal here.

@bninishi bninishi Nov 10, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noted, i'll update to use counterWithTags

@bninishi bninishi marked this pull request as ready for review November 7, 2025 20:19
san81
san81 reviewed Nov 7, 2025
View reviewed changes
Comment thread ...ugins/aws-plugin/src/main/java/org/opensearch/dataprepper/plugins/aws/SecretsRefreshJob.java Outdated
*
* @param e the Secrets Manager exception to record metrics for
*/
private void recordSecretsManagerException(final SecretsManagerException e) {

@san81 san81 Nov 7, 2025

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to check for AccessDeniedException as well? And the list may go on. If you are looking for a metric to track the secrets manager access failure, may be one counter for any kind of failure could do the job? Logs will have details about the kind of failure anyway.

@bninishi bninishi Nov 10, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

responded on slack

dlvenable
dlvenable requested changes Nov 10, 2025
View reviewed changes

@dlvenable dlvenable left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @bninishi for this contribution!

Comment thread ...ugins/aws-plugin/src/main/java/org/opensearch/dataprepper/plugins/aws/SecretsRefreshJob.java Outdated
SECRETS_REFRESH_FAILURE, SECRET_CONFIG_ID_TAG, secretConfigId);
this.secretsRefreshTimer = pluginMetrics.timerWithTags(
SECRETS_REFRESH_DURATION, SECRET_CONFIG_ID_TAG, secretConfigId);
this.secretsManagerResourceNotFoundCounter = pluginMetrics.counter(

@dlvenable dlvenable Nov 10, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should look for consistency within this plugin over consistency with other plugins. I think the tags are ideal here.

Comment thread ...ugins/aws-plugin/src/main/java/org/opensearch/dataprepper/plugins/aws/SecretsRefreshJob.java
secretsRefreshSuccessCounter.increment();
pluginConfigPublisher.notifyAllPluginConfigObservable();
} catch(Exception e) {
if (e instanceof SecretsManagerException) {

@dlvenable dlvenable Nov 10, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is a little odd and confusing that metrics recording is split into two places. We should probably do it all in the same place. Maybe include secretsRefreshFailureCounter.increment(); in the new method and move this conditional in there as well.

@bninishi bninishi Nov 10, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in rev-2, to keep the logic inside the catch block itself

Comment thread ...ugins/aws-plugin/src/main/java/org/opensearch/dataprepper/plugins/aws/SecretsRefreshJob.java Outdated
static final String SECRETS_REFRESH_SUCCESS = "secretsRefreshSuccess";
static final String SECRETS_REFRESH_FAILURE = "secretsRefreshFailure";
static final String SECRETS_REFRESH_DURATION = "secretsRefreshDuration";
static final String SECRETS_MANAGER_RESOURCE_NOT_FOUND = "secretsManagerResourceNotFound";

@dlvenable dlvenable Nov 10, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We currently use the prefix of secrets so let's stick with that. Also, resourceNotFound seems a little generic. Maybe these would be better: secretsSecretNotFound and secretsLimitExceeded.

@bninishi bninishi Nov 10, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'll update to add secretsSecretNotFound, secretsLimitExceeded, and secretsAccessDenied

@bninishi
address PR comments to update SecretsManager metrics
999a2f3 
Signed-off-by: Nishita Nishita <bninishi@amazon.com>
dlvenable
dlvenable approved these changes Nov 10, 2025
View reviewed changes

@dlvenable dlvenable left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @bninishi !

san81
san81 approved these changes Nov 10, 2025
View reviewed changes

@san81 san81 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution.

@bninishi bninishi closed this Nov 10, 2025
@san81 san81 reopened this Nov 10, 2025
@san81 san81 merged commit 1b4979c into opensearch-project:main Nov 11, 2025
94 of 98 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dlvenable dlvenable dlvenable approved these changes

@san81 san81 san81 approved these changes

@dinujoh dinujoh dinujoh approved these changes

@sb2k16 sb2k16 Awaiting requested review from sb2k16 sb2k16 is a code owner

@chenqi0805 chenqi0805 Awaiting requested review from chenqi0805

@engechas engechas Awaiting requested review from engechas

@srikanthjg srikanthjg Awaiting requested review from srikanthjg srikanthjg is a code owner

@graytaylor0 graytaylor0 Awaiting requested review from graytaylor0 graytaylor0 is a code owner

@kkondaka kkondaka Awaiting requested review from kkondaka kkondaka is a code owner

@KarstenSchnitter KarstenSchnitter Awaiting requested review from KarstenSchnitter KarstenSchnitter is a code owner

@oeyh oeyh Awaiting requested review from oeyh oeyh is a code owner

+1 more reviewer

@viquer viquer viquer left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bninishi @dlvenable @san81 @dinujoh @viquer