Move common routines to a library. Switch to using AWS Secrets Manager

Author: Steven Nemetz

src/slack/config.json

@@ -1,12 +1,13 @@
 {
   "aws_region": "us-west-2",
-  "datadog_api_key": "",
-  "datadog_app_key": "",
   "environment": "",
   "log_level": "DEBUG",
   "s3_bucket_parts": "wiser-one-ci",
-  "secret_name": "slack_webhook_datadog",
   "secret_endpoint_url": "https://secretsmanager.us-west-2.amazonaws.com",
+  "secrets": {
+    "datadog_api": "datadog_api_keys",
+    "slack_webhook": "slack_webhook_datadog"
+  },
   "slack_token": "",
   "path_parts": "datadog/integration/slack",
   "parts_pattern": "channel-*.json"

src/slack/datadog-slack-integration.py

@@ -2,6 +2,7 @@
 import boto3
 import fnmatch
 import json
+import lambda_lib
 import logging
 import os
 import requests
@@ -16,84 +17,6 @@
 logger.setLevel(logging.DEBUG)
 states = {}
 
-def get_config():
-    # Allow different config file to be specified
-    if 'LAMBDA_CONFIG' in os.environ and len(os.getenv('LAMBDA_CONFIG')) > 0:
-        config_file = os.getenv('LAMBDA_CONFIG')
-        if config_file.find("s3://") == 0:
-            # read from S3 or copy default to s3
-            s3_bucket = config_file[5:len(config_file)].split("/")[0]
-            sep = "/"
-            s3_object = sep.join(config_file[5:len(config_file)].split("/")[1:])
-            s3 = boto3.client('s3')
-            try:
-                config_result = s3.get_object(Bucket=s3_bucket, Key=s3_object)
-                logger.debug("S3 get config: {}".format(config_result))
-                config_raw = config_result["Body"].read()
-                config = json.loads(config_raw)
-            except ClientError as e:
-                logger.warn("Config not found in S3: {}".format(e))
-                logger.warn("Copying default config to S3")
-                with open('config.json') as f:
-                    config = json.load(f)
-                    s3.put_object(Bucket=s3_bucket, Key=s3_object, Body=json.dumps(config, indent=2))
-        else:
-            logger.debug("Reading config file: {}".format(config_file))
-            with open(config_file) as f:
-                config = json.load(f)
-    else:
-        logger.debug("Reading config file: config.json")
-        with open('config.json') as f:
-            config = json.load(f)
-
-    logger.debug("Config before overrides: {}".format(json.dumps(config, indent=2)))
-    # Replace config data with environment data if it exists
-    # Environment variables are keys uppercased
-    for key in config.keys():
-        if key.upper() in os.environ:
-            value = os.getenv(key.upper())
-            try:
-                value_json = json.loads(value)
-                logger.debug("Got json: {}".format(json.dumps(value_json)))
-                if len(value_json.keys()) > 0:
-                    config[key] = value_json
-            except:
-                if len(value) > 0:
-                    config[key] = value
-    logger.debug("Config after overrides: {}".format(json.dumps(config, indent=2)))
-    return config
-
-def get_secret(secret_name, endpoint_url, region_name):
-    session = boto3.session.Session()
-    client = session.client(
-        service_name='secretsmanager',
-        region_name=region_name,
-        endpoint_url=endpoint_url
-    )
-
-    try:
-        get_secret_value_response = client.get_secret_value(
-            SecretId=secret_name
-        )
-    except ClientError as e:
-        if e.response['Error']['Code'] == 'ResourceNotFoundException':
-            print("The requested secret " + secret_name + " was not found")
-        elif e.response['Error']['Code'] == 'InvalidRequestException':
-            print("The request was invalid due to:", e)
-        elif e.response['Error']['Code'] == 'InvalidParameterException':
-            print("The request had invalid params:", e)
-    else:
-        # Decrypted secret using the associated KMS CMK
-        # Depending on whether the secret was a string or binary, one of these fields will be populated
-        if 'SecretString' in get_secret_value_response:
-            secret = get_secret_value_response['SecretString']
-            #print(json.dumps(json.loads(secret), indent=2))
-            #print(secret)
-            return secret
-        else:
-            binary_secret_data = get_secret_value_response['SecretBinary']
-            return binary_secret_data
-
 def get_slack_channels(s3_bucket, prefix, pattern):
     # Return: list of channel names
     channels = []
@@ -296,31 +219,15 @@ def get_slack_hooks(url):
     return hooks
 
 def write_datadog_slack(config, channels, service_hooks):
-    # Datadog: url, api_key, app_key
-    # POST: Create integration: Does add, not delete or update. Can have duplicate entries
-    # PUT: Create/Update integration: updates, deletes
     data = {}
     data["channels"]      = channels
     data["service_hooks"] = service_hooks
     #print(json.dumps(data, indent=2))
-    url_base = "https://api.datadoghq.com/api/v1/integration/slack"
-    api = "?api_key=" + config["datadog_api_key"]
-    app = "&application_key=" + config["datadog_app_key"]
-    url = url_base + api + app + "&run_check=true"
-    headers = {"Content-type": "application/json"}
-    print("URL: {}".format(url))
-    #result = requests.delete(url_base + api + app)
-    #print(result)
-    #result = requests.post(url, data=json.dumps(data), headers=headers)
-    result = requests.put(url, data=json.dumps(data), headers=headers)
-    print(result)
-    if result.status_code != 204:
-        logger.error("Datadog Slack integration update failed with status: {}".format(result.status_code))
-        #logger.debug("HTTP response header {}".format(json.dumps(result.headers, indent=2)))
+    lambda_lib.write_datadog_integration(config, 'slack', data)
 
 def lambda_handler(event, context):
     global states
-    config = get_config()
+    config = lambda_lib.get_config()
 
     # Setup logging
     log_level = getattr(logging, config["log_level"].upper(), None)
@@ -331,10 +238,12 @@ def lambda_handler(event, context):
     logger.debug("Event: {}".format(json.dumps(event, indent=2)))
     logger.debug("Context: {}".format(json.dumps(context, indent=2)))
     channels = get_slack_channels(config["s3_bucket_parts"], config["path_parts"], config["parts_pattern"])
-    slack_webhook = get_secret(config["secret_name"], config["secret_endpoint_url"], config["aws_region"])
+    # Secrets: DD api, DD app, slack webhook
+    datadog_keys = json.loads(lambda_lib.get_secret(config["secrets"]["datadog_api"], config["secret_endpoint_url"], config["aws_region"]))
+    slack_webhook = lambda_lib.get_secret(config["secrets"]["slack_webhook"], config["secret_endpoint_url"], config["aws_region"])
     slack_hooks = get_slack_hooks(slack_webhook)
     #update_slack_channels(channels)
-    write_datadog_slack(config, channels, slack_hooks)
+    write_datadog_slack(datadog_keys, channels, slack_hooks)
 
     return 'Done'
 

src/slack/lambda_lib.py

@@ -0,0 +1,113 @@
+from __future__ import print_function
+import boto3
+import json
+import logging
+import os
+import requests
+from botocore.exceptions import ClientError
+
+
+## No handler for root when run locally
+logger = logging.getLogger()
+logger.setLevel(logging.DEBUG)
+
+def get_config():
+    # Allow different config file to be specified
+    if 'LAMBDA_CONFIG' in os.environ and len(os.getenv('LAMBDA_CONFIG')) > 0:
+        config_file = os.getenv('LAMBDA_CONFIG')
+        if config_file.find("s3://") == 0:
+            # read from S3 or copy default to s3
+            s3_bucket = config_file[5:len(config_file)].split("/")[0]
+            sep = "/"
+            s3_object = sep.join(config_file[5:len(config_file)].split("/")[1:])
+            s3 = boto3.client('s3')
+            try:
+                config_result = s3.get_object(Bucket=s3_bucket, Key=s3_object)
+                logger.debug("S3 get config: {}".format(config_result))
+                config_raw = config_result["Body"].read()
+                config = json.loads(config_raw)
+            except ClientError as e:
+                logger.warn("Config not found in S3: {}".format(e))
+                logger.warn("Copying default config to S3")
+                with open('config.json') as f:
+                    config = json.load(f)
+                    s3.put_object(Bucket=s3_bucket, Key=s3_object, Body=json.dumps(config, indent=2))
+        else:
+            logger.debug("Reading config file: {}".format(config_file))
+            with open(config_file) as f:
+                config = json.load(f)
+    else:
+        logger.debug("Reading config file: config.json")
+        with open('config.json') as f:
+            config = json.load(f)
+
+    logger.debug("Config before overrides: {}".format(json.dumps(config, indent=2)))
+    # Replace config data with environment data if it exists
+    # Environment variables are keys uppercased
+    for key in config.keys():
+        if key.upper() in os.environ:
+            value = os.getenv(key.upper())
+            try:
+                value_json = json.loads(value)
+                logger.debug("Got json: {}".format(json.dumps(value_json)))
+                if len(value_json.keys()) > 0:
+                    config[key] = value_json
+            except:
+                if len(value) > 0:
+                    config[key] = value
+    logger.debug("Config after overrides: {}".format(json.dumps(config, indent=2)))
+    return config
+
+def get_secret(secret_name, endpoint_url, region_name):
+    # TODO: add json support
+    session = boto3.session.Session()
+    client = session.client(
+        service_name='secretsmanager',
+        region_name=region_name,
+        endpoint_url=endpoint_url
+    )
+
+    print("Lookup secret: {}".format(secret_name))
+    try:
+        get_secret_value_response = client.get_secret_value(
+            SecretId=secret_name
+        )
+    except ClientError as e:
+        if e.response['Error']['Code'] == 'ResourceNotFoundException':
+            print("The requested secret " + secret_name + " was not found")
+        elif e.response['Error']['Code'] == 'InvalidRequestException':
+            # Secret name not exists?
+            print("The request was invalid due to:", e)
+        elif e.response['Error']['Code'] == 'InvalidParameterException':
+            print("The request had invalid params:", e)
+    else:
+        # Decrypted secret using the associated KMS CMK
+        # Depending on whether the secret was a string or binary, one of these fields will be populated
+        if 'SecretString' in get_secret_value_response:
+            secret = get_secret_value_response['SecretString']
+            #print(json.dumps(json.loads(secret), indent=2))
+            #print(secret)
+            return secret
+        else:
+            binary_secret_data = get_secret_value_response['SecretBinary']
+            return binary_secret_data
+
+def write_datadog_integration(datadog_keys, integration, payload):
+    # Datadog: url, api_key, app_key
+    # POST: Create integration: Does add, not delete or update. Can have duplicate entries
+    # PUT: Create/Update integration: updates, deletes
+    #print(json.dumps(payload, indent=2))
+    url_base = "https://api.datadoghq.com/api/v1/integration/" + integration
+    api = "?api_key=" + datadog_keys["api_key"]
+    app = "&application_key=" + datadog_keys["app_key"]
+    url = url_base + api + app + "&run_check=true"
+    headers = {"Content-type": "application/json"}
+    print("URL: {}".format(url))
+    #result = requests.delete(url_base + api + app)
+    #print(result)
+    #result = requests.post(url, data=json.dumps(data), headers=headers)
+    result = requests.put(url, data=json.dumps(payload), headers=headers)
+    print(result)
+    if result.status_code != 204:
+        logger.error("Datadog {} integration update failed with status: {}".format(integration, result.status_code))
+        #logger.debug("HTTP response header {}".format(json.dumps(result.headers, indent=2)))