Match FIPS implementation between sdk v1 and sdk v2 (#1119)

Co-authored-by: Cristian Greco <[email protected]>
prometheus-community · Aug 23, 2023 · 3525d64 · 3525d64
1 parent 655a202
commit 3525d64
Show file tree

Hide file tree

Showing 4 changed files with 206 additions and 76 deletions.
diff --git a/pkg/clients/v1/factory.go b/pkg/clients/v1/factory.go
@@ -225,6 +225,9 @@ func createCloudWatchClient(logger logging.Logger, s *session.Session, region *s
 }
 
 func createTaggingClient(logger logging.Logger, session *session.Session, region *string, role config.Role, fips bool) tagging.Client {
+	// The createSession function for a service which does not support FIPS does not take a fips parameter
+	// This currently applies to createTagSession(Resource Groups Tagging), ASG (EC2 autoscaling), and Prometheus (Amazon Managed Prometheus)
+	// AWS FIPS Reference: https://aws.amazon.com/compliance/fips/
 	return tagging_v1.NewClient(
 		logger,
 		createTagSession(session, region, role, logger.IsDebugEnabled()),
@@ -233,7 +236,7 @@ func createTaggingClient(logger logging.Logger, session *session.Session, region
 		createAPIGatewayV2Session(session, region, role, fips, logger.IsDebugEnabled()),
 		createEC2Session(session, region, role, fips, logger.IsDebugEnabled()),
 		createDMSSession(session, region, role, fips, logger.IsDebugEnabled()),
-		createPrometheusSession(session, region, role, fips, logger.IsDebugEnabled()),
+		createPrometheusSession(session, region, role, logger.IsDebugEnabled()),
 		createStorageGatewaySession(session, region, role, fips, logger.IsDebugEnabled()),
 		createShieldSession(session, region, role, fips, logger.IsDebugEnabled()),
 	)
@@ -415,12 +418,9 @@ func createEC2Session(sess *session.Session, region *string, role config.Role, f
 	return ec2.New(sess, setSTSCreds(sess, config, role))
 }
 
-func createPrometheusSession(sess *session.Session, region *string, role config.Role, fips bool, isDebugEnabled bool) prometheusserviceiface.PrometheusServiceAPI {
+func createPrometheusSession(sess *session.Session, region *string, role config.Role, isDebugEnabled bool) prometheusserviceiface.PrometheusServiceAPI {
 	maxPrometheusAPIRetries := 10
 	config := &aws.Config{Region: region, MaxRetries: &maxPrometheusAPIRetries}
-	if fips {
-		config.UseFIPSEndpoint = endpoints.FIPSEndpointStateEnabled
-	}
 
 	if isDebugEnabled {
 		config.LogLevel = aws.LogLevel(aws.LogDebugWithHTTPBody)

diff --git a/pkg/clients/v1/factory_test.go b/pkg/clients/v1/factory_test.go
@@ -1030,7 +1030,7 @@ func TestCreatePrometheusSession(t *testing.T) {
 		t,
 		"Prometheus",
 		func(t *testing.T, s *session.Session, region *string, role config.Role, fips bool) {
-			iface := createPrometheusSession(s, region, role, fips, false)
+			iface := createPrometheusSession(s, region, role, false)
 			if iface == nil {
 				t.Fail()
 			}

diff --git a/pkg/clients/v2/factory.go b/pkg/clients/v2/factory.go
@@ -38,12 +38,13 @@ import (
 type awsRegion = string
 
 type CachingFactory struct {
-	logger    logging.Logger
-	stsRegion string
-	clients   map[config.Role]map[awsRegion]*cachedClients
-	mu        sync.Mutex
-	refreshed bool
-	cleared   bool
+	logger      logging.Logger
+	stsRegion   string
+	clients     map[config.Role]map[awsRegion]*cachedClients
+	mu          sync.Mutex
+	refreshed   bool
+	cleared     bool
+	fipsEnabled bool
 }
 
 type cachedClients struct {
@@ -86,10 +87,6 @@ func NewFactory(cfg config.ScrapeConf, fips bool, logger logging.Logger) (*Cachi
 		})))
 	}
 
-	if fips {
-		options = append(options, aws_config.WithUseFIPSEndpoint(aws.FIPSEndpointStateEnabled))
-	}
-
 	options = append(options, aws_config.WithRetryMaxAttempts(5))
 
 	c, err := aws_config.LoadDefaultConfig(context.TODO(), options...)
@@ -150,9 +147,10 @@ func NewFactory(cfg config.ScrapeConf, fips bool, logger logging.Logger) (*Cachi
 	}
 
 	return &CachingFactory{
-		logger:    logger,
-		clients:   cache,
-		stsRegion: cfg.StsRegion,
+		logger:      logger,
+		clients:     cache,
+		stsRegion:   cfg.StsRegion,
+		fipsEnabled: fips,
 	}, nil
 }
 
@@ -280,13 +278,21 @@ func (c *CachingFactory) createCloudwatchClient(regionConfig *aws.Config) *cloud
 			options.MaxAttempts = 5
 			options.MaxBackoff = 3 * time.Second
 		})
+
+		if c.fipsEnabled {
+			options.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
+		}
 	})
 }
 
 func (c *CachingFactory) createTaggingClient(regionConfig *aws.Config) *resourcegroupstaggingapi.Client {
 	return resourcegroupstaggingapi.NewFromConfig(*regionConfig, func(options *resourcegroupstaggingapi.Options) {
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
+
+			// The FIPS setting is ignored because FIPS is not available for resource groups tagging apis
+			// If enabled the SDK will try to use non-existent FIPS URLs, https://github.com/aws/aws-sdk-go-v2/issues/2138#issuecomment-1570791988
+			// AWS FIPS Reference: https://aws.amazon.com/compliance/fips/
 		}
 	})
 }
@@ -295,6 +301,12 @@ func (c *CachingFactory) createAutoScalingClient(assumedConfig *aws.Config) *aut
 	return autoscaling.NewFromConfig(*assumedConfig, func(options *autoscaling.Options) {
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
+
+			// The FIPS setting is ignored because FIPS is not available for EC2 autoscaling apis
+			// If enabled the SDK will try to use non-existent FIPS URLs, https://github.com/aws/aws-sdk-go-v2/issues/2138#issuecomment-1570791988
+			// AWS FIPS Reference: https://aws.amazon.com/compliance/fips/
+			// 	EC2 autoscaling has FIPS compliant URLs for govcloud, but they do not use any FIPS prefixing.
+			// 	Tests ensure that this configuration will produce the correct URLs for the govcloud regions
 		}
 	})
 }
@@ -304,6 +316,9 @@ func (c *CachingFactory) createEC2Client(assumedConfig *aws.Config) *ec2.Client
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
 		}
+		if c.fipsEnabled {
+			options.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
+		}
 	})
 }
 
@@ -312,6 +327,9 @@ func (c *CachingFactory) createDMSClient(assumedConfig *aws.Config) *databasemig
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
 		}
+		if c.fipsEnabled {
+			options.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
+		}
 	})
 }
 
@@ -320,6 +338,9 @@ func (c *CachingFactory) createAPIGatewayClient(assumedConfig *aws.Config) *apig
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
 		}
+		if c.fipsEnabled {
+			options.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
+		}
 	})
 }
 
@@ -328,6 +349,9 @@ func (c *CachingFactory) createAPIGatewayV2Client(assumedConfig *aws.Config) *ap
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
 		}
+		if c.fipsEnabled {
+			options.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
+		}
 	})
 }
 
@@ -336,6 +360,9 @@ func (c *CachingFactory) createStorageGatewayClient(assumedConfig *aws.Config) *
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
 		}
+		if c.fipsEnabled {
+			options.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
+		}
 	})
 }
 
@@ -344,6 +371,10 @@ func (c *CachingFactory) createPrometheusClient(assumedConfig *aws.Config) *amp.
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
 		}
+
+		// The FIPS setting is ignored because FIPS is not available for amp apis
+		// If enabled the SDK will try to use non-existent FIPS URLs, https://github.com/aws/aws-sdk-go-v2/issues/2138#issuecomment-1570791988
+		// AWS FIPS Reference: https://aws.amazon.com/compliance/fips/
 	})
 }
 
@@ -352,6 +383,9 @@ func (c *CachingFactory) createStsClient(awsConfig *aws.Config) *sts.Client {
 		if c.stsRegion != "" {
 			options.Region = c.stsRegion
 		}
+		if c.fipsEnabled {
+			options.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
+		}
 	})
 }
 
@@ -360,6 +394,9 @@ func (c *CachingFactory) createShieldClient(awsConfig *aws.Config) *shield.Clien
 		if c.logger.IsDebugEnabled() {
 			options.ClientLogMode = aws.LogRequestWithBody | aws.LogResponseWithBody
 		}
+		if c.fipsEnabled {
+			options.EndpointOptions.UseFIPSEndpoint = aws.FIPSEndpointStateEnabled
+		}
 	})
 }