Resolve and log endpoints of AWS services

Includes the AWS endpoints in log output to allow easier inspection of which URIs are being hit based on configuration. Closes gravitational/customer-sensitive-requests#333.
gravitational · Nov 12, 2024 · 63c1131 · 63c1131
1 parent 3e06be0
commit 63c1131
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 5 deletions.
diff --git a/lib/backend/dynamo/dynamodbbk.go b/lib/backend/dynamo/dynamodbbk.go
@@ -23,6 +23,7 @@ import (
 	"errors"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"sort"
 	"strconv"
 	"sync/atomic"
@@ -49,6 +50,7 @@ import (
 	"github.com/gravitational/teleport/lib/modules"
 	awsmetrics "github.com/gravitational/teleport/lib/observability/metrics/aws"
 	dynamometrics "github.com/gravitational/teleport/lib/observability/metrics/dynamo"
+	logutils "github.com/gravitational/teleport/lib/utils/log"
 )
 
 func init() {
@@ -283,19 +285,52 @@ func New(ctx context.Context, params backend.Params) (*Backend, error) {
 
 	otelaws.AppendMiddlewares(&awsConfig.APIOptions, otelaws.WithAttributeSetter(otelaws.DynamoDBAttributeSetter))
 
+	dynamoClient := dynamodb.NewFromConfig(awsConfig, dynamoOpts...)
+	streamsClient := dynamodbstreams.NewFromConfig(awsConfig)
 	b := &Backend{
 		logger:  l,
 		Config:  *cfg,
 		clock:   clockwork.NewRealClock(),
 		buf:     backend.NewCircularBuffer(backend.BufferCapacity(cfg.BufferSize)),
-		svc:     dynamodb.NewFromConfig(awsConfig, dynamoOpts...),
-		streams: dynamodbstreams.NewFromConfig(awsConfig),
+		svc:     dynamoClient,
+		streams: streamsClient,
 	}
 
 	if err := b.configureTable(ctx, applicationautoscaling.NewFromConfig(awsConfig)); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
+	// Perform an initial endpoint resolution to retrieve the URI of the DynamoDB services
+	// so that it can be included in the logging output below.
+	var dynamoEndpoint url.URL
+	clientOpts := dynamoClient.Options()
+	resolved, err := clientOpts.EndpointResolverV2.ResolveEndpoint(ctx, dynamodb.EndpointParameters{
+		Region:   aws.String(clientOpts.Region),
+		UseFIPS:  aws.Bool(clientOpts.EndpointOptions.UseFIPSEndpoint == aws.FIPSEndpointStateEnabled),
+		Endpoint: clientOpts.BaseEndpoint,
+	})
+	if err == nil {
+		dynamoEndpoint = resolved.URI
+	}
+
+	var streamsEndpoint url.URL
+	streamOpts := streamsClient.Options()
+	resolved, err = streamOpts.EndpointResolverV2.ResolveEndpoint(ctx, dynamodbstreams.EndpointParameters{
+		Region:   aws.String(clientOpts.Region),
+		UseFIPS:  aws.Bool(clientOpts.EndpointOptions.UseFIPSEndpoint == aws.FIPSEndpointStateEnabled),
+		Endpoint: clientOpts.BaseEndpoint,
+	})
+	if err == nil {
+		streamsEndpoint = resolved.URI
+	}
+
+	l.InfoContext(ctx, "Connection established to DynamoDB state database",
+		"table", cfg.TableName,
+		"region", clientOpts.Region,
+		"dynamodb_endpoint", logutils.StringerAttr(&dynamoEndpoint),
+		"dynamodb_streams_endpoint", logutils.StringerAttr(&streamsEndpoint),
+	)
+
 	go func() {
 		if err := b.asyncPollStreams(ctx); err != nil {
 			b.logger.ErrorContext(ctx, "Stream polling loop exited", "error", err)

diff --git a/lib/events/dynamoevents/dynamoevents.go b/lib/events/dynamoevents/dynamoevents.go
@@ -60,6 +60,7 @@ import (
 	awsmetrics "github.com/gravitational/teleport/lib/observability/metrics/aws"
 	dynamometrics "github.com/gravitational/teleport/lib/observability/metrics/dynamo"
 	"github.com/gravitational/teleport/lib/utils"
+	logutils "github.com/gravitational/teleport/lib/utils/log"
 )
 
 const (
@@ -264,7 +265,7 @@ const (
 // It's an implementation of backend API's NewFunc
 func New(ctx context.Context, cfg Config) (*Log, error) {
 	l := slog.With(teleport.ComponentKey, teleport.ComponentDynamoDB)
-	l.InfoContext(ctx, "Initializing event backend.")
+	l.InfoContext(ctx, "Initializing event backend")
 
 	err := cfg.CheckAndSetDefaults()
 	if err != nil {
@@ -316,16 +317,35 @@ func New(ctx context.Context, cfg Config) (*Log, error) {
 
 	otelaws.AppendMiddlewares(&awsConfig.APIOptions, otelaws.WithAttributeSetter(otelaws.DynamoDBAttributeSetter))
 
+	client := dynamodb.NewFromConfig(awsConfig, dynamoOpts...)
 	b := &Log{
 		logger: l,
 		Config: cfg,
-		svc:    dynamodb.NewFromConfig(awsConfig, dynamoOpts...),
+		svc:    client,
 	}
 
 	if err := b.configureTable(ctx, applicationautoscaling.NewFromConfig(awsConfig)); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
+	// Perform an initial endpoint resolution to retrieve the URI of the DynamoDB service
+	// so that it can be included in the logging output below.
+	var endpoint url.URL
+	clientOpts := client.Options()
+	resolved, err := clientOpts.EndpointResolverV2.ResolveEndpoint(ctx, dynamodb.EndpointParameters{
+		Region:   aws.String(clientOpts.Region),
+		UseFIPS:  aws.Bool(clientOpts.EndpointOptions.UseFIPSEndpoint == aws.FIPSEndpointStateEnabled),
+		Endpoint: clientOpts.BaseEndpoint,
+	})
+	if err == nil {
+		endpoint = resolved.URI
+	}
+
+	l.InfoContext(ctx, "Connection established to DynamoDB events database",
+		"table", cfg.Tablename,
+		"region", clientOpts.Region,
+		"endpoint", logutils.StringerAttr(&endpoint))
+
 	return b, nil
 }
 

diff --git a/lib/events/s3sessions/s3handler.go b/lib/events/s3sessions/s3handler.go
@@ -47,6 +47,7 @@ import (
 	awsmetrics "github.com/gravitational/teleport/lib/observability/metrics/aws"
 	"github.com/gravitational/teleport/lib/session"
 	awsutils "github.com/gravitational/teleport/lib/utils/aws"
+	logutils "github.com/gravitational/teleport/lib/utils/log"
 )
 
 // s3AllowedACL is the set of canned ACLs that S3 accepts
@@ -233,7 +234,26 @@ func NewHandler(ctx context.Context, cfg Config) (*Handler, error) {
 	if err := h.ensureBucket(ctx); err != nil {
 		return nil, trace.Wrap(err)
 	}
-	h.logger.InfoContext(ctx, "Setting up bucket S3 completed.", "bucket", h.Bucket, "duration", time.Since(start))
+
+	// Perform an initial endpoint resolution to retrieve the URI of the S3 service
+	// so that it can be included in the logging output below.
+	var endpoint url.URL
+	clientOpts := client.Options()
+	resolved, err := clientOpts.EndpointResolverV2.ResolveEndpoint(ctx, s3.EndpointParameters{
+		Region:         aws.String(clientOpts.Region),
+		UseFIPS:        aws.Bool(clientOpts.EndpointOptions.UseFIPSEndpoint == aws.FIPSEndpointStateEnabled),
+		Endpoint:       clientOpts.BaseEndpoint,
+		ForcePathStyle: aws.Bool(clientOpts.UsePathStyle),
+	})
+	if err == nil {
+		endpoint = resolved.URI
+	}
+
+	h.logger.InfoContext(ctx, "Setting up bucket S3 completed",
+		"bucket", h.Bucket,
+		"duration", time.Since(start),
+		"endpoint", logutils.StringerAttr(&endpoint),
+	)
 	return h, nil
 }