cdk-monitoring-constructs
[secrets] Add support for secrets count metric
Feature scope
AWS Secrets Manager
Describe your suggested feature
Announced in https://aws.amazon.com/about-aws/whats-new/2022/05/aws-secrets-manager-publishes-usage-metrics-to-amazon-cloudwatch/
Docs: https://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring-cloudwatch.html
Interesting. Do you have any example of a use case? When would I like to get an alarm?
I personally haven't had a need for it, so I'm not too sure. The announcement does note:
You can also set alarms for an unexpected increase or decrease in number of secrets.
...which may be interesting. If anyone has a need for this, do let us know in this issue!
I was thinking of working on this issue as a first issue on this repository. Would the direction for this type of feature be creating its own module like aws-secretmanager-usage, or adding another monitoring ts file under aws-secretsmanager (like how aws-sqs has two monitoring files)?
SecretsManagerSecretMetricFactory and SecretsManagerSecretMonitoring would be appropriate places to do it.
SQS is a bit unique since we'd want slightly different metrics/dashboards for a DLQ vs. a regular queue.
Just for a little more clarity, wouldn't SecretsManagerSecretMonitoring be specifically setting up metrics on a specific secret? A metric like secrets count would be some monitor that does not take in a secret, only a scope, since it's a metric encompassing all secrets. I could make the secret parameter optional for SecretsManagerSecretMonitoring, and if no secret is passed to the monitor then it will just do a secrets count, but I'm not sure if that would be the right way to go.
Ah, got it. Yes, you're right, it'd seem appropriate to have a separate set of classes to handle these global-level metrics.
Great, thanks for the response! Would you mind assigning this to me? I'll get to work on it this week.
Comment on the change:
I created an alarm to detect any change in secret counts (addChangeInSecretCountAlarm). It works when set to just check for an increase or a decrease in count, but when both are enabled it suffers from the same issue as the AnomalyAlarm bug in issue 332.
Let me know what you think about the alarms created, and whether maybe a separate issue from this one should be created for the anomaly check when the bug is resolved.