Add metrics in SecretsRefreshJob for SecretsManager exceptions (#6252)

* Add metrics for SecretsManager ResourceNotFound and LimitExceeded exception

Author: bninishi

data-prepper-plugins/aws-plugin/src/main/java/org/opensearch/dataprepper/plugins/aws/SecretsRefreshJob.java

@@ -11,12 +11,18 @@
 import org.opensearch.dataprepper.model.plugin.PluginConfigPublisher;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import software.amazon.awssdk.services.secretsmanager.model.SecretsManagerException;
+import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.secretsmanager.model.LimitExceededException;
 
 public class SecretsRefreshJob implements Runnable {
     private static final Logger LOG = LoggerFactory.getLogger(SecretsRefreshJob.class);
     static final String SECRETS_REFRESH_SUCCESS = "secretsRefreshSuccess";
     static final String SECRETS_REFRESH_FAILURE = "secretsRefreshFailure";
     static final String SECRETS_REFRESH_DURATION = "secretsRefreshDuration";
+    static final String SECRETS_SECRET_NOT_FOUND = "secretsSecretNotFound";
+    static final String SECRETS_LIMIT_EXCEEDED = "secretsLimitExceeded";
+    static final String SECRETS_ACCESS_DENIED = "secretsAccessDenied";
     static final String SECRET_CONFIG_ID_TAG = "secretConfigId";
     private final String secretConfigId;
     private final SecretsSupplier secretsSupplier;
@@ -25,6 +31,9 @@ public class SecretsRefreshJob implements Runnable {
     private final Counter secretsRefreshSuccessCounter;
     private final Counter secretsRefreshFailureCounter;
     private final Timer secretsRefreshTimer;
+    private final Counter secretsSecretNotFoundCounter;
+    private final Counter secretsLimitExceededCounter;
+    private final Counter secretsAccessDeniedCounter;
 
     public SecretsRefreshJob(final String secretConfigId,
                              final SecretsSupplier secretsSupplier,
@@ -40,6 +49,12 @@ public SecretsRefreshJob(final String secretConfigId,
                 SECRETS_REFRESH_FAILURE, SECRET_CONFIG_ID_TAG, secretConfigId);
         this.secretsRefreshTimer = pluginMetrics.timerWithTags(
                 SECRETS_REFRESH_DURATION, SECRET_CONFIG_ID_TAG, secretConfigId);
+        this.secretsSecretNotFoundCounter = pluginMetrics.counterWithTags(
+                SECRETS_SECRET_NOT_FOUND, SECRET_CONFIG_ID_TAG, secretConfigId);
+        this.secretsLimitExceededCounter = pluginMetrics.counterWithTags(
+                SECRETS_LIMIT_EXCEEDED, SECRET_CONFIG_ID_TAG, secretConfigId);
+        this.secretsAccessDeniedCounter = pluginMetrics.counterWithTags(
+                SECRETS_ACCESS_DENIED, SECRET_CONFIG_ID_TAG, secretConfigId);
     }
 
     @Override
@@ -50,6 +65,17 @@ public void run() {
                 secretsRefreshSuccessCounter.increment();
                 pluginConfigPublisher.notifyAllPluginConfigObservable();
             } catch(Exception e) {
+                if (e instanceof SecretsManagerException) {
+                    SecretsManagerException sme = (SecretsManagerException) e;
+                    if (sme instanceof ResourceNotFoundException) {
+                        secretsSecretNotFoundCounter.increment();
+                    } else if (sme instanceof LimitExceededException) {
+                        secretsLimitExceededCounter.increment();
+                    } else if (sme.awsErrorDetails() != null && 
+                               "AccessDeniedException".equals(sme.awsErrorDetails().errorCode())) {
+                        secretsAccessDeniedCounter.increment();
+                    }
+                }
                 LOG.error("Failed to refresh secrets in aws:secrets:{}.", secretConfigId, e);
                 secretsRefreshFailureCounter.increment();
             }

data-prepper-plugins/aws-plugin/src/test/java/org/opensearch/dataprepper/plugins/aws/SecretsRefreshJobTest.java

@@ -14,6 +14,10 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.opensearch.dataprepper.metrics.PluginMetrics;
 import org.opensearch.dataprepper.model.plugin.PluginConfigPublisher;
+import software.amazon.awssdk.awscore.exception.AwsErrorDetails;
+import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.secretsmanager.model.LimitExceededException;
+import software.amazon.awssdk.services.secretsmanager.model.InvalidRequestException;
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
@@ -25,6 +29,9 @@
 import static org.opensearch.dataprepper.plugins.aws.SecretsRefreshJob.SECRETS_REFRESH_DURATION;
 import static org.opensearch.dataprepper.plugins.aws.SecretsRefreshJob.SECRETS_REFRESH_FAILURE;
 import static org.opensearch.dataprepper.plugins.aws.SecretsRefreshJob.SECRETS_REFRESH_SUCCESS;
+import static org.opensearch.dataprepper.plugins.aws.SecretsRefreshJob.SECRETS_SECRET_NOT_FOUND;
+import static org.opensearch.dataprepper.plugins.aws.SecretsRefreshJob.SECRETS_LIMIT_EXCEEDED;
+import static org.opensearch.dataprepper.plugins.aws.SecretsRefreshJob.SECRETS_ACCESS_DENIED;
 import static org.opensearch.dataprepper.plugins.aws.SecretsRefreshJob.SECRET_CONFIG_ID_TAG;
 
 @ExtendWith(MockitoExtension.class)
@@ -48,6 +55,15 @@ class SecretsRefreshJobTest {
     @Mock
     private Timer secretsRefreshTimer;
 
+    @Mock
+    private Counter secretsSecretNotFoundCounter;
+
+    @Mock
+    private Counter secretsLimitExceededCounter;
+
+    @Mock
+    private Counter secretsAccessDeniedCounter;
+
     private SecretsRefreshJob objectUnderTest;
 
     @BeforeEach
@@ -65,6 +81,15 @@ void setUp() {
         when(pluginMetrics.timerWithTags(
                 eq(SECRETS_REFRESH_DURATION), eq(SECRET_CONFIG_ID_TAG), eq(TEST_SECRET_CONFIG_ID)))
                 .thenReturn(secretsRefreshTimer);
+        when(pluginMetrics.counterWithTags(
+                eq(SECRETS_SECRET_NOT_FOUND), eq(SECRET_CONFIG_ID_TAG), eq(TEST_SECRET_CONFIG_ID)))
+                .thenReturn(secretsSecretNotFoundCounter);
+        when(pluginMetrics.counterWithTags(
+                eq(SECRETS_LIMIT_EXCEEDED), eq(SECRET_CONFIG_ID_TAG), eq(TEST_SECRET_CONFIG_ID)))
+                .thenReturn(secretsLimitExceededCounter);
+        when(pluginMetrics.counterWithTags(
+                eq(SECRETS_ACCESS_DENIED), eq(SECRET_CONFIG_ID_TAG), eq(TEST_SECRET_CONFIG_ID)))
+                .thenReturn(secretsAccessDeniedCounter);
         objectUnderTest = new SecretsRefreshJob(
                 TEST_SECRET_CONFIG_ID, secretsSupplier, pluginConfigPublisher, pluginMetrics);
     }
@@ -90,5 +115,59 @@ void testRunWithRefreshFailure() {
         verifyNoInteractions(pluginConfigPublisher);
         verifyNoInteractions(secretsRefreshSuccessCounter);
         verify(secretsRefreshFailureCounter).increment();
+        verifyNoInteractions(secretsSecretNotFoundCounter);
+        verifyNoInteractions(secretsLimitExceededCounter);
+        verifyNoInteractions(secretsAccessDeniedCounter);
+    }
+
+    @Test
+    void testRunWithResourceNotFoundException() {
+        doThrow(ResourceNotFoundException.class).when(secretsSupplier).refresh(eq(TEST_SECRET_CONFIG_ID));
+        objectUnderTest.run();
+
+        verify(secretsRefreshTimer).record(any(Runnable.class));
+        verify(secretsSupplier).refresh(TEST_SECRET_CONFIG_ID);
+        verifyNoInteractions(pluginConfigPublisher);
+        verifyNoInteractions(secretsRefreshSuccessCounter);
+        verify(secretsRefreshFailureCounter).increment();
+        verify(secretsSecretNotFoundCounter).increment();
+        verifyNoInteractions(secretsLimitExceededCounter);
+        verifyNoInteractions(secretsAccessDeniedCounter);
+    }
+
+    @Test
+    void testRunWithLimitExceededException() {
+        doThrow(LimitExceededException.class).when(secretsSupplier).refresh(eq(TEST_SECRET_CONFIG_ID));
+        objectUnderTest.run();
+
+        verify(secretsRefreshTimer).record(any(Runnable.class));
+        verify(secretsSupplier).refresh(TEST_SECRET_CONFIG_ID);
+        verifyNoInteractions(pluginConfigPublisher);
+        verifyNoInteractions(secretsRefreshSuccessCounter);
+        verify(secretsRefreshFailureCounter).increment();
+        verify(secretsLimitExceededCounter).increment();
+        verifyNoInteractions(secretsSecretNotFoundCounter);
+        verifyNoInteractions(secretsAccessDeniedCounter);
+    }
+
+    @Test
+    void testRunWithAccessDeniedException() {
+        final InvalidRequestException accessDeniedException = InvalidRequestException.builder()
+                .awsErrorDetails(AwsErrorDetails.builder()
+                        .errorCode("AccessDeniedException")
+                        .build())
+                .build();
+        doThrow(accessDeniedException).when(secretsSupplier).refresh(eq(TEST_SECRET_CONFIG_ID));
+        
+        objectUnderTest.run();
+
+        verify(secretsRefreshTimer).record(any(Runnable.class));
+        verify(secretsSupplier).refresh(TEST_SECRET_CONFIG_ID);
+        verifyNoInteractions(pluginConfigPublisher);
+        verifyNoInteractions(secretsRefreshSuccessCounter);
+        verify(secretsRefreshFailureCounter).increment();
+        verify(secretsAccessDeniedCounter).increment();
+        verifyNoInteractions(secretsSecretNotFoundCounter);
+        verifyNoInteractions(secretsLimitExceededCounter);
     }
 }