
feat: add CloudWatch Metric Stream tag enrichment Lambda#155

Open

karthikeyangs9 wants to merge 3 commits into main from feat/aws-cloudwatch-metric-enrichment

Conversation

karthikeyangs9 (Contributor) commented Apr 3, 2026

Summary

  • Adds aws/cloudwatch-metric-enrichment/ — a Go Lambda that enriches CloudWatch Metric Stream OTLP data with AWS resource tags via Kinesis Data Firehose transformation
  • Tag enrichment requires OTel 1.0 format (KvlistValue dimensions needed for resource matching). OTel 0.7 data is decoded gracefully but cannot be enriched (dimensions are absent)
  • Includes cross-account tag lookups via STS role assumption and file-based tag caching for warm Lambda invocations
  • Ported from product-integrations/lambdas/cloudwatch-metric-enrichment with CLAUDE.md compliance fixes:
    • Excluded binaries (bootstrap, bootstrap.zip), build artifacts (.aws-sam/), and deployment config (samconfig.toml)
    • Split otlp/compat.go (315 lines) into compat_strip.go + compat_inject.go to meet 300-line limit
    • Added .gitignore, .env.example, and restructured README
    • Excluded cmd/testinvoke/ developer utility
    • Updated Go module path to github.com/last9/opentelemetry-examples/aws/cloudwatch-metric-enrichment
    • Fixed CodeQL path traversal finding: sanitized cache file paths from OTLP-derived namespace/accountID values

Test plan

  • go test -v -race ./... — 29/29 tests pass across all 5 packages
  • go vet ./... — clean
  • go mod tidy — no extraneous dependencies
  • All production files under 300-line limit (max: 228 lines)
  • No binaries, secrets, or build artifacts in commit

Go Lambda that enriches CloudWatch Metric Stream OTLP data with AWS
resource tags via Kinesis Data Firehose transformation. Supports OTel
1.0 and 0.7 formats, cross-account tag lookups, and file-based caching.

Addresses CodeQL finding: namespace and accountID from OTLP data are
used in file paths. Now strips non-alphanumeric characters and validates
the resolved path stays within the cache directory.

Move filepath.Abs + strings.HasPrefix check into GetResources directly
so the validated path and file operations are in the same function scope.
CodeQL requires the sanitizer and sink to be in the same data flow.
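The sanitize-then-validate pattern those commit messages describe, as an added example that is not the PR's own code: the function names, the <namespace>-<accountID>.json file layout and the regexp are assumptions. It goes one step beyond the description by comparing against the cache root with a trailing separator, so a sibling directory that merely shares the root's prefix is rejected as well.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// OTLP-derived namespace/accountID are reduced to [A-Za-z0-9] before use in a path.
var nonAlnum = regexp.MustCompile(`[^A-Za-z0-9]`)
var errOutsideCacheDir = errors.New("cache path resolves outside cache directory")

// sanitizeComponent strips separators, dot-segments and everything else that
// is not alphanumeric: "../AWS/EC2" becomes "AWSEC2".
func sanitizeComponent(s string) string {
	return nonAlnum.ReplaceAllString(s, "")
}

// withinDir reports whether absolute path p lies strictly inside root. The trailing
// separator matters: HasPrefix(p, root) alone also accepts a sibling like root+"-other".
func withinDir(root, p string) bool {
	return strings.HasPrefix(p, root+string(filepath.Separator))
}

// loadCachedTags reads <cacheDir>/<namespace>-<accountID>.json (assumed layout). Sanitising,
// the containment check and the file read sit in one function scope, as the GetResources commit describes.
func loadCachedTags(cacheDir, namespace, accountID string) ([]byte, error) {
	ns, acct := sanitizeComponent(namespace), sanitizeComponent(accountID)
	if ns == "" || acct == "" {
		return nil, errors.New("empty namespace or accountID after sanitising")
	}
	root, err := filepath.Abs(cacheDir)
	if err != nil {
		return nil, err
	}
	p := filepath.Join(root, ns+"-"+acct+".json") // Join also cleans the result
	if !withinDir(root, p) {
		return nil, errOutsideCacheDir
	}
	return os.ReadFile(p) // the sink, guarded by the check just above
}

func main() {
	if _, err := loadCachedTags(os.TempDir(), "AWS/EC2", "123456789012"); err != nil {
		os.Stderr.WriteString(err.Error() + "\n")
	}
}
```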