feat: Add a param isFIPSEnabled

README.md

@@ -66,6 +66,7 @@ To further configure your plugin, use the following custom parameters in your `s
 | `enableStepFunctionsTracing`    | Enable automatic subscription of the Datadog Forwarder to Step Function log groups and Step Functions tracing. If no Step Function log groups are configured, then they are automatically created. Requires setting `forwarderArn`. Defaults to `false`.                                                                                                                                                                  |
 | `propagateUpstreamTrace` | When set to `true`, downstream Stepfunction invocation traces merge with upstream Stepfunction invocations. Defaults to `false`. |
 | `redirectHandlers`    | Optionally disable handler redirection if set to `false`. This should only be set to `false` when APM is fully disabled. Defaults to `true`.                                                                                                                                                                  |
+| `isFIPSEnabled`    |  When set to `true`, a FIPS-compliant Lambda extension layer is used. This only works if `addExtension` is `true`. Defaults to `true` if `addExtension` is `true`, and AWS region starts with `us-gov-`. Defaults to `false` otherwise.                                                                                                                                                                  |
 To use any of these parameters, add a `custom` > `datadog` section to your `serverless.yml` similar to this example:
 
 ```yaml

src/env.ts

@@ -123,6 +123,10 @@ export interface Configuration {
   // Used for testing or for someone exclusively forwarding logs
   // or including the library only for metrics.
   redirectHandlers?: boolean;
+
+  // When set to `true`, a FIPS-compliant lambda extension layer will be used.
+  // Only works if `addExtension` is `true`.
+  isFIPSEnabled?: boolean;
 }
 const webpackPluginName = "serverless-webpack";
 const apiKeyEnvVar = "DD_API_KEY";

src/index.spec.ts

@@ -347,6 +347,58 @@ describe("ServerlessPlugin", () => {
         },
       });
     });
+
+    it("adds FIPS extension layer by default for GovCloud regions", async () => {
+      mock({});
+      const serverless = {
+        cli: {
+          log: () => {},
+        },
+        getProvider: (_name: string) => awsMock(),
+        service: {
+          getServiceName: () => "dev",
+          provider: {
+            region: "us-gov-east-1",
+          },
+          functions: {
+            node1: {
+              handler: "my-func.ev",
+              layers: [],
+              runtime: "nodejs20.x",
+            },
+          },
+          custom: {
+            datadog: {
+              addExtension: true,
+              site: "ddog-gov.com",
+              apiKey: 1234,
+            },
+          },
+        },
+      };
+
+      const plugin = new ServerlessPlugin(serverless, {});
+      await plugin.hooks["before:package:createDeploymentArtifacts"]();
+      expect(serverless).toMatchObject({
+        service: {
+          functions: {
+            node1: {
+              handler: "my-func.ev",
+              layers: [
+                expect.stringMatching(/arn\:aws\-us\-gov\:lambda\:us\-gov\-east\-1\:.*\:layer\:.*/),
+                expect.stringMatching(
+                  /arn\:aws\-us\-gov\:lambda\:us\-gov\-east\-1\:.*\:layer\:Datadog-Extension-FIPS\:.*/,
+                ),
+              ],
+              runtime: "nodejs20.x",
+            },
+          },
+          provider: {
+            region: "us-gov-east-1",
+          },
+        },
+      });
+    });
   });
 
   it("Adds tracing layer for dotnet", async () => {

src/index.ts

@@ -33,7 +33,14 @@ import {
   addStepFunctionLogGroupSubscription,
 } from "./forwarder";
 import { newSimpleGit } from "./git";
-import { applyExtensionLayer, applyLambdaLibraryLayers, findHandlers, FunctionInfo, RuntimeType } from "./layer";
+import {
+  applyExtensionLayer,
+  applyLambdaLibraryLayers,
+  findHandlers,
+  FunctionInfo,
+  RuntimeType,
+  getDefaultIsFIPSEnabledFlag,
+} from "./layer";
 import * as govLayers from "./layers-gov.json";
 import * as layers from "./layers.json";
 import { getCloudFormationStackId } from "./monitor-api-requests";
@@ -139,7 +146,9 @@ module.exports = class ServerlessPlugin {
     if (config.addExtension) {
       this.serverless.cli.log("Adding Datadog Lambda Extension Layer to functions");
       this.debugLogHandlers(handlers);
-      applyExtensionLayer(this.serverless.service, handlers, allLayers, accountId);
+      const isFIPSEnabled =
+        config.isFIPSEnabled ?? getDefaultIsFIPSEnabledFlag(config, this.serverless.service.provider.region);
+      applyExtensionLayer(this.serverless.service, handlers, allLayers, accountId, isFIPSEnabled);
     } else {
       this.serverless.cli.log("Skipping adding Lambda Extension Layer");
     }

src/layer.spec.ts

@@ -938,6 +938,90 @@ describe("applyLambdaLibraryLayers", () => {
       runtime: "dotnet6",
     });
   });
+
+  it("adds the FIPS extension layer when isFIPSEnabled is true", () => {
+    const handler = {
+      handler: { runtime: "dotnet6" },
+      type: RuntimeType.DOTNET,
+      runtime: "dotnet6",
+    } as FunctionInfo;
+    const layers: LayerJSON = {
+      regions: {
+        "us-gov-east-1": {
+          extension: "arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension:47",
+          "extension-fips": "arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension-FIPS:47",
+        },
+      },
+    };
+    const mockService = createMockService(
+      "us-gov-east-1",
+      {
+        "dotnet-function": { handler: "AwsDotnetCsharp::AwsDotnetCsharp.Handler::HelloWorld", runtime: "dotnet6" },
+      },
+      "x86_64",
+    );
+    applyExtensionLayer(mockService, [handler], layers, undefined, true);
+    expect(handler.handler).toEqual({
+      runtime: "dotnet6",
+      layers: ["arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension-FIPS:47"],
+    });
+  });
+
+  it("adds the ARM FIPS extension layer when isFIPSEnabled is true", () => {
+    const handler = {
+      handler: { runtime: "dotnet6" },
+      type: RuntimeType.DOTNET,
+      runtime: "dotnet6",
+    } as FunctionInfo;
+    const layers: LayerJSON = {
+      regions: {
+        "us-gov-east-1": {
+          "extension-arm": "arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension:47",
+          "extension-arm-fips": "arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension-FIPS:47",
+        },
+      },
+    };
+    const mockService = createMockService(
+      "us-gov-east-1",
+      {
+        "dotnet-function": { handler: "AwsDotnetCsharp::AwsDotnetCsharp.Handler::HelloWorld", runtime: "dotnet6" },
+      },
+      "arm64",
+    );
+    applyExtensionLayer(mockService, [handler], layers, undefined, true);
+    expect(handler.handler).toEqual({
+      runtime: "dotnet6",
+      layers: ["arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension-FIPS:47"],
+    });
+  });
+
+  it("does not add the FIPS extension layer when isFIPSEnabled is false", () => {
+    const handler = {
+      handler: { runtime: "dotnet6" },
+      type: RuntimeType.DOTNET,
+      runtime: "dotnet6",
+    } as FunctionInfo;
+    const layers: LayerJSON = {
+      regions: {
+        "us-gov-east-1": {
+          extension: "arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension:47",
+          "extension-fips": "arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension-FIPS:47",
+        },
+      },
+    };
+    const mockService = createMockService(
+      "us-gov-east-1",
+      {
+        "dotnet-function": { handler: "AwsDotnetCsharp::AwsDotnetCsharp.Handler::HelloWorld", runtime: "dotnet6" },
+      },
+      "x86_64",
+    );
+    applyExtensionLayer(mockService, [handler], layers, undefined, false);
+    expect(handler.handler).toEqual({
+      runtime: "dotnet6",
+      layers: ["arn:aws:lambda:us-gov-east-1:464622532012:layer:Datadog-Extension:47"],
+    });
+  });
 });
 
 describe("pushLayerARN", () => {

src/layer.ts

@@ -7,6 +7,7 @@
  */
 import { FunctionDefinition, FunctionDefinitionHandler } from "serverless";
 import Service from "serverless/classes/Service";
+import { Configuration } from "./env";
 
 export enum RuntimeType {
   NODE = "node",
@@ -221,6 +222,7 @@ export function applyExtensionLayer(
   handlers: FunctionInfo[],
   layers: LayerJSON,
   accountId?: string,
+  isFIPSEnabled: boolean = false,
 ): void {
   const { region } = service.provider;
   // It's possible a local account layer is being used in a region we have not published to so we use a default region's ARNs
@@ -247,6 +249,10 @@ export function applyExtensionLayer(
       extensionLayerKey = ARM_RUNTIME_KEYS[extensionLayerKey];
     }
 
+    if (isFIPSEnabled) {
+      extensionLayerKey = `${extensionLayerKey}-fips`;
+    }
+
     let extensionARN = regionRuntimes[extensionLayerKey];
     if (accountId && extensionARN) {
       extensionARN = buildLocalLambdaLayerARN(extensionARN, accountId, region);
@@ -268,6 +274,14 @@ export function isFunctionDefinitionHandler(funcDef: FunctionDefinition): funcDe
   return typeof (funcDef as any).handler === "string";
 }
 
+/**
+ * The isFIPSEnabled flag defaults to `true` if `addExtension` is `true` and region
+ * starts with "us-gov-". It defaults to `false` otherwise.
+ */
+export function getDefaultIsFIPSEnabledFlag(config: Configuration, region: string): boolean {
+  return config.addExtension && region.startsWith("us-gov-");
+}
+
 function addLayer(service: Service, handler: FunctionInfo, layerArn: string): void {
   setLayers(handler, pushLayerARN(layerArn, getLayers(service, handler)));
 }