use fips endpoints in govcloud regions

Author: nhulston

datadog_lambda/api.py

@@ -64,16 +64,36 @@ def get_api_key() -> str:
     DD_KMS_API_KEY = os.environ.get("DD_KMS_API_KEY", "")
     DD_API_KEY = os.environ.get("DD_API_KEY", os.environ.get("DATADOG_API_KEY", ""))
 
+    REGION = os.environ.get("AWS_REGION", "")
+    is_gov_region = REGION.startswith("us-gov-")
+
     if DD_API_KEY_SECRET_ARN:
-        api_key = boto3.client("secretsmanager").get_secret_value(
+        # Secrets manager endpoints: https://docs.aws.amazon.com/general/latest/gr/asm.html
+        fips_endpoint = f"https://secretsmanager-fips.{REGION}.amazonaws.com" if is_gov_region else None
+        secrets_manager_client = boto3.client(
+            "secretsmanager",
+            endpoint_url=fips_endpoint
+        )
+        api_key = secrets_manager_client.get_secret_value(
             SecretId=DD_API_KEY_SECRET_ARN
         )["SecretString"]
     elif DD_API_KEY_SSM_NAME:
-        api_key = boto3.client("ssm").get_parameter(
+        # SSM endpoints: https://docs.aws.amazon.com/general/latest/gr/ssm.html
+        fips_endpoint = f"https://ssm-fips.{REGION}.amazonaws.com" if is_gov_region else None
+        ssm_client = boto3.client(
+            "ssm",
+            endpoint_url=fips_endpoint
+        )
+        api_key = ssm_client.get_parameter(
             Name=DD_API_KEY_SSM_NAME, WithDecryption=True
         )["Parameter"]["Value"]
     elif DD_KMS_API_KEY:
-        kms_client = boto3.client("kms")
+        # KMS endpoints: https://docs.aws.amazon.com/general/latest/gr/kms.html
+        fips_endpoint = f"https://kms-fips.{REGION}.amazonaws.com" if is_gov_region else None
+        kms_client = boto3.client(
+            "kms",
+            endpoint_url=fips_endpoint
+        )
         api_key = decrypt_kms_api_key(kms_client, DD_KMS_API_KEY)
     else:
         api_key = DD_API_KEY