-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The new tracing enhancement seems to break filtered SNS/SQS subscriptions #232
Comments
Hi @dls314 - unfortunately MessageAttributes is our only option to pass trace context via SNS. If you're using topic filters and Datadog, please try adding This is a limitation of AWS (as documented here: https://docs.aws.amazon.com/sns/latest/dg/and-or-logic.html) We will update our documentation to reflect this. |
I have other message attributes that don't appear in my normal filters, so adding an existence filter on the Do you have a CFN filter syntax snippet that you can share? |
Can you share your current filters? Here's a example:
|
Usually I use a filter policy that matches 2 out of the 5 attributes on a message, that one looks something like this "FilterPolicy": {
"schemaName": [
"AnEventSchemaName"
],
"schemaVersion": [
"1"
]
}, Messages that successfully pass that filter also have other attributes, and before the stringified JSON in the new Do you know if there's something special about the use of the stringified JSON that requires the addition of the exists filter for :-) This feels like a |
It's definitely worthwhile -- I wonder if "not working without an explicit filter" is AWS's plan here? I've opened a support ticket to ask that :-) |
Meanwhile, please do confirm if allowing Thanks again! |
Maybe the https://docs.aws.amazon.com/sns/latest/dg/subscription-filter-policy-constraints.html |
I see, it's interesting that there is a limit of 5 filters, when the limit for the number of message attributes is 10. We could explore using a binary data type in this context. |
After looking at our use cases, I'm sorry, but we can't add an exists filter on the In most places, our SNS topics are published to by some publishers that do come from lambda functions instrumented by the Datadog lambda layer, but those same topics are also published to by other publishers that may/do not use the Datadog lambda layer (e.g. directly from Lambda step functions, from test automation, etc). I'll complete some testing to see if the exists filter on the If the binary data type doesn't work out, could the plugin add a flag to disable the new SNS tracing so I can stay on the latest plugin versions instead of pinning? |
I know this is not the right place (but the discussion is open) to discuss the dd-trace changes, but I'm not sure that using only the first message in a batch publication as the injectPath is going to work out over here: https://github.com/DataDog/dd-trace-js/blob/master/packages/datadog-plugin-aws-sdk/src/services/sns.js#L27 With filtering, some messages might be handled by one subscriber and some by another -- if only the first message in a batch is traced, there will be some holes. |
Right, as I pointed out above if you're in a situation where some messages have datadog trace context and others don't, the solution from AWS is to create two subscriptions pointed towards your function, one with a filter including the There is a limit of 200 total filter policies per AWS account, but that can be increased via a quota request.
Yes this was subject to significant internal debate and ultimately decided against to limit overhead. We can discuss a solution where multiple messages could be instrumented, or perhaps could also provide these methods as helpers for users to inject trace context themselves (which is still an option) |
I was able to test the suggested change of adding an existence filter for the It looks like I hope that a change to the |
Hi @dls314 - I've replicated this issue, it's baffling. Please bear with me as we seek clarity from AWS.
|
That's unfortunate. I don't know if dd-trace has the hooks to de/serialize attribute content, but if so, and there's no better answer from AWS, maybe a base64 encode of the JSON would pass as a string or binary value. For working around this issue, Is version 3.6.0 of the plugin the last version before the change (downgrading there does work for me)? Is there anything else that should be pinned back? |
Yes, your versions are all correct. I've been able to get this to work using a base64 encoded string, which we'll utilize if we get no answer from AWS going forward. |
Hi @dls314 - quick update here. I spent yesterday constructing a minimally reproducible example of this bug, and sent it to AWS https://github.com/astuyve/sns-filters. The initial response from AWS Support is that they were able to confirm this is occurring, and that it is a bug. Regardless of if they fix this issue, we're going to b64 encode the trace context and pass it as Thanks again for your patience and detailed report! |
Hi @dls314, @nvinchhi-extron, @gbo-actual, and anyone else watching this issue. I've just released a new version of this library which handles trace context via b64 encoded strings in the Binary. Its version 5.72.0, and Layer version 72. Thanks! |
Testing with |
@dls314 Sounds good, I'll publish a new version of the datadog plugin today! |
Hey there @astuyve, are there any demo examples of the sqs/sns trace context propagation with |
Hi @colesiegel - No configuration changes should be required, but I'd recommend enabling debug logger for the tracer via Here's the logic (for nodejs) which injects context into sns: https://github.com/DataDog/dd-trace-js/blob/master/packages/datadog-plugin-aws-sdk/src/services/sns.js#L20-L47 as you can see there are a couple of cases (eg: your sns message already has 10 MessageAttribute items) where we won't inject context. If you're still experiencing this, please open a new issue with a minimally reproducible example so that we can triage and give more direct support. Thanks! |
Expected Behavior
Using the new tracing feature doesn't change how my system was working; even if it uses SNS/SQS message filtering
Actual Behavior
When the plugin / lambda layer adds in the SNS message attribute that enables tracing, existing SNS/SQS message filters don't seem to deliver the messages.
Steps to Reproduce the Problem
Using some SNS/SQS filters that worked when using plugin version 3.4.0 and lambda layer version Datadog-Node12-x:66
Update and re-build using plugin version 3.7.1 and lambda layer version Datadog-Node14-x:70
Subscribe something non-filtered to the SNS topic (like an email address)
Run some tests, see non-delivery to SQS that is filtered and delivery to email that is unfiltered and includes the
_datadog
message attribute(to confirm) downgrade plugin and re-build/deploy (
in progress). Downgrading the serverless-plugin-datadog to 3.6.0 fixed the issue for meSpecifications
Stacktrace
No errors are shown, SNS isn't delivering because of something in the filtering. I'm not certain that you're able to put structured text into the SNS string message attribute in the way that this change is doing
I see a message with an attribute like this (taken from a JSON-email delivery, the escaping may be an artifact of that)
The text was updated successfully, but these errors were encountered: