feat(remote/aws): support AWS Secrets Manager as remote component

[hainenber]

PR Description

Which issue(s) this PR fixes

Closes #689

Notes to the Reviewer

• Should I poll the Secrets Manager API continuously to fetch latest secret. Pricing per API calls for Secrets Manager is much expensive compared to AWS SSM Parameter Store and AWS S3 API calls so I'm hesitant to implement poller. Would like to hear everyone thoughts about it.
• I expose the inner component.Component in componenttest in order to verify the component's health status. Is this A-OK?

PR Checklist

• CHANGELOG.md updated
• Documentation added
• Tests added

[mattdurham]

I think it would be nice if it could poll but set the default to not poll. Most of our pulling mechanisms support it so it would be odd if this one did not have that capability.

[hainenber]

Thanks Matt! I'll implement the poller and fix whatever makes the tests failed.

Maybe in the long run, we can have a reusable implementation. But that's for another day, I suppose :D

[hainenber]

@rfratto pinging 'cause you authored this in the past. Do you know why this returns nil in the present of non-nil error? 👀

[rfratto]

I think remote.s3 is originally from @mattdurham; do you remember if this is intentional? It does look a little like a typo to silently ignore the error here.

[mattdurham]

Ooof, I cant think of a good reason why I did that.

[clayton-cornell]

Docs look ok.

[clayton-cornell]

Approving for docs. Still needs a code review fom @grafana/grafana-alloy-maintainers

[rfratto]

I think it would be nice if it could poll but set the default to not poll. Most of our pulling mechanisms support it so it would be odd if this one did not have that capability.

@mattdurham Can you help me understand setting the default to not poll for updates? Don't all of our components default to polling in the background?

[rfratto]

Nice! Few questions (for both you and @mattdurham) but this is coming along nicely :)

[rfratto]

Can we add a test for decoding this? I don't think alloy/syntax supports anonymous fields like this, and they have to be named like

type Client struct {
  CommonConfig aws_common_config.Client `alloy:",squash"` 
  UsePathStyle bool                     `alloy:"use_path_style,attr,optional"`
}

[rfratto]

This wasn't set before in the old code; does this break anything for remote.s3?

[rfratto]

This wasn't set before in the old code; does this break anything for remote.s3?

[rfratto]

We've started to move away from the pattern of having default arguments as a variable because in some cases (like a default map or slice) memory gets accidentally shared and the defaults get overridden.

Suggested change

	// DefaultArguments holds default settings for Arguments.
	var DefaultArguments = Arguments{
	SecretVersion: "AWSCURRENT",
	}
	// SetToDefault implements syntax.Defaulter.
	func (a *Arguments) SetToDefault() {
	*a = DefaultArguments
	}
	// SetToDefault implements syntax.Defaulter.
	func (a *Arguments) SetToDefault() {
	*a = Arguments{
	SecretVersion: "AWSCURRENT",
	}
	}

[rfratto]

There's a bug here: If the poll frequency is set to non-zero after the component was already constructed, then it will never poll.

[rfratto]

nit: technically this method gets the secret synchronously. A more fitting name might be getAndSendSecret, as the method gets the secret and then writes the result to a channel.

[rfratto]

Is there a reason we're not propagating the context here?

[mattdurham]

My thought on the default to not polling is related to this comment Pricing per API calls for Secrets Manager is much expensive compared to AWS SSM Parameter Store and AWS S3 API. if it is expensive default to no but allow it to be poll. Also fine with the other direction, default to a low poll rate.

[rfratto]

Comparing the pricing of AWS Secrets Manager to S3 does show that secrets manager is more expensive, but perhaps not significantly:

• AWS Secrets manager: $0.05 per 10,000 API calls
• S3: $0.004 per 10,000 GET calls

It will take 200,000 polls of secrets for it to cost $1 USD. If we set the polling interval to hourly, and you had 100 Alloy instances all running the same component, that would still only be 73,000 polls per month ($0.36).

It seems like the cost is reasonable enough if we used a 1h polling interval by default. If you're running Alloy in an environment where you need AWS secrets manager (likely Enterprise-like), running Alloy itself probably costs orders of magnitude more money than the secrets manager bill would be.

WDYT @mattdurham?