refactor: kms decrypt analytics config (#3984)

Cargo.lock

@@ -349,6 +349,7 @@ dependencies = [
  "error-stack",
  "external_services",
  "futures 0.3.28",
+ "hyperswitch_interfaces",
  "masking",
  "once_cell",
  "reqwest",

crates/analytics/Cargo.toml

@@ -13,6 +13,7 @@ api_models = { version = "0.1.0", path = "../api_models" , features = ["errors"]
 storage_impl = { version = "0.1.0", path = "../storage_impl", default-features = false }
 common_utils = { version = "0.1.0", path = "../common_utils" }
 external_services = { version = "0.1.0", path = "../external_services", default-features = false }
+hyperswitch_interfaces = { version = "0.1.0", path = "../hyperswitch_interfaces" }
 masking = { version = "0.1.0", path = "../masking" }
 router_env = { version = "0.1.0", path = "../router_env", features = ["log_extra_implicit_fields", "log_custom_entries_to_extra"] }
 diesel_models = { version = "0.1.0", path = "../diesel_models", features = ["kv_store"] }

crates/analytics/src/lib.rs

@@ -15,7 +15,13 @@ pub mod sdk_events;
 mod sqlx;
 mod types;
 use api_event::metrics::{ApiEventMetric, ApiEventMetricRow};
+use common_utils::errors::CustomResult;
 use disputes::metrics::{DisputeMetric, DisputeMetricRow};
+use hyperswitch_interfaces::secrets_interface::{
+    secret_handler::SecretsHandler,
+    secret_state::{RawSecret, SecretStateContainer, SecuredSecret},
+    SecretManagementInterface, SecretsManagementError,
+};
 pub use types::AnalyticsDomain;
 pub mod lambda_utils;
 pub mod utils;
@@ -598,6 +604,51 @@ pub enum AnalyticsConfig {
     },
 }
 
+#[async_trait::async_trait]
+impl SecretsHandler for AnalyticsConfig {
+    async fn convert_to_raw_secret(
+        value: SecretStateContainer<Self, SecuredSecret>,
+        secret_management_client: &dyn SecretManagementInterface,
+    ) -> CustomResult<SecretStateContainer<Self, RawSecret>, SecretsManagementError> {
+        let analytics_config = value.get_inner();
+        let decrypted_password = match analytics_config {
+            // Todo: Perform kms decryption of clickhouse password
+            Self::Clickhouse { .. } => masking::Secret::new(String::default()),
+            Self::Sqlx { sqlx }
+            | Self::CombinedCkh { sqlx, .. }
+            | Self::CombinedSqlx { sqlx, .. } => {
+                secret_management_client
+                    .get_secret(sqlx.password.clone())
+                    .await?
+            }
+        };
+
+        Ok(value.transition_state(|conf| match conf {
+            Self::Sqlx { sqlx } => Self::Sqlx {
+                sqlx: Database {
+                    password: decrypted_password,
+                    ..sqlx
+                },
+            },
+            Self::Clickhouse { clickhouse } => Self::Clickhouse { clickhouse },
+            Self::CombinedCkh { sqlx, clickhouse } => Self::CombinedCkh {
+                sqlx: Database {
+                    password: decrypted_password,
+                    ..sqlx
+                },
+                clickhouse,
+            },
+            Self::CombinedSqlx { sqlx, clickhouse } => Self::CombinedSqlx {
+                sqlx: Database {
+                    password: decrypted_password,
+                    ..sqlx
+                },
+                clickhouse,
+            },
+        }))
+    }
+}
+
 impl Default for AnalyticsConfig {
     fn default() -> Self {
         Self::Sqlx {

crates/router/src/configs/secrets_transformers.rs

@@ -233,6 +233,13 @@ pub(crate) async fn fetch_raw_secrets(
             .await
             .expect("Failed to decrypt master database configuration");
 
+    #[cfg(feature = "olap")]
+    #[allow(clippy::expect_used)]
+    let analytics =
+        analytics::AnalyticsConfig::convert_to_raw_secret(conf.analytics, secret_management_client)
+            .await
+            .expect("Failed to decrypt analytics configuration");
+
     #[cfg(feature = "olap")]
     #[allow(clippy::expect_used)]
     let replica_database =
@@ -342,7 +349,7 @@ pub(crate) async fn fetch_raw_secrets(
         temp_locker_enable_config: conf.temp_locker_enable_config,
         payment_link: conf.payment_link,
         #[cfg(feature = "olap")]
-        analytics: conf.analytics,
+        analytics,
         #[cfg(feature = "kv_store")]
         kv_config: conf.kv_config,
         #[cfg(feature = "frm")]

crates/router/src/configs/settings.rs

@@ -105,7 +105,7 @@ pub struct Settings<S: SecretState> {
     pub temp_locker_enable_config: TempLockerEnableConfig,
     pub payment_link: PaymentLink,
     #[cfg(feature = "olap")]
-    pub analytics: AnalyticsConfig,
+    pub analytics: SecretStateContainer<AnalyticsConfig, S>,
     #[cfg(feature = "kv_store")]
     pub kv_config: KvConfig,
     #[cfg(feature = "frm")]

crates/router/src/routes/app.rs

@@ -200,7 +200,8 @@ impl AppState {
             };
 
             #[cfg(feature = "olap")]
-            let pool = crate::analytics::AnalyticsProvider::from_conf(&conf.analytics).await;
+            let pool =
+                crate::analytics::AnalyticsProvider::from_conf(conf.analytics.get_inner()).await;
 
             #[cfg(feature = "email")]
             let email_client = Arc::new(create_email_client(&conf).await);