aws-inventory 0.2.0

data/lib/inventory/iam/summary.rb

@@ -0,0 +1,16 @@
+class Inventory::Iam
+  class Summary < Inventory::Base
+    include Shared
+
+    def header
+      ["Summary", "Count"]
+    end
+
+    def data
+      [
+        ["Groups", groups.size],
+        ["Users", users.size]
+      ]
+    end
+  end
+end

data/lib/inventory/iam/user.rb

@@ -0,0 +1,21 @@
+class Inventory::Iam
+  class User < Inventory::Base
+    include Shared
+
+    def header
+      ["User", "Password Last Used"]
+    end
+
+    def data
+      users.map do |user|
+        group_names = group_names(user).join(',')
+
+        [user.user_name, group_names]
+      end
+    end
+
+    def sort(data)
+      data.sort_by { |item| item[1].to_i }.reverse
+    end
+  end
+end

data/lib/inventory/keypair.rb

@@ -0,0 +1,25 @@
+class Inventory::Keypair < Inventory::Base
+  def header
+    ["Key Name", "Instance Count"]
+  end
+
+  def data
+    key_pairs.map do |key|
+      instance_count = instance_count(key)
+
+      [key.key_name, instance_count]
+    end
+  end
+
+  def sort(data)
+    data.sort_by { |i| i[1] }.reverse
+  end
+
+  def key_pairs
+    @key_pairs ||= ec2.describe_key_pairs.key_pairs
+  end
+
+  def instance_count(key)
+    instances.count { |i| i.key_name == key.key_name }
+  end
+end

data/lib/inventory/presenter.rb

@@ -0,0 +1,20 @@
+class Inventory::Presenter
+  autoload :Base, "inventory/presenters/base"
+  autoload :Tab, "inventory/presenters/tab"
+  autoload :Table, "inventory/presenters/table"
+
+  def initialize(data)
+    @data = data
+  end
+
+  def display
+    presenter_class = "Inventory::Presenter::#{format.classify}".constantize
+    presenter = presenter_class.new(@data)
+    presenter.display
+  end
+
+  # Formats: tabs, markdown
+  def format
+    ENV['AWS_INVENTORY_FORMAT'] || "table"
+  end
+end

data/lib/inventory/presenters/base.rb

@@ -0,0 +1,5 @@
+class Inventory::Presenter::Base
+  def initialize(data)
+    @data = data
+  end
+end

data/lib/inventory/presenters/tab.rb

@@ -0,0 +1,7 @@
+class Inventory::Presenter::Tab < Inventory::Presenter::Base
+  def display
+    @data.each do |row|
+      puts row.join("\t")
+    end
+  end
+end

data/lib/inventory/presenters/table.rb

@@ -0,0 +1,10 @@
+require 'text-table'
+
+class Inventory::Presenter::Table < Inventory::Presenter::Base
+  def display
+    table = Text::Table.new
+    table.head = @data.shift
+    table.rows = @data
+    puts table
+  end
+end

data/lib/inventory/rds.rb

@@ -0,0 +1,11 @@
+class Inventory::Rds < Inventory::Base
+  autoload :Shared, "inventory/rds/shared"
+  autoload :Summary, "inventory/rds/summary"
+  autoload :Port, "inventory/rds/port"
+
+  # Default is the open report because it seems like the most useful report
+  def report
+    Summary.new(@options).report if show(:summary)
+    Port.new(@options).report if show(:port)
+  end
+end

data/lib/inventory/rds/port.rb

@@ -0,0 +1,53 @@
+class Inventory::Rds
+  class Port < Inventory::Base
+    include Shared
+
+    def header
+      ["RDS Db Name", "Security Group", "Range/Source", "Port"]
+    end
+
+    def data
+      data = []
+      db_instances.each do |db|
+        db_security_groups = vpc_security_groups(db)
+        db_security_groups.each do |sg|
+
+          sg.ip_permissions.each do |permission|
+            data << [
+              db.db_name,
+              "#{sg.group_id} (#{sg.group_name})",
+              ip_range_and_source(permission),
+              port(permission)
+            ]
+          end
+
+        end
+      end
+      data
+    end
+
+    def port(permission)
+      ports = [permission.from_port, permission.to_port].uniq
+      if ports.size > 1
+        raise "TODO: account for port ranges"
+      else
+        ports.first
+      end
+    end
+
+    def ip_range_and_source(permission)
+      cidr_ips = permission.ip_ranges.map {|range| range.cidr_ip }
+      user_id_group_pairs = permission.user_id_group_pairs.map do |pair|
+        # pair.group_name is always returning nil :( Might be AWS bug
+        # so fetching it from security groups themselves
+        sg = security_groups.find {|sg| sg.group_id == pair.group_id }
+        sg_name = " (#{sg.group_name})" if sg
+
+        "#{pair.group_id}#{sg_name}" # pretty format
+      end
+      result = cidr_ips + user_id_group_pairs
+      result.join(', ')
+    end
+
+  end
+end

data/lib/inventory/rds/shared.rb

@@ -0,0 +1,43 @@
+module Inventory::Rds::Shared
+  # pretty name of vpc
+  def vpc_name(db)
+    group_ids = db.vpc_security_groups.map(&:vpc_security_group_id)
+    resp = ec2.describe_security_groups(group_ids: group_ids)
+    groups = resp.security_groups
+    vpc_ids = groups.map(&:vpc_id)
+    vpc_ids.map do |vpc_id|
+      pretty_vpc_name = lookup_vpc_name(vpc_id)
+      "#{vpc_id} (#{pretty_vpc_name})"
+    end
+  end
+
+  def lookup_vpc_name(vpc_id)
+    inventory_vpc = Inventory::Vpc.new(@options)
+    inventory_vpc.vpc_name(vpc_id)
+  end
+
+  def vpcs
+    @vpcs ||= ec2.describe_vpcs.vpcs
+  end
+
+  def pretty_vpc_security_group(db)
+    groups = vpc_security_groups(db)
+    groups.map { |g| "#{g.group_id} (#{g.group_name})" }
+  end
+
+  # pretty name of the vpc security groups
+  def vpc_security_groups(db)
+    group_ids = db.vpc_security_groups.map(&:vpc_security_group_id)
+    group_ids.map do |db_security_group_id|
+      security_groups.find {|sg| sg.group_id == db_security_group_id }
+    end
+  end
+
+  def db_instances
+    @db_instances ||= rds.describe_db_instances.db_instances
+  end
+
+  def security_group_names(instance)
+    instance.security_groups.map {|sg| sg.group_name}.join(', ')
+  end
+end

data/lib/inventory/rds/summary.rb

@@ -0,0 +1,23 @@
+class Inventory::Rds
+  class Summary < Inventory::Base
+    include Shared
+
+    def header
+      ["Name", "Engine", "Instance Class", "Publicly Accessible", "VPC", "Security Groups"]
+      #
+    end
+
+    def data
+      db_instances.map do |db|
+        [
+          db.db_name,
+          db.engine,
+          db.db_instance_class,
+          db.publicly_accessible ? "yes" : "no",
+          vpc_name(db),
+          pretty_vpc_security_group(db),
+        ]
+      end
+    end
+  end
+end

data/lib/inventory/route53.rb

@@ -0,0 +1,29 @@
+class Inventory::Route53 < Inventory::Base
+  def header
+    ["Domain", "Record Set Count"]
+  end
+
+  def data
+    zones.map do |zone|
+      record_sets = resource_record_sets(zone)
+      [zone.name, record_sets.count]
+    end
+  end
+
+  def records
+    zones.inject([]) do |array, zone|
+      array << resource_record_sets(zone)
+    end
+  end
+
+  @@resource_record_sets = {}
+  def resource_record_sets(zone)
+    @@resource_record_sets[zone.id] ||= route53
+      .list_resource_record_sets(hosted_zone_id: zone.id)
+      .resource_record_sets
+  end
+
+  def zones
+    @zones ||= route53.list_hosted_zones.hosted_zones
+  end
+end

data/lib/inventory/security_group.rb

@@ -0,0 +1,11 @@
+class Inventory::SecurityGroup < Inventory::Base
+  autoload :Shared, "inventory/security_group/shared"
+  autoload :Summary, "inventory/security_group/summary"
+  autoload :Open, "inventory/security_group/open"
+
+  # Default is the open report because it seems like the most useful report
+  def report
+    Summary.new(@options).report if show(:summary)
+    Open.new(@options).report if show(:open)
+  end
+end

data/lib/inventory/security_group/open.rb

@@ -0,0 +1,76 @@
+require 'facets/array/arrange'
+
+class Inventory::SecurityGroup
+  class Open < Inventory::Base
+    include Shared
+
+    def header
+      ["Security Group", "Open to World"]
+    end
+
+    def data
+      opened_security_groups_in_use = opened_security_groups.select do |sg|
+        group_ids_in_use = used_security_groups.map(&:group_id)
+        group_ids_in_use.include?(sg.group_id)
+      end
+
+      # Only display used security groups that have opened ports for review.
+      # will delete the unused security groups anyway.
+      opened_security_groups_in_use.map do |sg|
+        ports = ports_open_to_world(sg)
+        [
+          sg.group_name,
+          ports
+        ]
+      end
+    end
+
+    def opened_security_groups
+      security_groups.select do |sg|
+        ports = ports_open_to_world(sg)
+        !ports.empty?
+      end
+    end
+
+    # Returns an Array of ports with a cidr of 0.0.0.0/0
+    def ports_open_to_world(sg)
+      ip_permissions = sg.ip_permissions.select do |permission|
+          permission.ip_ranges.detect do |ip_range|
+            ip_range.include?('0.0.0.0/0')
+          end
+        end
+
+      ports = ip_permissions.map do |p|
+        if p.from_port == p.to_port
+          p.from_port
+        else
+          (p.from_port..p.to_port)
+        end
+      end
+
+      ports = combine_ports(ports)
+      # convert to string for printing
+      ports.map(&:to_s).join(', ')
+    end
+
+    # Examples
+    #
+    # Input:
+    #    ports: [80, 443]
+    # Output:
+    #    ports: [80, 443
+    #
+    # Input:
+    #    ports: [8001, 8000..8002]
+    # Output:
+    #    ports: [8000..8002]
+    def combine_ports(port_objects)
+      ports = port_objects.inject([]) do |array, port|
+        ports = port.is_a?(Range) ? port.to_a : [port]
+        array += ports
+        array
+      end.uniq
+      ports.arrange
+    end
+  end
+end

data/lib/inventory/security_group/shared.rb

@@ -0,0 +1,14 @@
+module Inventory::SecurityGroup::Shared
+  def used_security_groups
+    groups = instances.inject([]) do |results, i|
+      results += i.security_groups
+      results
+    end
+    groups.uniq(&:group_id)
+  end
+
+  def unused_security_groups
+    used_group_ids = used_security_groups.map(&:group_id)
+    security_groups.reject {|sg| used_group_ids.include?(sg.group_id) }
+  end
+end

data/lib/inventory/security_group/summary.rb

@@ -0,0 +1,17 @@
+class Inventory::SecurityGroup
+  class Summary < Inventory::Base
+    include Shared
+
+    def header
+      ["Security Group", "Count"]
+    end
+
+    def data
+      [
+        ["Total", security_groups.size],
+        ["Used", used_security_groups.size],
+        ["Unused", unused_security_groups.size],
+      ]
+    end
+  end
+end

data/lib/inventory/shared.rb

@@ -0,0 +1,16 @@
+module Inventory::Shared
+  def instances
+    return @instances if @instances
+
+    @instances = []
+    resp = ec2.describe_instances
+    resp.reservations.each do |res|
+      @instances += res.instances
+    end
+    @instances
+  end
+
+  def security_groups
+    @security_groups ||= ec2.describe_security_groups.security_groups
+  end
+end

data/lib/inventory/version.rb

@@ -0,0 +1,3 @@
+module Inventory
+  VERSION = "0.2.0"
+end

data/lib/inventory/vpc.rb

@@ -0,0 +1,55 @@
+class Inventory::Vpc < Inventory::Base
+  def header
+    ["Name", "Vpc ID", "CIDR", "Subnets", "Instances"]
+  end
+
+  def data
+    vpcs.map do |vpc|
+      subnets = subnets_for(vpc)
+      instances = instances_in(subnets)
+
+      [
+        vpc_name(vpc.vpc_id),
+        vpc.vpc_id,
+        vpc.cidr_block,
+        subnets.count,
+        instances.count
+      ]
+    end
+  end
+
+  # Pretty vpc name
+  # Use vpc_id as argument so other classes can use this method also
+  def vpc_name(vpc_id)
+    vpc = vpcs.find { |vpc| vpc.vpc_id == vpc_id }
+    tag = vpc.tags.find {|t| t.key == "Name"}
+    name = tag ? tag.value : "(unnamed)"
+  end
+
+  def vpcs
+    @vpcs ||= ec2.describe_vpcs.vpcs
+  end
+
+  def subnets_for(vpc)
+    ec2.describe_subnets(
+      filters: [
+        {
+          name: "vpc-id",
+          values: [
+            vpc.vpc_id,
+          ],
+        },
+    ]).subnets
+  end
+
+  def instances_in(subnets)
+    subnet_ids = subnets.map(&:subnet_id)
+    instances.select do |i|
+      subnet_ids.include?(i.subnet_id)
+    end
+  end
+
+  def subnets
+    @subnets ||= ec2.describe_subnets.subnets
+  end
+end