cfn-guardian 0.1.0

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/cfn-guardian.gemspec

@@ -0,0 +1,39 @@
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "cfnguardian/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "cfn-guardian"
+  spec.version       = CfnGuardian::VERSION
+  spec.authors       = ["Guslington"]
+  spec.email         = ["itsupport@base2services.com"]
+
+  spec.summary       = %q{Manages AWS cloudwatch alarms with default templates using cloudformation}
+  spec.description   = %q{Manages AWS cloudwatch alarms with default templates using cloudformation}
+  spec.homepage      = "https://github.com/base2Services/cfn-guardian"
+  spec.license       = "MIT"
+
+  spec.metadata["allowed_push_host"] = "https://rubygems.org"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/base2Services/cfn-guardian"
+  spec.metadata["changelog_uri"] = "https://github.com/base2Services/cfn-guardian"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "thor", "~> 0.20"
+  spec.add_dependency 'cfndsl', '~> 1.0', '<2'
+  spec.add_dependency "terminal-table", '~> 1', '<2'
+  spec.add_dependency 'aws-sdk-s3', '~> 1', '<2'
+  spec.add_dependency 'aws-sdk-cloudformation', '~> 1', '<2'
+  
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/exe/cfn-guardian

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require "cfnguardian"
+
+CfnGuardian::Cli.start( ARGV )

data/lib/cfnguardian.rb

@@ -0,0 +1,146 @@
+require 'thor'
+require 'terminal-table'
+require "cfnguardian/log"
+require "cfnguardian/version"
+require "cfnguardian/compile"
+require "cfnguardian/validate"
+require "cfnguardian/deploy"
+
+module CfnGuardian
+  class Cli < Thor
+    include Logging
+    
+    map %w[--version -v] => :__print_version
+    desc "--version, -v", "print the version"
+    def __print_version
+      puts CfnGuardian::VERSION
+    end
+    
+    desc "compile", "Generate monitoring CloudFormation templates"
+    long_desc <<-LONG
+    Generates CloudFormation templates from the alarm configuration and output to the out/ directory.
+    LONG
+    method_option :config, aliases: :c, type: :string, desc: "yaml config file", required: true
+    method_option :validate, type: :boolean, default: true, desc: "validate cfn templates"
+    method_option :bucket, type: :string, desc: "provide custom bucket name, will create a default bucket if not provided"
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+
+    def compile
+      set_region(options[:region],options[:validate])
+      s3 = CfnGuardian::S3.new(options[:bucket])
+      
+      compiler = CfnGuardian::Compile.new(options,s3.bucket)
+      compiler.get_resources
+      compiler.compile_templates
+      logger.info "Clouformation templates compiled successfully in out/ directory"
+      if options[:validate]
+        s3.create_bucket_if_not_exists()
+        validator = CfnGuardian::Validate.new(s3.bucket)
+        if validator.validate
+          logger.error("One or more templates failed to validate")
+          exit(1)
+        else
+          logger.info "Clouformation templates were validated successfully"
+        end
+      end
+      logger.warn "AWS cloudwatch alarms defined in the templates will cost roughly $#{'%.2f' % compiler.cost} per month"
+    end
+
+    desc "deploy", "Generates and deploys monitoring CloudFormation templates"
+    long_desc <<-LONG
+    Generates CloudFormation templates from the alarm configuration and output to the out/ directory.
+    Then copies the files to the s3 bucket and deploys the cloudformation.
+    LONG
+    method_option :config, aliases: :c, type: :string, desc: "yaml config file", required: true
+    method_option :bucket, type: :string, desc: "provide custom bucket name, will create a default bucket if not provided"
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+    method_option :stack_name, aliases: :r, type: :string, desc: "set the Cloudformation stack name. Defaults to `guardian`"
+    method_option :sns_critical, type: :string, desc: "sns topic arn for the critical alamrs"
+    method_option :sns_warning, type: :string, desc: "sns topic arn for the warning alamrs"
+    method_option :sns_task, type: :string, desc: "sns topic arn for the task alamrs"
+    method_option :sns_informational, type: :string, desc: "sns topic arn for the informational alamrs"
+
+    def deploy
+      set_region(options[:region],true)
+      s3 = CfnGuardian::S3.new(options[:bucket])
+      
+      compiler = CfnGuardian::Compile.new(options,s3.bucket)
+      compiler.get_resources
+      compiler.compile_templates
+      logger.info "Clouformation templates compiled successfully in out/ directory"
+
+      s3.create_bucket_if_not_exists
+      validator = CfnGuardian::Validate.new(s3.bucket)
+      if validator.validate
+        logger.error("One or more templates failed to validate")
+        exit(1)
+      else
+        logger.info "Clouformation templates were validated successfully"
+      end
+      
+      deployer = CfnGuardian::Deploy.new(options,s3.bucket)
+      deployer.upload_templates
+      change_set, change_set_type = deployer.create_change_set()
+      deployer.wait_for_changeset(change_set.id)
+      deployer.execute_change_set(change_set.id)
+      deployer.wait_for_execute(change_set_type)
+    end
+    
+    desc "show-alarms", "Shows alarm settings"
+    long_desc <<-LONG
+    Displays the configured settings for each alarm. Can be filtered by resource group and alarm name.
+    Defaults to show all configured alarms.
+    LONG
+    method_option :config, aliases: :c, type: :string, desc: "yaml config file", required: true
+    method_option :group, aliases: :g, type: :string, desc: "resource group"
+    method_option :name, aliases: :n, type: :string, desc: "alarm name"
+    method_option :resource, aliases: :r, type: :string, desc: "resource id"
+    def show_alarms
+      compiler = CfnGuardian::Compile.new(options,'no-bucket')
+      compiler.get_resources
+      
+      alarms = compiler.resources.select{|h| h[:type] == 'Alarm'}
+      groups = alarms.group_by{|h| h[:class]}
+      
+      if options[:group]
+        groups = groups.fetch(options[:group],{}).group_by{|h| h[:class]}
+        if options[:resource]
+            groups = groups[options[:group]].select{|h| h[:resource] == options[:resource]}.group_by{|h| h[:class]}
+        end
+        if options[:name]
+          groups = groups[options[:group]].select{|h| h[:name] == options[:name]}.group_by{|h| h[:class]}
+        end
+      end
+      
+      groups.each do |grp,alarms|
+        puts "\n\s\s#{grp}\n"
+        alarms.each do |alarm|
+          rows = alarm.reject {|k,v| [:type,:class,:name].include?(k)}
+                      .sort_by {|k,v| k}
+          puts Terminal::Table.new( 
+                  :title => alarm[:name], 
+                  :headings => ['property', 'Value'], 
+                  :rows => rows.map! {|k,v| [k,v.to_s]})
+        end
+      end
+    end
+    
+    private
+    
+    def set_region(region,required)
+      if !region.nil?
+        Aws.config.update({region: region})
+      elsif !ENV['AWS_REGION'].nil?
+        Aws.config.update({region: ENV['AWS_REGION']})
+      elsif !ENV['AWS_DEFAULT_REGION'].nil?
+        Aws.config.update({region: ENV['AWS_DEFAULT_REGION']})
+      else
+        if required
+          logger.error("No AWS region found. Please suppy the region using option `--region` or setting environment variables `AWS_REGION` `AWS_DEFAULT_REGION`")
+          exit(1)
+        end
+      end
+    end
+    
+  end
+end

data/lib/cfnguardian/compile.rb

@@ -0,0 +1,116 @@
+require 'yaml'
+require 'cfnguardian/string'
+require 'cfnguardian/stacks/resources'
+require 'cfnguardian/stacks/main'
+require 'cfnguardian/resources/base'
+require 'cfnguardian/resources/apigateway'
+require 'cfnguardian/resources/application_targetgroup'
+require 'cfnguardian/resources/amazonmq_broker'
+require 'cfnguardian/resources/autoscaling_group'
+require 'cfnguardian/resources/cloudfront_distribution'
+require 'cfnguardian/resources/autoscaling_group'
+require 'cfnguardian/resources/domain_expiry'
+require 'cfnguardian/resources/dynamodb_table'
+require 'cfnguardian/resources/ec2_instance'
+require 'cfnguardian/resources/ecs_cluster'
+require 'cfnguardian/resources/ecs_service'
+require 'cfnguardian/resources/elastic_file_system'
+require 'cfnguardian/resources/elasticache_replication_group'
+require 'cfnguardian/resources/elastic_loadbalancer'
+require 'cfnguardian/resources/http'
+require 'cfnguardian/resources/nrpe'
+require 'cfnguardian/resources/lambda'
+require 'cfnguardian/resources/network_targetgroup'
+require 'cfnguardian/resources/rds_cluster_instance'
+require 'cfnguardian/resources/rds_instance'
+require 'cfnguardian/resources/redshift_cluster'
+require 'cfnguardian/resources/sql'
+require 'cfnguardian/resources/sqs_queue'
+
+module CfnGuardian
+  class Compile
+    include Logging
+    
+    attr_reader :cost, :resources
+    
+    def initialize(opts,bucket)
+      @prefix = opts.fetch(:stack_name,'guardian')
+      @bucket = bucket
+      
+      config = YAML.load_file(opts.fetch(:config))
+      @resource_groups = config.fetch('Resources',{})
+      @templates = config.fetch('Templates',{})
+      
+      @resources = []
+      @stacks = []
+      @checks = []
+      
+      @cost = 0
+    end
+    
+    def get_resources
+      @resource_groups.each do |group,resources|
+        resources.each do |resource|
+          
+          begin
+            resource_class = Kernel.const_get("CfnGuardian::Resource::#{group}").new(resource)
+          rescue NameError => e
+            if @templates.has_key?(group) && @templates[group].has_key?('Inherit')
+              begin
+                resource_class = Kernel.const_get("CfnGuardian::Resource::#{@templates[group]['Inherit']}").new(resource)
+                logger.debug "Inheritited resource group #{@templates[group]['Inherit']} for group #{group}"
+              rescue NameError => e
+                logger.warn "'#{@templates[group]['Inherit']}' resource group doesn't exist and is unable to be inherited from"
+                next
+              end
+            else
+              logger.error(e)
+              next
+            end
+          end
+          
+          overides = @templates.has_key?(group) ? @templates[group] : {}
+          @resources.concat resource_class.get_alarms(overides)
+          @resources.concat resource_class.get_events()
+          @checks.concat resource_class.get_checks()
+
+          @cost += resource_class.get_cost
+        end
+      end
+    end
+    
+    def split_resources
+      split = @resources.each_slice(200).to_a
+      split.each_with_index do |resources,index|
+        @stacks.push({
+          'Name' => "GuardianStack#{index}",
+          'TemplateURL' => "https://#{@bucket}.s3.amazonaws.com/#{@prefix}/guardian-stack-#{index}.compiled.yaml",
+          'Reference' => index
+        })
+      end
+      return split
+    end
+    
+    def compile_templates
+      clean_out_directory()
+      resources = split_resources()
+      
+      main_stack = CfnGuardian::Stacks::Main.new()
+      template = main_stack.build_template(@stacks,@checks)
+      valid = template.validate
+      File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
+      
+      resources.each_with_index do |resources,index|
+        stack = CfnGuardian::Stacks::Resources.new()
+        template = stack.build_template(resources)
+        valid = template.validate
+        File.write("out/guardian-stack-#{index}.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
+      end
+    end
+    
+    def clean_out_directory
+      Dir["out/*.yaml"].each {|file| File.delete(file)}
+    end
+        
+  end
+end

data/lib/cfnguardian/deploy.rb

@@ -0,0 +1,144 @@
+require 'aws-sdk-cloudformation'
+require 'fileutils'
+require 'cfnguardian/version'
+require 'cfnguardian/log'
+
+module CfnGuardian
+  class Deploy
+    include Logging
+
+    def initialize(opts,bucket)
+      @stack_name = opts.fetch(:stack_name,'guardian')
+      @bucket = bucket
+      @prefix = @stack_name
+      @template_path = "out/guardian.compiled.yaml"
+      @template_url = "https://#{@bucket}.s3.amazonaws.com/#{@prefix}/guardian.compiled.yaml"
+      @parameters = {}
+      
+      config = YAML.load_file(opts[:config])
+      if config.has_key?('Topics')
+        @parameters['Critical'] = config['Topics'].fetch('Critical','')
+        @parameters['Warning'] = config['Topics'].fetch('Warning','')
+        @parameters['Task'] = config['Topics'].fetch('Task','')
+        @parameters['Informational'] = config['Topics'].fetch('Informational','')
+      end
+
+      @parameters['Critical'] = opts.fetch(:sns_critical,@parameters['Critical'])
+      @parameters['Warning'] = opts.fetch(:sns_warning,@parameters['Warning'])
+      @parameters['Task'] = opts.fetch(:sns_task,@parameters['Task'])
+      @parameters['Informational'] = opts.fetch(:sns_informational,@parameters['Informational'])
+      
+      @client = Aws::CloudFormation::Client.new()
+    end
+
+    def upload_templates
+      Dir["out/*.yaml"].each do |template|
+        prefix = "#{@prefix}/#{template.split('/').last}"
+        body = File.read(template)
+        client = Aws::S3::Client.new()
+        client.put_object({
+          body: body,
+          bucket: @bucket,
+          key: prefix
+        })
+      end
+    end
+
+    # TODO: check for REVIEW_IN_PROGRESS
+    def does_cf_stack_exist()
+      begin
+        resp = @client.describe_stacks({
+          stack_name: @stack_name,
+        })
+      rescue Aws::CloudFormation::Errors::ValidationError
+        return false
+      end
+      return resp.size > 0
+    end
+
+    def get_change_set_type()
+      return does_cf_stack_exist() ? 'UPDATE' : 'CREATE'
+    end
+
+    def create_change_set()
+      change_set_name = "#{@stack_name}-#{CfnGuardian::CHANGE_SET_VERSION}-#{Time.now.utc.strftime("%Y%m%d%H%M%S")}"
+      change_set_type = get_change_set_type()
+
+      if change_set_type == 'CREATE'
+        params = get_parameters_from_template()
+      else
+        params = get_parameters_from_stack()
+      end
+
+      params.each do |param|
+        if !@parameters[param[:parameter_key]].nil?
+          param[:parameter_value] = @parameters[param[:parameter_key]]
+          param[:use_previous_value] = false
+        end
+      end
+
+      logger.debug "Creating changeset"
+      change_set = @client.create_change_set({
+        stack_name: @stack_name,
+        template_url: @template_url,
+        capabilities: ["CAPABILITY_IAM"],
+        parameters: params,
+        tags: [
+          {
+            key: "guardian:version",
+            value: CfnGuardian::VERSION,
+          },
+          { 
+            key: 'Environment', 
+            value: 'guardian' 
+          }
+        ],
+        change_set_name: change_set_name,
+        change_set_type: change_set_type
+      })
+      return change_set, change_set_type
+    end
+
+    def wait_for_changeset(change_set_id)
+      logger.debug "Waiting for changeset to be created"
+      begin
+        @client.wait_until :change_set_create_complete, change_set_name: change_set_id
+      rescue Aws::Waiters::Errors::FailureStateError => e
+        change_set = get_change_set(change_set_id)
+        logger.error("change set status: #{change_set.status} reason: #{change_set.status_reason}")
+        exit 1
+      end
+    end
+
+    def get_change_set(change_set_id)
+      @client.describe_change_set({
+        change_set_name: change_set_id,
+      })
+    end
+
+    def execute_change_set(change_set_id)
+      logger.debug "Executing the changeset"
+      stack = @client.execute_change_set({
+        change_set_name: change_set_id
+      })
+    end
+
+    def wait_for_execute(change_set_type)
+      waiter = change_set_type == 'CREATE' ? :stack_create_complete : :stack_update_complete
+      logger.info "Waiting for changeset to #{change_set_type}"
+      resp = @client.wait_until waiter, stack_name: @stack_name
+    end
+
+    def get_parameters_from_stack()
+      resp = @client.get_template_summary({ stack_name: @stack_name })
+      return resp.parameters.collect { |p| { parameter_key: p.parameter_key, use_previous_value: true }  }
+    end
+
+    def get_parameters_from_template()
+      template_body = File.read(@template_path)
+      resp = @client.get_template_summary({ template_body: template_body })
+      return resp.parameters.collect { |p| { parameter_key: p.parameter_key, parameter_value: p.default_value }  }
+    end
+
+  end
+end