cfn-guardian 0.1.0 → 0.3.3

data/cfn-guardian.gemspec

@@ -31,8 +31,12 @@ Gem::Specification.new do |spec|
   spec.add_dependency "thor", "~> 0.20"
   spec.add_dependency 'cfndsl', '~> 1.0', '<2'
   spec.add_dependency "terminal-table", '~> 1', '<2'
-  spec.add_dependency 'aws-sdk-s3', '~> 1', '<2'
-  spec.add_dependency 'aws-sdk-cloudformation', '~> 1', '<2'
+  spec.add_dependency 'term-ansicolor', '~> 1', '<2'
+  spec.add_dependency 'aws-sdk-s3', '~> 1.60', '<2'
+  spec.add_dependency 'aws-sdk-cloudformation', '~> 1.31', '<2'
+  spec.add_dependency 'aws-sdk-cloudwatch', '~> 1.28', '<2'
+  spec.add_dependency 'aws-sdk-codecommit', '~> 1.28', '<2'
+  spec.add_dependency 'aws-sdk-codepipeline', '~> 1.28', '<2'
   
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 10.0"

data/lib/cfnguardian.rb

@@ -1,10 +1,16 @@
 require 'thor'
 require 'terminal-table'
+require 'term/ansicolor'
 require "cfnguardian/log"
 require "cfnguardian/version"
 require "cfnguardian/compile"
 require "cfnguardian/validate"
 require "cfnguardian/deploy"
+require "cfnguardian/cloudwatch"
+require "cfnguardian/display_formatter"
+require "cfnguardian/drift"
+require "cfnguardian/codecommit"
+require "cfnguardian/codepipeline"
 
 module CfnGuardian
   class Cli < Thor
@@ -16,6 +22,8 @@ module CfnGuardian
       puts CfnGuardian::VERSION
     end
     
+    class_option :debug, type: :boolean, default: false, desc: "enable debug logging"
+    
     desc "compile", "Generate monitoring CloudFormation templates"
     long_desc <<-LONG
     Generates CloudFormation templates from the alarm configuration and output to the out/ directory.
@@ -23,15 +31,18 @@ module CfnGuardian
     method_option :config, aliases: :c, type: :string, desc: "yaml config file", required: true
     method_option :validate, type: :boolean, default: true, desc: "validate cfn templates"
     method_option :bucket, type: :string, desc: "provide custom bucket name, will create a default bucket if not provided"
+    method_option :path, type: :string, default: "guardian", desc: "S3 path location for nested stacks"
     method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
 
     def compile
+      set_log_level(options[:debug])
+      
       set_region(options[:region],options[:validate])
-      s3 = CfnGuardian::S3.new(options[:bucket])
+      s3 = CfnGuardian::S3.new(options[:bucket],options[:path])
       
-      compiler = CfnGuardian::Compile.new(options,s3.bucket)
+      compiler = CfnGuardian::Compile.new(options[:config])
       compiler.get_resources
-      compiler.compile_templates
+      compiler.compile_templates(s3.bucket,s3.path)
       logger.info "Clouformation templates compiled successfully in out/ directory"
       if options[:validate]
         s3.create_bucket_if_not_exists()
@@ -53,20 +64,23 @@ module CfnGuardian
     LONG
     method_option :config, aliases: :c, type: :string, desc: "yaml config file", required: true
     method_option :bucket, type: :string, desc: "provide custom bucket name, will create a default bucket if not provided"
+    method_option :path, type: :string, default: "guardian", desc: "S3 path location for nested stacks"
     method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
-    method_option :stack_name, aliases: :r, type: :string, desc: "set the Cloudformation stack name. Defaults to `guardian`"
+    method_option :stack_name, aliases: :s, type: :string, desc: "set the Cloudformation stack name. Defaults to `guardian`"
     method_option :sns_critical, type: :string, desc: "sns topic arn for the critical alamrs"
     method_option :sns_warning, type: :string, desc: "sns topic arn for the warning alamrs"
     method_option :sns_task, type: :string, desc: "sns topic arn for the task alamrs"
     method_option :sns_informational, type: :string, desc: "sns topic arn for the informational alamrs"
 
     def deploy
+      set_log_level(options[:debug])
+      
       set_region(options[:region],true)
-      s3 = CfnGuardian::S3.new(options[:bucket])
+      s3 = CfnGuardian::S3.new(options[:bucket],options[:path])
       
-      compiler = CfnGuardian::Compile.new(options,s3.bucket)
+      compiler = CfnGuardian::Compile.new(options[:config])
       compiler.get_resources
-      compiler.compile_templates
+      compiler.compile_templates(s3.bucket,s3.path)
       logger.info "Clouformation templates compiled successfully in out/ directory"
 
       s3.create_bucket_if_not_exists
@@ -85,46 +99,291 @@ module CfnGuardian
       deployer.execute_change_set(change_set.id)
       deployer.wait_for_execute(change_set_type)
     end
+        
+    desc "show-drift", "Cloudformation drift detection"
+    long_desc <<-LONG
+    Displays any cloudformation drift detection in the cloudwatch alarms from the deployed stacks
+    LONG
+    method_option :stack_name, aliases: :s, type: :string, default: 'guardian', desc: "set the Cloudformation stack name"
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+    
+    def show_drift
+      set_region(options[:region],true)
+      
+      rows = []
+      drift = CfnGuardian::Drift.new(options[:stack_name])
+      nested_stacks = drift.find_nested_stacks
+      nested_stacks.each do |stack|
+        drift.detect_drift(stack)
+        rows << drift.get_drift(stack)
+      end
+      
+      if rows.any?
+        puts Terminal::Table.new( 
+                :title => "Guardian Alarm Drift".green, 
+                :headings => ['Alarm Name', 'Property', 'Expected', 'Actual', 'Type'], 
+                :rows => rows.flatten(1))
+        exit(1)
+      end
+    end
     
     desc "show-alarms", "Shows alarm settings"
     long_desc <<-LONG
     Displays the configured settings for each alarm. Can be filtered by resource group and alarm name.
     Defaults to show all configured alarms.
     LONG
-    method_option :config, aliases: :c, type: :string, desc: "yaml config file", required: true
+    method_option :config, aliases: :c, type: :string, desc: "yaml config file"
+    method_option :defaults, type: :boolean, desc: "display default alarms and properties"
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
     method_option :group, aliases: :g, type: :string, desc: "resource group"
-    method_option :name, aliases: :n, type: :string, desc: "alarm name"
-    method_option :resource, aliases: :r, type: :string, desc: "resource id"
+    method_option :alarm, aliases: :a, type: :string, desc: "alarm name"
+    method_option :id, type: :string, desc: "resource id"
+    method_option :compare, type: :boolean, default: false, desc: "compare config to deployed alarms"
+    
     def show_alarms
-      compiler = CfnGuardian::Compile.new(options,'no-bucket')
+      set_log_level(options[:debug])
+      
+      set_region(options[:region],options[:compare])
+      
+      if options[:config]
+        config_file = options[:config]
+      elsif options[:defaults]
+        config_file = default_config()
+      else
+        logger.error('one of `--config YAML` or `--defaults` must be supplied')
+        exit -1
+      end
+      
+      compiler = CfnGuardian::Compile.new(config_file)
       compiler.get_resources
+      alarms = filter_alarms(compiler.alarms,options)
+
+      if alarms.empty?
+        logger.error "No matches found" 
+        exit 1
+      end
+      
+      headings = ['Property', 'Config']
+      formatter = CfnGuardian::DisplayFormatter.new(alarms)
       
-      alarms = compiler.resources.select{|h| h[:type] == 'Alarm'}
-      groups = alarms.group_by{|h| h[:class]}
+      if options[:compare] && !options[:defaults]
+        metric_alarms = CfnGuardian::CloudWatch.get_alarms(alarms)
+        formatted_alarms = formatter.compare_alarms(metric_alarms)
+        headings.push('Deployed')
+      else
+        formatted_alarms = formatter.alarms()
+      end
       
-      if options[:group]
-        groups = groups.fetch(options[:group],{}).group_by{|h| h[:class]}
-        if options[:resource]
-            groups = groups[options[:group]].select{|h| h[:resource] == options[:resource]}.group_by{|h| h[:class]}
+      if formatted_alarms.any?
+        formatted_alarms.each do |fa|
+          puts Terminal::Table.new( 
+                  :title => fa[:title], 
+                  :headings => headings, 
+                  :rows => fa[:rows])
         end
-        if options[:name]
-          groups = groups[options[:group]].select{|h| h[:name] == options[:name]}.group_by{|h| h[:class]}
+      else
+        if options[:compare] && !options[:defaults]
+          logger.info "No difference found between you config and alarms in deployed AWS"
+        else
+          logger.warn "No alarms found"
         end
       end
+    end
+    
+    desc "show-state", "Shows alarm state in cloudwatch"
+    long_desc <<-LONG
+    Displays the current cloudwatch alarm state
+    LONG
+    method_option :config, aliases: :c, type: :string, desc: "yaml config file"
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+    method_option :group, aliases: :g, type: :string, desc: "resource group"
+    method_option :alarm, aliases: :a, type: :string, desc: "alarm name"
+    method_option :id, type: :string, desc: "resource id"
+    method_option :state, aliases: :s, type: :string, enum: %w(OK ALARM INSUFFICIENT_DATA), desc: "filter by alarm state"
+    method_option :alarm_names, type: :array, desc: "CloudWatch alarm name if not providing config"
+    method_option :alarm_prefix, type: :string, desc: "CloudWatch alarm name prefix if not providing config"
+    
+    def show_state
+      set_log_level(options[:debug])
+      set_region(options[:region],true)
+      
+      formatter = CfnGuardian::DisplayFormatter.new()
+      
+      if !options[:config].nil?
+        compiler = CfnGuardian::Compile.new(options[:config])
+        compiler.get_resources
+        alarms = filter_alarms(compiler.alarms,options)
+        metric_alarms = CfnGuardian::CloudWatch.get_alarm_state(config_alarms: alarms, state: options[:state])
+      elsif !options[:alarm_names].nil?
+        metric_alarms = CfnGuardian::CloudWatch.get_alarm_state(alarm_names: options[:alarm_names], state: options[:state])
+      elsif !options[:alarm_prefix].nil?
+        metric_alarms = CfnGuardian::CloudWatch.get_alarm_state(alarm_prefix: options[:alarm_prefix], state: options[:state])
+      else
+        logger.error "one of `--config` `--alarm-prefix` `--alarm-names` must be supplied"
+        exit 1
+      end
+      
+      rows = formatter.alarm_state(metric_alarms)
       
-      groups.each do |grp,alarms|
-        puts "\n\s\s#{grp}\n"
-        alarms.each do |alarm|
-          rows = alarm.reject {|k,v| [:type,:class,:name].include?(k)}
-                      .sort_by {|k,v| k}
+      if rows.any?
+        puts Terminal::Table.new( 
+              :title => "Alarm State", 
+              :headings => ['Alarm Name', 'State', 'Changed', 'Notifications'], 
+              :rows => rows)
+      else
+        logger.warn "No alarms found"
+      end
+    end
+    
+    desc "show-history", "Shows alarm history for the last 7 days"
+    long_desc <<-LONG
+    Displays the alarm state or config history for the last 7 days
+    LONG
+    method_option :config, aliases: :c, type: :string, desc: "yaml config file"
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+    method_option :group, aliases: :g, type: :string, desc: "resource group"
+    method_option :alarm, aliases: :a, type: :string, desc: "alarm name"
+    method_option :alarm_names, type: :array, desc: "CloudWatch alarm name if not providing config"
+    method_option :id, type: :string, desc: "resource id"
+    method_option :type, aliases: :t, type: :string, 
+        enum: %w(state config), default: 'state', desc: "filter by alarm state"
+    
+    def show_history
+      set_log_level(options[:debug])
+      set_region(options[:region],true)
+      
+      if !options[:config].nil?
+        compiler = CfnGuardian::Compile.new(options[:config])
+        compiler.get_resources
+        config_alarms = filter_alarms(compiler.alarms,options)
+        alarms = config_alarms.map {|alarm| CfnGuardian::CloudWatch.get_alarm_name(alarm)}
+      elsif !options[:alarm_names].nil?
+        alarms = options[:alarm_names]
+      else
+        logger.error "one of `--config` `--alarm-names` must be supplied"
+        exit 1
+      end
+        
+      
+      case options[:type]
+      when 'state'
+        type = 'StateUpdate'
+        headings = ['Date', 'Summary', 'Reason']
+      when 'config'
+        type = 'ConfigurationUpdate'
+        headings = ['Date', 'Summary', 'Type']
+      end
+      
+      formatter = CfnGuardian::DisplayFormatter.new()
+      
+      alarms.each do |alarm|
+        history = CfnGuardian::CloudWatch.get_alarm_history(alarm,type)
+        rows = formatter.alarm_history(history,type)
+        if rows.any?     
           puts Terminal::Table.new( 
-                  :title => alarm[:name], 
-                  :headings => ['property', 'Value'], 
-                  :rows => rows.map! {|k,v| [k,v.to_s]})
+                  :title => alarm.green, 
+                  :headings => headings, 
+                  :rows => rows)
+          puts "\n"
         end
       end
     end
     
+    desc "show-config-history", "Shows the last 10 commits made to the codecommit repo"
+    long_desc <<-LONG
+    Shows the last 10 commits made to the codecommit repo
+    LONG
+    method_option :config, aliases: :c, type: :string, desc: "yaml config file"
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+    method_option :repository, type: :string, default: 'guardian', desc: "codecommit repository name"
+    
+    def show_config_history
+      set_region(options[:region],true)
+    
+      history = CfnGuardian::CodeCommit.new(options[:repository]).get_commit_history()
+      puts Terminal::Table.new(
+        :headings => history.first.keys.map{|h| h.to_s.to_heading}, 
+        :rows => history.map(&:values))
+    end
+    
+    desc "show-pipeline", "Shows the current state of the AWS code pipeline"
+    long_desc <<-LONG
+    Shows the current state of the AWS code pipeline
+    LONG
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+    method_option :pipeline, aliases: :p, type: :string, default: 'guardian', desc: "codepipeline name"
+    
+    def show_pipeline
+      set_region(options[:region],true)
+      pipeline = CfnGuardian::CodePipeline.new(options[:pipeline])
+      source = pipeline.get_source()
+      build = pipeline.get_build()
+      create = pipeline.get_create_changeset()
+      deploy = pipeline.get_deploy_changeset()
+
+      puts Terminal::Table.new(
+        :title => "Stage: #{source[:stage]}",
+        :rows => source[:rows])
+        
+      puts "\t|"
+      puts "\t|"
+      
+      puts Terminal::Table.new(
+        :title => "Stage: #{build[:stage]}",
+        :rows => build[:rows])
+        
+      puts "\t|"
+      puts "\t|"
+      
+      puts Terminal::Table.new(
+        :title => "Stage: #{create[:stage]}",
+        :rows => create[:rows])
+        
+      puts "\t|"
+      puts "\t|"
+      
+      puts Terminal::Table.new(
+        :title => "Stage: #{deploy[:stage]}",
+        :rows => deploy[:rows])
+    end
+    
+    desc "disable-alarms", "Disable cloudwatch alarm notifications"
+    long_desc <<-LONG
+    Disable cloudwatch alarm notifications for a maintenance group or for specific alarms.
+    LONG
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+    method_option :group, aliases: :g, type: :string, desc: "name of the maintenance group defined in the config"
+    method_option :alarm_prefix, type: :string, desc: "cloud watch alarm name prefix"
+    method_option :alarms, type: :array, desc: "List of cloudwatch alarm names"
+    
+    def disable_alarms
+      set_region(options[:region],true)
+      
+      alarm_names = CfnGuardian::CloudWatch.get_alarm_names(options[:group],options[:alarm_prefix])
+      CfnGuardian::CloudWatch.disable_alarms(alarm_names)
+      
+      logger.info "Disabled #{alarm_names.length} alarms"
+    end
+    
+    desc "enable-alarms", "Enable cloudwatch alarm notifications"
+    long_desc <<-LONG
+    Enable cloudwatch alarm notifications for a maintenance group or for specific alarms.
+    Once alarms are enable the state is set back to OK to re send notifications of any failed alarms.
+    LONG
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+    method_option :group, aliases: :g, type: :string, desc: "name of the maintenance group defined in the config"
+    method_option :alarm_prefix, type: :string, desc: "cloud watch alarm name prefix"
+    method_option :alarms, type: :array, desc: "List of cloudwatch alarm names"
+    
+    def enable_alarms
+      set_region(options[:region],true)
+      
+      alarm_names = CfnGuardian::CloudWatch.get_alarm_names(options[:group],options[:alarm_prefix])
+      CfnGuardian::CloudWatch.enable_alarms(alarm_names)
+      
+      logger.info "#{alarm_names.length} alarms enabled"
+    end
+    
     private
     
     def set_region(region,required)
@@ -142,5 +401,20 @@ module CfnGuardian
       end
     end
     
+    def set_log_level(debug)
+      logger.level = debug ? Logger::DEBUG : Logger::INFO
+    end
+    
+    def filter_alarms(alarms,options)
+      alarms.select! {|alarm| alarm.group.downcase == options[:group].downcase} if options[:group]
+      alarms.select! {|alarm| alarm.resource_id.downcase == options[:id].downcase} if options[:id]
+      alarms.select! {|alarm| alarm.name.downcase.include? options[:alarm].downcase} if options[:alarm]
+      return alarms
+    end
+    
+    def default_config()
+      return "#{File.expand_path(File.dirname(__FILE__))}/cfnguardian/config/defaults.yaml"
+    end
+    
   end
 end

data/lib/cfnguardian/cloudwatch.rb

@@ -0,0 +1,121 @@
+require 'aws-sdk-cloudwatch'
+require 'time'
+
+module CfnGuardian
+  class CloudWatch
+    include Logging
+    
+    def self.get_alarm_name(alarm)
+      alarm_id = alarm.resource_name.nil? ? alarm.resource_id : alarm.resource_name
+      return "guardian-#{alarm.group}-#{alarm_id}-#{alarm.name}"
+    end
+    
+    def self.get_alarms(alarms)
+      alarm_names = alarms.map {|alarm| self.get_alarm_name(alarm)}
+      
+      client = Aws::CloudWatch::Client.new()
+      metric_alarms = []
+      alarm_names.each_slice(100) do |batch|
+        resp = client.describe_alarms({alarm_names: batch, max_records: 100})
+        metric_alarms.push(*resp.metric_alarms)
+      end
+      
+      return metric_alarms
+    end
+    
+    def self.get_alarm_state(config_alarms: [], alarm_names: [], alarm_prefix: nil, state: nil)
+      rows = []
+      
+      if config_alarms.any?
+        alarm_names = config_alarms.map {|alarm| self.get_alarm_name(alarm)}
+      end
+      
+      client = Aws::CloudWatch::Client.new()
+      
+      options = {max_records: 100}
+      options[:state_value] = state if !state.nil?
+      
+      cw_alarms = []
+      if !alarm_prefix.nil?
+        options[:alarm_name_prefix] = alarm_prefix
+        resp = client.describe_alarms(options)
+        cw_alarms = resp.metric_alarms
+      else
+        alarm_names.each_slice(100) do |batch|
+          options[:alarm_names] = batch
+          resp = client.describe_alarms(options)
+          cw_alarms.push(*resp.metric_alarms)
+        end
+      end
+      
+      return cw_alarms
+    end
+    
+    def self.get_alarm_history(alarm_name,type)
+      rows = []
+      client = Aws::CloudWatch::Client.new()
+      
+      logger.debug "Searching #{type} history for #{alarm_name}"
+            
+      resp = client.describe_alarm_history({
+        alarm_name: alarm_name,
+        history_item_type: type,
+        start_date: (Time.now.utc.to_date - 7),
+        end_date: (Time.now.utc.to_date + 1),
+        max_records: 100
+      })
+      
+      return resp.alarm_history_items
+    end
+    
+    def self.get_alarm_names(action_prefix=nil,alarm_name_prefix='guardian')
+      alarms = []
+      client = Aws::CloudWatch::Client.new
+      
+      options = {
+        alarm_types: ["CompositeAlarm","MetricAlarm"],
+        alarm_name_prefix: alarm_name_prefix
+      }
+      
+      unless action_prefix.nil?
+        options[:action_prefix] = "arn:aws:sns:#{Aws.config[:region]}:#{aws_account_id()}:#{action_prefix}"
+      end
+      
+      client.describe_alarms(options).each do |response|
+        alarms.concat response.composite_alarms.map(&:alarm_name)
+        alarms.concat response.metric_alarms.map(&:alarm_name)
+      end
+      
+      return alarms
+    end
+    
+    def self.disable_alarms(alarms)
+      client = Aws::CloudWatch::Client.new
+      alarms.each_slice(100) do |batch|
+        client.disable_alarm_actions({alarm_names: batch})
+      end
+    end
+    
+    def self.enable_alarms(alarms)
+      client = Aws::CloudWatch::Client.new
+      alarms.each_slice(100) do |batch|
+        client.enable_alarm_actions({alarm_names: batch})
+      end
+      
+      alarms.each do |alarm|
+        client.set_alarm_state({
+          alarm_name: alarm,
+          state_value: "OK",
+          state_reason: "End of guardian maintenance peroid"
+        })
+      end
+    end
+    
+    def self.aws_account_id()
+      sts = Aws::STS::Client.new
+      account = sts.get_caller_identity().account
+      return account
+    end
+    
+  end
+end