cfn-guardian 0.1.0 → 0.3.3

data/lib/cfnguardian/codecommit.rb

@@ -0,0 +1,54 @@
+require 'aws-sdk-codecommit'
+require 'time'
+require 'cfnguardian/log'
+
+module CfnGuardian
+  class CodeCommit
+    include Logging
+  
+    def initialize(repo_name)
+      @repo_name = repo_name
+      @client = Aws::CodeCommit::Client.new()
+    end
+    
+    def get_last_commit(branch='master')
+      resp = @client.get_branch({
+        repository_name: @repo_name,
+        branch_name: branch,
+      })
+      return resp.branch.commit_id
+    end
+    
+    def get_commit_history(branch='master',count=10)
+      history = []
+      commit = get_last_commit(branch)
+      
+      count.times do
+        
+        resp = @client.get_commit({
+          repository_name: @repo_name,
+          commit_id: commit
+        })
+        
+        time = Time.strptime(resp.commit.committer.date,'%s')
+        
+        history << {
+          message: resp.commit.message,
+          author: resp.commit.author.name,
+          date: time.localtime.strftime("%d/%m/%Y %I:%M %p"),
+          id: resp.commit.commit_id
+        }
+        
+        if resp.commit.parents.any?
+          commit = resp.commit.parents.first
+        else
+          break
+        end
+        
+      end
+      
+      return history
+    end
+    
+  end
+end

data/lib/cfnguardian/codepipeline.rb

@@ -0,0 +1,138 @@
+require 'aws-sdk-codepipeline'
+require 'time'
+require 'cfnguardian/log'
+
+module CfnGuardian
+  class CodePipeline
+    include Logging
+    
+    def initialize(pipeline_name)
+      @pipeline_name = pipeline_name
+      client = Aws::CodePipeline::Client.new()
+      @pipeline = client.get_pipeline_state({
+        name: @pipeline_name
+      })
+    end
+    
+    def retry()
+      resp = client.start_pipeline_execution({
+        name: @pipeline_name,
+        client_request_token: "ClientRequestToken",
+      })
+    end
+    
+    def get_stage(stage_name)
+      return @pipeline.stage_states.find {|stage| stage.stage_name == stage_name}
+    end
+    
+    def colour_rows(rows, status)
+      if status == 'Failed'
+        rows.map! {|row| row.map! {|r| r.red } }
+      elsif status == 'Succeeded'
+        rows.map! {|row| row.map! {|r| r.green } }
+      elsif status == 'InProgress'
+        rows.map! {|row| row.map! {|r| r.blue } }
+      elsif ["Stopped", "Stopping"].include? status
+        rows.map! {|row| row.map! {|r| r.yellow } }
+      end
+    end
+    
+    def get_source()
+      source_stage = get_stage("Source")
+      action = source_stage.action_states.first
+      status = source_stage.latest_execution.status
+      state = {
+        stage: action.action_name,
+        rows: [
+          ['Status', status],
+          ['Commit', action.current_revision.revision_id],
+          ['Last Status Change', action.latest_execution.last_status_change.localtime.strftime("%d/%m/%Y %I:%M %p")]
+        ]
+      }
+      
+      unless action.latest_execution.error_details.nil?
+        state[:rows].push(
+          ['Error Message', action.latest_execution.error_details.message]
+        )
+      end
+      
+      colour_rows(state[:rows],status)
+      
+      return state
+    end
+    
+    def get_build()
+      source_stage = get_stage("Build")
+      action = source_stage.action_states.first
+      status = source_stage.latest_execution.status
+      state = {
+        stage: action.action_name,
+        rows: [
+          ['Status', status],
+          ['Build Id', action.latest_execution.external_execution_id],
+          ['Last Status Change', action.latest_execution.last_status_change.localtime.strftime("%d/%m/%Y %I:%M %p")],
+          ['Logs', action.latest_execution.external_execution_url]
+        ]
+      }
+      
+      unless action.latest_execution.error_details.nil?
+        state[:rows].push(
+          ['Error Message', action.latest_execution.error_details.message]
+        )
+      end
+      
+      colour_rows(state[:rows],status)
+      
+      return state
+    end
+    
+    def get_create_changeset()
+      source_stage = get_stage("Deploy")
+      action = source_stage.action_states.find {|action| action.action_name == "CreateChangeSet"}
+      status = source_stage.latest_execution.status
+      state = {
+        stage: action.action_name,
+        rows: [
+          ['Status', status],
+          ['Summary', action.latest_execution.summary],
+          ['Last Status Change', action.latest_execution.last_status_change.localtime.strftime("%d/%m/%Y %I:%M %p")],
+        ]
+      }
+      
+      unless action.latest_execution.error_details.nil?
+        state[:rows].push(
+          ['Error Message', action.latest_execution.error_details.message]
+        )
+      end
+      
+      colour_rows(state[:rows],status)
+      
+      return state
+    end
+    
+    def get_deploy_changeset()
+      source_stage = get_stage("Deploy")
+      action = source_stage.action_states.find {|action| action.action_name == "DeployChangeSet"}
+      status = source_stage.latest_execution.status
+      state = {
+        stage: action.action_name,
+        rows: [
+          ['Status', status],
+          ['Summary', action.latest_execution.summary],
+          ['Last Status Change', action.latest_execution.last_status_change.localtime.strftime("%d/%m/%Y %I:%M %p")],
+        ]
+      }
+      
+      unless action.latest_execution.error_details.nil?
+        state[:rows].push(
+          ['Error Message', action.latest_execution.error_details.message]
+        )
+      end
+      
+      colour_rows(state[:rows],status)
+      
+      return state
+    end
+    
+  end
+end

data/lib/cfnguardian/compile.rb

@@ -1,7 +1,9 @@
 require 'yaml'
+require 'fileutils'
 require 'cfnguardian/string'
 require 'cfnguardian/stacks/resources'
 require 'cfnguardian/stacks/main'
+require 'cfnguardian/models/composite'
 require 'cfnguardian/resources/base'
 require 'cfnguardian/resources/apigateway'
 require 'cfnguardian/resources/application_targetgroup'
@@ -18,6 +20,9 @@ require 'cfnguardian/resources/elastic_file_system'
 require 'cfnguardian/resources/elasticache_replication_group'
 require 'cfnguardian/resources/elastic_loadbalancer'
 require 'cfnguardian/resources/http'
+require 'cfnguardian/resources/internal_http'
+require 'cfnguardian/resources/port'
+require 'cfnguardian/resources/internal_port'
 require 'cfnguardian/resources/nrpe'
 require 'cfnguardian/resources/lambda'
 require 'cfnguardian/resources/network_targetgroup'
@@ -26,24 +31,31 @@ require 'cfnguardian/resources/rds_instance'
 require 'cfnguardian/resources/redshift_cluster'
 require 'cfnguardian/resources/sql'
 require 'cfnguardian/resources/sqs_queue'
+require 'cfnguardian/resources/log_group'
+require 'cfnguardian/resources/sftp'
+require 'cfnguardian/resources/internal_sftp'
+require 'cfnguardian/resources/tls'
 
 module CfnGuardian
   class Compile
     include Logging
     
-    attr_reader :cost, :resources
+    attr_reader :cost, :resources, :topics
     
-    def initialize(opts,bucket)
-      @prefix = opts.fetch(:stack_name,'guardian')
-      @bucket = bucket
-      
-      config = YAML.load_file(opts.fetch(:config))
+    def initialize(config_file)
+      config = YAML.load_file(config_file)
+            
       @resource_groups = config.fetch('Resources',{})
+      @composites = config.fetch('Composites',{})
       @templates = config.fetch('Templates',{})
+      @topics = config.fetch('Topics',{})
+      @maintenance_groups = config.fetch('MaintenaceGroups', {})
       
+      @maintenance_group_list = @maintenance_groups.keys.map {|group| "#{group}MaintenanceGroup"}
       @resources = []
       @stacks = []
       @checks = []
+      @ssm_parameters = []
       
       @cost = 0
     end
@@ -57,7 +69,7 @@ module CfnGuardian
           rescue NameError => e
             if @templates.has_key?(group) && @templates[group].has_key?('Inherit')
               begin
-                resource_class = Kernel.const_get("CfnGuardian::Resource::#{@templates[group]['Inherit']}").new(resource)
+                resource_class = Kernel.const_get("CfnGuardian::Resource::#{@templates[group]['Inherit']}").new(resource, group)
                 logger.debug "Inheritited resource group #{@templates[group]['Inherit']} for group #{group}"
               rescue NameError => e
                 logger.warn "'#{@templates[group]['Inherit']}' resource group doesn't exist and is unable to be inherited from"
@@ -70,40 +82,69 @@ module CfnGuardian
           end
           
           overides = @templates.has_key?(group) ? @templates[group] : {}
-          @resources.concat resource_class.get_alarms(overides)
+          @resources.concat resource_class.get_alarms(overides,resource)
+          @resources.concat resource_class.get_metric_filters()
           @resources.concat resource_class.get_events()
           @checks.concat resource_class.get_checks()
 
           @cost += resource_class.get_cost
         end
       end
+      
+      @maintenance_groups.each do |maintenance_group,resource_groups|
+        resource_groups.each do |group, alarms|
+          alarms.each do |alarm, resources|
+            resources.each do |resource|
+              res = @resources.find {|r| 
+                (r.type == 'Alarm') && 
+                (r.class == group && r.name == alarm) &&
+                (r.resource_id == resource['Id'] || r.resource_name == resource['Name'])}
+              unless res.nil?
+                res.maintenance_groups.append("#{maintenance_group}MaintenanceGroup")
+              end
+            end
+          end
+        end
+      end
+      
+      @composites.each do |name,params|
+        @resources.push CfnGuardian::Models::Composite.new(name,params)
+        @cost += 0.50
+      end
+      
+      @ssm_parameters = @resources.select {|resource| resource.type == 'Event'}.map {|event| event.ssm_parameters}.flatten.uniq
+    end
+    
+    def alarms
+      @resources.select {|resource| resource.type == 'Alarm'}
     end
     
-    def split_resources
+    def split_resources(bucket,path)
       split = @resources.each_slice(200).to_a
       split.each_with_index do |resources,index|
         @stacks.push({
           'Name' => "GuardianStack#{index}",
-          'TemplateURL' => "https://#{@bucket}.s3.amazonaws.com/#{@prefix}/guardian-stack-#{index}.compiled.yaml",
+          'TemplateURL' => "https://#{bucket}.s3.amazonaws.com/#{path}/guardian-stack-#{index}.compiled.yaml",
           'Reference' => index
         })
       end
       return split
     end
     
-    def compile_templates
+    def compile_templates(bucket,path)
       clean_out_directory()
-      resources = split_resources()
+      resources = split_resources(bucket,path)
       
       main_stack = CfnGuardian::Stacks::Main.new()
-      template = main_stack.build_template(@stacks,@checks)
-      valid = template.validate
+      main_stack.build_template(@stacks,@checks,@topics,@maintenance_group_list,@ssm_parameters)
+      valid = main_stack.template.validate
+      FileUtils.mkdir_p 'out'
       File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
       
       resources.each_with_index do |resources,index|
-        stack = CfnGuardian::Stacks::Resources.new()
-        template = stack.build_template(resources)
-        valid = template.validate
+        stack = CfnGuardian::Stacks::Resources.new(main_stack.parameters)
+        stack.build_template(resources)
+        valid = stack.template.validate
         File.write("out/guardian-stack-#{index}.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
       end
     end

data/lib/cfnguardian/config/defaults.yaml

@@ -0,0 +1,94 @@
+Resources:
+  AmazonMQBroker:
+  - Id: Default
+  ApiGateway:
+  - Id: Default
+  ApplicationTargetGroup:
+  - Id: Default
+    LoadBalancer: Default
+  AutoScalingGroup:
+  - Id: Default
+  CloudFrontDistribution:
+  - Id: Default
+  DomainExpiry:
+  - Id: Default
+  DynamoDBTable:
+  - Id: Default
+  Ec2Instance:
+  - Id: Default
+  ECSCluster:
+  - Id: Default
+  ECSService:
+  - Id: Default
+    Cluster: Default
+  ElasticFileSystem:
+  - Id: Default
+  ElasticLoadBalancer:
+  - Id: Default
+  ElastiCacheReplicationGroup:
+  - Id: Default
+  Http:
+  - Id: Default
+    StatusCode: 200
+    Ssl: true
+    BodyRegex: Default
+  InternalHttp:
+  - Environment: Default
+    VpcId: vpc-default
+    Subnets:
+    - subnet-default
+    Hosts:
+    - Id: Default
+      StatusCode: 200
+      BodyRegex: Default
+  Port:
+  - Id: Default
+    Port: 0
+  InternalPort:
+  - Environment: Default
+    VpcId: vpc-default
+    Subnets:
+    - subnet-default
+    Hosts:
+    - Id: Default
+      Port: 0
+  Lambda:
+  - Id: Default
+  LogGroup:
+  - Id: Default
+    MetricFilters:
+    - MetricName: Default
+      Pattern: Default
+  NetworkTargetGroup:
+  - Id: Default
+    LoadBalancer: Default
+  Nrpe:
+  - Environment: Default
+    VpcId: vpc-default
+    Subnets:
+    - subnet-default
+    Hosts:
+    - Id: Default
+      Commands:
+      - default
+  RDSClusterInstance:
+  - Id: Default
+  RDSInstance:
+  - Id: Default
+  RedshiftCluster:
+  - Id: Default
+  Sql:
+  - Environment: Default
+    VpcId: vpc-default
+    Subnets:
+    - subnet-default
+    Hosts:
+    - Id: Default
+      SecretId: Default
+      Engine: default
+      Queries:
+      - MetricName: Default
+        Query: Default
+  SQSQueue:
+  - Id: Default
+  

data/lib/cfnguardian/display_formatter.rb

@@ -0,0 +1,164 @@
+require 'cfnguardian/cloudwatch'
+require 'cfnguardian/string'
+require 'time'
+
+module CfnGuardian
+  class DisplayFormatter
+    
+    def initialize(alarms=[])
+      @alarms = alarms
+    end  
+    
+    def alarms()
+      resp = []
+      
+      @alarms.each do |alarm|
+        alarm_name = CfnGuardian::CloudWatch.get_alarm_name(alarm)
+        puts alarm_name
+        rows = [
+          ['ResourceId', alarm.resource_id],
+          ['ResourceHash', alarm.resource_hash],
+          ['ResourceName', alarm.resource_name],
+          ['Enabled', alarm.enabled],
+          ['MetricName', alarm.metric_name],
+          ['Dimensions', alarm.dimensions],
+          ['Threshold', alarm.threshold],
+          ['Period', alarm.period],
+          ['EvaluationPeriods', alarm.evaluation_periods],
+          ['ComparisonOperator', alarm.comparison_operator],
+          ['Statistic', alarm.statistic],
+          ['ActionsEnabled', alarm.actions_enabled],
+          ['DatapointsToAlarm', alarm.datapoints_to_alarm],
+          ['ExtendedStatistic', alarm.extended_statistic],
+          ['EvaluateLowSampleCountPercentile', alarm.evaluate_low_sample_count_percentile],
+          ['Unit', alarm.unit],
+          ['AlarmAction', alarm.alarm_action],
+          ['TreatMissingData', alarm.treat_missing_data]
+        ]
+        
+        rows.select! {|row| !row[1].nil?}
+        
+        resp << {
+          title: "#{alarm.group}::#{alarm.name}".green + "\n" + alarm_name.green,
+          rows: rows
+        }
+      end
+      
+      return resp
+    end
+    
+    def compare_alarms(metric_alarms)      
+      resp = []
+      
+      @alarms.each do |alarm|
+        alarm_name = CfnGuardian::CloudWatch.get_alarm_name(alarm)
+        metric_alarm = metric_alarms.find {|ma| ma.alarm_name == alarm_name}
+        dimensions = metric_alarm.dimensions.map {|dim| {dim.name.to_sym => dim.value}}.inject(:merge)
+        
+        rows = [
+          ['ResourceId', alarm.resource_id, alarm.resource_id],
+          ['ResourceHash', alarm.resource_hash, alarm.resource_hash],
+          ['ResourceName', alarm.resource_name, alarm.resource_name],
+          ['Enabled', alarm.enabled, true],
+          ['MetricName', alarm.metric_name, metric_alarm.metric_name],
+          ['Dimensions', alarm.dimensions, dimensions],
+          ['Threshold', alarm.threshold.to_f, metric_alarm.threshold],
+          ['Period', alarm.period, metric_alarm.period],
+          ['EvaluationPeriods', alarm.evaluation_periods, metric_alarm.evaluation_periods],
+          ['ComparisonOperator', alarm.comparison_operator, metric_alarm.comparison_operator],
+          ['Statistic', alarm.statistic, metric_alarm.statistic],
+          ['ActionsEnabled', alarm.actions_enabled, metric_alarm.actions_enabled],
+          ['DatapointsToAlarm', alarm.datapoints_to_alarm, metric_alarm.datapoints_to_alarm],
+          ['ExtendedStatistic', alarm.extended_statistic, metric_alarm.extended_statistic],
+          ['EvaluateLowSampleCountPercentile', alarm.evaluate_low_sample_count_percentile, metric_alarm.evaluate_low_sample_count_percentile],
+          ['Unit', alarm.unit, metric_alarm.unit],
+          ['TreatMissingData', alarm.treat_missing_data, metric_alarm.treat_missing_data],
+          ['AlarmAction', alarm.alarm_action, alarm.alarm_action]
+        ]
+        
+        rows.select! {|row| !row[1].nil?}.each {|row| colour_compare_row(row)}
+        
+        if has_config_difference?(rows)
+          resp << {
+            title: "#{alarm.group}::#{alarm.name}".green + "\n" + alarm_name.green,
+            rows: rows
+          }
+        end
+      end
+      
+      return resp
+    end
+    
+    def alarm_state(metric_alarms)
+      rows = []
+      
+      metric_alarms.each do |ma|      
+        if ma.state_value == 'ALARM'
+          state_value = ma.state_value.to_s.red
+        elsif ma.state_value == 'INSUFFICIENT_DATA'
+          state_value = ma.state_value.to_s.yellow
+        else
+          state_value = ma.state_value.to_s.green
+        end
+        
+        rows << [
+          ma.alarm_name, 
+          state_value, 
+          ma.state_updated_timestamp.localtime,
+          ma.actions_enabled ? 'ENABLED'.green : 'DISABLED'.red
+        ]
+      end
+      # sort by state_value
+      return rows.sort_by {|r| r[3]}
+    end
+    
+    def alarm_history(history,type)
+      rows = []
+      line_width = 100
+      
+      history.each do |item|
+        data = JSON.load(item.history_data)
+        
+        case type
+        when "StateUpdate" 
+          rows << [
+            item.timestamp.localtime, 
+            item.history_summary,
+            data['newState']['stateReason'].word_wrap
+          ]
+        when "ConfigurationUpdate"
+          updated = []
+          if data['type'] == 'Update'
+            data['originalUpdatedFields'].each do |k,v|
+              unless k == 'alarmConfigurationUpdatedTimestamp'
+                updated << "#{k}: #{v} -> #{data['updatedAlarm'][k]}"
+              end
+            end
+          end        
+          rows << [
+            item.timestamp.localtime, 
+            data['type'],
+            updated.join("\n").word_wrap
+          ]
+        end
+      end
+      
+      return rows
+    end
+    
+    private
+    
+    def has_config_difference?(rows)
+      rows.each do |row| 
+        unless row[1].eql?(row[2])
+          return true
+        end
+      end
+      return false 
+    end
+    
+    def colour_compare_row(row)
+      return row[1].eql?(row[2]) ? row.map! {|r| r.to_s.green} : row.map! {|r| r.to_s.red}
+    end
+  end
+end