cfn-guardian 0.1.0 → 0.3.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (40) hide show
  1. checksums.yaml +4 -4
  2. data/.dockerignore +1 -0
  3. data/Dockerfile +19 -0
  4. data/Gemfile.lock +31 -13
  5. data/README.md +441 -42
  6. data/cfn-guardian.gemspec +6 -2
  7. data/lib/cfnguardian.rb +301 -27
  8. data/lib/cfnguardian/cloudwatch.rb +121 -0
  9. data/lib/cfnguardian/codecommit.rb +54 -0
  10. data/lib/cfnguardian/codepipeline.rb +138 -0
  11. data/lib/cfnguardian/compile.rb +58 -17
  12. data/lib/cfnguardian/config/defaults.yaml +94 -0
  13. data/lib/cfnguardian/display_formatter.rb +164 -0
  14. data/lib/cfnguardian/drift.rb +79 -0
  15. data/lib/cfnguardian/log.rb +0 -1
  16. data/lib/cfnguardian/models/alarm.rb +98 -36
  17. data/lib/cfnguardian/models/check.rb +103 -26
  18. data/lib/cfnguardian/models/composite.rb +21 -0
  19. data/lib/cfnguardian/models/event.rb +164 -40
  20. data/lib/cfnguardian/models/metric_filter.rb +28 -0
  21. data/lib/cfnguardian/resources/application_targetgroup.rb +2 -0
  22. data/lib/cfnguardian/resources/base.rb +38 -16
  23. data/lib/cfnguardian/resources/ecs_service.rb +2 -2
  24. data/lib/cfnguardian/resources/http.rb +16 -1
  25. data/lib/cfnguardian/resources/internal_http.rb +74 -0
  26. data/lib/cfnguardian/resources/internal_port.rb +33 -0
  27. data/lib/cfnguardian/resources/internal_sftp.rb +58 -0
  28. data/lib/cfnguardian/resources/log_group.rb +26 -0
  29. data/lib/cfnguardian/resources/network_targetgroup.rb +1 -0
  30. data/lib/cfnguardian/resources/port.rb +25 -0
  31. data/lib/cfnguardian/resources/rds_instance.rb +2 -0
  32. data/lib/cfnguardian/resources/sftp.rb +50 -0
  33. data/lib/cfnguardian/resources/sql.rb +1 -1
  34. data/lib/cfnguardian/resources/tls.rb +66 -0
  35. data/lib/cfnguardian/s3.rb +3 -2
  36. data/lib/cfnguardian/stacks/main.rb +86 -65
  37. data/lib/cfnguardian/stacks/resources.rb +81 -42
  38. data/lib/cfnguardian/string.rb +12 -0
  39. data/lib/cfnguardian/version.rb +1 -1
  40. metadata +102 -5
data/lib/cfnguardian/resources/ecs_service.rb CHANGED
@@ -8,7 +8,7 @@ module CfnGuardian
8
8
  alarm.metric_name = 'MemoryUtilization'
9
9
  alarm.comparison_operator = 'LessThanOrEqualToThreshold'
10
10
  alarm.statistic = 'SampleCount'
11
- alarm.threshold = 15
11
+ alarm.threshold = 0
12
12
  alarm.evaluation_periods = 10
13
13
  alarm.treat_missing_data = 'breaching'
14
14
  alarm.datapoints_to_alarm = 8
@@ -19,7 +19,7 @@ module CfnGuardian
19
19
  alarm.metric_name = 'MemoryUtilization'
20
20
  alarm.comparison_operator = 'LessThanOrEqualToThreshold'
21
21
  alarm.statistic = 'SampleCount'
22
- alarm.threshold = 15
22
+ alarm.threshold = 1
23
23
  alarm.evaluation_periods = 10
24
24
  alarm.treat_missing_data = 'breaching'
25
25
  alarm.datapoints_to_alarm = 8
data/lib/cfnguardian/resources/http.rb CHANGED
@@ -14,8 +14,9 @@ module CfnGuardian::Resource
14
14
  alarm.metric_name = 'StatusCodeMatch'
15
15
  @alarms.push(alarm)
16
16
 
17
- alarm = CfnGuardian::Models::ElasticLoadBalancerAlarm.new(@resource)
17
+ alarm = CfnGuardian::Models::HttpAlarm.new(@resource)
18
18
  alarm.name = 'EndpointTimeTaken'
19
+ alarm.comparison_operator = 'GreaterThanThreshold'
19
20
  alarm.metric_name = 'TimeTaken'
20
21
  alarm.statistic = 'Minimum'
21
22
  alarm.threshold = 1000
@@ -29,6 +30,20 @@ module CfnGuardian::Resource
29
30
  alarm.metric_name = 'ResponseBodyRegexMatch'
30
31
  @alarms.push(alarm)
31
32
  end
33
+
34
+ if @resource.has_key?('Ssl') && @resource['Ssl']
35
+ alarm = CfnGuardian::Models::SslAlarm.new(@resource)
36
+ alarm.name = 'ExpiresInDaysCritical'
37
+ alarm.metric_name = 'ExpiresInDays'
38
+ alarm.threshold = 5
39
+ @alarms.push(alarm)
40
+
41
+ alarm = CfnGuardian::Models::SslAlarm.new(@resource)
42
+ alarm.name = 'ExpiresInDaysTask'
43
+ alarm.metric_name = 'ExpiresInDays'
44
+ alarm.threshold = 30
45
+ @alarms.push(alarm)
46
+ end
32
47
  end
33
48
 
34
49
  def default_events()
data/lib/cfnguardian/resources/internal_http.rb ADDED
@@ -0,0 +1,74 @@
1
+ require 'digest/md5'
2
+
3
+ module CfnGuardian::Resource
4
+ class InternalHttp < Base
5
+
6
+ def initialize(resource)
7
+ super(resource)
8
+ @resource_list = resource['Hosts']
9
+ @environment = resource['Environment']
10
+ end
11
+
12
+ def default_alarms
13
+ @resource_list.each do |host|
14
+ alarm = CfnGuardian::Models::HttpAlarm.new(host)
15
+ alarm.name = 'EndpointAvailable'
16
+ alarm.metric_name = 'Available'
17
+ @alarms.push(alarm)
18
+
19
+ alarm = CfnGuardian::Models::HttpAlarm.new(host)
20
+ alarm.name = 'EndpointStatusCodeMatch'
21
+ alarm.metric_name = 'StatusCodeMatch'
22
+ @alarms.push(alarm)
23
+
24
+ alarm = CfnGuardian::Models::HttpAlarm.new(host)
25
+ alarm.name = 'EndpointTimeTaken'
26
+ alarm.comparison_operator = 'GreaterThanThreshold'
27
+ alarm.metric_name = 'TimeTaken'
28
+ alarm.statistic = 'Minimum'
29
+ alarm.threshold = 1000
30
+ alarm.period = 300
31
+ alarm.evaluation_periods = 1
32
+ @alarms.push(alarm)
33
+
34
+ if host.has_key?('BodyRegex')
35
+ alarm = CfnGuardian::Models::HttpAlarm.new(host)
36
+ alarm.name = 'EndpointBodyRegexMatch'
37
+ alarm.metric_name = 'ResponseBodyRegexMatch'
38
+ @alarms.push(alarm)
39
+ end
40
+
41
+ if host.has_key?('Ssl') && host['Ssl']
42
+ alarm = CfnGuardian::Models::SslAlarm.new(host)
43
+ alarm.name = 'ExpiresInDaysCritical'
44
+ alarm.metric_name = 'ExpiresInDays'
45
+ alarm.threshold = 5
46
+ @alarms.push(alarm)
47
+
48
+ alarm = CfnGuardian::Models::SslAlarm.new(host)
49
+ alarm.name = 'ExpiresInDaysTask'
50
+ alarm.metric_name = 'ExpiresInDays'
51
+ alarm.threshold = 30
52
+ @alarms.push(alarm)
53
+ end
54
+ end
55
+ end
56
+
57
+ def default_events()
58
+ @resource_list.each do |host|
59
+ @events.push(CfnGuardian::Models::InternalHttpEvent.new(host,@environment))
60
+ if host.has_key?('Ssl') && host['Ssl']
61
+ @events.push(CfnGuardian::Models::InternalSslEvent.new(host,@environment))
62
+ end
63
+ end
64
+ end
65
+
66
+ def default_checks()
67
+ @checks.push(CfnGuardian::Models::InternalHttpCheck.new(@resource))
68
+ if @resource_list.any? {|host| host.has_key?('Ssl') && host['Ssl'] }
69
+ @checks.push(CfnGuardian::Models::InternalSslCheck.new(@resource))
70
+ end
71
+ end
72
+
73
+ end
74
+ end
data/lib/cfnguardian/resources/internal_port.rb ADDED
@@ -0,0 +1,33 @@
1
+ module CfnGuardian::Resource
2
+ class InternalPort < Base
3
+
4
+ def initialize(resource)
5
+ super(resource)
6
+ @resource_list = resource['Hosts']
7
+ @environment = resource['Environment']
8
+ end
9
+
10
+ def default_alarms
11
+ @resource_list.each do |host|
12
+ alarm = CfnGuardian::Models::PortAlarm.new(host)
13
+ alarm.name = 'EndpointAvailable'
14
+ alarm.metric_name = 'Available'
15
+ @alarms.push(alarm)
16
+
17
+ alarm = CfnGuardian::Models::PortAlarm.new(host)
18
+ alarm.name = 'EndpointTimeTaken'
19
+ alarm.metric_name = 'TimeTaken'
20
+ @alarms.push(alarm)
21
+ end
22
+ end
23
+
24
+ def default_events()
25
+ @resource_list.each {|host| @events.push(CfnGuardian::Models::InternalPortEvent.new(host,@environment))}
26
+ end
27
+
28
+ def default_checks()
29
+ @checks.push(CfnGuardian::Models::InternalPortCheck.new(@resource))
30
+ end
31
+
32
+ end
33
+ end
data/lib/cfnguardian/resources/internal_sftp.rb ADDED
@@ -0,0 +1,58 @@
1
+ module CfnGuardian::Resource
2
+ class InternalSFTP < Base
3
+
4
+ def initialize(resource)
5
+ super(resource)
6
+ @resource_list = resource['Hosts']
7
+ @environment = resource['Environment']
8
+ end
9
+
10
+ def default_alarms
11
+ @resource_list.each do |host|
12
+ alarm = CfnGuardian::Models::SFTPAlarm.new(host)
13
+ alarm.name = 'Available'
14
+ alarm.metric_name = 'Available'
15
+ @alarms.push(alarm)
16
+
17
+ alarm = CfnGuardian::Models::SFTPAlarm.new(host)
18
+ alarm.name = 'ConnectionTime'
19
+ alarm.metric_name = 'ConnectionTime'
20
+ alarm.comparison_operator = 'GreaterThanThreshold'
21
+ alarm.statistic = 'Minimum'
22
+ alarm.threshold = 1000
23
+ @alarms.push(alarm)
24
+
25
+ if host.has_key?('File')
26
+ alarm = CfnGuardian::Models::SFTPAlarm.new(host)
27
+ alarm.name = 'FileExists'
28
+ alarm.metric_name = 'FileExists'
29
+ @alarms.push(alarm)
30
+
31
+ alarm = CfnGuardian::Models::SFTPAlarm.new(host)
32
+ alarm.name = 'FileGetTime'
33
+ alarm.metric_name = 'FileGetTime'
34
+ alarm.comparison_operator = 'GreaterThanThreshold'
35
+ alarm.statistic = 'Minimum'
36
+ alarm.threshold = 1000
37
+ @alarms.push(alarm)
38
+
39
+ if host.has_key?('FileRegexMatch')
40
+ alarm = CfnGuardian::Models::SFTPAlarm.new(host)
41
+ alarm.name = 'FileBodyMatch'
42
+ alarm.metric_name = 'FileBodyMatch'
43
+ @alarms.push(alarm)
44
+ end
45
+ end
46
+ end
47
+ end
48
+
49
+ def default_events
50
+ @resource_list.each {|host| @events.push(CfnGuardian::Models::InternalSFTPEvent.new(host,@environment)) }
51
+ end
52
+
53
+ def default_checks
54
+ @checks.push(CfnGuardian::Models::InternalSFTPCheck.new(@resource))
55
+ end
56
+
57
+ end
58
+ end
data/lib/cfnguardian/resources/log_group.rb ADDED
@@ -0,0 +1,26 @@
1
+ module CfnGuardian::Resource
2
+ class LogGroup < Base
3
+
4
+ def initialize(resource)
5
+ super(resource)
6
+ @resource_list = resource['MetricFilters']
7
+ end
8
+
9
+ def default_alarms()
10
+ @resource_list.each do |filter|
11
+ alarm = CfnGuardian::Models::LogGroupAlarm.new(@resource)
12
+ alarm.name = filter['MetricName']
13
+ alarm.metric_name = filter['MetricName']
14
+ @alarms.push(alarm)
15
+ end
16
+ end
17
+
18
+ def default_metric_filters()
19
+ @resource_list.each do |filter|
20
+ metric_filter = CfnGuardian::Models::MetricFilter.new(@resource['Id'],filter)
21
+ @metric_filters.push(metric_filter)
22
+ end
23
+ end
24
+
25
+ end
26
+ end
data/lib/cfnguardian/resources/network_targetgroup.rb CHANGED
@@ -5,6 +5,7 @@ module CfnGuardian::Resource
5
5
  alarm = CfnGuardian::Models::NetworkTargetGroupAlarm.new(@resource)
6
6
  alarm.name = 'HealthyHosts'
7
7
  alarm.metric_name = 'HealthyHostCount'
8
+ alarm.comparison_operator = 'LessThanThreshold'
8
9
  alarm.statistic = 'Minimum'
9
10
  alarm.threshold = 2
10
11
  alarm.evaluation_periods = 1
data/lib/cfnguardian/resources/port.rb ADDED
@@ -0,0 +1,25 @@
1
+ module CfnGuardian::Resource
2
+ class Port < Base
3
+
4
+ def default_alarms
5
+ alarm = CfnGuardian::Models::PortAlarm.new(@resource)
6
+ alarm.name = 'EndpointAvailable'
7
+ alarm.metric_name = 'Available'
8
+ @alarms.push(alarm)
9
+
10
+ alarm = CfnGuardian::Models::PortAlarm.new(@resource)
11
+ alarm.name = 'EndpointTimeTaken'
12
+ alarm.metric_name = 'TimeTaken'
13
+ @alarms.push(alarm)
14
+ end
15
+
16
+ def default_events()
17
+ @events.push(CfnGuardian::Models::PortEvent.new(@resource))
18
+ end
19
+
20
+ def default_checks()
21
+ @checks.push(CfnGuardian::Models::PortCheck.new(@resource))
22
+ end
23
+
24
+ end
25
+ end
data/lib/cfnguardian/resources/rds_instance.rb CHANGED
@@ -7,6 +7,7 @@ module CfnGuardian::Resource
7
7
  alarm.metric_name = 'FreeStorageSpace'
8
8
  alarm.threshold = 50000000000
9
9
  alarm.evaluation_periods = 1
10
+ alarm.comparison_operator = 'LessThanThreshold'
10
11
  @alarms.push(alarm)
11
12
 
12
13
  alarm = CfnGuardian::Models::RDSInstanceAlarm.new(@resource)
@@ -14,6 +15,7 @@ module CfnGuardian::Resource
14
15
  alarm.metric_name = 'FreeStorageSpace'
15
16
  alarm.threshold = 100000000000
16
17
  alarm.evaluation_periods = 1
18
+ alarm.comparison_operator = 'LessThanThreshold'
17
19
  alarm.alarm_action = 'Task'
18
20
  @alarms.push(alarm)
19
21
 
data/lib/cfnguardian/resources/sftp.rb ADDED
@@ -0,0 +1,50 @@
1
+ module CfnGuardian::Resource
2
+ class SFTP < Base
3
+
4
+ def default_alarms
5
+ alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
6
+ alarm.name = 'Available'
7
+ alarm.metric_name = 'Available'
8
+ @alarms.push(alarm)
9
+
10
+ alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
11
+ alarm.name = 'ConnectionTime'
12
+ alarm.metric_name = 'ConnectionTime'
13
+ alarm.comparison_operator = 'GreaterThanThreshold'
14
+ alarm.statistic = 'Minimum'
15
+ alarm.threshold = 1000
16
+ @alarms.push(alarm)
17
+
18
+ if @resource.has_key?('File')
19
+ alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
20
+ alarm.name = 'FileExists'
21
+ alarm.metric_name = 'FileExists'
22
+ @alarms.push(alarm)
23
+
24
+ alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
25
+ alarm.name = 'FileGetTime'
26
+ alarm.metric_name = 'FileGetTime'
27
+ alarm.comparison_operator = 'GreaterThanThreshold'
28
+ alarm.statistic = 'Minimum'
29
+ alarm.threshold = 1000
30
+ @alarms.push(alarm)
31
+
32
+ if @resource.has_key?('FileRegexMatch')
33
+ alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
34
+ alarm.name = 'FileBodyMatch'
35
+ alarm.metric_name = 'FileBodyMatch'
36
+ @alarms.push(alarm)
37
+ end
38
+ end
39
+ end
40
+
41
+ def default_events
42
+ @events.push(CfnGuardian::Models::SFTPEvent.new(@resource))
43
+ end
44
+
45
+ def default_checks
46
+ @checks.push(CfnGuardian::Models::SFTPCheck.new(@resource))
47
+ end
48
+
49
+ end
50
+ end
data/lib/cfnguardian/resources/sql.rb CHANGED
@@ -24,7 +24,7 @@ module CfnGuardian::Resource
24
24
  def default_events()
25
25
  @resource_list.each do |host|
26
26
  host['Queries'].each do |query|
27
- @events.push(CfnGuardian::Models::SqlEvent.new(host,query['Query']))
27
+ @events.push(CfnGuardian::Models::SqlEvent.new(host,query['Query'],@environment))
28
28
  end
29
29
  end
30
30
  end
data/lib/cfnguardian/resources/tls.rb ADDED
@@ -0,0 +1,66 @@
1
+ module CfnGuardian::Resource
2
+ class TLS < Base
3
+
4
+ def default_alarms
5
+
6
+ versions = @resource.fetch('Versions',['SSLv2','SSLv3','TLSv1','TLSv1.1','TLSv1.2'])
7
+
8
+ if versions.include? "SSLv2"
9
+ alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
10
+ alarm.name = "TLSVersionSSLv2"
11
+ alarm.metric_name = "SSLv2"
12
+ alarm.comparison_operator = 'GreaterThanThreshold'
13
+ alarm.threshold = 0
14
+ @alarms.push(alarm)
15
+ end
16
+
17
+ if versions.include? "SSLv3"
18
+ alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
19
+ alarm.name = "TLSVersionSSLv3"
20
+ alarm.metric_name = "SSLv3"
21
+ alarm.comparison_operator = 'GreaterThanThreshold'
22
+ alarm.threshold = 0
23
+ @alarms.push(alarm)
24
+ end
25
+
26
+ if versions.include? "SSLv3"
27
+ alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
28
+ alarm.name = "TLSVersionTLSv1"
29
+ alarm.metric_name = "TLSv1"
30
+ @alarms.push(alarm)
31
+ end
32
+
33
+ if versions.include? "SSLv3"
34
+ alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
35
+ alarm.name = "TLSVersionTLSv1.1"
36
+ alarm.metric_name = "TLSv1.1"
37
+ @alarms.push(alarm)
38
+ end
39
+
40
+ if versions.include? "SSLv3"
41
+ alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
42
+ alarm.name = "TLSVersionTLSv1.2"
43
+ alarm.metric_name = "TLSv1.2"
44
+ @alarms.push(alarm)
45
+ end
46
+
47
+ if @resource.has_key?('CheckMax')
48
+ alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
49
+ alarm.name = "TLSVersionMax"
50
+ alarm.metric_name = 'MaxVersion'
51
+ alarm.threshold = 3
52
+ alarm.evaluation_periods = 2
53
+ @alarms.push(alarm)
54
+ end
55
+ end
56
+
57
+ def default_events
58
+ @events.push(CfnGuardian::Models::TLSEvent.new(@resource))
59
+ end
60
+
61
+ def default_checks
62
+ @checks.push(CfnGuardian::Models::TLSCheck.new(@resource))
63
+ end
64
+
65
+ end
66
+ end
data/lib/cfnguardian/s3.rb CHANGED
@@ -4,10 +4,11 @@ module CfnGuardian
4
4
  class S3
5
5
  include Logging
6
6
 
7
- attr_reader :bucket
7
+ attr_reader :bucket, :path
8
8
 
9
- def initialize(bucket)
9
+ def initialize(bucket,path='')
10
10
  @bucket = set_bucket_name(bucket)
11
+ @path = path
11
12
  end
12
13
 
13
14
  def set_bucket_name(bucket)
data/lib/cfnguardian/stacks/main.rb CHANGED
@@ -5,31 +5,87 @@ module CfnGuardian
5
5
  class Main
6
6
  include CfnDsl::CloudFormation
7
7
 
8
- def build_template(stacks,checks)
8
+ attr_reader :parameters, :template
9
+
10
+ def initialize()
11
+ @parameters = []
9
12
  @template = CloudFormation("Guardian main stack")
10
-
13
+ end
14
+
15
+ def build_template(stacks,checks,topics,maintenance_groups,ssm_parameters)
16
+ parameters = {}
17
+
11
18
  %w(Critical Warning Task Informational).each do |name|
12
19
  parameter = @template.Parameter(name)
13
20
  parameter.Type 'String'
14
21
  parameter.Description "SNS topic ARN for #{name} notifications"
22
+ parameter.Default topics[name] if topics.has_key?(name)
23
+ parameters[name] = Ref(name)
15
24
  end
16
25
 
17
- parameters = {
18
- Critical: Ref(:Critical),
19
- Warning: Ref(:Warning),
20
- Task: Ref(:Task),
21
- Informational: Ref(:Informational)
22
- }
26
+ maintenance_groups.each do |group|
27
+ topic = @template.SNS_Topic(group)
28
+ topic.TopicName group
29
+ topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
30
+ parameters[group] = Ref(group)
31
+ end
23
32
 
24
- build_iam_role()
33
+ add_iam_role(ssm_parameters)
25
34
 
26
- checks.each {|check| parameters["#{check[:name]}Function#{check[:environment]}"] = add_lambda(check)}
35
+ checks.each {|check| parameters["#{check.name}Function#{check.environment}"] = add_lambda(check)}
27
36
  stacks.each {|stack| add_stack(stack['Name'],stack['TemplateURL'],parameters)}
28
37
 
29
- return @template
38
+ @parameters = parameters.keys
30
39
  end
31
40
 
32
- def build_iam_role()
41
+ def add_iam_role(ssm_parameters)
42
+ policies = []
43
+ policies << {
44
+ PolicyName: 'logging',
45
+ PolicyDocument: {
46
+ Version: '2012-10-17',
47
+ Statement: [{
48
+ Effect: 'Allow',
49
+ Action: [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ],
50
+ Resource: 'arn:aws:logs:*:*:*'
51
+ }]
52
+ }
53
+ }
54
+ policies << {
55
+ PolicyName: 'metrics',
56
+ PolicyDocument: {
57
+ Version: '2012-10-17',
58
+ Statement: [{
59
+ Effect: 'Allow',
60
+ Action: [ 'cloudwatch:PutMetricData' ],
61
+ Resource: '*'
62
+ }]
63
+ }
64
+ }
65
+ policies << {
66
+ PolicyName: 'attach-network-interface',
67
+ PolicyDocument: {
68
+ Version: '2012-10-17',
69
+ Statement: [{
70
+ Effect: 'Allow',
71
+ Action: [ 'ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface' ],
72
+ Resource: '*'
73
+ }]
74
+ }
75
+ }
76
+ if ssm_parameters.any?
77
+ policies << {
78
+ PolicyName: 'ssm-parameters',
79
+ PolicyDocument: {
80
+ Version: '2012-10-17',
81
+ Statement: [{
82
+ Effect: 'Allow',
83
+ Action: [ 'ssm:GetParameter', 'ssm:GetParametersByPath', 'ssm:GetParameters' ],
84
+ Resource: ssm_parameters.map {|param| FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{param}") }
85
+ }]
86
+ }
87
+ }
88
+ end
33
89
  @template.declare do
34
90
  IAM_Role(:LambdaExecutionRole) do
35
91
  AssumeRolePolicyDocument({
@@ -40,42 +96,8 @@ module CfnGuardian
40
96
  Action: [ 'sts:AssumeRole' ]
41
97
  }]
42
98
  })
43
- Path '/'
44
- Policies([
45
- {
46
- PolicyName: 'logging',
47
- PolicyDocument: {
48
- Version: '2012-10-17',
49
- Statement: [{
50
- Effect: 'Allow',
51
- Action: [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ],
52
- Resource: 'arn:aws:logs:*:*:*'
53
- }]
54
- }
55
- },
56
- {
57
- PolicyName: 'metrics',
58
- PolicyDocument: {
59
- Version: '2012-10-17',
60
- Statement: [{
61
- Effect: 'Allow',
62
- Action: [ 'cloudwatch:PutMetricData' ],
63
- Resource: '*'
64
- }]
65
- }
66
- },
67
- {
68
- PolicyName: 'attach-network-interface',
69
- PolicyDocument: {
70
- Version: '2012-10-17',
71
- Statement: [{
72
- Effect: 'Allow',
73
- Action: [ 'ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface' ],
74
- Resource: '*'
75
- }]
76
- }
77
- }
78
- ])
99
+ Path '/guardian/'
100
+ Policies(policies)
79
101
  Tags([
80
102
  { Key: 'Name', Value: 'guardian-lambda-role' },
81
103
  { Key: 'Environment', Value: 'guardian' }
@@ -86,49 +108,48 @@ module CfnGuardian
86
108
 
87
109
  def add_lambda(check)
88
110
  vpc_config = {}
89
-
90
- if check.has_key?(:vpc)
111
+ if !check.vpc.nil?
91
112
  @template.declare do
92
- EC2_SecurityGroup("#{check[:name]}SecurityGroup#{check[:environment]}") do
93
- VpcId check[:vpc]
94
- GroupDescription "Guardian lambda function #{check[:class]} check"
113
+ EC2_SecurityGroup("#{check.name}SecurityGroup#{check.environment}") do
114
+ VpcId check.vpc
115
+ GroupDescription "Guardian lambda function #{check.group} check"
95
116
  Tags([
96
- { Key: 'Name', Value: "guardian-#{check[:name]}-#{check[:environment]}" },
117
+ { Key: 'Name', Value: "guardian-#{check.name}-#{check.environment}" },
97
118
  { Key: 'Environment', Value: 'guardian' }
98
119
  ])
99
120
  end
100
121
  end
101
122
 
102
- vpc_config[:SecurityGroupIds] = Ref("#{check[:name]}SecurityGroup#{check[:environment]}")
103
- vpc_config[:SubnetIds] = check[:subnets]
123
+ vpc_config[:SecurityGroupIds] = [Ref("#{check.name}SecurityGroup#{check.environment}")]
124
+ vpc_config[:SubnetIds] = check.subnets
104
125
  end
105
126
 
106
127
  @template.declare do
107
- Lambda_Function("#{check[:name]}Function#{check[:environment]}") do
128
+ Lambda_Function("#{check.name}Function#{check.environment}") do
108
129
  Code({
109
- S3Bucket: FnSub("base2.lambda.${AWS::Region}"),
110
- S3Key: "#{check[:package]}/#{check[:version]}/handler.zip"
130
+ S3Bucket: FnSub("base2.guardian.lambda.checks.${AWS::Region}"),
131
+ S3Key: "#{check.package}/master/#{check.version}.zip"
111
132
  })
112
- Handler check[:handler]
133
+ Handler check.handler
113
134
  MemorySize 128
114
- Runtime check[:runtime]
135
+ Runtime check.runtime
115
136
  Timeout 120
116
137
  Role FnGetAtt(:LambdaExecutionRole, :Arn)
117
138
  VpcConfig vpc_config unless vpc_config.empty?
118
139
  Tags([
119
- { Key: 'Name', Value: "guardian-#{check[:name]}-#{check[:class]}" },
140
+ { Key: 'Name', Value: "guardian-#{check.name}-#{check.group}" },
120
141
  { Key: 'Environment', Value: 'guardian' }
121
142
  ])
122
143
  end
123
144
 
124
- Lambda_Permission("#{check[:name]}Permissions#{check[:environment]}") do
125
- FunctionName Ref("#{check[:name]}Function#{check[:environment]}")
145
+ Lambda_Permission("#{check.name}Permissions#{check.environment}") do
146
+ FunctionName Ref("#{check.name}Function#{check.environment}")
126
147
  Action 'lambda:InvokeFunction'
127
148
  Principal 'events.amazonaws.com'
128
149
  end
129
150
  end
130
151
 
131
- return FnGetAtt("#{check[:name]}Function#{check[:environment]}", :Arn)
152
+ return FnGetAtt("#{check.name}Function#{check.environment}", :Arn)
132
153
  end
133
154
 
134
155
  def add_stack(name,url,stack_parameters)