cfn-guardian 0.1.0 → 0.6.3

data/lib/cfnguardian/resources/sql.rb

@@ -4,8 +4,8 @@ require 'cfnguardian/string'
 module CfnGuardian::Resource
   class Sql < Base
     
-    def initialize(resource)
-      super(resource)
+    def initialize(resource, override_group = nil)
+      super(resource, override_group)
       @resource_list = resource['Hosts']
       @environment = resource['Environment']
     end
@@ -24,7 +24,7 @@ module CfnGuardian::Resource
     def default_events()
       @resource_list.each do |host|
         host['Queries'].each do |query|
-          @events.push(CfnGuardian::Models::SqlEvent.new(host,query['Query']))
+          @events.push(CfnGuardian::Models::SqlEvent.new(host,query['Query'],@environment))
         end
       end
     end

data/lib/cfnguardian/resources/tls.rb

@@ -0,0 +1,66 @@
+module CfnGuardian::Resource
+  class TLS < Base
+    
+    def default_alarms
+      
+      versions = @resource.fetch('Versions',['SSLv2','SSLv3','TLSv1','TLSv1.1','TLSv1.2'])
+      
+      if versions.include? "SSLv2"
+        alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
+        alarm.name = "TLSVersionSSLv2"
+        alarm.metric_name = "SSLv2"
+        alarm.comparison_operator = 'GreaterThanThreshold'
+        alarm.threshold = 0
+        @alarms.push(alarm)
+      end
+      
+      if versions.include? "SSLv3"
+        alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
+        alarm.name = "TLSVersionSSLv3"
+        alarm.metric_name = "SSLv3"
+        alarm.comparison_operator = 'GreaterThanThreshold'
+        alarm.threshold = 0
+        @alarms.push(alarm)
+      end
+      
+      if versions.include? "SSLv3"
+        alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
+        alarm.name = "TLSVersionTLSv1"
+        alarm.metric_name = "TLSv1"
+        @alarms.push(alarm)
+      end
+      
+      if versions.include? "SSLv3"
+        alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
+        alarm.name = "TLSVersionTLSv1.1"
+        alarm.metric_name = "TLSv1.1"
+        @alarms.push(alarm)
+      end
+      
+      if versions.include? "SSLv3"
+        alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
+        alarm.name = "TLSVersionTLSv1.2"
+        alarm.metric_name = "TLSv1.2"
+        @alarms.push(alarm)
+      end
+    
+      if @resource.has_key?('CheckMax')
+        alarm = CfnGuardian::Models::TLSAlarm.new(@resource)
+        alarm.name = "TLSVersionMax"
+        alarm.metric_name = 'MaxVersion'
+        alarm.threshold = 3
+        alarm.evaluation_periods = 2
+        @alarms.push(alarm)
+      end
+    end
+    
+    def default_events
+      @events.push(CfnGuardian::Models::TLSEvent.new(@resource))
+    end
+    
+    def default_checks
+      @checks.push(CfnGuardian::Models::TLSCheck.new(@resource))
+    end
+    
+  end
+end

data/lib/cfnguardian/s3.rb

@@ -4,10 +4,11 @@ module CfnGuardian
   class S3
     include Logging
 
-    attr_reader :bucket
+    attr_reader :bucket, :path
 
-    def initialize(bucket)
+    def initialize(bucket,path='')
       @bucket = set_bucket_name(bucket)
+      @path = path
     end
 
     def set_bucket_name(bucket)

data/lib/cfnguardian/stacks/main.rb

@@ -5,31 +5,87 @@ module CfnGuardian
     class Main
       include CfnDsl::CloudFormation
       
-      def build_template(stacks,checks)
+      attr_reader :parameters, :template
+      
+      def initialize()
+        @parameters = []
         @template = CloudFormation("Guardian main stack")
-        
-        %w(Critical Warning Task Informational).each do |name|
+      end
+      
+      def build_template(stacks,checks,topics,maintenance_groups,ssm_parameters)     
+        parameters = {}
+           
+        topics.each do |name, sns|
           parameter = @template.Parameter(name)
           parameter.Type 'String'
           parameter.Description "SNS topic ARN for #{name} notifications"
+          parameter.Default sns
+          parameters[name] = Ref(name)
         end
         
-        parameters = {
-          Critical: Ref(:Critical),
-          Warning: Ref(:Warning),
-          Task: Ref(:Task),
-          Informational: Ref(:Informational)
-        }
-        
-        build_iam_role()
+        maintenance_groups.each do |group|
+          topic = @template.SNS_Topic(group)
+          topic.TopicName group
+          topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
+          parameters[group] = Ref(group)
+        end
         
-        checks.each {|check| parameters["#{check[:name]}Function#{check[:environment]}"] = add_lambda(check)}
-        stacks.each {|stack| add_stack(stack['Name'],stack['TemplateURL'],parameters)}
+        add_iam_role(ssm_parameters)
+                
+        checks.each {|check| parameters["#{check.name}Function#{check.environment}"] = add_lambda(check)}
+        stacks.each {|stack| add_stack(stack['Name'],stack['TemplateURL'],parameters,stack['Reference'])}
         
-        return @template
+        @parameters = parameters.keys
       end
       
-      def build_iam_role()
+      def add_iam_role(ssm_parameters)
+        policies = []
+        policies << {
+          PolicyName: 'logging',
+          PolicyDocument: {
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Action: [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ],
+              Resource: 'arn:aws:logs:*:*:*'
+            }]
+          }
+        }
+        policies << {
+          PolicyName: 'metrics',
+          PolicyDocument: {
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Action: [ 'cloudwatch:PutMetricData' ],
+              Resource: '*'
+            }]
+          }
+        }
+        policies << {
+          PolicyName: 'attach-network-interface',
+          PolicyDocument: {
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Action: [ 'ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface' ],
+              Resource: '*'
+            }]
+          }
+        }
+        if ssm_parameters.any?
+          policies << {
+            PolicyName: 'ssm-parameters',
+            PolicyDocument: {
+              Version: '2012-10-17',
+              Statement: [{
+                Effect: 'Allow',
+                Action: [ 'ssm:GetParameter', 'ssm:GetParametersByPath', 'ssm:GetParameters' ],
+                Resource: ssm_parameters.map {|param| FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{param}") }
+              }]
+            }
+          }
+        end
         @template.declare do
           IAM_Role(:LambdaExecutionRole) do
             AssumeRolePolicyDocument({
@@ -40,42 +96,8 @@ module CfnGuardian
                 Action: [ 'sts:AssumeRole' ]
               }]
             })
-            Path '/'
-            Policies([
-              {
-                PolicyName: 'logging',
-                PolicyDocument: {
-                  Version: '2012-10-17',
-                  Statement: [{
-                    Effect: 'Allow',
-                    Action: [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ],
-                    Resource: 'arn:aws:logs:*:*:*'
-                  }]
-                }
-              },
-              {
-                PolicyName: 'metrics',
-                PolicyDocument: {
-                  Version: '2012-10-17',
-                  Statement: [{
-                    Effect: 'Allow',
-                    Action: [ 'cloudwatch:PutMetricData' ],
-                    Resource: '*'
-                  }]
-                }
-              },
-              {
-                PolicyName: 'attach-network-interface',
-                PolicyDocument: {
-                  Version: '2012-10-17',
-                  Statement: [{
-                    Effect: 'Allow',
-                    Action: [ 'ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface' ],
-                    Resource: '*'
-                  }]
-                }
-              }
-            ])
+            Path '/guardian/'
+            Policies(policies)
             Tags([
               { Key: 'Name', Value: 'guardian-lambda-role' },
               { Key: 'Environment', Value: 'guardian' }
@@ -86,59 +108,59 @@ module CfnGuardian
       
       def add_lambda(check)
         vpc_config = {}
-        
-        if check.has_key?(:vpc)
+        if !check.vpc.nil?
           @template.declare do
-            EC2_SecurityGroup("#{check[:name]}SecurityGroup#{check[:environment]}") do
-              VpcId check[:vpc]
-              GroupDescription "Guardian lambda function #{check[:class]} check"
+            EC2_SecurityGroup("#{check.name}SecurityGroup#{check.environment}") do
+              VpcId check.vpc
+              GroupDescription "Guardian lambda function #{check.group} check"
               Tags([
-                { Key: 'Name', Value: "guardian-#{check[:name]}-#{check[:environment]}" },
+                { Key: 'Name', Value: "guardian-#{check.name}-#{check.environment}" },
                 { Key: 'Environment', Value: 'guardian' }
               ])
             end
           end
           
-          vpc_config[:SecurityGroupIds] = Ref("#{check[:name]}SecurityGroup#{check[:environment]}")
-          vpc_config[:SubnetIds] = check[:subnets]
+          vpc_config[:SecurityGroupIds] = [Ref("#{check.name}SecurityGroup#{check.environment}")]
+          vpc_config[:SubnetIds] = check.subnets
         end
         
         @template.declare do
-          Lambda_Function("#{check[:name]}Function#{check[:environment]}") do
+          Lambda_Function("#{check.name}Function#{check.environment}") do
             Code({ 
-              S3Bucket: FnSub("base2.lambda.${AWS::Region}"), 
-              S3Key: "#{check[:package]}/#{check[:version]}/handler.zip"
+              S3Bucket: FnSub("base2.guardian.lambda.checks.${AWS::Region}"), 
+              S3Key: "#{check.package}/master/#{check.version}.zip"
             })
-            Handler check[:handler]
-            MemorySize 128
-            Runtime check[:runtime]
-            Timeout 120
+            Handler check.handler
+            MemorySize check.memory
+            Runtime check.runtime
+            Timeout check.timeout
             Role FnGetAtt(:LambdaExecutionRole, :Arn)
             VpcConfig vpc_config unless vpc_config.empty?
             Tags([
-              { Key: 'Name', Value: "guardian-#{check[:name]}-#{check[:class]}" },
+              { Key: 'Name', Value: "guardian-#{check.name}-#{check.group}" },
               { Key: 'Environment', Value: 'guardian' }
             ])
           end
           
-          Lambda_Permission("#{check[:name]}Permissions#{check[:environment]}") do
-            FunctionName Ref("#{check[:name]}Function#{check[:environment]}")
+          Lambda_Permission("#{check.name}Permissions#{check.environment}") do
+            FunctionName Ref("#{check.name}Function#{check.environment}")
             Action 'lambda:InvokeFunction'
             Principal 'events.amazonaws.com'
           end
         end
 
-        return FnGetAtt("#{check[:name]}Function#{check[:environment]}", :Arn)
+        return FnGetAtt("#{check.name}Function#{check.environment}", :Arn)
       end
       
-      def add_stack(name,url,stack_parameters)
+      def add_stack(name,url,stack_parameters,stack_id)
         @template.declare do
           CloudFormation_Stack(name) do
             Parameters stack_parameters
             TemplateURL url
             TimeoutInMinutes 15
             Tags([
-              { Key: 'Name', Value: "guardian-stack-#{name}" }
+              { Key: 'Name', Value: "guardian-stack-#{name}" },
+              { Key: 'guardian:stack-id', Value: "stk#{stack_id}"}
             ])
           end
         end

data/lib/cfnguardian/stacks/resources.rb

@@ -1,80 +1,148 @@
 require 'cfndsl'
+require 'digest/md5'
+require 'cfnguardian/cloudwatch'
 
 module CfnGuardian
   module Stacks
     class Resources
       include CfnDsl::CloudFormation
       
-      def build_template(resources)
-        @template = CloudFormation("Guardian nested stack")
-        
-        %w(Critical Warning Task Informational).each do |name|
+      attr_reader :template
+      
+      def initialize(parameters,stack_id)
+        @stack_id = stack_id
+
+        @template = CloudFormation("Guardian nested - stack-id:stk#{@stack_id}")
+        parameters.each do |name|
           parameter = @template.Parameter(name)
           parameter.Type 'String'
-          parameter.Description "SNS topic ARN for #{name} notifications"
         end
-        
+      end
+      
+      def build_template(resources)
         resources.each do |resource|
-          case resource[:type]
+          case resource.type
           when 'Alarm'
             add_alarm(resource)
           when 'Event'
             add_event(resource)
+          when 'Composite'
+            add_composite_alarm(resource)
+          when 'MetricFilter'
+            add_metric_filter(resource)
+          when 'EventSubscription'
+            add_event_subscription(resource)
           else
-            puts "Warn: #{resource[:type]} is a unsuported resource type"
+            puts "Warn: #{resource.type} is a unsuported resource type"
           end
         end
-        
-        return @template
       end
-      
-      def add_alarm(resource)
+
+      def add_alarm(alarm)
+        actions = alarm.alarm_action.kind_of?(Array) ? alarm.alarm_action.map{|action| Ref(action)} : [Ref(alarm.alarm_action)]
+        actions.concat alarm.maintenance_groups.map {|mg| Ref(mg)} if alarm.maintenance_groups.any?
+        stack_id = @stack_id
+
         @template.declare do
-          CloudWatch_Alarm("#{resource[:resource_name]}#{resource[:class]}#{resource[:name]}#{resource[:type]}"[0..255]) do
+          CloudWatch_Alarm("#{alarm.resource_hash}#{alarm.group}#{alarm.name.gsub(/[^0-9a-zA-Z]/i, '')}#{alarm.type}"[0..255]) do
             ActionsEnabled true
-            AlarmDescription "Guardian alarm #{resource[:class]} #{resource[:resource]} #{resource[:name]}"
-            AlarmName "#{resource[:class]}-#{resource[:resource]}-#{resource[:name]}"
-            ComparisonOperator resource[:comparison_operator]
-            Dimensions resource[:dimensions].map {|k,v| {Name: k, Value: v}}
-            EvaluationPeriods resource[:evaluation_periods]
-            Statistic resource[:statistic]
-            Period resource[:period]
-            Threshold resource[:threshold]
-            MetricName resource[:metric_name]
-            Namespace resource[:namespace]
-            AlarmActions [Ref(resource[:alarm_action])]
-            OKActions [Ref(resource[:alarm_action])]
-            TreatMissingData resource[:treat_missing_data] unless resource[:treat_missing_data].nil?
-            DatapointsToAlarm resource[:datapoints_to_alarm] unless resource[:datapoints_to_alarm].nil?
-            ExtendedStatistic resource[:extended_statistic] unless resource[:extended_statistic].nil?
-            EvaluateLowSampleCountPercentile resource[:evaluate_low_sample_count_percentile] unless resource[:evaluate_low_sample_count_percentile].nil?
-            Unit resource[:unit] unless resource[:unit].nil?
+            AlarmDescription "Guardian alarm #{alarm.name} for the resource #{alarm.resource_id} in alarm group #{alarm.group}"
+            AlarmName CfnGuardian::CloudWatch.get_alarm_name(alarm) + "-stk#{stack_id}"
+            ComparisonOperator alarm.comparison_operator
+            Dimensions alarm.dimensions.map {|k,v| {Name: k, Value: v}} unless alarm.dimensions.nil?
+            EvaluationPeriods alarm.evaluation_periods
+            Statistic alarm.statistic if alarm.extended_statistic.nil?
+            Period alarm.period
+            Threshold alarm.threshold
+            MetricName alarm.metric_name
+            Namespace alarm.namespace
+            AlarmActions actions
+            OKActions actions
+            TreatMissingData alarm.treat_missing_data unless alarm.treat_missing_data.nil?
+            DatapointsToAlarm alarm.datapoints_to_alarm unless alarm.datapoints_to_alarm.nil?
+            ExtendedStatistic alarm.extended_statistic unless alarm.extended_statistic.nil?
+            EvaluateLowSampleCountPercentile alarm.evaluate_low_sample_count_percentile unless alarm.evaluate_low_sample_count_percentile.nil?
+            Unit alarm.unit unless alarm.unit.nil?
           end
         end
       end
       
-      def add_event(resource)
-        @template.declare do
-          Parameter(resource[:target]) do
-            Type 'String'
-            Description "Lamba funtion Arn for #{resource[:class]} #{resource[:type]}"
-          end
-          
-          Events_Rule("#{resource[:class]}#{resource[:type]}#{resource[:hash]}"[0..255]) do
+      def add_event(event)
+        @template.declare do          
+          Events_Rule("#{event.group}#{event.type}#{event.hash}"[0..255]) do
             State 'ENABLED'
-            Description "Guardian scheduled #{resource[:class]} #{resource[:type]}"
-            ScheduleExpression "cron(#{resource[:cron]})"
+            Description "Guardian scheduled #{event.group} #{event.type}"
+            ScheduleExpression "cron(#{event.cron})"
             Targets([
               { 
-                Arn: Ref(resource[:target]),
-                Id: resource[:hash],
-                Input: FnSub(resource[:payload])
+                Arn: Ref(event.target),
+                Id: event.hash,
+                Input: FnSub(event.payload)
               }
             ])
           end
         end
       end
       
+      def add_composite_alarm(alarm)
+        stack_id = @stack_id
+
+        @template.declare do
+          CloudWatch_CompositeAlarm(alarm.name.gsub(/[^0-9a-zA-Z]/i, '')) do
+            
+            AlarmDescription alarm.description
+            AlarmName "guardian-#{alarm.name}-stk#{stack_id}"
+            AlarmRule alarm.rule
+            
+            unless alarm.alarm_action.nil?
+              ActionsEnabled true
+              AlarmActions [Ref(alarm.alarm_action)]
+              # InsufficientDataActions [Ref(alarm.alarm_action)]
+              # OKActions [Ref(alarm.alarm_action)]
+            end
+            
+          end
+        end
+      end
+      
+      def add_metric_filter(filter)
+        @template.declare do
+          Logs_MetricFilter("#{filter.name.gsub(/[^0-9a-zA-Z]/i, '')}#{filter.type}") do
+            LogGroupName filter.log_group
+            FilterPattern filter.pattern
+            MetricTransformations([
+              {
+                MetricValue: filter.metric_value,
+                MetricName: filter.metric_name,
+                MetricNamespace: filter.metric_namespace
+              }
+            ])
+          end
+        end
+      end
+
+      def add_event_subscription(subscription)
+        event_pattern = {}
+        event_pattern['detail-type'] = [subscription.detail_type]
+        event_pattern['source'] = [subscription.source]
+        event_pattern['resources'] = [subscription.resource_arn] unless subscription.resource_arn.empty?
+        event_pattern['detail'] = subscription.detail unless subscription.detail.empty?
+
+        @template.declare do
+          Events_Rule("#{subscription.group}#{subscription.name}#{subscription.hash}"[0..255]) do
+            State subscription.enabled ? 'ENABLED' : 'DISABLED'
+            Description "Guardian event subscription #{subscription.group} #{subscription.name} for resource #{subscription.resource_id}"
+            EventPattern event_pattern
+            Targets [
+              {
+                Arn: Ref(subscription.topic),
+                Id: "#{subscription.topic}Notifier"
+              }
+            ]
+          end
+        end
+      end
+      
     end
   end
 end