cfn-guardian 0.1.0 → 0.6.3

data/lib/cfnguardian/cloudwatch.rb

@@ -0,0 +1,132 @@
+require 'aws-sdk-cloudwatch'
+require 'time'
+
+module CfnGuardian
+  class CloudWatch
+    include Logging
+    
+    def self.get_alarm_name(alarm)
+      alarm_id = alarm.resource_name.nil? ? alarm.resource_id : alarm.resource_name
+      return "guardian-#{alarm.group}-#{alarm_id}-#{alarm.name}"
+    end
+        
+    def self.get_alarms_by_prefix(prefix:, state: nil, action_prefix: nil)
+      client = Aws::CloudWatch::Client.new()
+      options = {max_records: 100}
+      options[:alarm_name_prefix] = prefix
+
+      unless state.nil?
+        options[:state_value] = state
+      end
+
+      unless action_prefix.nil?
+        options[:action_prefix] = action_prefix
+      end
+
+      resp = client.describe_alarms(options)
+      return resp.metric_alarms
+    end
+
+    def self.get_alarms_by_name(alarm_names:, state: nil, action_prefix: nil)
+      client = Aws::CloudWatch::Client.new()
+      options = {max_records: 100}
+
+      unless state.nil?
+        options[:state_value] = state
+      end
+
+      unless action_prefix.nil?
+        options[:action_prefix] = "arn:aws:sns:#{Aws.config[:region]}:#{aws_account_id()}:#{action_prefix}"
+      end
+
+      metric_alarms = []
+      alarm_names.each_slice(100) do |batch|
+        options[:alarm_names] = batch
+        resp = client.describe_alarms(options)
+        metric_alarms.push(*resp.metric_alarms)
+      end
+
+      return metric_alarms
+    end
+
+    def self.filter_alarms(filters:, alarms:)
+      return alarms unless filters.is_a?(Hash)
+      filters = filters.slice('group', 'resource', 'alarm', 'stack-id')
+
+      filtered_alarms = []
+      alarms.each do |alarm|
+        if filters.values.all? {|filter| alarm.alarm_name.include? (filter)}
+          filtered_alarms << alarm
+        end
+      end
+
+      return filtered_alarms
+    end
+    
+    def self.get_alarm_history(alarm_name,type)
+      client = Aws::CloudWatch::Client.new()
+      
+      logger.debug "Searching #{type} history for #{alarm_name}"
+            
+      resp = client.describe_alarm_history({
+        alarm_name: alarm_name,
+        history_item_type: type,
+        start_date: (Time.now.utc.to_date - 7),
+        end_date: (Time.now.utc.to_date + 1),
+        max_records: 100
+      })
+      
+      return resp.alarm_history_items
+    end
+    
+    def self.get_alarm_names(action_prefix=nil,alarm_name_prefix='guardian')
+      alarms = []
+      client = Aws::CloudWatch::Client.new
+      
+      options = {
+        alarm_types: ["CompositeAlarm","MetricAlarm"],
+        alarm_name_prefix: alarm_name_prefix
+      }
+      
+      unless action_prefix.nil?
+        options[:action_prefix] = "arn:aws:sns:#{Aws.config[:region]}:#{aws_account_id()}:#{action_prefix}"
+      end
+      
+      client.describe_alarms(options).each do |response|
+        alarms.concat response.composite_alarms.map(&:alarm_name)
+        alarms.concat response.metric_alarms.map(&:alarm_name)
+      end
+      
+      return alarms
+    end
+    
+    def self.disable_alarms(alarms)
+      client = Aws::CloudWatch::Client.new
+      alarms.each_slice(100) do |batch|
+        client.disable_alarm_actions({alarm_names: batch})
+      end
+    end
+    
+    def self.enable_alarms(alarms)
+      client = Aws::CloudWatch::Client.new
+      alarms.each_slice(100) do |batch|
+        client.enable_alarm_actions({alarm_names: batch})
+      end
+      
+      alarms.each do |alarm|
+        client.set_alarm_state({
+          alarm_name: alarm,
+          state_value: "OK",
+          state_reason: "End of guardian maintenance peroid"
+        })
+      end
+    end
+    
+    def self.aws_account_id()
+      sts = Aws::STS::Client.new
+      account = sts.get_caller_identity().account
+      return account
+    end
+    
+  end
+end

data/lib/cfnguardian/codecommit.rb

@@ -0,0 +1,54 @@
+require 'aws-sdk-codecommit'
+require 'time'
+require 'cfnguardian/log'
+
+module CfnGuardian
+  class CodeCommit
+    include Logging
+  
+    def initialize(repo_name)
+      @repo_name = repo_name
+      @client = Aws::CodeCommit::Client.new()
+    end
+    
+    def get_last_commit(branch='master')
+      resp = @client.get_branch({
+        repository_name: @repo_name,
+        branch_name: branch,
+      })
+      return resp.branch.commit_id
+    end
+    
+    def get_commit_history(branch='master',count=10)
+      history = []
+      commit = get_last_commit(branch)
+      
+      count.times do
+        
+        resp = @client.get_commit({
+          repository_name: @repo_name,
+          commit_id: commit
+        })
+        
+        time = Time.strptime(resp.commit.committer.date,'%s')
+        
+        history << {
+          message: resp.commit.message,
+          author: resp.commit.author.name,
+          date: time.localtime.strftime("%d/%m/%Y %I:%M %p"),
+          id: resp.commit.commit_id
+        }
+        
+        if resp.commit.parents.any?
+          commit = resp.commit.parents.first
+        else
+          break
+        end
+        
+      end
+      
+      return history
+    end
+    
+  end
+end

data/lib/cfnguardian/codepipeline.rb

@@ -0,0 +1,138 @@
+require 'aws-sdk-codepipeline'
+require 'time'
+require 'cfnguardian/log'
+
+module CfnGuardian
+  class CodePipeline
+    include Logging
+    
+    def initialize(pipeline_name)
+      @pipeline_name = pipeline_name
+      client = Aws::CodePipeline::Client.new()
+      @pipeline = client.get_pipeline_state({
+        name: @pipeline_name
+      })
+    end
+    
+    def retry()
+      resp = client.start_pipeline_execution({
+        name: @pipeline_name,
+        client_request_token: "ClientRequestToken",
+      })
+    end
+    
+    def get_stage(stage_name)
+      return @pipeline.stage_states.find {|stage| stage.stage_name == stage_name}
+    end
+    
+    def colour_rows(rows, status)
+      if status == 'Failed'
+        rows.map! {|row| row.map! {|r| r.red } }
+      elsif status == 'Succeeded'
+        rows.map! {|row| row.map! {|r| r.green } }
+      elsif status == 'InProgress'
+        rows.map! {|row| row.map! {|r| r.blue } }
+      elsif ["Stopped", "Stopping"].include? status
+        rows.map! {|row| row.map! {|r| r.yellow } }
+      end
+    end
+    
+    def get_source()
+      source_stage = get_stage("Source")
+      action = source_stage.action_states.first
+      status = source_stage.latest_execution.status
+      state = {
+        stage: action.action_name,
+        rows: [
+          ['Status', status],
+          ['Commit', action.current_revision.revision_id],
+          ['Last Status Change', action.latest_execution.last_status_change.localtime.strftime("%d/%m/%Y %I:%M %p")]
+        ]
+      }
+      
+      unless action.latest_execution.error_details.nil?
+        state[:rows].push(
+          ['Error Message', action.latest_execution.error_details.message]
+        )
+      end
+      
+      colour_rows(state[:rows],status)
+      
+      return state
+    end
+    
+    def get_build()
+      source_stage = get_stage("Build")
+      action = source_stage.action_states.first
+      status = source_stage.latest_execution.status
+      state = {
+        stage: action.action_name,
+        rows: [
+          ['Status', status],
+          ['Build Id', action.latest_execution.external_execution_id],
+          ['Last Status Change', action.latest_execution.last_status_change.localtime.strftime("%d/%m/%Y %I:%M %p")],
+          ['Logs', action.latest_execution.external_execution_url]
+        ]
+      }
+      
+      unless action.latest_execution.error_details.nil?
+        state[:rows].push(
+          ['Error Message', action.latest_execution.error_details.message]
+        )
+      end
+      
+      colour_rows(state[:rows],status)
+      
+      return state
+    end
+    
+    def get_create_changeset()
+      source_stage = get_stage("Deploy")
+      action = source_stage.action_states.find {|action| action.action_name == "CreateChangeSet"}
+      status = source_stage.latest_execution.status
+      state = {
+        stage: action.action_name,
+        rows: [
+          ['Status', status],
+          ['Summary', action.latest_execution.summary],
+          ['Last Status Change', action.latest_execution.last_status_change.localtime.strftime("%d/%m/%Y %I:%M %p")],
+        ]
+      }
+      
+      unless action.latest_execution.error_details.nil?
+        state[:rows].push(
+          ['Error Message', action.latest_execution.error_details.message]
+        )
+      end
+      
+      colour_rows(state[:rows],status)
+      
+      return state
+    end
+    
+    def get_deploy_changeset()
+      source_stage = get_stage("Deploy")
+      action = source_stage.action_states.find {|action| action.action_name == "DeployChangeSet"}
+      status = source_stage.latest_execution.status
+      state = {
+        stage: action.action_name,
+        rows: [
+          ['Status', status],
+          ['Summary', action.latest_execution.summary],
+          ['Last Status Change', action.latest_execution.last_status_change.localtime.strftime("%d/%m/%Y %I:%M %p")],
+        ]
+      }
+      
+      unless action.latest_execution.error_details.nil?
+        state[:rows].push(
+          ['Error Message', action.latest_execution.error_details.message]
+        )
+      end
+      
+      colour_rows(state[:rows],status)
+      
+      return state
+    end
+    
+  end
+end

data/lib/cfnguardian/compile.rb

@@ -1,7 +1,9 @@
 require 'yaml'
+require 'fileutils'
 require 'cfnguardian/string'
 require 'cfnguardian/stacks/resources'
 require 'cfnguardian/stacks/main'
+require 'cfnguardian/models/composite'
 require 'cfnguardian/resources/base'
 require 'cfnguardian/resources/apigateway'
 require 'cfnguardian/resources/application_targetgroup'
@@ -18,6 +20,9 @@ require 'cfnguardian/resources/elastic_file_system'
 require 'cfnguardian/resources/elasticache_replication_group'
 require 'cfnguardian/resources/elastic_loadbalancer'
 require 'cfnguardian/resources/http'
+require 'cfnguardian/resources/internal_http'
+require 'cfnguardian/resources/port'
+require 'cfnguardian/resources/internal_port'
 require 'cfnguardian/resources/nrpe'
 require 'cfnguardian/resources/lambda'
 require 'cfnguardian/resources/network_targetgroup'
@@ -26,24 +31,41 @@ require 'cfnguardian/resources/rds_instance'
 require 'cfnguardian/resources/redshift_cluster'
 require 'cfnguardian/resources/sql'
 require 'cfnguardian/resources/sqs_queue'
+require 'cfnguardian/resources/log_group'
+require 'cfnguardian/resources/sftp'
+require 'cfnguardian/resources/internal_sftp'
+require 'cfnguardian/resources/tls'
+require 'cfnguardian/resources/azure_file'
+require 'cfnguardian/resources/amazonmq_rabbitmq'
+require 'cfnguardian/version'
+require 'cfnguardian/error'
 
 module CfnGuardian
   class Compile
     include Logging
     
-    attr_reader :cost, :resources
+    attr_reader :cost, :resources, :topics
     
-    def initialize(opts,bucket)
-      @prefix = opts.fetch(:stack_name,'guardian')
-      @bucket = bucket
-      
-      config = YAML.load_file(opts.fetch(:config))
+    def initialize(config_file)
+      config = YAML.load_file(config_file)
+            
       @resource_groups = config.fetch('Resources',{})
+      @composites = config.fetch('Composites',{})
       @templates = config.fetch('Templates',{})
+      @topics = config.fetch('Topics',{})
+      @maintenance_groups = config.fetch('MaintenaceGroups', {})
+      @event_subscriptions = config.fetch('EventSubscriptions', {})
       
+      # Make sure the default topics exist if they aren't supplied in the alarms.yaml
+      %w(Critical Warning Task Informational Events).each do |topic|
+        @topics[topic] = '' unless @topics.has_key?(topic)
+      end
+
+      @maintenance_group_list = @maintenance_groups.keys.map {|group| "#{group}MaintenanceGroup"}
       @resources = []
       @stacks = []
       @checks = []
+      @ssm_parameters = []
       
       @cost = 0
     end
@@ -57,7 +79,7 @@ module CfnGuardian
           rescue NameError => e
             if @templates.has_key?(group) && @templates[group].has_key?('Inherit')
               begin
-                resource_class = Kernel.const_get("CfnGuardian::Resource::#{@templates[group]['Inherit']}").new(resource)
+                resource_class = Kernel.const_get("CfnGuardian::Resource::#{@templates[group]['Inherit']}").new(resource, group)
                 logger.debug "Inheritited resource group #{@templates[group]['Inherit']} for group #{group}"
               rescue NameError => e
                 logger.warn "'#{@templates[group]['Inherit']}' resource group doesn't exist and is unable to be inherited from"
@@ -69,41 +91,106 @@ module CfnGuardian
             end
           end
           
-          overides = @templates.has_key?(group) ? @templates[group] : {}
-          @resources.concat resource_class.get_alarms(overides)
+          template_overides = @templates.has_key?(group) ? @templates[group] : {}
+          @resources.concat resource_class.get_alarms(group,template_overides)
+
+          @resources.concat resource_class.get_metric_filters()
           @resources.concat resource_class.get_events()
+
+          event_subscriptions = @event_subscriptions.has_key?(group) ? @event_subscriptions[group] : {}
+          @resources.concat resource_class.get_event_subscriptions(group,event_subscriptions)
+          
           @checks.concat resource_class.get_checks()
 
           @cost += resource_class.get_cost
         end
       end
+      
+      @maintenance_groups.each do |maintenance_group,resource_groups|
+        resource_groups.each do |group, alarms|
+          alarms.each do |alarm, resources|
+            resources.each do |resource|
+
+              res = @resources.find {|r| 
+                (r.type == 'Alarm') && 
+                (r.group == group && r.name == alarm) &&
+                (r.resource_id == resource['Id'] || r.resource_name == resource['Name'])}
+
+              unless res.nil?
+                res.maintenance_groups.append("#{maintenance_group}MaintenanceGroup")
+              end
+              
+            end
+          end
+        end
+      end
+      
+      @composites.each do |name,params|
+        @resources.push CfnGuardian::Models::Composite.new(name,params)
+        @cost += 0.50
+      end
+      
+      @ssm_parameters = @resources.select {|resource| resource.type == 'Event'}.map {|event| event.ssm_parameters}.flatten.uniq
+
+      validate_resources()
     end
     
-    def split_resources
+    def alarms
+      @resources.select {|resource| resource.type == 'Alarm'}
+    end
+
+    def validate_resources()
+      errors = []
+      @resources.each do |resource|
+        case resource.type
+        when 'Alarm'
+          %w(metric_name namespace).each do |property|
+            if resource.send(property).nil?
+              errors << "Alarm #{resource.name} for resource #{resource.resource_id} has nil value for property #{property.to_camelcase}"
+            end
+          end
+        when 'Check'
+          # no validation check yet
+        when 'Event'
+          # no validation check yet
+        when 'Composite'
+          # no validation check yet
+        when 'EventSubscription'
+          # no validation check yet
+        when 'MetricFilter'
+          # no validation check yet
+        end
+      end
+
+      raise CfnGuardian::ValidationError, "#{errors.size} errors found\n[*] #{errors.join("\n[*] ")}" if errors.any?
+    end
+    
+    def split_resources(bucket,path)
       split = @resources.each_slice(200).to_a
       split.each_with_index do |resources,index|
         @stacks.push({
           'Name' => "GuardianStack#{index}",
-          'TemplateURL' => "https://#{@bucket}.s3.amazonaws.com/#{@prefix}/guardian-stack-#{index}.compiled.yaml",
+          'TemplateURL' => "https://#{bucket}.s3.amazonaws.com/#{path}/guardian-stack-#{index}.compiled.yaml",
           'Reference' => index
         })
       end
       return split
     end
     
-    def compile_templates
+    def compile_templates(bucket,path)
       clean_out_directory()
-      resources = split_resources()
+      resources = split_resources(bucket,path)
       
       main_stack = CfnGuardian::Stacks::Main.new()
-      template = main_stack.build_template(@stacks,@checks)
-      valid = template.validate
+      main_stack.build_template(@stacks,@checks,@topics,@maintenance_group_list,@ssm_parameters)
+      valid = main_stack.template.validate
+      FileUtils.mkdir_p 'out'
       File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
       
       resources.each_with_index do |resources,index|
-        stack = CfnGuardian::Stacks::Resources.new()
-        template = stack.build_template(resources)
-        valid = template.validate
+        stack = CfnGuardian::Stacks::Resources.new(main_stack.parameters,index)
+        stack.build_template(resources)
+        valid = stack.template.validate
         File.write("out/guardian-stack-#{index}.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
       end
     end
@@ -111,6 +198,43 @@ module CfnGuardian
     def clean_out_directory
       Dir["out/*.yaml"].each {|file| File.delete(file)}
     end
+
+    def load_parameters(options)
+      parameters = {}
+      # Load sns topic parameters in order of preference
+      @topics.each do |key, value|
+        # if parameter is passed in as a command line option
+        if options.has_key?("sns_#{key.downcase}")
+          parameters[key.to_sym] = options["sns_#{key.downcase}"]
+        # if parameter is in config
+        elsif !value.empty?
+          parameters[key.to_sym] = value
+        # if parameter is set as environment variable
+        elsif ENV.has_key?("GUARDIAN_TOPIC_#{key.upcase}")
+          parameters[key.to_sym] = ENV["GUARDIAN_TOPIC_#{key.upcase}"]
+        end
+      end
+
+      return parameters
+    end
+
+    def genrate_template_config(parameters)
+      template = {
+        Tags: {
+          'guardian:version': CfnGuardian::VERSION
+        }
+      }
+
+      if ENV.has_key?('CODEBUILD_RESOLVED_SOURCE_VERSION')
+        template[:Tags][:'guardian:config:commit'] = ENV['CODEBUILD_RESOLVED_SOURCE_VERSION']
+      end
+
+      unless parameters.empty?
+        template[:Parameters] = parameters
+      end
+
+      File.write("out/template-config.guardian.json", template.to_json)
+    end
         
   end
 end