RubyGems - cfn-guardian - Versions diffs - 0.1.0 → 0.6.3 - Mend

cfn-guardian 0.1.0 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

checksums.yaml +4 -4
data/.dockerignore +1 -0
data/.github/workflows/build-gem.yml +25 -0
data/.github/workflows/release-gem.yml +25 -0
data/.github/workflows/release-image.yml +33 -0
data/.rspec +1 -0
data/Dockerfile +19 -0
data/Gemfile.lock +39 -21
data/README.md +9 -378
data/cfn-guardian.gemspec +7 -5
data/docs/alarm_templates.md +130 -0
data/docs/cli.md +182 -0
data/docs/composite_alarms.md +24 -0
data/docs/custom_checks/azure_file_check.md +28 -0
data/docs/custom_checks/domain_expiry.md +10 -0
data/docs/custom_checks/http.md +59 -0
data/docs/custom_checks/log_group_metric_filters.md +27 -0
data/docs/custom_checks/nrpe.md +29 -0
data/docs/custom_checks/port.md +40 -0
data/docs/custom_checks/sftp.md +73 -0
data/docs/custom_checks/sql.md +44 -0
data/docs/custom_checks/tls.md +25 -0
data/docs/custom_metrics.md +71 -0
data/docs/event_subscriptions.md +67 -0
data/docs/maintenance_mode.md +85 -0
data/docs/notifiers.md +33 -0
data/docs/overview.md +22 -0
data/docs/resources.md +93 -0
data/docs/variables.md +58 -0
data/lib/cfnguardian.rb +325 -37
data/lib/cfnguardian/cloudwatch.rb +132 -0
data/lib/cfnguardian/codecommit.rb +54 -0
data/lib/cfnguardian/codepipeline.rb +138 -0
data/lib/cfnguardian/compile.rb +142 -18
data/lib/cfnguardian/config/defaults.yaml +103 -0
data/lib/cfnguardian/deploy.rb +2 -16
data/lib/cfnguardian/display_formatter.rb +163 -0
data/lib/cfnguardian/drift.rb +79 -0
data/lib/cfnguardian/error.rb +4 -0
data/lib/cfnguardian/log.rb +0 -1
data/lib/cfnguardian/models/alarm.rb +193 -59
data/lib/cfnguardian/models/check.rb +128 -33
data/lib/cfnguardian/models/composite.rb +21 -0
data/lib/cfnguardian/models/event.rb +201 -49
data/lib/cfnguardian/models/event_subscription.rb +96 -0
data/lib/cfnguardian/models/metric_filter.rb +28 -0
data/lib/cfnguardian/resources/amazonmq_rabbitmq.rb +136 -0
data/lib/cfnguardian/resources/application_targetgroup.rb +2 -0
data/lib/cfnguardian/resources/azure_file.rb +20 -0
data/lib/cfnguardian/resources/base.rb +155 -33
data/lib/cfnguardian/resources/ec2_instance.rb +11 -0
data/lib/cfnguardian/resources/ecs_service.rb +2 -2
data/lib/cfnguardian/resources/http.rb +17 -1
data/lib/cfnguardian/resources/internal_http.rb +74 -0
data/lib/cfnguardian/resources/internal_port.rb +33 -0
data/lib/cfnguardian/resources/internal_sftp.rb +58 -0
data/lib/cfnguardian/resources/log_group.rb +26 -0
data/lib/cfnguardian/resources/network_targetgroup.rb +1 -0
data/lib/cfnguardian/resources/port.rb +25 -0
data/lib/cfnguardian/resources/rds_cluster.rb +14 -0
data/lib/cfnguardian/resources/rds_instance.rb +73 -0
data/lib/cfnguardian/resources/redshift_cluster.rb +2 -2
data/lib/cfnguardian/resources/sftp.rb +50 -0
data/lib/cfnguardian/resources/sql.rb +3 -3
data/lib/cfnguardian/resources/tls.rb +66 -0
data/lib/cfnguardian/s3.rb +3 -2
data/lib/cfnguardian/stacks/main.rb +94 -72
data/lib/cfnguardian/stacks/resources.rb +111 -43
data/lib/cfnguardian/string.rb +12 -0
data/lib/cfnguardian/version.rb +1 -1
metadata +133 -10

data/lib/cfnguardian/resources/ec2_instance.rb CHANGED Viewed

@@ -19,6 +19,17 @@ module CfnGuardian
         @alarms.push(alarm)
       end
+      def default_event_subscriptions()
+        event_subscription = CfnGuardian::Models::Ec2InstanceEventSubscription.new(@resource)
+        event_subscription.name = 'InstanceTerminated'
+        event_subscription.detail_type = 'EC2 Instance State-change Notification'
+        event_subscription.detail = {
+          'instance-id' => [@resource['Id']],
+          'state' => ['terminated']
+        }
+        @event_subscriptions.push(event_subscription)
+      end
     end
   end
 end

data/lib/cfnguardian/resources/ecs_service.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module CfnGuardian
         alarm.metric_name = 'MemoryUtilization'
         alarm.comparison_operator = 'LessThanOrEqualToThreshold'
         alarm.statistic = 'SampleCount'
-        alarm.threshold = 15
+        alarm.threshold = 0
         alarm.evaluation_periods = 10
         alarm.treat_missing_data = 'breaching'
         alarm.datapoints_to_alarm = 8
@@ -19,7 +19,7 @@ module CfnGuardian
         alarm.metric_name = 'MemoryUtilization'
         alarm.comparison_operator = 'LessThanOrEqualToThreshold'
         alarm.statistic = 'SampleCount'
-        alarm.threshold = 15
+        alarm.threshold = 1
         alarm.evaluation_periods = 10
         alarm.treat_missing_data = 'breaching'
         alarm.datapoints_to_alarm = 8

data/lib/cfnguardian/resources/http.rb CHANGED Viewed

@@ -14,8 +14,9 @@ module CfnGuardian::Resource
       alarm.metric_name = 'StatusCodeMatch'
       @alarms.push(alarm)
-      alarm = CfnGuardian::Models::ElasticLoadBalancerAlarm.new(@resource)
+      alarm = CfnGuardian::Models::HttpAlarm.new(@resource)
       alarm.name = 'EndpointTimeTaken'
+      alarm.comparison_operator = 'GreaterThanThreshold'
       alarm.metric_name = 'TimeTaken'
       alarm.statistic = 'Minimum'
       alarm.threshold = 1000
@@ -29,6 +30,21 @@ module CfnGuardian::Resource
         alarm.metric_name = 'ResponseBodyRegexMatch'
         @alarms.push(alarm)
       end
+      if @resource.has_key?('Ssl') && @resource['Ssl']
+        alarm = CfnGuardian::Models::SslAlarm.new(@resource)
+        alarm.name = 'ExpiresInDaysCritical'
+        alarm.metric_name = 'ExpiresInDays'
+        alarm.threshold = 5
+        @alarms.push(alarm)
+        alarm = CfnGuardian::Models::SslAlarm.new(@resource)
+        alarm.name = 'ExpiresInDaysTask'
+        alarm.metric_name = 'ExpiresInDays'
+        alarm.alarm_action = 'Task'
+        alarm.threshold = 30
+        @alarms.push(alarm)
+      end
     end
     def default_events()

data/lib/cfnguardian/resources/internal_http.rb ADDED Viewed

@@ -0,0 +1,74 @@
+require 'digest/md5'
+module CfnGuardian::Resource
+  class InternalHttp < Base
+    def initialize(resource, override_group = nil)
+      super(resource, override_group)
+      @resource_list = resource['Hosts']
+      @environment = resource['Environment']
+    end
+    def default_alarms
+      @resource_list.each do |host|
+        alarm = CfnGuardian::Models::InternalHttpAlarm.new(host)
+        alarm.name = 'EndpointAvailable'
+        alarm.metric_name = 'Available'
+        @alarms.push(alarm)
+        alarm = CfnGuardian::Models::InternalHttpAlarm.new(host)
+        alarm.name = 'EndpointStatusCodeMatch'
+        alarm.metric_name = 'StatusCodeMatch'
+        @alarms.push(alarm)
+        alarm = CfnGuardian::Models::InternalHttpAlarm.new(host)
+        alarm.name = 'EndpointTimeTaken'
+        alarm.comparison_operator = 'GreaterThanThreshold'
+        alarm.metric_name = 'TimeTaken'
+        alarm.statistic = 'Minimum'
+        alarm.threshold = 1000
+        alarm.period = 300
+        alarm.evaluation_periods = 1
+        @alarms.push(alarm)
+        if host.has_key?('BodyRegex')
+          alarm = CfnGuardian::Models::InternalHttpAlarm.new(host)
+          alarm.name = 'EndpointBodyRegexMatch'
+          alarm.metric_name = 'ResponseBodyRegexMatch'
+          @alarms.push(alarm)
+        end
+        if host.has_key?('Ssl') && host['Ssl']
+          alarm = CfnGuardian::Models::InternalSslAlarm.new(host)
+          alarm.name = 'ExpiresInDaysCritical'
+          alarm.metric_name = 'ExpiresInDays'
+          alarm.threshold = 5
+          @alarms.push(alarm)
+          alarm = CfnGuardian::Models::InternalSslAlarm.new(host)
+          alarm.name = 'ExpiresInDaysTask'
+          alarm.metric_name = 'ExpiresInDays'
+          alarm.threshold = 30
+          @alarms.push(alarm)
+        end
+      end
+    end
+    def default_events()
+      @resource_list.each do |host|
+        @events.push(CfnGuardian::Models::InternalHttpEvent.new(host,@environment))
+        if host.has_key?('Ssl') && host['Ssl']
+          @events.push(CfnGuardian::Models::InternalSslEvent.new(host,@environment))
+        end
+      end
+    end
+    def default_checks()
+      @checks.push(CfnGuardian::Models::InternalHttpCheck.new(@resource))
+      if @resource_list.any? {|host| host.has_key?('Ssl') && host['Ssl'] }
+        @checks.push(CfnGuardian::Models::InternalSslCheck.new(@resource))
+      end
+    end
+  end
+end

data/lib/cfnguardian/resources/internal_port.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module CfnGuardian::Resource
+  class InternalPort < Base
+    def initialize(resource, override_group = nil)
+      super(resource, override_group)
+      @resource_list = resource['Hosts']
+      @environment = resource['Environment']
+    end
+    def default_alarms
+      @resource_list.each do |host|
+        alarm = CfnGuardian::Models::InternalPortAlarm.new(host)
+        alarm.name = 'EndpointAvailable'
+        alarm.metric_name = 'Available'
+        @alarms.push(alarm)
+        alarm = CfnGuardian::Models::InternalPortAlarm.new(host)
+        alarm.name = 'EndpointTimeTaken'
+        alarm.metric_name = 'TimeTaken'
+        @alarms.push(alarm)
+      end
+    end
+    def default_events()
+      @resource_list.each {|host| @events.push(CfnGuardian::Models::InternalPortEvent.new(host,@environment))}
+    end
+    def default_checks()
+      @checks.push(CfnGuardian::Models::InternalPortCheck.new(@resource))
+    end
+  end
+end

data/lib/cfnguardian/resources/internal_sftp.rb ADDED Viewed

@@ -0,0 +1,58 @@
+module CfnGuardian::Resource
+  class InternalSFTP < Base
+    def initialize(resource, override_group = nil)
+      super(resource, override_group)
+      @resource_list = resource['Hosts']
+      @environment = resource['Environment']
+    end
+    def default_alarms
+      @resource_list.each do |host|
+        alarm = CfnGuardian::Models::InternalSFTPAlarm.new(host)
+        alarm.name = 'Available'
+        alarm.metric_name = 'Available'
+        @alarms.push(alarm)
+        alarm = CfnGuardian::Models::InternalSFTPAlarm.new(host)
+        alarm.name = 'ConnectionTime'
+        alarm.metric_name = 'ConnectionTime'
+        alarm.comparison_operator = 'GreaterThanThreshold'
+        alarm.statistic = 'Minimum'
+        alarm.threshold = 1000
+        @alarms.push(alarm)
+        if host.has_key?('File')
+          alarm = CfnGuardian::Models::InternalSFTPAlarm.new(host)
+          alarm.name = 'FileExists'
+          alarm.metric_name = 'FileExists'
+          @alarms.push(alarm)
+          alarm = CfnGuardian::Models::InternalSFTPAlarm.new(host)
+          alarm.name = 'FileGetTime'
+          alarm.metric_name = 'FileGetTime'
+          alarm.comparison_operator = 'GreaterThanThreshold'
+          alarm.statistic = 'Minimum'
+          alarm.threshold = 1000
+          @alarms.push(alarm)
+          if host.has_key?('FileBodyMatch')
+            alarm = CfnGuardian::Models::InternalSFTPAlarm.new(host)
+            alarm.name = 'FileBodyMatch'
+            alarm.metric_name = 'FileBodyMatch'
+            @alarms.push(alarm)
+          end
+        end
+      end
+    end
+    def default_events
+      @resource_list.each {|host| @events.push(CfnGuardian::Models::InternalSFTPEvent.new(host,@environment)) }
+    end
+    def default_checks
+      @checks.push(CfnGuardian::Models::InternalSFTPCheck.new(@resource))
+    end
+  end
+end

data/lib/cfnguardian/resources/log_group.rb ADDED Viewed

@@ -0,0 +1,26 @@
+module CfnGuardian::Resource
+  class LogGroup < Base
+    def initialize(resource, override_group = nil)
+      super(resource, override_group)
+      @resource_list = resource['MetricFilters']
+    end
+    def default_alarms()
+      @resource_list.each do |filter|
+        alarm = CfnGuardian::Models::LogGroupAlarm.new(@resource)
+        alarm.name = filter['MetricName']
+        alarm.metric_name = filter['MetricName']
+        @alarms.push(alarm)
+      end
+    end
+    def default_metric_filters()
+      @resource_list.each do |filter|
+        metric_filter = CfnGuardian::Models::MetricFilter.new(@resource['Id'],filter)
+        @metric_filters.push(metric_filter)
+      end
+    end
+  end
+end

data/lib/cfnguardian/resources/network_targetgroup.rb CHANGED Viewed

@@ -5,6 +5,7 @@ module CfnGuardian::Resource
       alarm = CfnGuardian::Models::NetworkTargetGroupAlarm.new(@resource)
       alarm.name = 'HealthyHosts'
       alarm.metric_name = 'HealthyHostCount'
+      alarm.comparison_operator = 'LessThanThreshold'
       alarm.statistic = 'Minimum'
       alarm.threshold = 2
       alarm.evaluation_periods = 1

data/lib/cfnguardian/resources/port.rb ADDED Viewed

@@ -0,0 +1,25 @@
+module CfnGuardian::Resource
+  class Port < Base
+    def default_alarms
+      alarm = CfnGuardian::Models::PortAlarm.new(@resource)
+      alarm.name = 'EndpointAvailable'
+      alarm.metric_name = 'Available'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::PortAlarm.new(@resource)
+      alarm.name = 'EndpointTimeTaken'
+      alarm.metric_name = 'TimeTaken'
+      @alarms.push(alarm)
+    end
+    def default_events()
+      @events.push(CfnGuardian::Models::PortEvent.new(@resource))
+    end
+    def default_checks()
+      @checks.push(CfnGuardian::Models::PortCheck.new(@resource))
+    end
+  end
+end

data/lib/cfnguardian/resources/rds_cluster.rb ADDED Viewed

@@ -0,0 +1,14 @@
+module CfnGuardian::Resource
+    class RDSCluster < Base
+      def default_event_subscriptions()
+        event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
+        event_subscription.name = 'FailoverFailed'
+        event_subscription.rds_event_category = 'failover'
+        event_subscription.message = 'A failover for the DB cluster has failed.'
+        @event_subscriptions.push(event_subscription)
+      end
+    end
+  end

data/lib/cfnguardian/resources/rds_instance.rb CHANGED Viewed

@@ -7,6 +7,7 @@ module CfnGuardian::Resource
       alarm.metric_name = 'FreeStorageSpace'
       alarm.threshold = 50000000000
       alarm.evaluation_periods = 1
+      alarm.comparison_operator = 'LessThanThreshold'
       @alarms.push(alarm)
       alarm = CfnGuardian::Models::RDSInstanceAlarm.new(@resource)
@@ -14,6 +15,7 @@ module CfnGuardian::Resource
       alarm.metric_name = 'FreeStorageSpace'
       alarm.threshold = 100000000000
       alarm.evaluation_periods = 1
+      alarm.comparison_operator = 'LessThanThreshold'
       alarm.alarm_action = 'Task'
       @alarms.push(alarm)
@@ -41,5 +43,76 @@ module CfnGuardian::Resource
       @alarms.push(alarm)
     end
+    def default_event_subscriptions()
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'MasterPasswordReset'
+      event_subscription.rds_event_category = 'configuration change'
+      event_subscription.message = 'The master password for the DB instance has been reset.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'MasterPasswordResetFailure'
+      event_subscription.rds_event_category = 'configuration change'
+      event_subscription.message = 'An attempt to reset the master password for the DB instance has failed.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'Deletion'
+      event_subscription.rds_event_category = 'deletion'
+      event_subscription.message = 'The DB instance has been deleted.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'MultiAZFailoverStarted'
+      event_subscription.rds_event_category = 'failover'
+      event_subscription.message = 'A Multi-AZ failover that resulted in the promotion of a standby instance has started.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'MultiAZFailoverComplete'
+      event_subscription.rds_event_category = 'failover'
+      event_subscription.message = 'A Multi-AZ failover has completed.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'DBFailure'
+      event_subscription.rds_event_category = 'failure'
+      event_subscription.message = 'The DB instance has failed due to an incompatible configuration or an underlying storage issue. Begin a point-in-time-restore for the DB instance.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'TableCountExceedsRecommended'
+      event_subscription.rds_event_category = 'notification'
+      event_subscription.message = 'The number of tables you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'DatabasesCountExceedsRecommended'
+      event_subscription.rds_event_category = 'notification'
+      event_subscription.message = 'The number of databases you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'ReplicationFailure'
+      event_subscription.enabled = false
+      event_subscription.rds_event_category = 'read replica'
+      event_subscription.message = 'An error has occurred in the read replication process.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'ReplicationTerminated'
+      event_subscription.enabled = false
+      event_subscription.rds_event_category = 'read replica'
+      event_subscription.message = 'Replication on the read replica was terminated.'
+      @event_subscriptions.push(event_subscription)
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'ReplicationStopped'
+      event_subscription.enabled = false
+      event_subscription.rds_event_category = 'read replica'
+      event_subscription.message = 'Replication on the read replica was manually stopped.'
+      @event_subscriptions.push(event_subscription)
+    end
   end
 end

data/lib/cfnguardian/resources/redshift_cluster.rb CHANGED Viewed

@@ -20,9 +20,9 @@ module CfnGuardian::Resource
       alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
       alarm.name = 'UnHealthyCluster'
       alarm.metric_name = 'HealthStatus'
-      alarm.threshold = 0
+      alarm.comparison_operator = 'LessThanThreshold'
+      alarm.threshold = 1
       alarm.evaluation_periods = 10
-      alarm.treat_missing_data = 'notBreaching'
       @alarms.push(alarm)
     end

data/lib/cfnguardian/resources/sftp.rb ADDED Viewed

@@ -0,0 +1,50 @@
+module CfnGuardian::Resource
+  class SFTP < Base
+    def default_alarms
+      alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
+      alarm.name = 'Available'
+      alarm.metric_name = 'Available'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
+      alarm.name = 'ConnectionTime'
+      alarm.metric_name = 'ConnectionTime'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Minimum'
+      alarm.threshold = 1000
+      @alarms.push(alarm)
+      if @resource.has_key?('File')
+        alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
+        alarm.name = 'FileExists'
+        alarm.metric_name = 'FileExists'
+        @alarms.push(alarm)
+        alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
+        alarm.name = 'FileGetTime'
+        alarm.metric_name = 'FileGetTime'
+        alarm.comparison_operator = 'GreaterThanThreshold'
+        alarm.statistic = 'Minimum'
+        alarm.threshold = 1000
+        @alarms.push(alarm)
+        if @resource.has_key?('FileBodyMatch')
+          alarm = CfnGuardian::Models::SFTPAlarm.new(@resource)
+          alarm.name = 'FileBodyMatch'
+          alarm.metric_name = 'FileBodyMatch'
+          @alarms.push(alarm)
+        end
+      end
+    end
+    def default_events
+      @events.push(CfnGuardian::Models::SFTPEvent.new(@resource))
+    end
+    def default_checks
+      @checks.push(CfnGuardian::Models::SFTPCheck.new(@resource))
+    end
+  end
+end