cfn-guardian 0.1.0

data/lib/cfnguardian/log.rb

@@ -0,0 +1,40 @@
+require 'logger'
+
+module Logging
+  class << self
+    def colors
+      @colors ||= {
+        ERROR: 31, # red
+        WARN: 33, # yellow
+        INFO: 0,
+        DEBUG: 32 # green
+      }
+    end
+    
+    def logger
+      @logger ||= Logger.new($stdout)
+      @logger.level = Logger::DEBUG
+      @logger.formatter = proc do |severity, datetime, progname, msg|
+        "\e[#{colors[severity.to_sym]}m#{severity}: #{msg}\e[0m\n"
+      end
+      @logger
+    end
+
+    def logger=(logger)
+      @logger = logger
+    end
+  end
+
+  # Addition
+  def self.included(base)
+    class << base
+      def logger
+        Logging.logger
+      end
+    end
+  end
+
+  def logger
+    Logging.logger
+  end
+end

data/lib/cfnguardian/models/alarm.rb

@@ -0,0 +1,292 @@
+require 'cfnguardian/string'
+
+module CfnGuardian
+  module Models
+    class Alarm
+      
+      attr_reader :type
+      attr_accessor :class,
+        :name,
+        :metric_name,
+        :namespace,
+        :dimensions,
+        :threshold,
+        :period,
+        :evaluation_periods,
+        :comparison_operator,
+        :statistic,
+        :actions_enabled,
+        :enabled,
+        :resource,
+        :alarm_action,
+        :treat_missing_data,
+        :datapoints_to_alarm,
+        :extended_statistic,
+        :evaluate_low_sample_count_percentile,
+        :unit
+      
+      def initialize(resource)
+        @type = 'Alarm'
+        @class = nil
+        @name = ''
+        @metric_name = nil
+        @namespace = nil
+        @dimensions = {}
+        @threshold = 0
+        @period = 60
+        @evaluation_periods = 1
+        @comparison_operator = 'GreaterThanThreshold'
+        @statistic = 'Maximum'
+        @actions_enabled = true
+        @datapoints_to_alarm = nil
+        @extended_statistic = nil
+        @evaluate_low_sample_count_percentile = nil
+        @unit = nil
+        @enabled = true
+        @resource_name = Digest::MD5.hexdigest resource['Id']
+        @resource = resource['Id']
+        @alarm_action = 'Critical'
+        @treat_missing_data = nil
+      end
+      
+      def metric_name=(metric_name)
+        raise ArgumentError.new("metric_name '#{metric_name}' must be of type String, provided type '#{metric_name.class}'") unless metric_name.is_a?(String)
+        @metric_name=metric_name
+      end
+      
+      def to_h
+        Hash[instance_variables.map { |name| [name[1..-1].to_sym, instance_variable_get(name)] } ]
+      end
+      
+    end
+    
+    
+    class ApiGatewayAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'ApiGateway'
+        @namespace = 'AWS/ApiGateway'
+        @dimensions = { ApiName: resource['Id'] }
+      end
+    end
+    
+    class ApplicationTargetGroupAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'ApplicationTargetGroup'
+        @namespace = 'AWS/ApplicationELB'
+        @dimensions = { 
+          TargetGroup: resource['Id'],
+          LoadBalancer: resource['LoadBalancer']
+        }
+      end
+    end
+    
+    class AmazonMQBrokerAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'AmazonMQBroker'
+        @namespace = 'AWS/AmazonMQ'
+        @dimensions = { Broker: resource['Id'] }
+      end
+    end
+    
+    class CloudFrontDistributionAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'CloudFrontDistribution'
+        @namespace = 'AWS/CloudFront'
+        @dimensions = { 
+          DistributionId: resource['Id'],
+          Region: 'Global'
+        }
+        @statistic = 'Average'
+        @evaluation_periods = 5
+      end
+    end
+    
+    class AutoScalingGroupAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'AutoScalingGroup'
+        @namespace = 'AWS/EC2'
+        @dimensions = { AutoScalingGroupName: resource['Id'] }
+      end
+    end
+    
+    class DomainExpiryAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'DomainExpiry'
+        @namespace = 'DNS'
+        @dimensions = { Domain: resource['Id'] }
+        @comparison_operator = 'LessThanThreshold'
+      end
+    end
+    
+    class DynamoDBTableAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'DynamoDBTable'
+        @namespace = 'AWS/DynamoDB'
+        @dimensions = { TableName: resource['Id'] }
+      end
+    end
+    
+    class Ec2InstanceAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'Ec2Instance'
+        @namespace = 'AWS/EC2'
+        @dimensions = { InstanceId: resource['Id'] }
+      end
+    end
+    
+    class ECSClusterAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'ECSCluster'
+        @namespace = 'AWS/ECS'
+        @dimensions = { ClusterName: resource['Id'] }
+        @threshold = 75
+        @alarm_action = 'Warning'
+        @evaluation_periods = 10
+      end
+    end
+    
+    class ECSServiceAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'ECSService'
+        @namespace = 'AWS/ECS'
+        @dimensions = {
+          ServiceName: resource['Id'],
+          ClusterName: resource['Cluster'] 
+        }
+      end
+    end
+    
+    class ElastiCacheReplicationGroupAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'ElastiCacheReplicationGroup'
+        @namespace = 'AWS/ElastiCache'
+        @dimensions = { CacheClusterId: resource['Id'] }
+      end
+    end
+    
+    class ElasticLoadBalancerAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'ElasticLoadBalancer'
+        @namespace = 'AWS/ELB'
+        @dimensions = { LoadBalancerName: resource['Id'] }
+      end
+    end
+    
+    class ElasticFileSystemAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'ElasticFileSystem'
+        @namespace = 'AWS/EFS'
+        @dimensions = { FileSystemId: resource['Id'] }
+      end
+    end
+    
+    class HttpAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'Http'
+        @namespace = 'HttpCheck'
+        @dimensions = { Endpoint: resource['Id'] }
+        @comparison_operator = 'LessThanThreshold'
+        @threshold = 1
+        @evaluation_periods = 2
+      end
+    end
+    
+    class NrpeAlarm < Alarm
+      def initialize(resource,environment)
+        super(resource)
+        @class = 'Nrpe'
+        @namespace = 'NRPE'
+        @dimensions = { Host: "#{environment}-#{resource['Id']}" }
+        @treat_missing_data = 'breaching'
+        @evaluation_periods = 2
+      end
+    end
+
+    class LambdaAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'Lambda'
+        @namespace = 'AWS/Lambda'
+        @dimensions = { FunctionName: resource['Id'] }
+        @statistic = 'Average'
+        @evaluation_periods = 5
+      end
+    end
+    
+    class NetworkTargetGroupAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'NetworkTargetGroup'
+        @namespace = 'AWS/NetworkELB'
+        @dimensions = { 
+          TargetGroup: resource['Id'],
+          LoadBalancer: resource['LoadBalancer']
+        }
+      end
+    end
+    
+    class RedshiftClusterAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'RedshiftCluster'
+        @namespace = 'AWS/Redshift'
+        @dimensions = { ClusterIdentifier: resource['Id'] }
+      end
+    end
+    
+    class RDSClusterInstanceAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'RDSClusterInstance'
+        @namespace = 'AWS/RDS'
+        @dimensions = { DBInstanceIdentifier: resource['Id'] }
+      end
+    end
+    
+    class RDSInstanceAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'RDSInstance'
+        @namespace = 'AWS/RDS'
+        @dimensions = { DBInstanceIdentifier: resource['Id'] }
+      end
+    end
+    
+    class SqlAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'Sql'
+        @namespace = 'SQL'
+        @dimensions = { Host: resource['Id'] }
+        @treat_missing_data = 'breaching'
+        @evaluation_periods = 1
+      end
+    end
+    
+    class SQSQueueAlarm < Alarm
+      def initialize(resource)
+        super(resource)
+        @class = 'SQSQueue'
+        @namespace = 'AWS/SQS'
+        @dimensions = { QueueName: resource['Id'] }
+        @statistic = 'Average'
+        @period = 300
+      end
+    end
+    
+  end
+end

data/lib/cfnguardian/models/check.rb

@@ -0,0 +1,114 @@
+require 'cfnguardian/string'
+
+module CfnGuardian
+  module Models
+    class Check
+      
+      attr_reader :type
+      attr_accessor :class,
+        :name,
+        :handler,
+        :version,
+        :runtime,
+        :environment
+        
+      def initialize(resource)
+        @type = 'Check'
+        @class = nil
+        @name = nil
+        @package = nil
+        @handler = nil
+        @version = nil
+        @runtime = nil
+        @environment = ''
+      end
+      
+      def to_h
+        Hash[instance_variables.map { |name| [name[1..-1].to_sym, instance_variable_get(name)] } ]
+      end
+    end
+    
+    class HttpCheck < Check      
+      def initialize(resource)
+        super(resource)
+        @class = 'Http'
+        @name = 'HttpCheck'
+        @package = 'aws-lambda-http-check'
+        @handler = 'handler.main'
+        @version = '0.1'
+        @runtime = 'python3.6'
+      end
+    end
+    
+    class NrpeCheck < Check
+      attr_accessor :subnets, :vpc
+      
+      def initialize(resource)
+        super(resource)
+        @class = 'Nrpe'
+        @name = 'NrpeCheck'
+        @package = 'aws-lambda-nrpe-check'
+        @handler = 'main'
+        @version = '0.2'
+        @runtime = 'go1.x'
+        @subnets = resource['Subnets']
+        @vpc = resource['VpcId']
+        @environment = resource['Environment']
+      end
+    end
+    
+    class SslCheck < Check
+      def initialize(resource)
+        super(resource)
+        @class = 'Ssl'
+        @name = 'SslCheck'
+        @package = 'aws-lambda-ssl-check'
+        @handler = 'main'
+        @version = '0.1'
+        @runtime = 'go1.x'
+      end
+    end
+    
+    class DomainExpiryCheck < Check
+      def initialize(resource)
+        super(resource)
+        @class = 'DomainExpiry'
+        @name = 'DomainExpiryCheck'
+        @package = 'aws-lambda-dns-check'
+        @handler = 'main'
+        @version = '0.1'
+        @runtime = 'go1.x'
+      end
+    end
+    
+    class SqlCheck < Check
+      attr_accessor :subnets, :vpc
+      
+      def initialize(resource)
+        super(resource)
+        @class = 'Sql'
+        @name = 'SqlCheck'
+        @package = 'aws-lambda-sql-check'
+        @handler = 'main'
+        @version = '0.1'
+        @runtime = 'go1.x'
+        @subnets = resource['Subnets']
+        @vpc = resource['VpcId']
+        @environment = resource['Environment']
+      end
+    end
+    
+    class ContainerInstanceCheck < Check
+      def initialize(resource)
+        super(resource)
+        @class = 'ContainerInstance'
+        @name = 'ContainerInstanceCheck'
+        @package = 'aws-lambda-ecs-container-instance-check'
+        @handler = 'handler.run_check'
+        @version = '0.1'
+        @runtime = 'python3.6'
+      end
+    end
+
+  end
+end

data/lib/cfnguardian/models/event.rb

@@ -0,0 +1,192 @@
+require 'cfnguardian/string'
+
+module CfnGuardian
+  module Models
+    class Event
+      
+      attr_reader :type
+      attr_accessor :class,
+        :target,
+        :hash,
+        :name,
+        :cron,
+        :enabled,
+        :resource
+      
+      def initialize(resource)
+        @type = 'Event'
+        @class = nil
+        @target = nil
+        @hash = Digest::MD5.hexdigest resource['Id']
+        @name = @hash
+        @cron = "* * * * ? *"
+        @enabled = true
+        @resource = resource['Id'].to_resource_name
+      end
+      
+      def to_h
+        return {
+          type: @type,
+          class: @class,
+          target: @target,
+          hash: @hash,
+          name: @name,
+          cron: @cron,
+          enabled: @enabled,
+          resource: @resource,
+          payload: event_payload()
+        }
+      end
+      
+      def event_payload
+        {}.to_json
+      end
+      
+    end
+    
+    class HttpEvent < Event
+      
+      attr_accessor :endpoint,
+        :method,
+        :timeout,
+        :status_code,
+        :body_regex,
+        :headers,
+        :payload
+      
+      def initialize(resource)
+        super(resource)
+        @class = 'Http'
+        @name = 'HttpEvent'
+        @target = 'HttpCheckFunction'
+        @endpoint = resource['Id']
+        @method = resource.fetch('Method','GET')
+        @timeout = resource.fetch('Timeout',50)
+        @status_code = resource.fetch('StatusCode',200)
+        @body_regex = resource.fetch('BodyRegex',nil)
+        @headers = resource.fetch('Headers',nil)
+        @payload = resource.fetch('Payload',nil)
+      end
+      
+      def event_payload
+        payload = {
+          'ENDPOINT' => @endpoint,
+          'METHOD' => @method,
+          'TIMEOUT' => @timeout,
+          'STATUS_CODE_MATCH' => @status_code
+        }
+        payload['BODY_REGEX_MATCH'] = @body_regex unless @body_regex.nil?
+        payload['HEADERS'] = @headers unless @headers.nil?
+        payload['PAYLOAD'] = @payload unless @payload.nil?
+        return payload.to_json
+      end
+    end
+    
+    class NrpeEvent < Event
+      def initialize(resource,environment,command)
+        super(resource)
+        @class = 'Nrpe'
+        @name = 'NrpeEvent'
+        @target = "NrpeCheckFunction#{environment}"
+        @host = resource['Id']
+        @environment = environment
+        @region = resource.fetch('Region',"${AWS::Region}")
+        @command = command
+      end
+      
+      def event_payload
+        return {
+          'host' => @host,
+          'environment' => @environment,
+          'region' => @region,
+          'cmd' => @command
+        }.to_json
+      end
+    end
+    
+    class SslEvent < Event
+      def initialize(resource)
+        super(resource)
+        @class = 'Ssl'
+        @name = 'SslEvent'
+        @target = 'SslCheckFunction'
+        @cron = "0 12 * * ? *" 
+        @url = resource['Id']
+        @region = resource.fetch('Region',"${AWS::Region}")
+      end
+      
+      def event_payload
+        return {
+          'Url' => @url,
+          'Region' => @region
+        }.to_json
+      end
+    end
+    
+    class DomainExpiryEvent < Event
+      
+      attr_accessor :domain,
+        :region
+      
+      def initialize(resource)
+        super(resource)
+        @class = 'DomainExpiry'
+        @name = 'DomainExpiryEvent'
+        @target = 'DomainExpiryCheckFunction'
+        @cron = "0 12 * * ? *" 
+        @domain = resource['Id']
+        @region = resource.fetch('Region',"${AWS::Region}")
+      end
+      
+      def event_payload
+        {'Domain' => @domain}.to_json
+      end
+    end
+    
+    class SqlEvent < Event
+      def initialize(resource,query)
+        super(resource)
+        @class = 'Sql'
+        @name = 'SqlEvent'
+        @target = 'SqlCheckFunction'
+        @host = resource['Id']
+        @engine = resource['Engine']
+        @port = resource['Port']
+        @ssm_username = resource['SSMUsername']
+        @ssm_password = resource['SSMPassword']
+        @query = query
+        @region = resource.fetch('Region',"${AWS::Region}")
+        @test_type = '1-row-1-value-zero-is-good'
+      end
+      
+      def event_payload
+        return {
+          'Host' => @host,
+          'Engine' => @engine,
+          'Port' => @port,
+          'SqlCall' => @query,
+          'SSMUsername' => @ssm_username,
+          'SSMPassword' => @ssm_password,
+          'Region' => @region,
+          'TestType' => @test_type
+        }.to_json
+      end
+    end
+    
+    class ContainerInstanceEvent < Event
+      def initialize(resource)
+        super(resource)
+        @class = 'ContainerInstance'
+        @name = 'ContainerInstanceEvent'
+        @target = 'ContainerInstanceCheckFunction'
+        @cron = "0/5 * * * ? *"
+        @cluster = resource['Id']
+      end
+      
+      def event_payload
+        {'CLUSTER' => @cluster}.to_json
+      end
+    end
+
+  end
+end