cfn-guardian 0.1.0

data/lib/cfnguardian/stacks/main.rb

@@ -0,0 +1,149 @@
+require 'cfndsl'
+
+module CfnGuardian
+  module Stacks
+    class Main
+      include CfnDsl::CloudFormation
+      
+      def build_template(stacks,checks)
+        @template = CloudFormation("Guardian main stack")
+        
+        %w(Critical Warning Task Informational).each do |name|
+          parameter = @template.Parameter(name)
+          parameter.Type 'String'
+          parameter.Description "SNS topic ARN for #{name} notifications"
+        end
+        
+        parameters = {
+          Critical: Ref(:Critical),
+          Warning: Ref(:Warning),
+          Task: Ref(:Task),
+          Informational: Ref(:Informational)
+        }
+        
+        build_iam_role()
+        
+        checks.each {|check| parameters["#{check[:name]}Function#{check[:environment]}"] = add_lambda(check)}
+        stacks.each {|stack| add_stack(stack['Name'],stack['TemplateURL'],parameters)}
+        
+        return @template
+      end
+      
+      def build_iam_role()
+        @template.declare do
+          IAM_Role(:LambdaExecutionRole) do
+            AssumeRolePolicyDocument({
+              Version: '2012-10-17',
+              Statement: [{
+                Effect: 'Allow',
+                Principal: { Service: [ 'lambda.amazonaws.com' ] },
+                Action: [ 'sts:AssumeRole' ]
+              }]
+            })
+            Path '/'
+            Policies([
+              {
+                PolicyName: 'logging',
+                PolicyDocument: {
+                  Version: '2012-10-17',
+                  Statement: [{
+                    Effect: 'Allow',
+                    Action: [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ],
+                    Resource: 'arn:aws:logs:*:*:*'
+                  }]
+                }
+              },
+              {
+                PolicyName: 'metrics',
+                PolicyDocument: {
+                  Version: '2012-10-17',
+                  Statement: [{
+                    Effect: 'Allow',
+                    Action: [ 'cloudwatch:PutMetricData' ],
+                    Resource: '*'
+                  }]
+                }
+              },
+              {
+                PolicyName: 'attach-network-interface',
+                PolicyDocument: {
+                  Version: '2012-10-17',
+                  Statement: [{
+                    Effect: 'Allow',
+                    Action: [ 'ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface' ],
+                    Resource: '*'
+                  }]
+                }
+              }
+            ])
+            Tags([
+              { Key: 'Name', Value: 'guardian-lambda-role' },
+              { Key: 'Environment', Value: 'guardian' }
+            ])
+          end
+        end
+      end
+      
+      def add_lambda(check)
+        vpc_config = {}
+        
+        if check.has_key?(:vpc)
+          @template.declare do
+            EC2_SecurityGroup("#{check[:name]}SecurityGroup#{check[:environment]}") do
+              VpcId check[:vpc]
+              GroupDescription "Guardian lambda function #{check[:class]} check"
+              Tags([
+                { Key: 'Name', Value: "guardian-#{check[:name]}-#{check[:environment]}" },
+                { Key: 'Environment', Value: 'guardian' }
+              ])
+            end
+          end
+          
+          vpc_config[:SecurityGroupIds] = Ref("#{check[:name]}SecurityGroup#{check[:environment]}")
+          vpc_config[:SubnetIds] = check[:subnets]
+        end
+        
+        @template.declare do
+          Lambda_Function("#{check[:name]}Function#{check[:environment]}") do
+            Code({ 
+              S3Bucket: FnSub("base2.lambda.${AWS::Region}"), 
+              S3Key: "#{check[:package]}/#{check[:version]}/handler.zip"
+            })
+            Handler check[:handler]
+            MemorySize 128
+            Runtime check[:runtime]
+            Timeout 120
+            Role FnGetAtt(:LambdaExecutionRole, :Arn)
+            VpcConfig vpc_config unless vpc_config.empty?
+            Tags([
+              { Key: 'Name', Value: "guardian-#{check[:name]}-#{check[:class]}" },
+              { Key: 'Environment', Value: 'guardian' }
+            ])
+          end
+          
+          Lambda_Permission("#{check[:name]}Permissions#{check[:environment]}") do
+            FunctionName Ref("#{check[:name]}Function#{check[:environment]}")
+            Action 'lambda:InvokeFunction'
+            Principal 'events.amazonaws.com'
+          end
+        end
+
+        return FnGetAtt("#{check[:name]}Function#{check[:environment]}", :Arn)
+      end
+      
+      def add_stack(name,url,stack_parameters)
+        @template.declare do
+          CloudFormation_Stack(name) do
+            Parameters stack_parameters
+            TemplateURL url
+            TimeoutInMinutes 15
+            Tags([
+              { Key: 'Name', Value: "guardian-stack-#{name}" }
+            ])
+          end
+        end
+      end
+      
+    end
+  end
+end

data/lib/cfnguardian/stacks/resources.rb

@@ -0,0 +1,80 @@
+require 'cfndsl'
+
+module CfnGuardian
+  module Stacks
+    class Resources
+      include CfnDsl::CloudFormation
+      
+      def build_template(resources)
+        @template = CloudFormation("Guardian nested stack")
+        
+        %w(Critical Warning Task Informational).each do |name|
+          parameter = @template.Parameter(name)
+          parameter.Type 'String'
+          parameter.Description "SNS topic ARN for #{name} notifications"
+        end
+        
+        resources.each do |resource|
+          case resource[:type]
+          when 'Alarm'
+            add_alarm(resource)
+          when 'Event'
+            add_event(resource)
+          else
+            puts "Warn: #{resource[:type]} is a unsuported resource type"
+          end
+        end
+        
+        return @template
+      end
+      
+      def add_alarm(resource)
+        @template.declare do
+          CloudWatch_Alarm("#{resource[:resource_name]}#{resource[:class]}#{resource[:name]}#{resource[:type]}"[0..255]) do
+            ActionsEnabled true
+            AlarmDescription "Guardian alarm #{resource[:class]} #{resource[:resource]} #{resource[:name]}"
+            AlarmName "#{resource[:class]}-#{resource[:resource]}-#{resource[:name]}"
+            ComparisonOperator resource[:comparison_operator]
+            Dimensions resource[:dimensions].map {|k,v| {Name: k, Value: v}}
+            EvaluationPeriods resource[:evaluation_periods]
+            Statistic resource[:statistic]
+            Period resource[:period]
+            Threshold resource[:threshold]
+            MetricName resource[:metric_name]
+            Namespace resource[:namespace]
+            AlarmActions [Ref(resource[:alarm_action])]
+            OKActions [Ref(resource[:alarm_action])]
+            TreatMissingData resource[:treat_missing_data] unless resource[:treat_missing_data].nil?
+            DatapointsToAlarm resource[:datapoints_to_alarm] unless resource[:datapoints_to_alarm].nil?
+            ExtendedStatistic resource[:extended_statistic] unless resource[:extended_statistic].nil?
+            EvaluateLowSampleCountPercentile resource[:evaluate_low_sample_count_percentile] unless resource[:evaluate_low_sample_count_percentile].nil?
+            Unit resource[:unit] unless resource[:unit].nil?
+          end
+        end
+      end
+      
+      def add_event(resource)
+        @template.declare do
+          Parameter(resource[:target]) do
+            Type 'String'
+            Description "Lamba funtion Arn for #{resource[:class]} #{resource[:type]}"
+          end
+          
+          Events_Rule("#{resource[:class]}#{resource[:type]}#{resource[:hash]}"[0..255]) do
+            State 'ENABLED'
+            Description "Guardian scheduled #{resource[:class]} #{resource[:type]}"
+            ScheduleExpression "cron(#{resource[:cron]})"
+            Targets([
+              { 
+                Arn: Ref(resource[:target]),
+                Id: resource[:hash],
+                Input: FnSub(resource[:payload])
+              }
+            ])
+          end
+        end
+      end
+      
+    end
+  end
+end

data/lib/cfnguardian/string.rb

@@ -0,0 +1,19 @@
+class String
+  def to_underscore
+    self.gsub(/::/, '/').
+    gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+    gsub(/([a-z\d])([A-Z])/,'\1_\2').
+    tr("-", "_").
+    downcase
+  end
+  
+  def to_camelcase
+    self.split('_').collect(&:capitalize).join
+  end
+  
+  def to_resource_name
+    self.split(/(\.|-|_)/).
+    map(&:capitalize).join.
+    gsub(/[^0-9A-Za-z]/, '')
+  end
+end

data/lib/cfnguardian/validate.rb

@@ -0,0 +1,80 @@
+require 'aws-sdk-cloudformation'
+require 'fileutils'
+require 'cfnguardian/version'
+require 'cfnguardian/log'
+require 'cfnguardian/s3'
+
+module CfnGuardian
+  class Validate
+    include Logging
+
+    def initialize(bucket)
+      @bucket = bucket
+      @prefix = "validation"
+      @client = Aws::CloudFormation::Client.new()
+    end
+
+    def validate()
+      success = []
+      Dir["out/*.yaml"].each do |template|
+        file_size_bytes = File.size(template)
+
+        if file_size_bytes > 51200
+          success << validate_s3(template)
+        else
+          success << validate_local(template)
+        end
+      end
+      return success.include?(false)
+    end
+    
+    def validate_local(path)
+      logger.info "Validating template #{path} locally"
+      template = File.read path
+      begin
+        response = @client.validate_template({
+          template_body: template
+        })
+      rescue Aws::CloudFormation::Errors::ValidationError => e
+        logger.warn("template #{path} failed validation with error:\n====> #{e.message}")
+        return false
+      end
+      return true
+    end
+
+    def validate_s3(path)
+      success = true
+      logger.info "Validating template #{path} from s3 bucket #{@bucket}"
+      
+      template = File.read path
+      md5 = Digest::MD5.hexdigest template
+      prefix = "#{@prefix}/#{md5}"
+
+      client = Aws::S3::Client.new()
+      client.put_object({
+        body: template,
+        bucket: @bucket,
+        key: prefix
+      })
+      logger.info("uploaded #{path} to s3://#{@bucket}/#{prefix}")
+      
+      begin
+        response = @client.validate_template({
+          template_url: "https://#{@bucket}.s3.amazonaws.com/#{prefix}"
+        })
+      rescue Aws::CloudFormation::Errors::ValidationError => e
+        logger.warn("template #{path} failed validation with error:\n====> #{e.message}")
+        success = false
+      end
+
+      client.put_object({
+        bucket: @bucket,
+        key: prefix
+      })
+      logger.debug("removed validated template s3://#{@bucket}/#{prefix}")
+      
+      return success
+    end
+
+  end
+end

data/lib/cfnguardian/version.rb

@@ -0,0 +1,4 @@
+module CfnGuardian
+  VERSION = "0.1.0"
+  CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
+end

metadata

@@ -0,0 +1,215 @@
+--- !ruby/object:Gem::Specification
+name: cfn-guardian
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Guslington
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-01-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.20'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.20'
+- !ruby/object:Gem::Dependency
+  name: cfndsl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-s3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-cloudformation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Manages AWS cloudwatch alarms with default templates using cloudformation
+email:
+- itsupport@base2services.com
+executables:
+- cfn-guardian
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- cfn-guardian.gemspec
+- exe/cfn-guardian
+- lib/cfnguardian.rb
+- lib/cfnguardian/compile.rb
+- lib/cfnguardian/deploy.rb
+- lib/cfnguardian/log.rb
+- lib/cfnguardian/models/alarm.rb
+- lib/cfnguardian/models/check.rb
+- lib/cfnguardian/models/event.rb
+- lib/cfnguardian/resources/amazonmq_broker.rb
+- lib/cfnguardian/resources/apigateway.rb
+- lib/cfnguardian/resources/application_targetgroup.rb
+- lib/cfnguardian/resources/autoscaling_group.rb
+- lib/cfnguardian/resources/base.rb
+- lib/cfnguardian/resources/cloudfront_distribution.rb
+- lib/cfnguardian/resources/domain_expiry.rb
+- lib/cfnguardian/resources/dynamodb_table.rb
+- lib/cfnguardian/resources/ec2_instance.rb
+- lib/cfnguardian/resources/ecs_cluster.rb
+- lib/cfnguardian/resources/ecs_service.rb
+- lib/cfnguardian/resources/elastic_file_system.rb
+- lib/cfnguardian/resources/elastic_loadbalancer.rb
+- lib/cfnguardian/resources/elasticache_replication_group.rb
+- lib/cfnguardian/resources/http.rb
+- lib/cfnguardian/resources/lambda.rb
+- lib/cfnguardian/resources/network_targetgroup.rb
+- lib/cfnguardian/resources/nrpe.rb
+- lib/cfnguardian/resources/rds_cluster_instance.rb
+- lib/cfnguardian/resources/rds_instance.rb
+- lib/cfnguardian/resources/redshift_cluster.rb
+- lib/cfnguardian/resources/sql.rb
+- lib/cfnguardian/resources/sqs_queue.rb
+- lib/cfnguardian/s3.rb
+- lib/cfnguardian/stacks/main.rb
+- lib/cfnguardian/stacks/resources.rb
+- lib/cfnguardian/string.rb
+- lib/cfnguardian/validate.rb
+- lib/cfnguardian/version.rb
+homepage: https://github.com/base2Services/cfn-guardian
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/base2Services/cfn-guardian
+  source_code_uri: https://github.com/base2Services/cfn-guardian
+  changelog_uri: https://github.com/base2Services/cfn-guardian
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Manages AWS cloudwatch alarms with default templates using cloudformation
+test_files: []