cfn-guardian 0.11.0 → 0.11.2

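--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 597eff7904e03dd773f5d3b2c5e9928b03ce3081f76c7dd0cf33d95e0020af3e
- data.tar.gz: 97ad25a41db6e7c6b88d4afd5c02560a2a114e6343ad27a001ca4dde87eeef97
+ metadata.gz: df845cc5dda684abf92cc6b71c4f285f370026389fe494510ecf5b6bca5062a8
+ data.tar.gz: 5549dd5b6070d88c8fe153aab86b15890d61cea88bfe650fd41cd9e2497b0dfb
  SHA512:
- metadata.gz: e8f6556b639e720418edf32faf4e19e1421636ef9835e85b2f6a61de40a26712affd4d4d9f63f4d1e83f6fad6da1461c7ffcd7fb845a16f4dfffda8c285b7853
- data.tar.gz: '068ddd35b4996594a05189ca9d6c3c232e362c951b37405e2ed9dbb0f747b77967637595a4f584177404814a77fe48268a71ce484621c42903723326bb6a0e1f'
+ metadata.gz: 1dee7c9fff0a49ffcfaf4455912ce6b324f34b79323a816660e0573840a9c35b1b2229b1e8fbed5460b2dd496802eb1b45ddecd1dbf604928b3c080c54de82b0
+ data.tar.gz: 82d325e4b19e862eee2b28c11acdfbedc0d96d7fbcaf392cb87642c42d2f31fd0a589b19abfe08de85e117e510ad02543bc169986e2121cb182c1b198eb7b7c1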
@@ -39,6 +39,8 @@ Resources:
39
39
  File: file.txt
40
40
  # optionally check for a regex match pattern in the body of the file
41
41
  FileBodyMatch: ok
42
+ # optionally override the default connection timeout of 10 seconds
43
+ Timeout: 10
42
44
  ```
43
45
 
44
46
  ## Private SFTP Check
@@ -70,4 +72,5 @@ Resources:
70
72
  PrivateKeyPass: /ssm/path/privatekey/password
71
73
  File: file.txt
72
74
  FileBodyMatch: ok
75
+ Timeout: 10
73
76
  ```
@@ -189,7 +189,7 @@ module CfnGuardian
189
189
  @name = 'SFTPCheck'
190
190
  @package = 'sftp-check'
191
191
  @handler = 'handler.sftp_check'
192
- @version = '987e71f2607347e13e3f156535059d6d3ce1ceed'
192
+ @version = '901a63a0b9bbb4f09d1efae7049b20de4a1a22e2'
193
193
  @runtime = 'python3.7'
194
194
  end
195
195
  end
@@ -287,6 +287,7 @@ module CfnGuardian
287
287
  @private_key_pass = resource.fetch('PrivateKeyPass', nil)
288
288
  @file = resource.fetch('File', nil)
289
289
  @file_regex_match = resource.fetch('FileRegexMatch', nil)
290
+ @timeout = resource.fetch('Timeout', nil)
290
291
  end
291
292
 
292
293
  def payload
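Review bot: `@timeout = resource.fetch('Timeout', nil)` accepts whatever the YAML holds, and the payload hunk that follows forwards it unchanged as `TIMEOUT`, so a quoted string, zero or a negative number reaches the check function unvalidated. How the handler treats such a value is not visible on this page, but a timeout that fails to parse, or is effectively unbounded, would either break the check or let it hang on an unresponsive server. Coercing at load time fails fast at compile instead: `@timeout = resource.key?('Timeout') ? Integer(resource['Timeout']) : nil`, followed by a guard that the value is positive. `initialize` starts above this hunk.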
@@ -301,6 +302,7 @@ module CfnGuardian
301
302
  payload['PRIVATEKEY_PASSWORD'] = @private_key_pass unless @private_key_pass.nil?
302
303
  payload['FILE'] = @file unless @file.nil?
303
304
  payload['FILE_REGEX_MATCH'] = @file_regex_match unless @file_regex_match.nil?
305
+ payload['TIMEOUT'] = @timeout unless @timeout.nil?
304
306
  return payload.to_json
305
307
  end
306
308
 
@@ -35,39 +35,42 @@ module CfnGuardian
35
35
  end
36
36
 
37
37
  class RDSEventSubscription < BaseEventSubscription
38
- attr_accessor :source_id, :rds_event_category, :message
38
+ attr_accessor :event_id
39
39
 
40
40
  def initialize(resource)
41
41
  super(resource)
42
42
  @source = 'aws.rds'
43
- @detail_type = 'RDS DB Instance Event'
44
- @source_id = ''
45
- @rds_event_category = ''
46
- @message = ''
43
+ @event_id = nil
47
44
  end
48
45
 
49
46
  def detail
50
- return {
51
- EventCategories: [@rds_event_category],
52
- SourceType: [@source_type],
53
- SourceIdentifier: ["rds:#{@resource_id}"],
54
- Message: [@message]
55
- }
47
+ if @event_id.nil?
48
+ raise "#{self.class} missing `EventID` property"
49
+ end
50
+
51
+ return { EventID: [@event_id] }
56
52
  end
57
53
  end
58
54
 
59
55
  class RDSInstanceEventSubscription < RDSEventSubscription
60
56
  def initialize(resource)
61
57
  super(resource)
62
- @source_type = 'DB_INSTANCE'
58
+ @resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:#{@resource_id}"
63
59
  end
64
60
  end
65
61
 
66
62
  class RDSClusterEventSubscription < RDSEventSubscription
67
63
  def initialize(resource)
68
64
  super(resource)
69
- @detail_type = 'RDS DB Cluster Event'
70
- @source_type = 'DB_CLUSTER'
65
+ @resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:cluster:#{@resource_id}"
66
+ end
67
+ end
68
+
69
+
70
+ class RDSClusterInstanceEventSubscription < RDSEventSubscription
71
+ def initialize(resource)
72
+ super(resource)
73
+ @resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:#{@resource_id}"
71
74
  end
72
75
  end
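Review bot: The guard in `detail` only rejects `nil`, so an `EventID` that arrives as an empty string (if user configuration can set it, which is not shown here) passes and produces `{ EventID: [""] }`, a pattern that would deploy cleanly and never match an event, leaving a silent monitoring gap rather than a compile error. Testing `@event_id.to_s.strip.empty?` keeps the fail-fast behaviour for that case as well. The bare `raise` with a string yields a `RuntimeError` that names only the class; including the subscription's name (the default-subscription hunks set `name` on these objects) would tell the operator which entry to fix. `RDSClusterInstanceEventSubscription` builds the same `db:` ARN as `RDSInstanceEventSubscription` and could inherit from it instead of repeating the line.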
73
76
 
@@ -5,20 +5,15 @@ module CfnGuardian::Resource
5
5
  alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
6
6
  alarm.name = '4xxErrorRate'
7
7
  alarm.metric_name = '4xxErrorRate'
8
- alarm.threshold = 2
9
- alarm.statistic = 'Sum'
8
+ alarm.threshold = 10
9
+ alarm.statistic = 'Average'
10
10
  @alarms.push(alarm)
11
11
 
12
12
  alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
13
13
  alarm.name = '5xxErrorRate'
14
14
  alarm.metric_name = '5xxErrorRate'
15
- alarm.threshold = 5
16
- @alarms.push(alarm)
17
-
18
- alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
19
- alarm.name = 'TotalErrorRate'
20
- alarm.metric_name = 'TotalErrorRate'
21
- alarm.threshold = 5
15
+ alarm.statistic = 'Average'
16
+ alarm.threshold = 10
22
17
  @alarms.push(alarm)
23
18
  end
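Review bot: The defaults for `4xxErrorRate` and `5xxErrorRate` are loosened (2 to 10 and 5 to 10) and the `TotalErrorRate` alarm is dropped, but nothing in the code records why or what unit the numbers are in. These are detection thresholds, so a one-line comment such as `# error rate is a percentage of requests; alarm when the average exceeds 10` above each `alarm.threshold = 10` would let the next reader judge whether the value is deliberate. The two blocks also set `statistic` and `threshold` in opposite order; keeping one order makes the pair easier to compare. The enclosing method starts above the hunk.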
24
19
 
@@ -4,15 +4,22 @@ module CfnGuardian::Resource
4
4
  def default_event_subscriptions()
5
5
  event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
6
6
  event_subscription.name = 'FailoverFailed'
7
- event_subscription.rds_event_category = 'failover'
8
- event_subscription.message = 'A failover for the DB cluster has failed.'
7
+ event_subscription.event_id = 'RDS-EVENT-0069'
9
8
  @event_subscriptions.push(event_subscription)
10
9
 
11
10
  event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
12
11
  event_subscription.name = 'FailoverFinished'
13
- event_subscription.rds_event_category = 'failover'
14
- event_subscription.message = 'A failover for the DB cluster has finished.'
15
- event_subscription.enabled = false
12
+ event_subscription.event_id = 'RDS-EVENT-0071'
13
+ @event_subscriptions.push(event_subscription)
14
+
15
+ event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
16
+ event_subscription.name = 'FailoverStartedSameAZ'
17
+ event_subscription.event_id = 'RDS-EVENT-0072'
18
+ @event_subscriptions.push(event_subscription)
19
+
20
+ event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
21
+ event_subscription.name = 'FailoverStartedDifferentAZ'
22
+ event_subscription.event_id = 'RDS-EVENT-0073'
16
23
  @event_subscriptions.push(event_subscription)
17
24
  end
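Review bot: `FailoverFinished` used to carry `event_subscription.enabled = false`; the rewritten block drops that line, so this subscription appears to become enabled by default and would notify on every completed failover. If that is intended it deserves a comment saying so, and if not, `event_subscription.enabled = false` should be restored after the `event_id` assignment. The default value of `enabled` is set in a base class outside this page, so the effective change should be confirmed there.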
18
25
 
@@ -25,6 +25,23 @@ module CfnGuardian::Resource
25
25
  alarm.evaluation_periods = 10
26
26
  @alarms.push(alarm)
27
27
  end
28
+
29
+ def default_event_subscriptions()
30
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
31
+ event_subscription.name = 'MasterPasswordReset'
32
+ event_subscription.event_id = 'RDS-EVENT-0016'
33
+ @event_subscriptions.push(event_subscription)
34
+
35
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
36
+ event_subscription.name = 'MasterPasswordResetFailure'
37
+ event_subscription.event_id = 'RDS-EVENT-0067'
38
+ @event_subscriptions.push(event_subscription)
39
+
40
+ event_subscription = CfnGuardian::Models::RDSClusterInstanceEventSubscription.new(@resource)
41
+ event_subscription.name = 'AuroraStorageLow'
42
+ event_subscription.event_id = 'RDS-EVENT-0227'
43
+ @event_subscriptions.push(event_subscription)
44
+ end
28
45
 
29
46
  end
30
47
  end
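Review bot: Each default in this new `default_event_subscriptions` is four near-identical lines that differ only in model class, name and event id, and the same pattern repeats at much greater length in the cluster and instance default hunks. A small table iterated once keeps the name-to-event-id mapping in one place, where a mistyped id or a duplicated name is easy to spot in review. It is also unclear from this page why one resource mixes `RDSInstanceEventSubscription` and `RDSClusterInstanceEventSubscription` when both build the same `db:` ARN; a short comment on the third entry would help.

```ruby
def default_event_subscriptions()
  [
    [CfnGuardian::Models::RDSInstanceEventSubscription, 'MasterPasswordReset', 'RDS-EVENT-0016'],
    [CfnGuardian::Models::RDSInstanceEventSubscription, 'MasterPasswordResetFailure', 'RDS-EVENT-0067'],
    [CfnGuardian::Models::RDSClusterInstanceEventSubscription, 'AuroraStorageLow', 'RDS-EVENT-0227']
  ].each do |model, name, event_id|
    event_subscription = model.new(@resource)
    event_subscription.name = name
    event_subscription.event_id = event_id
    @event_subscriptions.push(event_subscription)
  end
end
```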
@@ -57,71 +57,100 @@ module CfnGuardian::Resource
57
57
  def default_event_subscriptions()
58
58
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
59
59
  event_subscription.name = 'MasterPasswordReset'
60
- event_subscription.rds_event_category = 'configuration change'
61
- event_subscription.message = 'The master password for the DB instance has been reset.'
60
+ event_subscription.event_id = 'RDS-EVENT-0016'
62
61
  @event_subscriptions.push(event_subscription)
63
62
 
64
63
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
65
64
  event_subscription.name = 'MasterPasswordResetFailure'
66
- event_subscription.rds_event_category = 'configuration change'
67
- event_subscription.message = 'An attempt to reset the master password for the DB instance has failed.'
65
+ event_subscription.event_id = 'RDS-EVENT-0067'
68
66
  @event_subscriptions.push(event_subscription)
69
67
 
70
68
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
71
69
  event_subscription.name = 'Deletion'
72
- event_subscription.rds_event_category = 'deletion'
73
- event_subscription.message = 'The DB instance has been deleted.'
70
+ event_subscription.event_id = 'RDS-EVENT-0003'
71
+ @event_subscriptions.push(event_subscription)
72
+
73
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
74
+ event_subscription.name = 'StorageFullShutDown'
75
+ event_subscription.event_id = 'RDS-EVENT-0221'
76
+ @event_subscriptions.push(event_subscription)
77
+
78
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
79
+ event_subscription.name = 'StorageCapacityLow'
80
+ event_subscription.event_id = 'RDS-EVENT-0222'
81
+ @event_subscriptions.push(event_subscription)
82
+
83
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
84
+ event_subscription.name = 'InvalidState'
85
+ event_subscription.event_id = 'RDS-EVENT-0219'
86
+ @event_subscriptions.push(event_subscription)
87
+
88
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
89
+ event_subscription.name = 'StorageScalingReachedThreshold'
90
+ event_subscription.event_id = 'RDS-EVENT-0224'
91
+ @event_subscriptions.push(event_subscription)
92
+
93
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
94
+ event_subscription.name = 'StorageScalingFailed'
95
+ event_subscription.event_id = 'RDS-EVENT-0223'
96
+ @event_subscriptions.push(event_subscription)
97
+
98
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
99
+ event_subscription.name = 'MultiAZStandByFailoverStarted'
100
+ event_subscription.event_id = 'RDS-EVENT-0013'
101
+ @event_subscriptions.push(event_subscription)
102
+
103
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
104
+ event_subscription.name = 'MultiAZStandByFailoverCompleted'
105
+ event_subscription.event_id = 'RDS-EVENT-0015'
74
106
  @event_subscriptions.push(event_subscription)
75
107
 
76
108
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
77
109
  event_subscription.name = 'MultiAZFailoverStarted'
78
- event_subscription.rds_event_category = 'failover'
79
- event_subscription.message = 'A Multi-AZ failover that resulted in the promotion of a standby instance has started.'
110
+ event_subscription.event_id = 'RDS-EVENT-0050'
111
+ @event_subscriptions.push(event_subscription)
112
+
113
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
114
+ event_subscription.name = 'MultiAZFailoverCompleted'
115
+ event_subscription.event_id = 'RDS-EVENT-0049'
80
116
  @event_subscriptions.push(event_subscription)
81
117
 
82
118
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
83
- event_subscription.name = 'MultiAZFailoverComplete'
84
- event_subscription.rds_event_category = 'failover'
85
- event_subscription.message = 'A Multi-AZ failover has completed.'
119
+ event_subscription.name = 'NotAttemptingFailover'
120
+ event_subscription.event_id = 'RDS-EVENT-0034'
86
121
  @event_subscriptions.push(event_subscription)
87
122
 
88
123
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
89
124
  event_subscription.name = 'DBFailure'
90
- event_subscription.rds_event_category = 'failure'
91
- event_subscription.message = 'The DB instance has failed due to an incompatible configuration or an underlying storage issue. Begin a point-in-time-restore for the DB instance.'
125
+ event_subscription.event_id = 'RDS-EVENT-0031'
92
126
  @event_subscriptions.push(event_subscription)
93
127
 
94
128
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
95
129
  event_subscription.name = 'TableCountExceedsRecommended'
96
- event_subscription.rds_event_category = 'notification'
97
- event_subscription.message = 'The number of tables you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
130
+ event_subscription.event_id = 'RDS-EVENT-0055'
98
131
  @event_subscriptions.push(event_subscription)
99
132
 
100
133
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
101
134
  event_subscription.name = 'DatabasesCountExceedsRecommended'
102
- event_subscription.rds_event_category = 'notification'
103
- event_subscription.message = 'The number of databases you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
135
+ event_subscription.event_id = 'RDS-EVENT-0056'
104
136
  @event_subscriptions.push(event_subscription)
105
137
 
106
138
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
107
139
  event_subscription.name = 'ReplicationFailure'
108
140
  event_subscription.enabled = false
109
- event_subscription.rds_event_category = 'read replica'
110
- event_subscription.message = 'An error has occurred in the read replication process.'
141
+ event_subscription.event_id = 'RDS-EVENT-0045'
111
142
  @event_subscriptions.push(event_subscription)
112
143
 
113
144
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
114
145
  event_subscription.name = 'ReplicationTerminated'
115
146
  event_subscription.enabled = false
116
- event_subscription.rds_event_category = 'read replica'
117
- event_subscription.message = 'Replication on the read replica was terminated.'
147
+ event_subscription.event_id = 'RDS-EVENT-0057'
118
148
  @event_subscriptions.push(event_subscription)
119
149
 
120
150
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
121
151
  event_subscription.name = 'ReplicationStopped'
122
152
  event_subscription.enabled = false
123
- event_subscription.rds_event_category = 'read replica'
124
- event_subscription.message = 'Replication on the read replica was manually stopped.'
153
+ event_subscription.event_id = 'RDS-EVENT-0062'
125
154
  @event_subscriptions.push(event_subscription)
126
155
  end
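Review bot: Two existing subscription names change meaning in this hunk: `MultiAZFailoverStarted` previously matched the message about promotion of a standby instance, which now has its own entry `MultiAZStandByFailoverStarted` (`RDS-EVENT-0013`), while the old name is re-pointed at `RDS-EVENT-0050`; and `MultiAZFailoverComplete` is renamed `MultiAZFailoverCompleted`. If user configuration overrides or disables defaults by name (that mechanism is not visible on this page), such overrides would silently stop applying, or apply to a different event, after the upgrade. The removed `message` strings were also the only in-code description of each event; keeping them as trailing comments, e.g. `event_subscription.event_id = 'RDS-EVENT-0003' # The DB instance has been deleted.`, would let a reviewer check each id against the RDS event reference.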
127
156
 
@@ -112,7 +112,7 @@ module CfnGuardian
112
112
 
113
113
  def add_event_subscription(subscription)
114
114
  event_pattern = {}
115
- event_pattern['detail-type'] = [subscription.detail_type]
115
+ event_pattern['detail-type'] = [subscription.detail_type] unless subscription.detail_type.empty?
116
116
  event_pattern['source'] = [subscription.source]
117
117
  event_pattern['resources'] = [subscription.resource_arn] unless subscription.resource_arn.empty?
118
118
  event_pattern['detail'] = subscription.detail unless subscription.detail.empty?
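Review bot: The new guard calls `subscription.detail_type.empty?`, which raises `NoMethodError` if a subscription leaves `detail_type` as `nil`; the RDS models in this release stop assigning `@detail_type` and rely on whatever `BaseEventSubscription` sets, which is not shown. `unless subscription.detail_type.to_s.empty?` covers both cases. Omitting `detail-type` also widens the rule to every event from `subscription.source` that satisfies the remaining keys, so a subscription with an empty `resource_arn` and an empty `detail` would match all events from that source; a check that at least one narrowing key is present would catch that before deployment. The method continues below the hunk.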
@@ -1,4 +1,4 @@
1
1
  module CfnGuardian
2
- VERSION = "0.11.0"
2
+ VERSION = "0.11.2"
3
3
  CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
4
4
  end
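--- a/data/lib/cfnguardian.rb
+++ b/data/lib/cfnguardian.rb
@@ -215,6 +215,7 @@ module CfnGuardian
  method_option :config, aliases: :c, type: :array, desc: "yaml config files", required: true
  method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
  method_option :tags, type: :hash, desc: "additional tags on the cloudformation stack"
+ method_option :check_resources_exist, type: :boolean, default: true, desc: "check each resource exists in the aws account"
 
  def tag_alarms
  set_log_level(options[:debug])
@@ -233,7 +234,7 @@ module CfnGuardian
  tags[:'guardian:config:yaml'] = config
 
  logger.info "tagging alarms from config file #{config}"
- compiler = CfnGuardian::Compile.new(config)
+ compiler = CfnGuardian::Compile.new(config, options[:check_resources_exist])
  compiler.get_resources
  alarms = compiler.alarms
  global_tags = compiler.global_tags.merge(tags)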
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-guardian
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.11.0
4
+ version: 0.11.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Guslington
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-03-30 00:00:00.000000000 Z
11
+ date: 2023-04-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: thor