cfn-guardian 0.11.0 → 0.11.2

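--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 597eff7904e03dd773f5d3b2c5e9928b03ce3081f76c7dd0cf33d95e0020af3e
- data.tar.gz: 97ad25a41db6e7c6b88d4afd5c02560a2a114e6343ad27a001ca4dde87eeef97
+ metadata.gz: df845cc5dda684abf92cc6b71c4f285f370026389fe494510ecf5b6bca5062a8
+ data.tar.gz: 5549dd5b6070d88c8fe153aab86b15890d61cea88bfe650fd41cd9e2497b0dfb
  SHA512:
- metadata.gz: e8f6556b639e720418edf32faf4e19e1421636ef9835e85b2f6a61de40a26712affd4d4d9f63f4d1e83f6fad6da1461c7ffcd7fb845a16f4dfffda8c285b7853
- data.tar.gz: '068ddd35b4996594a05189ca9d6c3c232e362c951b37405e2ed9dbb0f747b77967637595a4f584177404814a77fe48268a71ce484621c42903723326bb6a0e1f'
+ metadata.gz: 1dee7c9fff0a49ffcfaf4455912ce6b324f34b79323a816660e0573840a9c35b1b2229b1e8fbed5460b2dd496802eb1b45ddecd1dbf604928b3c080c54de82b0
+ data.tar.gz: 82d325e4b19e862eee2b28c11acdfbedc0d96d7fbcaf392cb87642c42d2f31fd0a589b19abfe08de85e117e510ad02543bc169986e2121cb182c1b198eb7b7c1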
@@ -39,6 +39,8 @@ Resources:
39
39
  File: file.txt
40
40
  # optionally check for a regex match pattern in the body of the file
41
41
  FileBodyMatch: ok
42
+ # optionally override the default connection timeout of 10 seconds
43
+ Timeout: 10
42
44
  ```
43
45
 
44
46
  ## Private SFTP Check
@@ -70,4 +72,5 @@ Resources:
70
72
  PrivateKeyPass: /ssm/path/privatekey/password
71
73
  File: file.txt
72
74
  FileBodyMatch: ok
75
+ Timeout: 10
73
76
  ```
@@ -189,7 +189,7 @@ module CfnGuardian
189
189
  @name = 'SFTPCheck'
190
190
  @package = 'sftp-check'
191
191
  @handler = 'handler.sftp_check'
192
- @version = '987e71f2607347e13e3f156535059d6d3ce1ceed'
192
+ @version = '901a63a0b9bbb4f09d1efae7049b20de4a1a22e2'
193
193
  @runtime = 'python3.7'
194
194
  end
195
195
  end
@@ -287,6 +287,7 @@ module CfnGuardian
287
287
  @private_key_pass = resource.fetch('PrivateKeyPass', nil)
288
288
  @file = resource.fetch('File', nil)
289
289
  @file_regex_match = resource.fetch('FileRegexMatch', nil)
290
+ @timeout = resource.fetch('Timeout', nil)
290
291
  end
291
292
 
292
293
  def payload
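Review bot: The new `Timeout` value is read with `resource.fetch('Timeout', nil)` and, in the following `payload` hunk, copied into `TIMEOUT` without any type or range check, so a string, zero or negative value in the YAML config is only discovered when the check actually runs. Coercing it when the model is built, e.g. `@timeout = Integer(@timeout) unless @timeout.nil?`, and rejecting values below 1 would make a bad config fail at compile time instead. The 10-second default described in the README is not set here, so it presumably lives in the handler; a comment such as `# nil leaves the handler's own default in place` would make that explicit. Both `initialize` and `payload` begin or end outside the visible hunks.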
@@ -301,6 +302,7 @@ module CfnGuardian
301
302
  payload['PRIVATEKEY_PASSWORD'] = @private_key_pass unless @private_key_pass.nil?
302
303
  payload['FILE'] = @file unless @file.nil?
303
304
  payload['FILE_REGEX_MATCH'] = @file_regex_match unless @file_regex_match.nil?
305
+ payload['TIMEOUT'] = @timeout unless @timeout.nil?
304
306
  return payload.to_json
305
307
  end
306
308
 
@@ -35,39 +35,42 @@ module CfnGuardian
35
35
  end
36
36
 
37
37
  class RDSEventSubscription < BaseEventSubscription
38
- attr_accessor :source_id, :rds_event_category, :message
38
+ attr_accessor :event_id
39
39
 
40
40
  def initialize(resource)
41
41
  super(resource)
42
42
  @source = 'aws.rds'
43
- @detail_type = 'RDS DB Instance Event'
44
- @source_id = ''
45
- @rds_event_category = ''
46
- @message = ''
43
+ @event_id = nil
47
44
  end
48
45
 
49
46
  def detail
50
- return {
51
- EventCategories: [@rds_event_category],
52
- SourceType: [@source_type],
53
- SourceIdentifier: ["rds:#{@resource_id}"],
54
- Message: [@message]
55
- }
47
+ if @event_id.nil?
48
+ raise "#{self.class} missing `EventID` property"
49
+ end
50
+
51
+ return { EventID: [@event_id] }
56
52
  end
57
53
  end
58
54
 
59
55
  class RDSInstanceEventSubscription < RDSEventSubscription
60
56
  def initialize(resource)
61
57
  super(resource)
62
- @source_type = 'DB_INSTANCE'
58
+ @resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:#{@resource_id}"
63
59
  end
64
60
  end
65
61
 
66
62
  class RDSClusterEventSubscription < RDSEventSubscription
67
63
  def initialize(resource)
68
64
  super(resource)
69
- @detail_type = 'RDS DB Cluster Event'
70
- @source_type = 'DB_CLUSTER'
65
+ @resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:cluster:#{@resource_id}"
66
+ end
67
+ end
68
+
69
+
70
+ class RDSClusterInstanceEventSubscription < RDSEventSubscription
71
+ def initialize(resource)
72
+ super(resource)
73
+ @resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:#{@resource_id}"
71
74
  end
72
75
  end
73
76
 
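Review bot: The three new `@resource_arn` strings hard-code the `arn:aws:` partition, so the generated event pattern would not match RDS resources in other partitions; since the string already relies on CloudFormation substitution for `${AWS::Region}` and `${AWS::AccountId}`, `"arn:${AWS::Partition}:rds:${AWS::Region}:${AWS::AccountId}:db:#{@resource_id}"` would fit the same mechanism. Those `${...}` placeholders are literal text to Ruby, so the value only resolves if it is later wrapped in `Fn::Sub`, which is not visible in this hunk and deserves a comment. `RDSClusterInstanceEventSubscription` builds exactly the same `db:` ARN as `RDSInstanceEventSubscription`, so a one-line comment on why the separate class exists would help. The removed `source_id`, `rds_event_category` and `message` accessors were public, so configs or callers that set them would presumably break on this patch release.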
@@ -5,20 +5,15 @@ module CfnGuardian::Resource
5
5
  alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
6
6
  alarm.name = '4xxErrorRate'
7
7
  alarm.metric_name = '4xxErrorRate'
8
- alarm.threshold = 2
9
- alarm.statistic = 'Sum'
8
+ alarm.threshold = 10
9
+ alarm.statistic = 'Average'
10
10
  @alarms.push(alarm)
11
11
 
12
12
  alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
13
13
  alarm.name = '5xxErrorRate'
14
14
  alarm.metric_name = '5xxErrorRate'
15
- alarm.threshold = 5
16
- @alarms.push(alarm)
17
-
18
- alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
19
- alarm.name = 'TotalErrorRate'
20
- alarm.metric_name = 'TotalErrorRate'
21
- alarm.threshold = 5
15
+ alarm.statistic = 'Average'
16
+ alarm.threshold = 10
22
17
  @alarms.push(alarm)
23
18
  end
24
19
 
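Review bot: The default CloudFront alerting is loosened here with no comment explaining why: the 4xx threshold moves from 2 to 10, the 5xx threshold from 5 to 10, and the `TotalErrorRate` default alarm is dropped entirely. A config that overrides `TotalErrorRate` would presumably now refer to an alarm that no longer exists, so the change deserves a release-note entry. A comment such as `# error-rate metrics are percentages; alarm when the average exceeds 10%` above each block would record the intent behind the switch to `'Average'`. The two blocks also assign `threshold` and `statistic` in opposite order, which is worth aligning; the enclosing method starts outside the hunk.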
@@ -4,15 +4,22 @@ module CfnGuardian::Resource
4
4
  def default_event_subscriptions()
5
5
  event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
6
6
  event_subscription.name = 'FailoverFailed'
7
- event_subscription.rds_event_category = 'failover'
8
- event_subscription.message = 'A failover for the DB cluster has failed.'
7
+ event_subscription.event_id = 'RDS-EVENT-0069'
9
8
  @event_subscriptions.push(event_subscription)
10
9
 
11
10
  event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
12
11
  event_subscription.name = 'FailoverFinished'
13
- event_subscription.rds_event_category = 'failover'
14
- event_subscription.message = 'A failover for the DB cluster has finished.'
15
- event_subscription.enabled = false
12
+ event_subscription.event_id = 'RDS-EVENT-0071'
13
+ @event_subscriptions.push(event_subscription)
14
+
15
+ event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
16
+ event_subscription.name = 'FailoverStartedSameAZ'
17
+ event_subscription.event_id = 'RDS-EVENT-0072'
18
+ @event_subscriptions.push(event_subscription)
19
+
20
+ event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
21
+ event_subscription.name = 'FailoverStartedDifferentAZ'
22
+ event_subscription.event_id = 'RDS-EVENT-0073'
16
23
  @event_subscriptions.push(event_subscription)
17
24
  end
18
25
 
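Review bot: `FailoverFinished` loses its `event_subscription.enabled = false` line, so it becomes enabled by default together with the two new `FailoverStarted*` subscriptions; if that is intended it should be stated, otherwise keep `event_subscription.enabled = false` on the purely informational events so the failure event is not buried in routine notifications. The readable `message` strings are replaced by bare IDs such as `'RDS-EVENT-0069'`, which leaves the reader to look each one up; a trailing comment per assignment, e.g. `# cluster failover failed`, would keep the list reviewable. The same applies to the event-ID lists in the two instance `default_event_subscriptions` hunks that follow.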
@@ -25,6 +25,23 @@ module CfnGuardian::Resource
25
25
  alarm.evaluation_periods = 10
26
26
  @alarms.push(alarm)
27
27
  end
28
+
29
+ def default_event_subscriptions()
30
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
31
+ event_subscription.name = 'MasterPasswordReset'
32
+ event_subscription.event_id = 'RDS-EVENT-0016'
33
+ @event_subscriptions.push(event_subscription)
34
+
35
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
36
+ event_subscription.name = 'MasterPasswordResetFailure'
37
+ event_subscription.event_id = 'RDS-EVENT-0067'
38
+ @event_subscriptions.push(event_subscription)
39
+
40
+ event_subscription = CfnGuardian::Models::RDSClusterInstanceEventSubscription.new(@resource)
41
+ event_subscription.name = 'AuroraStorageLow'
42
+ event_subscription.event_id = 'RDS-EVENT-0227'
43
+ @event_subscriptions.push(event_subscription)
44
+ end
28
45
 
29
46
  end
30
47
  end
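Review bot: This new method mixes two model classes: the two password-reset subscriptions use `RDSInstanceEventSubscription` while `AuroraStorageLow` uses `RDSClusterInstanceEventSubscription`. In the models hunk on this page both classes build the same `db:` ARN, so the output is likely identical today, but using one class throughout, or adding a comment that explains the split, would avoid silent divergence later. The three stanzas differ only in name and ID and could be driven from a small table, e.g. `{ 'MasterPasswordReset' => 'RDS-EVENT-0016' }.each { |name, id| ... }`.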
@@ -57,71 +57,100 @@ module CfnGuardian::Resource
57
57
  def default_event_subscriptions()
58
58
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
59
59
  event_subscription.name = 'MasterPasswordReset'
60
- event_subscription.rds_event_category = 'configuration change'
61
- event_subscription.message = 'The master password for the DB instance has been reset.'
60
+ event_subscription.event_id = 'RDS-EVENT-0016'
62
61
  @event_subscriptions.push(event_subscription)
63
62
 
64
63
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
65
64
  event_subscription.name = 'MasterPasswordResetFailure'
66
- event_subscription.rds_event_category = 'configuration change'
67
- event_subscription.message = 'An attempt to reset the master password for the DB instance has failed.'
65
+ event_subscription.event_id = 'RDS-EVENT-0067'
68
66
  @event_subscriptions.push(event_subscription)
69
67
 
70
68
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
71
69
  event_subscription.name = 'Deletion'
72
- event_subscription.rds_event_category = 'deletion'
73
- event_subscription.message = 'The DB instance has been deleted.'
70
+ event_subscription.event_id = 'RDS-EVENT-0003'
71
+ @event_subscriptions.push(event_subscription)
72
+
73
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
74
+ event_subscription.name = 'StorageFullShutDown'
75
+ event_subscription.event_id = 'RDS-EVENT-0221'
76
+ @event_subscriptions.push(event_subscription)
77
+
78
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
79
+ event_subscription.name = 'StorageCapacityLow'
80
+ event_subscription.event_id = 'RDS-EVENT-0222'
81
+ @event_subscriptions.push(event_subscription)
82
+
83
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
84
+ event_subscription.name = 'InvalidState'
85
+ event_subscription.event_id = 'RDS-EVENT-0219'
86
+ @event_subscriptions.push(event_subscription)
87
+
88
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
89
+ event_subscription.name = 'StorageScalingReachedThreshold'
90
+ event_subscription.event_id = 'RDS-EVENT-0224'
91
+ @event_subscriptions.push(event_subscription)
92
+
93
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
94
+ event_subscription.name = 'StorageScalingFailed'
95
+ event_subscription.event_id = 'RDS-EVENT-0223'
96
+ @event_subscriptions.push(event_subscription)
97
+
98
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
99
+ event_subscription.name = 'MultiAZStandByFailoverStarted'
100
+ event_subscription.event_id = 'RDS-EVENT-0013'
101
+ @event_subscriptions.push(event_subscription)
102
+
103
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
104
+ event_subscription.name = 'MultiAZStandByFailoverCompleted'
105
+ event_subscription.event_id = 'RDS-EVENT-0015'
74
106
  @event_subscriptions.push(event_subscription)
75
107
 
76
108
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
77
109
  event_subscription.name = 'MultiAZFailoverStarted'
78
- event_subscription.rds_event_category = 'failover'
79
- event_subscription.message = 'A Multi-AZ failover that resulted in the promotion of a standby instance has started.'
110
+ event_subscription.event_id = 'RDS-EVENT-0050'
111
+ @event_subscriptions.push(event_subscription)
112
+
113
+ event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
114
+ event_subscription.name = 'MultiAZFailoverCompleted'
115
+ event_subscription.event_id = 'RDS-EVENT-0049'
80
116
  @event_subscriptions.push(event_subscription)
81
117
 
82
118
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
83
- event_subscription.name = 'MultiAZFailoverComplete'
84
- event_subscription.rds_event_category = 'failover'
85
- event_subscription.message = 'A Multi-AZ failover has completed.'
119
+ event_subscription.name = 'NotAttemptingFailover'
120
+ event_subscription.event_id = 'RDS-EVENT-0034'
86
121
  @event_subscriptions.push(event_subscription)
87
122
 
88
123
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
89
124
  event_subscription.name = 'DBFailure'
90
- event_subscription.rds_event_category = 'failure'
91
- event_subscription.message = 'The DB instance has failed due to an incompatible configuration or an underlying storage issue. Begin a point-in-time-restore for the DB instance.'
125
+ event_subscription.event_id = 'RDS-EVENT-0031'
92
126
  @event_subscriptions.push(event_subscription)
93
127
 
94
128
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
95
129
  event_subscription.name = 'TableCountExceedsRecommended'
96
- event_subscription.rds_event_category = 'notification'
97
- event_subscription.message = 'The number of tables you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
130
+ event_subscription.event_id = 'RDS-EVENT-0055'
98
131
  @event_subscriptions.push(event_subscription)
99
132
 
100
133
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
101
134
  event_subscription.name = 'DatabasesCountExceedsRecommended'
102
- event_subscription.rds_event_category = 'notification'
103
- event_subscription.message = 'The number of databases you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
135
+ event_subscription.event_id = 'RDS-EVENT-0056'
104
136
  @event_subscriptions.push(event_subscription)
105
137
 
106
138
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
107
139
  event_subscription.name = 'ReplicationFailure'
108
140
  event_subscription.enabled = false
109
- event_subscription.rds_event_category = 'read replica'
110
- event_subscription.message = 'An error has occurred in the read replication process.'
141
+ event_subscription.event_id = 'RDS-EVENT-0045'
111
142
  @event_subscriptions.push(event_subscription)
112
143
 
113
144
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
114
145
  event_subscription.name = 'ReplicationTerminated'
115
146
  event_subscription.enabled = false
116
- event_subscription.rds_event_category = 'read replica'
117
- event_subscription.message = 'Replication on the read replica was terminated.'
147
+ event_subscription.event_id = 'RDS-EVENT-0057'
118
148
  @event_subscriptions.push(event_subscription)
119
149
 
120
150
  event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
121
151
  event_subscription.name = 'ReplicationStopped'
122
152
  event_subscription.enabled = false
123
- event_subscription.rds_event_category = 'read replica'
124
- event_subscription.message = 'Replication on the read replica was manually stopped.'
153
+ event_subscription.event_id = 'RDS-EVENT-0062'
125
154
  @event_subscriptions.push(event_subscription)
126
155
  end
127
156
 
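Review bot: The default subscription `MultiAZFailoverComplete` disappears and `MultiAZFailoverCompleted` is added, so a config that overrides or disables the old name would presumably stop matching any default. `MultiAZFailoverStarted` also changes meaning: its removed message described the promotion of a standby instance, which now appears to be covered by the new `MultiAZStandByFailoverStarted`, while the old name is pointed at `'RDS-EVENT-0050'`. If these names are part of the user-facing config they should either be kept stable or the rename documented in the release notes. Most of the new subscriptions are enabled by default, which noticeably raises notification volume for existing stacks and is worth calling out as well.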
@@ -112,7 +112,7 @@ module CfnGuardian
112
112
 
113
113
  def add_event_subscription(subscription)
114
114
  event_pattern = {}
115
- event_pattern['detail-type'] = [subscription.detail_type]
115
+ event_pattern['detail-type'] = [subscription.detail_type] unless subscription.detail_type.empty?
116
116
  event_pattern['source'] = [subscription.source]
117
117
  event_pattern['resources'] = [subscription.resource_arn] unless subscription.resource_arn.empty?
118
118
  event_pattern['detail'] = subscription.detail unless subscription.detail.empty?
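Review bot: The new guard calls `.empty?` on `subscription.detail_type`, and the RDS model in this release no longer assigns `@detail_type`, so the line relies on the base class initialising it to an empty string; if it is ever `nil` this raises `NoMethodError` during template generation. `event_pattern['detail-type'] = [subscription.detail_type] unless subscription.detail_type.to_s.empty?` would tolerate both cases. Omitting `detail-type` also widens the rule to every event from that source that matches `detail` and `resources`, which is worth a comment such as `# RDS subscriptions match on EventID only, so detail-type is left out`. The method body continues past the end of the hunk.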
@@ -1,4 +1,4 @@
1
1
  module CfnGuardian
2
- VERSION = "0.11.0"
2
+ VERSION = "0.11.2"
3
3
  CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
4
4
  end
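--- a/data/lib/cfnguardian.rb
+++ b/data/lib/cfnguardian.rb
@@ -215,6 +215,7 @@ module CfnGuardian
  method_option :config, aliases: :c, type: :array, desc: "yaml config files", required: true
  method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
  method_option :tags, type: :hash, desc: "additional tags on the cloudformation stack"
+ method_option :check_resources_exist, type: :boolean, default: true, desc: "check each resource exists in the aws account"
 
  def tag_alarms
  set_log_level(options[:debug])
@@ -233,7 +234,7 @@ module CfnGuardian
  tags[:'guardian:config:yaml'] = config
 
  logger.info "tagging alarms from config file #{config}"
- compiler = CfnGuardian::Compile.new(config)
+ compiler = CfnGuardian::Compile.new(config, options[:check_resources_exist])
  compiler.get_resources
  alarms = compiler.alarms
  global_tags = compiler.global_tags.merge(tags)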
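Review bot: `options[:check_resources_exist]` is handed to `CfnGuardian::Compile.new` as a bare positional boolean, which is hard to read at the call site; the constructor is not visible here, so this is a readability point only. A comment such as `# second argument: verify each resource exists in the account before tagging` would help. The option's `desc` could also state that the check is on by default and that disabling it means alarms are tagged for resources that were never verified. `tag_alarms` continues outside both hunks.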
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-guardian
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.11.0
4
+ version: 0.11.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Guslington
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2023-03-30 00:00:00.000000000 Z
11
+ date: 2023-04-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: thor