cfn-guardian 0.11.1 → 0.11.3
- checksums.yaml +4 -4
- data/lib/cfnguardian/compile.rb +12 -2
- data/lib/cfnguardian/models/event_subscription.rb +17 -14
- data/lib/cfnguardian/resources/cloudfront_distribution.rb +4 -9
- data/lib/cfnguardian/resources/rds_cluster.rb +12 -5
- data/lib/cfnguardian/resources/rds_cluster_instance.rb +17 -0
- data/lib/cfnguardian/resources/rds_instance.rb +52 -23
- data/lib/cfnguardian/stacks/resources.rb +1 -1
- data/lib/cfnguardian/version.rb +1 -1
- data/lib/cfnguardian.rb +2 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8c7f596e3d86871577a9efafbd26c80f361ef13af5e839f47a080a9e7886d403
|
4
|
+
data.tar.gz: d0968727d7c824a8717a706d1d0e6c07b483d93fd349338dca7327e60ee7fe6a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8e658b4799b9c8ca8a3f52961a005d6448a57295a3ca1a64acb7760468d7e03a3bc8af69f730b2c8b396493f97c142d9e05971b7c153152701d94af287b2f50d
|
7
|
+
data.tar.gz: '019146838ba1bb03eb90b7534b8cda6230f91d5a2d0cf0bb4ff6e97628a420e6d1232ed206944c8acbeb85f41eb4e6bb650cf752d380c5178ad71a812bb99727'
|
data/lib/cfnguardian/compile.rb
CHANGED
@@ -90,8 +90,18 @@ module CfnGuardian
|
|
90
90
|
@resource_groups.each do |group,resources|
|
91
91
|
resources.each do |resource|
|
92
92
|
if !resource.has_key?('Id')
|
93
|
-
|
94
|
-
|
93
|
+
if !resource.has_key?('Hosts')
|
94
|
+
@errors << "CfnGuardian::NoIdKeyForResourceError - resource: #{resource} in resource group: #{group} doesn't have the `Id:` key"
|
95
|
+
next
|
96
|
+
else
|
97
|
+
resource['Hosts'].each { |host|
|
98
|
+
if !host.has_key?('Id')
|
99
|
+
@errors << "CfnGuardian::NoIdKeyForResourceError - resource: #{resource} in resource group: #{group} doesn't have the `Id:` key"
|
100
|
+
next
|
101
|
+
end
|
102
|
+
}
|
103
|
+
|
104
|
+
end
|
95
105
|
end
|
96
106
|
|
97
107
|
begin
|
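Review bot: The `next` inside the `resource['Hosts'].each { |host| ... }` block (new lines 97–102) only moves to the next host, and because the `if` is the last statement in the block it changes nothing — a resource whose host lacks `Id:` still reaches the `begin` on line 107, whereas a resource with no `Id:` at all is skipped, so the two error paths behave differently. The host-level message also reuses the resource-level wording, so the error names the whole resource rather than the offending host, and a `Hosts:` entry that is not a Hash raises NoMethodError on `has_key?` instead of landing in `@errors`. As the input is user-supplied yaml, collecting the bad hosts first and then skipping the resource keeps the error list complete and the downstream code free of half-valid input; the enclosing method starts and ends outside the hunk, so whether skipping is the right recovery should be confirmed against what the `begin` block does.
```ruby
if !resource.has_key?('Id')
  unless resource.has_key?('Hosts')
    @errors << "CfnGuardian::NoIdKeyForResourceError - resource: #{resource} in resource group: #{group} doesn't have the `Id:` key"
    next
  end

  # Hosts that are not a Hash or lack `Id:` are reported together, then the
  # resource is skipped the same way a resource without `Id:` is.
  bad_hosts = Array(resource['Hosts']).reject { |host| host.is_a?(Hash) && host.has_key?('Id') }
  unless bad_hosts.empty?
    @errors << "CfnGuardian::NoIdKeyForResourceError - hosts: #{bad_hosts} in resource: #{resource} in resource group: #{group} don't have the `Id:` key"
    next
  end
end
```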
@@ -35,39 +35,42 @@ module CfnGuardian
|
|
35
35
|
end
|
36
36
|
|
37
37
|
class RDSEventSubscription < BaseEventSubscription
|
38
|
-
attr_accessor :
|
38
|
+
attr_accessor :event_id
|
39
39
|
|
40
40
|
def initialize(resource)
|
41
41
|
super(resource)
|
42
42
|
@source = 'aws.rds'
|
43
|
-
@
|
44
|
-
@source_id = ''
|
45
|
-
@rds_event_category = ''
|
46
|
-
@message = ''
|
43
|
+
@event_id = nil
|
47
44
|
end
|
48
45
|
|
49
46
|
def detail
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
}
|
47
|
+
if @event_id.nil?
|
48
|
+
raise "#{self.class} missing `EventID` property"
|
49
|
+
end
|
50
|
+
|
51
|
+
return { EventID: [@event_id] }
|
56
52
|
end
|
57
53
|
end
|
58
54
|
|
59
55
|
class RDSInstanceEventSubscription < RDSEventSubscription
|
60
56
|
def initialize(resource)
|
61
57
|
super(resource)
|
62
|
-
@
|
58
|
+
@resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:#{@resource_id}"
|
63
59
|
end
|
64
60
|
end
|
65
61
|
|
66
62
|
class RDSClusterEventSubscription < RDSEventSubscription
|
67
63
|
def initialize(resource)
|
68
64
|
super(resource)
|
69
|
-
@
|
70
|
-
|
65
|
+
@resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:cluster:#{@resource_id}"
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
|
70
|
+
class RDSClusterInstanceEventSubscription < RDSEventSubscription
|
71
|
+
def initialize(resource)
|
72
|
+
super(resource)
|
73
|
+
@resource_arn = "arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:#{@resource_id}"
|
71
74
|
end
|
72
75
|
end
|
73
76
|
|
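Review bot: `detail` (new lines 47–51) rejects only a `nil` event_id, so an empty string or a mistyped id is accepted and becomes the EventBridge filter `{ EventID: [''] }` — a rule that never matches is the worst failure mode for a monitoring subscription because nothing reports it. Tightening the guard to `raise ArgumentError, "#{self.class} missing or malformed EventID property: #{@event_id.inspect}" unless @event_id.to_s.match?(/\ARDS-EVENT-\d{4}\z/)` fails at compile time instead; every id used in this diff (`RDS-EVENT-0003` through `RDS-EVENT-0227`) has that shape, though it should be confirmed against the full RDS event list before pinning the regex. The bare `raise "…"` is a RuntimeError, looser than the `CfnGuardian::…Error` naming already used in compile.rb's messages, so callers cannot tell a config error from a crash. `RDSClusterInstanceEventSubscription` (new lines 70–75) is a copy of `RDSInstanceEventSubscription` with the same `db:` ARN; if the separate type is intentional, a comment such as `# Aurora cluster members are addressed by a db: ARN, same as a standalone instance` would stop the next reader from collapsing the two.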
@@ -5,20 +5,15 @@ module CfnGuardian::Resource
|
|
5
5
|
alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
|
6
6
|
alarm.name = '4xxErrorRate'
|
7
7
|
alarm.metric_name = '4xxErrorRate'
|
8
|
-
alarm.threshold =
|
9
|
-
alarm.statistic = '
|
8
|
+
alarm.threshold = 10
|
9
|
+
alarm.statistic = 'Average'
|
10
10
|
@alarms.push(alarm)
|
11
11
|
|
12
12
|
alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
|
13
13
|
alarm.name = '5xxErrorRate'
|
14
14
|
alarm.metric_name = '5xxErrorRate'
|
15
|
-
alarm.
|
16
|
-
|
17
|
-
|
18
|
-
alarm = CfnGuardian::Models::CloudFrontDistributionAlarm.new(@resource)
|
19
|
-
alarm.name = 'TotalErrorRate'
|
20
|
-
alarm.metric_name = 'TotalErrorRate'
|
21
|
-
alarm.threshold = 5
|
15
|
+
alarm.statistic = 'Average'
|
16
|
+
alarm.threshold = 10
|
22
17
|
@alarms.push(alarm)
|
23
18
|
end
|
24
19
|
|
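Review bot: The new defaults (new lines 8–9 and 15–16) give both `4xxErrorRate` and `5xxErrorRate` a `threshold = 10` with `statistic = 'Average'` and drop the `TotalErrorRate` alarm, but nothing in the hunk records why, and the unit of the threshold is not stated; these CloudFront metrics are percentages of requests, so a comment such as `# error rates are a percentage of requests; a 10% average over the period trips the alarm` beside each threshold would make the default reviewable. Any yaml override keyed on the alarm name `TotalErrorRate` will presumably be ignored after this change (the override path is outside this hunk), which deserves a changelog line or a compile-time warning rather than a quiet drop.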
@@ -4,15 +4,22 @@ module CfnGuardian::Resource
|
|
4
4
|
def default_event_subscriptions()
|
5
5
|
event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
|
6
6
|
event_subscription.name = 'FailoverFailed'
|
7
|
-
event_subscription.
|
8
|
-
event_subscription.message = 'A failover for the DB cluster has failed.'
|
7
|
+
event_subscription.event_id = 'RDS-EVENT-0069'
|
9
8
|
@event_subscriptions.push(event_subscription)
|
10
9
|
|
11
10
|
event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
|
12
11
|
event_subscription.name = 'FailoverFinished'
|
13
|
-
event_subscription.
|
14
|
-
event_subscription
|
15
|
-
|
12
|
+
event_subscription.event_id = 'RDS-EVENT-0071'
|
13
|
+
@event_subscriptions.push(event_subscription)
|
14
|
+
|
15
|
+
event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
|
16
|
+
event_subscription.name = 'FailoverStartedSameAZ'
|
17
|
+
event_subscription.event_id = 'RDS-EVENT-0072'
|
18
|
+
@event_subscriptions.push(event_subscription)
|
19
|
+
|
20
|
+
event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
|
21
|
+
event_subscription.name = 'FailoverStartedDifferentAZ'
|
22
|
+
event_subscription.event_id = 'RDS-EVENT-0073'
|
16
23
|
@event_subscriptions.push(event_subscription)
|
17
24
|
end
|
18
25
|
|
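Review bot: The four subscriptions in `default_event_subscriptions` (new lines 5–23) repeat the same construct-assign-push sequence, and the removed `message` lines were the only human-readable record of what each `RDS-EVENT-NNNN` id means, so the new code carries bare ids with no explanation. A name-to-id table with the description kept as a trailing comment documents the mapping and makes adding a subscription a one-line change; the rds_cluster_instance.rb and rds_instance.rb hunks in this diff have the same shape and would benefit the same way (rds_instance.rb also sets `enabled = false` on some entries, which the table can carry as a third column). The `def default_event_subscriptions()` parens are unnecessary for a parameterless method.
```ruby
# Default cluster event subscriptions: subscription name => RDS event id.
# Only descriptions visible in this diff are recorded; fill in the rest from the RDS event catalogue.
CLUSTER_EVENTS = {
  'FailoverFailed'             => 'RDS-EVENT-0069', # a failover for the DB cluster has failed
  'FailoverFinished'           => 'RDS-EVENT-0071',
  'FailoverStartedSameAZ'      => 'RDS-EVENT-0072',
  'FailoverStartedDifferentAZ' => 'RDS-EVENT-0073'
}.freeze

def default_event_subscriptions
  CLUSTER_EVENTS.each do |name, event_id|
    event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
    event_subscription.name = name
    event_subscription.event_id = event_id
    @event_subscriptions.push(event_subscription)
  end
end
```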
@@ -25,6 +25,23 @@ module CfnGuardian::Resource
|
|
25
25
|
alarm.evaluation_periods = 10
|
26
26
|
@alarms.push(alarm)
|
27
27
|
end
|
28
|
+
|
29
|
+
def default_event_subscriptions()
|
30
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
31
|
+
event_subscription.name = 'MasterPasswordReset'
|
32
|
+
event_subscription.event_id = 'RDS-EVENT-0016'
|
33
|
+
@event_subscriptions.push(event_subscription)
|
34
|
+
|
35
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
36
|
+
event_subscription.name = 'MasterPasswordResetFailure'
|
37
|
+
event_subscription.event_id = 'RDS-EVENT-0067'
|
38
|
+
@event_subscriptions.push(event_subscription)
|
39
|
+
|
40
|
+
event_subscription = CfnGuardian::Models::RDSClusterInstanceEventSubscription.new(@resource)
|
41
|
+
event_subscription.name = 'AuroraStorageLow'
|
42
|
+
event_subscription.event_id = 'RDS-EVENT-0227'
|
43
|
+
@event_subscriptions.push(event_subscription)
|
44
|
+
end
|
28
45
|
|
29
46
|
end
|
30
47
|
end
|
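Review bot: The first two subscriptions in the new `default_event_subscriptions` (new lines 30–38) are built from `CfnGuardian::Models::RDSInstanceEventSubscription` while the third (new line 40) uses the new `RDSClusterInstanceEventSubscription`, all within one cluster-instance resource; the two classes yield the same `db:` ARN today, so behaviour is identical, but the split looks accidental and any later change to either class will silently diverge for this resource. Use `RDSClusterInstanceEventSubscription` for all three, or leave a comment explaining why the password-reset events are typed as plain instance events. The enclosing class starts before the hunk, so where `@event_subscriptions` is initialised is not visible here.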
@@ -57,71 +57,100 @@ module CfnGuardian::Resource
|
|
57
57
|
def default_event_subscriptions()
|
58
58
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
59
59
|
event_subscription.name = 'MasterPasswordReset'
|
60
|
-
event_subscription.
|
61
|
-
event_subscription.message = 'The master password for the DB instance has been reset.'
|
60
|
+
event_subscription.event_id = 'RDS-EVENT-0016'
|
62
61
|
@event_subscriptions.push(event_subscription)
|
63
62
|
|
64
63
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
65
64
|
event_subscription.name = 'MasterPasswordResetFailure'
|
66
|
-
event_subscription.
|
67
|
-
event_subscription.message = 'An attempt to reset the master password for the DB instance has failed.'
|
65
|
+
event_subscription.event_id = 'RDS-EVENT-0067'
|
68
66
|
@event_subscriptions.push(event_subscription)
|
69
67
|
|
70
68
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
71
69
|
event_subscription.name = 'Deletion'
|
72
|
-
event_subscription.
|
73
|
-
event_subscription
|
70
|
+
event_subscription.event_id = 'RDS-EVENT-0003'
|
71
|
+
@event_subscriptions.push(event_subscription)
|
72
|
+
|
73
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
74
|
+
event_subscription.name = 'StorageFullShutDown'
|
75
|
+
event_subscription.event_id = 'RDS-EVENT-0221'
|
76
|
+
@event_subscriptions.push(event_subscription)
|
77
|
+
|
78
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
79
|
+
event_subscription.name = 'StorageCapacityLow'
|
80
|
+
event_subscription.event_id = 'RDS-EVENT-0222'
|
81
|
+
@event_subscriptions.push(event_subscription)
|
82
|
+
|
83
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
84
|
+
event_subscription.name = 'InvalidState'
|
85
|
+
event_subscription.event_id = 'RDS-EVENT-0219'
|
86
|
+
@event_subscriptions.push(event_subscription)
|
87
|
+
|
88
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
89
|
+
event_subscription.name = 'StorageScalingReachedThreshold'
|
90
|
+
event_subscription.event_id = 'RDS-EVENT-0224'
|
91
|
+
@event_subscriptions.push(event_subscription)
|
92
|
+
|
93
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
94
|
+
event_subscription.name = 'StorageScalingFailed'
|
95
|
+
event_subscription.event_id = 'RDS-EVENT-0223'
|
96
|
+
@event_subscriptions.push(event_subscription)
|
97
|
+
|
98
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
99
|
+
event_subscription.name = 'MultiAZStandByFailoverStarted'
|
100
|
+
event_subscription.event_id = 'RDS-EVENT-0013'
|
101
|
+
@event_subscriptions.push(event_subscription)
|
102
|
+
|
103
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
104
|
+
event_subscription.name = 'MultiAZStandByFailoverCompleted'
|
105
|
+
event_subscription.event_id = 'RDS-EVENT-0015'
|
74
106
|
@event_subscriptions.push(event_subscription)
|
75
107
|
|
76
108
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
77
109
|
event_subscription.name = 'MultiAZFailoverStarted'
|
78
|
-
event_subscription.
|
79
|
-
event_subscription
|
110
|
+
event_subscription.event_id = 'RDS-EVENT-0050'
|
111
|
+
@event_subscriptions.push(event_subscription)
|
112
|
+
|
113
|
+
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
114
|
+
event_subscription.name = 'MultiAZFailoverCompleted'
|
115
|
+
event_subscription.event_id = 'RDS-EVENT-0049'
|
80
116
|
@event_subscriptions.push(event_subscription)
|
81
117
|
|
82
118
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
83
|
-
event_subscription.name = '
|
84
|
-
event_subscription.
|
85
|
-
event_subscription.message = 'A Multi-AZ failover has completed.'
|
119
|
+
event_subscription.name = 'NotAttemptingFailover'
|
120
|
+
event_subscription.event_id = 'RDS-EVENT-0034'
|
86
121
|
@event_subscriptions.push(event_subscription)
|
87
122
|
|
88
123
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
89
124
|
event_subscription.name = 'DBFailure'
|
90
|
-
event_subscription.
|
91
|
-
event_subscription.message = 'The DB instance has failed due to an incompatible configuration or an underlying storage issue. Begin a point-in-time-restore for the DB instance.'
|
125
|
+
event_subscription.event_id = 'RDS-EVENT-0031'
|
92
126
|
@event_subscriptions.push(event_subscription)
|
93
127
|
|
94
128
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
95
129
|
event_subscription.name = 'TableCountExceedsRecommended'
|
96
|
-
event_subscription.
|
97
|
-
event_subscription.message = 'The number of tables you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
|
130
|
+
event_subscription.event_id = 'RDS-EVENT-0055'
|
98
131
|
@event_subscriptions.push(event_subscription)
|
99
132
|
|
100
133
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
101
134
|
event_subscription.name = 'DatabasesCountExceedsRecommended'
|
102
|
-
event_subscription.
|
103
|
-
event_subscription.message = 'The number of databases you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
|
135
|
+
event_subscription.event_id = 'RDS-EVENT-0056'
|
104
136
|
@event_subscriptions.push(event_subscription)
|
105
137
|
|
106
138
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
107
139
|
event_subscription.name = 'ReplicationFailure'
|
108
140
|
event_subscription.enabled = false
|
109
|
-
event_subscription.
|
110
|
-
event_subscription.message = 'An error has occurred in the read replication process.'
|
141
|
+
event_subscription.event_id = 'RDS-EVENT-0045'
|
111
142
|
@event_subscriptions.push(event_subscription)
|
112
143
|
|
113
144
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
114
145
|
event_subscription.name = 'ReplicationTerminated'
|
115
146
|
event_subscription.enabled = false
|
116
|
-
event_subscription.
|
117
|
-
event_subscription.message = 'Replication on the read replica was terminated.'
|
147
|
+
event_subscription.event_id = 'RDS-EVENT-0057'
|
118
148
|
@event_subscriptions.push(event_subscription)
|
119
149
|
|
120
150
|
event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
|
121
151
|
event_subscription.name = 'ReplicationStopped'
|
122
152
|
event_subscription.enabled = false
|
123
|
-
event_subscription.
|
124
|
-
event_subscription.message = 'Replication on the read replica was manually stopped.'
|
153
|
+
event_subscription.event_id = 'RDS-EVENT-0062'
|
125
154
|
@event_subscriptions.push(event_subscription)
|
126
155
|
end
|
127
156
|
|
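Review bot: The three replication subscriptions (`ReplicationFailure`, `ReplicationTerminated`, `ReplicationStopped`, new lines 138–154) are the only entries created with `enabled = false`, and the hunk gives no reason, while neighbours such as `MasterPasswordReset` (`RDS-EVENT-0016`) and `DBFailure` are on by default. A comment above the first of them, `# replication events presumably only apply to read replicas — off by default, enable per resource in yaml (confirm)`, would record the intent so nobody "fixes" them back on. The dropped `message` lines were the only description of each event id; the table layout suggested on the rds_cluster.rb hunk applies here as well.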
@@ -112,7 +112,7 @@ module CfnGuardian
|
|
112
112
|
|
113
113
|
def add_event_subscription(subscription)
|
114
114
|
event_pattern = {}
|
115
|
-
event_pattern['detail-type'] = [subscription.detail_type]
|
115
|
+
event_pattern['detail-type'] = [subscription.detail_type] unless subscription.detail_type.empty?
|
116
116
|
event_pattern['source'] = [subscription.source]
|
117
117
|
event_pattern['resources'] = [subscription.resource_arn] unless subscription.resource_arn.empty?
|
118
118
|
event_pattern['detail'] = subscription.detail unless subscription.detail.empty?
|
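Review bot: The new guard on line 115, `unless subscription.detail_type.empty?`, assumes `detail_type` is never `nil`; if the base subscription defaults it to `nil` rather than `''` this becomes a NoMethodError at compile time, so `subscription.detail_type.to_s.empty?` is safer unless the default is known to be a string. Line 118 has the same double-evaluation shape, and with this release's `RDSEventSubscription#detail` every call builds a fresh hash and raises when `event_id` is unset; hoisting it, `detail = subscription.detail` then `event_pattern['detail'] = detail unless detail.empty?`, keeps the raise in one place. `add_event_subscription` continues past the end of the hunk.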
data/lib/cfnguardian/version.rb
CHANGED
data/lib/cfnguardian.rb
CHANGED
@@ -215,6 +215,7 @@ module CfnGuardian
|
|
215
215
|
method_option :config, aliases: :c, type: :array, desc: "yaml config files", required: true
|
216
216
|
method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
|
217
217
|
method_option :tags, type: :hash, desc: "additional tags on the cloudformation stack"
|
218
|
+
method_option :check_resources_exist, type: :boolean, default: true, desc: "check each resource exists in the aws account"
|
218
219
|
|
219
220
|
def tag_alarms
|
220
221
|
set_log_level(options[:debug])
|
@@ -233,7 +234,7 @@ module CfnGuardian
|
|
233
234
|
tags[:'guardian:config:yaml'] = config
|
234
235
|
|
235
236
|
logger.info "tagging alarms from config file #{config}"
|
236
|
-
compiler = CfnGuardian::Compile.new(config)
|
237
|
+
compiler = CfnGuardian::Compile.new(config, options[:check_resources_exist])
|
237
238
|
compiler.get_resources
|
238
239
|
alarms = compiler.alarms
|
239
240
|
global_tags = compiler.global_tags.merge(tags)
|
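Review bot: `CfnGuardian::Compile.new(config, options[:check_resources_exist])` (new line 237) passes a bare boolean positionally, so the call site does not say what the flag controls; if `Compile#initialize` (not in this diff) accepts a keyword, `check_resources_exist: options[:check_resources_exist]` reads better, otherwise a short comment such as `# second arg: skip the AWS existence check when --no-check-resources-exist is given` keeps it clear. Thor's `type: :boolean, default: true` means the option is turned off with `--no-check-resources-exist`, which is worth stating in the `desc` on new line 218, since `tag_alarms` otherwise validates against the live account by default.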
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-guardian
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.11.
|
4
|
+
version: 0.11.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Guslington
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-06-20 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: thor
|