cfn-guardian 0.3.3 → 0.6.4

data/lib/cfnguardian/cloudwatch.rb

@@ -9,50 +9,61 @@ module CfnGuardian
       alarm_id = alarm.resource_name.nil? ? alarm.resource_id : alarm.resource_name
       return "guardian-#{alarm.group}-#{alarm_id}-#{alarm.name}"
     end
-    
-    def self.get_alarms(alarms)
-      alarm_names = alarms.map {|alarm| self.get_alarm_name(alarm)}
-      
+        
+    def self.get_alarms_by_prefix(prefix:, state: nil, action_prefix: nil)
       client = Aws::CloudWatch::Client.new()
+      options = {max_records: 100}
+      options[:alarm_name_prefix] = prefix
+
+      unless state.nil?
+        options[:state_value] = state
+      end
+
+      unless action_prefix.nil?
+        options[:action_prefix] = action_prefix
+      end
+
+      resp = client.describe_alarms(options)
+      return resp.metric_alarms
+    end
+
+    def self.get_alarms_by_name(alarm_names:, state: nil, action_prefix: nil)
+      client = Aws::CloudWatch::Client.new()
+      options = {max_records: 100}
+
+      unless state.nil?
+        options[:state_value] = state
+      end
+
+      unless action_prefix.nil?
+        options[:action_prefix] = "arn:aws:sns:#{Aws.config[:region]}:#{aws_account_id()}:#{action_prefix}"
+      end
+
       metric_alarms = []
       alarm_names.each_slice(100) do |batch|
-        resp = client.describe_alarms({alarm_names: batch, max_records: 100})
+        options[:alarm_names] = batch
+        resp = client.describe_alarms(options)
         metric_alarms.push(*resp.metric_alarms)
       end
-      
+
       return metric_alarms
     end
-    
-    def self.get_alarm_state(config_alarms: [], alarm_names: [], alarm_prefix: nil, state: nil)
-      rows = []
-      
-      if config_alarms.any?
-        alarm_names = config_alarms.map {|alarm| self.get_alarm_name(alarm)}
-      end
-      
-      client = Aws::CloudWatch::Client.new()
-      
-      options = {max_records: 100}
-      options[:state_value] = state if !state.nil?
-      
-      cw_alarms = []
-      if !alarm_prefix.nil?
-        options[:alarm_name_prefix] = alarm_prefix
-        resp = client.describe_alarms(options)
-        cw_alarms = resp.metric_alarms
-      else
-        alarm_names.each_slice(100) do |batch|
-          options[:alarm_names] = batch
-          resp = client.describe_alarms(options)
-          cw_alarms.push(*resp.metric_alarms)
+
+    def self.filter_alarms(filters:, alarms:)
+      return alarms unless filters.is_a?(Hash)
+      filters = filters.slice('group', 'resource', 'alarm', 'stack-id')
+
+      filtered_alarms = []
+      alarms.each do |alarm|
+        if filters.values.all? {|filter| alarm.alarm_name.include? (filter)}
+          filtered_alarms << alarm
         end
       end
-      
-      return cw_alarms
+
+      return filtered_alarms
     end
     
     def self.get_alarm_history(alarm_name,type)
-      rows = []
       client = Aws::CloudWatch::Client.new()
       
       logger.debug "Searching #{type} history for #{alarm_name}"

data/lib/cfnguardian/compile.rb

@@ -35,6 +35,10 @@ require 'cfnguardian/resources/log_group'
 require 'cfnguardian/resources/sftp'
 require 'cfnguardian/resources/internal_sftp'
 require 'cfnguardian/resources/tls'
+require 'cfnguardian/resources/azure_file'
+require 'cfnguardian/resources/amazonmq_rabbitmq'
+require 'cfnguardian/version'
+require 'cfnguardian/error'
 
 module CfnGuardian
   class Compile
@@ -50,7 +54,13 @@ module CfnGuardian
       @templates = config.fetch('Templates',{})
       @topics = config.fetch('Topics',{})
       @maintenance_groups = config.fetch('MaintenaceGroups', {})
+      @event_subscriptions = config.fetch('EventSubscriptions', {})
       
+      # Make sure the default topics exist if they aren't supplied in the alarms.yaml
+      %w(Critical Warning Task Informational Events).each do |topic|
+        @topics[topic] = '' unless @topics.has_key?(topic)
+      end
+
       @maintenance_group_list = @maintenance_groups.keys.map {|group| "#{group}MaintenanceGroup"}
       @resources = []
       @stacks = []
@@ -81,10 +91,15 @@ module CfnGuardian
             end
           end
           
-          overides = @templates.has_key?(group) ? @templates[group] : {}
-          @resources.concat resource_class.get_alarms(overides,resource)
+          template_overides = @templates.has_key?(group) ? @templates[group] : {}
+          @resources.concat resource_class.get_alarms(group,template_overides)
+
           @resources.concat resource_class.get_metric_filters()
           @resources.concat resource_class.get_events()
+
+          event_subscriptions = @event_subscriptions.has_key?(group) ? @event_subscriptions[group] : {}
+          @resources.concat resource_class.get_event_subscriptions(group,event_subscriptions)
+          
           @checks.concat resource_class.get_checks()
 
           @cost += resource_class.get_cost
@@ -95,13 +110,16 @@ module CfnGuardian
         resource_groups.each do |group, alarms|
           alarms.each do |alarm, resources|
             resources.each do |resource|
+
               res = @resources.find {|r| 
                 (r.type == 'Alarm') && 
-                (r.class == group && r.name == alarm) &&
+                (r.group == group && r.name == alarm) &&
                 (r.resource_id == resource['Id'] || r.resource_name == resource['Name'])}
+
               unless res.nil?
                 res.maintenance_groups.append("#{maintenance_group}MaintenanceGroup")
               end
+              
             end
           end
         end
@@ -113,11 +131,39 @@ module CfnGuardian
       end
       
       @ssm_parameters = @resources.select {|resource| resource.type == 'Event'}.map {|event| event.ssm_parameters}.flatten.uniq
+
+      validate_resources()
     end
     
     def alarms
       @resources.select {|resource| resource.type == 'Alarm'}
     end
+
+    def validate_resources()
+      errors = []
+      @resources.each do |resource|
+        case resource.type
+        when 'Alarm'
+          %w(metric_name namespace).each do |property|
+            if resource.send(property).nil?
+              errors << "Alarm #{resource.name} for resource #{resource.resource_id} has nil value for property #{property.to_camelcase}"
+            end
+          end
+        when 'Check'
+          # no validation check yet
+        when 'Event'
+          # no validation check yet
+        when 'Composite'
+          # no validation check yet
+        when 'EventSubscription'
+          # no validation check yet
+        when 'MetricFilter'
+          # no validation check yet
+        end
+      end
+
+      raise CfnGuardian::ValidationError, "#{errors.size} errors found\n[*] #{errors.join("\n[*] ")}" if errors.any?
+    end
     
     def split_resources(bucket,path)
       split = @resources.each_slice(200).to_a
@@ -142,7 +188,7 @@ module CfnGuardian
       File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
       
       resources.each_with_index do |resources,index|
-        stack = CfnGuardian::Stacks::Resources.new(main_stack.parameters)
+        stack = CfnGuardian::Stacks::Resources.new(main_stack.parameters,index)
         stack.build_template(resources)
         valid = stack.template.validate
         File.write("out/guardian-stack-#{index}.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
@@ -152,6 +198,43 @@ module CfnGuardian
     def clean_out_directory
       Dir["out/*.yaml"].each {|file| File.delete(file)}
     end
+
+    def load_parameters(options)
+      parameters = {}
+      # Load sns topic parameters in order of preference
+      @topics.each do |key, value|
+        # if parameter is passed in as a command line option
+        if options.has_key?("sns_#{key.downcase}")
+          parameters[key.to_sym] = options["sns_#{key.downcase}"]
+        # if parameter is in config
+        elsif !value.empty?
+          parameters[key.to_sym] = value
+        # if parameter is set as environment variable
+        elsif ENV.has_key?("GUARDIAN_TOPIC_#{key.upcase}")
+          parameters[key.to_sym] = ENV["GUARDIAN_TOPIC_#{key.upcase}"]
+        end
+      end
+
+      return parameters
+    end
+
+    def genrate_template_config(parameters)
+      template = {
+        Tags: {
+          'guardian:version': CfnGuardian::VERSION
+        }
+      }
+
+      if ENV.has_key?('CODEBUILD_RESOLVED_SOURCE_VERSION')
+        template[:Tags][:'guardian:config:commit'] = ENV['CODEBUILD_RESOLVED_SOURCE_VERSION']
+      end
+
+      unless parameters.empty?
+        template[:Parameters] = parameters
+      end
+
+      File.write("out/template-config.guardian.json", template.to_json)
+    end
         
   end
 end

data/lib/cfnguardian/config/defaults.yaml

@@ -1,6 +1,15 @@
 Resources:
   AmazonMQBroker:
   - Id: Default
+  AmazonMQRabbitMQBroker:
+  - Id: Default
+  AmazonMQRabbitMQNode:
+  - Id: Default
+    Node: Default
+  AmazonMQRabbitMQQueue:
+  - Id: Default
+    Queue: Default
+    Vhost: Default
   ApiGateway:
   - Id: Default
   ApplicationTargetGroup:

data/lib/cfnguardian/deploy.rb

@@ -7,27 +7,13 @@ module CfnGuardian
   class Deploy
     include Logging
 
-    def initialize(opts,bucket)
+    def initialize(opts,bucket,parameters)
       @stack_name = opts.fetch(:stack_name,'guardian')
       @bucket = bucket
       @prefix = @stack_name
       @template_path = "out/guardian.compiled.yaml"
       @template_url = "https://#{@bucket}.s3.amazonaws.com/#{@prefix}/guardian.compiled.yaml"
-      @parameters = {}
-      
-      config = YAML.load_file(opts[:config])
-      if config.has_key?('Topics')
-        @parameters['Critical'] = config['Topics'].fetch('Critical','')
-        @parameters['Warning'] = config['Topics'].fetch('Warning','')
-        @parameters['Task'] = config['Topics'].fetch('Task','')
-        @parameters['Informational'] = config['Topics'].fetch('Informational','')
-      end
-
-      @parameters['Critical'] = opts.fetch(:sns_critical,@parameters['Critical'])
-      @parameters['Warning'] = opts.fetch(:sns_warning,@parameters['Warning'])
-      @parameters['Task'] = opts.fetch(:sns_task,@parameters['Task'])
-      @parameters['Informational'] = opts.fetch(:sns_informational,@parameters['Informational'])
-      
+      @parameters = parameters
       @client = Aws::CloudFormation::Client.new()
     end
 

data/lib/cfnguardian/display_formatter.rb

@@ -14,7 +14,6 @@ module CfnGuardian
       
       @alarms.each do |alarm|
         alarm_name = CfnGuardian::CloudWatch.get_alarm_name(alarm)
-        puts alarm_name
         rows = [
           ['ResourceId', alarm.resource_id],
           ['ResourceHash', alarm.resource_hash],
@@ -52,7 +51,7 @@ module CfnGuardian
       
       @alarms.each do |alarm|
         alarm_name = CfnGuardian::CloudWatch.get_alarm_name(alarm)
-        metric_alarm = metric_alarms.find {|ma| ma.alarm_name == alarm_name}
+        metric_alarm = metric_alarms.find {|ma| ma.alarm_name.include? alarm_name}
         dimensions = metric_alarm.dimensions.map {|dim| {dim.name.to_sym => dim.value}}.inject(:merge)
         
         rows = [

data/lib/cfnguardian/error.rb

@@ -0,0 +1,4 @@
+module CfnGuardian
+    class ValidationError < StandardError
+    end
+end

data/lib/cfnguardian/models/alarm.rb

@@ -3,7 +3,7 @@ require 'digest/md5'
 
 module CfnGuardian
   module Models
-    class Alarm
+    class BaseAlarm
       
       attr_reader :type,
         :resource_hash
@@ -28,7 +28,8 @@ module CfnGuardian
         :extended_statistic,
         :evaluate_low_sample_count_percentile,
         :unit,
-        :maintenance_groups
+        :maintenance_groups,
+        :additional_notifiers
       
       def initialize(resource)
         @type = 'Alarm'
@@ -54,6 +55,7 @@ module CfnGuardian
         @alarm_action = 'Critical'
         @treat_missing_data = nil
         @maintenance_groups = []
+        @additional_notifiers = []
       end
       
       def metric_name=(metric_name)
@@ -63,7 +65,7 @@ module CfnGuardian
     end
     
     
-    class ApiGatewayAlarm < Alarm
+    class ApiGatewayAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ApiGateway'
@@ -72,7 +74,7 @@ module CfnGuardian
       end
     end
     
-    class ApplicationTargetGroupAlarm < Alarm
+    class ApplicationTargetGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ApplicationTargetGroup'
@@ -84,7 +86,7 @@ module CfnGuardian
       end
     end
     
-    class AmazonMQBrokerAlarm < Alarm
+    class AmazonMQBrokerAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'AmazonMQBroker'
@@ -92,8 +94,42 @@ module CfnGuardian
         @dimensions = { Broker: resource['Id'] }
       end
     end
+
+    class AmazonMQRabbitMQBrokerAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'AmazonMQRabbitMQBroker'
+        @namespace = 'AWS/AmazonMQ'
+        @dimensions = { Broker: resource['Id'] }
+      end
+    end
+
+    class AmazonMQRabbitMQNodeAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'AmazonMQRabbitMQNode'
+        @namespace = 'AWS/AmazonMQ'
+        @dimensions = { 
+          Broker: resource['Id'],
+          Node: resource['Node']
+        }
+      end
+    end
+
+    class AmazonMQRabbitMQQueueAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'AmazonMQRabbitMQQueue'
+        @namespace = 'AWS/AmazonMQ'
+        @dimensions = { 
+          Broker: resource['Id'],
+          Queue: resource['Queue'],
+          VirtualHost: resource['Vhost']
+        }
+      end
+    end
     
-    class CloudFrontDistributionAlarm < Alarm
+    class CloudFrontDistributionAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'CloudFrontDistribution'
@@ -107,7 +143,7 @@ module CfnGuardian
       end
     end
     
-    class AutoScalingGroupAlarm < Alarm
+    class AutoScalingGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'AutoScalingGroup'
@@ -116,7 +152,7 @@ module CfnGuardian
       end
     end
     
-    class DomainExpiryAlarm < Alarm
+    class DomainExpiryAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'DomainExpiry'
@@ -126,7 +162,7 @@ module CfnGuardian
       end
     end
     
-    class DynamoDBTableAlarm < Alarm
+    class DynamoDBTableAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'DynamoDBTable'
@@ -135,7 +171,7 @@ module CfnGuardian
       end
     end
     
-    class Ec2InstanceAlarm < Alarm
+    class Ec2InstanceAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Ec2Instance'
@@ -144,7 +180,7 @@ module CfnGuardian
       end
     end
     
-    class ECSClusterAlarm < Alarm
+    class ECSClusterAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ECSCluster'
@@ -156,7 +192,7 @@ module CfnGuardian
       end
     end
     
-    class ECSServiceAlarm < Alarm
+    class ECSServiceAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ECSService'
@@ -168,7 +204,7 @@ module CfnGuardian
       end
     end
     
-    class ElastiCacheReplicationGroupAlarm < Alarm
+    class ElastiCacheReplicationGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ElastiCacheReplicationGroup'
@@ -177,7 +213,7 @@ module CfnGuardian
       end
     end
     
-    class ElasticLoadBalancerAlarm < Alarm
+    class ElasticLoadBalancerAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ElasticLoadBalancer'
@@ -186,7 +222,7 @@ module CfnGuardian
       end
     end
     
-    class ElasticFileSystemAlarm < Alarm
+    class ElasticFileSystemAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ElasticFileSystem'
@@ -195,7 +231,7 @@ module CfnGuardian
       end
     end
     
-    class HttpAlarm < Alarm
+    class HttpAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Http'
@@ -207,7 +243,13 @@ module CfnGuardian
       end
     end
 
-    class PortAlarm < Alarm
+    class InternalHttpAlarm < HttpAlarm
+      def initialize(resource)
+        super(resource)
+      end
+    end
+
+    class PortAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Port'
@@ -218,8 +260,14 @@ module CfnGuardian
         @evaluation_periods = 2
       end
     end
+
+    class InternalPortAlarm < PortAlarm
+      def initialize(resource)
+        super(resource)
+      end
+    end
     
-    class SslAlarm < Alarm
+    class SslAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Ssl'
@@ -228,8 +276,14 @@ module CfnGuardian
         @comparison_operator = 'LessThanThreshold'
       end
     end
+
+    class InternalSslAlarm < SslAlarm
+      def initialize(resource)
+        super(resource)
+      end
+    end
     
-    class NrpeAlarm < Alarm
+    class NrpeAlarm < BaseAlarm
       def initialize(resource,environment)
         super(resource)
         @group = 'Nrpe'
@@ -240,7 +294,7 @@ module CfnGuardian
       end
     end
 
-    class LambdaAlarm < Alarm
+    class LambdaAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Lambda'
@@ -251,7 +305,7 @@ module CfnGuardian
       end
     end
     
-    class NetworkTargetGroupAlarm < Alarm
+    class NetworkTargetGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'NetworkTargetGroup'
@@ -263,7 +317,7 @@ module CfnGuardian
       end
     end
     
-    class RedshiftClusterAlarm < Alarm
+    class RedshiftClusterAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'RedshiftCluster'
@@ -272,7 +326,7 @@ module CfnGuardian
       end
     end
     
-    class RDSClusterInstanceAlarm < Alarm
+    class RDSClusterInstanceAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'RDSClusterInstance'
@@ -281,7 +335,7 @@ module CfnGuardian
       end
     end
     
-    class RDSInstanceAlarm < Alarm
+    class RDSInstanceAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'RDSInstance'
@@ -290,7 +344,7 @@ module CfnGuardian
       end
     end
     
-    class SqlAlarm < Alarm
+    class SqlAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Sql'
@@ -301,7 +355,7 @@ module CfnGuardian
       end
     end
     
-    class SQSQueueAlarm < Alarm
+    class SQSQueueAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'SQSQueue'
@@ -312,7 +366,7 @@ module CfnGuardian
       end
     end
     
-    class LogGroupAlarm < Alarm
+    class LogGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'LogGroup'
@@ -324,7 +378,7 @@ module CfnGuardian
       end
     end
     
-    class SFTPAlarm < Alarm
+    class SFTPAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'SFTP'
@@ -335,8 +389,14 @@ module CfnGuardian
         @dimensions = { Host: resource['Id'], User: resource['User'] }
       end
     end
+
+    class InternalSFTPAlarm < SFTPAlarm
+      def initialize(resource)
+        super(resource)
+      end
+    end
     
-    class TLSAlarm < Alarm
+    class TLSAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'TLS'
@@ -349,6 +409,18 @@ module CfnGuardian
         @evaluation_periods = 1
       end
     end
+
+    class AzureFileAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'AzureFile'
+        @namespace = 'FileAgeCheck'
+        @period = 300
+        @comparison_operator = 'GreaterThanThreshold'
+        @threshold = 0
+        @dimensions = { StorageAccount: resource['Id'], StorageContainer: resource['Container'] }
+      end
+    end
     
   end
 end