cfn-guardian 0.3.4 → 0.6.5

data/lib/cfnguardian/resources/azure_file.rb

@@ -0,0 +1,20 @@
+module CfnGuardian::Resource
+    class AzureFile < Base
+
+      def default_alarms
+        alarm = CfnGuardian::Models::AzureFileAlarm.new(@resource)
+        alarm.name = 'FileExpired'
+        alarm.metric_name = 'FileExpired'
+        @alarms.push(alarm)
+      end
+
+      def default_events
+        @events.push(CfnGuardian::Models::AzureFileEvent.new(@resource))
+      end
+
+      def default_checks
+        @checks.push(CfnGuardian::Models::AzureFileCheck.new(@resource))
+      end
+
+    end
+  end

data/lib/cfnguardian/resources/base.rb

@@ -4,6 +4,7 @@ require 'cfnguardian/models/alarm'
 require 'cfnguardian/models/event'
 require 'cfnguardian/models/check'
 require 'cfnguardian/models/metric_filter'
+require 'cfnguardian/models/event_subscription'
 
 module CfnGuardian::Resource
   class Base
@@ -16,6 +17,7 @@ module CfnGuardian::Resource
       @events = []
       @checks = []
       @metric_filters = []
+      @event_subscriptions = []
     end
     
     # Overidden by inheritted classes to define default alarms
@@ -23,57 +25,78 @@ module CfnGuardian::Resource
       return @alarms
     end
     
-    def get_alarms(overides={},resource={})
+    def get_alarms(group,overides={})
       # generate default alarms
       default_alarms()
-      
+
+      # override any group properties
+      group_overrides = overides.has_key?('GroupOverrides') ? overides['GroupOverrides'] : {}
+      overides.delete('GroupOverrides')
+      if group_overrides.any?
+        @alarms.each do |alarm|
+          logger.debug("overriding #{alarm.name} alarm properties for resource #{alarm.resource_id} in resource group #{group} via group overrides") 
+          group_overrides.each {|attr,value| update_object(alarm,attr,value)}
+        end
+      end
+
       # loop over each override template for the service
-      overides.each do |name,properties|
-        
+      overides.each do |name,properties|       
         # disable default alarms
         if [false].include?(properties)
-          alarm = find_alarm(name)
+          alarms = find_alarms(name)
           
-          if !alarm.nil?
-            alarm.enabled = false 
-            logger.debug "Disabling alarm '#{name}' for resource #{alarm.resource_id}"
+          if !alarms.nil?
+            alarms.each do |alarm| 
+              alarm.enabled = false
+              logger.info "disabling alarm '#{name}' for resource #{alarm.resource_id}"
+            end
             next
           end
         end
-        
+
         # continue if the override is in the incorrect format
         unless properties.is_a?(Hash)
           if name != 'Inherit'
-            logger.warn "Incorrect format for alarm '#{name}'. Should be of type 'Hash', instead got type '#{properties.group}'"
+            logger.warn "incorrect format for alarm '#{name}'. Should be of type 'Hash', instead got type '#{properties.group}'"
           end
           next
         end
-        
+
+        properties.merge!(group_overrides)
+
         # Create a new alarm inheriting the defaults of an existing alarm
         if properties.has_key?('Inherit')
           alarm = find_alarm(properties['Inherit'])
           if !alarm.nil?
+            logger.debug("creating new alarm #{name} for alarm group #{self.class.to_s.split('::').last} inheriting properties from alarm #{properties['Inherit']}")
             inheritited_alarm = alarm.clone
             alarm.name = name
-            properties.each {|attr,value| update_alarm(inheritited_alarm,attr,value)}
+            properties.each {|attr,value| update_object(inheritited_alarm,attr,value)}
             @alarms.push(inheritited_alarm)
           else
-            logger.warn "Alarm '#{properties['Inherit']}' doesn't exists and cannot be inherited"
+            logger.warn "alarm '#{properties['Inherit']}' doesn't exists and cannot be inherited"
           end
           next
         end
         
-        alarm = find_alarm(name)
-        
-        if alarm.nil?
-          # if alarm doesn't exist create a new one
-          alarm = Kernel.const_get("CfnGuardian::Models::#{self.class.to_s.split('::').last}Alarm").new(resource)
-          properties.each {|attr,value| update_alarm(alarm,attr,value)}
-          alarm.name = name
-          @alarms.push(alarm)
+        alarms = find_alarms(name)
+
+        if alarms.empty?
+          # if the alarm doesn't exist and it's not being inherited from another alarm create a new alarm
+          resources = @resource.has_key?('Hosts') ? @resource['Hosts'] : [@resource]
+          resources.each do |res|
+            alarm = Kernel.const_get("CfnGuardian::Models::#{self.class.to_s.split('::').last}Alarm").new(res)
+            properties.each {|attr,value| update_object(alarm,attr,value)}
+            alarm.name = name
+            logger.debug("created new alarm #{alarm.name} for resource #{alarm.resource_id} in resource group #{group}")
+            @alarms.push(alarm)
+          end
         else
           # if there is an existing alarm update the properties
-          properties.each {|attr,value| update_alarm(alarm,attr,value)}
+          alarms.each do |alarm|
+            logger.debug("overriding #{alarm.name} alarm properties for resource #{alarm.resource_id} in resource group #{group} via alarm overrides") 
+            properties.each {|attr,value| update_object(alarm,attr,value)}
+          end
         end
       end
       
@@ -81,6 +104,20 @@ module CfnGuardian::Resource
         @alarms.each {|a| a.group = @override_group}
       end
       
+      # String interpolation for alarm dimensions
+      @alarms.each do |alarm|
+        next if alarm.dimensions.nil?
+        alarm.dimensions.each do |k,v|
+          if v.is_a?(String) && v.match?(/^\${Resource::.*[A-Za-z]}$/)
+            resource_key = v.tr('${}', '').split('Resource::').last
+            if @resource.has_key?(resource_key)
+              logger.debug "overriding alarm #{alarm.name} dimension key '#{k}' with value '#{@resource[resource_key]}'" 
+              alarm.dimensions[k] = @resource[resource_key]
+            end
+          end
+        end
+      end
+
       return @alarms.select{|a| a.enabled}
     end
     
@@ -113,6 +150,60 @@ module CfnGuardian::Resource
       default_metric_filters()
       return @metric_filters
     end
+
+    # Overidden by inheritted classes to define default checks
+    def default_event_subscriptions()
+      return @event_subscriptions
+    end
+    
+    def get_event_subscriptions(group, overides)
+      # generate defailt event subscriptions
+      default_event_subscriptions()
+
+      # overide the defaults
+      overides.each do |name, properties|
+        event_subscription = find_event_subscriptions(name)
+
+        # disbable the event subscription if the value is false
+        if [false].include?(properties)
+          unless event_subscription.nil?
+            event_subscription.enabled = false
+            logger.info "Disabling event subscription #{name} for #{group} #{event_subscription.resource_id}"
+          end
+
+          next
+        end
+
+        # ignore all properties not in a proper format
+        next unless properties.is_a?(Hash) 
+
+        # Create a new event subscription by inheriting an existing one
+        if properties.has_key?('Inherit')
+          inherit_event_subscription = find_event_subscriptions(properties['Inherit'])
+          
+          if inherit_event_subscription.nil?
+            logger.warn "Unable to create #{topic} RDSEventSubscription by inheriting #{properties['Inherit']} as it cannot be found"
+            next
+          end
+
+          event_subscription = inherit_event_subscription.clone
+          event_subscription.enabled = true
+          event_subscription.name = name
+          @event_subscriptions.push(event_subscription) 
+          logger.debug "Inheriting RDSEventSubscription #{properties['Inherit']}"
+        end
+
+        if event_subscription.nil?
+          event_subscription = Kernel.const_get("CfnGuardian::Models::#{self.class.to_s.split('::').last}EventSubscription").new(@resource)
+          event_subscription.name = name
+          @event_subscriptions.push(event_subscription) 
+        end
+
+        properties.each {|attr,value| update_object(event_subscription,attr,value)}
+      end
+
+      return @event_subscriptions.select {|es| es.enabled }
+    end
     
     def get_cost()
       return @alarms.length * 0.10
@@ -123,13 +214,22 @@ module CfnGuardian::Resource
     def find_alarm(name)
       @alarms.detect {|alarm| alarm.name == name}
     end
-    
-    def update_alarm(alarm,attr,value)
+
+    def find_alarms(name)
+      @alarms.find_all {|alarm| alarm.name == name}
+    end
+
+    def find_event_subscriptions(name)
+      @event_subscriptions.detect {|es| es.name == name}
+    end
+
+    def update_object(obj,attr,value)
+      logger.debug("overriding #{obj.type} property '#{attr}' with value #{value} for resource id: #{obj.resource_id}")
       begin
-        alarm.send("#{attr.to_underscore}=",value)
+        obj.send("#{attr.to_underscore}=",value.clone)
       rescue NoMethodError => e
         if !e.message.match?(/inherit/)
-          logger.warn "Unknown key '#{attr}' for #{alarm.resource_id} alarm #{alarm.name}"
+          logger.warn "Unknown property '#{attr}' for type: #{obj.type} and resource id: #{obj.resource_id}"
         end
       end
     end

data/lib/cfnguardian/resources/batch.rb

@@ -0,0 +1,14 @@
+module CfnGuardian::Resource
+  class Batch < Base
+    def default_event_subscriptions()
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'FailedBatch'
+      event_subscription.detail_type = 'Batch Job State Change'
+      event_subscription.detail = {
+        'status': ['FAILED'],
+        'jobQueue': ["arn:aws:batch:${AWS::Region}:${AWS::AccountId}:job-queue/#{@resource['Id']}"]
+      }
+      @event_subscriptions.push(event_subscription)
+    end
+  end
+end

data/lib/cfnguardian/resources/ec2_instance.rb

@@ -19,6 +19,17 @@ module CfnGuardian
         @alarms.push(alarm)
       end
       
+      def default_event_subscriptions()
+        event_subscription = CfnGuardian::Models::Ec2InstanceEventSubscription.new(@resource)
+        event_subscription.name = 'InstanceTerminated'
+        event_subscription.detail_type = 'EC2 Instance State-change Notification'
+        event_subscription.detail = {
+          'instance-id' => [@resource['Id']],
+          'state' => ['terminated']
+        }
+        @event_subscriptions.push(event_subscription)
+      end
+
     end
   end
 end

data/lib/cfnguardian/resources/glue.rb

@@ -0,0 +1,23 @@
+module CfnGuardian::Resource
+  class Glue < Base
+    def default_event_subscriptions()
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'FailedGlueJob'
+      event_subscription.detail_type = 'Glue Job State Change'
+      event_subscription.detail = {
+        'state': ['FAILED'],
+        'jobName': [{'prefix': @resource['Id']}]
+      }
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'TimeoutGlueJob'
+      event_subscription.detail_type = 'Glue Job State Change'
+      event_subscription.detail = {
+        'state': ['TIMEOUT'],
+        'jobName': [{'prefix': @resource['Id']}]
+      }
+      @event_subscriptions.push(event_subscription)
+    end
+  end
+end

data/lib/cfnguardian/resources/http.rb

@@ -41,6 +41,7 @@ module CfnGuardian::Resource
         alarm = CfnGuardian::Models::SslAlarm.new(@resource)
         alarm.name = 'ExpiresInDaysTask'
         alarm.metric_name = 'ExpiresInDays'
+        alarm.alarm_action = 'Task'
         alarm.threshold = 30
         @alarms.push(alarm)
       end

data/lib/cfnguardian/resources/rds_cluster.rb

@@ -0,0 +1,14 @@
+module CfnGuardian::Resource
+    class RDSCluster < Base
+           
+      def default_event_subscriptions()
+        event_subscription = CfnGuardian::Models::RDSClusterEventSubscription.new(@resource)
+        event_subscription.name = 'FailoverFailed'
+        event_subscription.rds_event_category = 'failover'
+        event_subscription.message = 'A failover for the DB cluster has failed.'
+        @event_subscriptions.push(event_subscription)
+      end
+  
+    end
+  end
+  

data/lib/cfnguardian/resources/rds_instance.rb

@@ -41,7 +41,87 @@ module CfnGuardian::Resource
       alarm.threshold = 45
       alarm.evaluation_periods = 10
       @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::RDSInstanceAlarm.new(@resource)
+      alarm.name = 'ReplicaLag'
+      alarm.metric_name = 'ReplicaLag'
+      alarm.threshold = 30 # seconds
+      alarm.evaluation_periods = 5
+      alarm.alarm_action = 'Warning'
+      alarm.enabled = false
+      @alarms.push(alarm)
     end
     
+    def default_event_subscriptions()
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'MasterPasswordReset'
+      event_subscription.rds_event_category = 'configuration change'
+      event_subscription.message = 'The master password for the DB instance has been reset.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'MasterPasswordResetFailure'
+      event_subscription.rds_event_category = 'configuration change'
+      event_subscription.message = 'An attempt to reset the master password for the DB instance has failed.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'Deletion'
+      event_subscription.rds_event_category = 'deletion'
+      event_subscription.message = 'The DB instance has been deleted.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'MultiAZFailoverStarted'
+      event_subscription.rds_event_category = 'failover'
+      event_subscription.message = 'A Multi-AZ failover that resulted in the promotion of a standby instance has started.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'MultiAZFailoverComplete'
+      event_subscription.rds_event_category = 'failover'
+      event_subscription.message = 'A Multi-AZ failover has completed.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'DBFailure'
+      event_subscription.rds_event_category = 'failure'
+      event_subscription.message = 'The DB instance has failed due to an incompatible configuration or an underlying storage issue. Begin a point-in-time-restore for the DB instance.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'TableCountExceedsRecommended'
+      event_subscription.rds_event_category = 'notification'
+      event_subscription.message = 'The number of tables you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'DatabasesCountExceedsRecommended'
+      event_subscription.rds_event_category = 'notification'
+      event_subscription.message = 'The number of databases you have for your DB instance exceeds the recommended best practices for Amazon RDS.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'ReplicationFailure'
+      event_subscription.enabled = false
+      event_subscription.rds_event_category = 'read replica'
+      event_subscription.message = 'An error has occurred in the read replication process.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'ReplicationTerminated'
+      event_subscription.enabled = false
+      event_subscription.rds_event_category = 'read replica'
+      event_subscription.message = 'Replication on the read replica was terminated.'
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::RDSInstanceEventSubscription.new(@resource)
+      event_subscription.name = 'ReplicationStopped'
+      event_subscription.enabled = false
+      event_subscription.rds_event_category = 'read replica'
+      event_subscription.message = 'Replication on the read replica was manually stopped.'
+      @event_subscriptions.push(event_subscription)
+    end
+
   end
 end

data/lib/cfnguardian/resources/redshift_cluster.rb

@@ -20,9 +20,9 @@ module CfnGuardian::Resource
       alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
       alarm.name = 'UnHealthyCluster'
       alarm.metric_name = 'HealthStatus'
-      alarm.threshold = 0
+      alarm.comparison_operator = 'LessThanThreshold'
+      alarm.threshold = 1
       alarm.evaluation_periods = 10
-      alarm.treat_missing_data = 'notBreaching'
       @alarms.push(alarm)
     end
     

data/lib/cfnguardian/resources/step_functions.rb

@@ -0,0 +1,41 @@
+module CfnGuardian::Resource
+  class StepFunctions < Base
+      
+    def default_alarms    
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionsFailed'
+      alarm.metric_name = 'ExecutionsFailed'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionsTimedOut'
+      alarm.metric_name = 'ExecutionsTimedOut'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionThrottled'
+      alarm.metric_name = 'ExecutionThrottled'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.alarm_action = 'Warning'
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionTime'
+      alarm.metric_name = 'ExecutionTime'
+      alarm.threshold = 60
+      alarm.evaluation_periods = 5
+      alarm.alarm_action = 'Warning'
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+    end
+      
+  end
+end