cfn-guardian 0.4.0 → 0.6.2

data/lib/cfnguardian/models/check.rb

@@ -2,7 +2,7 @@ require 'cfnguardian/string'
 
 module CfnGuardian
   module Models
-    class Check
+    class BaseCheck
       
       attr_reader :type
       attr_accessor :group,
@@ -13,7 +13,9 @@ module CfnGuardian
         :runtime,
         :environment,
         :subnets, 
-        :vpc
+        :vpc,
+        :memory,
+        :timeout
         
       def initialize(resource)
         @type = 'Check'
@@ -26,17 +28,19 @@ module CfnGuardian
         @environment = ''
         @subnets = nil
         @vpc = nil
+        @memory = 128
+        @timeout = 120
       end
     end
     
-    class HttpCheck < Check      
+    class HttpCheck < BaseCheck      
       def initialize(resource)
         super(resource)
         @group = 'Http'
         @name = 'HttpCheck'
         @package = 'http-check'
         @handler = 'handler.http_check'
-        @version = '0bc33e51abb1f27729ecb170611bf6b440e71a0e'
+        @version = 'f739631de74f1a882163b7e584a8b4710ccbc134'
         @runtime = 'python3.7'
       end
     end
@@ -52,7 +56,7 @@ module CfnGuardian
       end
     end
     
-    class PortCheck < Check      
+    class PortCheck < BaseCheck      
       def initialize(resource)
         super(resource)
         @group = 'Port'
@@ -75,7 +79,7 @@ module CfnGuardian
       end
     end
     
-    class NrpeCheck < Check
+    class NrpeCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'Nrpe'
@@ -90,7 +94,7 @@ module CfnGuardian
       end
     end
     
-    class SslCheck < Check
+    class SslCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'Ssl'
@@ -113,7 +117,7 @@ module CfnGuardian
       end
     end
     
-    class DomainExpiryCheck < Check
+    class DomainExpiryCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'DomainExpiry'
@@ -125,7 +129,7 @@ module CfnGuardian
       end
     end
     
-    class SqlCheck < Check
+    class SqlCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'Sql'
@@ -140,7 +144,7 @@ module CfnGuardian
       end
     end
     
-    class ContainerInstanceCheck < Check
+    class ContainerInstanceCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'ContainerInstance'
@@ -152,7 +156,7 @@ module CfnGuardian
       end
     end
     
-    class TLSCheck < Check
+    class TLSCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'TLS'
@@ -164,7 +168,7 @@ module CfnGuardian
       end
     end
     
-    class SFTPCheck < Check
+    class SFTPCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'SFTP'
@@ -187,5 +191,19 @@ module CfnGuardian
       end
     end
 
+    class AzureFileCheck < BaseCheck
+      def initialize(resource)
+        super(resource)
+        @group = 'AzureFile'
+        @name = 'AzureFileCheck'
+        @package = 'azure-file-check'
+        @handler = 'handler.file_check'
+        @version = 'cc37aa8fe4855570132431611b507274b390f4c1'
+        @runtime = 'python3.7'
+        @memory = 256
+        @timeout = 600
+      end
+    end
+
   end
 end

data/lib/cfnguardian/models/event.rb

@@ -2,7 +2,7 @@ require 'cfnguardian/string'
 
 module CfnGuardian
   module Models
-    class Event
+    class BaseEvent
       
       attr_reader :type
       attr_accessor :group,
@@ -31,7 +31,7 @@ module CfnGuardian
       end      
     end
     
-    class HttpEvent < Event
+    class HttpEvent < BaseEvent
       
       attr_accessor :endpoint,
         :method,
@@ -81,7 +81,7 @@ module CfnGuardian
       end
     end
     
-    class PortEvent < Event      
+    class PortEvent < BaseEvent      
       def initialize(resource)
         super(resource)
         @group = 'Port'
@@ -112,7 +112,7 @@ module CfnGuardian
       end
     end
     
-    class NrpeEvent < Event      
+    class NrpeEvent < BaseEvent      
       def initialize(resource,environment,command)
         super(resource)
         @group = 'Nrpe'
@@ -121,6 +121,7 @@ module CfnGuardian
         @host = resource['Id']
         @environment = environment
         @region = resource.fetch('Region',"${AWS::Region}")
+        @hash = Digest::MD5.hexdigest "#{resource['Id']}#{command}"
         @command = command
       end
       
@@ -134,13 +135,13 @@ module CfnGuardian
       end
     end
     
-    class SslEvent < Event
+    class SslEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'Ssl'
         @name = 'SslEvent'
         @target = 'SslCheckFunction'
-        @cron = "0 12 * * ? *" 
+        @cron = resource.fetch('Schedule', "0 12 * * ? *")
         @url = resource['Id']
         @region = resource.fetch('Region',"${AWS::Region}")
       end
@@ -163,7 +164,7 @@ module CfnGuardian
       end
     end
     
-    class DomainExpiryEvent < Event
+    class DomainExpiryEvent < BaseEvent
       
       attr_accessor :domain,
         :region
@@ -173,7 +174,7 @@ module CfnGuardian
         @group = 'DomainExpiry'
         @name = 'DomainExpiryEvent'
         @target = 'DomainExpiryCheckFunction'
-        @cron = "0 12 * * ? *" 
+        @cron = resource.fetch('Schedule', "0 12 * * ? *")
         @domain = resource['Id']
         @region = resource.fetch('Region',"${AWS::Region}")
       end
@@ -183,7 +184,7 @@ module CfnGuardian
       end
     end
     
-    class SqlEvent < Event
+    class SqlEvent < BaseEvent
       def initialize(resource,query,environment)
         super(resource)
         @group = 'Sql'
@@ -221,13 +222,13 @@ module CfnGuardian
       end
     end
     
-    class ContainerInstanceEvent < Event
+    class ContainerInstanceEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'ContainerInstance'
         @name = 'ContainerInstanceEvent'
         @target = 'ContainerInstanceCheckFunction'
-        @cron = "0/5 * * * ? *"
+        @cron = resource.fetch('Schedule', "0/5 * * * ? *")
         @cluster = resource['Id']
       end
       
@@ -236,13 +237,13 @@ module CfnGuardian
       end
     end
     
-    class SFTPEvent < Event
+    class SFTPEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'SFTP'
         @name = 'SFTPEvent'
         @target = 'SFTPCheckFunction'
-        @cron = "0/5 * * * ? *"
+        @cron = resource.fetch('Schedule', "0/5 * * * ? *")
         @host = resource['Id']
         @user = resource['User']
         @port = resource.fetch('Port', nil)
@@ -288,13 +289,13 @@ module CfnGuardian
       end
     end
     
-    class TLSEvent < Event
+    class TLSEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'TLS'
         @name = 'TLSEvent'
         @target = 'TLSCheckFunction'
-        @cron = "0/5 * * * ? *"
+        @cron = resource.fetch('Schedule', "0/5 * * * ? *")
         @host = resource['Id']
         @port = resource.fetch('Port', 443)
         @check_max = resource.fetch('MaxSupported', nil)
@@ -312,5 +313,32 @@ module CfnGuardian
       end
     end
 
+    class AzureFileEvent < BaseEvent
+      def initialize(resource)
+        super(resource)
+        @group = 'AzureFile'
+        @name = 'AzureFileEvent'
+        @target = 'AzureFileCheckFunction'
+        @cron = resource.fetch('Schedule', "0/5 * * * ? *")
+        @storage_account = resource['Id']
+        @container = resource['Container']
+        @connection_string = resource['ConnectionString']
+        @search = resource['Search']
+      end
+
+      def payload
+        return {
+          'STORAGE_ACCOUNT' => @storage_account,
+          'CONTAINER' => @container,
+          'CONNECTION_STRING' => @connection_string,
+          'SEARCH' => @search
+        }.to_json
+      end
+
+      def ssm_parameters
+        return [@connection_string]
+      end
+    end
+
   end
 end

data/lib/cfnguardian/models/event_subscription.rb

@@ -0,0 +1,96 @@
+module CfnGuardian
+    module Models
+        class BaseEventSubscription
+            
+            attr_reader :type, :group
+            attr_writer :detail
+            attr_accessor :name,
+                :enabled,
+                :hash,
+                :topic,
+                :resource_id,
+                :resource_arn,
+                :source,
+                :detail_type,
+                :detail
+
+            def initialize(resource)
+                @type = 'EventSubscription'
+                @group = self.class.name.split('::').last
+                @name = ''
+                @hash = Digest::MD5.hexdigest resource['Id']
+                @enabled = true
+                @events = []
+                @topic = 'Events'
+                @resource_id = resource['Id']
+                @resource_arn = ''
+                @source = ''
+                @detail_type = ''
+                @detail = {}
+            end
+
+            def detail
+                return @detail
+            end
+        end
+
+        class RDSEventSubscription < BaseEventSubscription
+            attr_accessor :source_id, :rds_event_category, :message
+
+            def initialize(resource)
+                super(resource)
+                @source = 'aws.rds'
+                @detail_type = 'RDS DB Instance Event'
+                @source_id = ''
+                @rds_event_category = ''
+                @message = ''
+            end
+
+            def detail
+                return {
+                    EventCategories: [@rds_event_category],
+                    SourceType: [@source_type],
+                    SourceIdentifier: ["rds:#{@resource_id}"],
+                    Message: [@message]
+                }
+            end
+        end
+
+        class RDSInstanceEventSubscription < RDSEventSubscription
+            def initialize(resource)
+                super(resource)
+                @source_type = 'DB_INSTANCE'
+            end
+        end
+
+        class RDSClusterEventSubscription < RDSEventSubscription
+            def initialize(resource)
+                super(resource)
+                @source_type = 'DB_CLUSTER'
+            end
+        end
+
+        class Ec2InstanceEventSubscription < BaseEventSubscription
+            def initialize(resource)
+                super(resource)
+                @source = 'aws.ec2'
+            end
+        end
+
+        class ApiGatewayEventSubscription < BaseEventSubscription; end
+        class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
+        class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
+        class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
+        class AutoScalingGroupEventSubscription < BaseEventSubscription; end
+        class DynamoDBTableEventSubscription < BaseEventSubscription; end
+        class Ec2InstanceEventSubscription < BaseEventSubscription; end
+        class ECSClusterEventSubscription < BaseEventSubscription; end
+        class ECSServiceEventSubscription < BaseEventSubscription; end
+        class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
+        class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
+        class ElasticFileSystemEventSubscription < BaseEventSubscription; end
+        class LambdaEventSubscription < BaseEventSubscription; end
+        class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
+        class RedshiftClusterEventSubscription < BaseEventSubscription; end
+    end
+end

data/lib/cfnguardian/resources/azure_file.rb

@@ -0,0 +1,20 @@
+module CfnGuardian::Resource
+    class AzureFile < Base
+
+      def default_alarms
+        alarm = CfnGuardian::Models::AzureFileAlarm.new(@resource)
+        alarm.name = 'FileExpired'
+        alarm.metric_name = 'FileExpired'
+        @alarms.push(alarm)
+      end
+
+      def default_events
+        @events.push(CfnGuardian::Models::AzureFileEvent.new(@resource))
+      end
+
+      def default_checks
+        @checks.push(CfnGuardian::Models::AzureFileCheck.new(@resource))
+      end
+
+    end
+  end

data/lib/cfnguardian/resources/base.rb

@@ -4,6 +4,7 @@ require 'cfnguardian/models/alarm'
 require 'cfnguardian/models/event'
 require 'cfnguardian/models/check'
 require 'cfnguardian/models/metric_filter'
+require 'cfnguardian/models/event_subscription'
 
 module CfnGuardian::Resource
   class Base
@@ -16,6 +17,7 @@ module CfnGuardian::Resource
       @events = []
       @checks = []
       @metric_filters = []
+      @event_subscriptions = []
     end
     
     # Overidden by inheritted classes to define default alarms
@@ -23,7 +25,7 @@ module CfnGuardian::Resource
       return @alarms
     end
     
-    def get_alarms(resource,group,overides={})
+    def get_alarms(group,overides={})
       # generate default alarms
       default_alarms()
 
@@ -32,20 +34,22 @@ module CfnGuardian::Resource
       overides.delete('GroupOverrides')
       if group_overrides.any?
         @alarms.each do |alarm|
-          group_overrides.each {|attr,value| update_alarm(alarm,attr,value)}
+          logger.debug("overriding #{alarm.name} alarm properties for resource #{alarm.resource_id} in resource group #{group} via group overrides") 
+          group_overrides.each {|attr,value| update_object(alarm,attr,value)}
         end
       end
 
       # loop over each override template for the service
-      overides.each do |name,properties|
-        
+      overides.each do |name,properties|       
         # disable default alarms
         if [false].include?(properties)
-          alarm = find_alarm(name)
+          alarms = find_alarms(name)
           
-          if !alarm.nil?
-            alarm.enabled = false 
-            logger.debug "Disabling alarm '#{name}' for resource #{alarm.resource_id}"
+          if !alarms.nil?
+            alarms.each do |alarm| 
+              alarm.enabled = false
+              logger.info "disabling alarm '#{name}' for resource #{alarm.resource_id}"
+            end
             next
           end
         end
@@ -53,7 +57,7 @@ module CfnGuardian::Resource
         # continue if the override is in the incorrect format
         unless properties.is_a?(Hash)
           if name != 'Inherit'
-            logger.warn "Incorrect format for alarm '#{name}'. Should be of type 'Hash', instead got type '#{properties.group}'"
+            logger.warn "incorrect format for alarm '#{name}'. Should be of type 'Hash', instead got type '#{properties.group}'"
           end
           next
         end
@@ -64,31 +68,35 @@ module CfnGuardian::Resource
         if properties.has_key?('Inherit')
           alarm = find_alarm(properties['Inherit'])
           if !alarm.nil?
+            logger.debug("creating new alarm #{name} for alarm group #{self.class.to_s.split('::').last} inheriting properties from alarm #{properties['Inherit']}")
             inheritited_alarm = alarm.clone
             alarm.name = name
-            properties.each {|attr,value| update_alarm(inheritited_alarm,attr,value)}
+            properties.each {|attr,value| update_object(inheritited_alarm,attr,value)}
             @alarms.push(inheritited_alarm)
           else
-            logger.warn "Alarm '#{properties['Inherit']}' doesn't exists and cannot be inherited"
+            logger.warn "alarm '#{properties['Inherit']}' doesn't exists and cannot be inherited"
           end
           next
         end
         
-        alarm = find_alarm(name)
+        alarms = find_alarms(name)
 
-        if alarm.nil?
-          if @resource.has_key?('Hosts')
-            logger.warn("this resource doesn't support adding new alarms")
-            next
+        if alarms.empty?
+          # if the alarm doesn't exist and it's not being inherited from another alarm create a new alarm
+          resources = @resource.has_key?('Hosts') ? @resource['Hosts'] : [@resource]
+          resources.each do |res|
+            alarm = Kernel.const_get("CfnGuardian::Models::#{self.class.to_s.split('::').last}Alarm").new(res)
+            properties.each {|attr,value| update_object(alarm,attr,value)}
+            alarm.name = name
+            logger.debug("created new alarm #{alarm.name} for resource #{alarm.resource_id} in resource group #{group}")
+            @alarms.push(alarm)
           end
-          # if alarm doesn't exist create a new one
-          alarm = Kernel.const_get("CfnGuardian::Models::#{self.class.to_s.split('::').last}Alarm").new(@resource)
-          properties.each {|attr,value| update_alarm(alarm,attr,value)}
-          alarm.name = name
-          @alarms.push(alarm)
         else
           # if there is an existing alarm update the properties
-          properties.each {|attr,value| update_alarm(alarm,attr,value)}
+          alarms.each do |alarm|
+            logger.debug("overriding #{alarm.name} alarm properties for resource #{alarm.resource_id} in resource group #{group} via alarm overrides") 
+            properties.each {|attr,value| update_object(alarm,attr,value)}
+          end
         end
       end
       
@@ -96,6 +104,20 @@ module CfnGuardian::Resource
         @alarms.each {|a| a.group = @override_group}
       end
       
+      # String interpolation for alarm dimensions
+      @alarms.each do |alarm|
+        next if alarm.dimensions.nil?
+        alarm.dimensions.each do |k,v|
+          if v.match?(/^\${Resource::.*[A-Za-z]}$/)
+            resource_key = v.tr('${}', '').split('Resource::').last
+            if @resource.has_key?(resource_key)
+              logger.debug "overriding alarm #{alarm.name} dimension key '#{k}' with value '#{@resource[resource_key]}'" 
+              alarm.dimensions[k] = @resource[resource_key]
+            end
+          end
+        end
+      end
+
       return @alarms.select{|a| a.enabled}
     end
     
@@ -128,6 +150,60 @@ module CfnGuardian::Resource
       default_metric_filters()
       return @metric_filters
     end
+
+    # Overidden by inheritted classes to define default checks
+    def default_event_subscriptions()
+      return @event_subscriptions
+    end
+    
+    def get_event_subscriptions(group, overides)
+      # generate defailt event subscriptions
+      default_event_subscriptions()
+
+      # overide the defaults
+      overides.each do |name, properties|
+        event_subscription = find_event_subscriptions(name)
+
+        # disbable the event subscription if the value is false
+        if [false].include?(properties)
+          unless event_subscription.nil?
+            event_subscription.enabled = false
+            logger.info "Disabling event subscription #{name} for #{group} #{event_subscription.resource_id}"
+          end
+
+          next
+        end
+
+        # ignore all properties not in a proper format
+        next unless properties.is_a?(Hash) 
+
+        # Create a new event subscription by inheriting an existing one
+        if properties.has_key?('Inherit')
+          inherit_event_subscription = find_event_subscriptions(properties['Inherit'])
+          
+          if inherit_event_subscription.nil?
+            logger.warn "Unable to create #{topic} RDSEventSubscription by inheriting #{properties['Inherit']} as it cannot be found"
+            next
+          end
+
+          event_subscription = inherit_event_subscription.clone
+          event_subscription.enabled = true
+          event_subscription.name = name
+          @event_subscriptions.push(event_subscription) 
+          logger.debug "Inheriting RDSEventSubscription #{properties['Inherit']}"
+        end
+
+        if event_subscription.nil?
+          event_subscription = Kernel.const_get("CfnGuardian::Models::#{self.class.to_s.split('::').last}EventSubscription").new(@resource)
+          event_subscription.name = name
+          @event_subscriptions.push(event_subscription) 
+        end
+
+        properties.each {|attr,value| update_object(event_subscription,attr,value)}
+      end
+
+      return @event_subscriptions.select {|es| es.enabled }
+    end
     
     def get_cost()
       return @alarms.length * 0.10
@@ -138,13 +214,22 @@ module CfnGuardian::Resource
     def find_alarm(name)
       @alarms.detect {|alarm| alarm.name == name}
     end
-    
-    def update_alarm(alarm,attr,value)
+
+    def find_alarms(name)
+      @alarms.find_all {|alarm| alarm.name == name}
+    end
+
+    def find_event_subscriptions(name)
+      @event_subscriptions.detect {|es| es.name == name}
+    end
+
+    def update_object(obj,attr,value)
+      logger.debug("overriding #{obj.type} property '#{attr}' with value #{value} for resource id: #{obj.resource_id}")
       begin
-        alarm.send("#{attr.to_underscore}=",value)
+        obj.send("#{attr.to_underscore}=",value.clone)
       rescue NoMethodError => e
         if !e.message.match?(/inherit/)
-          logger.warn "Unknown key '#{attr}' for #{alarm.resource_id} alarm #{alarm.name}"
+          logger.warn "Unknown property '#{attr}' for type: #{obj.type} and resource id: #{obj.resource_id}"
         end
       end
     end