cfn-guardian 0.4.0 → 0.6.6

data/lib/cfnguardian/cloudwatch.rb

@@ -9,50 +9,61 @@ module CfnGuardian
       alarm_id = alarm.resource_name.nil? ? alarm.resource_id : alarm.resource_name
       return "guardian-#{alarm.group}-#{alarm_id}-#{alarm.name}"
     end
-    
-    def self.get_alarms(alarms)
-      alarm_names = alarms.map {|alarm| self.get_alarm_name(alarm)}
-      
+        
+    def self.get_alarms_by_prefix(prefix:, state: nil, action_prefix: nil)
       client = Aws::CloudWatch::Client.new()
+      options = {max_records: 100}
+      options[:alarm_name_prefix] = prefix
+
+      unless state.nil?
+        options[:state_value] = state
+      end
+
+      unless action_prefix.nil?
+        options[:action_prefix] = action_prefix
+      end
+
+      resp = client.describe_alarms(options)
+      return resp.metric_alarms
+    end
+
+    def self.get_alarms_by_name(alarm_names:, state: nil, action_prefix: nil)
+      client = Aws::CloudWatch::Client.new()
+      options = {max_records: 100}
+
+      unless state.nil?
+        options[:state_value] = state
+      end
+
+      unless action_prefix.nil?
+        options[:action_prefix] = "arn:aws:sns:#{Aws.config[:region]}:#{aws_account_id()}:#{action_prefix}"
+      end
+
       metric_alarms = []
       alarm_names.each_slice(100) do |batch|
-        resp = client.describe_alarms({alarm_names: batch, max_records: 100})
+        options[:alarm_names] = batch
+        resp = client.describe_alarms(options)
         metric_alarms.push(*resp.metric_alarms)
       end
-      
+
       return metric_alarms
     end
-    
-    def self.get_alarm_state(config_alarms: [], alarm_names: [], alarm_prefix: nil, state: nil)
-      rows = []
-      
-      if config_alarms.any?
-        alarm_names = config_alarms.map {|alarm| self.get_alarm_name(alarm)}
-      end
-      
-      client = Aws::CloudWatch::Client.new()
-      
-      options = {max_records: 100}
-      options[:state_value] = state if !state.nil?
-      
-      cw_alarms = []
-      if !alarm_prefix.nil?
-        options[:alarm_name_prefix] = alarm_prefix
-        resp = client.describe_alarms(options)
-        cw_alarms = resp.metric_alarms
-      else
-        alarm_names.each_slice(100) do |batch|
-          options[:alarm_names] = batch
-          resp = client.describe_alarms(options)
-          cw_alarms.push(*resp.metric_alarms)
+
+    def self.filter_alarms(filters:, alarms:)
+      return alarms unless filters.is_a?(Hash)
+      filters = filters.slice('group', 'resource', 'alarm', 'stack-id')
+
+      filtered_alarms = []
+      alarms.each do |alarm|
+        if filters.values.all? {|filter| alarm.alarm_name.include? (filter)}
+          filtered_alarms << alarm
         end
       end
-      
-      return cw_alarms
+
+      return filtered_alarms
     end
     
     def self.get_alarm_history(alarm_name,type)
-      rows = []
       client = Aws::CloudWatch::Client.new()
       
       logger.debug "Searching #{type} history for #{alarm_name}"

data/lib/cfnguardian/codecommit.rb

@@ -19,9 +19,18 @@ module CfnGuardian
       return resp.branch.commit_id
     end
     
-    def get_commit_history(branch='master',count=10)
+    def get_commit_history(branch,count)
       history = []
-      commit = get_last_commit(branch)
+
+      begin
+        commit = get_last_commit(branch)
+      rescue Aws::CodeCommit::Errors::BranchDoesNotExistException => e
+        logger.error "Branch #{branch} does not exist in the #{@repo_name} repository"
+        return []
+      rescue Aws::CodeCommit::Errors::RepositoryDoesNotExistException => e
+        logger.error "Respository #{@repo_name} does not exist in this AWS account or region"
+        return []
+      end
       
       count.times do
         

data/lib/cfnguardian/compile.rb

@@ -35,6 +35,13 @@ require 'cfnguardian/resources/log_group'
 require 'cfnguardian/resources/sftp'
 require 'cfnguardian/resources/internal_sftp'
 require 'cfnguardian/resources/tls'
+require 'cfnguardian/resources/azure_file'
+require 'cfnguardian/resources/amazonmq_rabbitmq'
+require 'cfnguardian/resources/batch'
+require 'cfnguardian/resources/glue'
+require 'cfnguardian/resources/step_functions'
+require 'cfnguardian/version'
+require 'cfnguardian/error'
 
 module CfnGuardian
   class Compile
@@ -50,9 +57,10 @@ module CfnGuardian
       @templates = config.fetch('Templates',{})
       @topics = config.fetch('Topics',{})
       @maintenance_groups = config.fetch('MaintenaceGroups', {})
+      @event_subscriptions = config.fetch('EventSubscriptions', {})
       
       # Make sure the default topics exist if they aren't supplied in the alarms.yaml
-      %w(Critical Warning Task Informational).each do |topic|
+      %w(Critical Warning Task Informational Events).each do |topic|
         @topics[topic] = '' unless @topics.has_key?(topic)
       end
 
@@ -86,10 +94,15 @@ module CfnGuardian
             end
           end
           
-          overides = @templates.has_key?(group) ? @templates[group] : {}
-          @resources.concat resource_class.get_alarms(resource,group,overides)
+          template_overides = @templates.has_key?(group) ? @templates[group] : {}
+          @resources.concat resource_class.get_alarms(group,template_overides)
+
           @resources.concat resource_class.get_metric_filters()
           @resources.concat resource_class.get_events()
+
+          event_subscriptions = @event_subscriptions.has_key?(group) ? @event_subscriptions[group] : {}
+          @resources.concat resource_class.get_event_subscriptions(group,event_subscriptions)
+          
           @checks.concat resource_class.get_checks()
 
           @cost += resource_class.get_cost
@@ -100,13 +113,16 @@ module CfnGuardian
         resource_groups.each do |group, alarms|
           alarms.each do |alarm, resources|
             resources.each do |resource|
+
               res = @resources.find {|r| 
                 (r.type == 'Alarm') && 
-                (r.class == group && r.name == alarm) &&
+                (r.group == group && r.name == alarm) &&
                 (r.resource_id == resource['Id'] || r.resource_name == resource['Name'])}
+
               unless res.nil?
                 res.maintenance_groups.append("#{maintenance_group}MaintenanceGroup")
               end
+              
             end
           end
         end
@@ -118,11 +134,39 @@ module CfnGuardian
       end
       
       @ssm_parameters = @resources.select {|resource| resource.type == 'Event'}.map {|event| event.ssm_parameters}.flatten.uniq
+
+      validate_resources()
     end
     
     def alarms
       @resources.select {|resource| resource.type == 'Alarm'}
     end
+
+    def validate_resources()
+      errors = []
+      @resources.each do |resource|
+        case resource.type
+        when 'Alarm'
+          %w(metric_name namespace).each do |property|
+            if resource.send(property).nil?
+              errors << "Alarm #{resource.name} for resource #{resource.resource_id} has nil value for property #{property.to_camelcase}"
+            end
+          end
+        when 'Check'
+          # no validation check yet
+        when 'Event'
+          # no validation check yet
+        when 'Composite'
+          # no validation check yet
+        when 'EventSubscription'
+          # no validation check yet
+        when 'MetricFilter'
+          # no validation check yet
+        end
+      end
+
+      raise CfnGuardian::ValidationError, "#{errors.size} errors found\n[*] #{errors.join("\n[*] ")}" if errors.any?
+    end
     
     def split_resources(bucket,path)
       split = @resources.each_slice(200).to_a
@@ -147,7 +191,7 @@ module CfnGuardian
       File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
       
       resources.each_with_index do |resources,index|
-        stack = CfnGuardian::Stacks::Resources.new(main_stack.parameters)
+        stack = CfnGuardian::Stacks::Resources.new(main_stack.parameters,index)
         stack.build_template(resources)
         valid = stack.template.validate
         File.write("out/guardian-stack-#{index}.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
@@ -157,6 +201,43 @@ module CfnGuardian
     def clean_out_directory
       Dir["out/*.yaml"].each {|file| File.delete(file)}
     end
+
+    def load_parameters(options)
+      parameters = {}
+      # Load sns topic parameters in order of preference
+      @topics.each do |key, value|
+        # if parameter is passed in as a command line option
+        if options.has_key?("sns_#{key.downcase}")
+          parameters[key.to_sym] = options["sns_#{key.downcase}"]
+        # if parameter is in config
+        elsif !value.empty?
+          parameters[key.to_sym] = value
+        # if parameter is set as environment variable
+        elsif ENV.has_key?("GUARDIAN_TOPIC_#{key.upcase}")
+          parameters[key.to_sym] = ENV["GUARDIAN_TOPIC_#{key.upcase}"]
+        end
+      end
+
+      return parameters
+    end
+
+    def genrate_template_config(parameters)
+      template = {
+        Tags: {
+          'guardian:version': CfnGuardian::VERSION
+        }
+      }
+
+      if ENV.has_key?('CODEBUILD_RESOLVED_SOURCE_VERSION')
+        template[:Tags][:'guardian:config:commit'] = ENV['CODEBUILD_RESOLVED_SOURCE_VERSION']
+      end
+
+      unless parameters.empty?
+        template[:Parameters] = parameters
+      end
+
+      File.write("out/template-config.guardian.json", template.to_json)
+    end
         
   end
 end

data/lib/cfnguardian/config/defaults.yaml

@@ -1,6 +1,15 @@
 Resources:
   AmazonMQBroker:
   - Id: Default
+  AmazonMQRabbitMQBroker:
+  - Id: Default
+  AmazonMQRabbitMQNode:
+  - Id: Default
+    Node: Default
+  AmazonMQRabbitMQQueue:
+  - Id: Default
+    Queue: Default
+    Vhost: Default
   ApiGateway:
   - Id: Default
   ApplicationTargetGroup:

data/lib/cfnguardian/deploy.rb

@@ -7,27 +7,13 @@ module CfnGuardian
   class Deploy
     include Logging
 
-    def initialize(opts,bucket)
+    def initialize(opts,bucket,parameters)
       @stack_name = opts.fetch(:stack_name,'guardian')
       @bucket = bucket
       @prefix = @stack_name
       @template_path = "out/guardian.compiled.yaml"
       @template_url = "https://#{@bucket}.s3.amazonaws.com/#{@prefix}/guardian.compiled.yaml"
-      @parameters = {}
-      
-      config = YAML.load_file(opts[:config])
-      if config.has_key?('Topics')
-        @parameters['Critical'] = config['Topics'].fetch('Critical','')
-        @parameters['Warning'] = config['Topics'].fetch('Warning','')
-        @parameters['Task'] = config['Topics'].fetch('Task','')
-        @parameters['Informational'] = config['Topics'].fetch('Informational','')
-      end
-
-      @parameters['Critical'] = opts.fetch(:sns_critical,@parameters['Critical'])
-      @parameters['Warning'] = opts.fetch(:sns_warning,@parameters['Warning'])
-      @parameters['Task'] = opts.fetch(:sns_task,@parameters['Task'])
-      @parameters['Informational'] = opts.fetch(:sns_informational,@parameters['Informational'])
-      
+      @parameters = parameters
       @client = Aws::CloudFormation::Client.new()
     end
 

data/lib/cfnguardian/display_formatter.rb

@@ -14,7 +14,6 @@ module CfnGuardian
       
       @alarms.each do |alarm|
         alarm_name = CfnGuardian::CloudWatch.get_alarm_name(alarm)
-        puts alarm_name
         rows = [
           ['ResourceId', alarm.resource_id],
           ['ResourceHash', alarm.resource_hash],
@@ -52,7 +51,7 @@ module CfnGuardian
       
       @alarms.each do |alarm|
         alarm_name = CfnGuardian::CloudWatch.get_alarm_name(alarm)
-        metric_alarm = metric_alarms.find {|ma| ma.alarm_name == alarm_name}
+        metric_alarm = metric_alarms.find {|ma| ma.alarm_name.include? alarm_name}
         dimensions = metric_alarm.dimensions.map {|dim| {dim.name.to_sym => dim.value}}.inject(:merge)
         
         rows = [

data/lib/cfnguardian/error.rb

@@ -0,0 +1,4 @@
+module CfnGuardian
+    class ValidationError < StandardError
+    end
+end

data/lib/cfnguardian/models/alarm.rb

@@ -3,7 +3,7 @@ require 'digest/md5'
 
 module CfnGuardian
   module Models
-    class Alarm
+    class BaseAlarm
       
       attr_reader :type,
         :resource_hash
@@ -65,7 +65,7 @@ module CfnGuardian
     end
     
     
-    class ApiGatewayAlarm < Alarm
+    class ApiGatewayAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ApiGateway'
@@ -74,7 +74,7 @@ module CfnGuardian
       end
     end
     
-    class ApplicationTargetGroupAlarm < Alarm
+    class ApplicationTargetGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ApplicationTargetGroup'
@@ -86,7 +86,7 @@ module CfnGuardian
       end
     end
     
-    class AmazonMQBrokerAlarm < Alarm
+    class AmazonMQBrokerAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'AmazonMQBroker'
@@ -94,8 +94,42 @@ module CfnGuardian
         @dimensions = { Broker: resource['Id'] }
       end
     end
+
+    class AmazonMQRabbitMQBrokerAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'AmazonMQRabbitMQBroker'
+        @namespace = 'AWS/AmazonMQ'
+        @dimensions = { Broker: resource['Id'] }
+      end
+    end
+
+    class AmazonMQRabbitMQNodeAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'AmazonMQRabbitMQNode'
+        @namespace = 'AWS/AmazonMQ'
+        @dimensions = { 
+          Broker: resource['Id'],
+          Node: resource['Node']
+        }
+      end
+    end
+
+    class AmazonMQRabbitMQQueueAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'AmazonMQRabbitMQQueue'
+        @namespace = 'AWS/AmazonMQ'
+        @dimensions = { 
+          Broker: resource['Id'],
+          Queue: resource['Queue'],
+          VirtualHost: resource['Vhost']
+        }
+      end
+    end
     
-    class CloudFrontDistributionAlarm < Alarm
+    class CloudFrontDistributionAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'CloudFrontDistribution'
@@ -109,7 +143,7 @@ module CfnGuardian
       end
     end
     
-    class AutoScalingGroupAlarm < Alarm
+    class AutoScalingGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'AutoScalingGroup'
@@ -118,7 +152,7 @@ module CfnGuardian
       end
     end
     
-    class DomainExpiryAlarm < Alarm
+    class DomainExpiryAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'DomainExpiry'
@@ -128,7 +162,7 @@ module CfnGuardian
       end
     end
     
-    class DynamoDBTableAlarm < Alarm
+    class DynamoDBTableAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'DynamoDBTable'
@@ -137,7 +171,7 @@ module CfnGuardian
       end
     end
     
-    class Ec2InstanceAlarm < Alarm
+    class Ec2InstanceAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Ec2Instance'
@@ -146,7 +180,7 @@ module CfnGuardian
       end
     end
     
-    class ECSClusterAlarm < Alarm
+    class ECSClusterAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ECSCluster'
@@ -158,7 +192,7 @@ module CfnGuardian
       end
     end
     
-    class ECSServiceAlarm < Alarm
+    class ECSServiceAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ECSService'
@@ -170,7 +204,7 @@ module CfnGuardian
       end
     end
     
-    class ElastiCacheReplicationGroupAlarm < Alarm
+    class ElastiCacheReplicationGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ElastiCacheReplicationGroup'
@@ -179,7 +213,7 @@ module CfnGuardian
       end
     end
     
-    class ElasticLoadBalancerAlarm < Alarm
+    class ElasticLoadBalancerAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ElasticLoadBalancer'
@@ -188,7 +222,7 @@ module CfnGuardian
       end
     end
     
-    class ElasticFileSystemAlarm < Alarm
+    class ElasticFileSystemAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'ElasticFileSystem'
@@ -197,7 +231,7 @@ module CfnGuardian
       end
     end
     
-    class HttpAlarm < Alarm
+    class HttpAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Http'
@@ -215,7 +249,7 @@ module CfnGuardian
       end
     end
 
-    class PortAlarm < Alarm
+    class PortAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Port'
@@ -233,7 +267,7 @@ module CfnGuardian
       end
     end
     
-    class SslAlarm < Alarm
+    class SslAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Ssl'
@@ -249,7 +283,7 @@ module CfnGuardian
       end
     end
     
-    class NrpeAlarm < Alarm
+    class NrpeAlarm < BaseAlarm
       def initialize(resource,environment)
         super(resource)
         @group = 'Nrpe'
@@ -260,7 +294,7 @@ module CfnGuardian
       end
     end
 
-    class LambdaAlarm < Alarm
+    class LambdaAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Lambda'
@@ -271,7 +305,7 @@ module CfnGuardian
       end
     end
     
-    class NetworkTargetGroupAlarm < Alarm
+    class NetworkTargetGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'NetworkTargetGroup'
@@ -283,7 +317,7 @@ module CfnGuardian
       end
     end
     
-    class RedshiftClusterAlarm < Alarm
+    class RedshiftClusterAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'RedshiftCluster'
@@ -292,7 +326,7 @@ module CfnGuardian
       end
     end
     
-    class RDSClusterInstanceAlarm < Alarm
+    class RDSClusterInstanceAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'RDSClusterInstance'
@@ -301,7 +335,7 @@ module CfnGuardian
       end
     end
     
-    class RDSInstanceAlarm < Alarm
+    class RDSInstanceAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'RDSInstance'
@@ -309,8 +343,32 @@ module CfnGuardian
         @dimensions = { DBInstanceIdentifier: resource['Id'] }
       end
     end
-    
-    class SqlAlarm < Alarm
+
+    class StepFunctionsAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'StepFunctions'
+        @namespace = 'AWS/States'
+        @dimensions = { StateMachineArn: { "Fn::Sub" => "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:#{resource['Id']}"} }
+      end
+    end
+
+    class BatchAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'Batch'
+      end
+    end
+
+    class GlueAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'Batch'
+        @namespace = 'Glue'
+      end
+    end
+
+    class SqlAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'Sql'
@@ -321,7 +379,7 @@ module CfnGuardian
       end
     end
     
-    class SQSQueueAlarm < Alarm
+    class SQSQueueAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'SQSQueue'
@@ -332,7 +390,7 @@ module CfnGuardian
       end
     end
     
-    class LogGroupAlarm < Alarm
+    class LogGroupAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'LogGroup'
@@ -344,7 +402,7 @@ module CfnGuardian
       end
     end
     
-    class SFTPAlarm < Alarm
+    class SFTPAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'SFTP'
@@ -362,7 +420,7 @@ module CfnGuardian
       end
     end
     
-    class TLSAlarm < Alarm
+    class TLSAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
         @group = 'TLS'
@@ -375,6 +433,18 @@ module CfnGuardian
         @evaluation_periods = 1
       end
     end
+
+    class AzureFileAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'AzureFile'
+        @namespace = 'FileAgeCheck'
+        @period = 300
+        @comparison_operator = 'GreaterThanThreshold'
+        @threshold = 0
+        @dimensions = { StorageAccount: resource['Id'], StorageContainer: resource['Container'] }
+      end
+    end
     
   end
 end