RubyGems - cfn-guardian - Versions diffs - 0.4.0 → 0.6.6 - Mend

cfn-guardian 0.4.0 → 0.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

checksums.yaml +4 -4
data/.github/workflows/build-gem.yml +25 -0
data/.github/workflows/release-gem.yml +25 -0
data/.github/workflows/release-image.yml +33 -0
data/.rspec +1 -0
data/Gemfile.lock +13 -13
data/README.md +4 -820
data/cfn-guardian.gemspec +1 -3
data/docs/alarm_templates.md +130 -0
data/docs/cli.md +182 -0
data/docs/composite_alarms.md +24 -0
data/docs/custom_checks/azure_file_check.md +28 -0
data/docs/custom_checks/domain_expiry.md +10 -0
data/docs/custom_checks/http.md +59 -0
data/docs/custom_checks/log_group_metric_filters.md +27 -0
data/docs/custom_checks/nrpe.md +29 -0
data/docs/custom_checks/port.md +40 -0
data/docs/custom_checks/sftp.md +73 -0
data/docs/custom_checks/sql.md +44 -0
data/docs/custom_checks/tls.md +25 -0
data/docs/custom_metrics.md +71 -0
data/docs/event_subscriptions.md +67 -0
data/docs/maintenance_mode.md +85 -0
data/docs/notifiers.md +33 -0
data/docs/overview.md +22 -0
data/docs/resources.md +93 -0
data/docs/variables.md +58 -0
data/lib/cfnguardian.rb +84 -66
data/lib/cfnguardian/cloudwatch.rb +43 -32
data/lib/cfnguardian/codecommit.rb +11 -2
data/lib/cfnguardian/compile.rb +86 -5
data/lib/cfnguardian/config/defaults.yaml +9 -0
data/lib/cfnguardian/deploy.rb +2 -16
data/lib/cfnguardian/display_formatter.rb +1 -2
data/lib/cfnguardian/error.rb +4 -0
data/lib/cfnguardian/models/alarm.rb +99 -29
data/lib/cfnguardian/models/check.rb +30 -12
data/lib/cfnguardian/models/event.rb +43 -15
data/lib/cfnguardian/models/event_subscription.rb +111 -0
data/lib/cfnguardian/resources/amazonmq_rabbitmq.rb +136 -0
data/lib/cfnguardian/resources/azure_file.rb +20 -0
data/lib/cfnguardian/resources/base.rb +111 -26
data/lib/cfnguardian/resources/batch.rb +14 -0
data/lib/cfnguardian/resources/ec2_instance.rb +11 -0
data/lib/cfnguardian/resources/glue.rb +23 -0
data/lib/cfnguardian/resources/http.rb +1 -0
data/lib/cfnguardian/resources/rds_cluster.rb +14 -0
data/lib/cfnguardian/resources/rds_instance.rb +80 -0
data/lib/cfnguardian/resources/redshift_cluster.rb +2 -2
data/lib/cfnguardian/resources/step_functions.rb +41 -0
data/lib/cfnguardian/stacks/main.rb +7 -6
data/lib/cfnguardian/stacks/resources.rb +34 -5
data/lib/cfnguardian/version.rb +1 -1
metadata +39 -10

data/lib/cfnguardian/models/check.rb CHANGED Viewed

@@ -2,7 +2,7 @@ require 'cfnguardian/string'
 module CfnGuardian
   module Models
-    class Check
+    class BaseCheck
       attr_reader :type
       attr_accessor :group,
@@ -13,7 +13,9 @@ module CfnGuardian
         :runtime,
         :environment,
         :subnets,
-        :vpc
+        :vpc,
+        :memory,
+        :timeout
       def initialize(resource)
         @type = 'Check'
@@ -26,17 +28,19 @@ module CfnGuardian
         @environment = ''
         @subnets = nil
         @vpc = nil
+        @memory = 128
+        @timeout = 120
       end
     end
-    class HttpCheck < Check
+    class HttpCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'Http'
         @name = 'HttpCheck'
         @package = 'http-check'
         @handler = 'handler.http_check'
-        @version = '0bc33e51abb1f27729ecb170611bf6b440e71a0e'
+        @version = 'f739631de74f1a882163b7e584a8b4710ccbc134'
         @runtime = 'python3.7'
       end
     end
@@ -52,7 +56,7 @@ module CfnGuardian
       end
     end
-    class PortCheck < Check
+    class PortCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'Port'
@@ -75,7 +79,7 @@ module CfnGuardian
       end
     end
-    class NrpeCheck < Check
+    class NrpeCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'Nrpe'
@@ -90,7 +94,7 @@ module CfnGuardian
       end
     end
-    class SslCheck < Check
+    class SslCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'Ssl'
@@ -113,7 +117,7 @@ module CfnGuardian
       end
     end
-    class DomainExpiryCheck < Check
+    class DomainExpiryCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'DomainExpiry'
@@ -125,7 +129,7 @@ module CfnGuardian
       end
     end
-    class SqlCheck < Check
+    class SqlCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'Sql'
@@ -140,7 +144,7 @@ module CfnGuardian
       end
     end
-    class ContainerInstanceCheck < Check
+    class ContainerInstanceCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'ContainerInstance'
@@ -152,7 +156,7 @@ module CfnGuardian
       end
     end
-    class TLSCheck < Check
+    class TLSCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'TLS'
@@ -164,7 +168,7 @@ module CfnGuardian
       end
     end
-    class SFTPCheck < Check
+    class SFTPCheck < BaseCheck
       def initialize(resource)
         super(resource)
         @group = 'SFTP'
@@ -187,5 +191,19 @@ module CfnGuardian
       end
     end
+    class AzureFileCheck < BaseCheck
+      def initialize(resource)
+        super(resource)
+        @group = 'AzureFile'
+        @name = 'AzureFileCheck'
+        @package = 'azure-file-check'
+        @handler = 'handler.file_check'
+        @version = 'cc37aa8fe4855570132431611b507274b390f4c1'
+        @runtime = 'python3.7'
+        @memory = 256
+        @timeout = 600
+      end
+    end
   end
 end

data/lib/cfnguardian/models/event.rb CHANGED Viewed

@@ -2,7 +2,7 @@ require 'cfnguardian/string'
 module CfnGuardian
   module Models
-    class Event
+    class BaseEvent
       attr_reader :type
       attr_accessor :group,
@@ -31,7 +31,7 @@ module CfnGuardian
       end
     end
-    class HttpEvent < Event
+    class HttpEvent < BaseEvent
       attr_accessor :endpoint,
         :method,
@@ -81,7 +81,7 @@ module CfnGuardian
       end
     end
-    class PortEvent < Event
+    class PortEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'Port'
@@ -112,7 +112,7 @@ module CfnGuardian
       end
     end
-    class NrpeEvent < Event
+    class NrpeEvent < BaseEvent
       def initialize(resource,environment,command)
         super(resource)
         @group = 'Nrpe'
@@ -121,6 +121,7 @@ module CfnGuardian
         @host = resource['Id']
         @environment = environment
         @region = resource.fetch('Region',"${AWS::Region}")
+        @hash = Digest::MD5.hexdigest "#{resource['Id']}#{command}"
         @command = command
       end
@@ -134,13 +135,13 @@ module CfnGuardian
       end
     end
-    class SslEvent < Event
+    class SslEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'Ssl'
         @name = 'SslEvent'
         @target = 'SslCheckFunction'
-        @cron = "0 12 * * ? *"
+        @cron = resource.fetch('Schedule', "0 12 * * ? *")
         @url = resource['Id']
         @region = resource.fetch('Region',"${AWS::Region}")
       end
@@ -163,7 +164,7 @@ module CfnGuardian
       end
     end
-    class DomainExpiryEvent < Event
+    class DomainExpiryEvent < BaseEvent
       attr_accessor :domain,
         :region
@@ -173,7 +174,7 @@ module CfnGuardian
         @group = 'DomainExpiry'
         @name = 'DomainExpiryEvent'
         @target = 'DomainExpiryCheckFunction'
-        @cron = "0 12 * * ? *"
+        @cron = resource.fetch('Schedule', "0 12 * * ? *")
         @domain = resource['Id']
         @region = resource.fetch('Region',"${AWS::Region}")
       end
@@ -183,7 +184,7 @@ module CfnGuardian
       end
     end
-    class SqlEvent < Event
+    class SqlEvent < BaseEvent
       def initialize(resource,query,environment)
         super(resource)
         @group = 'Sql'
@@ -221,13 +222,13 @@ module CfnGuardian
       end
     end
-    class ContainerInstanceEvent < Event
+    class ContainerInstanceEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'ContainerInstance'
         @name = 'ContainerInstanceEvent'
         @target = 'ContainerInstanceCheckFunction'
-        @cron = "0/5 * * * ? *"
+        @cron = resource.fetch('Schedule', "0/5 * * * ? *")
         @cluster = resource['Id']
       end
@@ -236,13 +237,13 @@ module CfnGuardian
       end
     end
-    class SFTPEvent < Event
+    class SFTPEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'SFTP'
         @name = 'SFTPEvent'
         @target = 'SFTPCheckFunction'
-        @cron = "0/5 * * * ? *"
+        @cron = resource.fetch('Schedule', "0/5 * * * ? *")
         @host = resource['Id']
         @user = resource['User']
         @port = resource.fetch('Port', nil)
@@ -288,13 +289,13 @@ module CfnGuardian
       end
     end
-    class TLSEvent < Event
+    class TLSEvent < BaseEvent
       def initialize(resource)
         super(resource)
         @group = 'TLS'
         @name = 'TLSEvent'
         @target = 'TLSCheckFunction'
-        @cron = "0/5 * * * ? *"
+        @cron = resource.fetch('Schedule', "0/5 * * * ? *")
         @host = resource['Id']
         @port = resource.fetch('Port', 443)
         @check_max = resource.fetch('MaxSupported', nil)
@@ -312,5 +313,32 @@ module CfnGuardian
       end
     end
+    class AzureFileEvent < BaseEvent
+      def initialize(resource)
+        super(resource)
+        @group = 'AzureFile'
+        @name = 'AzureFileEvent'
+        @target = 'AzureFileCheckFunction'
+        @cron = resource.fetch('Schedule', "0/5 * * * ? *")
+        @storage_account = resource['Id']
+        @container = resource['Container']
+        @connection_string = resource['ConnectionString']
+        @search = resource['Search']
+      end
+      def payload
+        return {
+          'STORAGE_ACCOUNT' => @storage_account,
+          'CONTAINER' => @container,
+          'CONNECTION_STRING' => @connection_string,
+          'SEARCH' => @search
+        }.to_json
+      end
+      def ssm_parameters
+        return [@connection_string]
+      end
+    end
   end
 end

data/lib/cfnguardian/models/event_subscription.rb ADDED Viewed

@@ -0,0 +1,111 @@
+module CfnGuardian
+  module Models
+    class BaseEventSubscription
+      attr_reader :type, :group
+      attr_writer :detail
+      attr_accessor :name,
+        :enabled,
+        :hash,
+        :topic,
+        :resource_id,
+        :resource_arn,
+        :source,
+        :detail_type,
+        :detail
+      def initialize(resource)
+        @type = 'EventSubscription'
+        @group = self.class.name.split('::').last
+        @name = ''
+        @hash = Digest::MD5.hexdigest resource['Id']
+        @enabled = true
+        @events = []
+        @topic = 'Events'
+        @resource_id = resource['Id']
+        @resource_arn = ''
+        @source = ''
+        @detail_type = ''
+        @detail = {}
+      end
+      def detail
+        return @detail
+      end
+    end
+    class RDSEventSubscription < BaseEventSubscription
+      attr_accessor :source_id, :rds_event_category, :message
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.rds'
+        @detail_type = 'RDS DB Instance Event'
+        @source_id = ''
+        @rds_event_category = ''
+        @message = ''
+      end
+      def detail
+        return {
+          EventCategories: [@rds_event_category],
+          SourceType: [@source_type],
+          SourceIdentifier: ["rds:#{@resource_id}"],
+          Message: [@message]
+        }
+      end
+    end
+    class RDSInstanceEventSubscription < RDSEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source_type = 'DB_INSTANCE'
+      end
+    end
+    class RDSClusterEventSubscription < RDSEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source_type = 'DB_CLUSTER'
+      end
+    end
+    class Ec2InstanceEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.ec2'
+      end
+    end
+    class BatchEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.batch'
+      end
+    end
+    class GlueEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.glue'
+      end
+    end
+    class ApiGatewayEventSubscription < BaseEventSubscription; end
+    class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
+    class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
+    class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
+    class AutoScalingGroupEventSubscription < BaseEventSubscription; end
+    class DynamoDBTableEventSubscription < BaseEventSubscription; end
+    class Ec2InstanceEventSubscription < BaseEventSubscription; end
+    class ECSClusterEventSubscription < BaseEventSubscription; end
+    class ECSServiceEventSubscription < BaseEventSubscription; end
+    class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
+    class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
+    class ElasticFileSystemEventSubscription < BaseEventSubscription; end
+    class LambdaEventSubscription < BaseEventSubscription; end
+    class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
+    class RedshiftClusterEventSubscription < BaseEventSubscription; end
+    class StepFunctionsSubscription < BaseEventSubscription; end
+  end
+end

data/lib/cfnguardian/resources/amazonmq_rabbitmq.rb ADDED Viewed

@@ -0,0 +1,136 @@
+module CfnGuardian::Resource
+  class AmazonMQRabbitMQBroker < Base
+    def default_alarms
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
+      alarm.name = 'ConnectionCountCritical'
+      alarm.metric_name = 'ConnectionCount'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 50
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
+      alarm.name = 'ConnectionCountWarn'
+      alarm.metric_name = 'ConnectionCount'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 25
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
+      alarm.name = 'MessageCountCritical'
+      alarm.metric_name = 'MessageCount'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 500
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
+      alarm.name = 'MessageCountWarn'
+      alarm.metric_name = 'MessageCount'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 250
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+    end
+  end
+  class AmazonMQRabbitMQQueue < Base
+    def default_alarms
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQQueueAlarm.new(@resource)
+      alarm.name = 'MessageCountHighWarn'
+      alarm.metric_name = 'MessageCount'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 100
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+    end
+  end
+  class AmazonMQRabbitMQNode < Base
+    def default_alarms
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
+      alarm.name = 'SystemCpuUtilizationCritical'
+      alarm.metric_name = 'SystemCpuUtilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 95
+      alarm.evaluation_periods = 10
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
+      alarm.name = 'SystemCpuUtilizationHighBase'
+      alarm.metric_name = 'SystemCpuUtilization'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 75
+      alarm.evaluation_periods = 30
+      alarm.treat_missing_data = 'notBreaching'
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
+      alarm.name = 'RabbitMQMemUsedCritical'
+      alarm.metric_name = 'RabbitMQMemUsed'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 390000000
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
+      alarm.name = 'RabbitMQMemUsedWarn'
+      alarm.metric_name = 'RabbitMQMemUsed'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 350000000
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
+      alarm.name = 'RabbitMQDiskFreeLimitCritical'
+      alarm.metric_name = 'RabbitMQDiskFreeLimit'
+      alarm.comparison_operator = 'LessThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 1200000000
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+      alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
+      alarm.name = 'RabbitMQDiskFreeLimitWarn'
+      alarm.metric_name = 'RabbitMQDiskFreeLimit'
+      alarm.comparison_operator = 'LessThanThreshold'
+      alarm.statistic = 'Maximum'
+      alarm.threshold = 1200000000
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
+    end
+  end
+end