cfn-guardian 0.6.11 → 0.7.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +1 -0
- data/docs/maintenance_mode.md +12 -4
- data/docs/resources.md +1 -0
- data/lib/cfnguardian/compile.rb +5 -3
- data/lib/cfnguardian/config/defaults.yaml +1 -1
- data/lib/cfnguardian/models/alarm.rb +6 -3
- data/lib/cfnguardian/models/check.rb +13 -2
- data/lib/cfnguardian/resources/elastic_search.rb +7 -8
- data/lib/cfnguardian/resources/vpn_connection.rb +12 -1
- data/lib/cfnguardian/stacks/main.rb +47 -7
- data/lib/cfnguardian/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 72248fcb349fb266e18552dd36dcff37b4757574fb91583092dad34037c8be5f
|
|
4
|
+
data.tar.gz: f3db4dfb6d7d91e4e39a6832b832d6b2dc75537b0de0a31aaa2ad0837389a4bd
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d8bc7d02245dde79df68affc7bc910b7c9657172b0473bb48e71e03e39cd83d6869e649ec362cc7592c31900bf5338f809001f2efac177c2c0b3a33fe326f333
|
|
7
|
+
data.tar.gz: 6b7789eca2cbfeefe60d997de944d004bc481d27db7b8c49bfb016ed0924bff971503d34288caf56d787cc4145426988734b146ec9cdcd7addc8eebf5049fe29
|
data/README.md
CHANGED
data/docs/maintenance_mode.md
CHANGED
|
@@ -8,8 +8,8 @@ Alarms can be provided to the function the following ways
|
|
|
8
8
|
Alarm names be provided by a space delimited list using the `--alarms` switch.
|
|
9
9
|
|
|
10
10
|
```bash
|
|
11
|
-
cfn-guardian disable-alarms --
|
|
12
|
-
cfn-guardian enable-alarms --
|
|
11
|
+
cfn-guardian disable-alarms --alarms alarm-1 alarm-2
|
|
12
|
+
cfn-guardian enable-alarms --alarms alarm-1 alarm-2
|
|
13
13
|
```
|
|
14
14
|
|
|
15
15
|
## Alarm Name Prefix
|
|
@@ -60,10 +60,16 @@ Resources:
|
|
|
60
60
|
StatusCode: 200
|
|
61
61
|
|
|
62
62
|
# Define the top level key
|
|
63
|
-
|
|
63
|
+
MaintenanceGroups:
|
|
64
64
|
|
|
65
65
|
# Define the group name
|
|
66
66
|
AppUpdate:
|
|
67
|
+
# Optionally set a schedule for enabling/disabling
|
|
68
|
+
Schedules:
|
|
69
|
+
Disable: '30 0 * * ? *'
|
|
70
|
+
Enable: '00 1 * * ? *'
|
|
71
|
+
#Optionally specify and set to true to enable logging on lambda
|
|
72
|
+
Debug: true
|
|
67
73
|
# Define the resource group
|
|
68
74
|
ECSService:
|
|
69
75
|
# define the alarms in the resource group
|
|
@@ -82,4 +88,6 @@ MaintenaceGroups:
|
|
|
82
88
|
```bash
|
|
83
89
|
cfn-guardian disable-alarms --group AppUpdate
|
|
84
90
|
cfn-guardian enable-alarms --group AppUpdate
|
|
85
|
-
```
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
Optionally add a Schedule for disabling and enabling alarm actions as shown in the example above to deploy a lambda function that will be invoked by event rules created with the given cron expressions.
|
data/docs/resources.md
CHANGED
data/lib/cfnguardian/compile.rb
CHANGED
|
@@ -61,7 +61,7 @@ module CfnGuardian
|
|
|
61
61
|
@composites = config.fetch('Composites',{})
|
|
62
62
|
@templates = config.fetch('Templates',{})
|
|
63
63
|
@topics = config.fetch('Topics',{})
|
|
64
|
-
@maintenance_groups = config.fetch('
|
|
64
|
+
@maintenance_groups = config.fetch('MaintenanceGroups', {})
|
|
65
65
|
@event_subscriptions = config.fetch('EventSubscriptions', {})
|
|
66
66
|
|
|
67
67
|
# Make sure the default topics exist if they aren't supplied in the alarms.yaml
|
|
@@ -69,7 +69,6 @@ module CfnGuardian
|
|
|
69
69
|
@topics[topic] = '' unless @topics.has_key?(topic)
|
|
70
70
|
end
|
|
71
71
|
|
|
72
|
-
@maintenance_group_list = @maintenance_groups.keys.map {|group| "#{group}MaintenanceGroup"}
|
|
73
72
|
@resources = []
|
|
74
73
|
@stacks = []
|
|
75
74
|
@checks = []
|
|
@@ -116,6 +115,9 @@ module CfnGuardian
|
|
|
116
115
|
|
|
117
116
|
@maintenance_groups.each do |maintenance_group,resource_groups|
|
|
118
117
|
resource_groups.each do |group, alarms|
|
|
118
|
+
if group == 'Schedules'
|
|
119
|
+
next
|
|
120
|
+
end
|
|
119
121
|
alarms.each do |alarm, resources|
|
|
120
122
|
resources.each do |resource|
|
|
121
123
|
|
|
@@ -190,7 +192,7 @@ module CfnGuardian
|
|
|
190
192
|
resources = split_resources(bucket,path)
|
|
191
193
|
|
|
192
194
|
main_stack = CfnGuardian::Stacks::Main.new()
|
|
193
|
-
main_stack.build_template(@stacks,@checks,@topics,@
|
|
195
|
+
main_stack.build_template(@stacks,@checks,@topics,@maintenance_groups,@ssm_parameters)
|
|
194
196
|
valid = main_stack.template.validate
|
|
195
197
|
FileUtils.mkdir_p 'out'
|
|
196
198
|
File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
|
|
@@ -238,9 +238,12 @@ module CfnGuardian
|
|
|
238
238
|
def initialize(resource)
|
|
239
239
|
super(resource)
|
|
240
240
|
@group = 'ElasticSearch'
|
|
241
|
-
@namespace = 'AWS/
|
|
242
|
-
@dimensions = {
|
|
243
|
-
|
|
241
|
+
@namespace = 'AWS/ES'
|
|
242
|
+
@dimensions = {
|
|
243
|
+
DomainName: resource['Domain'],
|
|
244
|
+
ClientId: resource['Id']
|
|
245
|
+
}
|
|
246
|
+
@comparison_operator = 'GreaterThanOrEqualToThreshold'
|
|
244
247
|
@threshold = 1
|
|
245
248
|
@evaluation_periods = 5
|
|
246
249
|
@treat_missing_data = 'breaching'
|
|
@@ -40,7 +40,7 @@ module CfnGuardian
|
|
|
40
40
|
@name = 'HttpCheck'
|
|
41
41
|
@package = 'http-check'
|
|
42
42
|
@handler = 'handler.http_check'
|
|
43
|
-
@version = '
|
|
43
|
+
@version = 'dba2670c753d0d3386937fbcc1fc89499a4a0fa7'
|
|
44
44
|
@runtime = 'python3.7'
|
|
45
45
|
end
|
|
46
46
|
end
|
|
@@ -205,5 +205,16 @@ module CfnGuardian
|
|
|
205
205
|
end
|
|
206
206
|
end
|
|
207
207
|
|
|
208
|
+
class MaintenanceGroupCheck < BaseCheck
|
|
209
|
+
def initialize(resource)
|
|
210
|
+
super(resource)
|
|
211
|
+
@name = 'MaintenanceGroupCheck'
|
|
212
|
+
@package = 'maintenance-group-check'
|
|
213
|
+
@handler = 'handler.maintenance_group_check'
|
|
214
|
+
@version = '5b795e6509068d1767e4be80f2e6868cbeb3b425'
|
|
215
|
+
@runtime = 'python3.7'
|
|
216
|
+
end
|
|
217
|
+
end
|
|
218
|
+
|
|
208
219
|
end
|
|
209
|
-
end
|
|
220
|
+
end
|
|
@@ -7,7 +7,7 @@ module CfnGuardian::Resource
|
|
|
7
7
|
alarm.metric_name = 'Nodes'
|
|
8
8
|
alarm.threshold = 3
|
|
9
9
|
alarm.evaluation_periods = 1440 # 24 hours
|
|
10
|
-
alarm.
|
|
10
|
+
alarm.datapoints_to_alarm = 1
|
|
11
11
|
alarm.comparison_operator = 'LessThanOrEqualToThreshold'
|
|
12
12
|
alarm.alarm_action = 'Critical'
|
|
13
13
|
alarm.enabled = false
|
|
@@ -18,7 +18,7 @@ module CfnGuardian::Resource
|
|
|
18
18
|
alarm.metric_name = 'JVMMemoryPressure'
|
|
19
19
|
alarm.threshold = 72
|
|
20
20
|
alarm.evaluation_periods = 5
|
|
21
|
-
alarm.
|
|
21
|
+
alarm.datapoints_to_alarm = 3
|
|
22
22
|
alarm.alarm_action = 'Warning'
|
|
23
23
|
@alarms.push(alarm)
|
|
24
24
|
|
|
@@ -61,6 +61,7 @@ module CfnGuardian::Resource
|
|
|
61
61
|
alarm.evaluation_periods = 1
|
|
62
62
|
alarm.alarm_action = 'Warning'
|
|
63
63
|
alarm.statistic = 'Minimum'
|
|
64
|
+
alarm.comparison_operator = 'LessThanOrEqualToThreshold'
|
|
64
65
|
@alarms.push(alarm)
|
|
65
66
|
|
|
66
67
|
alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
|
|
@@ -69,6 +70,8 @@ module CfnGuardian::Resource
|
|
|
69
70
|
alarm.threshold = 25000
|
|
70
71
|
alarm.evaluation_periods = 1
|
|
71
72
|
alarm.alarm_action = 'Critical'
|
|
73
|
+
alarm.statistic = 'Minimum'
|
|
74
|
+
alarm.comparison_operator = 'LessThanOrEqualToThreshold'
|
|
72
75
|
@alarms.push(alarm)
|
|
73
76
|
|
|
74
77
|
alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
|
|
@@ -76,7 +79,7 @@ module CfnGuardian::Resource
|
|
|
76
79
|
alarm.metric_name = 'CPUUtilization'
|
|
77
80
|
alarm.threshold = 75
|
|
78
81
|
alarm.evaluation_periods = 15
|
|
79
|
-
alarm.
|
|
82
|
+
alarm.datapoints_to_alarm = 3
|
|
80
83
|
alarm.alarm_action = 'Warning'
|
|
81
84
|
alarm.statistic = 'Average'
|
|
82
85
|
@alarms.push(alarm)
|
|
@@ -86,7 +89,7 @@ module CfnGuardian::Resource
|
|
|
86
89
|
alarm.metric_name = 'CPUUtilization'
|
|
87
90
|
alarm.threshold = 95
|
|
88
91
|
alarm.evaluation_periods = 5
|
|
89
|
-
alarm.
|
|
92
|
+
alarm.datapoints_to_alarm = 3
|
|
90
93
|
alarm.alarm_action = 'Critical'
|
|
91
94
|
alarm.statistic = 'Average'
|
|
92
95
|
@alarms.push(alarm)
|
|
@@ -98,7 +101,6 @@ module CfnGuardian::Resource
|
|
|
98
101
|
alarm.evaluation_periods = 1
|
|
99
102
|
alarm.alarm_action = 'Warning'
|
|
100
103
|
alarm.statistic = 'Minimum'
|
|
101
|
-
alarm.comparison_operator = 'GreaterThanOrEqualToThreshold'
|
|
102
104
|
@alarms.push(alarm)
|
|
103
105
|
|
|
104
106
|
alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
|
|
@@ -108,7 +110,6 @@ module CfnGuardian::Resource
|
|
|
108
110
|
alarm.evaluation_periods = 1
|
|
109
111
|
alarm.alarm_action = 'Critical'
|
|
110
112
|
alarm.statistic = 'Minimum'
|
|
111
|
-
alarm.comparison_operator = 'GreaterThanOrEqualToThreshold'
|
|
112
113
|
alarm.enabled = false
|
|
113
114
|
@alarms.push(alarm)
|
|
114
115
|
|
|
@@ -119,7 +120,6 @@ module CfnGuardian::Resource
|
|
|
119
120
|
alarm.evaluation_periods = 1
|
|
120
121
|
alarm.alarm_action = 'Critical'
|
|
121
122
|
alarm.statistic = 'Minimum'
|
|
122
|
-
alarm.comparison_operator = 'GreaterThanOrEqualToThreshold'
|
|
123
123
|
@alarms.push(alarm)
|
|
124
124
|
|
|
125
125
|
alarm = CfnGuardian::Models::ElasticSearchAlarm.new(@resource)
|
|
@@ -129,7 +129,6 @@ module CfnGuardian::Resource
|
|
|
129
129
|
alarm.evaluation_periods = 1
|
|
130
130
|
alarm.alarm_action = 'Warning'
|
|
131
131
|
alarm.statistic = 'Minimum'
|
|
132
|
-
alarm.comparison_operator = 'GreaterThanOrEqualToThreshold'
|
|
133
132
|
@alarms.push(alarm)
|
|
134
133
|
|
|
135
134
|
end
|
|
@@ -3,7 +3,18 @@ module CfnGuardian::Resource
|
|
|
3
3
|
|
|
4
4
|
def default_alarms
|
|
5
5
|
alarm = CfnGuardian::Models::VPNConnectionAlarm.new(@resource)
|
|
6
|
-
alarm.name = '
|
|
6
|
+
alarm.name = 'VPNConnectionStateNonRedundant'
|
|
7
|
+
alarm.metric_name = 'TunnelState'
|
|
8
|
+
alarm.comparison_operator = 'LessThanThreshold'
|
|
9
|
+
alarm.statistic = 'Average'
|
|
10
|
+
alarm.threshold = 1.0
|
|
11
|
+
alarm.evaluation_periods = 3
|
|
12
|
+
alarm.treat_missing_data = 'breaching'
|
|
13
|
+
alarm.datapoints_to_alarm = 3
|
|
14
|
+
@alarms.push(alarm)
|
|
15
|
+
|
|
16
|
+
alarm = CfnGuardian::Models::VPNConnectionAlarm.new(@resource)
|
|
17
|
+
alarm.name = 'VPNConnectionStateAllDown'
|
|
7
18
|
alarm.metric_name = 'TunnelState'
|
|
8
19
|
alarm.comparison_operator = 'LessThanThreshold'
|
|
9
20
|
alarm.statistic = 'Average'
|
|
@@ -4,6 +4,7 @@ module CfnGuardian
|
|
|
4
4
|
module Stacks
|
|
5
5
|
class Main
|
|
6
6
|
include CfnDsl::CloudFormation
|
|
7
|
+
include Logging
|
|
7
8
|
|
|
8
9
|
attr_reader :parameters, :template
|
|
9
10
|
|
|
@@ -22,12 +23,10 @@ module CfnGuardian
|
|
|
22
23
|
parameter.Default sns
|
|
23
24
|
parameters[name] = Ref(name)
|
|
24
25
|
end
|
|
25
|
-
|
|
26
|
-
maintenance_groups.
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
|
|
30
|
-
parameters[group] = Ref(group)
|
|
26
|
+
|
|
27
|
+
if maintenance_groups.any?
|
|
28
|
+
add_lambda(CfnGuardian::Models::MaintenanceGroupCheck.new(maintenance_groups))
|
|
29
|
+
maintenance_groups.each {|group,config| add_maintenance_group(group,config,parameters)}
|
|
31
30
|
end
|
|
32
31
|
|
|
33
32
|
add_iam_role(ssm_parameters)
|
|
@@ -73,6 +72,17 @@ module CfnGuardian
|
|
|
73
72
|
}]
|
|
74
73
|
}
|
|
75
74
|
}
|
|
75
|
+
policies << {
|
|
76
|
+
PolicyName: 'maintenance-group-actions',
|
|
77
|
+
PolicyDocument: {
|
|
78
|
+
Version: '2012-10-17',
|
|
79
|
+
Statement: [{
|
|
80
|
+
Effect: 'Allow',
|
|
81
|
+
Action: [ 'cloudwatch:DescribeAlarms', 'cloudwatch:DisableAlarmActions', 'cloudwatch:EnableAlarmActions', 'cloudwatch:SetAlarmState' ],
|
|
82
|
+
Resource: FnSub("arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*")
|
|
83
|
+
}]
|
|
84
|
+
}
|
|
85
|
+
}
|
|
76
86
|
if ssm_parameters.any?
|
|
77
87
|
policies << {
|
|
78
88
|
PolicyName: 'ssm-parameters',
|
|
@@ -165,7 +175,37 @@ module CfnGuardian
|
|
|
165
175
|
end
|
|
166
176
|
end
|
|
167
177
|
end
|
|
168
|
-
|
|
178
|
+
|
|
179
|
+
def add_maintenance_group(group,config,parameters)
|
|
180
|
+
group_name = "#{group}MaintenanceGroup"
|
|
181
|
+
schedules = config.fetch('Schedules', {})
|
|
182
|
+
logging = config.dig('Schedules', 'Debug').to_s
|
|
183
|
+
|
|
184
|
+
topic = @template.SNS_Topic(group_name)
|
|
185
|
+
topic.TopicName group_name
|
|
186
|
+
topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
|
|
187
|
+
parameters[group_name] = Ref(group_name)
|
|
188
|
+
|
|
189
|
+
if schedules.any?
|
|
190
|
+
event = @template.Events_Rule("#{group_name}EnableEvent")
|
|
191
|
+
event.Name "#{group_name}EnableEvent"
|
|
192
|
+
event.ScheduleExpression "cron(#{schedules['Enable']})"
|
|
193
|
+
event.Targets([{
|
|
194
|
+
Arn: FnGetAtt('MaintenanceGroupCheckFunction', 'Arn'),
|
|
195
|
+
Id: "#{group_name}EnableTarget",
|
|
196
|
+
Input: {action:"enable_alarms", maintenance_group: group_name, logging: logging}.to_json
|
|
197
|
+
}])
|
|
198
|
+
|
|
199
|
+
event = @template.Events_Rule("#{group_name}DisableEvent")
|
|
200
|
+
event.Name "#{group_name}DisableEvent"
|
|
201
|
+
event.ScheduleExpression "cron(#{schedules['Disable']})"
|
|
202
|
+
event.Targets([{
|
|
203
|
+
Arn: FnGetAtt('MaintenanceGroupCheckFunction', 'Arn'),
|
|
204
|
+
Id: "#{group_name}DisableTarget",
|
|
205
|
+
Input: {action:"disable_alarms", maintenance_group: group_name, logging: logging}.to_json
|
|
206
|
+
}])
|
|
207
|
+
end
|
|
208
|
+
end
|
|
169
209
|
end
|
|
170
210
|
end
|
|
171
211
|
end
|
data/lib/cfnguardian/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-guardian
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.7.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Guslington
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-09-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor
|