cfn-guardian 0.6.12 → 0.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6086513d45028d39a8fd14045920fd86bb24d1567e7d583d7849aa8608a0fc30
-  data.tar.gz: 611bec25f666dc95e14b800cc94a7c81bbe4c329229b32cb4354f68aa8419683
+  metadata.gz: 1417ef4853dc20a776837ec1fee0433449dd1f4fd5601081ca2602c8cc6b9f06
+  data.tar.gz: 5ff99a91ba3c512dca2cde401b0ce8c1ada0127c9e56928f7fde9ead8c4cc5b6
 SHA512:
-  metadata.gz: 75bf1a7ce2e42f7fb253d1be1e9c7ba09ecf4af6839820685587d2f8949d00027af462e25d454b68b1df9a5c7e7376605f3e8e50119db374c92cfc7d8df80d0d
-  data.tar.gz: 983989310f60014fe6197ae5b94310ffa8568aa84b7287a1533844e59ae2994fc7b7b364e4fed7ea125723f17eff93d4a693a8fc96c7707d5f3857aede5398fa
+  metadata.gz: b3eed6e24561d7927408b771317a93d1fe421f784fd3b0e3260df790d710c90e1abe1749e856c0cbc3ec0ebe30a4842d40c3714f2943843e19c1f7eac215010d
+  data.tar.gz: 3851fe0ad73593f25bd0eff3a62031345b4214d5bff9384c072a11af93192308d548aca7f83525935602b4c794077f24462bccccf547cb8801d2b52cdc1d5de1

data/Dockerfile

@@ -1,6 +1,6 @@
 FROM ruby:2.7-alpine
 
-ARG GUARDIAN_VERSION="0.6.9"
+ARG GUARDIAN_VERSION="0.7.1"
 
 COPY . /src
 

data/docs/custom_checks/http.md

@@ -32,6 +32,8 @@ Resources:
     Method: post
     # specify headers using "key=value key=value"
     Headers: content-type=application/json
+    # specify a useragent that contains spaces
+    UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Base2/Lambda
     # pass in custom payload for the request
     Payload: '{"name": "john"}'
 ```

data/docs/custom_checks/log_group_metric_filters.md

@@ -15,10 +15,20 @@ Resources:
     # Name of the cloud watch metric
     - MetricName: MyFunctionErrors
       # search pattern, see aws docs for syntax
-      Pattern: error
+      Pattern: 'error'
       # metric to push to cloudwatch. Optional as it defaults to 1
       MetricValue: 1
-      
+  - Id: /prod/custom/app
+    # List of metric filters
+    MetricFilters:
+    # Name of the cloud watch metric
+    - MetricName: MyAppErrors
+      # search pattern, see aws docs for syntax
+      # note; any non-alphanumeric characters have to be wrapped in double quotes WITHIN single quotes
+      Pattern: '"Connection to ssl://mail.google.com:465 Timed Out"'
+      # metric to push to cloudwatch. Optional as it defaults to 1
+      MetricValue: 1      
+
 Templates:
   LogGroup:
     # use the MetricName name to override the alarm defaults

data/docs/maintenance_mode.md

@@ -8,8 +8,8 @@ Alarms can be provided to the function the following ways
 Alarm names be provided by a space delimited list using the `--alarms` switch.
 
 ```bash
-cfn-guardian disable-alarms --group alarm-1 alarm-2
-cfn-guardian enable-alarms --group alarm-1 alarm-2
+cfn-guardian disable-alarms --alarms alarm-1 alarm-2
+cfn-guardian enable-alarms --alarms alarm-1 alarm-2
 ```
 
 ## Alarm Name Prefix
@@ -60,10 +60,16 @@ Resources:
     StatusCode: 200
 
 # Define the top level key
-MaintenaceGroups:
+MaintenanceGroups:
   
   # Define the group name
   AppUpdate:
+    # Optionally set a schedule for enabling/disabling
+    Schedules:
+      Disable: '30 0 * * ? *'
+      Enable: '00 1 * * ? *'
+      #Optionally specify and set to true to enable logging on lambda
+      Debug: true
     # Define the resource group
     ECSService:
       # define the alarms in the resource group
@@ -82,4 +88,6 @@ MaintenaceGroups:
 ```bash
 cfn-guardian disable-alarms --group AppUpdate
 cfn-guardian enable-alarms --group AppUpdate
-```
+```
+
+Optionally add a Schedule for disabling and enabling alarm actions as shown in the example above to deploy a lambda function that will be invoked by event rules created with the given cron expressions.

data/lib/cfnguardian/compile.rb

@@ -61,7 +61,7 @@ module CfnGuardian
       @composites = config.fetch('Composites',{})
       @templates = config.fetch('Templates',{})
       @topics = config.fetch('Topics',{})
-      @maintenance_groups = config.fetch('MaintenaceGroups', {})
+      @maintenance_groups = config.fetch('MaintenanceGroups', {})
       @event_subscriptions = config.fetch('EventSubscriptions', {})
       
       # Make sure the default topics exist if they aren't supplied in the alarms.yaml
@@ -69,7 +69,6 @@ module CfnGuardian
         @topics[topic] = '' unless @topics.has_key?(topic)
       end
 
-      @maintenance_group_list = @maintenance_groups.keys.map {|group| "#{group}MaintenanceGroup"}
       @resources = []
       @stacks = []
       @checks = []
@@ -116,6 +115,9 @@ module CfnGuardian
       
       @maintenance_groups.each do |maintenance_group,resource_groups|
         resource_groups.each do |group, alarms|
+          if group == 'Schedules' 
+            next
+          end
           alarms.each do |alarm, resources|
             resources.each do |resource|
 
@@ -190,7 +192,7 @@ module CfnGuardian
       resources = split_resources(bucket,path)
       
       main_stack = CfnGuardian::Stacks::Main.new()
-      main_stack.build_template(@stacks,@checks,@topics,@maintenance_group_list,@ssm_parameters)
+      main_stack.build_template(@stacks,@checks,@topics,@maintenance_groups,@ssm_parameters)
       valid = main_stack.template.validate
       FileUtils.mkdir_p 'out'
       File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)

data/lib/cfnguardian/models/alarm.rb

@@ -238,7 +238,7 @@ module CfnGuardian
       def initialize(resource)
         super(resource)
         @group = 'ElasticSearch'
-        @namespace = 'AWS/ElasticSearch'
+        @namespace = 'AWS/ES'
         @dimensions = { 
           DomainName: resource['Domain'], 
           ClientId: resource['Id'] 

data/lib/cfnguardian/models/check.rb

@@ -40,7 +40,7 @@ module CfnGuardian
         @name = 'HttpCheck'
         @package = 'http-check'
         @handler = 'handler.http_check'
-        @version = 'f739631de74f1a882163b7e584a8b4710ccbc134'
+        @version = '0e945240f9d93242f807e86d1a9b3383a1764b96'
         @runtime = 'python3.7'
       end
     end
@@ -205,5 +205,16 @@ module CfnGuardian
       end
     end
 
+    class MaintenanceGroupCheck < BaseCheck
+      def initialize(resource)
+        super(resource)
+        @name = 'MaintenanceGroupCheck'
+        @package = 'maintenance-group-check'
+        @handler = 'handler.maintenance_group_check'
+        @version = '5b795e6509068d1767e4be80f2e6868cbeb3b425'
+        @runtime = 'python3.7'
+      end 
+    end
+
   end
-end
+end

data/lib/cfnguardian/models/event.rb

@@ -52,6 +52,7 @@ module CfnGuardian
         @status_code = resource.fetch('StatusCode',200)
         @body_regex = resource.fetch('BodyRegex',nil)
         @headers = resource.fetch('Headers',nil)
+        @user_agent = resource.fetch('UserAgent',nil)
         @payload = resource.fetch('Payload',nil)
         @compressed = resource.fetch('Compressed',false)
       end
@@ -65,6 +66,7 @@ module CfnGuardian
         }
         payload['BODY_REGEX_MATCH'] = @body_regex unless @body_regex.nil?
         payload['HEADERS'] = @headers unless @headers.nil?
+        payload['USER_AGENT'] = @user_agent unless @user_agent.nil?
         payload['PAYLOAD'] = @payload unless @payload.nil?
         payload['COMPRESSED'] = '1' if @compressed
         return payload.to_json

data/lib/cfnguardian/resources/elastic_search.rb

@@ -70,6 +70,7 @@ module CfnGuardian::Resource
         alarm.threshold = 25000
         alarm.evaluation_periods = 1
         alarm.alarm_action = 'Critical'
+        alarm.statistic = 'Minimum'
         alarm.comparison_operator = 'LessThanOrEqualToThreshold'
         @alarms.push(alarm)  
        

data/lib/cfnguardian/resources/lambda.rb

@@ -24,6 +24,7 @@ module CfnGuardian::Resource
       alarm.name = 'IteratorAge'
       alarm.metric_name = 'IteratorAge'
       alarm.threshold = 600000
+      alarm.treat_missing_data = 'notBreaching'
       @alarms.push(alarm)
       
       alarm = CfnGuardian::Models::LambdaAlarm.new(@resource)
@@ -31,6 +32,7 @@ module CfnGuardian::Resource
       alarm.metric_name = 'Duration'
       alarm.statistic = 'Average'
       alarm.threshold = 30
+      alarm.treat_missing_data = 'notBreaching'
       @alarms.push(alarm)
     end
     

data/lib/cfnguardian/resources/vpn_connection.rb

@@ -3,7 +3,18 @@ module CfnGuardian::Resource
       
       def default_alarms    
         alarm = CfnGuardian::Models::VPNConnectionAlarm.new(@resource)
-        alarm.name = 'VPNConnectionState'
+        alarm.name = 'VPNConnectionStateNonRedundant'
+        alarm.metric_name = 'TunnelState'
+        alarm.comparison_operator = 'LessThanThreshold'
+        alarm.statistic = 'Average'
+        alarm.threshold = 1.0
+        alarm.evaluation_periods = 3
+        alarm.treat_missing_data = 'breaching'
+        alarm.datapoints_to_alarm = 3
+        @alarms.push(alarm)
+
+        alarm = CfnGuardian::Models::VPNConnectionAlarm.new(@resource)
+        alarm.name = 'VPNConnectionStateAllDown'
         alarm.metric_name = 'TunnelState'
         alarm.comparison_operator = 'LessThanThreshold'
         alarm.statistic = 'Average'

data/lib/cfnguardian/stacks/main.rb

@@ -4,6 +4,7 @@ module CfnGuardian
   module Stacks
     class Main
       include CfnDsl::CloudFormation
+      include Logging
       
       attr_reader :parameters, :template
       
@@ -22,12 +23,10 @@ module CfnGuardian
           parameter.Default sns
           parameters[name] = Ref(name)
         end
-        
-        maintenance_groups.each do |group|
-          topic = @template.SNS_Topic(group)
-          topic.TopicName group
-          topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
-          parameters[group] = Ref(group)
+
+        if maintenance_groups.any?
+          add_lambda(CfnGuardian::Models::MaintenanceGroupCheck.new(maintenance_groups))
+          maintenance_groups.each {|group,config| add_maintenance_group(group,config,parameters)}
         end
         
         add_iam_role(ssm_parameters)
@@ -73,6 +72,17 @@ module CfnGuardian
             }]
           }
         }
+        policies << {
+          PolicyName: 'maintenance-group-actions',
+          PolicyDocument: {
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Action: [ 'cloudwatch:DescribeAlarms', 'cloudwatch:DisableAlarmActions', 'cloudwatch:EnableAlarmActions', 'cloudwatch:SetAlarmState' ],
+              Resource: FnSub("arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*")
+            }]
+          }
+        }
         if ssm_parameters.any?
           policies << {
             PolicyName: 'ssm-parameters',
@@ -165,7 +175,37 @@ module CfnGuardian
           end
         end
       end
-      
+
+      def add_maintenance_group(group,config,parameters)
+        group_name = "#{group}MaintenanceGroup"
+        schedules = config.fetch('Schedules', {})
+        logging = config.dig('Schedules', 'Debug').to_s
+
+        topic = @template.SNS_Topic(group_name)
+        topic.TopicName group_name
+        topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
+        parameters[group_name] = Ref(group_name)
+
+        if schedules.any?
+          event = @template.Events_Rule("#{group_name}EnableEvent")
+          event.Name "#{group_name}EnableEvent"
+          event.ScheduleExpression "cron(#{schedules['Enable']})"
+          event.Targets([{ 
+            Arn: FnGetAtt('MaintenanceGroupCheckFunction', 'Arn'), 
+            Id: "#{group_name}EnableTarget", 
+            Input: {action:"enable_alarms", maintenance_group: group_name, logging: logging}.to_json
+          }])
+
+          event = @template.Events_Rule("#{group_name}DisableEvent")
+          event.Name "#{group_name}DisableEvent"
+          event.ScheduleExpression "cron(#{schedules['Disable']})"            
+          event.Targets([{ 
+            Arn: FnGetAtt('MaintenanceGroupCheckFunction', 'Arn'), 
+            Id: "#{group_name}DisableTarget", 
+            Input: {action:"disable_alarms", maintenance_group: group_name, logging: logging}.to_json
+          }])
+        end
+      end
     end
   end
 end

data/lib/cfnguardian/version.rb

@@ -1,4 +1,4 @@
 module CfnGuardian
-  VERSION = "0.6.12"
+  VERSION = "0.7.2"
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-guardian
 version: !ruby/object:Gem::Version
-  version: 0.6.12
+  version: 0.7.2
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-06-30 00:00:00.000000000 Z
+date: 2021-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor