cfn-guardian 0.6.13 → 0.7.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ed07cb07793213554d2611f693312d285d672d54146a8188c6b178f56d946aa7
-  data.tar.gz: 2322c8908d7239288fb689e0a102ccd9ab5af32a702a6aa6af3df76c90f6c740
+  metadata.gz: f06747af0d401c54e458d9becbe4ce2f9e217b2c363fbddf89d5a3e09d65c03b
+  data.tar.gz: bd7782ab5b234ebf259bdc6ada2ee0717fe89121fe487e79ea45a13286b16a8b
 SHA512:
-  metadata.gz: 35f90c8f88dafa4092f3b44adb604f794ced719fc8d1b72252b8013d9c7420df66981d40435c96c7176a46623b98f701e0d725ed866adcb93bcfdb2d4b31843b
-  data.tar.gz: 887fac6d120e13890639341295a97f54955e7de67875e554c2806177daacf3abe2542a0ec5ab45d73166eed71e63327d31e2e123329e93910324e43cc0eff58e
+  metadata.gz: e5d3227e82977a8f4878d42cae70e5280238004fc72e1fffcc49080d70cd14592c45179fab4c0ea78a54b3fac18f4499c145cbf01895c99a8dc46da041c78ec5
+  data.tar.gz: c38cc4edef74b46dd58a13332f03c5cce1d783556d2ec58e109316792bec4b2c709a2165a19543d340869940a586e98c64ff405260bbf06731630644a01a602a

data/.gitignore

@@ -9,4 +9,5 @@
 
 cfn-guardian-*.gem
 
-out/
+out/
+alarms.yaml

data/Dockerfile

@@ -1,6 +1,6 @@
 FROM ruby:2.7-alpine
 
-ARG GUARDIAN_VERSION="0.6.9"
+ARG GUARDIAN_VERSION="0.7.1"
 
 COPY . /src
 

data/docs/custom_checks/http.md

@@ -32,6 +32,8 @@ Resources:
     Method: post
     # specify headers using "key=value key=value"
     Headers: content-type=application/json
+    # specify a useragent that contains spaces
+    UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Base2/Lambda
     # pass in custom payload for the request
     Payload: '{"name": "john"}'
 ```

data/docs/custom_checks/log_group_metric_filters.md

@@ -15,10 +15,20 @@ Resources:
     # Name of the cloud watch metric
     - MetricName: MyFunctionErrors
       # search pattern, see aws docs for syntax
-      Pattern: error
+      Pattern: 'error'
       # metric to push to cloudwatch. Optional as it defaults to 1
       MetricValue: 1
-      
+  - Id: /prod/custom/app
+    # List of metric filters
+    MetricFilters:
+    # Name of the cloud watch metric
+    - MetricName: MyAppErrors
+      # search pattern, see aws docs for syntax
+      # note; any non-alphanumeric characters have to be wrapped in double quotes WITHIN single quotes
+      Pattern: '"Connection to ssl://mail.google.com:465 Timed Out"'
+      # metric to push to cloudwatch. Optional as it defaults to 1
+      MetricValue: 1      
+
 Templates:
   LogGroup:
     # use the MetricName name to override the alarm defaults

data/docs/maintenance_mode.md

@@ -8,8 +8,8 @@ Alarms can be provided to the function the following ways
 Alarm names be provided by a space delimited list using the `--alarms` switch.
 
 ```bash
-cfn-guardian disable-alarms --group alarm-1 alarm-2
-cfn-guardian enable-alarms --group alarm-1 alarm-2
+cfn-guardian disable-alarms --alarms alarm-1 alarm-2
+cfn-guardian enable-alarms --alarms alarm-1 alarm-2
 ```
 
 ## Alarm Name Prefix
@@ -60,10 +60,16 @@ Resources:
     StatusCode: 200
 
 # Define the top level key
-MaintenaceGroups:
+MaintenanceGroups:
   
   # Define the group name
   AppUpdate:
+    # Optionally set a schedule for enabling/disabling
+    Schedules:
+      Disable: '30 0 * * ? *'
+      Enable: '00 1 * * ? *'
+      #Optionally specify and set to true to enable logging on lambda
+      Debug: true
     # Define the resource group
     ECSService:
       # define the alarms in the resource group
@@ -82,4 +88,6 @@ MaintenaceGroups:
 ```bash
 cfn-guardian disable-alarms --group AppUpdate
 cfn-guardian enable-alarms --group AppUpdate
-```
+```
+
+Optionally add a Schedule for disabling and enabling alarm actions as shown in the example above to deploy a lambda function that will be invoked by event rules created with the given cron expressions.

data/lib/cfnguardian/compile.rb

@@ -44,6 +44,7 @@ require 'cfnguardian/resources/step_functions'
 require 'cfnguardian/resources/vpn_tunnel'
 require 'cfnguardian/resources/vpn_connection'
 require 'cfnguardian/resources/elastic_search'
+require 'cfnguardian/resources/jenkins'
 require 'cfnguardian/version'
 require 'cfnguardian/error'
 
@@ -61,7 +62,7 @@ module CfnGuardian
       @composites = config.fetch('Composites',{})
       @templates = config.fetch('Templates',{})
       @topics = config.fetch('Topics',{})
-      @maintenance_groups = config.fetch('MaintenaceGroups', {})
+      @maintenance_groups = config.fetch('MaintenanceGroups', {})
       @event_subscriptions = config.fetch('EventSubscriptions', {})
       
       # Make sure the default topics exist if they aren't supplied in the alarms.yaml
@@ -69,7 +70,6 @@ module CfnGuardian
         @topics[topic] = '' unless @topics.has_key?(topic)
       end
 
-      @maintenance_group_list = @maintenance_groups.keys.map {|group| "#{group}MaintenanceGroup"}
       @resources = []
       @stacks = []
       @checks = []
@@ -116,6 +116,9 @@ module CfnGuardian
       
       @maintenance_groups.each do |maintenance_group,resource_groups|
         resource_groups.each do |group, alarms|
+          if group == 'Schedules' 
+            next
+          end
           alarms.each do |alarm, resources|
             resources.each do |resource|
 
@@ -190,7 +193,7 @@ module CfnGuardian
       resources = split_resources(bucket,path)
       
       main_stack = CfnGuardian::Stacks::Main.new()
-      main_stack.build_template(@stacks,@checks,@topics,@maintenance_group_list,@ssm_parameters)
+      main_stack.build_template(@stacks,@checks,@topics,@maintenance_groups,@ssm_parameters)
       valid = main_stack.template.validate
       FileUtils.mkdir_p 'out'
       File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)

data/lib/cfnguardian/models/alarm.rb

@@ -485,6 +485,15 @@ module CfnGuardian
       end
     end
 
+    class JenkinsAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'Jenkins'
+        @namespace = 'Ciinabox/Jenkins'
+        @dimensions = { Jenkins: resource['Id'], Monitoring: 'JenkMon' }
+      end
+    end
+
     class VPNTunnelAlarm < BaseAlarm
       def initialize(resource)
         super(resource)

data/lib/cfnguardian/models/check.rb

@@ -40,7 +40,7 @@ module CfnGuardian
         @name = 'HttpCheck'
         @package = 'http-check'
         @handler = 'handler.http_check'
-        @version = 'f739631de74f1a882163b7e584a8b4710ccbc134'
+        @version = '0e945240f9d93242f807e86d1a9b3383a1764b96'
         @runtime = 'python3.7'
       end
     end
@@ -205,5 +205,16 @@ module CfnGuardian
       end
     end
 
+    class MaintenanceGroupCheck < BaseCheck
+      def initialize(resource)
+        super(resource)
+        @name = 'MaintenanceGroupCheck'
+        @package = 'maintenance-group-check'
+        @handler = 'handler.maintenance_group_check'
+        @version = '5b795e6509068d1767e4be80f2e6868cbeb3b425'
+        @runtime = 'python3.7'
+      end 
+    end
+
   end
-end
+end

data/lib/cfnguardian/models/event.rb

@@ -52,6 +52,7 @@ module CfnGuardian
         @status_code = resource.fetch('StatusCode',200)
         @body_regex = resource.fetch('BodyRegex',nil)
         @headers = resource.fetch('Headers',nil)
+        @user_agent = resource.fetch('UserAgent',nil)
         @payload = resource.fetch('Payload',nil)
         @compressed = resource.fetch('Compressed',false)
       end
@@ -65,6 +66,7 @@ module CfnGuardian
         }
         payload['BODY_REGEX_MATCH'] = @body_regex unless @body_regex.nil?
         payload['HEADERS'] = @headers unless @headers.nil?
+        payload['USER_AGENT'] = @user_agent unless @user_agent.nil?
         payload['PAYLOAD'] = @payload unless @payload.nil?
         payload['COMPRESSED'] = '1' if @compressed
         return payload.to_json

data/lib/cfnguardian/resources/elastic_search.rb

@@ -70,6 +70,7 @@ module CfnGuardian::Resource
         alarm.threshold = 25000
         alarm.evaluation_periods = 1
         alarm.alarm_action = 'Critical'
+        alarm.statistic = 'Minimum'
         alarm.comparison_operator = 'LessThanOrEqualToThreshold'
         @alarms.push(alarm)  
        

data/lib/cfnguardian/resources/jenkins.rb

@@ -0,0 +1,17 @@
+module CfnGuardian::Resource
+    class Jenkins < Base
+
+        def default_alarms
+            alarm = CfnGuardian::Models::JenkinsAlarm.new(@resource)
+            alarm.name = 'NoSuccess'
+            alarm.metric_name = 'Success'
+            alarm.statistic = 'Maximum'
+            alarm.treat_missing_data = 'breaching'
+            alarm.alarm_action = 'Warning'
+            alarm.period = 3600
+            alarm.comparison_operator = 'LessThanThreshold'
+            alarm.threshold = 1
+            @alarms.push(alarm)
+        end
+    end
+end

data/lib/cfnguardian/resources/lambda.rb

@@ -24,6 +24,7 @@ module CfnGuardian::Resource
       alarm.name = 'IteratorAge'
       alarm.metric_name = 'IteratorAge'
       alarm.threshold = 600000
+      alarm.treat_missing_data = 'notBreaching'
       @alarms.push(alarm)
       
       alarm = CfnGuardian::Models::LambdaAlarm.new(@resource)
@@ -31,6 +32,7 @@ module CfnGuardian::Resource
       alarm.metric_name = 'Duration'
       alarm.statistic = 'Average'
       alarm.threshold = 30
+      alarm.treat_missing_data = 'notBreaching'
       @alarms.push(alarm)
     end
     

data/lib/cfnguardian/resources/vpn_connection.rb

@@ -3,7 +3,18 @@ module CfnGuardian::Resource
       
       def default_alarms    
         alarm = CfnGuardian::Models::VPNConnectionAlarm.new(@resource)
-        alarm.name = 'VPNConnectionState'
+        alarm.name = 'VPNConnectionStateNonRedundant'
+        alarm.metric_name = 'TunnelState'
+        alarm.comparison_operator = 'LessThanThreshold'
+        alarm.statistic = 'Average'
+        alarm.threshold = 1.0
+        alarm.evaluation_periods = 3
+        alarm.treat_missing_data = 'breaching'
+        alarm.datapoints_to_alarm = 3
+        @alarms.push(alarm)
+
+        alarm = CfnGuardian::Models::VPNConnectionAlarm.new(@resource)
+        alarm.name = 'VPNConnectionStateAllDown'
         alarm.metric_name = 'TunnelState'
         alarm.comparison_operator = 'LessThanThreshold'
         alarm.statistic = 'Average'

data/lib/cfnguardian/stacks/main.rb

@@ -4,6 +4,7 @@ module CfnGuardian
   module Stacks
     class Main
       include CfnDsl::CloudFormation
+      include Logging
       
       attr_reader :parameters, :template
       
@@ -22,12 +23,10 @@ module CfnGuardian
           parameter.Default sns
           parameters[name] = Ref(name)
         end
-        
-        maintenance_groups.each do |group|
-          topic = @template.SNS_Topic(group)
-          topic.TopicName group
-          topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
-          parameters[group] = Ref(group)
+
+        if maintenance_groups.any?
+          add_lambda(CfnGuardian::Models::MaintenanceGroupCheck.new(maintenance_groups))
+          maintenance_groups.each {|group,config| add_maintenance_group(group,config,parameters)}
         end
         
         add_iam_role(ssm_parameters)
@@ -73,6 +72,17 @@ module CfnGuardian
             }]
           }
         }
+        policies << {
+          PolicyName: 'maintenance-group-actions',
+          PolicyDocument: {
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Action: [ 'cloudwatch:DescribeAlarms', 'cloudwatch:DisableAlarmActions', 'cloudwatch:EnableAlarmActions', 'cloudwatch:SetAlarmState' ],
+              Resource: FnSub("arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*")
+            }]
+          }
+        }
         if ssm_parameters.any?
           policies << {
             PolicyName: 'ssm-parameters',
@@ -165,7 +175,37 @@ module CfnGuardian
           end
         end
       end
-      
+
+      def add_maintenance_group(group,config,parameters)
+        group_name = "#{group}MaintenanceGroup"
+        schedules = config.fetch('Schedules', {})
+        logging = config.dig('Schedules', 'Debug').to_s
+
+        topic = @template.SNS_Topic(group_name)
+        topic.TopicName group_name
+        topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
+        parameters[group_name] = Ref(group_name)
+
+        if schedules.any?
+          event = @template.Events_Rule("#{group_name}EnableEvent")
+          event.Name "#{group_name}EnableEvent"
+          event.ScheduleExpression "cron(#{schedules['Enable']})"
+          event.Targets([{ 
+            Arn: FnGetAtt('MaintenanceGroupCheckFunction', 'Arn'), 
+            Id: "#{group_name}EnableTarget", 
+            Input: {action:"enable_alarms", maintenance_group: group_name, logging: logging}.to_json
+          }])
+
+          event = @template.Events_Rule("#{group_name}DisableEvent")
+          event.Name "#{group_name}DisableEvent"
+          event.ScheduleExpression "cron(#{schedules['Disable']})"            
+          event.Targets([{ 
+            Arn: FnGetAtt('MaintenanceGroupCheckFunction', 'Arn'), 
+            Id: "#{group_name}DisableTarget", 
+            Input: {action:"disable_alarms", maintenance_group: group_name, logging: logging}.to_json
+          }])
+        end
+      end
     end
   end
 end

data/lib/cfnguardian/version.rb

@@ -1,4 +1,4 @@
 module CfnGuardian
-  VERSION = "0.6.13"
+  VERSION = "0.7.3"
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-guardian
 version: !ruby/object:Gem::Version
-  version: 0.6.13
+  version: 0.7.3
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-07-06 00:00:00.000000000 Z
+date: 2021-10-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -295,6 +295,7 @@ files:
 - lib/cfnguardian/resources/internal_http.rb
 - lib/cfnguardian/resources/internal_port.rb
 - lib/cfnguardian/resources/internal_sftp.rb
+- lib/cfnguardian/resources/jenkins.rb
 - lib/cfnguardian/resources/lambda.rb
 - lib/cfnguardian/resources/log_group.rb
 - lib/cfnguardian/resources/network_targetgroup.rb