cfn-guardian 0.6.2 → 0.6.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Dockerfile +2 -2
- data/README.md +1 -1
- data/lib/cfnguardian.rb +12 -8
- data/lib/cfnguardian/codecommit.rb +11 -2
- data/lib/cfnguardian/compile.rb +4 -0
- data/lib/cfnguardian/config/defaults.yaml +9 -0
- data/lib/cfnguardian/models/alarm.rb +59 -1
- data/lib/cfnguardian/models/event_subscription.rb +99 -84
- data/lib/cfnguardian/resources/amazonmq_rabbitmq.rb +136 -0
- data/lib/cfnguardian/resources/base.rb +1 -1
- data/lib/cfnguardian/resources/batch.rb +14 -0
- data/lib/cfnguardian/resources/glue.rb +23 -0
- data/lib/cfnguardian/resources/rds_instance.rb +9 -0
- data/lib/cfnguardian/resources/redshift_cluster.rb +24 -7
- data/lib/cfnguardian/resources/step_functions.rb +41 -0
- data/lib/cfnguardian/stacks/resources.rb +1 -1
- data/lib/cfnguardian/version.rb +1 -1
- metadata +7 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 53722b34244bb95ed843872058e736248af2c62c0ca574542cf92fffa19ac851
|
|
4
|
+
data.tar.gz: 82761250e49f3246c115b89a60d2e6c2bceb62b1e555f69fc1d3d2aff523d92c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f9c9a209b886d4988c7b8174000b9513212d173e51ccb35e29dd1ea859c3f666c74fef108457483ba0af9a96cf2c636e79858c92c69801f01d53a512d4361bc9
|
|
7
|
+
data.tar.gz: 22b7fd68e38bdb54cfe6a28f936182a4aa79c895e283a17afe31746f55ee2c4c6a149914d5870ac378a69147f53381da3e589b261d581036197bb9fcf03bd46e
|
data/Dockerfile
CHANGED
data/README.md
CHANGED
data/lib/cfnguardian.rb
CHANGED
|
@@ -50,7 +50,7 @@ module CfnGuardian
|
|
|
50
50
|
compiler = CfnGuardian::Compile.new(options[:config])
|
|
51
51
|
compiler.get_resources
|
|
52
52
|
compiler.compile_templates(s3.bucket,s3.path)
|
|
53
|
-
logger.info "
|
|
53
|
+
logger.info "Cloudformation templates compiled successfully in out/ directory"
|
|
54
54
|
if options[:validate]
|
|
55
55
|
s3.create_bucket_if_not_exists()
|
|
56
56
|
validator = CfnGuardian::Validate.new(s3.bucket)
|
|
@@ -58,7 +58,7 @@ module CfnGuardian
|
|
|
58
58
|
logger.error("One or more templates failed to validate")
|
|
59
59
|
exit(1)
|
|
60
60
|
else
|
|
61
|
-
logger.info "
|
|
61
|
+
logger.info "Cloudformation templates were validated successfully"
|
|
62
62
|
end
|
|
63
63
|
end
|
|
64
64
|
logger.warn "AWS cloudwatch alarms defined in the templates will cost roughly $#{'%.2f' % compiler.cost} per month"
|
|
@@ -96,7 +96,7 @@ module CfnGuardian
|
|
|
96
96
|
compiler.get_resources
|
|
97
97
|
compiler.compile_templates(s3.bucket,s3.path)
|
|
98
98
|
parameters = compiler.load_parameters(options)
|
|
99
|
-
logger.info "
|
|
99
|
+
logger.info "Cloudformation templates compiled successfully in out/ directory"
|
|
100
100
|
|
|
101
101
|
s3.create_bucket_if_not_exists
|
|
102
102
|
validator = CfnGuardian::Validate.new(s3.bucket)
|
|
@@ -104,7 +104,7 @@ module CfnGuardian
|
|
|
104
104
|
logger.error("One or more templates failed to validate")
|
|
105
105
|
exit(1)
|
|
106
106
|
else
|
|
107
|
-
logger.info "
|
|
107
|
+
logger.info "Cloudformation templates were validated successfully"
|
|
108
108
|
end
|
|
109
109
|
|
|
110
110
|
deployer = CfnGuardian::Deploy.new(options,s3.bucket,parameters)
|
|
@@ -299,14 +299,18 @@ module CfnGuardian
|
|
|
299
299
|
LONG
|
|
300
300
|
method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
|
|
301
301
|
method_option :repository, type: :string, default: 'guardian', desc: "codecommit repository name"
|
|
302
|
+
method_option :branch, type: :string, default: 'master', desc: "codecommit branch"
|
|
303
|
+
method_option :count, type: :numeric, default: 10, desc: "number of last commits to retrieve"
|
|
302
304
|
|
|
303
305
|
def show_config_history
|
|
304
306
|
set_region(options[:region],true)
|
|
305
307
|
|
|
306
|
-
history = CfnGuardian::CodeCommit.new(options[:repository]).get_commit_history()
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
308
|
+
history = CfnGuardian::CodeCommit.new(options[:repository]).get_commit_history(options[:branch], options[:count])
|
|
309
|
+
if history.any?
|
|
310
|
+
puts Terminal::Table.new(
|
|
311
|
+
:headings => history.first.keys.map{|h| h.to_s.to_heading},
|
|
312
|
+
:rows => history.map(&:values))
|
|
313
|
+
end
|
|
310
314
|
end
|
|
311
315
|
|
|
312
316
|
desc "show-pipeline", "Shows the current state of the AWS code pipeline"
|
|
@@ -19,9 +19,18 @@ module CfnGuardian
|
|
|
19
19
|
return resp.branch.commit_id
|
|
20
20
|
end
|
|
21
21
|
|
|
22
|
-
def get_commit_history(branch
|
|
22
|
+
def get_commit_history(branch,count)
|
|
23
23
|
history = []
|
|
24
|
-
|
|
24
|
+
|
|
25
|
+
begin
|
|
26
|
+
commit = get_last_commit(branch)
|
|
27
|
+
rescue Aws::CodeCommit::Errors::BranchDoesNotExistException => e
|
|
28
|
+
logger.error "Branch #{branch} does not exist in the #{@repo_name} repository"
|
|
29
|
+
return []
|
|
30
|
+
rescue Aws::CodeCommit::Errors::RepositoryDoesNotExistException => e
|
|
31
|
+
logger.error "Respository #{@repo_name} does not exist in this AWS account or region"
|
|
32
|
+
return []
|
|
33
|
+
end
|
|
25
34
|
|
|
26
35
|
count.times do
|
|
27
36
|
|
data/lib/cfnguardian/compile.rb
CHANGED
|
@@ -36,6 +36,10 @@ require 'cfnguardian/resources/sftp'
|
|
|
36
36
|
require 'cfnguardian/resources/internal_sftp'
|
|
37
37
|
require 'cfnguardian/resources/tls'
|
|
38
38
|
require 'cfnguardian/resources/azure_file'
|
|
39
|
+
require 'cfnguardian/resources/amazonmq_rabbitmq'
|
|
40
|
+
require 'cfnguardian/resources/batch'
|
|
41
|
+
require 'cfnguardian/resources/glue'
|
|
42
|
+
require 'cfnguardian/resources/step_functions'
|
|
39
43
|
require 'cfnguardian/version'
|
|
40
44
|
require 'cfnguardian/error'
|
|
41
45
|
|
|
@@ -1,6 +1,15 @@
|
|
|
1
1
|
Resources:
|
|
2
2
|
AmazonMQBroker:
|
|
3
3
|
- Id: Default
|
|
4
|
+
AmazonMQRabbitMQBroker:
|
|
5
|
+
- Id: Default
|
|
6
|
+
AmazonMQRabbitMQNode:
|
|
7
|
+
- Id: Default
|
|
8
|
+
Node: Default
|
|
9
|
+
AmazonMQRabbitMQQueue:
|
|
10
|
+
- Id: Default
|
|
11
|
+
Queue: Default
|
|
12
|
+
Vhost: Default
|
|
4
13
|
ApiGateway:
|
|
5
14
|
- Id: Default
|
|
6
15
|
ApplicationTargetGroup:
|
|
@@ -94,6 +94,40 @@ module CfnGuardian
|
|
|
94
94
|
@dimensions = { Broker: resource['Id'] }
|
|
95
95
|
end
|
|
96
96
|
end
|
|
97
|
+
|
|
98
|
+
class AmazonMQRabbitMQBrokerAlarm < BaseAlarm
|
|
99
|
+
def initialize(resource)
|
|
100
|
+
super(resource)
|
|
101
|
+
@group = 'AmazonMQRabbitMQBroker'
|
|
102
|
+
@namespace = 'AWS/AmazonMQ'
|
|
103
|
+
@dimensions = { Broker: resource['Id'] }
|
|
104
|
+
end
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
class AmazonMQRabbitMQNodeAlarm < BaseAlarm
|
|
108
|
+
def initialize(resource)
|
|
109
|
+
super(resource)
|
|
110
|
+
@group = 'AmazonMQRabbitMQNode'
|
|
111
|
+
@namespace = 'AWS/AmazonMQ'
|
|
112
|
+
@dimensions = {
|
|
113
|
+
Broker: resource['Id'],
|
|
114
|
+
Node: resource['Node']
|
|
115
|
+
}
|
|
116
|
+
end
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
class AmazonMQRabbitMQQueueAlarm < BaseAlarm
|
|
120
|
+
def initialize(resource)
|
|
121
|
+
super(resource)
|
|
122
|
+
@group = 'AmazonMQRabbitMQQueue'
|
|
123
|
+
@namespace = 'AWS/AmazonMQ'
|
|
124
|
+
@dimensions = {
|
|
125
|
+
Broker: resource['Id'],
|
|
126
|
+
Queue: resource['Queue'],
|
|
127
|
+
VirtualHost: resource['Vhost']
|
|
128
|
+
}
|
|
129
|
+
end
|
|
130
|
+
end
|
|
97
131
|
|
|
98
132
|
class CloudFrontDistributionAlarm < BaseAlarm
|
|
99
133
|
def initialize(resource)
|
|
@@ -309,7 +343,31 @@ module CfnGuardian
|
|
|
309
343
|
@dimensions = { DBInstanceIdentifier: resource['Id'] }
|
|
310
344
|
end
|
|
311
345
|
end
|
|
312
|
-
|
|
346
|
+
|
|
347
|
+
class StepFunctionsAlarm < BaseAlarm
|
|
348
|
+
def initialize(resource)
|
|
349
|
+
super(resource)
|
|
350
|
+
@group = 'StepFunctions'
|
|
351
|
+
@namespace = 'AWS/States'
|
|
352
|
+
@dimensions = { StateMachineArn: { "Fn::Sub" => "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:#{resource['Id']}"} }
|
|
353
|
+
end
|
|
354
|
+
end
|
|
355
|
+
|
|
356
|
+
class BatchAlarm < BaseAlarm
|
|
357
|
+
def initialize(resource)
|
|
358
|
+
super(resource)
|
|
359
|
+
@group = 'Batch'
|
|
360
|
+
end
|
|
361
|
+
end
|
|
362
|
+
|
|
363
|
+
class GlueAlarm < BaseAlarm
|
|
364
|
+
def initialize(resource)
|
|
365
|
+
super(resource)
|
|
366
|
+
@group = 'Batch'
|
|
367
|
+
@namespace = 'Glue'
|
|
368
|
+
end
|
|
369
|
+
end
|
|
370
|
+
|
|
313
371
|
class SqlAlarm < BaseAlarm
|
|
314
372
|
def initialize(resource)
|
|
315
373
|
super(resource)
|
|
@@ -1,96 +1,111 @@
|
|
|
1
1
|
module CfnGuardian
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
2
|
+
module Models
|
|
3
|
+
class BaseEventSubscription
|
|
4
|
+
|
|
5
|
+
attr_reader :type, :group
|
|
6
|
+
attr_writer :detail
|
|
7
|
+
attr_accessor :name,
|
|
8
|
+
:enabled,
|
|
9
|
+
:hash,
|
|
10
|
+
:topic,
|
|
11
|
+
:resource_id,
|
|
12
|
+
:resource_arn,
|
|
13
|
+
:source,
|
|
14
|
+
:detail_type,
|
|
15
|
+
:detail
|
|
16
16
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
17
|
+
def initialize(resource)
|
|
18
|
+
@type = 'EventSubscription'
|
|
19
|
+
@group = self.class.name.split('::').last
|
|
20
|
+
@name = ''
|
|
21
|
+
@hash = Digest::MD5.hexdigest resource['Id']
|
|
22
|
+
@enabled = true
|
|
23
|
+
@events = []
|
|
24
|
+
@topic = 'Events'
|
|
25
|
+
@resource_id = resource['Id']
|
|
26
|
+
@resource_arn = ''
|
|
27
|
+
@source = ''
|
|
28
|
+
@detail_type = ''
|
|
29
|
+
@detail = {}
|
|
30
|
+
end
|
|
31
31
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
32
|
+
def detail
|
|
33
|
+
return @detail
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
class RDSEventSubscription < BaseEventSubscription
|
|
38
|
+
attr_accessor :source_id, :rds_event_category, :message
|
|
36
39
|
|
|
37
|
-
|
|
38
|
-
|
|
40
|
+
def initialize(resource)
|
|
41
|
+
super(resource)
|
|
42
|
+
@source = 'aws.rds'
|
|
43
|
+
@detail_type = 'RDS DB Instance Event'
|
|
44
|
+
@source_id = ''
|
|
45
|
+
@rds_event_category = ''
|
|
46
|
+
@message = ''
|
|
47
|
+
end
|
|
39
48
|
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
49
|
+
def detail
|
|
50
|
+
return {
|
|
51
|
+
EventCategories: [@rds_event_category],
|
|
52
|
+
SourceType: [@source_type],
|
|
53
|
+
SourceIdentifier: ["rds:#{@resource_id}"],
|
|
54
|
+
Message: [@message]
|
|
55
|
+
}
|
|
56
|
+
end
|
|
57
|
+
end
|
|
48
58
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
}
|
|
56
|
-
end
|
|
57
|
-
end
|
|
59
|
+
class RDSInstanceEventSubscription < RDSEventSubscription
|
|
60
|
+
def initialize(resource)
|
|
61
|
+
super(resource)
|
|
62
|
+
@source_type = 'DB_INSTANCE'
|
|
63
|
+
end
|
|
64
|
+
end
|
|
58
65
|
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
66
|
+
class RDSClusterEventSubscription < RDSEventSubscription
|
|
67
|
+
def initialize(resource)
|
|
68
|
+
super(resource)
|
|
69
|
+
@source_type = 'DB_CLUSTER'
|
|
70
|
+
end
|
|
71
|
+
end
|
|
65
72
|
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
73
|
+
class Ec2InstanceEventSubscription < BaseEventSubscription
|
|
74
|
+
def initialize(resource)
|
|
75
|
+
super(resource)
|
|
76
|
+
@source = 'aws.ec2'
|
|
77
|
+
end
|
|
78
|
+
end
|
|
72
79
|
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
80
|
+
class BatchEventSubscription < BaseEventSubscription
|
|
81
|
+
def initialize(resource)
|
|
82
|
+
super(resource)
|
|
83
|
+
@source = 'aws.batch'
|
|
84
|
+
end
|
|
85
|
+
end
|
|
79
86
|
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
class DynamoDBTableEventSubscription < BaseEventSubscription; end
|
|
86
|
-
class Ec2InstanceEventSubscription < BaseEventSubscription; end
|
|
87
|
-
class ECSClusterEventSubscription < BaseEventSubscription; end
|
|
88
|
-
class ECSServiceEventSubscription < BaseEventSubscription; end
|
|
89
|
-
class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
|
|
90
|
-
class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
|
|
91
|
-
class ElasticFileSystemEventSubscription < BaseEventSubscription; end
|
|
92
|
-
class LambdaEventSubscription < BaseEventSubscription; end
|
|
93
|
-
class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
|
|
94
|
-
class RedshiftClusterEventSubscription < BaseEventSubscription; end
|
|
87
|
+
class GlueEventSubscription < BaseEventSubscription
|
|
88
|
+
def initialize(resource)
|
|
89
|
+
super(resource)
|
|
90
|
+
@source = 'aws.glue'
|
|
91
|
+
end
|
|
95
92
|
end
|
|
93
|
+
|
|
94
|
+
class ApiGatewayEventSubscription < BaseEventSubscription; end
|
|
95
|
+
class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
|
|
96
|
+
class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
|
|
97
|
+
class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
|
|
98
|
+
class AutoScalingGroupEventSubscription < BaseEventSubscription; end
|
|
99
|
+
class DynamoDBTableEventSubscription < BaseEventSubscription; end
|
|
100
|
+
class Ec2InstanceEventSubscription < BaseEventSubscription; end
|
|
101
|
+
class ECSClusterEventSubscription < BaseEventSubscription; end
|
|
102
|
+
class ECSServiceEventSubscription < BaseEventSubscription; end
|
|
103
|
+
class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
|
|
104
|
+
class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
|
|
105
|
+
class ElasticFileSystemEventSubscription < BaseEventSubscription; end
|
|
106
|
+
class LambdaEventSubscription < BaseEventSubscription; end
|
|
107
|
+
class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
|
|
108
|
+
class RedshiftClusterEventSubscription < BaseEventSubscription; end
|
|
109
|
+
class StepFunctionsSubscription < BaseEventSubscription; end
|
|
110
|
+
end
|
|
96
111
|
end
|
|
@@ -0,0 +1,136 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class AmazonMQRabbitMQBroker < Base
|
|
3
|
+
|
|
4
|
+
def default_alarms
|
|
5
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
|
|
6
|
+
alarm.name = 'ConnectionCountCritical'
|
|
7
|
+
alarm.metric_name = 'ConnectionCount'
|
|
8
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
9
|
+
alarm.statistic = 'Maximum'
|
|
10
|
+
alarm.threshold = 50
|
|
11
|
+
alarm.evaluation_periods = 5
|
|
12
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
13
|
+
@alarms.push(alarm)
|
|
14
|
+
|
|
15
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
|
|
16
|
+
alarm.name = 'ConnectionCountWarn'
|
|
17
|
+
alarm.metric_name = 'ConnectionCount'
|
|
18
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
19
|
+
alarm.statistic = 'Maximum'
|
|
20
|
+
alarm.threshold = 25
|
|
21
|
+
alarm.evaluation_periods = 5
|
|
22
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
23
|
+
alarm.alarm_action = 'Warning'
|
|
24
|
+
@alarms.push(alarm)
|
|
25
|
+
|
|
26
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
|
|
27
|
+
alarm.name = 'MessageCountCritical'
|
|
28
|
+
alarm.metric_name = 'MessageCount'
|
|
29
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
30
|
+
alarm.statistic = 'Maximum'
|
|
31
|
+
alarm.threshold = 500
|
|
32
|
+
alarm.evaluation_periods = 5
|
|
33
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
34
|
+
@alarms.push(alarm)
|
|
35
|
+
|
|
36
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
|
|
37
|
+
alarm.name = 'MessageCountWarn'
|
|
38
|
+
alarm.metric_name = 'MessageCount'
|
|
39
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
40
|
+
alarm.statistic = 'Maximum'
|
|
41
|
+
alarm.threshold = 250
|
|
42
|
+
alarm.evaluation_periods = 5
|
|
43
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
44
|
+
alarm.alarm_action = 'Warning'
|
|
45
|
+
@alarms.push(alarm)
|
|
46
|
+
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
class AmazonMQRabbitMQQueue < Base
|
|
51
|
+
|
|
52
|
+
def default_alarms
|
|
53
|
+
|
|
54
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQQueueAlarm.new(@resource)
|
|
55
|
+
alarm.name = 'MessageCountHighWarn'
|
|
56
|
+
alarm.metric_name = 'MessageCount'
|
|
57
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
58
|
+
alarm.statistic = 'Maximum'
|
|
59
|
+
alarm.threshold = 100
|
|
60
|
+
alarm.evaluation_periods = 5
|
|
61
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
62
|
+
alarm.alarm_action = 'Warning'
|
|
63
|
+
@alarms.push(alarm)
|
|
64
|
+
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
class AmazonMQRabbitMQNode < Base
|
|
69
|
+
|
|
70
|
+
def default_alarms
|
|
71
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
72
|
+
alarm.name = 'SystemCpuUtilizationCritical'
|
|
73
|
+
alarm.metric_name = 'SystemCpuUtilization'
|
|
74
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
75
|
+
alarm.statistic = 'Maximum'
|
|
76
|
+
alarm.threshold = 95
|
|
77
|
+
alarm.evaluation_periods = 10
|
|
78
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
79
|
+
@alarms.push(alarm)
|
|
80
|
+
|
|
81
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
82
|
+
alarm.name = 'SystemCpuUtilizationHighBase'
|
|
83
|
+
alarm.metric_name = 'SystemCpuUtilization'
|
|
84
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
85
|
+
alarm.statistic = 'Maximum'
|
|
86
|
+
alarm.threshold = 75
|
|
87
|
+
alarm.evaluation_periods = 30
|
|
88
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
89
|
+
alarm.alarm_action = 'Warning'
|
|
90
|
+
@alarms.push(alarm)
|
|
91
|
+
|
|
92
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
93
|
+
alarm.name = 'RabbitMQMemUsedCritical'
|
|
94
|
+
alarm.metric_name = 'RabbitMQMemUsed'
|
|
95
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
96
|
+
alarm.statistic = 'Maximum'
|
|
97
|
+
alarm.threshold = 390000000
|
|
98
|
+
alarm.evaluation_periods = 5
|
|
99
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
100
|
+
@alarms.push(alarm)
|
|
101
|
+
|
|
102
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
103
|
+
alarm.name = 'RabbitMQMemUsedWarn'
|
|
104
|
+
alarm.metric_name = 'RabbitMQMemUsed'
|
|
105
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
106
|
+
alarm.statistic = 'Maximum'
|
|
107
|
+
alarm.threshold = 350000000
|
|
108
|
+
alarm.evaluation_periods = 5
|
|
109
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
110
|
+
alarm.alarm_action = 'Warning'
|
|
111
|
+
@alarms.push(alarm)
|
|
112
|
+
|
|
113
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
114
|
+
alarm.name = 'RabbitMQDiskFreeLimitCritical'
|
|
115
|
+
alarm.metric_name = 'RabbitMQDiskFreeLimit'
|
|
116
|
+
alarm.comparison_operator = 'LessThanThreshold'
|
|
117
|
+
alarm.statistic = 'Maximum'
|
|
118
|
+
alarm.threshold = 1200000000
|
|
119
|
+
alarm.evaluation_periods = 5
|
|
120
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
121
|
+
@alarms.push(alarm)
|
|
122
|
+
|
|
123
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
124
|
+
alarm.name = 'RabbitMQDiskFreeLimitWarn'
|
|
125
|
+
alarm.metric_name = 'RabbitMQDiskFreeLimit'
|
|
126
|
+
alarm.comparison_operator = 'LessThanThreshold'
|
|
127
|
+
alarm.statistic = 'Maximum'
|
|
128
|
+
alarm.threshold = 1200000000
|
|
129
|
+
alarm.evaluation_periods = 5
|
|
130
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
131
|
+
alarm.alarm_action = 'Warning'
|
|
132
|
+
@alarms.push(alarm)
|
|
133
|
+
|
|
134
|
+
end
|
|
135
|
+
end
|
|
136
|
+
end
|
|
@@ -108,7 +108,7 @@ module CfnGuardian::Resource
|
|
|
108
108
|
@alarms.each do |alarm|
|
|
109
109
|
next if alarm.dimensions.nil?
|
|
110
110
|
alarm.dimensions.each do |k,v|
|
|
111
|
-
if v.match?(/^\${Resource::.*[A-Za-z]}$/)
|
|
111
|
+
if v.is_a?(String) && v.match?(/^\${Resource::.*[A-Za-z]}$/)
|
|
112
112
|
resource_key = v.tr('${}', '').split('Resource::').last
|
|
113
113
|
if @resource.has_key?(resource_key)
|
|
114
114
|
logger.debug "overriding alarm #{alarm.name} dimension key '#{k}' with value '#{@resource[resource_key]}'"
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class Batch < Base
|
|
3
|
+
def default_event_subscriptions()
|
|
4
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
|
5
|
+
event_subscription.name = 'FailedBatch'
|
|
6
|
+
event_subscription.detail_type = 'Batch Job State Change'
|
|
7
|
+
event_subscription.detail = {
|
|
8
|
+
'status': ['FAILED'],
|
|
9
|
+
'jobQueue': ["arn:aws:batch:${AWS::Region}:${AWS::AccountId}:job-queue/#{@resource['Id']}"]
|
|
10
|
+
}
|
|
11
|
+
@event_subscriptions.push(event_subscription)
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
end
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class Glue < Base
|
|
3
|
+
def default_event_subscriptions()
|
|
4
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
|
5
|
+
event_subscription.name = 'FailedGlueJob'
|
|
6
|
+
event_subscription.detail_type = 'Glue Job State Change'
|
|
7
|
+
event_subscription.detail = {
|
|
8
|
+
'state': ['FAILED'],
|
|
9
|
+
'jobName': [{'prefix': @resource['Id']}]
|
|
10
|
+
}
|
|
11
|
+
@event_subscriptions.push(event_subscription)
|
|
12
|
+
|
|
13
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
|
14
|
+
event_subscription.name = 'TimeoutGlueJob'
|
|
15
|
+
event_subscription.detail_type = 'Glue Job State Change'
|
|
16
|
+
event_subscription.detail = {
|
|
17
|
+
'state': ['TIMEOUT'],
|
|
18
|
+
'jobName': [{'prefix': @resource['Id']}]
|
|
19
|
+
}
|
|
20
|
+
@event_subscriptions.push(event_subscription)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
@@ -41,6 +41,15 @@ module CfnGuardian::Resource
|
|
|
41
41
|
alarm.threshold = 45
|
|
42
42
|
alarm.evaluation_periods = 10
|
|
43
43
|
@alarms.push(alarm)
|
|
44
|
+
|
|
45
|
+
alarm = CfnGuardian::Models::RDSInstanceAlarm.new(@resource)
|
|
46
|
+
alarm.name = 'ReplicaLag'
|
|
47
|
+
alarm.metric_name = 'ReplicaLag'
|
|
48
|
+
alarm.threshold = 30 # seconds
|
|
49
|
+
alarm.evaluation_periods = 5
|
|
50
|
+
alarm.alarm_action = 'Warning'
|
|
51
|
+
alarm.enabled = false
|
|
52
|
+
@alarms.push(alarm)
|
|
44
53
|
end
|
|
45
54
|
|
|
46
55
|
def default_event_subscriptions()
|
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
module CfnGuardian::Resource
|
|
2
2
|
class RedshiftCluster < Base
|
|
3
|
-
|
|
4
|
-
def default_alarms
|
|
3
|
+
|
|
4
|
+
def default_alarms
|
|
5
5
|
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
6
6
|
alarm.name = 'CPUUtilizationHighSpike'
|
|
7
7
|
alarm.metric_name = 'CPUUtilization'
|
|
8
8
|
alarm.threshold = 95
|
|
9
9
|
alarm.evaluation_periods = 10
|
|
10
10
|
@alarms.push(alarm)
|
|
11
|
-
|
|
11
|
+
|
|
12
12
|
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
13
13
|
alarm.name = 'CPUUtilizationHighBase'
|
|
14
14
|
alarm.metric_name = 'CPUUtilization'
|
|
@@ -16,15 +16,32 @@ module CfnGuardian::Resource
|
|
|
16
16
|
alarm.evaluation_periods = 60
|
|
17
17
|
alarm.alarm_action = 'Warning'
|
|
18
18
|
@alarms.push(alarm)
|
|
19
|
-
|
|
19
|
+
|
|
20
20
|
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
21
21
|
alarm.name = 'UnHealthyCluster'
|
|
22
22
|
alarm.metric_name = 'HealthStatus'
|
|
23
|
-
alarm.
|
|
23
|
+
alarm.comparison_operator = 'LessThanThreshold'
|
|
24
|
+
alarm.threshold = 1
|
|
24
25
|
alarm.evaluation_periods = 10
|
|
25
|
-
alarm
|
|
26
|
+
@alarms.push(alarm)
|
|
27
|
+
|
|
28
|
+
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
29
|
+
alarm.name = 'DiskSpaceUsedCrit'
|
|
30
|
+
alarm.metric_name = 'PercentageDiskSpaceUsed'
|
|
31
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
32
|
+
alarm.threshold = 90
|
|
33
|
+
alarm.evaluation_periods = 10
|
|
34
|
+
@alarms.push(alarm)
|
|
35
|
+
|
|
36
|
+
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
37
|
+
alarm.name = 'DiskSpaceUsedWarm'
|
|
38
|
+
alarm.metric_name = 'PercentageDiskSpaceUsed'
|
|
39
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
40
|
+
alarm.threshold = 80
|
|
41
|
+
alarm.evaluation_periods = 10
|
|
42
|
+
alarm.alarm_action = 'Warning'
|
|
26
43
|
@alarms.push(alarm)
|
|
27
44
|
end
|
|
28
|
-
|
|
45
|
+
|
|
29
46
|
end
|
|
30
47
|
end
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class StepFunctions < Base
|
|
3
|
+
|
|
4
|
+
def default_alarms
|
|
5
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
|
6
|
+
alarm.name = 'ExecutionsFailed'
|
|
7
|
+
alarm.metric_name = 'ExecutionsFailed'
|
|
8
|
+
alarm.threshold = 1
|
|
9
|
+
alarm.evaluation_periods = 5
|
|
10
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
11
|
+
@alarms.push(alarm)
|
|
12
|
+
|
|
13
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
|
14
|
+
alarm.name = 'ExecutionsTimedOut'
|
|
15
|
+
alarm.metric_name = 'ExecutionsTimedOut'
|
|
16
|
+
alarm.threshold = 1
|
|
17
|
+
alarm.evaluation_periods = 5
|
|
18
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
19
|
+
@alarms.push(alarm)
|
|
20
|
+
|
|
21
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
|
22
|
+
alarm.name = 'ExecutionThrottled'
|
|
23
|
+
alarm.metric_name = 'ExecutionThrottled'
|
|
24
|
+
alarm.threshold = 1
|
|
25
|
+
alarm.evaluation_periods = 5
|
|
26
|
+
alarm.alarm_action = 'Warning'
|
|
27
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
28
|
+
@alarms.push(alarm)
|
|
29
|
+
|
|
30
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
|
31
|
+
alarm.name = 'ExecutionTime'
|
|
32
|
+
alarm.metric_name = 'ExecutionTime'
|
|
33
|
+
alarm.threshold = 60
|
|
34
|
+
alarm.evaluation_periods = 5
|
|
35
|
+
alarm.alarm_action = 'Warning'
|
|
36
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
37
|
+
@alarms.push(alarm)
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
end
|
|
41
|
+
end
|
|
@@ -132,7 +132,7 @@ module CfnGuardian
|
|
|
132
132
|
Events_Rule("#{subscription.group}#{subscription.name}#{subscription.hash}"[0..255]) do
|
|
133
133
|
State subscription.enabled ? 'ENABLED' : 'DISABLED'
|
|
134
134
|
Description "Guardian event subscription #{subscription.group} #{subscription.name} for resource #{subscription.resource_id}"
|
|
135
|
-
EventPattern event_pattern
|
|
135
|
+
EventPattern FnSub(event_pattern.to_json)
|
|
136
136
|
Targets [
|
|
137
137
|
{
|
|
138
138
|
Arn: Ref(subscription.topic),
|
data/lib/cfnguardian/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-guardian
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.6.
|
|
4
|
+
version: 0.6.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Guslington
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-04-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor
|
|
@@ -271,11 +271,13 @@ files:
|
|
|
271
271
|
- lib/cfnguardian/models/event_subscription.rb
|
|
272
272
|
- lib/cfnguardian/models/metric_filter.rb
|
|
273
273
|
- lib/cfnguardian/resources/amazonmq_broker.rb
|
|
274
|
+
- lib/cfnguardian/resources/amazonmq_rabbitmq.rb
|
|
274
275
|
- lib/cfnguardian/resources/apigateway.rb
|
|
275
276
|
- lib/cfnguardian/resources/application_targetgroup.rb
|
|
276
277
|
- lib/cfnguardian/resources/autoscaling_group.rb
|
|
277
278
|
- lib/cfnguardian/resources/azure_file.rb
|
|
278
279
|
- lib/cfnguardian/resources/base.rb
|
|
280
|
+
- lib/cfnguardian/resources/batch.rb
|
|
279
281
|
- lib/cfnguardian/resources/cloudfront_distribution.rb
|
|
280
282
|
- lib/cfnguardian/resources/domain_expiry.rb
|
|
281
283
|
- lib/cfnguardian/resources/dynamodb_table.rb
|
|
@@ -285,6 +287,7 @@ files:
|
|
|
285
287
|
- lib/cfnguardian/resources/elastic_file_system.rb
|
|
286
288
|
- lib/cfnguardian/resources/elastic_loadbalancer.rb
|
|
287
289
|
- lib/cfnguardian/resources/elasticache_replication_group.rb
|
|
290
|
+
- lib/cfnguardian/resources/glue.rb
|
|
288
291
|
- lib/cfnguardian/resources/http.rb
|
|
289
292
|
- lib/cfnguardian/resources/internal_http.rb
|
|
290
293
|
- lib/cfnguardian/resources/internal_port.rb
|
|
@@ -301,6 +304,7 @@ files:
|
|
|
301
304
|
- lib/cfnguardian/resources/sftp.rb
|
|
302
305
|
- lib/cfnguardian/resources/sql.rb
|
|
303
306
|
- lib/cfnguardian/resources/sqs_queue.rb
|
|
307
|
+
- lib/cfnguardian/resources/step_functions.rb
|
|
304
308
|
- lib/cfnguardian/resources/tls.rb
|
|
305
309
|
- lib/cfnguardian/s3.rb
|
|
306
310
|
- lib/cfnguardian/stacks/main.rb
|
|
@@ -330,7 +334,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
330
334
|
- !ruby/object:Gem::Version
|
|
331
335
|
version: '0'
|
|
332
336
|
requirements: []
|
|
333
|
-
rubygems_version: 3.1.
|
|
337
|
+
rubygems_version: 3.1.6
|
|
334
338
|
signing_key:
|
|
335
339
|
specification_version: 4
|
|
336
340
|
summary: Manages AWS cloudwatch alarms with default templates using cloudformation
|