cfn-guardian 0.6.2 → 0.6.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Dockerfile +2 -2
- data/README.md +1 -1
- data/lib/cfnguardian.rb +12 -8
- data/lib/cfnguardian/codecommit.rb +11 -2
- data/lib/cfnguardian/compile.rb +4 -0
- data/lib/cfnguardian/config/defaults.yaml +9 -0
- data/lib/cfnguardian/models/alarm.rb +59 -1
- data/lib/cfnguardian/models/event_subscription.rb +99 -84
- data/lib/cfnguardian/resources/amazonmq_rabbitmq.rb +136 -0
- data/lib/cfnguardian/resources/base.rb +1 -1
- data/lib/cfnguardian/resources/batch.rb +14 -0
- data/lib/cfnguardian/resources/glue.rb +23 -0
- data/lib/cfnguardian/resources/rds_instance.rb +9 -0
- data/lib/cfnguardian/resources/redshift_cluster.rb +24 -7
- data/lib/cfnguardian/resources/step_functions.rb +41 -0
- data/lib/cfnguardian/stacks/resources.rb +1 -1
- data/lib/cfnguardian/version.rb +1 -1
- metadata +7 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 53722b34244bb95ed843872058e736248af2c62c0ca574542cf92fffa19ac851
|
|
4
|
+
data.tar.gz: 82761250e49f3246c115b89a60d2e6c2bceb62b1e555f69fc1d3d2aff523d92c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f9c9a209b886d4988c7b8174000b9513212d173e51ccb35e29dd1ea859c3f666c74fef108457483ba0af9a96cf2c636e79858c92c69801f01d53a512d4361bc9
|
|
7
|
+
data.tar.gz: 22b7fd68e38bdb54cfe6a28f936182a4aa79c895e283a17afe31746f55ee2c4c6a149914d5870ac378a69147f53381da3e589b261d581036197bb9fcf03bd46e
|
data/Dockerfile
CHANGED
data/README.md
CHANGED
data/lib/cfnguardian.rb
CHANGED
|
@@ -50,7 +50,7 @@ module CfnGuardian
|
|
|
50
50
|
compiler = CfnGuardian::Compile.new(options[:config])
|
|
51
51
|
compiler.get_resources
|
|
52
52
|
compiler.compile_templates(s3.bucket,s3.path)
|
|
53
|
-
logger.info "
|
|
53
|
+
logger.info "Cloudformation templates compiled successfully in out/ directory"
|
|
54
54
|
if options[:validate]
|
|
55
55
|
s3.create_bucket_if_not_exists()
|
|
56
56
|
validator = CfnGuardian::Validate.new(s3.bucket)
|
|
@@ -58,7 +58,7 @@ module CfnGuardian
|
|
|
58
58
|
logger.error("One or more templates failed to validate")
|
|
59
59
|
exit(1)
|
|
60
60
|
else
|
|
61
|
-
logger.info "
|
|
61
|
+
logger.info "Cloudformation templates were validated successfully"
|
|
62
62
|
end
|
|
63
63
|
end
|
|
64
64
|
logger.warn "AWS cloudwatch alarms defined in the templates will cost roughly $#{'%.2f' % compiler.cost} per month"
|
|
@@ -96,7 +96,7 @@ module CfnGuardian
|
|
|
96
96
|
compiler.get_resources
|
|
97
97
|
compiler.compile_templates(s3.bucket,s3.path)
|
|
98
98
|
parameters = compiler.load_parameters(options)
|
|
99
|
-
logger.info "
|
|
99
|
+
logger.info "Cloudformation templates compiled successfully in out/ directory"
|
|
100
100
|
|
|
101
101
|
s3.create_bucket_if_not_exists
|
|
102
102
|
validator = CfnGuardian::Validate.new(s3.bucket)
|
|
@@ -104,7 +104,7 @@ module CfnGuardian
|
|
|
104
104
|
logger.error("One or more templates failed to validate")
|
|
105
105
|
exit(1)
|
|
106
106
|
else
|
|
107
|
-
logger.info "
|
|
107
|
+
logger.info "Cloudformation templates were validated successfully"
|
|
108
108
|
end
|
|
109
109
|
|
|
110
110
|
deployer = CfnGuardian::Deploy.new(options,s3.bucket,parameters)
|
|
@@ -299,14 +299,18 @@ module CfnGuardian
|
|
|
299
299
|
LONG
|
|
300
300
|
method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
|
|
301
301
|
method_option :repository, type: :string, default: 'guardian', desc: "codecommit repository name"
|
|
302
|
+
method_option :branch, type: :string, default: 'master', desc: "codecommit branch"
|
|
303
|
+
method_option :count, type: :numeric, default: 10, desc: "number of last commits to retrieve"
|
|
302
304
|
|
|
303
305
|
def show_config_history
|
|
304
306
|
set_region(options[:region],true)
|
|
305
307
|
|
|
306
|
-
history = CfnGuardian::CodeCommit.new(options[:repository]).get_commit_history()
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
308
|
+
history = CfnGuardian::CodeCommit.new(options[:repository]).get_commit_history(options[:branch], options[:count])
|
|
309
|
+
if history.any?
|
|
310
|
+
puts Terminal::Table.new(
|
|
311
|
+
:headings => history.first.keys.map{|h| h.to_s.to_heading},
|
|
312
|
+
:rows => history.map(&:values))
|
|
313
|
+
end
|
|
310
314
|
end
|
|
311
315
|
|
|
312
316
|
desc "show-pipeline", "Shows the current state of the AWS code pipeline"
|
|
@@ -19,9 +19,18 @@ module CfnGuardian
|
|
|
19
19
|
return resp.branch.commit_id
|
|
20
20
|
end
|
|
21
21
|
|
|
22
|
-
def get_commit_history(branch
|
|
22
|
+
def get_commit_history(branch,count)
|
|
23
23
|
history = []
|
|
24
|
-
|
|
24
|
+
|
|
25
|
+
begin
|
|
26
|
+
commit = get_last_commit(branch)
|
|
27
|
+
rescue Aws::CodeCommit::Errors::BranchDoesNotExistException => e
|
|
28
|
+
logger.error "Branch #{branch} does not exist in the #{@repo_name} repository"
|
|
29
|
+
return []
|
|
30
|
+
rescue Aws::CodeCommit::Errors::RepositoryDoesNotExistException => e
|
|
31
|
+
logger.error "Respository #{@repo_name} does not exist in this AWS account or region"
|
|
32
|
+
return []
|
|
33
|
+
end
|
|
25
34
|
|
|
26
35
|
count.times do
|
|
27
36
|
|
data/lib/cfnguardian/compile.rb
CHANGED
|
@@ -36,6 +36,10 @@ require 'cfnguardian/resources/sftp'
|
|
|
36
36
|
require 'cfnguardian/resources/internal_sftp'
|
|
37
37
|
require 'cfnguardian/resources/tls'
|
|
38
38
|
require 'cfnguardian/resources/azure_file'
|
|
39
|
+
require 'cfnguardian/resources/amazonmq_rabbitmq'
|
|
40
|
+
require 'cfnguardian/resources/batch'
|
|
41
|
+
require 'cfnguardian/resources/glue'
|
|
42
|
+
require 'cfnguardian/resources/step_functions'
|
|
39
43
|
require 'cfnguardian/version'
|
|
40
44
|
require 'cfnguardian/error'
|
|
41
45
|
|
|
@@ -1,6 +1,15 @@
|
|
|
1
1
|
Resources:
|
|
2
2
|
AmazonMQBroker:
|
|
3
3
|
- Id: Default
|
|
4
|
+
AmazonMQRabbitMQBroker:
|
|
5
|
+
- Id: Default
|
|
6
|
+
AmazonMQRabbitMQNode:
|
|
7
|
+
- Id: Default
|
|
8
|
+
Node: Default
|
|
9
|
+
AmazonMQRabbitMQQueue:
|
|
10
|
+
- Id: Default
|
|
11
|
+
Queue: Default
|
|
12
|
+
Vhost: Default
|
|
4
13
|
ApiGateway:
|
|
5
14
|
- Id: Default
|
|
6
15
|
ApplicationTargetGroup:
|
|
@@ -94,6 +94,40 @@ module CfnGuardian
|
|
|
94
94
|
@dimensions = { Broker: resource['Id'] }
|
|
95
95
|
end
|
|
96
96
|
end
|
|
97
|
+
|
|
98
|
+
class AmazonMQRabbitMQBrokerAlarm < BaseAlarm
|
|
99
|
+
def initialize(resource)
|
|
100
|
+
super(resource)
|
|
101
|
+
@group = 'AmazonMQRabbitMQBroker'
|
|
102
|
+
@namespace = 'AWS/AmazonMQ'
|
|
103
|
+
@dimensions = { Broker: resource['Id'] }
|
|
104
|
+
end
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
class AmazonMQRabbitMQNodeAlarm < BaseAlarm
|
|
108
|
+
def initialize(resource)
|
|
109
|
+
super(resource)
|
|
110
|
+
@group = 'AmazonMQRabbitMQNode'
|
|
111
|
+
@namespace = 'AWS/AmazonMQ'
|
|
112
|
+
@dimensions = {
|
|
113
|
+
Broker: resource['Id'],
|
|
114
|
+
Node: resource['Node']
|
|
115
|
+
}
|
|
116
|
+
end
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
class AmazonMQRabbitMQQueueAlarm < BaseAlarm
|
|
120
|
+
def initialize(resource)
|
|
121
|
+
super(resource)
|
|
122
|
+
@group = 'AmazonMQRabbitMQQueue'
|
|
123
|
+
@namespace = 'AWS/AmazonMQ'
|
|
124
|
+
@dimensions = {
|
|
125
|
+
Broker: resource['Id'],
|
|
126
|
+
Queue: resource['Queue'],
|
|
127
|
+
VirtualHost: resource['Vhost']
|
|
128
|
+
}
|
|
129
|
+
end
|
|
130
|
+
end
|
|
97
131
|
|
|
98
132
|
class CloudFrontDistributionAlarm < BaseAlarm
|
|
99
133
|
def initialize(resource)
|
|
@@ -309,7 +343,31 @@ module CfnGuardian
|
|
|
309
343
|
@dimensions = { DBInstanceIdentifier: resource['Id'] }
|
|
310
344
|
end
|
|
311
345
|
end
|
|
312
|
-
|
|
346
|
+
|
|
347
|
+
class StepFunctionsAlarm < BaseAlarm
|
|
348
|
+
def initialize(resource)
|
|
349
|
+
super(resource)
|
|
350
|
+
@group = 'StepFunctions'
|
|
351
|
+
@namespace = 'AWS/States'
|
|
352
|
+
@dimensions = { StateMachineArn: { "Fn::Sub" => "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:#{resource['Id']}"} }
|
|
353
|
+
end
|
|
354
|
+
end
|
|
355
|
+
|
|
356
|
+
class BatchAlarm < BaseAlarm
|
|
357
|
+
def initialize(resource)
|
|
358
|
+
super(resource)
|
|
359
|
+
@group = 'Batch'
|
|
360
|
+
end
|
|
361
|
+
end
|
|
362
|
+
|
|
363
|
+
class GlueAlarm < BaseAlarm
|
|
364
|
+
def initialize(resource)
|
|
365
|
+
super(resource)
|
|
366
|
+
@group = 'Batch'
|
|
367
|
+
@namespace = 'Glue'
|
|
368
|
+
end
|
|
369
|
+
end
|
|
370
|
+
|
|
313
371
|
class SqlAlarm < BaseAlarm
|
|
314
372
|
def initialize(resource)
|
|
315
373
|
super(resource)
|
|
@@ -1,96 +1,111 @@
|
|
|
1
1
|
module CfnGuardian
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
2
|
+
module Models
|
|
3
|
+
class BaseEventSubscription
|
|
4
|
+
|
|
5
|
+
attr_reader :type, :group
|
|
6
|
+
attr_writer :detail
|
|
7
|
+
attr_accessor :name,
|
|
8
|
+
:enabled,
|
|
9
|
+
:hash,
|
|
10
|
+
:topic,
|
|
11
|
+
:resource_id,
|
|
12
|
+
:resource_arn,
|
|
13
|
+
:source,
|
|
14
|
+
:detail_type,
|
|
15
|
+
:detail
|
|
16
16
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
17
|
+
def initialize(resource)
|
|
18
|
+
@type = 'EventSubscription'
|
|
19
|
+
@group = self.class.name.split('::').last
|
|
20
|
+
@name = ''
|
|
21
|
+
@hash = Digest::MD5.hexdigest resource['Id']
|
|
22
|
+
@enabled = true
|
|
23
|
+
@events = []
|
|
24
|
+
@topic = 'Events'
|
|
25
|
+
@resource_id = resource['Id']
|
|
26
|
+
@resource_arn = ''
|
|
27
|
+
@source = ''
|
|
28
|
+
@detail_type = ''
|
|
29
|
+
@detail = {}
|
|
30
|
+
end
|
|
31
31
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
32
|
+
def detail
|
|
33
|
+
return @detail
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
class RDSEventSubscription < BaseEventSubscription
|
|
38
|
+
attr_accessor :source_id, :rds_event_category, :message
|
|
36
39
|
|
|
37
|
-
|
|
38
|
-
|
|
40
|
+
def initialize(resource)
|
|
41
|
+
super(resource)
|
|
42
|
+
@source = 'aws.rds'
|
|
43
|
+
@detail_type = 'RDS DB Instance Event'
|
|
44
|
+
@source_id = ''
|
|
45
|
+
@rds_event_category = ''
|
|
46
|
+
@message = ''
|
|
47
|
+
end
|
|
39
48
|
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
49
|
+
def detail
|
|
50
|
+
return {
|
|
51
|
+
EventCategories: [@rds_event_category],
|
|
52
|
+
SourceType: [@source_type],
|
|
53
|
+
SourceIdentifier: ["rds:#{@resource_id}"],
|
|
54
|
+
Message: [@message]
|
|
55
|
+
}
|
|
56
|
+
end
|
|
57
|
+
end
|
|
48
58
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
}
|
|
56
|
-
end
|
|
57
|
-
end
|
|
59
|
+
class RDSInstanceEventSubscription < RDSEventSubscription
|
|
60
|
+
def initialize(resource)
|
|
61
|
+
super(resource)
|
|
62
|
+
@source_type = 'DB_INSTANCE'
|
|
63
|
+
end
|
|
64
|
+
end
|
|
58
65
|
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
66
|
+
class RDSClusterEventSubscription < RDSEventSubscription
|
|
67
|
+
def initialize(resource)
|
|
68
|
+
super(resource)
|
|
69
|
+
@source_type = 'DB_CLUSTER'
|
|
70
|
+
end
|
|
71
|
+
end
|
|
65
72
|
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
73
|
+
class Ec2InstanceEventSubscription < BaseEventSubscription
|
|
74
|
+
def initialize(resource)
|
|
75
|
+
super(resource)
|
|
76
|
+
@source = 'aws.ec2'
|
|
77
|
+
end
|
|
78
|
+
end
|
|
72
79
|
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
80
|
+
class BatchEventSubscription < BaseEventSubscription
|
|
81
|
+
def initialize(resource)
|
|
82
|
+
super(resource)
|
|
83
|
+
@source = 'aws.batch'
|
|
84
|
+
end
|
|
85
|
+
end
|
|
79
86
|
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
class DynamoDBTableEventSubscription < BaseEventSubscription; end
|
|
86
|
-
class Ec2InstanceEventSubscription < BaseEventSubscription; end
|
|
87
|
-
class ECSClusterEventSubscription < BaseEventSubscription; end
|
|
88
|
-
class ECSServiceEventSubscription < BaseEventSubscription; end
|
|
89
|
-
class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
|
|
90
|
-
class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
|
|
91
|
-
class ElasticFileSystemEventSubscription < BaseEventSubscription; end
|
|
92
|
-
class LambdaEventSubscription < BaseEventSubscription; end
|
|
93
|
-
class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
|
|
94
|
-
class RedshiftClusterEventSubscription < BaseEventSubscription; end
|
|
87
|
+
class GlueEventSubscription < BaseEventSubscription
|
|
88
|
+
def initialize(resource)
|
|
89
|
+
super(resource)
|
|
90
|
+
@source = 'aws.glue'
|
|
91
|
+
end
|
|
95
92
|
end
|
|
93
|
+
|
|
94
|
+
class ApiGatewayEventSubscription < BaseEventSubscription; end
|
|
95
|
+
class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
|
|
96
|
+
class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
|
|
97
|
+
class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
|
|
98
|
+
class AutoScalingGroupEventSubscription < BaseEventSubscription; end
|
|
99
|
+
class DynamoDBTableEventSubscription < BaseEventSubscription; end
|
|
100
|
+
class Ec2InstanceEventSubscription < BaseEventSubscription; end
|
|
101
|
+
class ECSClusterEventSubscription < BaseEventSubscription; end
|
|
102
|
+
class ECSServiceEventSubscription < BaseEventSubscription; end
|
|
103
|
+
class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
|
|
104
|
+
class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
|
|
105
|
+
class ElasticFileSystemEventSubscription < BaseEventSubscription; end
|
|
106
|
+
class LambdaEventSubscription < BaseEventSubscription; end
|
|
107
|
+
class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
|
|
108
|
+
class RedshiftClusterEventSubscription < BaseEventSubscription; end
|
|
109
|
+
class StepFunctionsSubscription < BaseEventSubscription; end
|
|
110
|
+
end
|
|
96
111
|
end
|
|
@@ -0,0 +1,136 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class AmazonMQRabbitMQBroker < Base
|
|
3
|
+
|
|
4
|
+
def default_alarms
|
|
5
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
|
|
6
|
+
alarm.name = 'ConnectionCountCritical'
|
|
7
|
+
alarm.metric_name = 'ConnectionCount'
|
|
8
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
9
|
+
alarm.statistic = 'Maximum'
|
|
10
|
+
alarm.threshold = 50
|
|
11
|
+
alarm.evaluation_periods = 5
|
|
12
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
13
|
+
@alarms.push(alarm)
|
|
14
|
+
|
|
15
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
|
|
16
|
+
alarm.name = 'ConnectionCountWarn'
|
|
17
|
+
alarm.metric_name = 'ConnectionCount'
|
|
18
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
19
|
+
alarm.statistic = 'Maximum'
|
|
20
|
+
alarm.threshold = 25
|
|
21
|
+
alarm.evaluation_periods = 5
|
|
22
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
23
|
+
alarm.alarm_action = 'Warning'
|
|
24
|
+
@alarms.push(alarm)
|
|
25
|
+
|
|
26
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
|
|
27
|
+
alarm.name = 'MessageCountCritical'
|
|
28
|
+
alarm.metric_name = 'MessageCount'
|
|
29
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
30
|
+
alarm.statistic = 'Maximum'
|
|
31
|
+
alarm.threshold = 500
|
|
32
|
+
alarm.evaluation_periods = 5
|
|
33
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
34
|
+
@alarms.push(alarm)
|
|
35
|
+
|
|
36
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQBrokerAlarm.new(@resource)
|
|
37
|
+
alarm.name = 'MessageCountWarn'
|
|
38
|
+
alarm.metric_name = 'MessageCount'
|
|
39
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
40
|
+
alarm.statistic = 'Maximum'
|
|
41
|
+
alarm.threshold = 250
|
|
42
|
+
alarm.evaluation_periods = 5
|
|
43
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
44
|
+
alarm.alarm_action = 'Warning'
|
|
45
|
+
@alarms.push(alarm)
|
|
46
|
+
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
class AmazonMQRabbitMQQueue < Base
|
|
51
|
+
|
|
52
|
+
def default_alarms
|
|
53
|
+
|
|
54
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQQueueAlarm.new(@resource)
|
|
55
|
+
alarm.name = 'MessageCountHighWarn'
|
|
56
|
+
alarm.metric_name = 'MessageCount'
|
|
57
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
58
|
+
alarm.statistic = 'Maximum'
|
|
59
|
+
alarm.threshold = 100
|
|
60
|
+
alarm.evaluation_periods = 5
|
|
61
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
62
|
+
alarm.alarm_action = 'Warning'
|
|
63
|
+
@alarms.push(alarm)
|
|
64
|
+
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
class AmazonMQRabbitMQNode < Base
|
|
69
|
+
|
|
70
|
+
def default_alarms
|
|
71
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
72
|
+
alarm.name = 'SystemCpuUtilizationCritical'
|
|
73
|
+
alarm.metric_name = 'SystemCpuUtilization'
|
|
74
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
75
|
+
alarm.statistic = 'Maximum'
|
|
76
|
+
alarm.threshold = 95
|
|
77
|
+
alarm.evaluation_periods = 10
|
|
78
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
79
|
+
@alarms.push(alarm)
|
|
80
|
+
|
|
81
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
82
|
+
alarm.name = 'SystemCpuUtilizationHighBase'
|
|
83
|
+
alarm.metric_name = 'SystemCpuUtilization'
|
|
84
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
85
|
+
alarm.statistic = 'Maximum'
|
|
86
|
+
alarm.threshold = 75
|
|
87
|
+
alarm.evaluation_periods = 30
|
|
88
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
89
|
+
alarm.alarm_action = 'Warning'
|
|
90
|
+
@alarms.push(alarm)
|
|
91
|
+
|
|
92
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
93
|
+
alarm.name = 'RabbitMQMemUsedCritical'
|
|
94
|
+
alarm.metric_name = 'RabbitMQMemUsed'
|
|
95
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
96
|
+
alarm.statistic = 'Maximum'
|
|
97
|
+
alarm.threshold = 390000000
|
|
98
|
+
alarm.evaluation_periods = 5
|
|
99
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
100
|
+
@alarms.push(alarm)
|
|
101
|
+
|
|
102
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
103
|
+
alarm.name = 'RabbitMQMemUsedWarn'
|
|
104
|
+
alarm.metric_name = 'RabbitMQMemUsed'
|
|
105
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
106
|
+
alarm.statistic = 'Maximum'
|
|
107
|
+
alarm.threshold = 350000000
|
|
108
|
+
alarm.evaluation_periods = 5
|
|
109
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
110
|
+
alarm.alarm_action = 'Warning'
|
|
111
|
+
@alarms.push(alarm)
|
|
112
|
+
|
|
113
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
114
|
+
alarm.name = 'RabbitMQDiskFreeLimitCritical'
|
|
115
|
+
alarm.metric_name = 'RabbitMQDiskFreeLimit'
|
|
116
|
+
alarm.comparison_operator = 'LessThanThreshold'
|
|
117
|
+
alarm.statistic = 'Maximum'
|
|
118
|
+
alarm.threshold = 1200000000
|
|
119
|
+
alarm.evaluation_periods = 5
|
|
120
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
121
|
+
@alarms.push(alarm)
|
|
122
|
+
|
|
123
|
+
alarm = CfnGuardian::Models::AmazonMQRabbitMQNodeAlarm.new(@resource)
|
|
124
|
+
alarm.name = 'RabbitMQDiskFreeLimitWarn'
|
|
125
|
+
alarm.metric_name = 'RabbitMQDiskFreeLimit'
|
|
126
|
+
alarm.comparison_operator = 'LessThanThreshold'
|
|
127
|
+
alarm.statistic = 'Maximum'
|
|
128
|
+
alarm.threshold = 1200000000
|
|
129
|
+
alarm.evaluation_periods = 5
|
|
130
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
131
|
+
alarm.alarm_action = 'Warning'
|
|
132
|
+
@alarms.push(alarm)
|
|
133
|
+
|
|
134
|
+
end
|
|
135
|
+
end
|
|
136
|
+
end
|
|
@@ -108,7 +108,7 @@ module CfnGuardian::Resource
|
|
|
108
108
|
@alarms.each do |alarm|
|
|
109
109
|
next if alarm.dimensions.nil?
|
|
110
110
|
alarm.dimensions.each do |k,v|
|
|
111
|
-
if v.match?(/^\${Resource::.*[A-Za-z]}$/)
|
|
111
|
+
if v.is_a?(String) && v.match?(/^\${Resource::.*[A-Za-z]}$/)
|
|
112
112
|
resource_key = v.tr('${}', '').split('Resource::').last
|
|
113
113
|
if @resource.has_key?(resource_key)
|
|
114
114
|
logger.debug "overriding alarm #{alarm.name} dimension key '#{k}' with value '#{@resource[resource_key]}'"
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class Batch < Base
|
|
3
|
+
def default_event_subscriptions()
|
|
4
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
|
5
|
+
event_subscription.name = 'FailedBatch'
|
|
6
|
+
event_subscription.detail_type = 'Batch Job State Change'
|
|
7
|
+
event_subscription.detail = {
|
|
8
|
+
'status': ['FAILED'],
|
|
9
|
+
'jobQueue': ["arn:aws:batch:${AWS::Region}:${AWS::AccountId}:job-queue/#{@resource['Id']}"]
|
|
10
|
+
}
|
|
11
|
+
@event_subscriptions.push(event_subscription)
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
end
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class Glue < Base
|
|
3
|
+
def default_event_subscriptions()
|
|
4
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
|
5
|
+
event_subscription.name = 'FailedGlueJob'
|
|
6
|
+
event_subscription.detail_type = 'Glue Job State Change'
|
|
7
|
+
event_subscription.detail = {
|
|
8
|
+
'state': ['FAILED'],
|
|
9
|
+
'jobName': [{'prefix': @resource['Id']}]
|
|
10
|
+
}
|
|
11
|
+
@event_subscriptions.push(event_subscription)
|
|
12
|
+
|
|
13
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
|
14
|
+
event_subscription.name = 'TimeoutGlueJob'
|
|
15
|
+
event_subscription.detail_type = 'Glue Job State Change'
|
|
16
|
+
event_subscription.detail = {
|
|
17
|
+
'state': ['TIMEOUT'],
|
|
18
|
+
'jobName': [{'prefix': @resource['Id']}]
|
|
19
|
+
}
|
|
20
|
+
@event_subscriptions.push(event_subscription)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
@@ -41,6 +41,15 @@ module CfnGuardian::Resource
|
|
|
41
41
|
alarm.threshold = 45
|
|
42
42
|
alarm.evaluation_periods = 10
|
|
43
43
|
@alarms.push(alarm)
|
|
44
|
+
|
|
45
|
+
alarm = CfnGuardian::Models::RDSInstanceAlarm.new(@resource)
|
|
46
|
+
alarm.name = 'ReplicaLag'
|
|
47
|
+
alarm.metric_name = 'ReplicaLag'
|
|
48
|
+
alarm.threshold = 30 # seconds
|
|
49
|
+
alarm.evaluation_periods = 5
|
|
50
|
+
alarm.alarm_action = 'Warning'
|
|
51
|
+
alarm.enabled = false
|
|
52
|
+
@alarms.push(alarm)
|
|
44
53
|
end
|
|
45
54
|
|
|
46
55
|
def default_event_subscriptions()
|
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
module CfnGuardian::Resource
|
|
2
2
|
class RedshiftCluster < Base
|
|
3
|
-
|
|
4
|
-
def default_alarms
|
|
3
|
+
|
|
4
|
+
def default_alarms
|
|
5
5
|
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
6
6
|
alarm.name = 'CPUUtilizationHighSpike'
|
|
7
7
|
alarm.metric_name = 'CPUUtilization'
|
|
8
8
|
alarm.threshold = 95
|
|
9
9
|
alarm.evaluation_periods = 10
|
|
10
10
|
@alarms.push(alarm)
|
|
11
|
-
|
|
11
|
+
|
|
12
12
|
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
13
13
|
alarm.name = 'CPUUtilizationHighBase'
|
|
14
14
|
alarm.metric_name = 'CPUUtilization'
|
|
@@ -16,15 +16,32 @@ module CfnGuardian::Resource
|
|
|
16
16
|
alarm.evaluation_periods = 60
|
|
17
17
|
alarm.alarm_action = 'Warning'
|
|
18
18
|
@alarms.push(alarm)
|
|
19
|
-
|
|
19
|
+
|
|
20
20
|
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
21
21
|
alarm.name = 'UnHealthyCluster'
|
|
22
22
|
alarm.metric_name = 'HealthStatus'
|
|
23
|
-
alarm.
|
|
23
|
+
alarm.comparison_operator = 'LessThanThreshold'
|
|
24
|
+
alarm.threshold = 1
|
|
24
25
|
alarm.evaluation_periods = 10
|
|
25
|
-
alarm
|
|
26
|
+
@alarms.push(alarm)
|
|
27
|
+
|
|
28
|
+
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
29
|
+
alarm.name = 'DiskSpaceUsedCrit'
|
|
30
|
+
alarm.metric_name = 'PercentageDiskSpaceUsed'
|
|
31
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
32
|
+
alarm.threshold = 90
|
|
33
|
+
alarm.evaluation_periods = 10
|
|
34
|
+
@alarms.push(alarm)
|
|
35
|
+
|
|
36
|
+
alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
|
|
37
|
+
alarm.name = 'DiskSpaceUsedWarm'
|
|
38
|
+
alarm.metric_name = 'PercentageDiskSpaceUsed'
|
|
39
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
40
|
+
alarm.threshold = 80
|
|
41
|
+
alarm.evaluation_periods = 10
|
|
42
|
+
alarm.alarm_action = 'Warning'
|
|
26
43
|
@alarms.push(alarm)
|
|
27
44
|
end
|
|
28
|
-
|
|
45
|
+
|
|
29
46
|
end
|
|
30
47
|
end
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class StepFunctions < Base
|
|
3
|
+
|
|
4
|
+
def default_alarms
|
|
5
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
|
6
|
+
alarm.name = 'ExecutionsFailed'
|
|
7
|
+
alarm.metric_name = 'ExecutionsFailed'
|
|
8
|
+
alarm.threshold = 1
|
|
9
|
+
alarm.evaluation_periods = 5
|
|
10
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
11
|
+
@alarms.push(alarm)
|
|
12
|
+
|
|
13
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
|
14
|
+
alarm.name = 'ExecutionsTimedOut'
|
|
15
|
+
alarm.metric_name = 'ExecutionsTimedOut'
|
|
16
|
+
alarm.threshold = 1
|
|
17
|
+
alarm.evaluation_periods = 5
|
|
18
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
19
|
+
@alarms.push(alarm)
|
|
20
|
+
|
|
21
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
|
22
|
+
alarm.name = 'ExecutionThrottled'
|
|
23
|
+
alarm.metric_name = 'ExecutionThrottled'
|
|
24
|
+
alarm.threshold = 1
|
|
25
|
+
alarm.evaluation_periods = 5
|
|
26
|
+
alarm.alarm_action = 'Warning'
|
|
27
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
28
|
+
@alarms.push(alarm)
|
|
29
|
+
|
|
30
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
|
31
|
+
alarm.name = 'ExecutionTime'
|
|
32
|
+
alarm.metric_name = 'ExecutionTime'
|
|
33
|
+
alarm.threshold = 60
|
|
34
|
+
alarm.evaluation_periods = 5
|
|
35
|
+
alarm.alarm_action = 'Warning'
|
|
36
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
37
|
+
@alarms.push(alarm)
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
end
|
|
41
|
+
end
|
|
@@ -132,7 +132,7 @@ module CfnGuardian
|
|
|
132
132
|
Events_Rule("#{subscription.group}#{subscription.name}#{subscription.hash}"[0..255]) do
|
|
133
133
|
State subscription.enabled ? 'ENABLED' : 'DISABLED'
|
|
134
134
|
Description "Guardian event subscription #{subscription.group} #{subscription.name} for resource #{subscription.resource_id}"
|
|
135
|
-
EventPattern event_pattern
|
|
135
|
+
EventPattern FnSub(event_pattern.to_json)
|
|
136
136
|
Targets [
|
|
137
137
|
{
|
|
138
138
|
Arn: Ref(subscription.topic),
|
data/lib/cfnguardian/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-guardian
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.6.
|
|
4
|
+
version: 0.6.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Guslington
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-04-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor
|
|
@@ -271,11 +271,13 @@ files:
|
|
|
271
271
|
- lib/cfnguardian/models/event_subscription.rb
|
|
272
272
|
- lib/cfnguardian/models/metric_filter.rb
|
|
273
273
|
- lib/cfnguardian/resources/amazonmq_broker.rb
|
|
274
|
+
- lib/cfnguardian/resources/amazonmq_rabbitmq.rb
|
|
274
275
|
- lib/cfnguardian/resources/apigateway.rb
|
|
275
276
|
- lib/cfnguardian/resources/application_targetgroup.rb
|
|
276
277
|
- lib/cfnguardian/resources/autoscaling_group.rb
|
|
277
278
|
- lib/cfnguardian/resources/azure_file.rb
|
|
278
279
|
- lib/cfnguardian/resources/base.rb
|
|
280
|
+
- lib/cfnguardian/resources/batch.rb
|
|
279
281
|
- lib/cfnguardian/resources/cloudfront_distribution.rb
|
|
280
282
|
- lib/cfnguardian/resources/domain_expiry.rb
|
|
281
283
|
- lib/cfnguardian/resources/dynamodb_table.rb
|
|
@@ -285,6 +287,7 @@ files:
|
|
|
285
287
|
- lib/cfnguardian/resources/elastic_file_system.rb
|
|
286
288
|
- lib/cfnguardian/resources/elastic_loadbalancer.rb
|
|
287
289
|
- lib/cfnguardian/resources/elasticache_replication_group.rb
|
|
290
|
+
- lib/cfnguardian/resources/glue.rb
|
|
288
291
|
- lib/cfnguardian/resources/http.rb
|
|
289
292
|
- lib/cfnguardian/resources/internal_http.rb
|
|
290
293
|
- lib/cfnguardian/resources/internal_port.rb
|
|
@@ -301,6 +304,7 @@ files:
|
|
|
301
304
|
- lib/cfnguardian/resources/sftp.rb
|
|
302
305
|
- lib/cfnguardian/resources/sql.rb
|
|
303
306
|
- lib/cfnguardian/resources/sqs_queue.rb
|
|
307
|
+
- lib/cfnguardian/resources/step_functions.rb
|
|
304
308
|
- lib/cfnguardian/resources/tls.rb
|
|
305
309
|
- lib/cfnguardian/s3.rb
|
|
306
310
|
- lib/cfnguardian/stacks/main.rb
|
|
@@ -330,7 +334,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
330
334
|
- !ruby/object:Gem::Version
|
|
331
335
|
version: '0'
|
|
332
336
|
requirements: []
|
|
333
|
-
rubygems_version: 3.1.
|
|
337
|
+
rubygems_version: 3.1.6
|
|
334
338
|
signing_key:
|
|
335
339
|
specification_version: 4
|
|
336
340
|
summary: Manages AWS cloudwatch alarms with default templates using cloudformation
|