cfn-guardian 0.6.3 → 0.6.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7998606f2ce8404ce0b55dddb9e5d1f4936cd5529364e0b909b1ea3133163ac8
-  data.tar.gz: 82f582858ae75993fc77966e2ae42d9142a1b16a428f74f67f5c1afb2b74854e
+  metadata.gz: fbdee8de2045f846a77f73303f61d13fbf8f9110d54d053ff78ad157f0ba96b7
+  data.tar.gz: 1aa05cff0d3bfa15d296adc0d508161ca80360f0cb1bcee454c9668ca65bd8b5
 SHA512:
-  metadata.gz: f3bda3d2c3c6665749843206c10f3260a5862d87b9f8e066c17eb2b52b996a2911dd619435a16f52336c6aa534a2a0cc39caa03859f1f5f32f6b31182736b44c
-  data.tar.gz: '0665209c6f4e74710383cf37be0a63446e38ed1b89fe6072b8efd030b0b4a010e31f7b54bfed456ea0bd866929b8d769b77506de2e4b5199357bd91fc8ae6213'
+  metadata.gz: db29791aaf3771a0013d77dfef99683be75cf3093ccc121531e92adf37316d0d4a2e22ddb65652297a86674f07784383a01510f23d3c79534a431a97eccc5906
+  data.tar.gz: 4d568808e86bf1e4e3effb6ee3b4e6270093ac3a8ea4ac809bac3126e343271989e0932afdb811eebfaa7d2b8381c7a89084f5b3c7937b81701bc96ab1e40424

data/Dockerfile

@@ -1,6 +1,6 @@
 FROM ruby:2.7-alpine
 
-ARG GUARDIAN_VERSION="0.2.2"
+ARG GUARDIAN_VERSION="0.6.7"
 
 COPY . /src
 
@@ -16,4 +16,4 @@ RUN addgroup -g 1000 guardian && \
 
 USER guardian
 
-RUN cfndsl -u 11.5.0
+RUN cfndsl -u 11.5.0

data/docs/custom_checks/ecs_container_instance_check.md

@@ -0,0 +1,18 @@
+# ECS Container Instance Check
+
+Source: https://github.com/base2Services/aws-lambda-ecs-container-instance-check
+
+Checks the agent status of a ECS container instance for a ECS cluster. 
+This check and alarms are created by default when a ECS cluster resource is specified in the config.
+
+```yaml
+Resources:
+  ECSCluster:
+  - Id: my-cluster
+
+Templates:
+  ECSCluster:
+    # override the alarm defaults
+    ECSContianerInstancesDisconnected:
+      ...
+```

data/docs/overview.md

@@ -14,6 +14,7 @@
     7. [SQL](custom_checks/sql.md)
     8. [TLS](custom_checks/tls.md)
     9. [Azure File Check](custom_checks/azure_file_check.md)
+    10. [ECS Container Instance Check](custom_checks/ecs_container_instance_check.md)
 5. [Event Subscriptions](event_subscriptions.md)
 6. [Notifiers](notifiers.md)
 7. [Maintenance Mode](maintenance_mode.md)

data/lib/cfnguardian.rb

@@ -299,14 +299,18 @@ module CfnGuardian
     LONG
     method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
     method_option :repository, type: :string, default: 'guardian', desc: "codecommit repository name"
+    method_option :branch, type: :string, default: 'master', desc: "codecommit branch"
+    method_option :count, type: :numeric, default: 10, desc: "number of last commits to retrieve"
     
     def show_config_history
       set_region(options[:region],true)
     
-      history = CfnGuardian::CodeCommit.new(options[:repository]).get_commit_history()
-      puts Terminal::Table.new(
-        :headings => history.first.keys.map{|h| h.to_s.to_heading}, 
-        :rows => history.map(&:values))
+      history = CfnGuardian::CodeCommit.new(options[:repository]).get_commit_history(options[:branch], options[:count])
+      if history.any?
+        puts Terminal::Table.new(
+          :headings => history.first.keys.map{|h| h.to_s.to_heading}, 
+          :rows => history.map(&:values))
+      end
     end
     
     desc "show-pipeline", "Shows the current state of the AWS code pipeline"

data/lib/cfnguardian/codecommit.rb

@@ -19,9 +19,18 @@ module CfnGuardian
       return resp.branch.commit_id
     end
     
-    def get_commit_history(branch='master',count=10)
+    def get_commit_history(branch,count)
       history = []
-      commit = get_last_commit(branch)
+
+      begin
+        commit = get_last_commit(branch)
+      rescue Aws::CodeCommit::Errors::BranchDoesNotExistException => e
+        logger.error "Branch #{branch} does not exist in the #{@repo_name} repository"
+        return []
+      rescue Aws::CodeCommit::Errors::RepositoryDoesNotExistException => e
+        logger.error "Respository #{@repo_name} does not exist in this AWS account or region"
+        return []
+      end
       
       count.times do
         

data/lib/cfnguardian/compile.rb

@@ -37,6 +37,10 @@ require 'cfnguardian/resources/internal_sftp'
 require 'cfnguardian/resources/tls'
 require 'cfnguardian/resources/azure_file'
 require 'cfnguardian/resources/amazonmq_rabbitmq'
+require 'cfnguardian/resources/batch'
+require 'cfnguardian/resources/glue'
+require 'cfnguardian/resources/step_functions'
+require 'cfnguardian/resources/vpn_tunnel'
 require 'cfnguardian/version'
 require 'cfnguardian/error'
 

data/lib/cfnguardian/config/defaults.yaml

@@ -100,4 +100,6 @@ Resources:
         Query: Default
   SQSQueue:
   - Id: Default
+  VPNTunnel:
+  - Id: Default
   

data/lib/cfnguardian/models/alarm.rb

@@ -343,7 +343,31 @@ module CfnGuardian
         @dimensions = { DBInstanceIdentifier: resource['Id'] }
       end
     end
-    
+
+    class StepFunctionsAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'StepFunctions'
+        @namespace = 'AWS/States'
+        @dimensions = { StateMachineArn: { "Fn::Sub" => "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:#{resource['Id']}"} }
+      end
+    end
+
+    class BatchAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'Batch'
+      end
+    end
+
+    class GlueAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'Batch'
+        @namespace = 'Glue'
+      end
+    end
+
     class SqlAlarm < BaseAlarm
       def initialize(resource)
         super(resource)
@@ -421,6 +445,17 @@ module CfnGuardian
         @dimensions = { StorageAccount: resource['Id'], StorageContainer: resource['Container'] }
       end
     end
+
+    class VPNTunnelAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'VPNTunnel'
+        @namespace = 'AWS/VPN'
+        @dimensions = {
+          TunnelIpAddress: resource['Id']
+        }
+      end
+    end
     
   end
 end

data/lib/cfnguardian/models/event_subscription.rb

@@ -1,96 +1,112 @@
 module CfnGuardian
-    module Models
-        class BaseEventSubscription
-            
-            attr_reader :type, :group
-            attr_writer :detail
-            attr_accessor :name,
-                :enabled,
-                :hash,
-                :topic,
-                :resource_id,
-                :resource_arn,
-                :source,
-                :detail_type,
-                :detail
+  module Models
+    class BaseEventSubscription
+        
+      attr_reader :type, :group
+      attr_writer :detail
+      attr_accessor :name,
+        :enabled,
+        :hash,
+        :topic,
+        :resource_id,
+        :resource_arn,
+        :source,
+        :detail_type,
+        :detail
 
-            def initialize(resource)
-                @type = 'EventSubscription'
-                @group = self.class.name.split('::').last
-                @name = ''
-                @hash = Digest::MD5.hexdigest resource['Id']
-                @enabled = true
-                @events = []
-                @topic = 'Events'
-                @resource_id = resource['Id']
-                @resource_arn = ''
-                @source = ''
-                @detail_type = ''
-                @detail = {}
-            end
+      def initialize(resource)
+        @type = 'EventSubscription'
+        @group = self.class.name.split('::').last
+        @name = ''
+        @hash = Digest::MD5.hexdigest resource['Id']
+        @enabled = true
+        @events = []
+        @topic = 'Events'
+        @resource_id = resource['Id']
+        @resource_arn = ''
+        @source = ''
+        @detail_type = ''
+        @detail = {}
+      end
 
-            def detail
-                return @detail
-            end
-        end
+      def detail
+        return @detail
+      end
+    end
+
+    class RDSEventSubscription < BaseEventSubscription
+      attr_accessor :source_id, :rds_event_category, :message
 
-        class RDSEventSubscription < BaseEventSubscription
-            attr_accessor :source_id, :rds_event_category, :message
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.rds'
+        @detail_type = 'RDS DB Instance Event'
+        @source_id = ''
+        @rds_event_category = ''
+        @message = ''
+      end
 
-            def initialize(resource)
-                super(resource)
-                @source = 'aws.rds'
-                @detail_type = 'RDS DB Instance Event'
-                @source_id = ''
-                @rds_event_category = ''
-                @message = ''
-            end
+      def detail
+        return {
+          EventCategories: [@rds_event_category],
+          SourceType: [@source_type],
+          SourceIdentifier: ["rds:#{@resource_id}"],
+          Message: [@message]
+        }
+      end
+    end
 
-            def detail
-                return {
-                    EventCategories: [@rds_event_category],
-                    SourceType: [@source_type],
-                    SourceIdentifier: ["rds:#{@resource_id}"],
-                    Message: [@message]
-                }
-            end
-        end
+    class RDSInstanceEventSubscription < RDSEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source_type = 'DB_INSTANCE'
+      end
+    end
 
-        class RDSInstanceEventSubscription < RDSEventSubscription
-            def initialize(resource)
-                super(resource)
-                @source_type = 'DB_INSTANCE'
-            end
-        end
+    class RDSClusterEventSubscription < RDSEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source_type = 'DB_CLUSTER'
+      end
+    end
 
-        class RDSClusterEventSubscription < RDSEventSubscription
-            def initialize(resource)
-                super(resource)
-                @source_type = 'DB_CLUSTER'
-            end
-        end
+    class Ec2InstanceEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.ec2'
+      end
+    end
 
-        class Ec2InstanceEventSubscription < BaseEventSubscription
-            def initialize(resource)
-                super(resource)
-                @source = 'aws.ec2'
-            end
-        end
+    class BatchEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.batch'
+      end
+    end
 
-        class ApiGatewayEventSubscription < BaseEventSubscription; end
-        class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
-        class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
-        class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
-        class AutoScalingGroupEventSubscription < BaseEventSubscription; end
-        class DynamoDBTableEventSubscription < BaseEventSubscription; end
-        class Ec2InstanceEventSubscription < BaseEventSubscription; end
-        class ECSClusterEventSubscription < BaseEventSubscription; end
-        class ECSServiceEventSubscription < BaseEventSubscription; end
-        class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
-        class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
-        class ElasticFileSystemEventSubscription < BaseEventSubscription; end
-        class LambdaEventSubscription < BaseEventSubscription; end
-        class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
-        class RedshiftClusterEventSubscription < BaseEventSubscription; end
+    class GlueEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.glue'
+      end
     end
+
+    class ApiGatewayEventSubscription < BaseEventSubscription; end
+    class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
+    class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
+    class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
+    class AutoScalingGroupEventSubscription < BaseEventSubscription; end
+    class DynamoDBTableEventSubscription < BaseEventSubscription; end
+    class Ec2InstanceEventSubscription < BaseEventSubscription; end
+    class ECSClusterEventSubscription < BaseEventSubscription; end
+    class ECSServiceEventSubscription < BaseEventSubscription; end
+    class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
+    class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
+    class ElasticFileSystemEventSubscription < BaseEventSubscription; end
+    class LambdaEventSubscription < BaseEventSubscription; end
+    class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
+    class RedshiftClusterEventSubscription < BaseEventSubscription; end
+    class StepFunctionsSubscription < BaseEventSubscription; end
+    class VPNTunnelEventSubscription < BaseEventSubscription; end
+  end
 end

data/lib/cfnguardian/resources/base.rb

@@ -108,7 +108,7 @@ module CfnGuardian::Resource
       @alarms.each do |alarm|
         next if alarm.dimensions.nil?
         alarm.dimensions.each do |k,v|
-          if v.match?(/^\${Resource::.*[A-Za-z]}$/)
+          if v.is_a?(String) && v.match?(/^\${Resource::.*[A-Za-z]}$/)
             resource_key = v.tr('${}', '').split('Resource::').last
             if @resource.has_key?(resource_key)
               logger.debug "overriding alarm #{alarm.name} dimension key '#{k}' with value '#{@resource[resource_key]}'" 

data/lib/cfnguardian/resources/batch.rb

@@ -0,0 +1,14 @@
+module CfnGuardian::Resource
+  class Batch < Base
+    def default_event_subscriptions()
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'FailedBatch'
+      event_subscription.detail_type = 'Batch Job State Change'
+      event_subscription.detail = {
+        'status': ['FAILED'],
+        'jobQueue': ["arn:aws:batch:${AWS::Region}:${AWS::AccountId}:job-queue/#{@resource['Id']}"]
+      }
+      @event_subscriptions.push(event_subscription)
+    end
+  end
+end

data/lib/cfnguardian/resources/glue.rb

@@ -0,0 +1,23 @@
+module CfnGuardian::Resource
+  class Glue < Base
+    def default_event_subscriptions()
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'FailedGlueJob'
+      event_subscription.detail_type = 'Glue Job State Change'
+      event_subscription.detail = {
+        'state': ['FAILED'],
+        'jobName': [{'prefix': @resource['Id']}]
+      }
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'TimeoutGlueJob'
+      event_subscription.detail_type = 'Glue Job State Change'
+      event_subscription.detail = {
+        'state': ['TIMEOUT'],
+        'jobName': [{'prefix': @resource['Id']}]
+      }
+      @event_subscriptions.push(event_subscription)
+    end
+  end
+end

data/lib/cfnguardian/resources/rds_instance.rb

@@ -41,6 +41,15 @@ module CfnGuardian::Resource
       alarm.threshold = 45
       alarm.evaluation_periods = 10
       @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::RDSInstanceAlarm.new(@resource)
+      alarm.name = 'ReplicaLag'
+      alarm.metric_name = 'ReplicaLag'
+      alarm.threshold = 30 # seconds
+      alarm.evaluation_periods = 5
+      alarm.alarm_action = 'Warning'
+      alarm.enabled = false
+      @alarms.push(alarm)
     end
     
     def default_event_subscriptions()

data/lib/cfnguardian/resources/redshift_cluster.rb

@@ -1,14 +1,14 @@
 module CfnGuardian::Resource
   class RedshiftCluster < Base
-      
-    def default_alarms    
+
+    def default_alarms
       alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
       alarm.name = 'CPUUtilizationHighSpike'
       alarm.metric_name = 'CPUUtilization'
       alarm.threshold = 95
       alarm.evaluation_periods = 10
       @alarms.push(alarm)
-      
+
       alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
       alarm.name = 'CPUUtilizationHighBase'
       alarm.metric_name = 'CPUUtilization'
@@ -16,7 +16,7 @@ module CfnGuardian::Resource
       alarm.evaluation_periods = 60
       alarm.alarm_action = 'Warning'
       @alarms.push(alarm)
-      
+
       alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
       alarm.name = 'UnHealthyCluster'
       alarm.metric_name = 'HealthStatus'
@@ -24,7 +24,24 @@ module CfnGuardian::Resource
       alarm.threshold = 1
       alarm.evaluation_periods = 10
       @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
+      alarm.name = 'DiskSpaceUsedCrit'
+      alarm.metric_name = 'PercentageDiskSpaceUsed'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.threshold = 90
+      alarm.evaluation_periods = 10
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::RedshiftClusterAlarm.new(@resource)
+      alarm.name = 'DiskSpaceUsedWarm'
+      alarm.metric_name = 'PercentageDiskSpaceUsed'
+      alarm.comparison_operator = 'GreaterThanThreshold'
+      alarm.threshold = 80
+      alarm.evaluation_periods = 10
+      alarm.alarm_action = 'Warning'
+      @alarms.push(alarm)
     end
-    
+
   end
 end

data/lib/cfnguardian/resources/step_functions.rb

@@ -0,0 +1,41 @@
+module CfnGuardian::Resource
+  class StepFunctions < Base
+      
+    def default_alarms    
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionsFailed'
+      alarm.metric_name = 'ExecutionsFailed'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionsTimedOut'
+      alarm.metric_name = 'ExecutionsTimedOut'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionThrottled'
+      alarm.metric_name = 'ExecutionThrottled'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.alarm_action = 'Warning'
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionTime'
+      alarm.metric_name = 'ExecutionTime'
+      alarm.threshold = 60
+      alarm.evaluation_periods = 5
+      alarm.alarm_action = 'Warning'
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+    end
+      
+  end
+end

data/lib/cfnguardian/resources/vpn_tunnel.rb

@@ -0,0 +1,18 @@
+module CfnGuardian::Resource
+    class VPNTunnel < Base
+      
+      def default_alarms    
+        alarm = CfnGuardian::Models::VPNTunnelAlarm.new(@resource)
+        alarm.name = 'VPNTunnelState'
+        alarm.metric_name = 'TunnelState'
+        alarm.comparison_operator = 'LessThanThreshold'
+        alarm.statistic = 'Minimum'
+        alarm.threshold = 1
+        alarm.evaluation_periods = 5
+        alarm.treat_missing_data = 'breaching'
+        alarm.datapoints_to_alarm = 5
+        @alarms.push(alarm)
+      end
+      
+    end
+end

data/lib/cfnguardian/stacks/resources.rb

@@ -132,7 +132,7 @@ module CfnGuardian
           Events_Rule("#{subscription.group}#{subscription.name}#{subscription.hash}"[0..255]) do
             State subscription.enabled ? 'ENABLED' : 'DISABLED'
             Description "Guardian event subscription #{subscription.group} #{subscription.name} for resource #{subscription.resource_id}"
-            EventPattern event_pattern
+            EventPattern FnSub(event_pattern.to_json)
             Targets [
               {
                 Arn: Ref(subscription.topic),

data/lib/cfnguardian/version.rb

@@ -1,4 +1,4 @@
 module CfnGuardian
-  VERSION = "0.6.3"
+  VERSION = "0.6.8"
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-guardian
 version: !ruby/object:Gem::Version
-  version: 0.6.3
+  version: 0.6.8
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-02-05 00:00:00.000000000 Z
+date: 2021-05-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -238,6 +238,7 @@ files:
 - docs/composite_alarms.md
 - docs/custom_checks/azure_file_check.md
 - docs/custom_checks/domain_expiry.md
+- docs/custom_checks/ecs_container_instance_check.md
 - docs/custom_checks/http.md
 - docs/custom_checks/log_group_metric_filters.md
 - docs/custom_checks/nrpe.md
@@ -277,6 +278,7 @@ files:
 - lib/cfnguardian/resources/autoscaling_group.rb
 - lib/cfnguardian/resources/azure_file.rb
 - lib/cfnguardian/resources/base.rb
+- lib/cfnguardian/resources/batch.rb
 - lib/cfnguardian/resources/cloudfront_distribution.rb
 - lib/cfnguardian/resources/domain_expiry.rb
 - lib/cfnguardian/resources/dynamodb_table.rb
@@ -286,6 +288,7 @@ files:
 - lib/cfnguardian/resources/elastic_file_system.rb
 - lib/cfnguardian/resources/elastic_loadbalancer.rb
 - lib/cfnguardian/resources/elasticache_replication_group.rb
+- lib/cfnguardian/resources/glue.rb
 - lib/cfnguardian/resources/http.rb
 - lib/cfnguardian/resources/internal_http.rb
 - lib/cfnguardian/resources/internal_port.rb
@@ -302,7 +305,9 @@ files:
 - lib/cfnguardian/resources/sftp.rb
 - lib/cfnguardian/resources/sql.rb
 - lib/cfnguardian/resources/sqs_queue.rb
+- lib/cfnguardian/resources/step_functions.rb
 - lib/cfnguardian/resources/tls.rb
+- lib/cfnguardian/resources/vpn_tunnel.rb
 - lib/cfnguardian/s3.rb
 - lib/cfnguardian/stacks/main.rb
 - lib/cfnguardian/stacks/resources.rb
@@ -331,7 +336,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Manages AWS cloudwatch alarms with default templates using cloudformation