cfn-guardian 0.7.8 → 0.7.12
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +1 -0
- data/docs/event_subscriptions.md +17 -5
- data/docs/resources.md +1 -0
- data/lib/cfnguardian/compile.rb +1 -0
- data/lib/cfnguardian/config/defaults.yaml +2 -0
- data/lib/cfnguardian/models/alarm.rb +10 -0
- data/lib/cfnguardian/resources/amazonmq_broker.rb +6 -2
- data/lib/cfnguardian/resources/documentdb_cluster.rb +40 -0
- data/lib/cfnguardian/resources/ec2_instance.rb +3 -2
- data/lib/cfnguardian/resources/http.rb +2 -0
- data/lib/cfnguardian/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 417f7145c2f3ed6aad68367aed3a0390079df27be61d8cf8ac32909d349b3483
|
|
4
|
+
data.tar.gz: c5626e55e419a321a3be745dabb9cedb268a6552bedbf45834ebe448c42ecaf4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 19940d4b1a253b4fd2a87994a6232ecc0e93108fb565fe1d6ad20b9f813ad7a8a05ce2c67a3307bddcbb28142f48907f246a8da1328facf8be5567c0e4a7856b
|
|
7
|
+
data.tar.gz: 99c1c4aae4a204495e47010a81e091a3ebf20a33df5746a69ba964bb23af90cfdaba322d1f948a3978893b86e419269e1f9a6da793816d1fb05b48324361b3df
|
data/README.md
CHANGED
data/docs/event_subscriptions.md
CHANGED
|
@@ -10,14 +10,14 @@ As with the default alarms in Guardian, there are default events for some resour
|
|
|
10
10
|
|
|
11
11
|
## Overriding Defaults
|
|
12
12
|
|
|
13
|
-
Default
|
|
13
|
+
Default properties of the events can be overridden through the config YAML using the `EventsSubscriptions` top level key.
|
|
14
14
|
For example here we are changing the topic the event is being send to.
|
|
15
15
|
|
|
16
16
|
```yaml
|
|
17
17
|
Topics:
|
|
18
18
|
CustomEvents: arn:aws:sns....
|
|
19
19
|
|
|
20
|
-
|
|
20
|
+
EventSubscriptions:
|
|
21
21
|
Ec2Instance:
|
|
22
22
|
InstanceTerminated:
|
|
23
23
|
Topic: CustomEvents
|
|
@@ -28,12 +28,24 @@ EventSubscription:
|
|
|
28
28
|
Default events can be disabled, the same way default alarms can be disabled through the config YAML.
|
|
29
29
|
|
|
30
30
|
```yaml
|
|
31
|
-
|
|
31
|
+
EventSubscriptions:
|
|
32
32
|
Ec2Instance:
|
|
33
33
|
# set the instance terminated event to false to disable the event
|
|
34
34
|
InstanceTerminated: false
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
+
## Enabling Default Events
|
|
38
|
+
|
|
39
|
+
Some templates may have events that are disabled by default, they can be enabled using a slightly different syntax to disabling.
|
|
40
|
+
|
|
41
|
+
```yaml
|
|
42
|
+
EventSubscriptions:
|
|
43
|
+
RDSInstance:
|
|
44
|
+
# set the replication failure event to true to enable the event
|
|
45
|
+
ReplicationFailure:
|
|
46
|
+
Enabled: true
|
|
47
|
+
```
|
|
48
|
+
|
|
37
49
|
## Creating Custom Events
|
|
38
50
|
|
|
39
51
|
Custom events can be created if there are not defaults for that event. They can be inherited from a default event or from the base event model.
|
|
@@ -44,7 +56,7 @@ This is useful if you want to create a new event and a default event already has
|
|
|
44
56
|
The following example inherits the `MasterPasswordReset` RDS event and creates a new event that captures the security group add to an rds instance event.
|
|
45
57
|
|
|
46
58
|
```yaml
|
|
47
|
-
|
|
59
|
+
EventSubscriptions:
|
|
48
60
|
RDSInstance:
|
|
49
61
|
# Create a new event name
|
|
50
62
|
DBNewSecurityGroup:
|
|
@@ -59,7 +71,7 @@ EventSubscription:
|
|
|
59
71
|
If there are no default events that match the format you require you can create an event of the base event subscription model.
|
|
60
72
|
|
|
61
73
|
```yaml
|
|
62
|
-
|
|
74
|
+
EventSubscriptions:
|
|
63
75
|
ECSCluster:
|
|
64
76
|
ContainerInstanceStateChange:
|
|
65
77
|
Source: aws.ecs
|
data/docs/resources.md
CHANGED
data/lib/cfnguardian/compile.rb
CHANGED
|
@@ -12,6 +12,7 @@ require 'cfnguardian/resources/autoscaling_group'
|
|
|
12
12
|
require 'cfnguardian/resources/cloudfront_distribution'
|
|
13
13
|
require 'cfnguardian/resources/autoscaling_group'
|
|
14
14
|
require 'cfnguardian/resources/domain_expiry'
|
|
15
|
+
require 'cfnguardian/resources/documentdb_cluster'
|
|
15
16
|
require 'cfnguardian/resources/dynamodb_table'
|
|
16
17
|
require 'cfnguardian/resources/ec2_instance'
|
|
17
18
|
require 'cfnguardian/resources/ecs_cluster'
|
|
@@ -141,6 +141,7 @@ module CfnGuardian
|
|
|
141
141
|
}
|
|
142
142
|
@statistic = 'Average'
|
|
143
143
|
@evaluation_periods = 5
|
|
144
|
+
@treat_missing_data = 'notBreaching'
|
|
144
145
|
end
|
|
145
146
|
end
|
|
146
147
|
|
|
@@ -152,6 +153,15 @@ module CfnGuardian
|
|
|
152
153
|
@dimensions = { AutoScalingGroupName: resource['Id'] }
|
|
153
154
|
end
|
|
154
155
|
end
|
|
156
|
+
|
|
157
|
+
class DocumentDBClusterAlarm < BaseAlarm
|
|
158
|
+
def initialize(resource)
|
|
159
|
+
super(resource)
|
|
160
|
+
@group = 'DocumentDBCluster'
|
|
161
|
+
@namespace = 'AWS/DocDB'
|
|
162
|
+
@dimensions = { DBClusterIdentifier: resource['Id'] }
|
|
163
|
+
end
|
|
164
|
+
end
|
|
155
165
|
|
|
156
166
|
class DomainExpiryAlarm < BaseAlarm
|
|
157
167
|
def initialize(resource)
|
|
@@ -8,7 +8,9 @@ module CfnGuardian::Resource
|
|
|
8
8
|
alarm.comparison_operator = 'LessThanThreshold'
|
|
9
9
|
alarm.statistic = 'Minimum'
|
|
10
10
|
alarm.threshold = 15
|
|
11
|
-
alarm.
|
|
11
|
+
alarm.period = 300
|
|
12
|
+
alarm.datapoints_to_alarm = 2
|
|
13
|
+
alarm.evaluation_periods = 2
|
|
12
14
|
alarm.treat_missing_data = 'notBreaching'
|
|
13
15
|
@alarms.push(alarm)
|
|
14
16
|
|
|
@@ -18,7 +20,9 @@ module CfnGuardian::Resource
|
|
|
18
20
|
alarm.comparison_operator = 'LessThanThreshold'
|
|
19
21
|
alarm.statistic = 'Minimum'
|
|
20
22
|
alarm.threshold = 30
|
|
21
|
-
alarm.
|
|
23
|
+
alarm.period = 300
|
|
24
|
+
alarm.datapoints_to_alarm = 2
|
|
25
|
+
alarm.evaluation_periods = 2
|
|
22
26
|
alarm.treat_missing_data = 'notBreaching'
|
|
23
27
|
alarm.alarm_action = 'Warning'
|
|
24
28
|
@alarms.push(alarm)
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module CfnGuardian::Resource
|
|
2
|
+
class DocumentDBCluster < Base
|
|
3
|
+
|
|
4
|
+
def default_alarms
|
|
5
|
+
alarm = CfnGuardian::Models::DocumentDBClusterAlarm.new(@resource)
|
|
6
|
+
alarm.name = 'CPUUtilizationHighBase'
|
|
7
|
+
alarm.metric_name = 'CPUUtilization'
|
|
8
|
+
alarm.threshold = 75
|
|
9
|
+
alarm.evaluation_periods = 60
|
|
10
|
+
alarm.alarm_action = 'Warning'
|
|
11
|
+
@alarms.push(alarm)
|
|
12
|
+
|
|
13
|
+
alarm = CfnGuardian::Models::DocumentDBClusterAlarm.new(@resource)
|
|
14
|
+
alarm.name = 'CPUUtilizationHighSpike'
|
|
15
|
+
alarm.metric_name = 'CPUUtilization'
|
|
16
|
+
alarm.threshold = 95
|
|
17
|
+
alarm.evaluation_periods = 10
|
|
18
|
+
@alarms.push(alarm)
|
|
19
|
+
|
|
20
|
+
alarm = CfnGuardian::Models::DocumentDBClusterAlarm.new(@resource)
|
|
21
|
+
alarm.name = 'DatabaseConnections'
|
|
22
|
+
alarm.metric_name = 'DatabaseConnections'
|
|
23
|
+
alarm.statistic = 'Minimum'
|
|
24
|
+
alarm.threshold = 50
|
|
25
|
+
alarm.evaluation_periods = 10
|
|
26
|
+
@alarms.push(alarm)
|
|
27
|
+
|
|
28
|
+
alarm = CfnGuardian::Models::DocumentDBClusterAlarm.new(@resource)
|
|
29
|
+
alarm.name = 'FreeableMemory'
|
|
30
|
+
alarm.metric_name = 'FreeableMemory'
|
|
31
|
+
alarm.threshold = 1000000000
|
|
32
|
+
alarm.evaluation_periods = 3
|
|
33
|
+
alarm.comparison_operator = 'LessThanThreshold'
|
|
34
|
+
@alarms.push(alarm)
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
|
|
@@ -14,8 +14,9 @@ module CfnGuardian
|
|
|
14
14
|
alarm = CfnGuardian::Models::Ec2InstanceAlarm.new(@resource)
|
|
15
15
|
alarm.name = 'StatusCheckFailed'
|
|
16
16
|
alarm.metric_name = 'StatusCheckFailed'
|
|
17
|
-
alarm.threshold =
|
|
18
|
-
alarm.evaluation_periods =
|
|
17
|
+
alarm.threshold = 0
|
|
18
|
+
alarm.evaluation_periods = 1
|
|
19
|
+
alarm.comparison_operator = 'GreaterThanThreshold'
|
|
19
20
|
@alarms.push(alarm)
|
|
20
21
|
|
|
21
22
|
alarm = CfnGuardian::Models::Ec2InstanceAlarm.new(@resource)
|
|
@@ -36,6 +36,7 @@ module CfnGuardian::Resource
|
|
|
36
36
|
alarm.name = 'ExpiresInDaysCritical'
|
|
37
37
|
alarm.metric_name = 'ExpiresInDays'
|
|
38
38
|
alarm.threshold = 5
|
|
39
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
39
40
|
@alarms.push(alarm)
|
|
40
41
|
|
|
41
42
|
alarm = CfnGuardian::Models::SslAlarm.new(@resource)
|
|
@@ -43,6 +44,7 @@ module CfnGuardian::Resource
|
|
|
43
44
|
alarm.metric_name = 'ExpiresInDays'
|
|
44
45
|
alarm.alarm_action = 'Task'
|
|
45
46
|
alarm.threshold = 30
|
|
47
|
+
alarm.treat_missing_data = 'notBreaching'
|
|
46
48
|
@alarms.push(alarm)
|
|
47
49
|
end
|
|
48
50
|
end
|
data/lib/cfnguardian/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-guardian
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.7.
|
|
4
|
+
version: 0.7.12
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Guslington
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-02-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor
|
|
@@ -280,6 +280,7 @@ files:
|
|
|
280
280
|
- lib/cfnguardian/resources/base.rb
|
|
281
281
|
- lib/cfnguardian/resources/batch.rb
|
|
282
282
|
- lib/cfnguardian/resources/cloudfront_distribution.rb
|
|
283
|
+
- lib/cfnguardian/resources/documentdb_cluster.rb
|
|
283
284
|
- lib/cfnguardian/resources/domain_expiry.rb
|
|
284
285
|
- lib/cfnguardian/resources/dynamodb_table.rb
|
|
285
286
|
- lib/cfnguardian/resources/ec2_instance.rb
|