cfn-guardian 0.6.4 → 0.6.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/cfnguardian/compile.rb +3 -0
- data/lib/cfnguardian/models/alarm.rb +25 -1
- data/lib/cfnguardian/models/event_subscription.rb +99 -84
- data/lib/cfnguardian/resources/base.rb +1 -1
- data/lib/cfnguardian/resources/batch.rb +14 -0
- data/lib/cfnguardian/resources/glue.rb +23 -0
- data/lib/cfnguardian/resources/step_functions.rb +41 -0
- data/lib/cfnguardian/stacks/resources.rb +1 -1
- data/lib/cfnguardian/version.rb +1 -1
- metadata +5 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e13aeec66b2fd0beaaefac66257555ab629c777b3377e41829c16106a5fbde8a
|
4
|
+
data.tar.gz: 3e2a2f21d9bbc278f055a08256a4653e13649705f608f3f083d1e637bb4198d4
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6d617f561808d69040b13835627e07b0a5993750dfed7b0d97086b567542647f0189934994e29d651a06106879ada46f185fa0cc7eafd17dc8486fbf121aa0cb
|
7
|
+
data.tar.gz: 01b5c57874c7df8bff6ea5b3853e43cbec02c140c8043c89fa110b73130a5a124da4f521cd1fbb0c1a4136c6aa0e7d9f1d6b163c9cf36f9c5347931e2d663f92
|
data/lib/cfnguardian/compile.rb
CHANGED
@@ -37,6 +37,9 @@ require 'cfnguardian/resources/internal_sftp'
|
|
37
37
|
require 'cfnguardian/resources/tls'
|
38
38
|
require 'cfnguardian/resources/azure_file'
|
39
39
|
require 'cfnguardian/resources/amazonmq_rabbitmq'
|
40
|
+
require 'cfnguardian/resources/batch'
|
41
|
+
require 'cfnguardian/resources/glue'
|
42
|
+
require 'cfnguardian/resources/step_functions'
|
40
43
|
require 'cfnguardian/version'
|
41
44
|
require 'cfnguardian/error'
|
42
45
|
|
@@ -343,7 +343,31 @@ module CfnGuardian
|
|
343
343
|
@dimensions = { DBInstanceIdentifier: resource['Id'] }
|
344
344
|
end
|
345
345
|
end
|
346
|
-
|
346
|
+
|
347
|
+
class StepFunctionsAlarm < BaseAlarm
|
348
|
+
def initialize(resource)
|
349
|
+
super(resource)
|
350
|
+
@group = 'StepFunctions'
|
351
|
+
@namespace = 'AWS/States'
|
352
|
+
@dimensions = { StateMachineArn: { "Fn::Sub" => "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:#{resource['Id']}"} }
|
353
|
+
end
|
354
|
+
end
|
355
|
+
|
356
|
+
class BatchAlarm < BaseAlarm
|
357
|
+
def initialize(resource)
|
358
|
+
super(resource)
|
359
|
+
@group = 'Batch'
|
360
|
+
end
|
361
|
+
end
|
362
|
+
|
363
|
+
class GlueAlarm < BaseAlarm
|
364
|
+
def initialize(resource)
|
365
|
+
super(resource)
|
366
|
+
@group = 'Batch'
|
367
|
+
@namespace = 'Glue'
|
368
|
+
end
|
369
|
+
end
|
370
|
+
|
347
371
|
class SqlAlarm < BaseAlarm
|
348
372
|
def initialize(resource)
|
349
373
|
super(resource)
|
@@ -1,96 +1,111 @@
|
|
1
1
|
module CfnGuardian
|
2
|
-
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
2
|
+
module Models
|
3
|
+
class BaseEventSubscription
|
4
|
+
|
5
|
+
attr_reader :type, :group
|
6
|
+
attr_writer :detail
|
7
|
+
attr_accessor :name,
|
8
|
+
:enabled,
|
9
|
+
:hash,
|
10
|
+
:topic,
|
11
|
+
:resource_id,
|
12
|
+
:resource_arn,
|
13
|
+
:source,
|
14
|
+
:detail_type,
|
15
|
+
:detail
|
16
16
|
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
17
|
+
def initialize(resource)
|
18
|
+
@type = 'EventSubscription'
|
19
|
+
@group = self.class.name.split('::').last
|
20
|
+
@name = ''
|
21
|
+
@hash = Digest::MD5.hexdigest resource['Id']
|
22
|
+
@enabled = true
|
23
|
+
@events = []
|
24
|
+
@topic = 'Events'
|
25
|
+
@resource_id = resource['Id']
|
26
|
+
@resource_arn = ''
|
27
|
+
@source = ''
|
28
|
+
@detail_type = ''
|
29
|
+
@detail = {}
|
30
|
+
end
|
31
31
|
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
32
|
+
def detail
|
33
|
+
return @detail
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
class RDSEventSubscription < BaseEventSubscription
|
38
|
+
attr_accessor :source_id, :rds_event_category, :message
|
36
39
|
|
37
|
-
|
38
|
-
|
40
|
+
def initialize(resource)
|
41
|
+
super(resource)
|
42
|
+
@source = 'aws.rds'
|
43
|
+
@detail_type = 'RDS DB Instance Event'
|
44
|
+
@source_id = ''
|
45
|
+
@rds_event_category = ''
|
46
|
+
@message = ''
|
47
|
+
end
|
39
48
|
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
49
|
+
def detail
|
50
|
+
return {
|
51
|
+
EventCategories: [@rds_event_category],
|
52
|
+
SourceType: [@source_type],
|
53
|
+
SourceIdentifier: ["rds:#{@resource_id}"],
|
54
|
+
Message: [@message]
|
55
|
+
}
|
56
|
+
end
|
57
|
+
end
|
48
58
|
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
}
|
56
|
-
end
|
57
|
-
end
|
59
|
+
class RDSInstanceEventSubscription < RDSEventSubscription
|
60
|
+
def initialize(resource)
|
61
|
+
super(resource)
|
62
|
+
@source_type = 'DB_INSTANCE'
|
63
|
+
end
|
64
|
+
end
|
58
65
|
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
66
|
+
class RDSClusterEventSubscription < RDSEventSubscription
|
67
|
+
def initialize(resource)
|
68
|
+
super(resource)
|
69
|
+
@source_type = 'DB_CLUSTER'
|
70
|
+
end
|
71
|
+
end
|
65
72
|
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
73
|
+
class Ec2InstanceEventSubscription < BaseEventSubscription
|
74
|
+
def initialize(resource)
|
75
|
+
super(resource)
|
76
|
+
@source = 'aws.ec2'
|
77
|
+
end
|
78
|
+
end
|
72
79
|
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
80
|
+
class BatchEventSubscription < BaseEventSubscription
|
81
|
+
def initialize(resource)
|
82
|
+
super(resource)
|
83
|
+
@source = 'aws.batch'
|
84
|
+
end
|
85
|
+
end
|
79
86
|
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
class DynamoDBTableEventSubscription < BaseEventSubscription; end
|
86
|
-
class Ec2InstanceEventSubscription < BaseEventSubscription; end
|
87
|
-
class ECSClusterEventSubscription < BaseEventSubscription; end
|
88
|
-
class ECSServiceEventSubscription < BaseEventSubscription; end
|
89
|
-
class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
|
90
|
-
class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
|
91
|
-
class ElasticFileSystemEventSubscription < BaseEventSubscription; end
|
92
|
-
class LambdaEventSubscription < BaseEventSubscription; end
|
93
|
-
class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
|
94
|
-
class RedshiftClusterEventSubscription < BaseEventSubscription; end
|
87
|
+
class GlueEventSubscription < BaseEventSubscription
|
88
|
+
def initialize(resource)
|
89
|
+
super(resource)
|
90
|
+
@source = 'aws.glue'
|
91
|
+
end
|
95
92
|
end
|
93
|
+
|
94
|
+
class ApiGatewayEventSubscription < BaseEventSubscription; end
|
95
|
+
class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
|
96
|
+
class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
|
97
|
+
class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
|
98
|
+
class AutoScalingGroupEventSubscription < BaseEventSubscription; end
|
99
|
+
class DynamoDBTableEventSubscription < BaseEventSubscription; end
|
100
|
+
class Ec2InstanceEventSubscription < BaseEventSubscription; end
|
101
|
+
class ECSClusterEventSubscription < BaseEventSubscription; end
|
102
|
+
class ECSServiceEventSubscription < BaseEventSubscription; end
|
103
|
+
class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
|
104
|
+
class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
|
105
|
+
class ElasticFileSystemEventSubscription < BaseEventSubscription; end
|
106
|
+
class LambdaEventSubscription < BaseEventSubscription; end
|
107
|
+
class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
|
108
|
+
class RedshiftClusterEventSubscription < BaseEventSubscription; end
|
109
|
+
class StepFunctionsSubscription < BaseEventSubscription; end
|
110
|
+
end
|
96
111
|
end
|
@@ -108,7 +108,7 @@ module CfnGuardian::Resource
|
|
108
108
|
@alarms.each do |alarm|
|
109
109
|
next if alarm.dimensions.nil?
|
110
110
|
alarm.dimensions.each do |k,v|
|
111
|
-
if v.match?(/^\${Resource::.*[A-Za-z]}$/)
|
111
|
+
if v.is_a?(String) && v.match?(/^\${Resource::.*[A-Za-z]}$/)
|
112
112
|
resource_key = v.tr('${}', '').split('Resource::').last
|
113
113
|
if @resource.has_key?(resource_key)
|
114
114
|
logger.debug "overriding alarm #{alarm.name} dimension key '#{k}' with value '#{@resource[resource_key]}'"
|
@@ -0,0 +1,14 @@
|
|
1
|
+
module CfnGuardian::Resource
|
2
|
+
class Batch < Base
|
3
|
+
def default_event_subscriptions()
|
4
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
5
|
+
event_subscription.name = 'FailedBatch'
|
6
|
+
event_subscription.detail_type = 'Batch Job State Change'
|
7
|
+
event_subscription.detail = {
|
8
|
+
'status': ['FAILED'],
|
9
|
+
'jobQueue': ["arn:aws:batch:${AWS::Region}:${AWS::AccountId}:job-queue/#{@resource['Id']}"]
|
10
|
+
}
|
11
|
+
@event_subscriptions.push(event_subscription)
|
12
|
+
end
|
13
|
+
end
|
14
|
+
end
|
@@ -0,0 +1,23 @@
|
|
1
|
+
module CfnGuardian::Resource
|
2
|
+
class Glue < Base
|
3
|
+
def default_event_subscriptions()
|
4
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
5
|
+
event_subscription.name = 'FailedGlueJob'
|
6
|
+
event_subscription.detail_type = 'Glue Job State Change'
|
7
|
+
event_subscription.detail = {
|
8
|
+
'state': ['FAILED'],
|
9
|
+
'jobName': [{'prefix': @resource['Id']}]
|
10
|
+
}
|
11
|
+
@event_subscriptions.push(event_subscription)
|
12
|
+
|
13
|
+
event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
|
14
|
+
event_subscription.name = 'TimeoutGlueJob'
|
15
|
+
event_subscription.detail_type = 'Glue Job State Change'
|
16
|
+
event_subscription.detail = {
|
17
|
+
'state': ['TIMEOUT'],
|
18
|
+
'jobName': [{'prefix': @resource['Id']}]
|
19
|
+
}
|
20
|
+
@event_subscriptions.push(event_subscription)
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
@@ -0,0 +1,41 @@
|
|
1
|
+
module CfnGuardian::Resource
|
2
|
+
class StepFunctions < Base
|
3
|
+
|
4
|
+
def default_alarms
|
5
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
6
|
+
alarm.name = 'ExecutionsFailed'
|
7
|
+
alarm.metric_name = 'ExecutionsFailed'
|
8
|
+
alarm.threshold = 1
|
9
|
+
alarm.evaluation_periods = 5
|
10
|
+
alarm.treat_missing_data = 'notBreaching'
|
11
|
+
@alarms.push(alarm)
|
12
|
+
|
13
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
14
|
+
alarm.name = 'ExecutionsTimedOut'
|
15
|
+
alarm.metric_name = 'ExecutionsTimedOut'
|
16
|
+
alarm.threshold = 1
|
17
|
+
alarm.evaluation_periods = 5
|
18
|
+
alarm.treat_missing_data = 'notBreaching'
|
19
|
+
@alarms.push(alarm)
|
20
|
+
|
21
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
22
|
+
alarm.name = 'ExecutionThrottled'
|
23
|
+
alarm.metric_name = 'ExecutionThrottled'
|
24
|
+
alarm.threshold = 1
|
25
|
+
alarm.evaluation_periods = 5
|
26
|
+
alarm.alarm_action = 'Warning'
|
27
|
+
alarm.treat_missing_data = 'notBreaching'
|
28
|
+
@alarms.push(alarm)
|
29
|
+
|
30
|
+
alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
|
31
|
+
alarm.name = 'ExecutionTime'
|
32
|
+
alarm.metric_name = 'ExecutionTime'
|
33
|
+
alarm.threshold = 60
|
34
|
+
alarm.evaluation_periods = 5
|
35
|
+
alarm.alarm_action = 'Warning'
|
36
|
+
alarm.treat_missing_data = 'notBreaching'
|
37
|
+
@alarms.push(alarm)
|
38
|
+
end
|
39
|
+
|
40
|
+
end
|
41
|
+
end
|
@@ -132,7 +132,7 @@ module CfnGuardian
|
|
132
132
|
Events_Rule("#{subscription.group}#{subscription.name}#{subscription.hash}"[0..255]) do
|
133
133
|
State subscription.enabled ? 'ENABLED' : 'DISABLED'
|
134
134
|
Description "Guardian event subscription #{subscription.group} #{subscription.name} for resource #{subscription.resource_id}"
|
135
|
-
EventPattern event_pattern
|
135
|
+
EventPattern FnSub(event_pattern.to_json)
|
136
136
|
Targets [
|
137
137
|
{
|
138
138
|
Arn: Ref(subscription.topic),
|
data/lib/cfnguardian/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-guardian
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.6.
|
4
|
+
version: 0.6.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Guslington
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-03-
|
11
|
+
date: 2021-03-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: thor
|
@@ -277,6 +277,7 @@ files:
|
|
277
277
|
- lib/cfnguardian/resources/autoscaling_group.rb
|
278
278
|
- lib/cfnguardian/resources/azure_file.rb
|
279
279
|
- lib/cfnguardian/resources/base.rb
|
280
|
+
- lib/cfnguardian/resources/batch.rb
|
280
281
|
- lib/cfnguardian/resources/cloudfront_distribution.rb
|
281
282
|
- lib/cfnguardian/resources/domain_expiry.rb
|
282
283
|
- lib/cfnguardian/resources/dynamodb_table.rb
|
@@ -286,6 +287,7 @@ files:
|
|
286
287
|
- lib/cfnguardian/resources/elastic_file_system.rb
|
287
288
|
- lib/cfnguardian/resources/elastic_loadbalancer.rb
|
288
289
|
- lib/cfnguardian/resources/elasticache_replication_group.rb
|
290
|
+
- lib/cfnguardian/resources/glue.rb
|
289
291
|
- lib/cfnguardian/resources/http.rb
|
290
292
|
- lib/cfnguardian/resources/internal_http.rb
|
291
293
|
- lib/cfnguardian/resources/internal_port.rb
|
@@ -302,6 +304,7 @@ files:
|
|
302
304
|
- lib/cfnguardian/resources/sftp.rb
|
303
305
|
- lib/cfnguardian/resources/sql.rb
|
304
306
|
- lib/cfnguardian/resources/sqs_queue.rb
|
307
|
+
- lib/cfnguardian/resources/step_functions.rb
|
305
308
|
- lib/cfnguardian/resources/tls.rb
|
306
309
|
- lib/cfnguardian/s3.rb
|
307
310
|
- lib/cfnguardian/stacks/main.rb
|