cfn-guardian 0.6.4 → 0.6.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9df1f4d7843a5283660b98138d46976465f2e64418c9a76b9a88cfb8ce8d2c59
-  data.tar.gz: f05a68bf8dc81f31f70185e79f9aedce3497d0087013d9ed1bc5738786b3b3ea
+  metadata.gz: e13aeec66b2fd0beaaefac66257555ab629c777b3377e41829c16106a5fbde8a
+  data.tar.gz: 3e2a2f21d9bbc278f055a08256a4653e13649705f608f3f083d1e637bb4198d4
 SHA512:
-  metadata.gz: 1bafaf7b5dcbb19b3b3365cc514683426e1f26e98ad9c516606e20ca7463ab2de9fa102c0ac2a9e4bdbdf76b107c2c7f0c02e24f26894944d5d3429f055ad551
-  data.tar.gz: 833a797750326a35d09cd96b1fc1d9e0d895793962da45e75dcf01c0197a1ad9283222e7c0ccadcf319446684eb5b66f4ce4b544012f5a7f01bc68efc2f20d57
+  metadata.gz: 6d617f561808d69040b13835627e07b0a5993750dfed7b0d97086b567542647f0189934994e29d651a06106879ada46f185fa0cc7eafd17dc8486fbf121aa0cb
+  data.tar.gz: 01b5c57874c7df8bff6ea5b3853e43cbec02c140c8043c89fa110b73130a5a124da4f521cd1fbb0c1a4136c6aa0e7d9f1d6b163c9cf36f9c5347931e2d663f92

data/lib/cfnguardian/compile.rb

@@ -37,6 +37,9 @@ require 'cfnguardian/resources/internal_sftp'
 require 'cfnguardian/resources/tls'
 require 'cfnguardian/resources/azure_file'
 require 'cfnguardian/resources/amazonmq_rabbitmq'
+require 'cfnguardian/resources/batch'
+require 'cfnguardian/resources/glue'
+require 'cfnguardian/resources/step_functions'
 require 'cfnguardian/version'
 require 'cfnguardian/error'
 

data/lib/cfnguardian/models/alarm.rb

@@ -343,7 +343,31 @@ module CfnGuardian
         @dimensions = { DBInstanceIdentifier: resource['Id'] }
       end
     end
-    
+
+    class StepFunctionsAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'StepFunctions'
+        @namespace = 'AWS/States'
+        @dimensions = { StateMachineArn: { "Fn::Sub" => "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:#{resource['Id']}"} }
+      end
+    end
+
+    class BatchAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'Batch'
+      end
+    end
+
+    class GlueAlarm < BaseAlarm
+      def initialize(resource)
+        super(resource)
+        @group = 'Batch'
+        @namespace = 'Glue'
+      end
+    end
+
     class SqlAlarm < BaseAlarm
       def initialize(resource)
         super(resource)

data/lib/cfnguardian/models/event_subscription.rb

@@ -1,96 +1,111 @@
 module CfnGuardian
-    module Models
-        class BaseEventSubscription
-            
-            attr_reader :type, :group
-            attr_writer :detail
-            attr_accessor :name,
-                :enabled,
-                :hash,
-                :topic,
-                :resource_id,
-                :resource_arn,
-                :source,
-                :detail_type,
-                :detail
+  module Models
+    class BaseEventSubscription
+        
+      attr_reader :type, :group
+      attr_writer :detail
+      attr_accessor :name,
+        :enabled,
+        :hash,
+        :topic,
+        :resource_id,
+        :resource_arn,
+        :source,
+        :detail_type,
+        :detail
 
-            def initialize(resource)
-                @type = 'EventSubscription'
-                @group = self.class.name.split('::').last
-                @name = ''
-                @hash = Digest::MD5.hexdigest resource['Id']
-                @enabled = true
-                @events = []
-                @topic = 'Events'
-                @resource_id = resource['Id']
-                @resource_arn = ''
-                @source = ''
-                @detail_type = ''
-                @detail = {}
-            end
+      def initialize(resource)
+        @type = 'EventSubscription'
+        @group = self.class.name.split('::').last
+        @name = ''
+        @hash = Digest::MD5.hexdigest resource['Id']
+        @enabled = true
+        @events = []
+        @topic = 'Events'
+        @resource_id = resource['Id']
+        @resource_arn = ''
+        @source = ''
+        @detail_type = ''
+        @detail = {}
+      end
 
-            def detail
-                return @detail
-            end
-        end
+      def detail
+        return @detail
+      end
+    end
+
+    class RDSEventSubscription < BaseEventSubscription
+      attr_accessor :source_id, :rds_event_category, :message
 
-        class RDSEventSubscription < BaseEventSubscription
-            attr_accessor :source_id, :rds_event_category, :message
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.rds'
+        @detail_type = 'RDS DB Instance Event'
+        @source_id = ''
+        @rds_event_category = ''
+        @message = ''
+      end
 
-            def initialize(resource)
-                super(resource)
-                @source = 'aws.rds'
-                @detail_type = 'RDS DB Instance Event'
-                @source_id = ''
-                @rds_event_category = ''
-                @message = ''
-            end
+      def detail
+        return {
+          EventCategories: [@rds_event_category],
+          SourceType: [@source_type],
+          SourceIdentifier: ["rds:#{@resource_id}"],
+          Message: [@message]
+        }
+      end
+    end
 
-            def detail
-                return {
-                    EventCategories: [@rds_event_category],
-                    SourceType: [@source_type],
-                    SourceIdentifier: ["rds:#{@resource_id}"],
-                    Message: [@message]
-                }
-            end
-        end
+    class RDSInstanceEventSubscription < RDSEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source_type = 'DB_INSTANCE'
+      end
+    end
 
-        class RDSInstanceEventSubscription < RDSEventSubscription
-            def initialize(resource)
-                super(resource)
-                @source_type = 'DB_INSTANCE'
-            end
-        end
+    class RDSClusterEventSubscription < RDSEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source_type = 'DB_CLUSTER'
+      end
+    end
 
-        class RDSClusterEventSubscription < RDSEventSubscription
-            def initialize(resource)
-                super(resource)
-                @source_type = 'DB_CLUSTER'
-            end
-        end
+    class Ec2InstanceEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.ec2'
+      end
+    end
 
-        class Ec2InstanceEventSubscription < BaseEventSubscription
-            def initialize(resource)
-                super(resource)
-                @source = 'aws.ec2'
-            end
-        end
+    class BatchEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.batch'
+      end
+    end
 
-        class ApiGatewayEventSubscription < BaseEventSubscription; end
-        class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
-        class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
-        class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
-        class AutoScalingGroupEventSubscription < BaseEventSubscription; end
-        class DynamoDBTableEventSubscription < BaseEventSubscription; end
-        class Ec2InstanceEventSubscription < BaseEventSubscription; end
-        class ECSClusterEventSubscription < BaseEventSubscription; end
-        class ECSServiceEventSubscription < BaseEventSubscription; end
-        class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
-        class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
-        class ElasticFileSystemEventSubscription < BaseEventSubscription; end
-        class LambdaEventSubscription < BaseEventSubscription; end
-        class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
-        class RedshiftClusterEventSubscription < BaseEventSubscription; end
+    class GlueEventSubscription < BaseEventSubscription
+      def initialize(resource)
+        super(resource)
+        @source = 'aws.glue'
+      end
     end
+
+    class ApiGatewayEventSubscription < BaseEventSubscription; end
+    class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end
+    class AmazonMQBrokerEventSubscription < BaseEventSubscription; end
+    class CloudFrontDistributionEventSubscription < BaseEventSubscription; end
+    class AutoScalingGroupEventSubscription < BaseEventSubscription; end
+    class DynamoDBTableEventSubscription < BaseEventSubscription; end
+    class Ec2InstanceEventSubscription < BaseEventSubscription; end
+    class ECSClusterEventSubscription < BaseEventSubscription; end
+    class ECSServiceEventSubscription < BaseEventSubscription; end
+    class ElastiCacheReplicationGroupEventSubscription < BaseEventSubscription; end
+    class ElasticLoadBalancerEventSubscription < BaseEventSubscription; end
+    class ElasticFileSystemEventSubscription < BaseEventSubscription; end
+    class LambdaEventSubscription < BaseEventSubscription; end
+    class NetworkTargetGroupEventSubscription < BaseEventSubscription; end
+    class RedshiftClusterEventSubscription < BaseEventSubscription; end
+    class StepFunctionsSubscription < BaseEventSubscription; end
+  end
 end

data/lib/cfnguardian/resources/base.rb

@@ -108,7 +108,7 @@ module CfnGuardian::Resource
       @alarms.each do |alarm|
         next if alarm.dimensions.nil?
         alarm.dimensions.each do |k,v|
-          if v.match?(/^\${Resource::.*[A-Za-z]}$/)
+          if v.is_a?(String) && v.match?(/^\${Resource::.*[A-Za-z]}$/)
             resource_key = v.tr('${}', '').split('Resource::').last
             if @resource.has_key?(resource_key)
               logger.debug "overriding alarm #{alarm.name} dimension key '#{k}' with value '#{@resource[resource_key]}'" 

data/lib/cfnguardian/resources/batch.rb

@@ -0,0 +1,14 @@
+module CfnGuardian::Resource
+  class Batch < Base
+    def default_event_subscriptions()
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'FailedBatch'
+      event_subscription.detail_type = 'Batch Job State Change'
+      event_subscription.detail = {
+        'status': ['FAILED'],
+        'jobQueue': ["arn:aws:batch:${AWS::Region}:${AWS::AccountId}:job-queue/#{@resource['Id']}"]
+      }
+      @event_subscriptions.push(event_subscription)
+    end
+  end
+end

data/lib/cfnguardian/resources/glue.rb

@@ -0,0 +1,23 @@
+module CfnGuardian::Resource
+  class Glue < Base
+    def default_event_subscriptions()
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'FailedGlueJob'
+      event_subscription.detail_type = 'Glue Job State Change'
+      event_subscription.detail = {
+        'state': ['FAILED'],
+        'jobName': [{'prefix': @resource['Id']}]
+      }
+      @event_subscriptions.push(event_subscription)
+
+      event_subscription = CfnGuardian::Models::BatchEventSubscription.new(@resource)
+      event_subscription.name = 'TimeoutGlueJob'
+      event_subscription.detail_type = 'Glue Job State Change'
+      event_subscription.detail = {
+        'state': ['TIMEOUT'],
+        'jobName': [{'prefix': @resource['Id']}]
+      }
+      @event_subscriptions.push(event_subscription)
+    end
+  end
+end

data/lib/cfnguardian/resources/step_functions.rb

@@ -0,0 +1,41 @@
+module CfnGuardian::Resource
+  class StepFunctions < Base
+      
+    def default_alarms    
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionsFailed'
+      alarm.metric_name = 'ExecutionsFailed'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionsTimedOut'
+      alarm.metric_name = 'ExecutionsTimedOut'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionThrottled'
+      alarm.metric_name = 'ExecutionThrottled'
+      alarm.threshold = 1
+      alarm.evaluation_periods = 5
+      alarm.alarm_action = 'Warning'
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+
+      alarm = CfnGuardian::Models::StepFunctionsAlarm.new(@resource)
+      alarm.name = 'ExecutionTime'
+      alarm.metric_name = 'ExecutionTime'
+      alarm.threshold = 60
+      alarm.evaluation_periods = 5
+      alarm.alarm_action = 'Warning'
+      alarm.treat_missing_data = 'notBreaching'
+      @alarms.push(alarm)
+    end
+      
+  end
+end

data/lib/cfnguardian/stacks/resources.rb

@@ -132,7 +132,7 @@ module CfnGuardian
           Events_Rule("#{subscription.group}#{subscription.name}#{subscription.hash}"[0..255]) do
             State subscription.enabled ? 'ENABLED' : 'DISABLED'
             Description "Guardian event subscription #{subscription.group} #{subscription.name} for resource #{subscription.resource_id}"
-            EventPattern event_pattern
+            EventPattern FnSub(event_pattern.to_json)
             Targets [
               {
                 Arn: Ref(subscription.topic),

data/lib/cfnguardian/version.rb

@@ -1,4 +1,4 @@
 module CfnGuardian
-  VERSION = "0.6.4"
+  VERSION = "0.6.5"
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-guardian
 version: !ruby/object:Gem::Version
-  version: 0.6.4
+  version: 0.6.5
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-03-03 00:00:00.000000000 Z
+date: 2021-03-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -277,6 +277,7 @@ files:
 - lib/cfnguardian/resources/autoscaling_group.rb
 - lib/cfnguardian/resources/azure_file.rb
 - lib/cfnguardian/resources/base.rb
+- lib/cfnguardian/resources/batch.rb
 - lib/cfnguardian/resources/cloudfront_distribution.rb
 - lib/cfnguardian/resources/domain_expiry.rb
 - lib/cfnguardian/resources/dynamodb_table.rb
@@ -286,6 +287,7 @@ files:
 - lib/cfnguardian/resources/elastic_file_system.rb
 - lib/cfnguardian/resources/elastic_loadbalancer.rb
 - lib/cfnguardian/resources/elasticache_replication_group.rb
+- lib/cfnguardian/resources/glue.rb
 - lib/cfnguardian/resources/http.rb
 - lib/cfnguardian/resources/internal_http.rb
 - lib/cfnguardian/resources/internal_port.rb
@@ -302,6 +304,7 @@ files:
 - lib/cfnguardian/resources/sftp.rb
 - lib/cfnguardian/resources/sql.rb
 - lib/cfnguardian/resources/sqs_queue.rb
+- lib/cfnguardian/resources/step_functions.rb
 - lib/cfnguardian/resources/tls.rb
 - lib/cfnguardian/s3.rb
 - lib/cfnguardian/stacks/main.rb