cfn-guardian 0.6.13 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
 - data/docs/maintenance_mode.md +12 -4
 - data/lib/cfnguardian/compile.rb +5 -3
 - data/lib/cfnguardian/models/check.rb +11 -0
 - data/lib/cfnguardian/resources/elastic_search.rb +1 -0
 - data/lib/cfnguardian/stacks/main.rb +47 -7
 - data/lib/cfnguardian/version.rb +1 -1
 - metadata +2 -2
 
    
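--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: cd1284d70e2862cb14e2aa9f3c97e582ef6776bc54d80f47af8d8bfb561a9386
+  data.tar.gz: 6df131dc0d56bb00041f808617dbd856501d6a131d42ab1311a53d8fb3a3e02d
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 3f63a7f508b3b2b235138840ddcf9fbdf4512b646711cc7422da94727bde967e49f7da23e7dff94f10134d15c39e661a8da6e356b1fe60c514897f4bfd7176dc
+  data.tar.gz: 9ff94d8f5eeec75778f4b13da7fccd853fd85ff3669966de381c3147a94769b2dc916644069b764d05f560ad9e0f61024c6d776bd60e355cd6a2dbe89d579e04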
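--- a/data/docs/maintenance_mode.md
+++ b/data/docs/maintenance_mode.md
@@ -8,8 +8,8 @@ Alarms can be provided to the function the following ways
 Alarm names be provided by a space delimited list using the `--alarms` switch.
 
 ```bash
-cfn-guardian disable-alarms --
-cfn-guardian enable-alarms --
+cfn-guardian disable-alarms --alarms alarm-1 alarm-2
+cfn-guardian enable-alarms --alarms alarm-1 alarm-2
 ```
 
 ## Alarm Name Prefix
@@ -60,10 +60,16 @@ Resources:
     StatusCode: 200
 
 # Define the top level key
-
+MaintenanceGroups:
 
   # Define the group name
   AppUpdate:
+    # Optionally set a schedule for enabling/disabling
+    Schedules:
+      Disable: '30 0 * * ? *'
+      Enable: '00 1 * * ? *'
+      #Optionally specify and set to true to enable logging on lambda
+      Debug: true
     # Define the resource group
     ECSService:
       # define the alarms in the resource group
@@ -82,4 +88,6 @@ MaintenaceGroups:
 ```bash
 cfn-guardian disable-alarms --group AppUpdate
 cfn-guardian enable-alarms --group AppUpdate
-```
+```
+
+Optionally add a Schedule for disabling and enabling alarm actions as shown in the example above to deploy a lambda function that will be invoked by event rules created with the given cron expressions.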
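--- a/data/lib/cfnguardian/compile.rb
+++ b/data/lib/cfnguardian/compile.rb
@@ -61,7 +61,7 @@ module CfnGuardian
       @composites = config.fetch('Composites',{})
       @templates = config.fetch('Templates',{})
       @topics = config.fetch('Topics',{})
-      @maintenance_groups = config.fetch('
+      @maintenance_groups = config.fetch('MaintenanceGroups', {})
       @event_subscriptions = config.fetch('EventSubscriptions', {})
 
       # Make sure the default topics exist if they aren't supplied in the alarms.yaml
@@ -69,7 +69,6 @@ module CfnGuardian
         @topics[topic] = '' unless @topics.has_key?(topic)
       end
 
-      @maintenance_group_list = @maintenance_groups.keys.map {|group| "#{group}MaintenanceGroup"}
       @resources = []
       @stacks = []
       @checks = []
@@ -116,6 +115,9 @@ module CfnGuardian
 
       @maintenance_groups.each do |maintenance_group,resource_groups|
         resource_groups.each do |group, alarms|
+          if group == 'Schedules'
+            next
+          end
           alarms.each do |alarm, resources|
             resources.each do |resource|
 
@@ -190,7 +192,7 @@ module CfnGuardian
       resources = split_resources(bucket,path)
 
       main_stack = CfnGuardian::Stacks::Main.new()
-      main_stack.build_template(@stacks,@checks,@topics,@
+      main_stack.build_template(@stacks,@checks,@topics,@maintenance_groups,@ssm_parameters)
       valid = main_stack.template.validate
       FileUtils.mkdir_p 'out'
       File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)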
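Review bot: The added `if group == 'Schedules'` guard in the maintenance-group loop skips the schedule block without checking it, so nothing at compile time confirms that both `Enable` and `Disable` are present. A `Schedules` block holding only `Debug`, or only one of the two keys, still reaches `add_maintenance_group` (shown later on this page), where the missing value is interpolated as `cron()`; that is presumably rejected only when the stack is deployed. I would validate before skipping, e.g. `missing = %w[Enable Disable] - alarms.keys`, report a non-empty `missing` through whatever error path this method already uses, and collapse the guard to `next if group == 'Schedules'`. Reserving the key also means a resource group that happens to be named `Schedules` is silently ignored, which deserves a line in the docs. The loop's enclosing method starts and ends outside the hunk.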
| 
         @@ -205,5 +205,16 @@ module CfnGuardian 
     | 
|
| 
       205 
205 
     | 
    
         
             
                  end
         
     | 
| 
       206 
206 
     | 
    
         
             
                end
         
     | 
| 
       207 
207 
     | 
    
         | 
| 
      
 208 
     | 
    
         
            +
                class MaintenanceGroupCheck < BaseCheck
         
     | 
| 
      
 209 
     | 
    
         
            +
                  def initialize(resource)
         
     | 
| 
      
 210 
     | 
    
         
            +
                    super(resource)
         
     | 
| 
      
 211 
     | 
    
         
            +
                    @name = 'MaintenanceGroupCheck'
         
     | 
| 
      
 212 
     | 
    
         
            +
                    @package = 'maintenance-group-check'
         
     | 
| 
      
 213 
     | 
    
         
            +
                    @handler = 'handler.maintenance_group_check'
         
     | 
| 
      
 214 
     | 
    
         
            +
                    @version = '5b795e6509068d1767e4be80f2e6868cbeb3b425'
         
     | 
| 
      
 215 
     | 
    
         
            +
                    @runtime = 'python3.7'
         
     | 
| 
      
 216 
     | 
    
         
            +
                  end 
         
     | 
| 
      
 217 
     | 
    
         
            +
                end
         
     | 
| 
      
 218 
     | 
    
         
            +
             
     | 
| 
       208 
219 
     | 
    
         
             
              end
         
     | 
| 
       209 
220 
     | 
    
         
             
            end
         
     | 
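Review bot: `MaintenanceGroupCheck#initialize` hard-codes `@version = '5b795e6509068d1767e4be80f2e6868cbeb3b425'` and `@runtime = 'python3.7'` with no comment saying what the hash identifies. It looks like a commit id for the `maintenance-group-check` Lambda package, and that function presumably runs under the role that the policy hunk further down allows to disable alarm actions, so anyone auditing the deployed artifact needs to know which repository or artifact store the value resolves against. A comment such as `# commit of the lambda source the maintenance-group-check package was built from` (wording to be confirmed by the author) would cover it, together with a note that `@runtime` must be bumped when that runtime is retired. The file header for this hunk is missing from the page; by the diffstat (+11 -0) it appears to belong to data/lib/cfnguardian/models/check.rb.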
| 
         @@ -4,6 +4,7 @@ module CfnGuardian 
     | 
|
| 
       4 
4 
     | 
    
         
             
              module Stacks
         
     | 
| 
       5 
5 
     | 
    
         
             
                class Main
         
     | 
| 
       6 
6 
     | 
    
         
             
                  include CfnDsl::CloudFormation
         
     | 
| 
      
 7 
     | 
    
         
            +
                  include Logging
         
     | 
| 
       7 
8 
     | 
    
         | 
| 
       8 
9 
     | 
    
         
             
                  attr_reader :parameters, :template
         
     | 
| 
       9 
10 
     | 
    
         | 
| 
         @@ -22,12 +23,10 @@ module CfnGuardian 
     | 
|
| 
       22 
23 
     | 
    
         
             
                      parameter.Default sns
         
     | 
| 
       23 
24 
     | 
    
         
             
                      parameters[name] = Ref(name)
         
     | 
| 
       24 
25 
     | 
    
         
             
                    end
         
     | 
| 
       25 
     | 
    
         
            -
             
     | 
| 
       26 
     | 
    
         
            -
                    maintenance_groups. 
     | 
| 
       27 
     | 
    
         
            -
                       
     | 
| 
       28 
     | 
    
         
            -
                       
     | 
| 
       29 
     | 
    
         
            -
                      topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
         
     | 
| 
       30 
     | 
    
         
            -
                      parameters[group] = Ref(group)
         
     | 
| 
      
 26 
     | 
    
         
            +
             
     | 
| 
      
 27 
     | 
    
         
            +
                    if maintenance_groups.any?
         
     | 
| 
      
 28 
     | 
    
         
            +
                      add_lambda(CfnGuardian::Models::MaintenanceGroupCheck.new(maintenance_groups))
         
     | 
| 
      
 29 
     | 
    
         
            +
                      maintenance_groups.each {|group,config| add_maintenance_group(group,config,parameters)}
         
     | 
| 
       31 
30 
     | 
    
         
             
                    end
         
     | 
| 
       32 
31 
     | 
    
         | 
| 
       33 
32 
     | 
    
         
             
                    add_iam_role(ssm_parameters)
         
     | 
| 
         @@ -73,6 +72,17 @@ module CfnGuardian 
     | 
|
| 
       73 
72 
     | 
    
         
             
                        }]
         
     | 
| 
       74 
73 
     | 
    
         
             
                      }
         
     | 
| 
       75 
74 
     | 
    
         
             
                    }
         
     | 
| 
      
 75 
     | 
    
         
            +
                    policies << {
         
     | 
| 
      
 76 
     | 
    
         
            +
                      PolicyName: 'maintenance-group-actions',
         
     | 
| 
      
 77 
     | 
    
         
            +
                      PolicyDocument: {
         
     | 
| 
      
 78 
     | 
    
         
            +
                        Version: '2012-10-17',
         
     | 
| 
      
 79 
     | 
    
         
            +
                        Statement: [{
         
     | 
| 
      
 80 
     | 
    
         
            +
                          Effect: 'Allow',
         
     | 
| 
      
 81 
     | 
    
         
            +
                          Action: [ 'cloudwatch:DescribeAlarms', 'cloudwatch:DisableAlarmActions', 'cloudwatch:EnableAlarmActions', 'cloudwatch:SetAlarmState' ],
         
     | 
| 
      
 82 
     | 
    
         
            +
                          Resource: FnSub("arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*")
         
     | 
| 
      
 83 
     | 
    
         
            +
                        }]
         
     | 
| 
      
 84 
     | 
    
         
            +
                      }
         
     | 
| 
      
 85 
     | 
    
         
            +
                    }
         
     | 
| 
       76 
86 
     | 
    
         
             
                    if ssm_parameters.any?
         
     | 
| 
       77 
87 
     | 
    
         
             
                      policies << {
         
     | 
| 
       78 
88 
     | 
    
         
             
                        PolicyName: 'ssm-parameters',
         
     | 
| 
         @@ -165,7 +175,37 @@ module CfnGuardian 
     | 
|
| 
       165 
175 
     | 
    
         
             
                      end
         
     | 
| 
       166 
176 
     | 
    
         
             
                    end
         
     | 
| 
       167 
177 
     | 
    
         
             
                  end
         
     | 
| 
       168 
     | 
    
         
            -
             
     | 
| 
      
 178 
     | 
    
         
            +
             
     | 
| 
      
 179 
     | 
    
         
            +
                  def add_maintenance_group(group,config,parameters)
         
     | 
| 
      
 180 
     | 
    
         
            +
                    group_name = "#{group}MaintenanceGroup"
         
     | 
| 
      
 181 
     | 
    
         
            +
                    schedules = config.fetch('Schedules', {})
         
     | 
| 
      
 182 
     | 
    
         
            +
                    logging = config.dig('Schedules', 'Debug').to_s
         
     | 
| 
      
 183 
     | 
    
         
            +
             
     | 
| 
      
 184 
     | 
    
         
            +
                    topic = @template.SNS_Topic(group_name)
         
     | 
| 
      
 185 
     | 
    
         
            +
                    topic.TopicName group_name
         
     | 
| 
      
 186 
     | 
    
         
            +
                    topic.Tags([{ Key: 'Environment', Value: 'guardian' }])
         
     | 
| 
      
 187 
     | 
    
         
            +
                    parameters[group_name] = Ref(group_name)
         
     | 
| 
      
 188 
     | 
    
         
            +
             
     | 
| 
      
 189 
     | 
    
         
            +
                    if schedules.any?
         
     | 
| 
      
 190 
     | 
    
         
            +
                      event = @template.Events_Rule("#{group_name}EnableEvent")
         
     | 
| 
      
 191 
     | 
    
         
            +
                      event.Name "#{group_name}EnableEvent"
         
     | 
| 
      
 192 
     | 
    
         
            +
                      event.ScheduleExpression "cron(#{schedules['Enable']})"
         
     | 
| 
      
 193 
     | 
    
         
            +
                      event.Targets([{ 
         
     | 
| 
      
 194 
     | 
    
         
            +
                        Arn: FnGetAtt('MaintenanceGroupCheckFunction', 'Arn'), 
         
     | 
| 
      
 195 
     | 
    
         
            +
                        Id: "#{group_name}EnableTarget", 
         
     | 
| 
      
 196 
     | 
    
         
            +
                        Input: {action:"enable_alarms", maintenance_group: group_name, logging: logging}.to_json
         
     | 
| 
      
 197 
     | 
    
         
            +
                      }])
         
     | 
| 
      
 198 
     | 
    
         
            +
             
     | 
| 
      
 199 
     | 
    
         
            +
                      event = @template.Events_Rule("#{group_name}DisableEvent")
         
     | 
| 
      
 200 
     | 
    
         
            +
                      event.Name "#{group_name}DisableEvent"
         
     | 
| 
      
 201 
     | 
    
         
            +
                      event.ScheduleExpression "cron(#{schedules['Disable']})"            
         
     | 
| 
      
 202 
     | 
    
         
            +
                      event.Targets([{ 
         
     | 
| 
      
 203 
     | 
    
         
            +
                        Arn: FnGetAtt('MaintenanceGroupCheckFunction', 'Arn'), 
         
     | 
| 
      
 204 
     | 
    
         
            +
                        Id: "#{group_name}DisableTarget", 
         
     | 
| 
      
 205 
     | 
    
         
            +
                        Input: {action:"disable_alarms", maintenance_group: group_name, logging: logging}.to_json
         
     | 
| 
      
 206 
     | 
    
         
            +
                      }])
         
     | 
| 
      
 207 
     | 
    
         
            +
                    end
         
     | 
| 
      
 208 
     | 
    
         
            +
                  end
         
     | 
| 
       169 
209 
     | 
    
         
             
                end
         
     | 
| 
       170 
210 
     | 
    
         
             
              end
         
     | 
| 
       171 
211 
     | 
    
         
             
            end
         
     | 
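Review bot: The new `maintenance-group-actions` policy grants `cloudwatch:DisableAlarmActions`, `cloudwatch:EnableAlarmActions` and `cloudwatch:SetAlarmState` on `alarm:*`, which is every alarm in the account and region, and it is appended to `policies` outside any condition, so the grant appears to exist even when no maintenance groups are configured. If this role is shared by the other guardian Lambdas (the hunk shows `policies` being built once, next to the `ssm-parameters` policy), each of them could mute or force the state of alarms that guardian does not own. I would narrow the resource to the alarm names guardian creates, e.g. `Resource: FnSub("arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:<guardian-alarm-name-pattern>")`, and add the statement only when maintenance groups are present, which means passing the groups into the role builder. The enclosing method starts and ends outside the hunk. The file header for these hunks is missing from the page; by the diffstat (+47 -7) they appear to belong to data/lib/cfnguardian/stacks/main.rb.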
    
        data/lib/cfnguardian/version.rb
    CHANGED
    
    
    
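--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-guardian
 version: !ruby/object:Gem::Version
-  version: 0.
+  version: 0.7.0
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-
+date: 2021-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor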