cfn-guardian 0.7.16 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 698af7ce8ae6207dbecaba853e316c45b49f4097feb4b02109a4d4cf6e4e2e50
-  data.tar.gz: 37930ff02c6aac6e68bb84dc5d704523d67e2f0ec606bf4bc279f9dee987f59f
+  metadata.gz: dee3a34d28fcd37f9228a90d7c53a65d0cdfbbd27842c0ef3c6f78981f980480
+  data.tar.gz: b475d9c262e6620431450e74c5a0b2c5fdda3f5d76b135878f1974f114163530
 SHA512:
-  metadata.gz: 8dd7078ef3ecbf66c1a8120d029840afa9857c1478d7ce8c2bca341731af4bd7afce412add69008ec7137477b59c3f789a30cf79cfab31f5a2a2ef6810eff9e0
-  data.tar.gz: 23587e30e8b0fea611a60869c9b59b4acc984cb9869a5a3b16dc6d5c62a862ecf3b9adca5b5a0f45cb6868434dcfddeb1320330bbd4587647d77c21725531037
+  metadata.gz: 9860b56997a775b014c53d5b8de6432b1c38ca2223d65d1416482f3bfb3035c37aa0be6fd8edad99ad368e63de811f3d6e7bb30ba280b579f999b5bb1c518ca0
+  data.tar.gz: cf758b431fe395af861d05dbd200c5ee01e68270ed926b439bee9f83803828c0f3c63c53481996c6732a00b8b0c050f87caa7b724e8d274a5f65563faf6b3baa

data/docs/alarm_tags.md

@@ -0,0 +1,63 @@
+# Guardian Alarm Tags
+
+AWS tags can be applied to Cloudwatch alarms created by guardian. This is available as a separate guardian command [`cfn-guardian tag-alarms`] because Cloudformation doesn't support creating tags on Cloudwatch alarms.
+
+## Default Tags
+
+Guardian will add the following default tags to each alarm
+
+```
+guardian:resource:id
+guardian:resource:group
+guardian:alarm:name
+guardian:alarm:metric
+guardian:alarm:severity
+```
+
+## Adding Tags
+
+Additional tags can added through the alarms yaml configuration file. They can be applied globally to all alarms, to all alarms in a resource group or a specific alarm.
+
+### Global Tags
+
+Global tags are applied to every alarm created by guardian. Add the `GlobalTags` key at the top level of the alarms yaml config with key:value pairs. 
+
+```yml
+GlobalTags:
+  key: value
+  env: production
+```
+
+### Resource Group Tags
+
+Resource group tags are applied to every alarm in a guardian resource group using the `Templates` section to add the tags.
+
+```yaml
+Templates:
+  Ec2Instance:
+    GroupOverrides:
+      Tags:
+        key: value
+        env: production
+```
+
+### Specific Alarm Tags
+
+To add tags to a specific guardian alarm you can apply the tags in the `Templates` section of the alarms yaml config.
+
+```yaml
+Templates:
+  Ec2Instance:
+    CPUUtilizationHigh:
+      Tags:
+        key: value
+        alarm-action: restart ec2 instance
+```
+
+## Applying tags
+
+To apply the tags run the `tag-alarms` command passing the alarms yaml config.
+
+```sh
+cfn-guardian tag-alarms --config alarms.yaml
+```

data/docs/overview.md

@@ -20,4 +20,5 @@
 7. [Maintenance Mode](maintenance_mode.md)
 8. [Composite Alarms](composite_alarms.md)
 9. [Alarms for Custom Metrics](custom_metrics.md)
-10. [Dimension Variables](variables.md)
+10. [Dimension Variables](variables.md)
+11. [Alarm Tags](alarm_tags.md)

data/lib/cfnguardian/cloudwatch.rb

@@ -9,6 +9,10 @@ module CfnGuardian
       alarm_id = alarm.resource_name.nil? ? alarm.resource_id : alarm.resource_name
       return "guardian-#{alarm.group}-#{alarm_id}-#{alarm.name}"
     end
+
+    def self.get_alarm_arn(alarm)
+      return "arn:aws:cloudwatch:#{Aws.config[:region]}:#{aws_account_id()}:alarm:#{self.get_alarm_name(alarm)}"
+    end
         
     def self.get_alarms_by_prefix(prefix:, state: nil, action_prefix: nil)
       client = Aws::CloudWatch::Client.new()

data/lib/cfnguardian/compile.rb

@@ -57,7 +57,7 @@ module CfnGuardian
   class Compile
     include Logging
     
-    attr_reader :cost, :resources, :topics
+    attr_reader :cost, :resources, :topics, :global_tags
     
     def initialize(config_file)
       config = YAML.load_file(config_file)
@@ -68,6 +68,7 @@ module CfnGuardian
       @topics = config.fetch('Topics',{})
       @maintenance_groups = config.fetch('MaintenanceGroups', {})
       @event_subscriptions = config.fetch('EventSubscriptions', {})
+      @global_tags = config.fetch('GlobalTags', {})
       
       # Make sure the default topics exist if they aren't supplied in the alarms.yaml
       %w(Critical Warning Task Informational Events).each do |topic|
@@ -161,7 +162,7 @@ module CfnGuardian
         when 'Alarm'
           %w(metric_name namespace).each do |property|
             if resource.send(property).nil?
-              errors << "Alarm #{resource.name} for resource #{resource.resource_id} has nil value for property #{property.to_camelcase}"
+              errors << "Alarm #{resource.name} for resource #{resource.resource_id} has nil value for property #{property.to_camelcase}. This could be due to incorrect spelling of a default alarm name or missing property #{property.to_camelcase} on a new alarm."
             end
           end
         when 'Check'
@@ -180,34 +181,18 @@ module CfnGuardian
       raise CfnGuardian::ValidationError, "#{errors.size} errors found\n[*] #{errors.join("\n[*] ")}" if errors.any?
     end
     
-    def split_resources(bucket,path)
-      split = @resources.each_slice(200).to_a
-      split.each_with_index do |resources,index|
-        @stacks.push({
-          'Name' => "GuardianStack#{index}",
-          'TemplateURL' => "https://#{bucket}.s3.amazonaws.com/#{path}/guardian-stack-#{index}.compiled.yaml",
-          'Reference' => index
-        })
-      end
-      return split
-    end
-    
     def compile_templates(bucket,path)
       clean_out_directory()
-      resources = split_resources(bucket,path)
       
       main_stack = CfnGuardian::Stacks::Main.new()
       main_stack.build_template(@stacks,@checks,@topics,@maintenance_groups,@ssm_parameters)
+      
+      resource_stack = CfnGuardian::Stacks::Resources.new(main_stack.template)
+      resource_stack.build_template(@resources)
+
       valid = main_stack.template.validate
       FileUtils.mkdir_p 'out'
       File.write("out/guardian.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
-      
-      resources.each_with_index do |resources,index|
-        stack = CfnGuardian::Stacks::Resources.new(main_stack.parameters,index)
-        stack.build_template(resources)
-        valid = stack.template.validate
-        File.write("out/guardian-stack-#{index}.compiled.yaml", JSON.parse(valid.to_json).to_yaml)
-      end
     end
     
     def clean_out_directory

data/lib/cfnguardian/deploy.rb

@@ -14,6 +14,14 @@ module CfnGuardian
       @template_path = "out/guardian.compiled.yaml"
       @template_url = "https://#{@bucket}.s3.amazonaws.com/#{@prefix}/guardian.compiled.yaml"
       @parameters = parameters
+      @changeset_role_arn = opts.fetch(:role_arn, nil)
+
+      @tags = {}
+      if opts.has_key?("tag_yaml")
+        @tags.merge!(YAML.load_file(opts[:tag_yaml]))
+      end
+      @tags.merge!(opts.fetch(:tags, {}))
+
       @client = Aws::CloudFormation::Client.new()
     end
 
@@ -63,25 +71,25 @@ module CfnGuardian
         end
       end
 
-      logger.debug "Creating changeset"
-      change_set = @client.create_change_set({
+      tags = get_tags()
+      logger.debug "tagging stack with tags #{tags}"
+
+      changeset_request = {
         stack_name: @stack_name,
         template_url: @template_url,
         capabilities: ["CAPABILITY_IAM"],
         parameters: params,
-        tags: [
-          {
-            key: "guardian:version",
-            value: CfnGuardian::VERSION,
-          },
-          { 
-            key: 'Environment', 
-            value: 'guardian' 
-          }
-        ],
+        tags: tags,
         change_set_name: change_set_name,
         change_set_type: change_set_type
-      })
+      }
+
+      unless @changeset_role_arn.nil?
+        changeset_request[:role_arn] = @changeset_role_arn
+      end
+
+      logger.debug "Creating changeset"
+      change_set = @client.create_change_set(changeset_request)
       return change_set, change_set_type
     end
 
@@ -126,5 +134,15 @@ module CfnGuardian
       return resp.parameters.collect { |p| { parameter_key: p.parameter_key, parameter_value: p.default_value }  }
     end
 
+    def get_tags()
+      default_tags = {
+        'guardian:version': CfnGuardian::VERSION,
+        Environment: 'guardian'
+      }
+      default_tags.merge!(@tags)
+      tags = default_tags.map {|k,v| {key: k, value: v}}
+      return tags
+    end
+
   end
 end

data/lib/cfnguardian/models/alarm.rb

@@ -29,7 +29,8 @@ module CfnGuardian
         :evaluate_low_sample_count_percentile,
         :unit,
         :maintenance_groups,
-        :additional_notifiers
+        :additional_notifiers,
+        :tags
       
       def initialize(resource)
         @type = 'Alarm'
@@ -56,6 +57,7 @@ module CfnGuardian
         @treat_missing_data = nil
         @maintenance_groups = []
         @additional_notifiers = []
+        @tags = {}
       end
       
       def metric_name=(metric_name)
@@ -64,7 +66,6 @@ module CfnGuardian
       end      
     end
     
-    
     class ApiGatewayAlarm < BaseAlarm
       def initialize(resource)
         super(resource)

data/lib/cfnguardian/stacks/main.rb

@@ -6,7 +6,7 @@ module CfnGuardian
       include CfnDsl::CloudFormation
       include Logging
       
-      attr_reader :parameters, :template
+      attr_reader :template
       
       def initialize()
         @parameters = []
@@ -32,9 +32,7 @@ module CfnGuardian
         add_iam_role(ssm_parameters)
                 
         checks.each {|check| parameters["#{check.name}Function#{check.environment}"] = add_lambda(check)}
-        stacks.each {|stack| add_stack(stack['Name'],stack['TemplateURL'],parameters,stack['Reference'])}
-        
-        @parameters = parameters.keys
+        stacks.each {|stack| add_stack(stack['Name'],stack['TemplateURL'],parameters,stack['Reference'])}        
       end
       
       def add_iam_role(ssm_parameters)

data/lib/cfnguardian/stacks/resources.rb

@@ -6,17 +6,9 @@ module CfnGuardian
   module Stacks
     class Resources
       include CfnDsl::CloudFormation
-      
-      attr_reader :template
-      
-      def initialize(parameters,stack_id)
-        @stack_id = stack_id
-
-        @template = CloudFormation("Guardian nested - stack-id:stk#{@stack_id}")
-        parameters.each do |name|
-          parameter = @template.Parameter(name)
-          parameter.Type 'String'
-        end
+            
+      def initialize(template)
+        @template = template
       end
       
       def build_template(resources)
@@ -41,13 +33,12 @@ module CfnGuardian
       def add_alarm(alarm)
         actions = alarm.alarm_action.kind_of?(Array) ? alarm.alarm_action.map{|action| Ref(action)} : [Ref(alarm.alarm_action)]
         actions.concat alarm.maintenance_groups.map {|mg| Ref(mg)} if alarm.maintenance_groups.any?
-        stack_id = @stack_id
 
         @template.declare do
           CloudWatch_Alarm("#{alarm.resource_hash}#{alarm.group}#{alarm.name.gsub(/[^0-9a-zA-Z]/i, '')}#{alarm.type}"[0..255]) do
             ActionsEnabled true
             AlarmDescription "Guardian alarm #{alarm.name} for the resource #{alarm.resource_id} in alarm group #{alarm.group}"
-            AlarmName CfnGuardian::CloudWatch.get_alarm_name(alarm) + "-stk#{stack_id}"
+            AlarmName CfnGuardian::CloudWatch.get_alarm_name(alarm)
             ComparisonOperator alarm.comparison_operator
             Dimensions alarm.dimensions.map {|k,v| {Name: k, Value: v}} unless alarm.dimensions.nil?
             EvaluationPeriods alarm.evaluation_periods
@@ -75,7 +66,7 @@ module CfnGuardian
             ScheduleExpression "cron(#{event.cron})"
             Targets([
               { 
-                Arn: Ref(event.target),
+                Arn: FnGetAtt(event.target, :Arn),
                 Id: event.hash,
                 Input: FnSub(event.payload)
               }
@@ -85,13 +76,11 @@ module CfnGuardian
       end
       
       def add_composite_alarm(alarm)
-        stack_id = @stack_id
-
         @template.declare do
           CloudWatch_CompositeAlarm(alarm.name.gsub(/[^0-9a-zA-Z]/i, '')) do
             
             AlarmDescription alarm.description
-            AlarmName "guardian-#{alarm.name}-stk#{stack_id}"
+            AlarmName "guardian-#{alarm.name}"
             AlarmRule alarm.rule
             
             unless alarm.alarm_action.nil?

data/lib/cfnguardian/tagger.rb

@@ -0,0 +1,69 @@
+require 'aws-sdk-cloudwatch'
+require 'cfnguardian/cloudwatch'
+require 'cfnguardian/log'
+
+module CfnGuardian
+  class Tagger
+    include Logging
+
+    def initialize()
+      @client = Aws::CloudWatch::Client.new(max_attempts: 5)
+    end
+
+    def tag_alarm(alarm, global_tags={})
+      alarm_arn = CfnGuardian::CloudWatch.get_alarm_arn(alarm)
+      
+      new_tags = get_tags(alarm, global_tags)
+      current_tags = get_alarm_tags(alarm_arn)
+      tags_to_delete = get_tags_to_delete(current_tags, new_tags)
+
+      if tags_to_delete.any?
+        logger.debug "Removing tags #{tags_to_delete} from alarm #{alarm_arn}"
+        @client.untag_resource({
+          resource_arn: alarm_arn,
+          tag_keys: tags_to_delete
+        })
+      end
+
+      if tags_changed?(current_tags, new_tags)
+        logger.debug "Updating tags on alarm #{alarm_arn}"
+        @client.tag_resource({
+          resource_arn: alarm_arn,
+          tags: new_tags.map {|key,value| {key: key, value: value}}
+        })
+      end
+    end
+
+    def get_tags(alarm, global_tags)
+      defaults = {
+        'guardian:resource:id' => alarm.resource_id,
+        'guardian:resource:group' => alarm.group,
+        'guardian:alarm:name' => alarm.name,
+        'guardian:alarm:metric' => alarm.metric_name,
+        'guardian:alarm:severity' => alarm.alarm_action
+      }
+      tags = global_tags.merge(defaults)
+      return alarm.tags.merge(tags)
+    end
+
+    def get_alarm_tags(alarm_arn)
+      resp = @client.list_tags_for_resource({
+        resource_arn: alarm_arn
+      })
+      return resp.tags
+    end
+
+    def get_tags_to_delete(current_tags, new_tags)
+      return current_tags.select {|tag| !new_tags.has_key?(tag.key)}.map {|tag| tag.key}
+    end
+
+    def tags_changed?(current_tags, new_tags)
+      return tags_to_hash(current_tags) != new_tags
+    end
+
+    def tags_to_hash(tags)
+      return tags.map {|tag| {tag.key => tag.value} }.reduce(Hash.new, :merge)
+    end
+
+  end
+end

data/lib/cfnguardian/version.rb

@@ -1,4 +1,4 @@
 module CfnGuardian
-  VERSION = "0.7.16"
+  VERSION = "0.8.0"
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

data/lib/cfnguardian.rb

@@ -11,6 +11,7 @@ require "cfnguardian/display_formatter"
 require "cfnguardian/drift"
 require "cfnguardian/codecommit"
 require "cfnguardian/codepipeline"
+require "cfnguardian/tagger"
 
 module CfnGuardian
   class Cli < Thor
@@ -85,6 +86,9 @@ module CfnGuardian
     method_option :sns_task, type: :string, desc: "sns topic arn for the task alarms"
     method_option :sns_informational, type: :string, desc: "sns topic arn for the informational alarms"
     method_option :sns_events, type: :string, desc: "sns topic arn for the informational alarms"
+    method_option :tags, type: :hash, desc: "additional tags on the cloudformation stack"
+    method_option :tag_yaml, type: :string, desc: "additional tags on the cloudformation stack in a yaml file"
+    method_option :role_arn, type: :string, desc: "IAM role arn that CloudFormation assumes when executing the change set"
 
     def deploy
       set_log_level(options[:debug])
@@ -114,14 +118,37 @@ module CfnGuardian
       deployer.execute_change_set(change_set.id)
       deployer.wait_for_execute(change_set_type)
     end
-        
+
+    desc "tag-alarms", "apply tags to the cloudwatch alarms deployed"
+    long_desc <<-LONG
+    Because Cloudformation desn't support tagging cloudwatch alarms this command
+    applies tags to each cloudwatch alarm created by guardian.
+    Guardian defines default tags and this can be added to through the alarms.yaml config.
+    LONG
+    method_option :config, aliases: :c, type: :string, desc: "yaml config file", required: true
+    method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
+
+    def tag_alarms
+      set_log_level(options[:debug])
+      set_region(options[:region],true)
+
+      compiler = CfnGuardian::Compile.new(options[:config])
+      compiler.get_resources
+      alarms = compiler.alarms
+
+      tagger = CfnGuardian::Tagger.new()
+      alarms.each do |alarm|
+        tagger.tag_alarm(alarm, compiler.global_tags)
+      end
+    end
+
     desc "show-drift", "Cloudformation drift detection"
     long_desc <<-LONG
     Displays any cloudformation drift detection in the cloudwatch alarms from the deployed stacks
     LONG
     method_option :stack_name, aliases: :s, type: :string, default: 'guardian', desc: "set the Cloudformation stack name"
     method_option :region, aliases: :r, type: :string, desc: "set the AWS region"
-    
+
     def show_drift
       set_region(options[:region],true)
       

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-guardian
 version: !ruby/object:Gem::Version
-  version: 0.7.16
+  version: 0.8.0
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-05-17 00:00:00.000000000 Z
+date: 2022-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -234,6 +234,7 @@ files:
 - README.md
 - Rakefile
 - cfn-guardian.gemspec
+- docs/alarm_tags.md
 - docs/alarm_templates.md
 - docs/cli.md
 - docs/composite_alarms.md
@@ -320,6 +321,7 @@ files:
 - lib/cfnguardian/stacks/main.rb
 - lib/cfnguardian/stacks/resources.rb
 - lib/cfnguardian/string.rb
+- lib/cfnguardian/tagger.rb
 - lib/cfnguardian/validate.rb
 - lib/cfnguardian/version.rb
 homepage: https://github.com/base2Services/cfn-guardian