cfn_monitor 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06a68ecda9a61437e7147f46a19f1f0eae4657fed927a5707055bef7393dff89
-  data.tar.gz: de1388e92d9c75303dafec4ce4172813b36ccf373a4847281ecaada1dec422c3
+  metadata.gz: 466206e0f5cedb6a5006c98a0004ce27dddf0fe0d793ed1842e1ec3d11fb8382
+  data.tar.gz: 72c10dbcead4deccf275f20609342474b37ae41c310643bc52d0340a0af67017
 SHA512:
-  metadata.gz: e977e75432f12b896a96ca0d42967e3d113d67e4394f48380e624b2939bf2f1fe93ef73e1369f60ef0d6b2b009f9125dce12e8e63d038a058dc6be2cfd043847
-  data.tar.gz: c774fecdcbfa6d8cb4f756f10bf2fa7987d9434e80c30b2980ff7911cca65d20bf12b10ba8e30d3124b4ba30326fc9ebcd38d9345974dbda501f8f2bcd1be7b2
+  metadata.gz: a1622b83a7cdfbf96757582b130b7c04c2ce7789f8f9de4f04c0610e2ab59795c2207361f79f157777bf7d858f42018cdaf0f430b9bb05053888b5950118058c
+  data.tar.gz: 9bd6dced53b3f49fa8516194a031239fe290bce680b3b59d9284a789e8509de2916c27988d830dc7b70038d561b0fa45402453e1258ebf138ce4235ee797affa

data/README.md

@@ -9,7 +9,7 @@ monitorable resources that can be placed into a config file. This config
 can then be used to generate a cloudformation stack to create and manage
 cloudwatch alarms.
 
-It is packaged as a docker container `base2/cfn_monitor` and
+It is packaged as a docker container `base2/cfn-monitor` and
 can be run by volume mounting in a local directory to access the config
 or by using within AWS CodePipeline.
 
@@ -152,6 +152,25 @@ timeOut | A timeout value for the endpoint monitoring | 120 seconds
 scheduleExpression | A cron expression used to schedule the endpoint monitoring | Every minute
 environments | A string or array of environment names. Monitoring will only be deployed for these environments (if specified) | All environments
 
+#### SSL certificate expiry date checking
+To alert on the expiry date of an SSL certificate for a particular domain, add the following config:
+
+```YAML
+ssl:
+  https://www.base2services.com: Ssl
+```
+
+The `Ssl` template is scheduled to push a metric once every day.
+
+#### DNS domain expiry date checking
+To alert on the expiry date of an DNS domain, add the following config:
+
+```YAML
+dns:
+  base2services.com: Dns
+```
+
+The `Dns` template is scheduled to push a metric once every day.
 
 #### Multiple templates
 You can specify multiple templates for the resource by providing a list/array. You may want to do this if you want to deploy some custom alarms in addition to the default alarms for a resource.

data/lib/cfn_monitor.rb

@@ -2,6 +2,7 @@ require "thor"
 require "cfn_monitor/version"
 require "cfn_monitor/query"
 require "cfn_monitor/generate"
+require "cfn_monitor/validate"
 require "cfn_monitor/deploy"
 
 module CfnMonitor
@@ -13,6 +14,12 @@ module CfnMonitor
       puts CfnMonitor::VERSION
     end
 
+    class_option :silent,
+        aliases: :s,
+        type: :boolean,
+        default: false,
+        desc: "Don't print Cfndsl output"
+
     # class_option :verbose,
     #   aliases: :V,
     #   type: :boolean,
@@ -32,35 +39,47 @@ module CfnMonitor
     #   type: :string,
     #   desc: "Profile name in AWS credentials file"
 
-    desc "generate", "Generate monitoring cloudformation templates"
+    desc "generate", "Generate monitoring CloudFormation templates"
     long_desc <<-LONG
-    Generates cloudformation templates from the alarm configuration and output to the output/ directory.
+    Generates CloudFormation templates from the alarm configuration and output to the output/ directory.
     LONG
     method_option :application, aliases: :a, type: :string, desc: "application name"
-    # method_option :validate, aliases: :v, type: :boolean, default: true, desc: "validate cfn templates"
+    method_option :validate, aliases: :v, type: :boolean, default: false, desc: "validate cfn templates"
     def generate
       CfnMonitor::Generate.run(options)
+      if options['validate']
+        CfnMonitor::Validate.run(options)
+      end
     end
 
-    desc "query", "Queries a cloudformation stack for monitorable resources"
+    desc "query", "Queries a CloudFormation stack for monitorable resources"
     long_desc <<-LONG
     This will provide a list of resources in the correct config syntax,
     including the nested stacks and the default templates for those resources.
     LONG
     method_option :application, aliases: :a, type: :string, desc: "application name"
-    method_option :stack, aliases: :s, type: :string, desc: "cfn stack name"
+    method_option :stack, aliases: :s, type: :string, desc: "CloudFormation stack name"
     def query
       CfnMonitor::Query.run(options)
     end
 
-    desc "deploy", "Deploys gerenated cfn templates to S3 bucket"
+    desc "deploy", "Deploys generated CloudFormation templates to an S3 bucket"
     long_desc <<-LONG
-    Deploys gerenated cloudformation templates to the specified S3 source_bucket
+    Deploys generated CloudFormation templates to the specified S3 source bucket
     LONG
     method_option :application, aliases: :a, type: :string, desc: "application name"
     def deploy
       CfnMonitor::Deploy.run(options)
     end
 
+    desc "validate", "Validates CloudFormation templates in an S3 bucket"
+    long_desc <<-LONG
+    Validates generated CloudFormation templates in a specified S3 source bucket
+    LONG
+    method_option :application, aliases: :a, type: :string, desc: "application name"
+    def validate
+      CfnMonitor::Validate.run(options)
+    end
+
   end
 end

data/lib/cfn_monitor/deploy.rb

@@ -6,14 +6,16 @@ module CfnMonitor
 
     def self.run(options)
 
-      if !options['application']
-        raise "No application specified"
+      if options['application']
+        application = options['application']
+        custom_alarms_config_file = "#{application}/alarms.yml"
+        output_path = "output/#{application}"
+      else
+        application = File.basename(Dir.getwd)
+        custom_alarms_config_file = "alarms.yml"
+        output_path = "output"
       end
 
-      application = options['application']
-
-      custom_alarms_config_file = "#{application}/alarms.yml"
-      output_path = "output/#{application}"
       upload_path = "cloudformation/monitoring/#{application}"
 
       # Load custom config files

data/lib/cfn_monitor/generate.rb

@@ -10,11 +10,13 @@ module CfnMonitor
 
     def self.run(options)
 
-      if !options['application']
-        raise "No application specified"
+      if options['silent']
+        verbose_cfndsl = false
+      else
+        verbose_cfndsl = STDOUT
       end
 
-      application = options['application']
+      application = options['application'] || '.'
 
       template_path = File.join(File.dirname(__FILE__),'../config/templates.yml')
       config_path = File.join(File.dirname(__FILE__),'../config/config.yml')
@@ -47,74 +49,81 @@ module CfnMonitor
       alarms = []
       resources = custom_alarms_config['resources']
       metrics = custom_alarms_config['metrics']
-      hosts = custom_alarms_config['hosts']
-      hosts ||= {}
-      services = custom_alarms_config['services']
-      services ||= {}
-      endpoints = custom_alarms_config['endpoints']
-      endpoints ||= {}
-      rme = { resources: resources, metrics: metrics, endpoints: endpoints, hosts: hosts, services: services }
+      hosts = custom_alarms_config['hosts'] || {}
+      ssl = custom_alarms_config['ssl'] || {}
+      dns = custom_alarms_config['dns'] || {}
+      services = custom_alarms_config['services'] || {}
+      endpoints = custom_alarms_config['endpoints'] || {}
+      ecsClusters = custom_alarms_config['ecsClusters'] || {}
+
+      alarm_parameters = { resources: resources, metrics: metrics, endpoints: endpoints, hosts: hosts, ssl: ssl, dns: dns, services: services, ecsClusters: ecsClusters }
       source_bucket = custom_alarms_config['source_bucket']
 
-      rme.each do | k,v |
+      alarm_parameters.each do | k,v |
         if !v.nil?
-          v.each do | resource,attributes |
+          v.each do | resource,attributeList |
             # set environments to 'all' by default
             environments = ['all']
             # Support config hashs for additional parameters
             params = {}
-            if attributes.kind_of?(Hash)
-              attributes.each do | a,b |
-                environments = b if a == 'environments'
-                # Convert strings to arrays for consistency
-                if !environments.kind_of?(Array) then environments = environments.split end
-                params[a] = b if !['template','environments'].member? a
-              end
-              templatesEnabled = attributes['template']
-            else
-              templatesEnabled = attributes
+            if !attributeList.kind_of?(Array)
+              attributeList = [attributeList]
             end
-            # Convert strings to arrays for looping
-            if !templatesEnabled.kind_of?(Array) then templatesEnabled = templatesEnabled.split end
-            templatesEnabled.each do | templateEnabled |
-              if !templates['templates'][templateEnabled].nil?
-                # If a template is provided, inherit that template
-                if !templates['templates'][templateEnabled]['template'].nil?
-                  template_from = Marshal.load( Marshal.dump(templates['templates'][templates['templates'][templateEnabled]['template']]) )
-                  template_to = templates['templates'][templateEnabled].without('template')
-                  template_merged = CfnMonitor::Utils.deep_merge(template_from, template_to)
-                  templates['templates'][templateEnabled] = template_merged
+            attributeList.each do | attributes |
+              if attributes.kind_of?(Hash)
+                attributes.each do | a,b |
+                  environments = b if a == 'environments'
+                  # Convert strings to arrays for consistency
+                  if !environments.kind_of?(Array) then environments = environments.split end
+                  params[a] = b if !['template','environments'].member? a
                 end
-                templates['templates'][templateEnabled].each do | alarm,parameters |
-                  resourceParams = parameters.clone
-                  # Override template params if overrides provided
-                  params.each do | x,y |
-                    resourceParams[x] = y
+                templatesEnabled = attributes['template']
+              else
+                templatesEnabled = attributes
+              end
+              # Convert strings to arrays for looping
+              if !templatesEnabled.kind_of?(Array) then templatesEnabled = templatesEnabled.split end
+              templatesEnabled.each do | templateEnabled |
+                if !templates['templates'][templateEnabled].nil?
+                  # If a template is provided, inherit that template
+                  if !templates['templates'][templateEnabled]['template'].nil?
+                    template_from = Marshal.load( Marshal.dump(templates['templates'][templates['templates'][templateEnabled]['template']]) )
+                    template_to = templates['templates'][templateEnabled].without('template')
+                    template_merged = CfnMonitor::Utils.deep_merge(template_from, template_to)
+                    templates['templates'][templateEnabled] = template_merged
                   end
-                  if k == :hosts
-                    resourceParams['cmds'].each do |cmd|
-                      hostParams = resourceParams.clone
-                      hostParams['cmd'] = cmd
-                      # Construct alarm object per cmd
+                  templates['templates'][templateEnabled].each do | alarm,parameters |
+                    resourceParams = parameters.clone
+                    # Override template params if overrides provided
+                    params.each do | x,y |
+                      resourceParams[x] = y
+                    end
+
+                    if k == :hosts
+                      resourceParams['cmds'].each do |cmd|
+                        hostParams = resourceParams.clone
+                        hostParams['cmd'] = cmd
+                        # Construct alarm object per cmd
+                        alarms << {
+                          resource: resource,
+                          type: k[0...-1],
+                          template: templateEnabled,
+                          alarm: alarm,
+                          parameters: hostParams,
+                          environments: environments
+                        }
+                      end
+                    else
+                      # Construct alarm object
                       alarms << {
                         resource: resource,
                         type: k[0...-1],
                         template: templateEnabled,
                         alarm: alarm,
-                        parameters: hostParams,
+                        parameters: resourceParams,
                         environments: environments
                       }
                     end
-                  else
-                    # Construct alarm object
-                    alarms << {
-                      resource: resource,
-                      type: k[0...-1],
-                      template: templateEnabled,
-                      alarm: alarm,
-                      parameters: resourceParams,
-                      environments: environments
-                    }
                   end
                 end
               end
@@ -149,27 +158,29 @@ module CfnMonitor
         temp_files[i].rewind
       end
 
-      write_cfdndsl_template(temp_file_path, temp_file_paths, custom_alarms_config_file, source_bucket, template_envs, output_path, upload_path)
+      write_cfdndsl_template(alarm_parameters, temp_file_path, temp_file_paths, custom_alarms_config_file, source_bucket, template_envs, output_path, upload_path, verbose_cfndsl)
 
     end
 
-    def self.write_cfdndsl_template(alarms_config,configs,custom_alarms_config_file,source_bucket,template_envs,output_path,upload_path)
+    def self.write_cfdndsl_template(alarm_parameters,alarms_config_file,configs,custom_alarms_config_file,source_bucket,template_envs,output_path,upload_path,verbose_cfndsl)
       template_path = File.expand_path("../../templates", __FILE__)
       FileUtils::mkdir_p output_path
       configs.each_with_index do |config,index|
         File.open("#{output_path}/resources#{index}.json", 'w') { |file|
-          file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/resources.rb",[[:yaml, config],[:raw, "template_number=#{index}"],[:raw, "source_bucket='#{source_bucket}'"],[:raw, "upload_path='#{upload_path}'"]],STDOUT)))}
+          file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/resources.rb",[[:yaml, config],[:raw, "template_number=#{index}"],[:raw, "source_bucket='#{source_bucket}'"],[:raw, "upload_path='#{upload_path}'"]],verbose_cfndsl)))}
         File.open("#{output_path}/alarms#{index}.json", 'w') { |file|
-          file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/alarms.rb",[[:yaml, config],[:raw, "template_number=#{index}"],[:raw, "template_envs=#{template_envs}"]],STDOUT)))}
+          file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/alarms.rb",[[:yaml, config],[:raw, "template_number=#{index}"],[:raw, "template_envs=#{template_envs}"]],verbose_cfndsl)))}
+      end
+      ['endpoints', 'ssl', "dns", 'hosts', 'services','ecsClusters'].each do |template|
+        if !alarm_parameters[template.to_sym].nil? and alarm_parameters[template.to_sym] != {}
+          File.open("#{output_path}/#{template}.json", 'w') { |file|
+            file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/#{template}.rb",[[:yaml, alarms_config_file],[:raw, "template_envs=#{template_envs}"]],verbose_cfndsl)))
+          }
+        end
       end
-      File.open("#{output_path}/endpoints.json", 'w') { |file|
-        file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/endpoints.rb",[[:yaml, alarms_config],[:raw, "template_envs=#{template_envs}"]],STDOUT)))}
-      File.open("#{output_path}/hosts.json", 'w') { |file|
-        file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/hosts.rb",[[:yaml, alarms_config],[:raw, "template_envs=#{template_envs}"]],STDOUT)))}
-      File.open("#{output_path}/services.json", 'w') { |file|
-        file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/services.rb",[[:yaml, alarms_config],[:raw, "template_envs=#{template_envs}"]],STDOUT)))}
+
       File.open("#{output_path}/master.json", 'w') { |file|
-        file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/master.rb",[[:yaml, custom_alarms_config_file],[:raw, "templateCount=#{configs.count}"],[:raw, "template_envs=#{template_envs}"],[:raw, "upload_path='#{upload_path}'"]],STDOUT)))}
+        file.write(JSON.pretty_generate( CfnDsl.eval_file_with_extras("#{template_path}/master.rb",[[:yaml, custom_alarms_config_file],[:raw, "templateCount=#{configs.count}"],[:raw, "template_envs=#{template_envs}"],[:raw, "upload_path='#{upload_path}'"]],verbose_cfndsl)))}
     end
 
     def self.get_alarm_envs(params)

data/lib/cfn_monitor/query.rb

@@ -6,19 +6,23 @@ module CfnMonitor
 
     def self.run(options)
 
-      if !options['application'] || !options['stack']
-        raise "No application specified"
-      end
-
       if !options['stack']
         raise "No stack specified"
       end
 
+      if options['application']
+        application = options['application']
+        custom_alarms_config_file = "#{application}/alarms.yml"
+      else
+        application = File.basename(Dir.getwd)
+        custom_alarms_config_file = "alarms.yml"
+      end
+
       config_path = File.join(File.dirname(__FILE__),'../config/config.yml')
       # Load global config files
       config = YAML.load(File.read(config_path))
 
-      custom_alarms_config_file = "#{options['application']}/alarms.yml"
+      custom_alarms_config_file = "#{application}/alarms.yml"
 
       # Load custom config files
       custom_alarms_config = YAML.load(File.read(custom_alarms_config_file)) if File.file?(custom_alarms_config_file)
@@ -27,7 +31,7 @@ module CfnMonitor
 
       puts "-----------------------------------------------"
       puts "stack: #{options['stack']}"
-      puts "application: #{options['application']}"
+      puts "application: #{application}"
       puts "-----------------------------------------------"
       puts "Searching Stacks for Monitorable Resources"
       puts "-----------------------------------------------"
@@ -75,7 +79,7 @@ module CfnMonitor
         puts "-----------------------------------------------"
       end
       puts "Monitorable resources in #{options['stack']} stack: #{stackResourceCount}"
-      puts "Resources in #{options['application']} alarms config: #{configResourceCount}"
+      puts "Resources in #{application} alarms config: #{configResourceCount}"
       if stackResourceCount > 0
         puts "Coverage: #{100-(configResources.count*100/stackResourceCount)}%"
       end

data/lib/cfn_monitor/validate.rb

@@ -0,0 +1,76 @@
+require 'aws-sdk-s3'
+require 'yaml'
+
+module CfnMonitor
+  class Validate
+
+    def self.run(options)
+
+      if options['application']
+        application = options['application']
+        custom_alarms_config_file = "#{application}/alarms.yml"
+        output_path = "output/#{application}"
+      else
+        application = File.basename(Dir.getwd)
+        custom_alarms_config_file = "alarms.yml"
+        output_path = "output"
+      end
+
+      validate_path = "cloudformation/monitoring/#{application}/validate"
+
+      # Load custom config files
+      if File.file?(custom_alarms_config_file)
+        custom_alarms_config = YAML.load(File.read(custom_alarms_config_file)) if File.file?(custom_alarms_config_file)
+      else
+        puts "Failed to load #{custom_alarms_config_file}"
+        exit 1
+      end
+
+      source_region = custom_alarms_config['source_region']
+      source_bucket = custom_alarms_config['source_bucket']
+
+      cfn = Aws::CloudFormation::Client.new(region: source_region)
+      s3 = Aws::S3::Client.new(region: source_region)
+      validated = 0
+      unvalidated = 0
+
+      puts "-----------------------------------------------"
+
+      ["#{output_path}/*.json"].each { |path|
+        Dir.glob(path) do |file|
+          template = File.open(file, 'rb')
+          filename = file.gsub("#{output_path}/", "")
+          begin
+            puts "INFO - Copying #{file} to s3://#{source_bucket}/#{validate_path}/#{filename}"
+            s3.put_object({
+              body: template,
+              bucket: "#{source_bucket}",
+              key: "#{validate_path}/#{filename}",
+            })
+            template_url = "https://#{source_bucket}.s3.amazonaws.com/#{validate_path}/#{filename}"
+            puts "INFO - Validating #{template_url}"
+            begin
+              resp = cfn.validate_template({ template_url: template_url })
+              puts "INFO - Template #{filename} validated successfully"
+              validated += 1
+            rescue => e
+              puts "ERROR - Template #{filename} failed to validate: #{e}"
+              unvalidated += 1
+            end
+          rescue => e
+            puts "ERROR - #{e.class}, #{e}"
+            exit 1
+          end
+        end
+      }
+
+      if unvalidated > 0
+        puts "ERROR - #{validated}/#{Dir["output/**/*.json"].count} templates validated successfully"
+        exit 1
+      else
+        puts "INFO - #{validated}/#{Dir["output/**/*.json"].count} templates validated successfully"
+      end
+    end
+
+  end
+end

data/lib/cfn_monitor/version.rb

@@ -1,3 +1,3 @@
 module CfnMonitor
-  VERSION = "0.1.1".freeze
+  VERSION = "0.2.0".freeze
 end

data/lib/config/templates.yml

@@ -1,4 +1,16 @@
 templates:
+  EcsCICheck:
+    ECSContianerInstancesDisconnected:
+      AlarmActions: crit
+      Namespace: EcsCICheck
+      ComparisonOperator: GreaterThanThreshold
+      DimensionsName: Cluster
+      Statistic: Maximum
+      Threshold: 0
+      Period: 60
+      EvaluationPeriods: 2
+      MetricName: ECSContianerInstancesDisconnected
+      TreatMissingData: notBreaching
   HttpCheck:
     EndpointAvailable:
       AlarmActions: crit
@@ -66,6 +78,52 @@ templates:
     #   MetricName: Failed_SSM_Agent
     #   AlarmDescription: { 'Fn::Join': [ ' ', [ Ref: 'MonitoredStack', { 'Fn::Sub': ['${resource}', {'env': { Ref: 'EnvironmentName' } } ] }, '${alarmName}' ] ] }
     #   TreatMissingData: notBreaching
+  Ssl:
+    Crit:
+      AlarmActions: crit
+      Namespace: SSL
+      ComparisonOperator: LessThanThreshold
+      Dimensions: [ { Name: 'URL', Value: '${resource}' } ]
+      Statistic: Maximum
+      Threshold: 30   # 30 days
+      Period: 60
+      EvaluationPeriods: 1
+      MetricName: ExpiresInDays
+      AlarmDescription: { 'Fn::Join': [ ' ', [ '${resource}', '${templateName}' ] ] }
+    Warn:
+      AlarmActions: warn
+      Namespace: SSL
+      ComparisonOperator: LessThanThreshold
+      Dimensions: [ { Name: 'URL', Value: '${resource}' } ]
+      Statistic: Maximum
+      Threshold: 60   # 60 days
+      Period: 60
+      EvaluationPeriods: 1
+      MetricName: ExpiresInDays
+      AlarmDescription: { 'Fn::Join': [ ' ', [ '${resource}', '${templateName}' ] ] }
+  Dns:
+    Crit:
+      AlarmActions: crit
+      Namespace: DNS
+      ComparisonOperator: LessThanThreshold
+      Dimensions: [ { Name: 'Domain', Value: '${resource}' } ]
+      Statistic: Maximum
+      Threshold: 30   # 30 days
+      Period: 60
+      EvaluationPeriods: 1
+      MetricName: ExpiresInDays
+      AlarmDescription: { 'Fn::Join': [ ' ', [ '${resource}', '${templateName}' ] ] }
+    Warn:
+      AlarmActions: warn
+      Namespace: DNS
+      ComparisonOperator: LessThanThreshold
+      Dimensions: [ { Name: 'Domain', Value: '${resource}' } ]
+      Statistic: Maximum
+      Threshold: 60   # 60 days
+      Period: 60
+      EvaluationPeriods: 1
+      MetricName: ExpiresInDays
+      AlarmDescription: { 'Fn::Join': [ ' ', [ '${resource}', '${templateName}' ] ] }
   Nrpe:
     Warn:
       AlarmActions: warn
@@ -399,14 +457,14 @@ templates:
       EvaluationPeriods: 5
   ApiGateway: #AWS:ApiGateway
     ApiEndpoint5xx:
-      AlarmActions: crit
+      AlarmActions: warn
       Namespace: AWS/ApiGateway
       MetricName: 5XXError
       ComparisonOperator: GreaterThanThreshold
       DimensionsName: ApiName
       Statistic: Sum
       Threshold: 5
-      EvaluationPdyneriods: 2
+      EvaluationPeriods: 2
   DynamoDBTable: #AWS::DynamoDB::Table
     DynamoDBReadUsage:
       AlarmActions: warn
@@ -425,4 +483,4 @@ templates:
       DimensionsName: TableName
       Statistic: Sum
       Threshold: 80
-      EvaluationPeriods: 2
+      EvaluationPeriods: 2

data/lib/templates/alarms.rb

@@ -53,7 +53,7 @@ CloudFormation do
     template = alarm[:template]
     name = alarm[:alarm]
     params = alarm[:parameters]
-    cmd = params['cmd']
+    cmd = params['cmd'] || ''
 
     alarmHash = Digest::MD5.hexdigest "#{resourceGroup}#{template}#{name}#{cmd}"
 
@@ -104,7 +104,7 @@ CloudFormation do
     conditions = []
 
     # Configure resource parameters
-    if type == 'resource'
+    if ['resource','ecsCluster'].include? type
       # Configure physical resource inputs
       dimensionsNames = params['DimensionsName'].split('/')
       dimensions = []

data/lib/templates/dns.rb

@@ -0,0 +1,61 @@
+require 'cfndsl'
+
+CloudFormation do
+  Description("CloudWatch Endpoints")
+
+  Parameter("MonitoredStack"){
+    Type 'String'
+  }
+  Parameter("EnvironmentName"){
+    Type 'String'
+  }
+  Parameter("DnsCheckFunctionArn"){
+    Type 'String'
+  }
+
+  alarms.each do |alarm|
+    if alarm[:type] == 'dn'
+      endpointHash =  Digest::MD5.hexdigest "dns-" + alarm[:resource]
+
+      # Conditionally create shedule based on environments attribute
+      if alarm[:environments] != ['all']
+        conditions = []
+        alarm[:environments].each do | env |
+          conditions << FnEquals(Ref("EnvironmentName"),env)
+        end
+        if conditions.length > 1
+          Condition("Condition#{endpointHash}", FnOr(conditions))
+        else
+          Condition("Condition#{endpointHash}", conditions[0])
+        end
+      end
+
+      params = alarm[:parameters]
+
+      # Set defaults
+      params['scheduleExpression'] ||= "0 12 * * ? *"   # 12PM every day
+
+      # Create payload
+      payload = {}
+      payload['Domain'] = alarm[:resource]
+      payload['Region'] = "${region}"
+
+      endpointHash =  Digest::MD5.hexdigest alarm[:resource]
+      Resource("DnsCheckSchedule#{endpointHash}") do
+        Condition "Condition#{endpointHash}" if alarm[:environments] != ['all']
+        Type 'AWS::Events::Rule'
+        Property('Description', "#{payload['Domain']}")
+        Property('ScheduleExpression', "cron(#{params['scheduleExpression']})")
+        Property('State', 'ENABLED')
+        Property('Targets', [
+          {
+            Arn: Ref('DnsCheckFunctionArn'),
+            Id: endpointHash,
+            Input: FnSub(payload.to_json, region: Ref("AWS::Region"))
+          }
+        ])
+      end
+    end
+  end
+
+end

data/lib/templates/ecsClusters.rb

@@ -0,0 +1,76 @@
+require 'cfndsl'
+
+CloudFormation do
+  Description("CloudWatch ECS Container Instances")
+
+  Parameter("EcsCICheckFunctionArn"){
+    Type 'String'
+  }
+
+  Parameter("MonitoredStack"){
+    Type 'String'
+  }
+  Parameter("GetPhysicalIdFunctionArn"){
+    Type 'String'
+  }
+  Parameter("EnvironmentName"){
+    Type 'String'
+  }
+  Parameter("ConfigToggle"){
+    Type 'String'
+  }
+
+  alarms.each do |alarm|
+    if alarm[:type] == 'ecsCluster'
+
+      resourceHash =  Digest::MD5.hexdigest alarm[:resource]
+
+      Resource("GetPhysicalId#{resourceHash}") do
+        Type 'Custom::GetResourcePhysicalId'
+        Property('ServiceToken', Ref('GetPhysicalIdFunctionArn'))
+        Property('StackName', Ref('MonitoredStack'))
+        if alarm[:resource].include? "::"
+          Property('LogicalResourceId', alarm[:resource].gsub('::','.') )
+        else
+          Property('LogicalResourceId', FnJoin( '.', [ Ref('MonitoredStack'), alarm[:resource] ] ))
+        end
+        Property('Region', Ref('AWS::Region'))
+        Property('ConfigToggle', Ref('ConfigToggle'))
+      end
+
+      # Conditionally create shedule based on environments attribute
+      if alarm[:environments] != ['all']
+        conditions = []
+        alarm[:environments].each do | env |
+          conditions << FnEquals(Ref("EnvironmentName"),env)
+        end
+        if conditions.length > 1
+          Condition("Condition#{resourceHash}", FnOr(conditions))
+        else
+          Condition("Condition#{resourceHash}", conditions[0])
+        end
+      end
+
+      # Set defaults
+      params = alarm[:parameters]
+      params['scheduleExpression'] ||= "0/5 * * * ? *"
+
+      Events_Rule("EcsCICheckSchedule#{resourceHash}") {
+        Condition "Condition#{resourceHash}" if alarm[:environments] != ['all']
+        Description FnJoin("",["ECS container instance check for the ", FnGetAtt("GetPhysicalId#{resourceHash}",'PhysicalResourceId') ," ECS cluster"])
+        ScheduleExpression "cron(#{params['scheduleExpression']})"
+        State params['enabled'] ? 'ENABLED' : 'DISABLED'
+        Targets([
+            {
+              Arn: Ref('EcsCICheckFunctionArn'),
+              Id: resourceHash,
+              Input: FnSub({CLUSTER: '${cluster}'}.to_json, cluster: FnGetAtt("GetPhysicalId#{resourceHash}",'PhysicalResourceId'))
+            }
+        ])
+      }
+
+    end
+
+  end
+
+end

data/lib/templates/hosts.rb

@@ -73,8 +73,8 @@ CloudFormation do
       Resource("NrpeCheckFunction#{hostHash}") do
         Condition "Condition#{hostHash}" if alarm[:environments] != ['all']
         Type 'AWS::Lambda::Function'
-        Property('Code', { S3Bucket: FnJoin('.',['base2.lambda',Ref('AWS::Region')]), S3Key: 'nrpe.zip' })
-        Property('Handler', 'nrpe')
+        Property('Code', { S3Bucket: FnJoin('.', ['base2.lambda', Ref('AWS::Region')]), S3Key: 'aws-lambda-nrpe-check/0.1/handler.zip' })
+        Property('Handler', 'main')
         Property('MemorySize', 128)
         Property('Runtime', 'go1.x')
         Property('Timeout', 300)

data/lib/templates/master.rb

@@ -64,7 +64,41 @@ CloudFormation do
     ])
   end
 
-  Resource("HttpLambdaExecutionRole") do
+  Resource("EcsCICheckLambdaExecutionRole") do
+    Type 'AWS::IAM::Role'
+    Property('AssumeRolePolicyDocument', {
+      Version: '2012-10-17',
+      Statement: [{
+        Effect: 'Allow',
+        Principal: { Service: [ 'lambda.amazonaws.com' ] },
+        Action: [ 'sts:AssumeRole' ]
+      }]
+    })
+    Property('Path','/')
+    Property('Policies', [
+      PolicyName: 'CloudFormationReadOnly',
+      PolicyDocument: {
+        Version: '2012-10-17',
+        Statement: [{
+          Effect: 'Allow',
+          Action: [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents' ],
+          Resource: 'arn:aws:logs:*:*:*'
+        },
+        {
+          Effect: 'Allow',
+          Action: [ 'ecs:ListContainerInstances', 'ecs:DescribeContainerInstances' ],
+          Resource: '*'
+        },
+        {
+          Effect: 'Allow',
+          Action: [ 'cloudwatch:PutMetricData' ],
+          Resource: '*'
+        }]
+      }
+    ])
+  end
+
+  Resource("LambdaExecutionRole") do
     Type 'AWS::IAM::Role'
     Property('AssumeRolePolicyDocument', {
       Version: '2012-10-17',
@@ -123,12 +157,12 @@ CloudFormation do
 
   Resource("HttpCheckFunction") do
     Type 'AWS::Lambda::Function'
-    Property('Code', { S3Bucket: FnJoin('.',[Ref('AWS::Region'),'aws-lambda-http-check']), S3Key: 'httpCheck-v2.zip' })
-    Property('Handler', 'handler.http_check')
+    Property('Code', { S3Bucket: FnJoin('.', ['base2.lambda', Ref('AWS::Region')]), S3Key: 'aws-lambda-http-check/0.1/handler.zip' })
+    Property('Handler', 'handler.main')
     Property('MemorySize', 128)
     Property('Runtime', 'python3.6')
     Property('Timeout', 300)
-    Property('Role', FnGetAtt('HttpLambdaExecutionRole','Arn'))
+    Property('Role', FnGetAtt('LambdaExecutionRole','Arn'))
   end
 
   Resource("HttpCheckPermissions") do
@@ -138,6 +172,57 @@ CloudFormation do
     Property('Principal', 'events.amazonaws.com')
   end
 
+  Resource("SslCheckFunction") do
+    Type 'AWS::Lambda::Function'
+    Property('Code', { S3Bucket: FnJoin('.', ['base2.lambda', Ref('AWS::Region')]), S3Key: 'aws-lambda-ssl-check/0.1/handler.zip' })
+    Property('Handler', 'main')
+    Property('MemorySize', 128)
+    Property('Runtime', 'go1.x')
+    Property('Timeout', 300)
+    Property('Role', FnGetAtt('LambdaExecutionRole','Arn'))
+  end
+
+  Resource("SslCheckPermissions") do
+    Type 'AWS::Lambda::Permission'
+    Property('FunctionName', Ref('SslCheckFunction'))
+    Property('Action', 'lambda:InvokeFunction')
+    Property('Principal', 'events.amazonaws.com')
+  end
+
+  Resource("DnsCheckFunction") do
+    Type 'AWS::Lambda::Function'
+    Property('Code', { S3Bucket: FnJoin('.', ['base2.lambda', Ref('AWS::Region')]), S3Key: 'aws-lambda-dns-check/0.1/handler.zip' })
+    Property('Handler', 'main')
+    Property('MemorySize', 128)
+    Property('Runtime', 'go1.x')
+    Property('Timeout', 300)
+    Property('Role', FnGetAtt('LambdaExecutionRole','Arn'))
+  end
+
+  Resource("DnsCheckPermissions") do
+    Type 'AWS::Lambda::Permission'
+    Property('FunctionName', Ref('DnsCheckFunction'))
+    Property('Action', 'lambda:InvokeFunction')
+    Property('Principal', 'events.amazonaws.com')
+  end
+
+  Resource("EcsCICheckFunction") do
+    Type 'AWS::Lambda::Function'
+    Property('Code', { S3Bucket: FnJoin('.', ['base2.lambda', Ref('AWS::Region')]), S3Key: 'aws-lambda-ecs-container-instance-check/0.1/handler.zip' })
+    Property('Handler', 'handler.run_check')
+    Property('MemorySize', 128)
+    Property('Runtime', 'python3.6')
+    Property('Timeout', 300)
+    Property('Role', FnGetAtt('EcsCICheckLambdaExecutionRole','Arn'))
+  end
+
+  Resource("EcsCICheckPermissions") do
+    Type 'AWS::Lambda::Permission'
+    Property('FunctionName', Ref('EcsCICheckFunction'))
+    Property('Action', 'lambda:InvokeFunction')
+    Property('Principal', 'events.amazonaws.com')
+  end
+
   params = {
     MonitoredStack: Ref('MonitoredStack'),
     SnsTopicCrit: Ref('SnsTopicCrit'),
@@ -175,6 +260,38 @@ CloudFormation do
     end
   end
 
+  sslParams = {
+    MonitoredStack: Ref('MonitoredStack'),
+    SslCheckFunctionArn: FnGetAtt('SslCheckFunction','Arn'),
+    EnvironmentName: FnGetAtt('GetEnvironmentName', 'EnvironmentName' )
+  }
+
+  ssl ||= {}
+  if !ssl.empty?
+    Resource("SslStack") do
+      Type 'AWS::CloudFormation::Stack'
+      Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/#{upload_path}/ssl.json")
+      Property('TimeoutInMinutes', 5)
+      Property('Parameters', sslParams)
+    end
+  end
+
+  dnsParams = {
+    MonitoredStack: Ref('MonitoredStack'),
+    DnsCheckFunctionArn: FnGetAtt('DnsCheckFunction','Arn'),
+    EnvironmentName: FnGetAtt('GetEnvironmentName', 'EnvironmentName' )
+  }
+
+  dns ||= {}
+  if !dns.empty?
+    Resource("DnsStack") do
+      Type 'AWS::CloudFormation::Stack'
+      Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/#{upload_path}/dns.json")
+      Property('TimeoutInMinutes', 5)
+      Property('Parameters', dnsParams)
+    end
+  end
+
   hostParams = {
     EnvironmentName: FnGetAtt('GetEnvironmentName', 'EnvironmentName' )
   }
@@ -203,6 +320,24 @@ CloudFormation do
     end
   end
 
+  ecsClusterParams = {
+    MonitoredStack: Ref('MonitoredStack'),
+    GetPhysicalIdFunctionArn: FnGetAtt('GetPhysicalIdFunction','Arn'),
+    EnvironmentName: FnGetAtt('GetEnvironmentName', 'EnvironmentName' ),
+    ConfigToggle: Ref('ConfigToggle'),
+    EcsCICheckFunctionArn: FnGetAtt('EcsCICheckFunction','Arn')
+  }
+
+  ecsClusters ||= {}
+  if !ecsClusters.empty?
+    Resource("ServicesStack") do
+      Type 'AWS::CloudFormation::Stack'
+      Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/#{upload_path}/ecsClusters.json")
+      Property('TimeoutInMinutes', 5)
+      Property('Parameters', ecsClusterParams)
+    end
+  end
+
   Output("CfnMonitorVersion") { Value(CfnMonitor::VERSION) }
   Output("RenderDate") { Value(Time.now.strftime("%Y-%m-%d")) }
   Output("MonitoredStack") { Value(Ref("MonitoredStack")) }

data/lib/templates/resources.rb

@@ -46,13 +46,17 @@ CloudFormation do
           Type 'Custom::GetResourcePhysicalId'
           Property('ServiceToken', Ref('GetPhysicalIdFunctionArn'))
           Property('StackName', Ref('MonitoredStack'))
-          Property('LogicalResourceId', FnJoin( '.', [ Ref('MonitoredStack'), resource ] ))
+          if resource.include? "::"
+            Property('LogicalResourceId', resource.gsub('::','.') )
+          else
+            Property('LogicalResourceId', FnJoin( '.', [ Ref('MonitoredStack'), resource ] ))
+          end
           Property('Region', Ref('AWS::Region'))
           Property('ConfigToggle', Ref('ConfigToggle'))
         end
         customResources << "GetPhysicalId#{resourceHash}"
         # Create outputs for user reference
-        Output("#{resource.delete('.')}") { Value(FnGetAtt("GetPhysicalId#{resourceHash}",'PhysicalResourceId')) }
+        Output("#{resource.delete('.').delete('-').delete('::')}") { Value(FnGetAtt("GetPhysicalId#{resourceHash}",'PhysicalResourceId')) }
       end
     end
   end

data/lib/templates/ssl.rb

@@ -0,0 +1,61 @@
+require 'cfndsl'
+
+CloudFormation do
+  Description("CloudWatch Endpoints")
+
+  Parameter("MonitoredStack"){
+    Type 'String'
+  }
+  Parameter("EnvironmentName"){
+    Type 'String'
+  }
+  Parameter("SslCheckFunctionArn"){
+    Type 'String'
+  }
+
+  alarms.each do |alarm|
+    if alarm[:type] == 'ss'
+      endpointHash =  Digest::MD5.hexdigest "ssl-" + alarm[:resource]
+
+      # Conditionally create shedule based on environments attribute
+      if alarm[:environments] != ['all']
+        conditions = []
+        alarm[:environments].each do | env |
+          conditions << FnEquals(Ref("EnvironmentName"),env)
+        end
+        if conditions.length > 1
+          Condition("Condition#{endpointHash}", FnOr(conditions))
+        else
+          Condition("Condition#{endpointHash}", conditions[0])
+        end
+      end
+
+      params = alarm[:parameters]
+
+      # Set defaults
+      params['scheduleExpression'] ||= "0 12 * * ? *"   # 12PM every day
+
+      # Create payload
+      payload = {}
+      payload['Url'] = alarm[:resource]
+      payload['Region'] = "${region}"
+
+      endpointHash =  Digest::MD5.hexdigest alarm[:resource]
+      Resource("SslCheckSchedule#{endpointHash}") do
+        Condition "Condition#{endpointHash}" if alarm[:environments] != ['all']
+        Type 'AWS::Events::Rule'
+        Property('Description', "#{payload['Url']}")
+        Property('ScheduleExpression', "cron(#{params['scheduleExpression']})")
+        Property('State', 'ENABLED')
+        Property('Targets', [
+          {
+            Arn: Ref('SslCheckFunctionArn'),
+            Id: endpointHash,
+            Input: FnSub(payload.to_json, region: Ref("AWS::Region"))
+          }
+        ])
+      end
+    end
+  end
+
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn_monitor
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Base2Services
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-10-25 00:00:00.000000000 Z
+date: 2019-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -211,6 +211,7 @@ files:
 - lib/cfn_monitor/generate.rb
 - lib/cfn_monitor/query.rb
 - lib/cfn_monitor/utils.rb
+- lib/cfn_monitor/validate.rb
 - lib/cfn_monitor/version.rb
 - lib/config/config.yml
 - lib/config/templates.yml
@@ -218,11 +219,14 @@ files:
 - lib/lambda/getEnvironmentName.py
 - lib/lambda/getPhysicalId.py
 - lib/templates/alarms.rb
+- lib/templates/dns.rb
+- lib/templates/ecsClusters.rb
 - lib/templates/endpoints.rb
 - lib/templates/hosts.rb
 - lib/templates/master.rb
 - lib/templates/resources.rb
 - lib/templates/services.rb
+- lib/templates/ssl.rb
 homepage: https://github.com/base2Services/cfn-monitor/blob/master/README.md
 licenses:
 - MIT
@@ -242,8 +246,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 3.0.2
 signing_key: 
 specification_version: 4
 summary: Configure and generate a cloudwatch monitoring cloudformation stack