sensu-plugins-aws-boutetnico 1.0.6

data/bin/check-redshift-events.rb

@@ -0,0 +1,108 @@
+#! /usr/bin/env ruby
+#
+# check-redshift-events
+#
+# DESCRIPTION:
+#   This plugin checks amazon redshift clusters for maintenance events
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#
+#   check for instances in maint in us-east-1:
+#   ./check-redshift-events.rb -r us-east-1
+#
+#   check for maint events on a single instance in us-east-1 (skip others):
+#   ./check-redshift-events.rb -r us-east-1 -i ${your cluster name}
+#
+#   check for maint events on multiple instance in us-east-1 (skip others):
+#   ./check-redshift-events.rb -r us-east-1 -i ${cluster1,cluster2,cluster3}
+#
+# NOTES:
+#
+# LICENSE:
+#   Copyright (c) 2014, Tim Smith, tsmith@chef.io
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'sensu-plugins-aws'
+require 'aws-sdk'
+
+class CheckRedshiftEvents < Sensu::Plugin::Check::CLI
+  include Common
+
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: 'us-east-1'
+
+  option :instances,
+         short: '-i INSTANCES',
+         long: '--instances INSTANCES',
+         description: 'Comma separated list of instances to check. Defaults to all clusters in the region',
+         proc: proc { |a| a.split(',') },
+         default: []
+
+  # setup a redshift connection using aws-sdk
+  def redshift
+    @redshift ||= Aws::Redshift::Client.new aws_config
+  end
+
+  # fetch all clusters in the region from AWS
+  def all_clusters
+    @clusters ||= redshift.describe_clusters[:clusters].map { |c| c[:cluster_identifier] }
+  end
+
+  # throw unknown message if the user passed us a missing instance
+  def check_missing_instances(instances)
+    missing_instances = instances.reject { |i| all_clusters.include?(i) }
+    unknown("Passed instance(s): #{missing_instances.join(',')} not found") unless missing_instances.empty?
+  end
+
+  # return an array of clusters that are in maintenance
+  def clusters_in_maint(clusters)
+    maint_clusters = []
+
+    # fetch the last 2 hours of events for each cluster
+    clusters.each do |cluster_name|
+      events_record = redshift.describe_events(start_time: (Time.now - 7200).iso8601, source_type: 'cluster', source_identifier: cluster_name)
+
+      next if events_record[:events].empty?
+
+      # if the last event is a start maint event then the cluster is still in maint
+      maint_clusters.push(cluster_name) if events_record[:events][-1][:event_id] == 'REDSHIFT-EVENT-2003'
+    end
+    maint_clusters
+  end
+
+  def run
+    begin
+      # make sure passed instances exist and only check those instances
+      unless config[:instances].empty?
+        check_missing_instances(config[:instances])
+        all_clusters.select! { |c| config[:instances].include?(c) }
+      end
+
+      maint_clusters = clusters_in_maint(all_clusters)
+    rescue StandardError => e
+      unknown "An error occurred processing AWS Redshift API: #{e.message}"
+    end
+
+    if maint_clusters.empty?
+      ok
+    else
+      critical("Clusters in maintenance: #{maint_clusters.join(',')}")
+    end
+  end
+end

data/bin/check-reserved-instances.rb

@@ -0,0 +1,80 @@
+#! /usr/bin/env ruby
+#
+# check-reserved-instances
+#
+# DESCRIPTION:
+#   This plugin checks if reserved instances expire soon.
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-reserved-instances.rb --aws-region eu-west-1 --use-iam
+#
+# NOTES:
+#
+# LICENSE:
+#   Copyright (c) 2015, Olivier Bazoud, olivier.bazoud@gmail.com
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'sensu-plugins-aws'
+require 'aws-sdk'
+
+class CheckReservedInstances < Sensu::Plugin::Check::CLI
+  include Common
+
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: 'us-east-1'
+
+  option :warning,
+         description: 'Warn if expire date is lower age in seconds',
+         short: '-w SECONDS',
+         long: '--warning SECONDS',
+         default: 60 * 60 * 24 * 5,
+         proc: proc(&:to_i)
+
+  option :critical,
+         description: 'Critical if expire date is lower age in seconds',
+         short: '-c SECONDS',
+         long: '--critical SECONDS',
+         default: 60 * 60 * 24 * 30 * 2,
+         proc: proc(&:to_i)
+
+  def run
+    reserved_instances_critical = []
+    reserved_instances_warning = []
+
+    ec2 = Aws::EC2::Client.new
+    reserved_instances = ec2.describe_reserved_instances(filters: [{ name: 'state', values: ['active'] }]).reserved_instances
+
+    reserved_instances.each do |reserved_instance|
+      age = reserved_instance.end.to_i - Time.now.to_i
+      if age < config[:critical]
+        reserved_instances_critical << reserved_instance.reserved_instances_id
+      elsif age < config[:warning]
+        reserved_instances_warning << reserved_instance.reserved_instances_id
+      end
+    end
+
+    if !reserved_instances_critical.empty?
+      critical "Reserved instances will expire soon - #{reserved_instances_critical}"
+    elsif !reserved_instances_warning.empty?
+      warning "Reserved instances will expire soon - #{reserved_instances_warning}"
+    end
+
+    ok "#{reserved_instances.size} reserved instances"
+  end
+end

data/bin/check-route.rb

@@ -0,0 +1,122 @@
+#! /usr/bin/env ruby
+#
+# check-route
+#
+# DESCRIPTION:
+#   This plugin checks a route to an instance / eni on a route table
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   #YELLOW
+#
+# NOTES:
+#
+# LICENSE:
+#   Copyright (c) 2014, Leon Gibat, brendan.gibat@gmail.com
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'aws-sdk'
+require 'sensu-plugins-aws'
+
+class CheckRoute < Sensu::Plugin::Check::CLI
+  include Common
+  include Filter
+
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: 'us-east-1'
+
+  option :filter,
+         short: '-f FILTER',
+         long: '--filter FILTER',
+         description: 'String representation of the filter to apply',
+         default: '{}'
+
+  option :network_interface_id,
+         description: 'Network interface id of route',
+         short: '-n NETWORK_INTERFACE_ID',
+         long: '--network-interface-id NETWORK_INTERFACE_ID',
+         default: ''
+
+  option :instance_id,
+         description: 'Instance Id attachment of route',
+         short: '-i INSTANCE_ID',
+         long: '--instance-id INSTANCE_ID',
+         default: ''
+
+  option :destination_cidr_block,
+         description: 'Destination CIDR block of route',
+         short: '-d DESTINATION_CIDR',
+         long: '--destination-cidr DESTINATION_CIDR',
+         default: ''
+
+  option :gateway_id,
+         description: 'Gateway Id of route',
+         short: '-g GATEWAY_ID',
+         long: '--gateway-id GATEWAY_ID',
+         default: ''
+
+  option :state,
+         description: 'The route state. Can be either "active" or "blackhole"',
+         short: '-s STATE',
+         long: '--state STATE',
+         default: 'active'
+
+  option :vpc_peering_id,
+         description: 'VPC peering connection id',
+         short: '-v VPC_PEERING_ID',
+         long: '--vpc-peering-id VPC_PEERING_ID',
+         default: ''
+
+  def run
+    begin
+      aws_config
+      client = Aws::EC2::Client.new
+
+      filter = Filter.parse(config[:filter])
+
+      options = { filters: filter }
+
+      data = client.describe_route_tables(options)
+
+      data[:route_tables].each do |rt|
+        rt[:routes].each do |route|
+          checks = true
+          if config[:state] != route[:state]
+            checks = false
+          elsif !config[:vpc_peering_id].empty? && config[:vpc_peering_id] != route[:vpc_peering_connection_id]
+            checks = false
+          elsif !config[:gateway_id].empty? && config[:gateway_id] != route[:gateway_id]
+            checks = false
+          elsif !config[:destination_cidr_block].empty? && config[:destination_cidr_block] != route[:destination_cidr_block]
+            checks = false
+          elsif !config[:instance_id].empty? && config[:instance_id] != route[:instance_id]
+            checks = false
+          elsif !config[:network_interface_id].empty? && config[:network_interface_id] != route[:network_interface_id]
+            checks = false
+          end
+          if checks
+            ok
+          end
+        end
+      end
+    rescue StandardError => e
+      critical "Error: exception: #{e}"
+    end
+    critical
+  end
+end

data/bin/check-route53-domain-expiration.rb

@@ -0,0 +1,78 @@
+#!/usr/bin/env ruby
+#
+# check-route53-domain-expiration
+#
+# DESCRIPTION:
+#   Alert when Route53 registered domains are close to expiration
+#
+# OUTPUT:
+#   plain-text
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   check-route53-domain-expiration.rb
+#
+# LICENSE:
+#   Eric Heydrick <eheydrick@gmail.com>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+
+require 'sensu-plugins-aws'
+require 'sensu-plugin/check/cli'
+require 'aws-sdk'
+
+class CheckRoute53DomainExpiration < Sensu::Plugin::Check::CLI
+  include Common
+
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: 'us-east-1'
+
+  option :warn,
+         short: '-w WARN',
+         long: '--warning WARN',
+         description: 'Warn if domain expires in less than this many days (default: 30)',
+         default: 30,
+         proc: proc(&:to_i)
+
+  option :crit,
+         short: '-c CRITICAL',
+         long: '--critical CRITICAL',
+         description: 'Critical if domain expires in less than this many days (default: 7)',
+         default: 7,
+         proc: proc(&:to_i)
+
+  def run
+    warn_domains = {}
+    crit_domains = {}
+
+    r53 = Aws::Route53Domains::Client.new(aws_config)
+    begin
+      domains = r53.list_domains.domains
+      domains.each do |domain|
+        expiration = DateTime.parse(domain.expiry.to_s) # rubocop: disable Style/DateTime
+        days_until_expiration = (expiration - DateTime.now).to_i # rubocop: disable Style/DateTime
+        if days_until_expiration <= config[:crit]
+          crit_domains[domain] = days_until_expiration
+        elsif days_until_expiration <= config[:warn]
+          warn_domains[domain] = days_until_expiration
+        end
+      end
+
+      if !crit_domains.empty?
+        critical "Domains are expiring in less than #{config[:crit]} days: " + crit_domains.map { |d, v| "#{d.domain_name} (in #{v} days)" }.join(', ')
+      elsif !warn_domains.empty?
+        warning "Domains are expiring in less than #{config[:warn]} days: " + warn_domains.map { |d, v| "#{d.domain_name} (in #{v} days)" }.join(', ')
+      else
+        ok 'No domains are expiring soon'
+      end
+    rescue StandardError => e
+      unknown "An error occurred communicating with the Route53 API: #{e.message}"
+    end
+  end
+end

data/bin/check-s3-bucket-visibility.rb

@@ -0,0 +1,176 @@
+#! /usr/bin/env ruby
+#
+# check-s3-bucket-visibility
+#
+# DESCRIPTION:
+#   This plugin checks a bucket for website configuration and bucket policy.
+#   It alerts if the bucket has a website configuration, or a policy that has
+#   Get or List actions.
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-s3-bucket-visibility.rb --bucket-name mybucket --aws-region eu-west-1
+#
+# NOTES:
+#
+# LICENSE:
+#   Copyright (c) 2015, Olivier Bazoud and Ricky Hussmann,
+#     olivier.bazoud@gmail.com, ricky.hussmann@gmail.com
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'aws-sdk-s3'
+require 'sensu-plugin/check/cli'
+require 'sensu-plugins-aws'
+
+class CheckS3Bucket < Sensu::Plugin::Check::CLI
+  include Common
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: 'us-east-1'
+
+  option :bucket_names,
+         short: '-b BUCKET_NAMES',
+         long: '--bucket-names',
+         description: 'A comma seperated list of S3 buckets to check',
+         proc: proc { |b| b.split(',') }
+
+  option :all_buckets,
+         short: '-a BOOL',
+         long: '--all-buckets BOOL',
+         description: 'If all buckets are true it will look at any buckets that we have access to in the region',
+         boolean: true,
+         default: false
+
+  option :exclude_buckets,
+         short: '-e EXCLUDED_BUCKETS_COMMA_SEPERATED',
+         long: '--excluded-buckets EXCLUDED_BUCKETS_COMMA_SEPERATED',
+         description: 'A comma seperated list of buckets to ignore that are expected to have loose permissions',
+         proc: proc { |b| b.split(',') }
+
+  option :exclude_regex_filter,
+         long: '--exclude-regex-filter MY_REGEX',
+         description: 'A regex to filter out bucket names'
+
+  option :critical_on_missing,
+         short: '-m ',
+         long: '--critical-on-missing',
+         description: 'The check will fail with CRITICAL rather than WARN when a bucket is not found',
+         default: 'false'
+
+  def true?(obj)
+    !obj.nil? && obj.to_s.casecmp('true') != -1
+  end
+
+  def s3_client
+    @s3_client ||= Aws::S3::Client.new
+  end
+
+  def s3_resource
+    @s3_resource || Aws::S3::Resource.new
+  end
+
+  def list_buckets
+    buckets = []
+    s3_resource.buckets.each do |bucket|
+      if s3_resource.client.get_bucket_location(bucket: bucket.name).location_constraint == config[:aws_region]
+        buckets << bucket.name
+      else
+        p "skipping bucket: #{bucket.name} as is not in the region specified: #{config[:aws_region]}"
+      end
+    end
+    buckets
+  end
+
+  def excluded_bucket?(bucket_name)
+    return false if config[:exclude_buckets].nil?
+    config[:exclude_buckets].include?(bucket_name)
+  end
+
+  def excluded_bucket_regex?(bucket_name)
+    return false if config[:exclude_regex_filter].nil?
+    if bucket_name.match(Regexp.new(Regexp.escape(config[:exclude_regex_filter])))
+      true
+    else
+      false
+    end
+  end
+
+  def website_configuration?(bucket_name)
+    s3_client.get_bucket_website(bucket: bucket_name)
+    true
+  rescue Aws::S3::Errors::NoSuchWebsiteConfiguration
+    false
+  end
+
+  def get_bucket_policy(bucket_name)
+    JSON.parse(s3_client.get_bucket_policy(bucket: bucket_name).policy.string)
+  rescue Aws::S3::Errors::NoSuchBucketPolicy
+    { 'Statement' => [] }
+  end
+
+  def policy_too_permissive?(policy)
+    policy['Statement'].any? { |s| statement_too_permissive? s }
+  end
+
+  def statement_too_permissive?(s)
+    actions_contain_get_or_list? Array(s['Action'])
+  end
+
+  def actions_contain_get_or_list?(actions)
+    actions.any? { |a| !Array(a).grep(/^s3:Get|s3:List|s3:\*/).empty? }
+  end
+
+  def run
+    errors = []
+    warnings = []
+    buckets = if config[:all_buckets]
+                list_buckets
+              elsif config[:bucket_names] && !config[:bucket_names].empty?
+                config[:bucket_names]
+              else
+                unknown 'you must specify either all buckets or provide list of buckets'
+              end
+
+    buckets.each do |bucket_name|
+      if excluded_bucket?(bucket_name)
+        p "bucket_name: #{bucket_name} was ignored as it matched excluded_buckets"
+        next
+      elsif excluded_bucket_regex?(bucket_name)
+        p "bucket_name: #{bucket_name} was ignored as it matched exclude_regex_filter: #{Regexp.new(Regexp.escape(config[:exclude_regex_filter]))}"
+        next
+      end
+      begin
+        if website_configuration?(bucket_name)
+          errors.push "#{bucket_name}: website configuration found"
+        end
+        if policy_too_permissive?(get_bucket_policy(bucket_name))
+          errors.push "#{bucket_name}: bucket policy too permissive"
+        end
+      rescue Aws::S3::Errors::NoSuchBucket
+        mesg = "Bucket #{bucket_name} not found"
+        true?(config[:critical_on_missing]) ? errors.push(mesg) : warnings.push(mesg)
+      end
+    end
+
+    if !errors.empty?
+      critical errors.join '; '
+    elsif !warnings.empty?
+      warning warnings.join '; '
+    else
+      ok "#{buckets.join ','} not exposed via website or bucket policy"
+    end
+  end
+end