sensu-plugins-aws-boutetnico 1.0.6

data/bin/check-s3-bucket.rb

@@ -0,0 +1,86 @@
+#! /usr/bin/env ruby
+#
+# check-s3-bucket
+#
+# DESCRIPTION:
+#   This plugin checks a bucket and alerts if not exists
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-s3-bucket.rb --bucket-name mybucket --aws-region eu-west-1
+#
+# NOTES:
+#
+# LICENSE:
+#   Copyright (c) 2015, Olivier Bazoud, olivier.bazoud@gmail.com
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'aws-sdk'
+
+class CheckS3Bucket < Sensu::Plugin::Check::CLI
+  option :aws_access_key,
+         short: '-a AWS_ACCESS_KEY',
+         long: '--aws-access-key AWS_ACCESS_KEY',
+         description: "AWS Access Key. Either set ENV['AWS_ACCESS_KEY'] or provide it as an option",
+         default: ENV['AWS_ACCESS_KEY']
+
+  option :aws_secret_access_key,
+         short: '-k AWS_SECRET_KEY',
+         long: '--aws-secret-access-key AWS_SECRET_KEY',
+         description: "AWS Secret Access Key. Either set ENV['AWS_SECRET_KEY'] or provide it as an option",
+         default: ENV['AWS_SECRET_KEY']
+
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: 'us-east-1'
+
+  option :bucket_name,
+         short: '-b BUCKET_NAME',
+         long: '--bucket-name',
+         description: 'The name of the S3 bucket to check',
+         required: true
+
+  option :use_iam_role,
+         short: '-u',
+         long: '--use-iam',
+         description: 'Use IAM role authenticiation. Instance must have IAM role assigned for this to work'
+
+  def aws_config
+    { access_key_id: config[:aws_access_key],
+      secret_access_key: config[:aws_secret_access_key],
+      region: config[:aws_region] }
+  end
+
+  def run
+    aws_config = {}
+
+    if config[:use_iam_role].nil?
+      aws_config[:access_key_id] = config[:aws_access_key]
+      aws_config[:secret_access_key] = config[:aws_secret_access_key]
+    end
+
+    s3 = Aws::S3::Client.new(aws_config.merge!(region: config[:aws_region]))
+    begin
+      s3.head_bucket(bucket: config[:bucket_name])
+      ok "Bucket #{config[:bucket_name]} found"
+    rescue Aws::S3::Errors::NotFound => _
+      critical "Bucket #{config[:bucket_name]} not found"
+    rescue StandardError => e
+      critical "Bucket #{config[:bucket_name]} - #{e.message}"
+    end
+  end
+end

data/bin/check-s3-object.rb

@@ -0,0 +1,205 @@
+#! /usr/bin/env ruby
+#
+# check-s3-object
+#
+# DESCRIPTION:
+#   This plugin checks if a file exists in a bucket and/or is not too old.
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-s3-object.rb --bucket-name mybucket --aws-region eu-west-1 --use-iam --key-name "path/to/myfile.txt"
+#   ./check-s3-object.rb --bucket-name mybucket --aws-region eu-west-1 --use-iam --key-name "path/to/myfile.txt" --warning 90000 --critical 126000
+#   ./check-s3-object.rb --bucket-name mybucket --aws-region eu-west-1 --use-iam --key-name "path/to/myfile.txt" --warning 90000 --critical 126000 --ok-zero-size
+#
+# NOTES:
+#
+# LICENSE:
+#   Copyright (c) 2015, Olivier Bazoud, olivier.bazoud@gmail.com
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'aws-sdk'
+
+class CheckS3Object < Sensu::Plugin::Check::CLI
+  option :aws_access_key,
+         short: '-a AWS_ACCESS_KEY',
+         long: '--aws-access-key AWS_ACCESS_KEY',
+         description: "AWS Access Key. Either set ENV['AWS_ACCESS_KEY'] or provide it as an option",
+         default: ENV['AWS_ACCESS_KEY']
+
+  option :aws_secret_access_key,
+         short: '-k AWS_SECRET_KEY',
+         long: '--aws-secret-access-key AWS_SECRET_KEY',
+         description: "AWS Secret Access Key. Either set ENV['AWS_SECRET_KEY'] or provide it as an option",
+         default: ENV['AWS_SECRET_KEY']
+
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: 'us-east-1'
+
+  option :use_iam_role,
+         short: '-u',
+         long: '--use-iam',
+         description: 'Use IAM role authenticiation. Instance must have IAM role assigned for this to work'
+
+  option :bucket_name,
+         short: '-b BUCKET_NAME',
+         long: '--bucket-name',
+         description: 'The name of the S3 bucket where object lives',
+         required: true
+
+  option :key_name,
+         short: '-n KEY_NAME',
+         long: '--key-name',
+         description: 'The name of key in the bucket'
+
+  option :key_prefix,
+         short: '-p KEY_PREFIX',
+         long: '--key-prefix',
+         description: 'Prefix key to search on the bucket'
+
+  option :warning_age,
+         description: 'Warn if mtime greater than provided age in seconds',
+         short: '-w SECONDS',
+         long: '--warning SECONDS'
+
+  option :critical_age,
+         description: 'Critical if mtime greater than provided age in seconds',
+         short: '-c SECONDS',
+         long: '--critical SECONDS'
+
+  option :ok_zero_size,
+         description: 'OK if file has zero size',
+         short: '-z',
+         long: '--ok-zero-size',
+         boolean: true,
+         default: false
+
+  option :warning_size,
+         description: 'Warning threshold for size',
+         long: '--warning-size COUNT'
+
+  option :critical_size,
+         description: 'Critical threshold for size',
+         long: '--critical-size COUNT'
+
+  option :compare_size,
+         description: 'Comparision operator for threshold: equal, not, greater, less',
+         short: '-o OPERATION',
+         long: '--operator-size OPERATION',
+         default: 'equal'
+
+  option :no_crit_on_multiple_objects,
+         description: 'If this flag is set, sort all matching objects by last_modified date and check against the newest. By default, this check will return a CRITICAL result if multiple matching objects are found.',
+         short: '-m',
+         long: '--ok-on-multiple-objects',
+         boolean: true
+
+  def aws_config
+    { access_key_id: config[:aws_access_key],
+      secret_access_key: config[:aws_secret_access_key],
+      region: config[:aws_region] }
+  end
+
+  def operator
+    op = lambda do |type, a, b|
+      case type
+      when 'age'
+        a > b
+      when 'size'
+        if config[:compare_size] == 'greater'
+          a > b
+        elsif config[:compare_size] == 'less'
+          a < b
+        elsif config[:compare_size] == 'not'
+          a != b
+        end
+      else
+        a == b
+      end
+    end
+    op
+  end
+
+  def run_check(type, level, value, element, msg)
+    key = "#{level}_#{type}".to_sym
+    return if config[key].nil?
+    to_check = config[key].to_i
+    send(level, msg % [element, value, config[:bucket_name]]) if operator.call type, value, to_check
+  end
+
+  def run
+    aws_config = {}
+
+    if (config[:key_name].nil? && config[:key_prefix].nil?) || (!config[:key_name].nil? && !config[:key_prefix].nil?)
+      critical 'Need one option between "key_name" and "key_prefix"'
+    end
+
+    if config[:use_iam_role].nil?
+      aws_config[:access_key_id] = config[:aws_access_key]
+      aws_config[:secret_access_key] = config[:aws_secret_access_key]
+    end
+
+    s3 = Aws::S3::Client.new(aws_config.merge!(region: config[:aws_region]))
+    begin
+      if !config[:key_name].nil?
+        key_search = config[:key_name]
+        key_fullname = key_search
+        output = s3.head_object(bucket: config[:bucket_name], key: key_search)
+        age = Time.now.to_i - output[:last_modified].to_i
+        size = output[:content_length]
+      elsif !config[:key_prefix].nil?
+        key_search = config[:key_prefix]
+        output = s3.list_objects(bucket: config[:bucket_name], prefix: key_search)
+        output = output.next_page while output.next_page?
+
+        if output.contents.size.to_i < 1
+          critical "Object with prefix \"#{key_search}\" not found in bucket #{config[:bucket_name]}"
+        end
+
+        if output.contents.size.to_i > 1
+          if config[:no_crit_on_multiple_objects].nil?
+            critical "Your prefix \"#{key_search}\" return too much files, you need to be more specific"
+          else
+            output.contents.sort_by!(&:last_modified).reverse!
+          end
+        end
+
+        key_fullname = output.contents[0].key
+        age = Time.now.to_i - output.contents[0].last_modified.to_i
+        size = output.contents[0].size
+      end
+
+      %i[critical warning].each do |level|
+        run_check('age', level, age, key_fullname, 'S3 object %s is %s seconds old (bucket %s)')
+      end
+
+      if size.zero?
+        critical "S3 object #{key_fullname} is empty (bucket #{config[:bucket_name]})" unless config[:ok_zero_size]
+      else
+        %i[critical warning].each do |level|
+          run_check('size', level, size, key_fullname, 'S3 %s object\'size : %s octets (bucket %s)')
+        end
+      end
+
+      ok("S3 object #{key_fullname} exists in bucket #{config[:bucket_name]}")
+    rescue Aws::S3::Errors::NotFound => _
+      critical "S3 object #{key_fullname} not found in bucket #{config[:bucket_name]}"
+    rescue StandardError => e
+      critical "S3 object #{key_fullname} in bucket #{config[:bucket_name]} - #{e.message} - #{e.backtrace}"
+    end
+  end
+end

data/bin/check-s3-tag.rb

@@ -0,0 +1,70 @@
+#! /usr/bin/env ruby
+#
+# check-s3-tag
+#
+# DESCRIPTION:
+#   This plugin checks if buckets have a set of tags.
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-s3-tag.rb --aws-region eu-west-1 --tag-keys xxx
+#
+# NOTES:
+#
+# LICENSE:
+#   Copyright (c) 2016, Olivier Bazoud, olivier.bazoud@gmail.com
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'sensu-plugins-aws/common'
+require 'aws-sdk'
+
+class CheckS3Tag < Sensu::Plugin::Check::CLI
+  include Common
+
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: 'us-east-1'
+
+  option :tag_keys,
+         short: '-t TAG_KEYS',
+         long: '--tag-keys TAG_KEYS',
+         description: 'Tag keys'
+
+  def run
+    tags = config[:tag_keys].split(',')
+    s3 = Aws::S3::Client.new
+    missing_tags = []
+    s3.list_buckets.buckets.each do |bucket|
+      begin
+        keys = s3.get_bucket_tagging(bucket: bucket.name).tag_set.map(&:key)
+        if keys.sort & tags.sort != tags.sort
+          missing_tags.push bucket.name
+        end
+      rescue StandardError
+        missing_tags.push bucket.name
+      end
+    end
+
+    if missing_tags.empty?
+      ok
+    else
+      critical("Missing tags in #{missing_tags}")
+    end
+  rescue StandardError => e
+    critical "Error: #{e.message} - #{e.backtrace}"
+  end
+end

data/bin/check-sensu-client.rb

@@ -0,0 +1,184 @@
+#! /usr/bin/env ruby
+#
+# sensu-health-check
+#
+# DESCRIPTION:
+#   Finds a given tag set from EC2 and ensures sensu clients exist
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-sensu-client.rb -w 20 -f "{name:tag-value,values:[infrastructure]}"
+#   ./check-sensu-client.rb -w 20 -f "{name:tag-value,values:[infrastructure]}" -e '{Name:[Ignore, Bad.*]}'
+#   ./check-sensu-client.rb -w 20 -f "{name:tag-value,values:[infrastructure]}" -e '{Name:[Ignore, Bad.*]} {Sensu: [Ignore]}'
+#
+# NOTES:
+#  Values provided for the exclusion filter are treated as regex's for evaluation purposes. Any matching value
+#  will result in the instance being excluded
+#
+# LICENSE:
+#   Justin McCarty (jmccarty3@gmail.com)
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugins-aws'
+require 'sensu-plugin/check/cli'
+require 'aws-sdk'
+require 'rest-client'
+require 'json'
+
+class CheckSensuClient < Sensu::Plugin::Check::CLI
+  include Filter
+  include Common
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (such as us-east-1).',
+         default: 'us-east-1'
+
+  option :sensu_host,
+         short: '-h SENSU_HOST',
+         long: '--host SENSU_HOST',
+         description: 'Sensu host to query',
+         default: 'sensu'
+
+  option :insecure,
+         short: '-k',
+         boolean: true,
+         description: 'Enabling insecure connections',
+         default: false
+
+  option :sensu_port,
+         short: '-p SENSU_PORT',
+         long: '--port SENSU_PORT',
+         description: 'Sensu API port',
+         proc: proc(&:to_i),
+         default: 4567
+
+  option :warn,
+         short: '-w WARN',
+         description: 'Warn if instance has been up longer (Minutes)',
+         proc: proc(&:to_i),
+         default: 0
+
+  option :critical,
+         short: '-c CRITICAL',
+         description: 'Critical if instance has been up longer (Minutes)',
+         proc: proc(&:to_i)
+
+  option :min,
+         short: '-m MIN_TIME',
+         description: 'Minimum Time an instance must be running (Minutes)',
+         proc: proc(&:to_i),
+         default: 5
+
+  option :filter,
+         short: '-f FILTER',
+         description: 'Filter to use to find ec2 instances',
+         default: '{}'
+
+  option :exclude_tags,
+         short: '-e {<tag-key>:[VAL1, VAL2]} {<tag-key>:[VAL1, VAL2] }',
+         long: '--exclude_tags {<tag-key>:[VAL1, VAL2] } {<tag-key>:[VAL1, VAL2] }',
+         description: 'Tag Values to exclude by. Values treated as regex. Any matching value will result in exclusion.',
+         default: '{}'
+
+  def run
+    # Converting the string into a hash.
+    filter_list = config[:exclude_tags].split(/}\s?{/).map do |x|
+      x.gsub(/[{}]/, '')
+    end
+    filter_list = filter_list.map do |y|
+      h1, h2 = y.split(':')
+      { h1 => h2 }
+    end.reduce(:merge)
+    filter_list.delete(nil)
+    filter_list.each { |x, y| filter_list[x] = y.strip.gsub(/[\[\]]/, '') }
+    client = Aws::EC2::Client.new
+
+    parsed_filter = Filter.parse(config[:filter])
+
+    filter = if parsed_filter.empty?
+               {}
+             else
+               { filters: parsed_filter }
+             end
+
+    data = client.describe_instances(filter)
+
+    current_time = Time.now.utc
+    aws_instances = Set.new
+    data.reservations.each do |r|
+      r.instances.each do |i|
+        aws_instances << {
+          id: i[:instance_id],
+          up_time: (current_time - i[:launch_time]) / 60,
+          tags: i.tags
+        }
+      end
+    end
+
+    sensu_clients = client_check
+
+    missing = Set.new
+
+    aws_instances.delete_if do |instance|
+      instance[:tags].any? do |key|
+        filter_list.keys.include?(key.key) && filter_list[key.key].split(',').any? do |v|
+          key.value.match(/#{v.strip}/)
+        end
+      end
+    end
+
+    aws_instances.each do |i|
+      if sensu_clients.include?(i[:id]) == false
+        if i[:up_time] > config[:min]
+          missing << i
+          output "Missing instance #{i[:id]}. Uptime: #{i[:up_time]} Minutes"
+        end
+      end
+    end
+
+    warn_flag = false
+    crit_flag = false
+
+    missing.each do |m|
+      if (config[:critical].nil? == false) && (m[:up_time] > config[:critical])
+        crit_flag = true
+      elsif (config[:warn].nil? == false) && (m[:up_time] > config[:warn])
+        warn_flag = true
+      end
+    end
+
+    if crit_flag
+      critical
+    elsif warn_flag
+      warning
+    end
+    ok
+  end
+
+  def client_check
+    verify_mode = OpenSSL::SSL::VERIFY_PEER
+    verify_mode = OpenSSL::SSL::VERIFY_NONE if config[:insecure]
+    request = RestClient::Resource.new("#{config[:sensu_host]}:#{config[:sensu_port]}/clients",
+                                       verify_ssl: verify_mode)
+    response = JSON.parse(request.get)
+
+    clients = Set.new
+    response.each do |client|
+      clients << client['name']
+    end
+
+    clients
+  end
+end