sensu-plugins-aws-boutetnico 1.0.6

data/bin/check-subnet-ip-consumption.rb

@@ -0,0 +1,234 @@
+#! /usr/bin/env ruby
+#
+# check-subnet-ip-consumption
+#
+#
+# DESCRIPTION:
+#   This plugin uses the EC2 API to determine if any subnet in a given region
+#   has consumed IP addresses such that the consumption exceeds a user-specified threshold.
+#   This plugin additionally uses the IAM API to resolve the account alias,
+#   if the user uses the -s/--show-account-alias flag.
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#   gem: sensu-plugins-aws
+#
+# USAGE:
+#  ./check-subnet-ip-consumption.rb -a <access key> -k <secret key> -r <region> -t <integer percentage>
+#
+# NOTES:
+#   Special thanks to Garrett Kuchta and Antonio Beyah for their assistance.
+#
+# LICENSE:
+#   Nick Jacques <Nick.Jacques@target.com>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+
+require 'sensu-plugin/check/cli'
+require 'sensu-plugins-aws'
+require 'aws-sdk'
+
+class CheckSubnetIpConsumption < Sensu::Plugin::Check::CLI
+  include Common
+
+  option :aws_region,
+         short:       '-r AWS_REGION',
+         long:        '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default:     'us-east-1'
+
+  option :alert_threshold,
+         short:       '-t <threshold percentage>',
+         long:        '--threshold <threshold percentage>',
+         proc:        proc { |a| a.to_i },
+         default:     85,
+         in:          (0..100).to_a,
+         description: 'Threshold (in percent) of consumed IP addresses (per subnet) to alert on'
+
+  option :show_friendly_names,
+         short:       '-f',
+         long:        '--show-friendly-names',
+         boolean:     true,
+         default:     false,
+         description: 'Show friendly names (using the Name tag) for AWS objects such as subnets or VPCs'
+
+  option :show_account_alias,
+         short:       '-s',
+         long:        '--show-account-alias',
+         boolean:     true,
+         default:     false,
+         description: 'Show the account alias in the alert output. Requires IAM read privileges.'
+
+  option :verbosity,
+         short:       '-v <level>',
+         long:        '--verbosity <level>',
+         proc:        proc { |a| a.to_i },
+         in:          (0..2).to_a,
+         default:     0,
+         description: 'Manipulate the verbosity of the alert output. Valid options are 0, 1, and 2 (from least to most verbose). Default is 0.'
+
+  def iam_client
+    @iam_client ||= Aws::IAM::Client.new
+  end
+
+  def ec2_client
+    @ec2_client ||= Aws::EC2::Client.new
+  end
+
+  # Returns the alias of the AWS account (if there is one), "<no name>" (if there is not), or nil if -s/--show-account-alias is not used.
+  def account_alias
+    # Do not execute IAM API call unless the -s/--show_account_alias flag is specified
+    # (to prevent excess API calls *and* errors if IAM rights are not allowed)
+    return nil unless config[:show_account_alias]
+
+    begin
+      iam_account_alias = iam_client.list_account_aliases[:account_aliases].first
+
+      return '<no alias>' if iam_account_alias.empty? || iam_account_alias.nil?
+      return iam_account_alias
+    rescue StandardError => e
+      unknown "An error occured while using AWS IAM to collect the account alias: #{e.message}"
+    end
+  end
+
+  # Returns the value of the Name tag (if there is one) or "<no name>" (if there is not). Used with VPC and subnet objects.
+  def extract_name_tag(tags)
+    # Find the 'Name' key in the tags object and extract it. If the key isn't found, we get nil instead.
+    name_tag = tags.find { |tag| tag.key == 'Name' }
+    # If extracting the key/value was successful...
+    if name_tag
+      # ...extract the value (if there is one), or return <no name>
+      !name_tag[:value].empty? ? name_tag[:value] : '<no name>'
+    else
+      # Otherwise, there's not a Name key, and thus the object has no name.
+      '<no name>'
+    end
+  end
+
+  # Returns the subnet's friendly name if -f/--show-friendly-names is used, otherwise returns the ID
+  def display_subnet(alert)
+    return alert[:subnet_name] if config[:show_friendly_names]
+    alert[:subnet_id]
+  end
+
+  # Returns the VPC's friendly name if -f/--show-friendly-names is used, otherwise returns the ID
+  def display_vpc(alert)
+    return alert[:vpc_friendly_name] if config[:show_friendly_names]
+    alert[:subnet_vpc_id]
+  end
+
+  def run
+    # Subnets that meet the threshold criteria will store info hashes in this array
+    consumption_alert = []
+
+    begin
+      subnets = ec2_client.describe_subnets[:subnets]
+
+      subnets.each do |subnet|
+        # subnet.cidr_block contains '0.0.0.0/0' notation. We want the mask number after the slash.
+        subnet_netblock = subnet.cidr_block.split('/')[1].to_i
+        # Subtract the mask number from 32 and use the result as the exponent of 2 to get the number of possible addresses in the netblock.
+        # Then, subtract 5 from that number. Rationale: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPC_Sizing
+        # AWS reserves the first four addresses and the last address in any netblock.
+        subnet_total_capacity = (2**(32 - subnet_netblock)) - 5
+        # Determine how many IP addresses have been consumed
+        subnet_consumed_capacity = (subnet_total_capacity - subnet.available_ip_address_count)
+        # Divide consumed IPs by total IPs to get percentage. Multiply by 100 and round to get integer percents.
+        subnet_consumed_pct = ((subnet_consumed_capacity.to_f / subnet_total_capacity.to_f) * 100).round(0)
+
+        # Get the subnet's friendly name
+        subnet_name_tag = extract_name_tag subnet[:tags]
+        # Only get the VPC friendly names if explicitly asked for (otherwise this is a useless API hit)
+        if config[:show_friendly_names]
+          vpc = ec2_client.describe_vpcs(vpc_ids: [subnet.vpc_id])[:vpcs].first
+          vpc_friendly_name = extract_name_tag vpc[:tags]
+        end
+
+        # Test if the subnet consumption % meets or exceeds the threshold %
+        if subnet_consumed_pct >= config[:alert_threshold]
+          # Add a hash containing subnet info to the consumption_alert array
+          consumption_alert.push(subnet_id: subnet.subnet_id,
+                                 subnet_name: subnet_name_tag,
+                                 subnet_consumed_pct: subnet_consumed_pct,
+                                 subnet_vpc_id: subnet.vpc_id,
+                                 subnet_consumed_capacity: subnet_consumed_capacity,
+                                 subnet_total_capacity: subnet_total_capacity,
+                                 subnet_az: subnet[:availability_zone],
+                                 cidr_block: subnet[:cidr_block],
+                                 vpc_friendly_name: vpc_friendly_name)
+        end
+      end
+    rescue StandardError => e
+      unknown "An error occurred processing AWS EC2: #{e.message}"
+    end
+
+    # Process any alerts that might've been generated.
+    if consumption_alert.empty?
+      ok
+    else
+      # Compose alert messages at the configured verbosity
+      alert_msg = []
+      # TODO: Come back and re-asses Rubocop rule, following it's suggestion actually breaks the code
+      # rubocop:disable Style/FormatStringToken
+      verbosity0 = '%{subnet} at %{percent}%% [%{vpc}]'
+      verbosity1 = '%{subnet} at %{percent}%% (%{consumed}/%{total}) [%{vpc}]'
+      verbosity2 = '%{subnet} (%{cidr} in %{az}) at %{percent}%% (%{consumed}/%{total}) [%{vpc}]'
+      # rubocop:enable Style/FormatStringToken
+
+      case config[:verbosity]
+      when 0
+        consumption_alert.each do |alert|
+          alert_msg.push(verbosity0 % { subnet: (display_subnet alert).to_s,
+                                        percent: alert[:subnet_consumed_pct],
+                                        vpc: (display_vpc alert).to_s })
+        end
+      when 1
+        consumption_alert.each do |alert|
+          alert_msg.push(verbosity1 % { subnet: (display_subnet alert).to_s,
+                                        percent: alert[:subnet_consumed_pct],
+                                        consumed: alert[:subnet_consumed_capacity],
+                                        total: alert[:subnet_total_capacity],
+                                        vpc: (display_vpc alert).to_s })
+        end
+      when 2
+        consumption_alert.each do |alert|
+          alert_msg.push(verbosity2 % { subnet: (display_subnet alert).to_s,
+                                        cidr: alert[:cidr_block],
+                                        az: alert[:subnet_az],
+                                        percent: alert[:subnet_consumed_pct],
+                                        consumed: alert[:subnet_consumed_capacity],
+                                        total: alert[:subnet_total_capacity],
+                                        vpc: (display_vpc alert).to_s })
+        end
+      end
+
+      # Throw critical alert with optional account alias display
+      # TODO: Come back and re-asses Rubocop rule, following it's suggestion actually breaks the code
+      # rubocop:disable Style/FormatStringToken
+      alert_prefix = '%{count} subnets in %{region} exceeding %{threshold}%% IP consumption threshold: %{alerts}'
+      alert_prefix_with_alias = '%{count} subnets in %{alias} (%{region}) exceeding %{threshold}%% IP consumption threshold: %{alerts}'
+      # rubocop:enable Style/FormatStringToken
+
+      case config[:show_account_alias]
+      when true
+        critical(alert_prefix_with_alias % { count: alert_msg.length,
+                                             alias: account_alias,
+                                             region: config[:aws_region],
+                                             threshold: config[:alert_threshold],
+                                             alerts: alert_msg.join(', ') })
+      when false
+        critical(alert_prefix % { count: alert_msg.length,
+                                  region: config[:aws_region],
+                                  threshold: config[:alert_threshold],
+                                  alerts: alert_msg.join(', ') })
+      end
+    end
+  end
+end

data/bin/check-trustedadvisor-service-limits.rb

@@ -0,0 +1,90 @@
+#! /usr/bin/env ruby
+#
+# check-trustedadvisor-service-limits
+#
+#
+# DESCRIPTION:
+#   This plugin uses Trusted Advisor API to perform check for
+#   service limits. Trigger 'critical' on sensu for services
+#   that are not 'Green'.
+#
+#   IAM requires AWSSupportAccess policy enabled.
+#
+#   https://aws.amazon.com/premiumsupport/ta-faqs/
+#
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk-v1
+#   gem: sensu-plugin
+#
+# USAGE:
+#  ./check-trustedadvisor-service-limits.rb -l {en|ja}
+#
+# NOTES:
+#
+# LICENSE:
+#   Seandy Wibowo <swibowo@sugarcrm.com>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+
+require 'sensu-plugin/check/cli'
+require 'sensu-plugins-aws'
+require 'aws-sdk'
+
+class CheckTrustedAdvisorServiceLimits < Sensu::Plugin::Check::CLI
+  include Common
+  option :aws_language,
+         short: '-l AWS_LANGUAGE',
+         long: '--aws-language AWS_LANGUAGE',
+         description: "ISO 639-1 language code to be used when querying Trusted Advisor API. Only 'en' and 'ja' supported for now",
+         default: 'en'
+
+  def aws_support
+    # The Support endpoint seems to only available in us-east-1 region
+    # http://docs.aws.amazon.com/sdkforruby/api/Aws/Support.html
+    @aws_support ||= Aws::Support::Client.new(region: 'us-east-1')
+  end
+
+  def run
+    service_limit_msg = []
+
+    begin
+      # Get all check IDs with category "service_limits"
+      check_ids = []
+      aws_support.describe_trusted_advisor_checks(language: config[:aws_language])[:checks].each { |c| check_ids << c.id if c.category == 'service_limits' }
+
+      # Get all checks that are not "ok"
+      checks_not_ok = []
+      aws_support.describe_trusted_advisor_check_summaries(check_ids: check_ids)[:summaries].each { |c| checks_not_ok << c.check_id if c.status != 'ok' }
+
+      checks_not_ok.each do |cno|
+        aws_support.describe_trusted_advisor_check_result(language: config[:aws_language], check_id: cno)[:result][:flagged_resources].each do |slr|
+          # Data structure will be as follow
+          # ["<region>", "<service>", "<description>", "<limit>", "<usage>", "<status>"]
+          sl_region, sl_service, sl_description, sl_limit, sl_usage, sl_status = slr[:metadata]
+
+          next if slr.status == 'ok' || sl_status == 'Green'
+
+          sl_usage = 0 if sl_usage.nil?
+
+          sl_msg = "#{sl_service} (#{sl_region}) #{sl_description} #{sl_usage} out of #{sl_limit}"
+          service_limit_msg.push(sl_msg)
+        end
+      end
+    rescue StandardError => e
+      unknown "An error occurred processing AWS TrustedAdvisor API: #{e.message}"
+    end
+
+    if service_limit_msg.empty?
+      ok
+    else
+      critical("Services hitting usage limit: #{service_limit_msg.join(', ')}")
+    end
+  end
+end

data/bin/check-vpc-nameservers.rb

@@ -0,0 +1,87 @@
+#! /usr/bin/env ruby
+#
+# check-vpc-nameservers
+#
+# DESCRIPTION:
+#   Checks the VPCs nameservers are functional
+#
+# OUTPUT:
+#   plain-text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: aws-sdk
+#   gem: sensu-plugin
+#
+# USAGE:
+#   ./check-vpc-nameservers.rb -v vpc-12345678
+#   ./check-vpc-nameservers.rb -v vpc-12345678 -r us-east-1
+#   ./check-vpc-nameservers.rb -v vpc-12345678 -r us-east-1 -q google.com,internal.private.servers
+#
+# NOTES:
+#
+# LICENSE:
+#   Shane Starcher <shane.starcher@gmail.com>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'sensu-plugins-aws'
+require 'aws-sdk'
+require 'resolv'
+
+class CheckVpcNameservers < Sensu::Plugin::Check::CLI
+  include Common
+  option :queries,
+         short:       '-q queries',
+         long:        '--queries google.com,example1.com',
+         proc:        proc { |a| a.split(',') },
+         default:     ['google.com'],
+         description: 'Comma seperated dns queries to test'
+
+  option :vpc_id,
+         short:       '-v vpc_id',
+         long:        '--vpc_id vpc-12345678',
+         required:    true,
+         description: 'The vpc_id of the dhcp option set'
+
+  option :aws_region,
+         short:       '-r R',
+         long:        '--region REGION',
+         description: 'AWS region',
+         default: 'us-east-1'
+
+  def run
+    errors = []
+    ec2 = Aws::EC2::Client.new
+
+    dhcp_option_id = ec2.describe_vpcs(vpc_ids: [config[:vpc_id]]).vpcs[0].dhcp_options_id
+
+    options = ec2.describe_dhcp_options(dhcp_options_ids: [dhcp_option_id])
+
+    options.dhcp_options.each do |option|
+      option.dhcp_configurations.each do |map|
+        next if map.key != 'domain-name-servers'
+        map.values.each do |value| # rubocop:disable Performance/HashEachMethods
+          ip = value.value
+          config[:queries].each do |query|
+            begin
+              Resolv::DNS.open(nameserver: [ip]).getaddress(query)
+            rescue Resolv::ResolvError => res_err
+              errors << "[#{ip}] #{res_err} "
+            end
+          end
+        end
+      end
+    end
+
+    if errors.empty?
+      ok
+    else
+      warning errors.join("\n")
+    end
+  end
+end

data/bin/check-vpc-vpn.rb

@@ -0,0 +1,98 @@
+#! /usr/bin/env ruby
+#
+#   check-vpc-vpn.rb
+#
+# DESCRIPTION:
+#   This plugin checks VPC VPN connections to ensure they are up
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   all
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#   gem: aws-sdk
+#   gem: sensu-plugins-aws
+#
+# USAGE:
+#  ./check-vpc-vpn.rb --aws-region us-east-1 --vpn-connection-id vpn-abc1234
+#
+# NOTES:
+#   Supports inline credentials or IAM roles
+#
+# LICENSE:
+#   John Dyer johntdyer@gmail.com
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#   Updated by Peter Hoppe <peter.hoppe.extern@bertelsmann.de> to aws-sdk-v2
+#
+
+require 'sensu-plugins-aws'
+require 'sensu-plugin/check/cli'
+require 'aws-sdk'
+
+class CheckAwsVpcVpnConnections < Sensu::Plugin::Check::CLI
+  include Common
+  option :vpn_id,
+         short: '-v VPN_ID',
+         long: '--vpn-connection-id VPN_ID',
+         required: true,
+         description: 'VPN connection ID'
+
+  option :aws_region,
+         short: '-r AWS_REGION',
+         long: '--aws-region REGION',
+         description: 'AWS Region (defaults to us-east-1).',
+         default: ENV['AWS_REGION']
+
+  option :warn_count,
+         short: '-W WARN_COUNT',
+         long: '--warn_count WARN_COUNT',
+         description: 'Warn when the count of down tunnels is at or above this number',
+         default: 1,
+         proc: proc(&:to_i)
+
+  option :crit_count,
+         short: '-C CRIT_COUNT',
+         long: '--crit_count CRIT_COUNT',
+         description: 'Critical when the count of down tunnels is at or above this number',
+         default: 2,
+         proc: proc(&:to_i)
+
+  def fetch_connection_data
+    begin
+      ec2 = Aws::EC2::Client.new
+      vpn_info = ec2.describe_vpn_connections(vpn_connection_ids: [config[:vpn_id]]).vpn_connections
+      down_connections = vpn_info.first.vgw_telemetry.reject { |x| x.status == 'UP' }
+      results = { down_count: down_connections.count }
+      results[:down_connection_status] = down_connections.map { |x| "#{x.outside_ip_address} => #{x.status_message.empty? ? 'none' : x.status_message}" }
+      results[:connection_name] = vpn_info[0].tags.find { |x| x.key == 'Name' }.value
+    rescue Aws::EC2::Errors::ServiceError
+      warning "The vpnConnection ID '#{config[:vpn_id]}' does not exist"
+    rescue StandardError => e
+      warning e.backtrace.join(' ')
+    end
+    results
+  end
+
+  def run
+    data = fetch_connection_data
+    msg = data[:down_connection_status].join(' | ')
+    name = data[:connection_name]
+    case data[:down_count]
+    when 2 then message = "'#{name}' shows both tunnels as DOWN - [ #{msg} ]"
+    when 1 then message = "'#{name}' shows 1 of 2 tunnels as DOWN - [ #{msg} ]"
+    end
+
+    if data[:down_count] >= config[:crit_count]
+      critical message
+    elsif data[:down_count] >= config[:warn_count]
+      warning message
+    else
+      up_count = 2 - data[:down_count]
+      ok "'#{name}' shows #{up_count} of 2 tunnels as UP"
+    end
+  end
+end