terrafying-components 2.3.7 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4cce3c1a633e5e4daca6ff1b63b4a904dba0c2105a8df0024765e2788b261247
-  data.tar.gz: 7d6c8f3938a4c813bee85152a0e5cc8e779a7bce6555388caedb54c21e7f0a4e
+  metadata.gz: 958f5cf0e55c8fb3ee50530de70424c144000a3ec34c263c66216fb89b234bca
+  data.tar.gz: 2b53beccd6f67c5069f3f1971c9d33e11830c1e047fae99a26197dc59e7696a2
 SHA512:
-  metadata.gz: 062cfb791bdf8a36cb408020f4b2fc7d0e4ce15bd07a0a5cf7417c83524051109904b2aa253b2f09f15e7444b9e4b8cf8db7a24df51146aceff98e1aa6131829
-  data.tar.gz: 3bcbb217b6a7a745e525935613d5e987dc00bd9d99f3325d6b9ec461444e74d1a93ce3d89aa5ebb9cf4b6d0f7e80600ffa0d56d399d59c3d0ff05cf5ed2b1ca6
+  metadata.gz: 0c0e3a2933af5c003222be6e5d957cd9d1763b0c6c241b794beb15e45b0e116f1bd3b7f2ac0b7a81c184f76d2a156be36fc6b079f4ce491cb19704695c7730cb
+  data.tar.gz: c9732ff0ecdc0be2ed2351f6a7b3405b2225d13e57d4a7b5c9b782cfae09064f2e1796a4ee314456b90104f8e2784b01a4877e85bc367c4753e72c0cbee37e40

data/lib/terrafying/components/dynamicset.rb

@@ -33,7 +33,7 @@ module Terrafying
         options = {
           public: false,
           eip: false,
-          ami: aws.ami('base-image-fc-79994d1f', owners = ['477284023816']),
+          ami: aws.ami('base-image-fc-f50b677a', owners = ['477284023816']),
           instance_type: 't3a.micro',
           instances: { min: 1, max: 1, desired: 1, tags: {} },
           ports: [],

data/lib/terrafying/components/instance.rb

@@ -2,6 +2,7 @@
 
 require 'xxhash'
 
+require 'terrafying'
 require 'terrafying/components/ports'
 require 'terrafying/components/usable'
 

data/lib/terrafying/components/prometheus.rb

@@ -7,7 +7,7 @@ require 'terrafying/components'
 module Terrafying
   module Components
     class Prometheus < Terrafying::Context
-      attr_reader :prometheus, :security_group
+      attr_reader :prometheus, :security_group, :thanos
 
       def self.create_in(options)
         new(**options).tap(&:create)

data/lib/terrafying/components/security/trail.rb

@@ -81,7 +81,8 @@ module Terrafying
               store:,
               topic:,
               include_all_regions: true,
-              include_all_organisation: true
+              include_all_organisation: true,
+              ignore_buckets: []
             )
 
           @name = name
@@ -142,6 +143,8 @@ module Terrafying
                      policy_arn: log_role_policy["arn"],
                    }
 
+          s3_data_selectors = bucket_selector(ignore_buckets)
+
           resource :aws_cloudtrail, "#{name}", {
                      name: "#{name}",
                      s3_bucket_name: store.name,
@@ -165,20 +168,81 @@ module Terrafying
                            values: ["arn:aws:lambda"],
                          },
                        },
-                       {
-                         read_write_type: "All",
-                         include_management_events: true,
-
-                         data_resource: {
-                           type: "AWS::S3::Object",
-                           values: ["arn:aws:s3:::"],
-                         },
-                       },
                      ],
-                   }
+
+                   }.deep_merge(s3_data_selectors)
           self
         end
 
+        def bucket_selector(buckets)
+          buckets = Array(buckets)
+
+          return all_buckets if buckets.empty?
+
+          {
+            advanced_event_selector: [
+              ignore_buckets_selectors(buckets),
+              management_events_selector,
+            ]
+          }
+        end
+
+        def all_buckets
+          {
+            event_selector: [
+              {
+                read_write_type: "All",
+                include_management_events: true,
+
+                data_resource: {
+                  type: "AWS::S3::Object",
+                  values: ["arn:aws:s3:::"],
+                }
+              }
+            ]
+          }
+        end
+
+        def ignore_buckets_selectors(buckets)
+          ignore_bucket_arns = Array(buckets).map { |bucket|
+            data_name = Digest::SHA256.hexdigest("#{@name}-#{bucket}")[0..16]
+            arn = data(:aws_s3_bucket, "ct-ignore-#{data_name}", bucket: bucket)['arn']
+            "#{arn}/"
+          }
+
+          {
+            name: "Log all S3 buckets objects events except these",
+
+            field_selector: [
+              {
+                field: 'eventCategory',
+                equals: ['Data']
+              },
+              {
+                field: 'resources.type',
+                equals: ['AWS::S3::Object']
+              },
+              {
+                field: 'resources.ARN',
+                not_equals: ignore_bucket_arns
+              }
+            ],
+          }
+        end
+
+        def management_events_selector
+          {
+            name: "Log readOnly and writeOnly management events",
+
+            field_selector: [
+              {
+                field: "eventCategory",
+                equals: ["Management"]
+              }
+            ]
+          }
+        end
+
         def alert!(name:, pattern:, threshold: 1, topic: @topic)
 
           ident = "cloudwatch-#{@name}-#{name}"

data/lib/terrafying/components/service.rb

@@ -41,7 +41,7 @@ module Terrafying
 
       def create_in(vpc, name, options = {})
         options = {
-          ami: aws.ami('base-image-fc-79994d1f', owners = ['477284023816']),
+          ami: aws.ami('base-image-fc-f50b677a', owners = ['477284023816']),
           instance_type: 't3a.micro',
           ports: [],
           instances: [{}],

data/lib/terrafying/components/staticset.rb

@@ -38,7 +38,7 @@ module Terrafying
         options = {
           public: false,
           eip: false,
-          ami: aws.ami('base-image-fc-79994d1f', owners = ['477284023816']),
+          ami: aws.ami('base-image-fc-f50b677a', owners = ['477284023816']),
           instance_type: 't3a.micro',
           subnets: vpc.subnets.fetch(:private, []),
           ports: [],

data/lib/terrafying/components/version.rb

@@ -2,6 +2,6 @@
 
 module Terrafying
   module Components
-    VERSION = '2.3.7'
+    VERSION = '2.4.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terrafying-components
 version: !ruby/object:Gem::Version
-  version: 2.3.7
+  version: 2.4.0
 platform: ruby
 authors:
 - uSwitch Limited
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-11 00:00:00.000000000 Z
+date: 2022-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake