RubyGems - terrafying-components - Versions diffs - 2.3.7 → 2.4.0 - Mend

terrafying-components 2.3.7 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/lib/terrafying/components/dynamicset.rb +1 -1
data/lib/terrafying/components/instance.rb +1 -0
data/lib/terrafying/components/prometheus.rb +1 -1
data/lib/terrafying/components/security/trail.rb +75 -11
data/lib/terrafying/components/service.rb +1 -1
data/lib/terrafying/components/staticset.rb +1 -1
data/lib/terrafying/components/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4cce3c1a633e5e4daca6ff1b63b4a904dba0c2105a8df0024765e2788b261247
-  data.tar.gz: 7d6c8f3938a4c813bee85152a0e5cc8e779a7bce6555388caedb54c21e7f0a4e
+  metadata.gz: 958f5cf0e55c8fb3ee50530de70424c144000a3ec34c263c66216fb89b234bca
+  data.tar.gz: 2b53beccd6f67c5069f3f1971c9d33e11830c1e047fae99a26197dc59e7696a2
 SHA512:
-  metadata.gz: 062cfb791bdf8a36cb408020f4b2fc7d0e4ce15bd07a0a5cf7417c83524051109904b2aa253b2f09f15e7444b9e4b8cf8db7a24df51146aceff98e1aa6131829
-  data.tar.gz: 3bcbb217b6a7a745e525935613d5e987dc00bd9d99f3325d6b9ec461444e74d1a93ce3d89aa5ebb9cf4b6d0f7e80600ffa0d56d399d59c3d0ff05cf5ed2b1ca6
+  metadata.gz: 0c0e3a2933af5c003222be6e5d957cd9d1763b0c6c241b794beb15e45b0e116f1bd3b7f2ac0b7a81c184f76d2a156be36fc6b079f4ce491cb19704695c7730cb
+  data.tar.gz: c9732ff0ecdc0be2ed2351f6a7b3405b2225d13e57d4a7b5c9b782cfae09064f2e1796a4ee314456b90104f8e2784b01a4877e85bc367c4753e72c0cbee37e40

data/lib/terrafying/components/dynamicset.rb CHANGED Viewed

@@ -33,7 +33,7 @@ module Terrafying
         options = {
           public: false,
           eip: false,
-          ami: aws.ami('base-image-fc-79994d1f', owners = ['477284023816']),
+          ami: aws.ami('base-image-fc-f50b677a', owners = ['477284023816']),
           instance_type: 't3a.micro',
           instances: { min: 1, max: 1, desired: 1, tags: {} },
           ports: [],

data/lib/terrafying/components/instance.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 require 'xxhash'
+require 'terrafying'
 require 'terrafying/components/ports'
 require 'terrafying/components/usable'

data/lib/terrafying/components/prometheus.rb CHANGED Viewed

@@ -7,7 +7,7 @@ require 'terrafying/components'
 module Terrafying
   module Components
     class Prometheus < Terrafying::Context
-      attr_reader :prometheus, :security_group
+      attr_reader :prometheus, :security_group, :thanos
       def self.create_in(options)
         new(**options).tap(&:create)

data/lib/terrafying/components/security/trail.rb CHANGED Viewed

@@ -81,7 +81,8 @@ module Terrafying
               store:,
               topic:,
               include_all_regions: true,
-              include_all_organisation: true
+              include_all_organisation: true,
+              ignore_buckets: []
             )
           @name = name
@@ -142,6 +143,8 @@ module Terrafying
                      policy_arn: log_role_policy["arn"],
                    }
+          s3_data_selectors = bucket_selector(ignore_buckets)
           resource :aws_cloudtrail, "#{name}", {
                      name: "#{name}",
                      s3_bucket_name: store.name,
@@ -165,20 +168,81 @@ module Terrafying
                            values: ["arn:aws:lambda"],
                          },
                        },
-                       {
-                         read_write_type: "All",
-                         include_management_events: true,
-                         data_resource: {
-                           type: "AWS::S3::Object",
-                           values: ["arn:aws:s3:::"],
-                         },
-                       },
                      ],
-                   }
+                   }.deep_merge(s3_data_selectors)
           self
         end
+        def bucket_selector(buckets)
+          buckets = Array(buckets)
+          return all_buckets if buckets.empty?
+          {
+            advanced_event_selector: [
+              ignore_buckets_selectors(buckets),
+              management_events_selector,
+            ]
+          }
+        end
+        def all_buckets
+          {
+            event_selector: [
+              {
+                read_write_type: "All",
+                include_management_events: true,
+                data_resource: {
+                  type: "AWS::S3::Object",
+                  values: ["arn:aws:s3:::"],
+                }
+              }
+            ]
+          }
+        end
+        def ignore_buckets_selectors(buckets)
+          ignore_bucket_arns = Array(buckets).map { |bucket|
+            data_name = Digest::SHA256.hexdigest("#{@name}-#{bucket}")[0..16]
+            arn = data(:aws_s3_bucket, "ct-ignore-#{data_name}", bucket: bucket)['arn']
+            "#{arn}/"
+          }
+          {
+            name: "Log all S3 buckets objects events except these",
+            field_selector: [
+              {
+                field: 'eventCategory',
+                equals: ['Data']
+              },
+              {
+                field: 'resources.type',
+                equals: ['AWS::S3::Object']
+              },
+              {
+                field: 'resources.ARN',
+                not_equals: ignore_bucket_arns
+              }
+            ],
+          }
+        end
+        def management_events_selector
+          {
+            name: "Log readOnly and writeOnly management events",
+            field_selector: [
+              {
+                field: "eventCategory",
+                equals: ["Management"]
+              }
+            ]
+          }
+        end
         def alert!(name:, pattern:, threshold: 1, topic: @topic)
           ident = "cloudwatch-#{@name}-#{name}"

data/lib/terrafying/components/service.rb CHANGED Viewed

@@ -41,7 +41,7 @@ module Terrafying
       def create_in(vpc, name, options = {})
         options = {
-          ami: aws.ami('base-image-fc-79994d1f', owners = ['477284023816']),
+          ami: aws.ami('base-image-fc-f50b677a', owners = ['477284023816']),
           instance_type: 't3a.micro',
           ports: [],
           instances: [{}],

data/lib/terrafying/components/staticset.rb CHANGED Viewed

@@ -38,7 +38,7 @@ module Terrafying
         options = {
           public: false,
           eip: false,
-          ami: aws.ami('base-image-fc-79994d1f', owners = ['477284023816']),
+          ami: aws.ami('base-image-fc-f50b677a', owners = ['477284023816']),
           instance_type: 't3a.micro',
           subnets: vpc.subnets.fetch(:private, []),
           ports: [],

data/lib/terrafying/components/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Terrafying
   module Components
-    VERSION = '2.3.7'
+    VERSION = '2.4.0'
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terrafying-components
 version: !ruby/object:Gem::Version
-  version: 2.3.7
+  version: 2.4.0
 platform: ruby
 authors:
 - uSwitch Limited
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-11 00:00:00.000000000 Z
+date: 2022-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake