From 144780cdfa7b83b996ef800d4b06dccef0a9c7a7 Mon Sep 17 00:00:00 2001 From: Tarun Menon <64295670+tarunmenon95@users.noreply.github.com> Date: Wed, 18 Oct 2023 10:22:10 +1100 Subject: [PATCH] ACM Support (#115) * Initial add of ACM resource * Add alarms & event subs for ACM * Bump version to 0.11.5 * Add default generation of specifed event subs * Bump version to 0.11.6 --- README.md | 2 +- docs/resources.md | 1 + lib/cfnguardian/compile.rb | 19 +++++++++- lib/cfnguardian/models/alarm.rb | 9 +++++ lib/cfnguardian/models/event_subscription.rb | 1 + lib/cfnguardian/resources/acm.rb | 39 ++++++++++++++++++++ lib/cfnguardian/version.rb | 2 +- 7 files changed, 70 insertions(+), 3 deletions(-) create mode 100644 lib/cfnguardian/resources/acm.rb diff --git a/README.md b/README.md index daaa5ed..53e163f 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ CfnGuardian is a AWS monitoring tool with a few capabilities: - tls version checking **Supported AWS Resources** - +- ACM Certificates - AmazonMq(RabbitMQ and ActiveMQ) - ApiGateway - Application Targetgroups diff --git a/docs/resources.md b/docs/resources.md index dc7d68b..ea7ffda 100644 --- a/docs/resources.md +++ b/docs/resources.md @@ -36,6 +36,7 @@ Resources: | Resource Group | Require Keys | | --------------------------- | ---------------- | +| Acm | Id | | ApiGateway | Id | | AmazonMQBroker | Id | | AutoScalingGroup | Id | diff --git a/lib/cfnguardian/compile.rb b/lib/cfnguardian/compile.rb index 96f3717..0c349c4 100644 --- a/lib/cfnguardian/compile.rb +++ b/lib/cfnguardian/compile.rb @@ -5,6 +5,7 @@ require 'cfnguardian/stacks/main' require 'cfnguardian/models/composite' require 'cfnguardian/resources/base' +require 'cfnguardian/resources/acm' require 'cfnguardian/resources/apigateway' require 'cfnguardian/resources/application_targetgroup' require 'cfnguardian/resources/amazonmq_broker' 
@@ -139,6 +140,9 @@ def get_resources @cost += resource_class.get_cost end end + + # Add default event subscriptions + @resources.concat generate_default_event_subscriptions() @maintenance_groups.each do |maintenance_group,resource_groups| resource_groups.each do |group, alarms| @@ -251,6 +255,19 @@ def genrate_template_config(parameters) File.write("out/template-config.guardian.json", template.to_json) end - + + def generate_default_event_subscriptions() + # List of Classes which default events should be deployed + default_resource_classes = ['CfnGuardian::Resource::Acm'] + default_event_subscriptions = [] + + default_resource_classes.each do |resource_class| + resource_instance = Kernel.const_get(resource_class).new({"Id"=>resource_class}) # Dummy ID + default_event_subscriptions.concat(resource_instance.default_event_subscriptions()) + end + + return default_event_subscriptions + end + end end diff --git a/lib/cfnguardian/models/alarm.rb b/lib/cfnguardian/models/alarm.rb index 6b7d95d..0e22d4b 100644 --- a/lib/cfnguardian/models/alarm.rb +++ b/lib/cfnguardian/models/alarm.rb @@ -66,6 +66,15 @@ def metric_name=(metric_name) end end + class AcmAlarm < BaseAlarm + def initialize(resource) + super(resource) + @group = 'Acm' + @namespace = 'AWS/CertificateManager' + @dimensions = { CertificateArn: { "Fn::Sub" => "arn:aws:acm:${AWS::Region}:${AWS::AccountId}:certificate/#{resource['Id']}"}} + end + end + class ApiGatewayAlarm < BaseAlarm def initialize(resource) super(resource) diff --git a/lib/cfnguardian/models/event_subscription.rb b/lib/cfnguardian/models/event_subscription.rb index 951da08..ac2fa33 100644 --- a/lib/cfnguardian/models/event_subscription.rb +++ b/lib/cfnguardian/models/event_subscription.rb 
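Review bot: The new `@resources.concat generate_default_event_subscriptions()` line in get_resources appends the ACM default subscriptions unconditionally, so an Acm resource that the user also lists in their config would produce its own `AcmCertificateNearExpiry`/`AcmCertificateExpired`/`AcmRenewalActionRequired` subscriptions and the same names would be emitted twice; whether that collides when names become stack logical IDs depends on code outside this hunk. If the defaults are meant to cover the account only when nothing explicit is configured, guard the call, e.g. `@resources.concat(generate_default_event_subscriptions) unless acm_configured?`, with the predicate written against whatever @resources actually holds (not visible here). A one-line comment above the call saying that these subscriptions are account-wide and independent of the configured resources would also help the next reader. get_resources starts and ends outside this hunk.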
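Review bot: generate_default_event_subscriptions resolves a hard-coded class name through `Kernel.const_get(resource_class)` and then passes that same string as the resource's `"Id"`, so the placeholder Id is a Ruby class name rather than a certificate identifier; if BaseEventSubscription uses `resource['Id']` anywhere in the generated rule (naming or an event-pattern resource filter), that placeholder would land in the template — confirm against the model, which is not in the diff. Since the list is fixed, reference the constants directly and drop the accumulator loop and explicit `return`: `[CfnGuardian::Resource::Acm].flat_map { |klass| klass.new({ 'Id' => klass.name }).default_event_subscriptions }`. The method also depends on Acm#default_event_subscriptions returning the `@event_subscriptions` array, which today is only the incidental value of its final `push`; a comment stating that contract (or an explicit return in the resource class) would keep a later refactor from silently breaking this concat. The `()` on a parameterless `def` is not idiomatic and can go.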
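Review bot: The dimension ARN built in AcmAlarm#initialize hard-codes the `aws` partition, so the alarm would reference a non-existent certificate ARN in the aws-us-gov and aws-cn partitions; use the pseudo parameter instead: `"arn:${AWS::Partition}:acm:${AWS::Region}:${AWS::AccountId}:certificate/#{resource['Id']}"`. Note also that `resource['Id']` is interpolated into an `Fn::Sub` string, so an Id containing `${...}` would be expanded by CloudFormation rather than used literally — the config is presumably trusted, but a short comment above the assignment stating that `Id` must be the bare certificate UUID (not a full ARN) would make the expectation explicit for users of the `Id` key documented in docs/resources.md. The sibling ApiGatewayAlarm class continues past the end of the hunk.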
@@ -95,6 +95,7 @@ def initialize(resource) end end + class AcmEventSubscription < BaseEventSubscription; end class ApiGatewayEventSubscription < BaseEventSubscription; end class ApplicationTargetGroupEventSubscription < BaseEventSubscription; end class AmazonMQBrokerEventSubscription < BaseEventSubscription; end diff --git a/lib/cfnguardian/resources/acm.rb b/lib/cfnguardian/resources/acm.rb new file mode 100644 index 0000000..352b6d3 --- /dev/null +++ b/lib/cfnguardian/resources/acm.rb @@ -0,0 +1,39 @@ +module CfnGuardian::Resource + class Acm < Base + + def default_alarms + alarm = CfnGuardian::Models::AcmAlarm.new(@resource) + alarm.name = 'CertificateExpiry' + alarm.metric_name = 'DaysToExpiry' + alarm.statistic = 'Average' + alarm.threshold = 30 + alarm.comparison_operator = 'LessThanThreshold' + alarm.evaluation_periods = 1 + alarm.period = 86400 + @alarms.push(alarm) + end + + def default_event_subscriptions() + event_subscription = CfnGuardian::Models::AcmEventSubscription.new(@resource) + event_subscription.name = 'AcmCertificateNearExpiry' + event_subscription.detail_type = 'ACM Certificate Approaching Expiration' + event_subscription.source = 'aws.acm' + event_subscription.detail = { + 'DaysToExpiry' => [31] + } + @event_subscriptions.push(event_subscription) + + event_subscription = CfnGuardian::Models::AcmEventSubscription.new(@resource) + event_subscription.name = 'AcmCertificateExpired' + event_subscription.detail_type = 'ACM Certificate Expired' + event_subscription.source = 'aws.acm' + @event_subscriptions.push(event_subscription) + + event_subscription = CfnGuardian::Models::AcmEventSubscription.new(@resource) + event_subscription.name = 'AcmRenewalActionRequired' + event_subscription.detail_type = 'ACM Certificate Renewal Action Required' + event_subscription.source = 'aws.acm' + @event_subscriptions.push(event_subscription) + end + end + end \ No newline at end of file 
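Review bot: default_event_subscriptions in the new acm.rb repeats the same five-line recipe three times, differing only in name, detail type and (for the first) detail, so a private helper would keep the `aws.acm` source in one place and make the set easier to extend; the rewrite below also returns `@event_subscriptions` explicitly, because compile.rb's generate_default_event_subscriptions concatenates whatever this method returns and today that is only the incidental result of the last `push`. None of the three patterns filters on the certificate, so a user-configured Acm resource with a real Id generates the same account-wide rules as the defaults unless BaseEventSubscription adds a resources filter — not visible here, worth confirming. A header comment on the class stating that `Id` is the certificate UUID, that the alarm fires once DaysToExpiry drops below 30, and that the first subscription matches the day-31 notification would document the one-day offset, assuming it is intentional. The file also lacks a trailing newline and a `# frozen_string_literal: true` line.
```ruby
    # … unchanged: default_alarms …

    def default_event_subscriptions
      acm_event('AcmCertificateNearExpiry', 'ACM Certificate Approaching Expiration', detail: { 'DaysToExpiry' => [31] })
      acm_event('AcmCertificateExpired', 'ACM Certificate Expired')
      acm_event('AcmRenewalActionRequired', 'ACM Certificate Renewal Action Required')
      @event_subscriptions
    end

    private

    # Build one `aws.acm` event subscription and append it to @event_subscriptions.
    # `detail` is only set when given, matching the original per-subscription behaviour.
    def acm_event(name, detail_type, detail: nil)
      event_subscription = CfnGuardian::Models::AcmEventSubscription.new(@resource)
      event_subscription.name = name
      event_subscription.detail_type = detail_type
      event_subscription.source = 'aws.acm'
      event_subscription.detail = detail if detail
      @event_subscriptions.push(event_subscription)
    end
    # … unchanged: closing end for class Acm and module CfnGuardian::Resource …
```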
diff --git a/lib/cfnguardian/version.rb b/lib/cfnguardian/version.rb
index ed7bbab..76db821 100644
--- a/lib/cfnguardian/version.rb
+++ b/lib/cfnguardian/version.rb
@@ -1,4 +1,4 @@
 module CfnGuardian
- VERSION = "0.11.5"
+ VERSION = "0.11.6"
 CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end