bin/check-configservice-rules.rb
#! /usr/bin/env ruby
#
# check-configservice-rules
#
# DESCRIPTION:
# This plugin uses the AWS ConfigService API to check
# for rules compliance. CRITICAL for non-compliance,
# UNKNOWN for insufficient data.
#
# OUTPUT:
# plain-text
#
# PLATFORMS:
# Linux, Windows, Mac
#
# DEPENDENCIES:
# gem: aws-sdk
# gem: sensu-plugin
#
# USAGE:
# ./check-configservice-rules.rb -r {us-east-1|eu-west-1} [-c My_Config_Rule]
#
# NOTES:
# As of this writing, ConfigService rules are only available in us-east-1.
# All other region selections will return an AccessDeniedException
#
# LICENSE:
# Norm MacLennan <nmaclennan@cimpress.com>
# Released under the same terms as Sensu (the MIT license); see LICENSE
# for details.
require 'sensu-plugin/check/cli'
require 'sensu-plugins-aws'
require 'aws-sdk'
class CheckConfigServiceRules < Sensu::Plugin::Check::CLI
include Common
option :aws_region,
short: '-r AWS_REGION',
long: '--aws-region AWS_REGION',
description: 'The AWS region in which to check rules. Currently only available in us-east-1.',
default: 'us-east-1'
option :config_rules,
short: '-c rule1,rule2',
long: '--config-rules rule1,rule2',
description: 'A list of config rules to consider. Default is all rules.'
def get_config_rules_data(rules = nil)
options = { config_rule_names: rules.split(',') } if rules
config_client = Aws::ConfigService::Client.new
config_client.describe_compliance_by_config_rule(options).compliance_by_config_rules
end
def get_rule_names_by_compliance_type(rules, compliance_type)
rules.select { |r| r.compliance.compliance_type == compliance_type }.collect(&:config_rule_name)
end
def run
rules = get_config_rules_data(config[:config_rules])
noncompliant = get_rule_names_by_compliance_type rules, 'NON_COMPLIANT'
unknown = get_rule_names_by_compliance_type rules, 'INSUFFICIENT_DATA'
if noncompliant.any?
critical("Config rules in violation: #{noncompliant.join(',')}")
elsif unknown.any?
unknown("Config rules in unknown state: #{unknown.join(',')}")
else
ok
end
rescue StandardError => e
unknown "An error occurred processing AWS ConfigService API: #{e.message}"
end
end