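def create_alerts(config):
    """Creates Stackdriver alerts for logs-based metrics.

    Args:
        config: project config object; ``config.project`` is a mapping that
            may carry 'stackdriver_alert_email', 'project_id' and
            'data_buckets' (each bucket entry is a mapping with a
            'name_suffix' and, optionally, 'expected_users').

    Returns:
        None. Returns early, after logging a warning, when no alert email is
        configured, so no channel or policy is created in that case.
    """
    # Stackdriver alerts can't yet be created in Deployment Manager, so create
    # them here.
    alert_email = config.project.get('stackdriver_alert_email')
    if alert_email is None:
        logging.warning(
            'No Stackdriver alert email specified, skipping creation '
            'of Stackdriver alerts.')
        return
    project_id = config.project['project_id']

    # Create an email notification channel for alerts.
    # NOTE(review): nothing here checks whether a channel or policy already
    # exists; confirm the utils.* helpers are idempotent, otherwise re-running
    # this step creates duplicate channels/policies.
    logging.info('Creating Stackdriver notification channel.')
    channel = utils.create_notification_channel(alert_email, project_id)

    logging.info('Creating Stackdriver alerts.')
    utils.create_alert_policy(
        ['global', 'pubsub_topic', 'pubsub_subscription', 'gce_instance'],
        'iam-policy-change-count', 'IAM Policy Change Alert',
        ('This policy ensures the designated user/group is notified when IAM '
         'policies are altered.'), channel, project_id)

    utils.create_alert_policy(
        ['gcs_bucket'], 'bucket-permission-change-count',
        'Bucket Permission Change Alert',
        ('This policy ensures the designated user/group is notified when '
         'bucket/object permissions are altered.'), channel, project_id)

    utils.create_alert_policy(
        ['global'], 'bigquery-settings-change-count', 'Bigquery update Alert',
        ('This policy ensures the designated user/group is notified when '
         'Bigquery dataset settings are altered.'), channel, project_id)

    for data_bucket in config.project.get('data_buckets', []):
        # Every bucket with 'expected_users' has an expected-access alert.
        if 'expected_users' in data_bucket:
            bucket_name = project_id + data_bucket['name_suffix']
            metric_name = 'unexpected-access-' + bucket_name
            # The resource-type argument is a list, as in every other call
            # above; the previous bare string would have been iterated
            # character by character.
            utils.create_alert_policy(
                ['gcs_bucket'], metric_name,
                'Unexpected Access to {} Alert'.format(bucket_name),
                ('This policy ensures the designated user/group is notified when '
                 'bucket {} is accessed by an unexpected user.'.format(
                     bucket_name)), channel, project_id)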
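def create_alerts(config):
  """Creates Stackdriver alerts for logs-based metrics.

  Existing notification channels and alert policies are listed first so the
  step can be re-run without creating duplicates.

  Args:
    config: project config object; ``config.project`` is a mapping that may
      carry 'stackdriver_alert_email', 'project_id' and 'data_buckets'
      (each bucket entry is a mapping that may contain 'expected_users').

  Returns:
    None. Returns early, after logging a warning, when no alert email is
    configured, so no channel or policy is created in that case.
  """
  # Stackdriver alerts can't yet be created in Deployment Manager, so create
  # them here.
  alert_email = config.project.get('stackdriver_alert_email')
  if alert_email is None:
    logging.warning('No Stackdriver alert email specified, skipping creation '
                    'of Stackdriver alerts.')
    return
  project_id = config.project['project_id']

  existing_channels_str = runner.run_gcloud_command([
      'alpha', 'monitoring', 'channels', 'list', '--format',
      'value(name,labels.email_address)'
  ],
                                                    project_id=project_id)

  existing_channels = existing_channels_str.split(
      '\n') if existing_channels_str else []

  email_to_channel = {}
  for existing_channel in existing_channels:
    fields = existing_channel.split()
    # A channel with no email label (a non-email channel type, or a blank
    # line) yields fewer than two fields; skip it rather than failing on
    # the unpack below.
    if len(fields) != 2:
      continue
    channel, email = fields

    # assume only one channel exists per email
    email_to_channel[email] = channel

  if alert_email in email_to_channel:
    logging.info('Stackdriver notification channel already exists for %s',
                 alert_email)
    channel = email_to_channel[alert_email]
  else:
    logging.info('Creating Stackdriver notification channel.')
    channel = utils.create_notification_channel(alert_email, project_id)

  # Existence is decided by displayName only: a policy that already carries
  # one of these names is left untouched, even if its conditions, channel
  # or enabled state differ from what would be created here.
  existing_alerts = set(
      runner.run_gcloud_command([
          'alpha', 'monitoring', 'policies', 'list', '--format',
          'value(displayName)'
      ],
                                project_id=project_id).split('\n'))

  logging.info('Creating Stackdriver alerts.')
  display_name = 'IAM Policy Change Alert'
  if display_name not in existing_alerts:
    utils.create_alert_policy(
        ['global', 'pubsub_topic', 'pubsub_subscription', 'gce_instance'],
        'iam-policy-change-count', display_name,
        ('This policy ensures the designated user/group is notified when IAM '
         'policies are altered.'), channel, project_id)

  display_name = 'Bucket Permission Change Alert'
  if display_name not in existing_alerts:
    utils.create_alert_policy(
        ['gcs_bucket'], 'bucket-permission-change-count', display_name,
        ('This policy ensures the designated user/group is notified when '
         'bucket/object permissions are altered.'), channel, project_id)

  display_name = 'Bigquery Update Alert'
  if display_name not in existing_alerts:
    utils.create_alert_policy(
        ['global'], 'bigquery-settings-change-count', display_name,
        ('This policy ensures the designated user/group is notified when '
         'Bigquery dataset settings are altered.'), channel, project_id)

  for data_bucket in config.project.get('data_buckets', []):
    # Every bucket with 'expected_users' has an expected-access alert.
    if 'expected_users' not in data_bucket:
      continue

    bucket_name = get_data_bucket_name(data_bucket, project_id)
    metric_name = 'unexpected-access-' + bucket_name
    display_name = 'Unexpected Access to {} Alert'.format(bucket_name)
    if display_name not in existing_alerts:
      utils.create_alert_policy(
          ['gcs_bucket'], metric_name, display_name,
          ('This policy ensures the designated user/group is notified when '
           'bucket {} is accessed by an unexpected user.'.format(bucket_name)),
          channel, project_id)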