
more audit rules

Chris Mague il y a 6 ans
Parent
commit
5b4054dd4e
3 fichiers modifiés avec 111 ajouts et 12 suppressions
  1. 16 7
      config.yaml.example
  2. 82 4
      lib/neoinfra/audit.rb
  3. 13 1
      tasks/audit.rake

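--- a/config.yaml.example
+++ b/config.yaml.example
@@ -13,10 +13,19 @@ accounts:
      :secret: test2_secret
 
 tag_policy:
-   :required:
-   - Application
-   - Owner
-   - Environment
-   :recommended:
-   - Product
-   - Name
+   :nodes:
+     :required:
+       - Application
+       - Owner
+       - Environment
+     :recommended:
+       - Product
+       - Name
+   :vpcs:
+     :required:
+       - Application
+       - Owner
+       - Environment
+     :recommended:
+       - Product
+       - Name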
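Review bot: The example config gains `:nodes:` and `:vpcs:` policies but no `:subnets:` entry, while the same commit adds `audit_subnets` and wires it into `rake audit:all`; anyone who copies this file as their config will get "no policy set for subnets" and an `{:error => ...}` hash from that task. Add a `:subnets:` block next to `:vpcs:` with the same `:required:`/`:recommended:` lists so the example exercises every audit the default task runs. The three blocks are identical, which is presumably intentional since the code reads each per resource type; a short comment above `tag_policy:` naming the three recognised keys (`:nodes:`, `:vpcs:`, `:subnets:`) would make the expected shape obvious.
```yaml
   :subnets:
     :required:
       - Application
       - Owner
       - Environment
     :recommended:
       - Product
       - Name
```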

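--- a/lib/neoinfra/audit.rb
+++ b/lib/neoinfra/audit.rb
@@ -14,6 +14,11 @@ module NeoInfra
       aws = NeoInfra::Aws.new
       @cfg = NeoInfra::Config.new
 
+      unless @cfg.tag_policy.has_key? :nodes
+        puts "no policy set for nodes"
+        return {:error => "No nodes tag policy"}
+      end
+
       @cfg.accounts.each do |account|
         base_conf = {
           provider: 'AWS',
@@ -26,10 +31,9 @@ module NeoInfra
           new_conn = Fog::Compute.new(region_conf.merge(base_conf))
           new_conn.servers.all.each do |ec2|
             %i[required recommended].each do |a|
-              next unless @cfg.tag_policy.has_key? a
-              puts 'Foo'
-              next if (ec2.tags.keys.sort & @cfg.tag_policy[a].sort) == @cfg.tag_policy[a].sort
-              results[ec2.id].merge!("#{a}_missing_tags" => @cfg.tag_policy[a].sort - ec2.tags.keys.sort,
+              next unless @cfg.tag_policy[:nodes].has_key? a
+              next if (ec2.tags.keys.sort & @cfg.tag_policy[:nodes][a].sort) == @cfg.tag_policy[:nodes][a].sort
+              results[ec2.id].merge!("#{a}_missing_tags" => @cfg.tag_policy[:nodes][a].sort - ec2.tags.keys.sort,
                                      'tags' => ec2.tags.keys.sort,
                                      'account' => account[:name],
                                      'launched' => ec2.created_at,
@@ -41,5 +45,79 @@ module NeoInfra
       end
       results
     end
+
+    def audit_vpcs
+      results = Hash.new { |h, k| h[k] = {} }
+      aws = NeoInfra::Aws.new
+      @cfg = NeoInfra::Config.new
+
+      unless @cfg.tag_policy.has_key? :vpcs
+        puts "no policy set for vpcs"
+        return {:error => "No vpc tag policy"}
+      end
+
+      @cfg.accounts.each do |account|
+        base_conf = {
+          provider: 'AWS',
+          aws_access_key_id: account[:key],
+          aws_secret_access_key: account[:secret]
+        }
+        aws.regions.each do |region|
+          region_conf = { region: region }
+          # Get Instances
+          new_conn = Fog::Compute.new(region_conf.merge(base_conf))
+          new_conn.vpcs.all.each do |vpc|
+            %i[required recommended].each do |a|
+              # we don't do default vpcs
+              next if vpc.is_default
+              next unless @cfg.tag_policy[:vpcs].has_key? a
+              next if (vpc.tags.keys.sort & @cfg.tag_policy[:vpcs][a].sort) == @cfg.tag_policy[:vpcs][a].sort
+              results[vpc.id].merge!("#{a}_missing_tags" => @cfg.tag_policy[:vpcs][a].sort - vpc.tags.keys.sort,
+                                     'tags' => vpc.tags.keys.sort,
+                                     'account' => account[:name],
+                                     'region' => region)
+            end
+          end
+        end
+      end
+      results
+    end
+
+    def audit_subnets
+      results = Hash.new { |h, k| h[k] = {} }
+      aws = NeoInfra::Aws.new
+      @cfg = NeoInfra::Config.new
+
+      unless @cfg.tag_policy.has_key? :subnets
+        puts "no policy set for subnets"
+        return {:error => "No subnet tag policy"}
+      end
+
+      @cfg.accounts.each do |account|
+        base_conf = {
+          provider: 'AWS',
+          aws_access_key_id: account[:key],
+          aws_secret_access_key: account[:secret]
+        }
+        aws.regions.each do |region|
+          region_conf = { region: region }
+          # Get Instances
+          new_conn = Fog::Compute.new(region_conf.merge(base_conf))
+          new_conn.subnets.all.each do |subnet|
+            %i[required recommended].each do |a|
+              next if subnet.default_for_az
+              next unless @cfg.tag_policy[:subnets].has_key? a
+              next if (subnet.tag_set.keys.sort & @cfg.tag_policy[:subnets][a].sort) == @cfg.tag_policy[:subnets][a].sort
+              results[subnet.subnet_id].merge!("#{a}_missing_tags" => @cfg.tag_policy[:subnets][a].sort - subnet.tag_set.keys.sort,
+                                     'tags' => subnet.tag_set.keys.sort,
+                                     'account' => account[:name],
+                                     'region' => region)
+            end
+          end
+        end
+      end
+      results
+    end
+
   end
 end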
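Review bot: In `audit_vpcs` the `next if vpc.is_default` check sits inside the `%i[required recommended].each` loop and is re-evaluated once per policy level; it belongs directly in the `vpcs.all.each` body above the inner loop, and the same applies to `next if subnet.default_for_az` in `audit_subnets`. The guards at the top of both new methods (and the one added to `audit_nodes`) test only `tag_policy.has_key?`, so a `:vpcs:`/`:subnets:` key left empty in the YAML yields `nil` and `@cfg.tag_policy[:vpcs].has_key? a` raises NoMethodError instead of returning the `{:error => ...}` hash; `unless @cfg.tag_policy[:vpcs].is_a?(Hash)` covers both the missing and the empty case. Beyond that, the two methods are line-for-line copies of `audit_nodes` apart from the Fog collection, the id/tag accessors and the default-resource skip, which also means the hash carrying `aws_secret_access_key` is now assembled in three places; a private helper taking the policy key and a block that yields `[id, tags]` pairs per connection keeps the credential handling and the comparison logic in one spot, sketched below (`audit_nodes`, which additionally records `launched`, could move over once the block also returns that). The "# Get Instances" comment copied into both new methods is now wrong for VPCs and subnets and should be dropped or corrected.
```ruby
    def audit_vpcs
      audit_resources(:vpcs, "No vpc tag policy") do |conn|
        # default VPCs are out of scope for the tag policy
        conn.vpcs.all.reject(&:is_default).map { |vpc| [vpc.id, vpc.tags] }
      end
    end

    def audit_subnets
      audit_resources(:subnets, "No subnet tag policy") do |conn|
        conn.subnets.all.reject(&:default_for_az).map { |s| [s.subnet_id, s.tag_set] }
      end
    end

    private

    # Walks every configured account and region once; the block receives the
    # Fog::Compute connection and returns [id, tags] pairs to check against
    # tag_policy[kind]. Returns {:error => error_message} when no usable policy exists.
    def audit_resources(kind, error_message)
      results = Hash.new { |h, k| h[k] = {} }
      aws = NeoInfra::Aws.new
      @cfg = NeoInfra::Config.new
      policy = @cfg.tag_policy[kind]
      unless policy.is_a?(Hash)
        puts "no policy set for #{kind}"
        return { error: error_message }
      end

      @cfg.accounts.each do |account|
        # credentials are only ever assembled here
        base_conf = {
          provider: 'AWS',
          aws_access_key_id: account[:key],
          aws_secret_access_key: account[:secret]
        }
        aws.regions.each do |region|
          conn = Fog::Compute.new(base_conf.merge(region: region))
          yield(conn).each do |id, tags|
            present = tags.keys.sort
            %i[required recommended].each do |level|
              next unless policy.key?(level)
              wanted = policy[level].sort
              next if (present & wanted) == wanted
              results[id].merge!("#{level}_missing_tags" => wanted - present,
                                 'tags' => present,
                                 'account' => account[:name],
                                 'region' => region)
            end
          end
        end
      end
      results
    end
```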

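--- a/tasks/audit.rake
+++ b/tasks/audit.rake
@@ -7,6 +7,18 @@ namespace :audit do
     pp j.audit_nodes
   end
 
+  task :audit_vpcs do
+    puts 'auditing VPCs'
+    j = NeoInfra::Audit.new
+    pp j.audit_vpcs
+  end
+
+  task :audit_subnets do
+    puts 'auditing Subnets'
+    j = NeoInfra::Audit.new
+    pp j.audit_subnets
+  end
+
   desc 'Tag Audit'
-  task all: %i[audit_nodes]
+  task all: %i[audit_vpcs audit_subnets audit_nodes]
 end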
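Review bot: The new `audit_vpcs` and `audit_subnets` tasks carry no `desc`, so `rake -T` lists only `audit:all`; add `desc 'Audit VPC tags'` and `desc 'Audit subnet tags'` above them so they are discoverable on their own. Each task only `pp`s the return value, so the `{:error => "No vpc tag policy"}` hash that the audit methods return when a policy is missing is printed and the task still succeeds, which lets `audit:all` exit 0 having audited nothing; `abort("#{result[:error]}") if result.is_a?(Hash) && result.key?(:error)` after the `pp` would make that visible to whatever runs the task. Note that `audit:all` now creates a separate `NeoInfra::Audit` and sweeps every account and region three times in sequence.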