Merge pull request #256 from cloud-gov/overhaul

rcgottlieb · web-flow · commit bc1ea499d8cd · 2024-12-03T15:00:01.000-05:00
adding in the needed rules and cleaning up the debug info from the code
diff --git a/bosh/opsfiles/rules.yml b/bosh/opsfiles/rules.yml
@@ -42,14 +42,35 @@
   value:
     name: aws-iam-check-keys
     rules:
-    - alert: AWSIAMCheckKeys
-      expr: stale_key_num > 0
+    - alert: OperatorsStaleKeyWarning
+      expr: last_rotated_days{user_type="Operator"} >= 75 and last_rotated_days{user_type="Operator"} < 90
       labels:
         service: aws-iam
         severity: warning
       annotations:
-        summary: AWS IAM user {{$labels.user}} has stale IAM Key(s)
-        description: Look up the procedures for rotating the access keys
+        summary: IAM key for {$labels.user} will be expired within the next 15 days
+        description: "For Operators if the expiration is within 15 days\n"
+    - alert: PlatformApplicationStaleKeyWarning
+      expr: last_rotated_days{user_type="Platform"} >= 80 and last_rotated_days{user_type="Platform"} < 165 or last_rotated_days{user_type="Application"} >= 80 and last_rotated_days{user_type="Application"} < 165
+      labels:
+        severity: warning
+      annotations:
+        summary: IAM key for Platform or Application {$labels.user} will be expired within the next 15 days
+        description: "For Platform or Applications if the expiration is within 85 days\n"
+    - alert: OperatorsStaleKeyViolation
+      expr: last_rotated_days{user_type="Operator"} >= 90
+      labels:
+        severity: critical
+      annotations:
+        summary: IAM key for {$labels.user} is now expired
+        description: "For Operators if the key is expired\n"
+    - alert: PlatformApplicationStaleKeyViolation
+      expr: last_rotated_days{user_type="Platform"} >= 165 or last_rotated_days{user_type="Application"} >= 165
+      labels:
+        severity: critical
+      annotations:
+        summary: IAM key for {$labels.user} is now expired
+        description: "For Platform or Applications if the key is expired\n"
 
 # CloudWatch logs alerts
 - type: replace
diff --git a/ci/aws-iam-check-keys/find_stale_keys.py b/ci/aws-iam-check-keys/find_stale_keys.py
@@ -289,7 +289,6 @@ def del_key(key_dict: dict):
     are stale
     """
     gateway = f'{env.str("GATEWAY_HOST")}:{env.int("GATEWAY_PORT", 9091)}'
-    print(f'gateway in del_key is: {gateway}')
     del key_dict["days_since_rotation"]
     del key_dict["last_rotated"]
     del key_dict["key_num"]
@@ -304,13 +303,9 @@ def send_key(key_dict: dict, severity: str):
     Send the key(s) to the pushgateway client to let it determine if they
     are stale
     """
-    gateway = f"{env.str('GATEWAY_HOST')}:9091"
-    #print(gateway_test)
-    #gateway = f"{env.str('GATEWAY_HOST')}:{env.int('GATEWAY_PORT', 9091)}"
-    print(f"gateway in send_key: {gateway}")
+    gateway = f"{env.str('GATEWAY_HOST')}:{env.int('GATEWAY_PORT', 9091)}"
     registry = CollectorRegistry()
     days_since_rotation = key_dict["days_since_rotation"]
-    # user_type = key_dict["user_type"]
     del key_dict["days_since_rotation"]
 
     key_info = Gauge(
