Add ability to subscribe to DDoS detected alarms #386

markdboyd · 2024-09-19T21:39:24Z

Related to https://github.com/cloud-gov/private/issues/1097

Changes proposed in this pull request:

Add new alarm_notification_email that customers must specify for CDN w/dedicated WAF instances to receive notifications from Cloudwatch alarms
Add new Cloudwatch alarm when DDoS is detected on the protected CDN
Add dedicated SNS topic for sending notifications to the customer
Ensure that SNS topic and DDoS alarm are created when migrating CDN to CDN w/dedicated WAF plan
Add/update tests

Things to check

For any logging statements, is there any chance that they could be logging sensitive data?
Are log statements using a logging library with a logging level set? Setting a logging level means that log statements "below" that level will not be written to the output. For example, if the logging level is set to INFO and debugging statements are written with log.debug or similar, then they won't be written to the otput, which can prevent unintentional leaks of sensitive data.

Security considerations

No direct security considerations for the broker, but these changes will facilitate better security monitoring for customers

…model

… provision and update requests

…ce does not specify alarm notification email

…for CDN instances

…on-nullable

…en going from CDN to CDN dedicated WAF plan

…notification_email

…ification_email

…_alarm_name

…alarm & add test

…tion email

…oS alarms

…s are missing

…tion email

bengerman13 · 2024-09-20T18:47:03Z

broker/lib/cdn.py

    return service_instance.instance_type in [
        ServiceInstanceTypes.CDN.value,
        ServiceInstanceTypes.CDN_DEDICATED_WAF.value,
    ]


maybe late to be checking this, but why aren't we just using isinstance(service_intance, CDNServiceInstance)

Absolutely no reason. Is there an inherent benefit to one approach vs the other?

isinstance is a builtin, so I think it's a bit more idiomatic, and probably faster (although speed isn't really critical here - nobody would notice if this took seconds to perform, except during testing)

bengerman13 · 2024-09-20T18:47:43Z

broker/lib/cdn.py

+def is_cdn_dedicated_waf_instance(service_instance) -> bool:
+    return (
+        service_instance.instance_type == ServiceInstanceTypes.CDN_DEDICATED_WAF.value
+    )


same question here: why not just isinstance(service_instance, DedicatedCDNServiceInstance)

bengerman13 · 2024-09-20T18:51:57Z

broker/tasks/sns.py

+    operation = db.session.get(Operation, operation_id)
+    service_instance = operation.service_instance
+
+    operation.step_description = "Creating SNS notification topic"
+    flag_modified(operation, "step_description")
+    db.session.add(operation)
+    db.session.commit()


(not for this PR)
this pattern is repeated in almost every task, should we refactor it out?

markdboyd added 30 commits September 17, 2024 16:45

add alarm_notification_email field to CDNDedicatedWAFServiceInstance …

c6bb386

…model

add migration to create alarm_notification_email column

5b8a483

update documentation URL

c11552b

add logic to set alarm_notification_email on instance from params for…

c6d6af9

… provision and update requests

update logic for parsing alarm notification email

c5af748

add test for setting alarm_notification_email on API provision request

2899908

update provision logic to raise error if CDN with dedicatd WAF instan…

289e2c0

…ce does not specify alarm notification email

update CDN provision tests

682bbc5

refactor tests

127fed9

add tests for setting alarm notification email on API update request …

e5086c4

…for CDN instances

update migration for alarm_notification_email field to set field as n…

320bd61

…on-nullable

make alarm_notification_email field non-nullable

f423172

add condition to return error if alarm_notification_email is unset wh…

c650a34

…en going from CDN to CDN dedicated WAF plan

revert change to make alarm_notification_email non-nullable

a040bd7

revert change to make alarm_notification_email non-nullable

94867c1

refactor logic for updating CDN to CDN dedicated WAF instance

242c82d

update API tests for plan update from CDN to CDN dedicated WAF instance

b735ebe

update CDN to CDN dedicated WAF pipeline tests to properly set alarm_…

8d08e0b

…notification_email

update tests for CDN dedicated WAF provisin pipeline to set alarm_not…

468f2b2

…ification_email

refactor update logic

971a83b

add sns client

2ddfc9f

add sns_notification_topic_arn field

d39f8f9

stub out logic for task to creatE a DDosDetected alarm

8af3f25

add field for ddos_detected_cloudwatch_alarm_arn

f07f338

combine config fields into single field

0ba181f

update test helper to set alarm_notification_email on CDN plan update

f8f4fd1

refactor logic for create cloudwatch alarms

43708ea

change ddos_detected_cloudwatch_alarm_arn to ddos_detected_cloudwatch…

e4dce6e

…_alarm_name

add test stubber for SNS

15e9a7d

create basic test for create_ddos_detected_alarm

0ca0be8

markdboyd added 21 commits September 18, 2024 17:31

add test for creating ddos detection alarm

331fa22

add test for creating ddos alarm with tags

4e5dac2

create separate task for create_notification_topic

276ff1c

add tests for create_notification_topic

cec2477

raise error if there is no SNS topic ARN when creating DDoS detected …

ce1fb3a

…alarm & add test

add delete_ddos_detected_alarm task and tests

460cdce

refactor cloudwatch health check alarms to use user provided notifica…

22a4797

…tion email

remove NOTIFICATIONS_SNS_TOPIC_ARN config

da651b6

remove test for NOTIFICATIONS_SNS_TOPIC_ARN

8e9cf6b

add more tests for case of no topic provided

256d74b

add delete_notification_topic task and tests

182e2c2

add tasks to pipelines

993d13b

update CDN dedicated WAF provision pipeline tests for creating new DD…

0e2f55c

…oS alarms

update CDN dedicated WAF deprovision pipeline happy path

1b9dbc1

update delete_notification_topic task to handle missing topic

b03b8b4

update tests for CDN dedicated WAF deprovision pipeline when resource…

a7c65e4

…s are missing

update pipeline tests for updating CDN to CDN dedicated WAF instance

35d1a0c

update pipeline tests for CDN dedicated WAF to specify alarm notifica…

22b7e93

…tion email

update pipeline test alarm notification email

fa430a5

fix provision common checks test

21bbf94

fix update logic & update integration tests

84000a4

markdboyd marked this pull request as ready for review September 20, 2024 18:22

markdboyd requested a review from a team as a code owner September 20, 2024 18:22

remove success notifications from pipeline

7ef5cb7

bengerman13 approved these changes Sep 20, 2024

View reviewed changes

markdboyd merged commit 205f2aa into main Sep 20, 2024
1 check passed

markdboyd deleted the subscribe-shield-alarms branch September 20, 2024 18:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add ability to subscribe to DDoS detected alarms #386

Add ability to subscribe to DDoS detected alarms #386

markdboyd commented Sep 19, 2024 •

edited

Loading

bengerman13 Sep 20, 2024

markdboyd Sep 20, 2024

bengerman13 Sep 20, 2024

bengerman13 Sep 20, 2024

bengerman13 Sep 20, 2024

Add ability to subscribe to DDoS detected alarms #386

Add ability to subscribe to DDoS detected alarms #386

Conversation

markdboyd commented Sep 19, 2024 • edited Loading

Changes proposed in this pull request:

Things to check

Security considerations

bengerman13 Sep 20, 2024

Choose a reason for hiding this comment

markdboyd Sep 20, 2024

Choose a reason for hiding this comment

bengerman13 Sep 20, 2024

Choose a reason for hiding this comment

bengerman13 Sep 20, 2024

Choose a reason for hiding this comment

bengerman13 Sep 20, 2024

Choose a reason for hiding this comment

markdboyd commented Sep 19, 2024 •

edited

Loading