richadams/pd_aws_config_event_transformer.js

## pd_aws_config_event_transformer.js
// Parses AWS Config events from SNS and will raise PagerDuty incidents if resources
// go non-compliant, resolving the incident when they return to compliant.
//
// This file is intended to be used with a PagerDuty Custom Event Transformer.
// https://www.pagerduty.com/docs/guides/custom-event-transformer/
//
// Create a new Custom Event Transformer integration in PagerDuty, and subscribe it's
// Integration URL on the SNS Topic that you send AWS Config events to.
//
// You can see all the different notifications Config sends here:
// http://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html
//
// Note that there is currently no way to filter on the AWS side, so we have to
// do it here instead. All of then have the same "Type" field, so we need to look
// at the actual contents to determine if it's an event we care about.
//
// Compliance events will have a "newEvaluationResult" field, and resource information.
// If it lacks those, then it's not compliance related.
// You can see an example notification format here:
// http://docs.aws.amazon.com/config/latest/developerguide/example-config-rule-compliance-notification.html
//
// PD.fail(...) is used for any error cases. You will only see these messages if you have
// debug mode enabled in the event transformer, otherwise they are suppressed.

// Parse the rawBody into a JSON structure
var body = JSON.parse(PD.inputRequest.rawBody)

// If it's an SNS subscription confirmation, allow it through.
if (typeof body.SubscribeURL != "undefined")
{
  var normalized_event = {
    incident_key: "sns-subscription",
    event_type: PD.Trigger,
    description: "SNS topic subscription confirmation",
    details: body.SubscribeURL
  };
  PD.emitGenericEvents([normalized_event]);
}

// Message is double JSON encoded, so we need to parse it again.
var message = JSON.parse(body.Message);

// Extract resource information, this will be our incident key and identifier.
var resourceType = message.resourceType;
var resourceId   = message.resourceId;
var resourceKey  = resourceType + "/" + resourceId;

// If resource information is missing, then it's not an event we care about.
if (typeof resourceType == "undefined") { PD.fail("resourceType missing.") }
if (typeof resourceId == "undefined") { PD.fail("resourceId missing.") }

// If we don't have any new evaluation results, then this wasn't a compliance
// event, and was likely another type of message.
if (typeof message.newEvaluationResult == "undefined") { PD.fail("newEvaluationResult missing.") }

// Our action is based on the compliance type of the new result.
switch(message.newEvaluationResult.complianceType)
{
  // Has become non-compliant, raise an incident.
  // (We don't check oldEvaluationResult, as it could be a brand new resource without one)
  case "NON_COMPLIANT":
    var normalized_event = {
      incident_key: resourceKey,
      event_type: PD.Trigger,
      description: "Non-compliant AWS resource: " + resourceKey,
      details: message
    };
    PD.emitGenericEvents([normalized_event]);
    break;

  // Has become compliant, resolve any open incident for it.
  case "COMPLIANT":
    var normalized_event = {
      incident_key: resourceKey,
      event_type: PD.Resolve,
      description: "Compliant AWS resource: " + resourceKey,
      details: message
    };
    PD.emitGenericEvents([normalized_event]);
    break;

  // Resource was deleted, if there's an open incident, we should resolve it.
  case "NOT_APPLICABLE":
    var normalized_event = {
      incident_key: resourceKey,
      event_type: PD.Resolve,
      description: "AWS resource deleted: " + resourceKey,
      details: message
    };
    PD.emitGenericEvents([normalized_event]);
    break;

  // If there's insufficient data, then we also do nothing.
  case "INSUFFICIENT_DATA":
    PD.fail("Insufficient data to determine compliance.");
    break;

  // Catch-all
  default:
    PD.fail("Unknown compliance state: " + newResult);
}
	// Parses AWS Config events from SNS and will raise PagerDuty incidents if resources
	// go non-compliant, resolving the incident when they return to compliant.
	//
	// This file is intended to be used with a PagerDuty Custom Event Transformer.
	// https://www.pagerduty.com/docs/guides/custom-event-transformer/
	//
	// Create a new Custom Event Transformer integration in PagerDuty, and subscribe it's
	// Integration URL on the SNS Topic that you send AWS Config events to.
	//
	// You can see all the different notifications Config sends here:
	// http://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html
	//
	// Note that there is currently no way to filter on the AWS side, so we have to
	// do it here instead. All of then have the same "Type" field, so we need to look
	// at the actual contents to determine if it's an event we care about.
	//
	// Compliance events will have a "newEvaluationResult" field, and resource information.
	// If it lacks those, then it's not compliance related.
	// You can see an example notification format here:
	// http://docs.aws.amazon.com/config/latest/developerguide/example-config-rule-compliance-notification.html
	//
	// PD.fail(...) is used for any error cases. You will only see these messages if you have
	// debug mode enabled in the event transformer, otherwise they are suppressed.

	// Parse the rawBody into a JSON structure
	var body = JSON.parse(PD.inputRequest.rawBody)

	// If it's an SNS subscription confirmation, allow it through.
	if (typeof body.SubscribeURL != "undefined")
	{
	var normalized_event = {
	incident_key: "sns-subscription",
	event_type: PD.Trigger,
	description: "SNS topic subscription confirmation",
	details: body.SubscribeURL
	};
	PD.emitGenericEvents([normalized_event]);
	}

	// Message is double JSON encoded, so we need to parse it again.
	var message = JSON.parse(body.Message);

	// Extract resource information, this will be our incident key and identifier.
	var resourceType = message.resourceType;
	var resourceId = message.resourceId;
	var resourceKey = resourceType + "/" + resourceId;

	// If resource information is missing, then it's not an event we care about.
	if (typeof resourceType == "undefined") { PD.fail("resourceType missing.") }
	if (typeof resourceId == "undefined") { PD.fail("resourceId missing.") }

	// If we don't have any new evaluation results, then this wasn't a compliance
	// event, and was likely another type of message.
	if (typeof message.newEvaluationResult == "undefined") { PD.fail("newEvaluationResult missing.") }

	// Our action is based on the compliance type of the new result.
	switch(message.newEvaluationResult.complianceType)
	{
	// Has become non-compliant, raise an incident.
	// (We don't check oldEvaluationResult, as it could be a brand new resource without one)
	case "NON_COMPLIANT":
	var normalized_event = {
	incident_key: resourceKey,
	event_type: PD.Trigger,
	description: "Non-compliant AWS resource: " + resourceKey,
	details: message
	};
	PD.emitGenericEvents([normalized_event]);
	break;

	// Has become compliant, resolve any open incident for it.
	case "COMPLIANT":
	var normalized_event = {
	incident_key: resourceKey,
	event_type: PD.Resolve,
	description: "Compliant AWS resource: " + resourceKey,
	details: message
	};
	PD.emitGenericEvents([normalized_event]);
	break;

	// Resource was deleted, if there's an open incident, we should resolve it.
	case "NOT_APPLICABLE":
	var normalized_event = {
	incident_key: resourceKey,
	event_type: PD.Resolve,
	description: "AWS resource deleted: " + resourceKey,
	details: message
	};
	PD.emitGenericEvents([normalized_event]);
	break;

	// If there's insufficient data, then we also do nothing.
	case "INSUFFICIENT_DATA":
	PD.fail("Insufficient data to determine compliance.");
	break;

	// Catch-all
	default:
	PD.fail("Unknown compliance state: " + newResult);
	}