richadams · February 9, 2018 22:55 · AClarkie · Apr 14, 2021
diff --git a/pd_aws_config_event_transformer.js b/pd_aws_config_event_transformer.js
 // Parses AWS Config events from SNS and will raise PagerDuty incidents if resources
 // go non-compliant, resolving the incident when they return to compliant.
 //
 // This file is intended to be used with a PagerDuty Custom Event Transformer.
 // https://www.pagerduty.com/docs/guides/custom-event-transformer/
 // 
 // Create a new Custom Event Transformer integration in PagerDuty, and subscribe it's 
 // Integration URL on the SNS Topic that you send AWS Config events to.
 //
 // You can see all the different notifications Config sends here:
 // http://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html
 //
 // Note that there is currently no way to filter on the AWS side, so we have to
 // do it here instead. All of then have the same "Type" field, so we need to look
 // at the actual contents to determine if it's an event we care about.
 //
 // Compliance events will have a "newEvaluationResult" field, and resource information.
 // If it lacks those, then it's not compliance related.
 // You can see an example notification format here:
 // http://docs.aws.amazon.com/config/latest/developerguide/example-config-rule-compliance-notification.html
 //
 // PD.fail(...) is used for any error cases. You will only see these messages if you have
 // debug mode enabled in the event transformer, otherwise they are suppressed.

 // Parse the rawBody into a JSON structure
 var body = JSON.parse(PD.inputRequest.rawBody)

 // If it's an SNS subscription confirmation, allow it through.
 if (typeof body.SubscribeURL != "undefined")
 {
  var normalized_event = {
    incident_key: "sns-subscription",
    event_type: PD.Trigger,
    description: "SNS topic subscription confirmation",
    details: body.SubscribeURL
  };
  PD.emitGenericEvents([normalized_event]);
 }

 // Message is double JSON encoded, so we need to parse it again.
 var message = JSON.parse(body.Message);

 // Extract resource information, this will be our incident key and identifier.
 var resourceType = message.resourceType;
 var resourceId   = message.resourceId;
 var resourceKey  = resourceType + "/" + resourceId;

 // If resource information is missing, then it's not an event we care about.
 if (typeof resourceType == "undefined") { PD.fail("resourceType missing.") }
 if (typeof resourceId == "undefined") { PD.fail("resourceId missing.") }

 // If we don't have any new evaluation results, then this wasn't a compliance
 // event, and was likely another type of message.
 if (typeof message.newEvaluationResult == "undefined") { PD.fail("newEvaluationResult missing.") }

 // Our action is based on the compliance type of the new result.
 switch(message.newEvaluationResult.complianceType)
 {
  // Has become non-compliant, raise an incident.
  // (We don't check oldEvaluationResult, as it could be a brand new resource without one)
  case "NON_COMPLIANT":
    var normalized_event = {
      incident_key: resourceKey,
      event_type: PD.Trigger,
      description: "Non-compliant AWS resource: " + resourceKey,
      details: message
    };
    PD.emitGenericEvents([normalized_event]);
    break;

  // Has become compliant, resolve any open incident for it.
  case "COMPLIANT":
    var normalized_event = {
      incident_key: resourceKey,
      event_type: PD.Resolve,
      description: "Compliant AWS resource: " + resourceKey,
      details: message
    };
    PD.emitGenericEvents([normalized_event]);
    break;

  // Resource was deleted, if there's an open incident, we should resolve it.
  case "NOT_APPLICABLE":
    var normalized_event = {
      incident_key: resourceKey,
      event_type: PD.Resolve,
      description: "AWS resource deleted: " + resourceKey,
      details: message
    };
    PD.emitGenericEvents([normalized_event]);
    break;

  // If there's insufficient data, then we also do nothing.
  case "INSUFFICIENT_DATA":
    PD.fail("Insufficient data to determine compliance.");
    break;

  // Catch-all
  default:
    PD.fail("Unknown compliance state: " + newResult);
 }
	// Parses AWS Config events from SNS and will raise PagerDuty incidents if resources
	// go non-compliant, resolving the incident when they return to compliant.
	//
	// This file is intended to be used with a PagerDuty Custom Event Transformer.
	// https://www.pagerduty.com/docs/guides/custom-event-transformer/
	//
	// Create a new Custom Event Transformer integration in PagerDuty, and subscribe it's
	// Integration URL on the SNS Topic that you send AWS Config events to.
	//
	// You can see all the different notifications Config sends here:
	// http://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html
	//
	// Note that there is currently no way to filter on the AWS side, so we have to
	// do it here instead. All of then have the same "Type" field, so we need to look
	// at the actual contents to determine if it's an event we care about.
	//
	// Compliance events will have a "newEvaluationResult" field, and resource information.
	// If it lacks those, then it's not compliance related.
	// You can see an example notification format here:
	// http://docs.aws.amazon.com/config/latest/developerguide/example-config-rule-compliance-notification.html
	//
	// PD.fail(...) is used for any error cases. You will only see these messages if you have
	// debug mode enabled in the event transformer, otherwise they are suppressed.

	// Parse the rawBody into a JSON structure
	var body = JSON.parse(PD.inputRequest.rawBody)

	// If it's an SNS subscription confirmation, allow it through.
	if (typeof body.SubscribeURL != "undefined")
	{
	var normalized_event = {
	incident_key: "sns-subscription",
	event_type: PD.Trigger,
	description: "SNS topic subscription confirmation",
	details: body.SubscribeURL
	};
	PD.emitGenericEvents([normalized_event]);
	}

	// Message is double JSON encoded, so we need to parse it again.
	var message = JSON.parse(body.Message);

	// Extract resource information, this will be our incident key and identifier.
	var resourceType = message.resourceType;
	var resourceId = message.resourceId;
	var resourceKey = resourceType + "/" + resourceId;

	// If resource information is missing, then it's not an event we care about.
	if (typeof resourceType == "undefined") { PD.fail("resourceType missing.") }
	if (typeof resourceId == "undefined") { PD.fail("resourceId missing.") }

	// If we don't have any new evaluation results, then this wasn't a compliance
	// event, and was likely another type of message.
	if (typeof message.newEvaluationResult == "undefined") { PD.fail("newEvaluationResult missing.") }

	// Our action is based on the compliance type of the new result.
	switch(message.newEvaluationResult.complianceType)
	{
	// Has become non-compliant, raise an incident.
	// (We don't check oldEvaluationResult, as it could be a brand new resource without one)
	case "NON_COMPLIANT":
	var normalized_event = {
	incident_key: resourceKey,
	event_type: PD.Trigger,
	description: "Non-compliant AWS resource: " + resourceKey,
	details: message
	};
	PD.emitGenericEvents([normalized_event]);
	break;

	// Has become compliant, resolve any open incident for it.
	case "COMPLIANT":
	var normalized_event = {
	incident_key: resourceKey,
	event_type: PD.Resolve,
	description: "Compliant AWS resource: " + resourceKey,
	details: message
	};
	PD.emitGenericEvents([normalized_event]);
	break;

	// Resource was deleted, if there's an open incident, we should resolve it.
	case "NOT_APPLICABLE":
	var normalized_event = {
	incident_key: resourceKey,
	event_type: PD.Resolve,
	description: "AWS resource deleted: " + resourceKey,
	details: message
	};
	PD.emitGenericEvents([normalized_event]);
	break;

	// If there's insufficient data, then we also do nothing.
	case "INSUFFICIENT_DATA":
	PD.fail("Insufficient data to determine compliance.");
	break;

	// Catch-all
	default:
	PD.fail("Unknown compliance state: " + newResult);
	}