add new module for wallix bastion (#337)

docs/severity.md

@@ -61,6 +61,7 @@
 - [usage](#usage)
 - [kong](#kong)
 - [squid](#squid)
+- [wallix-bastion](#wallix-bastion)
 - [apache](#apache)
 - [cassandra-nodetool](#cassandra-nodetool)
 - [cassandra](#cassandra)
@@ -659,6 +660,15 @@
 |Squid total amount of requests|X|-|-|-|-|
 
 
+## wallix-bastion
+
+|Detector|Critical|Major|Minor|Warning|Info|
+|---|---|---|---|---|---|
+|Wallix-bastion heartbeat|X|-|-|-|-|
+|Wallix-bastion status|X|-|-|-|-|
+|Wallix-bastion total number of current sessions|-|X|X|-|-|
+
+
 ## apache
 
 |Detector|Critical|Major|Minor|Warning|Info|

modules/prometheus-exporter_wallix-bastion/README.md

@@ -0,0 +1,149 @@
+# WALLIX-BASTION SignalFx detectors
+
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+:link: **Contents**
+
+- [How to use this module?](#how-to-use-this-module)
+- [What are the available detectors in this module?](#what-are-the-available-detectors-in-this-module)
+- [How to collect required metrics?](#how-to-collect-required-metrics)
+  - [Examples](#examples)
+  - [Metrics](#metrics)
+- [Related documentation](#related-documentation)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+## How to use this module?
+
+This directory defines a [Terraform](https://www.terraform.io/) 
+[module](https://www.terraform.io/docs/modules/usage.html) you can use in your
+existing [stack](https://github.com/claranet/terraform-signalfx-detectors/wiki/Getting-started#stack) by adding a 
+`module` configuration and setting its `source` parameter to URL of this folder:
+
+```hcl
+module "signalfx-detectors-prometheus-exporter-wallix-bastion" {
+  source = "github.com/claranet/terraform-signalfx-detectors.git//modules/prometheus-exporter_wallix-bastion?ref={revision}"
+
+  environment   = var.environment
+  notifications = local.notifications
+}
+```
+
+Note the following parameters:
+
+* `source`: Use this parameter to specify the URL of the module. The double slash (`//`) is intentional  and required. 
+  Terraform uses it to specify subfolders within a Git repo (see [module
+  sources](https://www.terraform.io/docs/modules/sources.html)). The `ref` parameter specifies a specific Git tag in
+  this repository. It is recommended to use the latest "pinned" version in place of `{revision}`. Avoid using a branch 
+  like `master` except for testing purpose. Note that every modules in this repository are available on the Terraform 
+  [registry](https://registry.terraform.io/modules/claranet/detectors/signalfx) and we recommend using it as source 
+  instead of `git` which is more flexible but less future-proof.
+
+* `environment`: Use this parameter to specify the 
+  [environment](https://github.com/claranet/terraform-signalfx-detectors/wiki/Getting-started#environment) used by this 
+  instance of the module.
+  Its value will be added to the `prefixes` list at the start of the [detector 
+  name](https://github.com/claranet/terraform-signalfx-detectors/wiki/Templating#example).
+  In general, it will also be used in the `filtering` internal sub-module to [apply
+  filters](https://github.com/claranet/terraform-signalfx-detectors/wiki/Guidance#filtering) based on our default 
+  [tagging convention](https://github.com/claranet/terraform-signalfx-detectors/wiki/Tagging-convention) by default.
+
+* `notifications`: Use this parameter to define where alerts should be sent depending on their severity. It consists 
+  of a Terraform [object](https://www.terraform.io/docs/configuration/types.html#object-) where each key represents an 
+  available [detector rule severity](https://docs.signalfx.com/en/latest/detect-alert/set-up-detectors.html#severity) 
+  and its value is a list of recipients. Every recipients must respect the [detector notification 
+  format](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/detector#notification-format).
+  Check the [notification binding](https://github.com/claranet/terraform-signalfx-detectors/wiki/Notifications-binding) 
+  documentation to understand the recommended role of each severity.
+
+These 3 parameters alongs with all variables defined in [common-variables.tf](common-variables.tf) are common to all 
+[modules](../) in this repository. Other variables, specific to this module, are available in 
+[variables-gen.tf](variables-gen.tf).
+In general, the default configuration "works" but all of these Terraform 
+[variables](https://www.terraform.io/docs/configuration/variables.html) make it possible to 
+customize the detectors behavior to better fit your needs.
+
+Most of them represent usual tips and rules detailled in the 
+[guidance](https://github.com/claranet/terraform-signalfx-detectors/wiki/Guidance) documentation and listed in the 
+common [variables](https://github.com/claranet/terraform-signalfx-detectors/wiki/Variables) dedicated documentation.
+
+Feel free to explore the [wiki](https://github.com/claranet/terraform-signalfx-detectors/wiki) for more information about 
+general usage of this repository.
+
+## What are the available detectors in this module?
+
+This module creates the following SignalFx detectors which could contain one or multiple alerting rules:
+
+|Detector|Critical|Major|Minor|Warning|Info|
+|---|---|---|---|---|---|
+|Wallix-bastion heartbeat|X|-|-|-|-|
+|Wallix-bastion status|X|-|-|-|-|
+|Wallix-bastion total number of current sessions|-|X|X|-|-|
+
+## How to collect required metrics?
+
+This module uses metrics available from 
+the scraping of a server following the [OpenMetrics convention](https://openmetrics.io/) based on and compatible with [the Prometheus
+exposition format](https://github.com/prometheus/docs/blob/main/content/docs/instrumenting/exposition_formats.md#openmetrics-text-format).
+They are generally called "Prometheus Exporter" which can be fetched by both the [SignalFx Smart Agent](https://github.com/signalfx/signalfx-agent)
+thanks to its [prometheus exporter monitor](https://docs.signalfx.com/en/latest/integrations/agent/monitors/prometheus-exporter.html) and the
+[OpenTelemetry Collector](https://github.com/signalfx/splunk-otel-collector) using its [prometheus
+receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/prometheusreceiver) or its derivates.
+
+
+The detectors of this module uses metrics from the [wallix-bastion exporter prometheus](https://github.com/claranet/wallix_bastion_exporter).
+Check its documentation to install and configure it appropriately with your Wallix Bastion instance.
+
+### Examples
+
+Here is a sample configuration fragment for the [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/) agent using
+the [prometheusexec receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/prometheusexecreceiver).
+
+```yaml
+receivers:
+  prometheus_exec/wallix:
+    exec: /etc/otel/collector/scripts/wallix_bastion_exporter/wallix_bastion_exporter --listen-address ":{{port}}" --skip-verify
+    port: 9191
+    scrape_interval: 300s
+    env:
+      - name: WALLIX_USERNAME
+        value: monitoring
+      - name: WALLIX_PASSWORD
+        value: my_awesome_password
+processors:
+  filter/wallix:
+    metrics:
+      include:
+        match_type: regexp
+        metric_names:
+          - wallix_bastion.*
+  resourcedetection/internal:
+    detectors: [system, gce, ecs, ec2, azure]
+    # Useful in combination with the prometheus receivers which set `host.name` dimension from the scrapped url but we prefer to keep the hostname where the agent runs.
+    override: true
+service:
+  pipelines:
+    metrics/wallix:
+      receivers: [prometheus_exec/wallix]
+      processors: [resourcedetection/internal, filter/wallix, metricstransform/wallix]
+      exporters: [signalfx]
+```
+
+
+### Metrics
+
+
+Here is the list of required metrics for detectors in this module.
+
+* `squid_up`
+* `wallix_bastion_sessions`
+
+
+
+
+## Related documentation
+
+* [Terraform SignalFx provider](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs)
+* [Terraform SignalFx detector](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/detector)
+* [Wallix-Bastion](https://www.wallix.com/privileged-access-management)
+* [Prometheus Exporter for Wallix-Bastion](https://github.com/claranet/wallix_bastion_exporter)

modules/prometheus-exporter_wallix-bastion/common-filters.tf

@@ -0,0 +1 @@
+../../common/module/filters-prometheus-exporter.tf

modules/prometheus-exporter_wallix-bastion/common-locals.tf

@@ -0,0 +1 @@
+../../common/module/locals.tf

modules/prometheus-exporter_wallix-bastion/common-modules.tf

@@ -0,0 +1 @@
+../../common/module/modules.tf

modules/prometheus-exporter_wallix-bastion/common-variables.tf

@@ -0,0 +1 @@
+../../common/module/variables.tf

modules/prometheus-exporter_wallix-bastion/common-versions.tf

@@ -0,0 +1 @@
+../../common/module/versions.tf

modules/prometheus-exporter_wallix-bastion/conf/00-heartbeat.yaml

@@ -0,0 +1,13 @@
+module: wallix-bastion
+name: heartbeat
+
+transformation: true
+aggregation: true
+exclude_not_running_vm: true
+
+signals:
+  signal:
+    metric: squid_up
+
+rules:
+  critical:

modules/prometheus-exporter_wallix-bastion/conf/01-status.yaml

@@ -0,0 +1,15 @@
+module: wallix-bastion
+name: status
+
+transformation: true
+aggregation: true
+
+signals:
+  signal:
+    metric: squid_up
+
+rules:
+  critical:
+    threshold: 1
+    comparator: "<"
+    lasting_duration: "5m"

modules/prometheus-exporter_wallix-bastion/conf/02-sessions-limit.yaml

@@ -0,0 +1,20 @@
+module: wallix-bastion
+name: total number of current sessions
+id: current_sessions
+
+transformation: ".mean(over='5m')"
+aggregation: true
+
+signals:
+  signal:
+    metric: wallix_bastion_sessions
+    filter: "filter('status', 'current')"
+
+rules:
+  major:
+    threshold: 75
+    comparator: ">"
+  minor:
+    threshold: 50
+    comparator: ">"
+    dependency: major

modules/prometheus-exporter_wallix-bastion/conf/readme.yaml

@@ -0,0 +1,45 @@
+documentations:
+  - name: Wallix-Bastion
+    url: https://www.wallix.com/privileged-access-management
+  - name: Prometheus Exporter for Wallix-Bastion
+    url: https://github.com/claranet/wallix_bastion_exporter
+
+source_doc: |
+  The detectors of this module uses metrics from the [wallix-bastion exporter prometheus](https://github.com/claranet/wallix_bastion_exporter).
+  Check its documentation to install and configure it appropriately with your Wallix Bastion instance.
+
+  ### Examples
+  
+  Here is a sample configuration fragment for the [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/) agent using
+  the [prometheusexec receiver](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/receiver/prometheusexecreceiver).
+
+  ```yaml
+  receivers:
+    prometheus_exec/wallix:
+      exec: /etc/otel/collector/scripts/wallix_bastion_exporter/wallix_bastion_exporter --listen-address ":{{port}}" --skip-verify
+      port: 9191
+      scrape_interval: 300s
+      env:
+        - name: WALLIX_USERNAME
+          value: monitoring
+        - name: WALLIX_PASSWORD
+          value: my_awesome_password
+  processors:
+    filter/wallix:
+      metrics:
+        include:
+          match_type: regexp
+          metric_names:
+            - wallix_bastion.*
+    resourcedetection/internal:
+      detectors: [system, gce, ecs, ec2, azure]
+      # Useful in combination with the prometheus receivers which set `host.name` dimension from the scrapped url but we prefer to keep the hostname where the agent runs.
+      override: true
+  service:
+    pipelines:
+      metrics/wallix:
+        receivers: [prometheus_exec/wallix]
+        processors: [resourcedetection/internal, filter/wallix, metricstransform/wallix]
+        exporters: [signalfx]
+  ```
+

modules/prometheus-exporter_wallix-bastion/detectors-gen.tf

@@ -0,0 +1,91 @@
+resource "signalfx_detector" "heartbeat" {
+  name = format("%s %s", local.detector_name_prefix, "Wallix-bastion heartbeat")
+
+  authorized_writer_teams = var.authorized_writer_teams
+  teams                   = try(coalescelist(var.teams, var.authorized_writer_teams), null)
+  tags                    = compact(concat(local.common_tags, local.tags, var.extra_tags))
+
+  max_delay = 900
+
+  program_text = <<-EOF
+    from signalfx.detectors.not_reporting import not_reporting
+    signal = data('squid_up', filter=${local.not_running_vm_filters} and ${module.filtering.signalflow})${var.heartbeat_aggregation_function}${var.heartbeat_transformation_function}.publish('signal')
+    not_reporting.detector(stream=signal, resource_identifier=None, duration='${var.heartbeat_timeframe}', auto_resolve_after='${local.heartbeat_auto_resolve_after}').publish('CRIT')
+EOF
+
+  rule {
+    description           = "has not reported in ${var.heartbeat_timeframe}"
+    severity              = "Critical"
+    detect_label          = "CRIT"
+    disabled              = coalesce(var.heartbeat_disabled, var.detectors_disabled)
+    notifications         = coalescelist(lookup(var.heartbeat_notifications, "critical", []), var.notifications.critical)
+    runbook_url           = try(coalesce(var.heartbeat_runbook_url, var.runbook_url), "")
+    tip                   = var.heartbeat_tip
+    parameterized_subject = var.message_subject == "" ? local.rule_subject_novalue : var.message_subject
+    parameterized_body    = var.message_body == "" ? local.rule_body : var.message_body
+  }
+}
+
+resource "signalfx_detector" "status" {
+  name = format("%s %s", local.detector_name_prefix, "Wallix-bastion status")
+
+  authorized_writer_teams = var.authorized_writer_teams
+  teams                   = try(coalescelist(var.teams, var.authorized_writer_teams), null)
+  tags                    = compact(concat(local.common_tags, local.tags, var.extra_tags))
+
+  program_text = <<-EOF
+    signal = data('squid_up', filter=${module.filtering.signalflow})${var.status_aggregation_function}${var.status_transformation_function}.publish('signal')
+    detect(when(signal < ${var.status_threshold_critical}, lasting=%{if var.status_lasting_duration_critical == null}None%{else}'${var.status_lasting_duration_critical}'%{endif}, at_least=${var.status_at_least_percentage_critical})).publish('CRIT')
+EOF
+
+  rule {
+    description           = "is too low < ${var.status_threshold_critical}"
+    severity              = "Critical"
+    detect_label          = "CRIT"
+    disabled              = coalesce(var.status_disabled, var.detectors_disabled)
+    notifications         = coalescelist(lookup(var.status_notifications, "critical", []), var.notifications.critical)
+    runbook_url           = try(coalesce(var.status_runbook_url, var.runbook_url), "")
+    tip                   = var.status_tip
+    parameterized_subject = var.message_subject == "" ? local.rule_subject : var.message_subject
+    parameterized_body    = var.message_body == "" ? local.rule_body : var.message_body
+  }
+}
+
+resource "signalfx_detector" "current_sessions" {
+  name = format("%s %s", local.detector_name_prefix, "Wallix-bastion total number of current sessions")
+
+  authorized_writer_teams = var.authorized_writer_teams
+  teams                   = try(coalescelist(var.teams, var.authorized_writer_teams), null)
+  tags                    = compact(concat(local.common_tags, local.tags, var.extra_tags))
+
+  program_text = <<-EOF
+    signal = data('wallix_bastion_sessions', filter=filter('status', 'current') and ${module.filtering.signalflow})${var.current_sessions_aggregation_function}${var.current_sessions_transformation_function}.publish('signal')
+    detect(when(signal > ${var.current_sessions_threshold_major}, lasting=%{if var.current_sessions_lasting_duration_major == null}None%{else}'${var.current_sessions_lasting_duration_major}'%{endif}, at_least=${var.current_sessions_at_least_percentage_major})).publish('MAJOR')
+    detect(when(signal > ${var.current_sessions_threshold_minor}, lasting=%{if var.current_sessions_lasting_duration_minor == null}None%{else}'${var.current_sessions_lasting_duration_minor}'%{endif}, at_least=${var.current_sessions_at_least_percentage_minor}) and (not when(signal > ${var.current_sessions_threshold_major}, lasting=%{if var.current_sessions_lasting_duration_major == null}None%{else}'${var.current_sessions_lasting_duration_major}'%{endif}, at_least=${var.current_sessions_at_least_percentage_major}))).publish('MINOR')
+EOF
+
+  rule {
+    description           = "is too high > ${var.current_sessions_threshold_major}"
+    severity              = "Major"
+    detect_label          = "MAJOR"
+    disabled              = coalesce(var.current_sessions_disabled_major, var.current_sessions_disabled, var.detectors_disabled)
+    notifications         = coalescelist(lookup(var.current_sessions_notifications, "major", []), var.notifications.major)
+    runbook_url           = try(coalesce(var.current_sessions_runbook_url, var.runbook_url), "")
+    tip                   = var.current_sessions_tip
+    parameterized_subject = var.message_subject == "" ? local.rule_subject : var.message_subject
+    parameterized_body    = var.message_body == "" ? local.rule_body : var.message_body
+  }
+
+  rule {
+    description           = "is too high > ${var.current_sessions_threshold_minor}"
+    severity              = "Minor"
+    detect_label          = "MINOR"
+    disabled              = coalesce(var.current_sessions_disabled_minor, var.current_sessions_disabled, var.detectors_disabled)
+    notifications         = coalescelist(lookup(var.current_sessions_notifications, "minor", []), var.notifications.minor)
+    runbook_url           = try(coalesce(var.current_sessions_runbook_url, var.runbook_url), "")
+    tip                   = var.current_sessions_tip
+    parameterized_subject = var.message_subject == "" ? local.rule_subject : var.message_subject
+    parameterized_body    = var.message_body == "" ? local.rule_body : var.message_body
+  }
+}
+

modules/prometheus-exporter_wallix-bastion/outputs.tf

@@ -0,0 +1,15 @@
+output "current_sessions" {
+  description = "Detector resource for current_sessions"
+  value       = signalfx_detector.current_sessions
+}
+
+output "heartbeat" {
+  description = "Detector resource for heartbeat"
+  value       = signalfx_detector.heartbeat
+}
+
+output "status" {
+  description = "Detector resource for status"
+  value       = signalfx_detector.status
+}
+

modules/prometheus-exporter_wallix-bastion/tags.tf

@@ -0,0 +1,4 @@
+locals {
+  tags = ["prometheus-exporter", "wallix-bastion"]
+}
+