Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Updated query log_metric_filter_and_alarm #471

Merged
merged 6 commits into from
Dec 29, 2023
Merged

fix: Updated query log_metric_filter_and_alarm #471

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
2878a21
Updated query log_metric_filter_and_alarm
ronsh12 Dec 28, 2023
52e6889
Updated query log_metric_filter_and_alarm - snowflake
ronsh12 Dec 28, 2023
a73a225
Updated 1 query log_metric_filter_and_alarm - snowflake
ronsh12 Dec 28, 2023
58b6d96
Updated query 2 log_metric_filter_and_alarm - snowflake
ronsh12 Dec 29, 2023
6836472
Update 3 query
ronsh12 Dec 29, 2023
41822db
Update 4 query
ronsh12 Dec 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 19 additions & 6 deletions transformations/aws/macros/log_metric_filter_and_alarm.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,23 +36,36 @@ where t.is_multi_region_trail = TRUE

{% macro bigquery__log_metric_filter_and_alarm() %}
with af as (
select distinct a.arn, a.actions_enabled, ARRAY_TO_STRING(a.alarm_actions, ',') as alarm_actions, JSON_VALUE(m.MetricStat.Metric.MetricName) as metric_name -- TODO check
from {{ full_table_name("aws_cloudwatch_alarms") }} a, UNNEST(JSON_QUERY_ARRAY(metrics)) as m
select distinct a.arn, a.actions_enabled, ARRAY_TO_STRING(a.alarm_actions, ',') as alarm_actions, JSON_VALUE(m.MetricStat.Metric.MetricName) as metric_name
from {{ full_table_name("aws_cloudwatch_alarms") }} a,
UNNEST(JSON_QUERY_ARRAY(metrics)) as m
),
tes as (
select trail_arn from {{ full_table_name("aws_cloudtrail_trail_event_selectors") }}
where exists(
select * from UNNEST(JSON_QUERY_ARRAY(event_selectors)) as es
where JSON_VALUE(es.ReadWriteType) = 'All' and CAST( JSON_VALUE(es.IncludeManagementEvents) AS BOOL) = TRUE
)
or exists(
select * from UNNEST(JSON_QUERY_ARRAY(advanced_event_selectors)) as aes
where not exists (
select * from UNNEST(JSON_QUERY_ARRAY(aes.FieldSelectors)) as aes_fs
where JSON_VALUE(aes_fs.Field) = 'readOnly'
)
)
)
select
t.account_id,
t.region,
t.cloud_watch_logs_log_group_arn,
mf.filter_pattern as pattern
from {{ full_table_name("aws_cloudtrail_trails") }} t
inner join {{ full_table_name("aws_cloudtrail_trail_event_selectors") }} tes on t.arn = tes.trail_arn
inner join tes on t.arn = tes.trail_arn
inner join {{ full_table_name("aws_cloudwatchlogs_metric_filters") }} mf on mf.log_group_name = t.cloudwatch_logs_log_group_name
inner join af on mf.filter_name = af.metric_name
inner join {{ full_table_name("aws_sns_subscriptions") }} ss on ss.topic_arn in UNNEST(SPLIT(af.alarm_actions, ','))
inner join {{ full_table_name("aws_sns_subscriptions") }} ss on ss.topic_arn in UNNEST(SPLIT(af.alarm_actions, ','))
where t.is_multi_region_trail = TRUE
and CAST( JSON_VALUE(t.status.IsLogging) AS BOOL) = TRUE
and tes.include_management_events = TRUE
and tes.read_write_type = 'All'
and ss.arn like 'aws:arn:%'
{% endmacro %}

Expand Down