Jinja2 Templating Examples

Now that you have gone step by step through building custom messages with Jinja2 Templating, here are some examples of dynamic messages you can use in emails, Slack messages, and more.

Custom Messages

Ensure Tag Strategy is Enforced

A resource of type `{{resource.get_resource_type()}}` was discovered at
`{{resource.common.creation_timestamp}}` without the required *owner*
or *contact-email* tags. The resource name is `{{resource.get_resource_name()}}`.
It lives in account `{{resource.get_organization_service_name()}}`.

Instance Has More Than 4 Cores

`{{resource.name}}` has been created or discovered with more than 4 cores. This resource will cost `${{resource.get_daily_cost()}}`/day. The details are `{{resource.serialize(indent=2)}}`. If this instance isn't downsized or cleaned up, it will be deleted within 6 hours.

A Resource You Own Was Removed

The resource `{{resource.name}}`, which belongs to you, has been deleted. Details below:
`{{resource.serialize(indent=2)}}`

Instance With Public IP Has SSH Open To The World

Instance `{{resource.instance_id}}` is `{{resource.state}}` and has a
public IP address of `{{resource.public_ip_address}}`. This instance has
port 22 (SSH) exposed to the world, which is outside our security policy. Please
lock down the attached ACLs `{{resource.access_lists}}`, or this instance will be
deleted in 4 hours.

Bad ACL

Bad ACL found on `{{resource.name}}`. Please log in to investigate!

Expensive Instance was created or discovered

A very expensive instance `{{resource.get_resource_name()}}` created at
`{{resource.common.creation_timestamp}}` was found in account
`{{resource.get_organization_service_name()}}`. It costs
`${{resource.get_daily_cost()}}/day` and `${{resource.get_monthly_cost()}}/mo`.

Database Open to the World

An insecure database was identified with access open to the World.
The details of this resource are:
`{{resource.serialize(indent=2)}}`

Storage Container Public Access

An insecure storage container was identified with public permissions to the world.
The details of this resource are:
`{{resource.serialize(indent=2)}}`
The resource has the following tags:
`{{resource.serialize_tags(indent=2)}}`
This storage container is scheduled for deletion in 24 hours.
Please update security access rules to avoid the scheduled deletion.

CloudWatch Alarm has triggered

A CloudWatch Alarm has triggered. The data on the alarm is:
ID of the parent organization service (cloud): `{{resource.organization_service_id}}`
ID of alarm: `{{resource.alarm_id}}`
Name of Alarm: `{{resource.name}}`
ARN for the account where this alarm resides: `{{resource.provider_resource_id}}`
An optional, brief description of this alarm: `{{resource.description}}`
Namespace (container for CloudWatch metrics) of the alarm: `{{resource.namespace}}`
Name of the metric this alarm checks for: `{{resource.metric_name}}`
User defined threshold for this alarm: `{{resource.threshold}}`
Number of evaluation periods the metric is checked over before the alarm state is decided: `{{resource.evaluation_periods}}`
Alarm Type: `{{resource.state_value}}`
Alarm Reason: `{{resource.state_reason}}`
More data regarding this alarm: `{{resource.state_reason_data}}`

Database Instance has had Zero Connections in 14 days

Database instance `{{resource.name}}` has had no connections within 14 days. This database instance
resides in the `{{resource.get_organization_service_name()}}` account and has an endpoint of
`{{resource.endpoint_address}}`.
This resource will have a snapshot taken, will be stopped, and finally deleted after 7 days.

Instance Provisioned outside of AMI Whitelist

`{{resource.image_id}}` has been used to provision instance `{{resource.instance_id}}`
in `{{resource.organization_service_name}}`. This machine image is not permitted.
This instance will have a snapshot taken, and be terminated immediately.

User without MFA Enabled

`{{resource.get_resource_type()}}: {{resource.get_resource_name()}}` in account `{{resource.get_organization_service_name()}}` with account # `{{resource.get_organization_service().account_id}}` does not have MFA enabled.

Custom Policies

Bucket Encryption Policy

{
    "Version": "2012-10-17",
    "Id": "bucketpolicyid:{{event.resource.get_resource_name()}}",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{event.resource.get_resource_name()}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{event.resource.get_resource_name()}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
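A rendered policy should be checked before it is applied. The following added example (not part of this page or the product's own code) renders the Bucket Encryption Policy above with Jinja2 against a constructed `Resource` stub that models only `get_resource_name()`, parses the output as JSON, and shows how `StrictUndefined` turns a misspelled accessor into an error instead of silently emitting an empty bucket name in the ARN; the same pattern applies to the message templates above.

```python
import json
from jinja2 import Environment, StrictUndefined, UndefinedError

# The page's "Bucket Encryption Policy" template, trimmed to its second statement.
POLICY_TEMPLATE = """{
    "Version": "2012-10-17",
    "Id": "bucketpolicyid:{{event.resource.get_resource_name()}}",
    "Statement": [{
        "Sid": "DenyUnEncryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::{{event.resource.get_resource_name()}}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
    }]
}"""


class Resource:
    """Constructed stub for the platform's resource object (only the name accessor)."""

    def __init__(self, name):
        self._name = name

    def get_resource_name(self):
        return self._name


# StrictUndefined turns a misspelled accessor into an error instead of rendering
# it as an empty string, which would silently produce a policy for arn:aws:s3:::/*.
ENV = Environment(undefined=StrictUndefined)


def render_policy(bucket_name):
    """Render the policy for one bucket and return it parsed as JSON."""
    rendered = ENV.from_string(POLICY_TEMPLATE).render(
        event={"resource": Resource(bucket_name)})
    return json.loads(rendered)  # raises if the template emitted invalid JSON


def typo_is_caught(bucket_name):
    """True if a misspelled accessor fails loudly rather than rendering as ''."""
    try:
        ENV.from_string("{{event.resource.get_resorce_name()}}").render(
            event={"resource": Resource(bucket_name)})
    except UndefinedError:
        return True
    return False
```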

Bucket Lockdown Policy

{
    "Version": "2012-10-17",
    "Id": "bucketpolicyid:{{event.resource.get_resource_name()}}",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::{{event.resource.get_resource_name()}}/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "<insert IP range to block>"
                },
                "IpAddress": {
                    "aws:SourceIp": "<or insert IP range to allow>"
                }
            }
        }
    ]
}