Skip to main content

Read-only AWS reliability audit. Alarm-coverage assessment + real-usage urgency ranking for ECS, Lambda, RDS, Aurora, and SQS. Produces a self-contained HTML report.

Project description

opsfabric-discovery

PyPI License: MIT Python Downloads

Open-source AWS reliability audit. Produces a self-contained HTML report assessing CloudWatch alarm coverage across ECS, Lambda, RDS, Aurora, and SQS workloads — and ranks the gaps by real 30-day usage so you see which fixes matter this week. Runs locally; your data never leaves your laptop.

DiscoveryFabric is the audit layer of the OpsFabric reliability platform. The closed-source companion products — AlarmFabric (alarm remediation) and OpsFabric (incident response orchestration) — turn the audit findings into production-fixing automations. See docs/comparison.md for the full feature matrix.

See what your audit would look like — no AWS needed

Run it yourself in 30 seconds:

pip install opsfabric-discovery
opsfabric-discovery audit --demo
# → out/audit-demo.html  (open in any browser)

--demo runs against a baked-in synthetic dataset that exercises every feature of the audit (DEGRADED alarm detection, ALB→ECS bridge, urgency ranking from synthetic CloudWatch usage, business-vs-technical tabs). No AWS calls, no credentials needed. Same matching engine, same report — only the input is fake.

What it does

  • Discovers AWS resources via Resource Explorer 2 across one or all enabled regions.
  • Maps CloudWatch alarms to those resources using a five-strategy matcher (exact dimensions, ALB target-group bridge for ECS, namespace + partial dimensions, log-group → metric-filter linkage, naming heuristic).
  • Detects alarms that exist but won't notify (actions disabled / no SNS target / INSUFFICIENT_DATA) and surfaces them as DEGRADED — they don't count toward coverage.
  • Scores required-check coverage against the OpsFabric reliability baseline.
  • Fetches 30 days of CloudWatch usage per resource (read-only GetMetricData) and ranks the gaps by urgency — so a Lambda with a 55% error rate and no alarm jumps to the top, not a quiet function with a missing alarm.
  • Renders a self-contained HTML report (opens in any browser, prints reasonably, emailable as one attachment) plus JSON appendices.

Trust statement

  • Read-only. Calls only AWS describe / list APIs. Never creates, modifies, or deletes any resource.
  • Runs on your laptop. Your cloud data never leaves your machine. The only thing sent is anonymous, opt-out usage stats — a random install id, which command ran, a resource-count range, and your coverage score — with no account data and no cloud data. Disable anytime with --no-telemetry, OPSFABRIC_TELEMETRY=0, or DO_NOT_TRACK=1. Details: TELEMETRY.md.
  • Source is auditable. Open the installed Python files — every AWS call is visible in opsfabric_discovery/aws/, and the entire telemetry surface is one file, opsfabric_discovery/telemetry.py.
  • Minimum IAM permissions (read-only across the board): sts:GetCallerIdentity, ec2:DescribeRegions, resource-explorer-2:ListViews / GetView / Search, tag:GetResources, cloudwatch:DescribeAlarms, cloudwatch:ListMetrics, cloudwatch:GetMetricData, logs:DescribeLogGroups / DescribeMetricFilters, ecs:ListClusters / ListServices / DescribeServices / DescribeTaskDefinition, lambda:ListFunctions / GetFunction, rds:DescribeDBInstances / DescribeDBClusters, sqs:ListQueues / GetQueueAttributes. (cloudwatch:ListMetrics resolves each resource's real metric namespace/dimensions before scoring; GetMetricData fetches the 30-day usage signals for urgency ranking.)

Install

pip install opsfabric-discovery
opsfabric-discovery --help

Quickstart

Once installed, from any directory:

# Audit a profile from ~/.aws/credentials
opsfabric-discovery audit --profile prod --regions all --account-alias acme-prod

# Or via STS assume-role (cross-account)
opsfabric-discovery audit \
  --assume-role-arn arn:aws:iam::CUSTOMER_ACCOUNT:role/OpsFabricAuditor \
  --external-id agreed-secret \
  --regions all \
  --account-alias acme-prod

# Show OpsFabric product context (DiscoveryFabric / AlarmFabric / OpsFabric)
opsfabric-discovery --about

# Outputs land in ./out/ by default; override with --output-dir
ls out/
# audit-<account-id>-<YYYYMMDD>.html    ← open in any browser
# alarm-coverage-score.json
# alarm-coverage-missing.json
# resource-mapping.json
# all-resources.json
# audit-meta.json

Closing the gaps

DiscoveryFabric tells you what's missing. To close the gaps, you have two paths:

  1. DIY — open the audit report, click through to the AWS Console, author each missing CloudWatch alarm by hand. Free, but tedious; a mid-market fleet usually has 30–200 missing alarms.
  2. AlarmFabric — the OpsFabric remediation product. Reads this audit's JSON output, generates the alarms in your account via the same read-only role used for the audit (plus cloudwatch:PutMetricAlarm), and tags each alarm with its provenance for easy rollback. Typical turnaround: under one engineering day for a fleet of any size. Closed-source SaaS — opsfabric.ai or email vaishal2611@gmail.com.

Once the alarms start firing, OpsFabric handles the incident lifecycle: triage from Slack/CloudWatch/Jira, automated RCA, remediation suggestions, Confluence post-mortems, ticket close-out. Also closed-source SaaS.

The OSS audit is genuinely useful on its own. The paid products are a different layer — not a crippled version of the audit, just a different part of the reliability loop.

Open source vs commercial — feature matrix

Capability DiscoveryFabric (OSS) AlarmFabric (paid) OpsFabric (paid)
Read-only audit
Resource discovery (ECS / Lambda / RDS / Aurora / SQS)
Five-strategy alarm matching
DEGRADED alarm detection
Executive HTML report + JSON output
--demo synthetic walkthrough
Create missing alarms in your account
Tagged + reversible alarm provenance
SNS / PagerDuty / Opsgenie wiring
Scheduled / continuous audits
Slack-based incident triage
Automated RCA + remediation suggestions
Jira / Confluence incident lifecycle
Multi-tenant managed SaaS
Pricing Free (MIT) opsfabric.ai opsfabric.ai

See docs/comparison.md for the full version with one-paragraph explanations of each row.

About OpsFabric

We build reliability automation for AWS-heavy mid-market teams. DiscoveryFabric is open-source under the MIT license because the audit should be free — we make money on the remediation and incident-response automation. The OSS funnel and the SaaS funnel feed each other: a team runs the audit, sees their coverage is below baseline, and decides whether to fix the gaps themselves or have us do it.

Contributing

PRs welcome — see CONTRIBUTING.md for dev setup, test conventions, and what's in scope (resource types, matching strategies, output polish) vs out of scope (live alarm creation, runtime incident handling — those belong to the commercial products).

By participating, you agree to our Code of Conduct.

Support

Question type Where to go
Bug in the OSS audit tool GitHub issues — use the Bug Report template
Feature idea for the OSS audit GitHub issues — use the Feature Request template
Security issue Email vaishal2611@gmail.com (SECURITY.md)
Commercial AlarmFabric / OpsFabric questions Email vaishal2611@gmail.com

License

MIT — © 2026 Vaishal Shah / OpsFabric.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

opsfabric_discovery-0.6.0.tar.gz (203.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

opsfabric_discovery-0.6.0-py3-none-any.whl (88.6 kB view details)

Uploaded Python 3

File details

Details for the file opsfabric_discovery-0.6.0.tar.gz.

File metadata

  • Download URL: opsfabric_discovery-0.6.0.tar.gz
  • Upload date:
  • Size: 203.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.7

File hashes

Hashes for opsfabric_discovery-0.6.0.tar.gz
Algorithm Hash digest
SHA256 a045f002d448a764afdfc73c62b10faafdae5964ed6b5d41299995b7fcb6f00d
MD5 11763a466641fc6c472e6d53e6e9ee63
BLAKE2b-256 959cc0b41a0834243790a4b7a0eab152297af456e05157bd1355878e99ba4566

See more details on using hashes here.

File details

Details for the file opsfabric_discovery-0.6.0-py3-none-any.whl.

File metadata

File hashes

Hashes for opsfabric_discovery-0.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b039cb61fd82d8dc8a4982fd2f6bc58b7c491e0204ec40a103bfb75d9e6d8e55
MD5 4f032258f98462df3384864829463c4a
BLAKE2b-256 70607df8352f3008c50b82c99ffba32481ab96b7e8f219dabc33e40b5b6da2fd

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page