
tuf repo canary: Adds canary client, dockerfile, cloudformation template #490

Merged
merged 1 commit into from
Nov 11, 2019

Conversation

etungsten
Contributor

@etungsten etungsten commented Nov 7, 2019

Issue #, if available: Fixes #456

Description of changes:
Adds repo-canary client for retrieving & validating TUF repo metadata files and listed target files

Adds Dockerfile for building the repo-canary container image. Currently just directly mapping in the repo-canary client binary and the trusted root.json.

Adds Cloudformation template for setting up the TUF repo canary task, rules, alarms

Testing:

To build the tuf-repo-canary image, the repo-canary binary needs to first be built: cargo install --path . --force
And the metadata url and targets url need to be specified through build-args:

docker build --network=host --build-arg METADATA_BASE_URL=https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/metadata/ --build-arg TARGET_BASE_URL=https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/targets/  -t tuf-repo-canary .

Tested repo-canary locally and the sampled targets are reasonably random:

$ sudo ./target/release/repo-canary --metadata-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/metadata/ --target-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/targets/ --percentage-of-targets-to-retrieve 15
21:08:14 [ INFO] Loading TUF repo
21:08:14 [ INFO] Loaded TUF repo
21:08:14 [ INFO] Downloading 15% of listed targets
21:08:14 [ INFO] Downloading target: thar-x86_64-root.ext4.lz4
21:08:58 [ INFO] Downloading target: thar-x86_64-0.1.5-root.ext4.lz4
21:09:18 [ INFO] Downloading target: thar-x86_64-0.1.6-root.verity.lz4
$ sudo ./target/release/repo-canary --metadata-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/metadata/ --target-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/targets/ --percentage-of-targets-to-retrieve 15
21:09:20 [ INFO] Loading TUF repo
21:09:20 [ INFO] Loaded TUF repo
21:09:20 [ INFO] Downloading 15% of listed targets
21:09:21 [ INFO] Downloading target: thar-x86_64-0.2.1-root.ext4.lz4
21:09:35 [ INFO] Downloading target: thar-x86_64-0.1.4-boot.ext4.lz4
21:09:36 [ INFO] Downloading target: thar-x86_64-0.2.1-root.verity.lz4
$ sudo ./target/release/repo-canary --metadata-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/metadata/ --target-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/targets/ --percentage-of-targets-to-retrieve 15
21:09:41 [ INFO] Loading TUF repo
21:09:41 [ INFO] Loaded TUF repo
21:09:41 [ INFO] Downloading 15% of listed targets
21:09:41 [ INFO] Downloading target: thar-x86_64-0.1.5-boot.ext4.lz4
21:09:43 [ INFO] Downloading target: thar-x86_64-0.1.6-root.verity.lz4
21:09:43 [ INFO] Downloading target: thar-x86_64-0.2.1-root.verity.lz4
$ sudo ./target/release/repo-canary --metadata-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/metadata/ --target-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/targets/ --percentage-of-targets-to-retrieve 15
21:09:47 [ INFO] Loading TUF repo
21:09:48 [ INFO] Loaded TUF repo
21:09:48 [ INFO] Downloading 15% of listed targets
21:09:48 [ INFO] Downloading target: thar-x86_64-0.1.6-boot.ext4.lz4
21:09:49 [ INFO] Downloading target: thar-x86_64-0.1.4-root.verity.lz4
21:09:50 [ INFO] Downloading target: thar-x86_64-0.1.4-boot.ext4.lz4
$ sudo ./target/release/repo-canary --metadata-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/metadata/ --target-base-url https://d25d9m6x9pxh9h.cloudfront.net/45efedef4afe/targets/ --percentage-of-targets-to-retrieve 15
21:09:52 [ INFO] Loading TUF repo
21:09:53 [ INFO] Loaded TUF repo
21:09:53 [ INFO] Downloading 15% of listed targets
21:09:53 [ INFO] Downloading target: thar-x86_64-0.1.6-boot.ext4.lz4
21:09:53 [ INFO] Downloading target: manifest.json
21:09:53 [ INFO] Downloading target: thar-x86_64-0.2.1-root.ext4.lz4

Tested the Cloudformation stack and verified alarms by triggering alarms manually.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

}

/// Retrieves all targets listed in the TUF repo and monitor for any errors
fn retrieve_all_targets(repo: &Repository<'_>) -> Result<()> {
Contributor

As a side note, this could become a relatively expensive operation in the future. Our TUF repo is already about 1GB. Not a problem at the moment but depending on where or how often this canary is running maybe we should look at doing incremental checks as well.

Contributor Author

Tried addressing this with a new --percentage-of-targets-to-retrieve option.

@etungsten
Contributor Author

Addresses subset of @sam-aws 's comments:

Adds new option to repo-canary: --percentage-of-targets-to-retrieve that specifies percentage of target files to randomly sample and retrieve. Currently setting it to 50% of the targets.

@etungsten etungsten force-pushed the tuf-repo-canary branch 2 times, most recently from befa1a3 to 4d99742 on November 8, 2019 18:16
@etungsten
Contributor Author

Addresses @zmrow 's comment.

Updated so there's only one explicit call to process::exit from main()

extras/repo-canary/src/main.rs (outdated, resolved)
extras/repo-canary/src/main.rs (outdated, resolved)
@etungsten
Contributor Author

Addresses @iliana 's comments.

Representing custom exit codes via constants.
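The two design points raised in this thread, sampling only a percentage of the listed targets (which also bounds the cost that the earlier comment about the ~1GB repository worried about) and mapping every failure to a named exit code with exactly one `process::exit` in `main()`, can be shown in a self-contained form. The block below is an added example, not the PR's code and not the tough library's API: it uses no tough types, verifies targets by length only (a real client also checks the hashes recorded in targets.json), uses a small xorshift generator in place of the rand crate, and the exit-code values, the `fetch` stub and the target list are constructed for illustration.

```rust
// Added example (not the PR's own code): sample a percentage of a TUF
// repository's listed targets, verify each one against the metadata, and
// report the outcome through named exit codes from a single process::exit.
use std::collections::BTreeMap;
use std::fmt;
use std::process;

/// Exit codes reported by the canary, as named constants (values assumed).
pub const EXIT_OK: i32 = 0;
pub const EXIT_METADATA_ERROR: i32 = 64;
pub const EXIT_TARGET_ERROR: i32 = 65;

#[derive(Debug, PartialEq)]
pub enum CanaryError {
    /// The repository metadata could not be loaded or is unusable.
    Metadata(String),
    /// A target did not download or did not match the metadata.
    Target { name: String, reason: String },
}

impl fmt::Display for CanaryError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            CanaryError::Metadata(msg) => write!(f, "metadata error: {}", msg),
            CanaryError::Target { name, reason } => write!(f, "target {}: {}", name, reason),
        }
    }
}

impl CanaryError {
    /// Every error variant maps to one documented exit code.
    pub fn exit_code(&self) -> i32 {
        match self {
            CanaryError::Metadata(_) => EXIT_METADATA_ERROR,
            CanaryError::Target { .. } => EXIT_TARGET_ERROR,
        }
    }
}

/// Minimal xorshift64* generator so the example has no dependencies
/// (a real client would use the rand crate). The seed is caller-supplied.
pub struct XorShift(u64);

impl XorShift {
    pub fn new(seed: u64) -> Self {
        XorShift(if seed == 0 { 0x9E37_79B9_7F4A_7C15 } else { seed })
    }
    pub fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12;
        x ^= x << 25;
        x ^= x >> 27;
        self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
}

/// Picks `percentage`% of `names` (rounded up) with a partial Fisher-Yates
/// shuffle, so every target has the same chance of being selected and no
/// target is selected twice.
pub fn sample_targets(names: &[String], percentage: u8, rng: &mut XorShift) -> Vec<String> {
    let pct = percentage.min(100) as usize;
    let count = (names.len() * pct + 99) / 100;
    let mut pool: Vec<String> = names.to_vec();
    let mut chosen = Vec::with_capacity(count);
    for i in 0..count {
        let j = i + (rng.next_u64() as usize % (pool.len() - i));
        pool.swap(i, j);
        chosen.push(pool[i].clone());
    }
    chosen
}

/// Expected length in bytes per target name, as recorded in targets.json.
pub type TargetLengths = BTreeMap<String, usize>;

/// Downloads a random `percentage`% of the listed targets through `fetch`
/// and checks each against its recorded length. Returns the verified names
/// or the first failure.
pub fn retrieve_sampled_targets<F>(
    listed: &TargetLengths,
    percentage: u8,
    seed: u64,
    mut fetch: F,
) -> Result<Vec<String>, CanaryError>
where
    F: FnMut(&str) -> Option<Vec<u8>>,
{
    if listed.is_empty() {
        return Err(CanaryError::Metadata("targets.json lists no targets".into()));
    }
    let names: Vec<String> = listed.keys().cloned().collect();
    let mut rng = XorShift::new(seed);
    let mut verified = Vec::new();
    for name in sample_targets(&names, percentage, &mut rng) {
        let body = fetch(&name).ok_or_else(|| CanaryError::Target {
            name: name.clone(),
            reason: "download failed".into(),
        })?;
        let expected = listed[&name];
        if body.len() != expected {
            return Err(CanaryError::Target {
                name,
                reason: format!("length {} does not match metadata {}", body.len(), expected),
            });
        }
        verified.push(name);
    }
    Ok(verified)
}

/// Constructed sample metadata (names modelled on the PR's log output; the
/// lengths are made up for the example).
pub fn sample_metadata() -> TargetLengths {
    let mut m = TargetLengths::new();
    m.insert("manifest.json".into(), 512);
    m.insert("thar-x86_64-0.1.4-boot.ext4.lz4".into(), 4096);
    m.insert("thar-x86_64-0.1.5-root.ext4.lz4".into(), 8192);
    m.insert("thar-x86_64-0.1.6-root.verity.lz4".into(), 1024);
    m.insert("thar-x86_64-0.2.1-root.ext4.lz4".into(), 8192);
    m
}

/// The only process::exit lives here; all other code returns Result.
fn main() {
    let listed = sample_metadata();
    // Fetch stub standing in for HTTP: serves a body of the recorded length.
    let fetch = |name: &str| listed.get(name).map(|len| vec![0u8; *len]);
    let seed = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .map(|d| d.as_nanos() as u64)
        .unwrap_or(1);
    let code = match retrieve_sampled_targets(&listed, 50, seed, fetch) {
        Ok(names) => {
            println!("verified {} target(s): {:?}", names.len(), names);
            EXIT_OK
        }
        Err(e) => {
            eprintln!("canary failed: {}", e);
            e.exit_code()
        }
    };
    process::exit(code);
}
```

Because the sample is drawn without replacement, a 15% setting over 20 targets always yields exactly three distinct targets, and an alarm on the exit code distinguishes a metadata problem (64) from a target problem (65) without parsing the log output.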

@zmrow zmrow left a comment

Just a few comments!

I like the cleanup of the exit codes!

extras/repo-canary/src/main.rs (resolved)
infra/tuf-repo-canary/RepoCanary.template.yaml (outdated, resolved)
infra/tuf-repo-canary/RepoCanary.template.yaml (outdated, resolved)
extras/repo-canary/src/main.rs (resolved)
extras/repo-canary/src/main.rs (resolved)
@zmrow zmrow left a comment

🦃

@etungsten etungsten marked this pull request as ready for review November 8, 2019 21:56
@etungsten
Contributor Author

Adds a new cloudwatch alarm for actually monitoring for task start failures (e.g. no memory, failed to pull container from ECR) and not just invocation failures (IAM role permission issues).

@iliana
Contributor

iliana commented Nov 8, 2019

Just merged #496 with the error variant rename I mentioned in IRC, so you'll want to rebase.

@etungsten
Contributor Author

Rebase develop to bring in new tough changes.

Also adds separate log groups for different event rules.

@etungsten etungsten force-pushed the tuf-repo-canary branch 2 times, most recently from 577bd8b to 2c5dca0 on November 9, 2019 00:09
@etungsten
Contributor Author

etungsten commented Nov 9, 2019

Fixed some cloudformation event rules that weren't logging anything :/

Gah! Had a typo. Fixed typo in the push below

@etungsten etungsten force-pushed the tuf-repo-canary branch 2 times, most recently from e0e1127 to 4a997ff on November 9, 2019 17:30
@etungsten
Contributor Author

Referencing tough library directly from crates.io
Updated Dockerfile to build repo-canary binary for the TUF repo canary
Clean up unneeded dependencies in Cargo.toml

@zmrow zmrow left a comment

🔍

@etungsten
Contributor Author

etungsten commented Nov 11, 2019

Updated the period of the event rules to every 10 minutes

Adds repo-canary client for validating TUF repo metadata files and
downloads all listed targets.

Adds Dockerfile for building the repo-canary container image

Adds cloudformation template for setting up the TUF repo canary task,
rules, alarms
@etungsten
Contributor Author

Relocated the infra folder to under `tools/`

@etungsten etungsten merged commit 3cc9e45 into develop Nov 11, 2019
@etungsten etungsten deleted the tuf-repo-canary branch November 11, 2019 23:13
@iliana iliana added this to the v0.2.0 milestone Nov 19, 2019
Design repo canaries
4 participants