def get_ids(self) -> List[str]:
ret = []
if hasattr(self, 'id'):
ret.append(self.id)
if hasattr(self, 'ids'):
ret.extend(self.ids)
if len(ret) == 0:
# TODO: resolve configured msi
auth = self.get_auth_client()
if auth is not None:
self.get_logger().debug(
'auth client found: {}. auto-discovering Azure subscriptions'
.format(auth.__class__.__name__))
try:
# let's try to enumerate subscriptions
from azure.mgmt.subscription import SubscriptionClient
subscription_client = SubscriptionClient(auth.get_client())
ret.extend(
map(lambda s: s.subscription_id,
subscription_client.subscriptions.list()))
except Exception as e:
self.get_logger().debug(
'unable to auto-resolve Azure subscriptions as no auth_client found {}'
.format(e))
pass
else:
self.get_logger().debug(
'unable to auto-resolve Azure subscriptions as no auth_client found'
)
return ret
def __init__(
self,
specs_file: str,
subscription_name: str,
resource_group: str,
factory_name: str,
name: str,
environment: str,
):
self.resource_group = resource_group
self.factory_name = factory_name
self.name = name
self.environment = environment
self.credential = DefaultAzureCredential(
exclude_visual_studio_code_credential=True)
self.sub_client = SubscriptionClient(self.credential)
self.subscription_id = self._get_subscription_id(subscription_name)
self.adf_client = DataFactoryManagementClient(
self.credential, subscription_id=self.subscription_id)
self._specs = self._read_specs(specs_file, environment)
self._config = self._get_config()
self._verify_adf_setup()
def handler(event, context):
logger.info("Received event: " + json.dumps(event, sort_keys=True))
dynamodb = boto3.resource('dynamodb')
subscription_table = dynamodb.Table(os.environ['SUBSCRIPTION_TABLE'])
azure_secrets = get_azure_creds(os.environ['AZURE_SECRET_NAME'])
if azure_secrets is None:
raise Exception("Unable to extract Azure Credentials. Aborting...")
collected_subs = []
for tenant, credential_info in azure_secrets.items():
azure_creds = ServicePrincipalCredentials(
client_id=credential_info["application_id"],
secret=credential_info["key"],
tenant=credential_info["tenant_id"])
resource_client = SubscriptionClient(azure_creds)
for subscription in resource_client.subscriptions.list():
# Some subscrption ID's retured by the API are not queryable, this seems like a bug with MS API.
# There may also be a better way of determining this...
queryable = 'false'
if 'Access to Azure Active Directory' not in subscription.display_name:
# Keep track of all valid subscriptions
collected_subs.append(subscription.subscription_id)
queryable = 'true'
subscription_dict = {
"subscription_id":
subscription.subscription_id,
"display_name":
subscription.display_name,
"state":
subscription.state,
"SubscriptionClass":
json.loads(json.dumps(subscription, default=str)),
"tenant_id":
credential_info["tenant_id"],
"tenant_name":
tenant,
"queryable":
queryable
}
# Add subscriptions to DynamoDB subscriptions table.
create_or_update_subscription(subscription_dict,
subscription_table)
if collected_subs is None:
raise Exception("No Subscriptions found. Aborting...")
# Return only valid subscription ID's to be sent via SNS by inventory trigger function
event['subscription_list'] = collected_subs
return (event)
def connect(self, client_id: str = None, tenant_id: str = None, secret: str = None):
"""Authenticate with the SDK."""
# Use details of msticpyyaml if not provided
if client_id is None and tenant_id is None and secret is None:
data_provs = get_provider_settings(config_section="DataProviders")
az_cli_config = data_provs.get("AzureCLI")
# az_cli_config = config.settings.get("AzureCLI")
if not az_cli_config:
raise MsticpyAzureConfigError(
"No AzureCLI section found in configuration settings.",
title="no AzureCLI settings available.",
)
config_items = az_cli_config.args
try:
client_id = config_items["clientId"]
tenant_id = config_items["tenantId"]
secret = config_items["clientSecret"]
except KeyError as key_err:
key_name = key_err.args[0]
raise MsticpyAzureConfigError(
f"{key_name} is missing from AzureCLI section in your",
"configuration.",
title="missing f{key_name} settings for AzureCLI.",
) from key_err
# Create credentials and connect to the subscription client to validate
self.credentials = ServicePrincipalCredentials(
client_id=client_id, secret=secret, tenant=tenant_id
)
if not self.credentials:
raise CloudError("Could not obtain credentials.")
self.sub_client = SubscriptionClient(self.credentials)
if not self.sub_client:
raise CloudError("Could not create a Subscription client.")
self.connected = True
def connect(self,
client_id: str = None,
tenant_id: str = None,
secret: str = None):
"""Authenticate with the SDK."""
# Use details of msticpyyaml if not provided
if client_id is None and tenant_id is None and secret is None:
az_cli_config = config.settings.get("AzureCLI")
if not az_cli_config:
raise MsticpyAzureException(
"No AzureCLI configuration found in configuration settings."
)
config_items = az_cli_config["Args"]
client_id = config_items["clientId"]
tenant_id = config_items["tenantId"]
secret = config_items["clientSecret"]
# Create credentials and connect to the subscription client to validate
self.credentials = ServicePrincipalCredentials(client_id=client_id,
secret=secret,
tenant=tenant_id)
if not self.credentials:
raise CloudError("Could not obtain credentials.")
self.sub_client = SubscriptionClient(self.credentials)
if not self.sub_client:
raise CloudError("Could not create a Subscription client.")
self.connected = True
def get_subscription_info(credential):
return [[
sub.subscription_id,
MonitorManagementClient(credential=credential,
subscription_id=sub.subscription_id)
] for sub in SubscriptionClient(
credential=credential).subscriptions.list()]
def __init__(self, config: ops_web.config.Config, client_id: str, secret: str, tenant: str):
self.config = config
self.db = ops_web.db.Database(config)
self.credential = ClientSecretCredential(tenant_id=tenant, client_id=client_id, client_secret=secret)
self.subscriptions = {}
with SubscriptionClient(credential=self.credential) as client:
for sub in client.subscriptions.list():
self.subscriptions[sub.subscription_id] = sub.display_name
def list_subscriptions():
client = SubscriptionClient(CREDENTIALS)
# ignore disabled subscriptions
subs = [
sub.subscription_id for sub in client.subscriptions.list()
if sub.state.value == "Enabled"
]
return subs
def get(self, subscription_id):
"""
Gets detailed information on an individual subscription
:rtype: object
"""
subscription_client = SubscriptionClient(self.credentials, base_url=None)
sub_info = subscription_client.subscriptions.get(
subscription_id=subscription_id
)
return sub_info
def __init__(self):
load_dotenv()
self.credentials = AzureConnections().get_authenticated_client()
self.subscription_client = SubscriptionClient(self.credentials, base_url=None)
with change_dir(OPERATIONSPATH):
self.config = ConfigParser()
self.config.read(CONFVARIABLES)
logging_level = int(self.config['LOGGING']['level'])
logging.basicConfig(level=logging_level)
def az_connect(
auth_methods: List[str] = None,
silent: bool = False,
) -> AzCredentials:
"""
Connect to Azure SDK/API.
Parameters
----------
auth_methods : List[str], optional
List of authentication methods to try
Possible options are:
- "env" - to get authentication details from environment varibales
- "cli" - to use Azure CLI authentication details
- "msi" - to user Managed Service Indenity details
- "interactive" - to prompt for interactive login
Default is ["env", "cli", "msi", "interactive"]
silent : bool, optional
Set True to hide all output during connection, by default False
Returns
-------
AzCredentials
Named tuple of:
- legacy (ADAL) credentials
- modern (MSAL) credentials
Raises
------
CloudError
If chained token credential creation fails.
"""
# If using env options try to load from msticpy
data_provs = get_provider_settings(config_section="DataProviders")
az_cli_config = data_provs.get("AzureCLI")
auth_methods = auth_methods or default_auth_methods()
if az_cli_config and az_cli_config.args:
if "auth_methods" in az_cli_config.args:
auth_methods = az_cli_config.args.get("auth_methods")
if isinstance(auth_methods, list) and "env" in auth_methods:
os.environ["AZURE_CLIENT_ID"] = az_cli_config.args.get(
"clientId") or ""
os.environ["AZURE_TENANT_ID"] = az_cli_config.args.get(
"tenantId") or ""
os.environ["AZURE_CLIENT_SECRET"] = (
az_cli_config.args.get("clientSecret") or "")
credentials = az_connect_core(auth_methods=auth_methods, silent=silent)
sub_client = SubscriptionClient(credentials.modern) # type: ignore
if not sub_client:
raise CloudError("Could not create a Subscription client.")
return credentials
def connect(self, client_id: str = None, tenant_id: str = None, secret: str = None):
"""Authenticate with the SDK."""
if client_id is None and tenant_id is None and secret is None:
config_items = config.settings.get("AzureCLI")["Args"]
client_id = config_items["clientId"]
tenant_id = config_items["tenantId"]
secret = config_items["clientSecret"]
self.credentials = ServicePrincipalCredentials(
client_id=client_id, secret=secret, tenant=tenant_id
)
self.sub_client = SubscriptionClient(self.credentials)
self.connected = True
def get_locations(subscription_id,client_id,secret,tenant_id):
available_locations = []
try:
creds = ServicePrincipalCredentials(client_id=client_id, secret=secret, tenant=tenant_id)
subscription_client = SubscriptionClient(creds)
locations = subscription_client.subscriptions.list_locations(subscription_id)
for location in locations:
available_locations.append(location.name)
return available_locations,True
except Exception as e:
print(repr(e))
logger("Fetching available locations failed: "+str(e),"warning")
return available_locations, False
def extra_api(client_id, client_secret, tenant_id, env, verbose=False):
# utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
# check if it's prod or dev account
region_vm_dict = {}
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=client_secret,
tenant=tenant_id)
sub_groups = []
count = 0
# grab all all subscriptions that the credential are associated to
sub_client = SubscriptionClient(credentials)
sub_interator = sub_client.subscriptions.list()
for sub in sub_interator:
sub_groups.append(sub.subscription_id)
# grab all vm in all subs and sort them by region
for sub_id in sub_groups:
compute_client = ComputeManagementClient(credentials, sub_id)
vms_by_subs = compute_client.virtual_machines.list_all()
for vm in vms_by_subs:
count = count + 1
if vm.location not in region_vm_dict:
region_vm_dict[vm.location] = [vm.name]
else:
region_vm_dict[vm.location].append(vm.name)
# grab all vm in all the Azure VM scale sets
vms_scale_sets = compute_client.virtual_machine_scale_sets.list_all()
for vm_s_set in vms_scale_sets:
id_list = vm_s_set.id.split('/')
resource_group = id_list[4]
scale_set_name = vm_s_set.name
vmss = compute_client.virtual_machine_scale_set_vms.list(
resource_group, scale_set_name)
for vm in vmss:
count = count + 1
if vm.location not in region_vm_dict:
region_vm_dict[vm.location] = [vm.name]
else:
region_vm_dict[vm.location].append(vm.name)
#print vms
if verbose:
for region in region_vm_dict:
for vm in region_vm_dict[region]:
print('{0}: {1}'.format(region, vm))
print('Total number of VM in {0} Azure environment: {1}'.format(
env, count))
def connect(
self,
auth_methods: List = None,
silent: bool = False,
):
"""Authenticate with the SDK."""
self.credentials = az_connect(auth_methods=auth_methods, silent=silent)
if not self.credentials:
raise CloudError("Could not obtain credentials.")
self._check_client("sub_client")
self.sub_client = SubscriptionClient(self.credentials.legacy)
if not self.sub_client:
raise CloudError("Could not create a Subscription client.")
self.connected = True
def login(self):
print('\nLogging in...')
self.credentials = ServicePrincipalCredentials(
client_id=self.config.client_id,
secret=self.config.secret,
tenant=self.config.tenant_id,
)
print('(got credentials)')
subscription_client = SubscriptionClient(self.credentials)
subscription = next(subscription_client.subscriptions.list())
print('(found subscription)')
self.resource_client = ResourceManagementClient(
self.credentials, subscription.subscription_id)
print("(logged in)")
def list_displayname_and_id(self):
"""
Returns a list of subscriptions available to the credential
:rtype: object
:param creds:
:return:
"""
subscription_client = SubscriptionClient(self.credentials, base_url=None)
subscription_list = [
[subscription_item.display_name, subscription_item.subscription_id]
for subscription_item in subscription_client.subscriptions.list()
]
return subscription_list
def get_subscription_id(self, key_file, verbose):
credentials = self.get_auth(key_file, verbose)
subscription_id = ""
subscription_client = SubscriptionClient(credentials)
for item in subscription_client.subscriptions.list():
if not subscription_id:
subscription_id = item.subscription_id
elif verbose:
print("You have more than one subscription id, " + \
"using the first one returned; consider setting " + \
"subscription_id in configuration file")
return subscription_id
def _get_azure_client(self, type):
""" Create/cache/return an Azure client object """
if type in self._clients:
return self._clients[type]
status, _credentials = self._get_azure_credentials()
if type == 'postgresql':
client = PostgreSQLManagementClient(_credentials,
self.subscription_id)
elif type == 'resource':
client = ResourceManagementClient(_credentials,
self.subscription_id)
elif type == 'subscription':
client = SubscriptionClient(_credentials)
self._clients[type] = client
return self._clients[type]
def _check_subscription(self, credentials, account_name, subscription_id):
""" Checking the subscription state """
self.log(' Checking the subscription {} for account {}'.format(
subscription_id, account_name))
subscription_client = SubscriptionClient(credentials)
curr_subscription = subscription_client.subscriptions.get(
subscription_id)
subscription_info = curr_subscription.state
self.log(' Got the subscription state')
available_subscription = True
if subscription_info not in self.good_subscription_statuses:
available_subscription = False
self.log(' Checked the subscription availability')
return available_subscription, subscription_info
def list_regions(self):
"""
list the available regions in the alibaba
:return:
"""
try:
subscription_id = self.azure_subscription_id # your Azure Subscription Id
credentials = ServicePrincipalCredentials(
client_id=self.azure_client_id,
secret=self.azure_client_secret,
tenant=self.azure_tenant_id,
)
region_list = []
subscription_client = SubscriptionClient(credentials)
result = subscription_client.subscriptions.list_locations(subscription_id)
for region in result:
if hasattr(region, 'name'):
region_list.append(region.name)
return False, region_list
except Exception as e:
return True, e.message
def fetch_az_obj():
if "AZ_CLIENT" in os.environ and "AZ_SECRET" in os.environ and "AZ_TENANT" in os.environ:
credentials = ServicePrincipalCredentials(
client_id=os.environ["AZ_CLIENT"],
secret=os.environ["AZ_SECRET"],
tenant=os.environ["AZ_TENANT"])
elif "AZ_USER" in os.environ and "AZ_PASS" in os.environ:
credentials = UserPassCredentials(
os.environ["AZ_USER"],
os.environ["AZ_PASS"],
)
else:
print("ERROR: Missing credentials in environmental variables")
return
subscriptions = SubscriptionClient(credentials).subscriptions
root_obj = []
# subscriptions
for sub in subscriptions.list():
client = ResourceManagementClient(credentials, sub.subscription_id)
sub_obj = sub.as_dict()
sub_obj["resource_groups"] = []
root_obj.append(sub_obj)
# resource groups
for res_group in client.resource_groups.list():
res_group_obj = res_group.as_dict()
res_group_obj["resources"] = []
sub_obj["resource_groups"].append(res_group_obj)
# resources
for res in client.resources.list_by_resource_group(res_group.name):
res_group_obj["resources"].append(res.as_dict())
return root_obj
def setup_client(self):
subscription_id = self.SUBSCRIPTION_ID
credentials = ServicePrincipalCredentials(
client_id=self.AZURE_CLIENT_ID,
secret=self.AZURE_CLIENT_SECRET,
tenant=self.AZURE_TENANT_ID)
self.compute_client = ComputeManagementClient(credentials,
subscription_id)
self.billing_client = BillingManagementClient(credentials,
subscription_id)
self.subscription_client = SubscriptionClient(credentials,
base_url=None)
self.curr_subscription = self.subscription_client.subscriptions.get(
subscription_id)
self.curr_subscription_state = self.curr_subscription.state
self.P("Connected to subscription [{}]".format(subscription_id))
self.P(" Subscription status: {}".format(self.curr_subscription_state))
if self.curr_subscription_state not in self.good_statuses:
self.P("\nATTENTION: SUBSCRIPTION PROBLEM!!!\n")
return
)
sys.exit(0)
except:
sys.exit(0)
verify_env_variables()
# Set Azure AD credentials from the environment variables
credentials = ServicePrincipalCredentials(
client_id=os.environ['AZURE_CLIENT_ID'],
secret=os.environ['AZURE_CLIENT_SECRET'],
tenant=os.environ['AZURE_TENANT_ID'])
# Instantiate an instance of the Azure SDK Subscription Client
sub_client = SubscriptionClient(credentials)
# Read in required environment variables
d9_api_key = os.environ['D9_API_KEY']
d9_api_secret = os.environ['D9_API_SECRET']
az_tenant = os.environ['AZURE_TENANT_ID']
az_appid = os.environ['AZURE_CLIENT_ID']
az_appkey = os.environ['AZURE_CLIENT_SECRET']
# Set header parameters for Dome9 HTTP POST
headers = {'Content-Type': 'application/json', 'Accept': 'application/json'}
# Set the account mode for automatic Dome9 onboarding - values are Read (default) or Manage
d9_operation_mode = 'Read'
def _get_subscription(self, session_factory, config):
session = local_session(session_factory)
client = SubscriptionClient(session.get_credentials())
details = client.subscriptions.get(subscription_id=session.subscription_id)
return details.serialize(True)
def subscription(self) -> SubscriptionClient:
return SubscriptionClient(credential=self.credential)
def get_regions() -> List[Region]:
subscription = get_subscription()
client = SubscriptionClient(credential=get_identity())
locations = client.subscriptions.list_locations(subscription)
return sorted([Region(x.name) for x in locations])
def update_available_region_names():
# Authenticate to Azure Subscription Manager
sub_client = SubscriptionClient(
ServicePrincipalCredentials(client_id=os.environ["AZURE_CLIENT_ID"],
secret=os.environ["AZURE_CLIENT_SECRET"],
tenant=os.environ["AZURE_TENANT_ID"]))
# Get the list of locations accessible to this subscription.
sub_id = os.environ["AZURE_SUBSCRIPTION_ID"]
locations = sorted(
[x.name for x in sub_client.subscriptions.list_locations(sub_id)] +
regions_to_include)
locations = [x for x in locations if x not in regions_to_exclude]
# Get entities for all of the regions.
old_entities = table_service.query_entities(
table_name, filter="PartitionKey eq '{}'".format(part_deploy_region))
old_entities_dict = {x.RegionShortname: x for x in old_entities}
# Create a new list of entities for the table.
new_entities = []
for i, loc in enumerate(locations):
# Remove this region from the original list and table.
old_entity = old_entities_dict.pop(loc, {})
# Save the last successful run timestamp (if it exists).
last_succ_run = None
if "LastSuccessfulRun" in old_entity:
last_succ_run = old_entity.LastSuccessfulRun
# Create a new entity for this region (re-indexed).
new_entities.append(
Entity(PartitionKey=part_deploy_region,
RowKey=str(i + 1),
RegionShortname=loc,
LastSuccessfulRun=last_succ_run))
logging.debug("new_entities = {}".format(new_entities))
# If there are any entries left in old_entities_dict, then that means
# some regions that were live before are no longer live.
if len(old_entities_dict):
logging.debug(
"WARNING: The following regions seem to have been decomissioned:")
for k, v in old_entities_dict.items():
logging.debug("\t{}".format(k))
# Delete the old entities.
for oe in old_entities:
table_service.delete_entity(table_name, oe.PartitionKey, oe.RowKey)
# Add the new entities.
for ne in new_entities:
table_service.insert_entity(table_name, ne)
# Update the last region RowKey (the number of new entities).
last_rowkey_entity = table_service.get_entity(table_name,
part_table_control,
"NumberOfRegions")
last_rowkey_entity.pop("etag", None)
last_rowkey_entity.pop("Timestamp", None)
last_rowkey_entity.VALUE = EntityProperty(EdmType.INT32, len(new_entities))
logging.debug("last_rowkey_entity = {}".format(last_rowkey_entity))
table_service.update_entity(table_name, last_rowkey_entity)
sys.stdout.flush()
def start(self):
self.busy = True
threading.Thread(target=self.spinner_task, daemon=True).start()
def stop(self):
self.busy = False
time.sleep(self.delay)
if __name__ == "__main__":
print("\nGetting credentials.")
# get credentials and tenant_id
creds, subscription_id = credentials.get_azure_cli_credentials()
subscription_client = SubscriptionClient(creds)
tenant_ids = [tenant.id for tenant in subscription_client.tenants.list()]
if len(tenant_ids) != 1:
tenant_id = prompt_tenant_selection(tenant_ids)
else:
tenant_id = tenant_ids[0]
print("Input the desired names and values for your Azure resources. "\
"Default values are provided in the brackets. "\
"Hit enter to use default.")
kwargs = {
"region":
prompt_with_default("Azure Region", DefaultSettings.region),
"resource_group":
prompt_with_default("Resource Group Name",
DefaultSettings.resource_group),
from azure.identity import ClientSecretCredential
from azure.mgmt.security import SecurityCenter
from azure.mgmt.subscription import SubscriptionClient
from collections import Counter
client_id = os.environ["ARM_CLIENT_ID"]
secret = os.environ["ARM_CLIENT_SECRET"]
tenant = os.environ["TENANT_ID"]
CREDENTIALS = ClientSecretCredential(
client_id=client_id,
client_secret=secret,
tenant_id=tenant,
)
client = SubscriptionClient(CREDENTIALS)
compliance = []
alerts = []
for sub in client.subscriptions.list():
sub_id = f"/subscriptions/{sub.subscription_id}"
if sub.state == "Enabled":
try:
client = SecurityCenter(CREDENTIALS,
sub.subscription_id,
asc_location="westeurope")
for al in client.alerts.list():
alerts.append(f"{al.severity}-{al.alert_display_name}")