def test_generate_arn(self):
    """generate_arn assembles partition/service/region/account/type/resource
    with the defaults (empty region and account, '/' separator) when a
    field is not supplied."""
    cases = [
        (
            ("s3", "my_bucket"),
            {},
            "arn:aws:s3:::my_bucket",
        ),
        (
            ("cloudformation", "MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c"),
            {"region": "us-east-1", "account_id": "123456789012", "resource_type": "stack"},
            "arn:aws:cloudformation:us-east-1:123456789012:"
            "stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c",
        ),
        (
            ("rds", "mysql-option-group1"),
            {
                "region": "us-east-1",
                "account_id": "123456789012",
                "resource_type": "og",
                "separator": ":",
            },
            "arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1",
        ),
    ]
    for positional, keyword, expected in cases:
        self.assertEqual(utils.generate_arn(*positional, **keyword), expected)
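def cloudtrail_policy(original, bucket_name, account_id, bucket_region):
    '''add CloudTrail permissions to an S3 policy, preserving existing

    Produces a bucket-policy document containing the two statements the
    cloudtrail.amazonaws.com service principal needs (GetBucketAcl and
    PutObject with bucket-owner-full-control), merged with whatever
    statements ``original`` already carries. A statement is only added
    when no existing statement grants the same action.

    :param original: GetBucketPolicy result (dict with a ``Policy`` JSON
        string), or None when the bucket has no policy yet
    :param bucket_name: bucket the statements apply to
    :param account_id: accepted for interface compatibility; the generated
        statements do not reference it
    :param bucket_region: region passed through to generate_arn
    :return: the merged policy serialized with json.dumps
    '''
    bucket_arn = generate_arn(service='s3', resource=bucket_name, region=bucket_region)
    # NOTE(review): both grants use the bucket ARN as Resource. The bucket
    # policy CloudTrail documents scopes PutObject to an object path under
    # AWSLogs/<account id>/ — confirm the wider grant is intended.
    ct_actions = [
        {
            'Action': 's3:GetBucketAcl',
            'Effect': 'Allow',
            'Principal': {'Service': 'cloudtrail.amazonaws.com'},
            'Resource': bucket_arn,
            'Sid': 'AWSCloudTrailAclCheck20150319',
        },
        {
            'Action': 's3:PutObject',
            'Condition': {
                'StringEquals': {'s3:x-amz-acl': 'bucket-owner-full-control'},
            },
            'Effect': 'Allow',
            'Principal': {'Service': 'cloudtrail.amazonaws.com'},
            'Resource': bucket_arn,
            'Sid': 'AWSCloudTrailWrite20150319',
        },
    ]

    # parse original policy
    if original is None:
        policy = {
            'Statement': [],
            'Version': '2012-10-17',
        }
    else:
        policy = json.loads(original['Policy'])

    # IAM allows a single statement object in place of a list; normalize so
    # the append below works and the serialized output is always a list.
    statements = policy.get('Statement', [])
    if isinstance(statements, dict):
        statements = [statements]
    policy['Statement'] = statements

    # Collect every action already granted; Action may be a string or a
    # list of strings.
    present = set()
    for stmt in statements:
        action = stmt.get('Action')
        if isinstance(action, str):
            present.add(action)
        elif action:
            present.update(action)

    for cta in ct_actions:
        if cta['Action'] not in present:
            statements.append(cta)
    return json.dumps(policy)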
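def send_sns(self, message):
    """Publish ``message`` to the SNS topic configured on the transport.

    The transport's ``topic`` is formatted with the message's fields and
    may be either a bare topic name — resolved into an ARN from the
    message's ``account_id`` and ``region`` — or a full ARN, in which case
    the SNS client is created in the region encoded in the ARN. The body
    is produced by ``self.pack``; user-supplied ``attributes`` are sent as
    String message attributes, except that ``mtype`` is reserved for
    ``C7N_DATA_MESSAGE``.
    """
    transport = self.data['transport']
    topic = transport['topic'].format(**message)
    user_attributes = transport.get('attributes')
    if topic.startswith('arn:'):
        # arn:<partition>:sns:<region>:<account>:<topic> — field 3 is the region
        topic_arn = topic
        region = topic.split(':', 5)[3]
    else:
        region = message['region']
        topic_arn = utils.generate_arn(
            service='sns',
            resource=topic,
            account_id=message['account_id'],
            region=region,
        )
    client = self.manager.session_factory(
        region=region, assume=self.assume_role).client('sns')
    attrs = {
        'mtype': {
            'DataType': 'String',
            'StringValue': self.C7N_DATA_MESSAGE,
        },
    }
    # 'mtype' cannot be overridden by configuration; everything else is
    # passed through as a String attribute.
    for key, value in (user_attributes or {}).items():
        if key != 'mtype':
            attrs[key] = {'DataType': 'String', 'StringValue': value}
    client.publish(
        TopicArn=topic_arn, Message=self.pack(message), MessageAttributes=attrs)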
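def send_sns(self, message):
    """Publish ``message`` to the SNS topic configured on the transport.

    The transport's ``topic`` is formatted with the message's fields and
    may be either a bare topic name — resolved into an ARN from the
    message's ``account_id`` and ``region`` — or a full ARN, in which case
    the SNS client is created in the region encoded in the ARN. The body
    is produced by ``self.pack``; user-supplied ``attributes`` are sent as
    String message attributes, except that ``mtype`` is reserved for
    ``C7N_DATA_MESSAGE``.
    """
    transport = self.data['transport']
    topic = transport['topic'].format(**message)
    user_attributes = transport.get('attributes')
    if topic.startswith('arn:'):
        # arn:<partition>:sns:<region>:<account>:<topic> — field 3 is the region
        topic_arn = topic
        region = topic.split(':', 5)[3]
    else:
        region = message['region']
        topic_arn = utils.generate_arn(
            service='sns',
            resource=topic,
            account_id=message['account_id'],
            region=region,
        )
    client = self.manager.session_factory(
        region=region, assume=self.assume_role).client('sns')
    attrs = {
        'mtype': {
            'DataType': 'String',
            'StringValue': self.C7N_DATA_MESSAGE,
        },
    }
    # 'mtype' cannot be overridden by configuration; everything else is
    # passed through as a String attribute.
    for key, value in (user_attributes or {}).items():
        if key != 'mtype':
            attrs[key] = {'DataType': 'String', 'StringValue': value}
    client.publish(
        TopicArn=topic_arn, Message=self.pack(message), MessageAttributes=attrs)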
def get_arn(self, r):
    """Return the load-balancer ARN for resource record ``r``.

    Account id and region come from the manager config; the resource name
    is read from the record's id field declared on ``resource_type``.
    """
    lb_name = r[self.resource_type.id]
    return generate_arn(
        service='elasticloadbalancing',
        resource_type='loadbalancer',
        resource=lb_name,
        account_id=self.config.account_id,
        region=self.config.region,
    )
def test_generate_arn(self):
    """generate_arn fills partition/service/region/account/type/resource,
    leaving region and account empty and using '/' as the type separator
    unless told otherwise."""
    # (positional args, keyword args, expected ARN)
    expectations = (
        (('s3', 'my_bucket'), {}, 'arn:aws:s3:::my_bucket'),
        (('cloudformation', 'MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c'),
         dict(region='us-east-1', account_id='123456789012', resource_type='stack'),
         'arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c'),
        (('rds', 'mysql-option-group1'),
         dict(region='us-east-1', account_id='123456789012',
              resource_type='og', separator=':'),
         'arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1'),
    )
    for args, kw, want in expectations:
        got = utils.generate_arn(*args, **kw)
        self.assertEqual(got, want)
def test_generate_arn(self):
    """generate_arn fills partition/service/region/account/type/resource,
    leaving region and account empty and using '/' as the type separator
    unless told otherwise."""
    # (positional args, keyword args, expected ARN)
    expectations = (
        (('s3', 'my_bucket'), {}, 'arn:aws:s3:::my_bucket'),
        (('cloudformation', 'MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c'),
         dict(region='us-east-1', account_id='123456789012', resource_type='stack'),
         'arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c'),
        (('rds', 'mysql-option-group1'),
         dict(region='us-east-1', account_id='123456789012',
              resource_type='og', separator=':'),
         'arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1'),
    )
    for args, kw, want in expectations:
        got = utils.generate_arn(*args, **kw)
        self.assertEqual(got, want)
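def process_tags(db):
    """Attach the RDS tag list to ``db`` under ``Tags`` and return it.

    Uses the enclosing scope's ``session_factory``, ``model``, ``log`` and
    ``generate_arn``. An instance that disappeared between describe and
    the tag lookup gets an empty tag list; any other ClientError is logged
    and the record is dropped by returning None.
    """
    client = local_session(session_factory).client('rds')
    arn = generate_arn(db[model.id])
    tag_list = None
    try:
        tag_list = client.list_tags_for_resource(ResourceName=arn)['TagList']
    except ClientError as e:
        # a deleted instance is expected churn, not a failure
        if e.response['Error']['Code'] != 'DBInstanceNotFound':
            # lazy %-args: the message is only formatted if emitted
            log.warning("Exception getting rds tags \n %s", e)
            return None
    db['Tags'] = tag_list or []
    return db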
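def process_tags(db):
    """Attach the RDS tag list to ``db`` under ``Tags`` and return it.

    Uses the enclosing scope's ``session_factory``, ``model``, ``log`` and
    ``generate_arn``. An instance that disappeared between describe and
    the tag lookup gets an empty tag list; any other ClientError is logged
    and the record is dropped by returning None.
    """
    client = local_session(session_factory).client('rds')
    arn = generate_arn(db[model.id])
    tag_list = None
    try:
        tag_list = client.list_tags_for_resource(ResourceName=arn)['TagList']
    except ClientError as e:
        # a deleted instance is expected churn, not a failure
        if e.response['Error']['Code'] != 'DBInstanceNotFound':
            # lazy %-args: the message is only formatted if emitted
            log.warning("Exception getting rds tags \n %s", e)
            return None
    db['Tags'] = tag_list or []
    return db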
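def cloudtrail_policy(original, bucket_name, account_id, bucket_region):
    '''add CloudTrail permissions to an S3 policy, preserving existing

    Produces a bucket-policy document containing the two statements the
    cloudtrail.amazonaws.com service principal needs (GetBucketAcl and
    PutObject with bucket-owner-full-control), merged with whatever
    statements ``original`` already carries. A statement is only added
    when no existing statement grants the same action.

    :param original: GetBucketPolicy result (dict with a ``Policy`` JSON
        string), or None when the bucket has no policy yet
    :param bucket_name: bucket the statements apply to
    :param account_id: accepted for interface compatibility; the generated
        statements do not reference it
    :param bucket_region: region passed through to generate_arn
    :return: the merged policy serialized with json.dumps
    '''
    bucket_arn = generate_arn(
        service='s3', resource=bucket_name, region=bucket_region)
    # NOTE(review): both grants use the bucket ARN as Resource. The bucket
    # policy CloudTrail documents scopes PutObject to an object path under
    # AWSLogs/<account id>/ — confirm the wider grant is intended.
    ct_actions = [
        {
            'Action': 's3:GetBucketAcl',
            'Effect': 'Allow',
            'Principal': {'Service': 'cloudtrail.amazonaws.com'},
            'Resource': bucket_arn,
            'Sid': 'AWSCloudTrailAclCheck20150319',
        },
        {
            'Action': 's3:PutObject',
            'Condition': {
                'StringEquals': {'s3:x-amz-acl': 'bucket-owner-full-control'},
            },
            'Effect': 'Allow',
            'Principal': {'Service': 'cloudtrail.amazonaws.com'},
            'Resource': bucket_arn,
            'Sid': 'AWSCloudTrailWrite20150319',
        },
    ]

    # parse original policy
    if original is None:
        policy = {
            'Statement': [],
            'Version': '2012-10-17',
        }
    else:
        policy = json.loads(original['Policy'])

    # IAM allows a single statement object in place of a list; normalize so
    # the append below works and the serialized output is always a list.
    statements = policy.get('Statement', [])
    if isinstance(statements, dict):
        statements = [statements]
    policy['Statement'] = statements

    # Collect every action already granted; Action may be a string or a
    # list of strings.
    present = set()
    for stmt in statements:
        action = stmt.get('Action')
        if isinstance(action, str):
            present.add(action)
        elif action:
            present.update(action)

    for cta in ct_actions:
        if cta['Action'] not in present:
            statements.append(cta)
    return json.dumps(policy)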
def get_arn(self, r):
    """Return the load-balancer ARN for resource record ``r``.

    Account id and region come from the manager config; the resource name
    is read from the record's id field declared on ``resource_type``.
    """
    lb_name = r[self.resource_type.id]
    return generate_arn(
        service='elasticloadbalancing',
        resource_type='loadbalancer',
        resource=lb_name,
        account_id=self.config.account_id,
        region=self.config.region,
    )