 def test_generate_arn(self):
     """generate_arn builds ARNs for s3, cloudformation and rds resources."""
     # Bare bucket ARN: no region, no account id, no resource type.
     bucket_arn = utils.generate_arn('s3', 'my_bucket')
     self.assertEqual(bucket_arn, 'arn:aws:s3:::my_bucket')

     # Typed resource with the default separator ('/' between type and name).
     stack_id = 'MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c'
     stack_arn = utils.generate_arn(
         'cloudformation', stack_id,
         region='us-east-1', account_id='123456789012', resource_type='stack')
     self.assertEqual(
         stack_arn,
         'arn:aws:cloudformation:us-east-1:123456789012:stack/' + stack_id)

     # rds option groups use ':' between resource type and name.
     og_arn = utils.generate_arn(
         'rds', 'mysql-option-group1',
         region='us-east-1', account_id='123456789012',
         resource_type='og', separator=':')
     self.assertEqual(
         og_arn, 'arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1')
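def cloudtrail_policy(original, bucket_name, account_id, bucket_region):
    '''add CloudTrail permissions to an S3 policy, preserving existing

    Builds the two statements CloudTrail needs to deliver logs to a bucket
    (an ACL check and an object write, both granted only to the
    cloudtrail.amazonaws.com service principal) and appends whichever of
    them the bucket policy does not already carry.

    :param original: get-bucket-policy style result holding the serialized
        policy under ``'Policy'``, or None when the bucket has no policy.
    :param bucket_name: name of the bucket receiving CloudTrail logs.
    :param account_id: accepted for interface compatibility; not used here.
    :param bucket_region: region handed to generate_arn for the bucket ARN.
    :return: the merged policy serialized as a JSON string.
    :raises ValueError: if ``original['Policy']`` is not valid JSON.
    '''
    # Both statements target the same bucket ARN; build it once.
    bucket_arn = generate_arn(
        service='s3', resource=bucket_name, region=bucket_region)
    # NOTE(review): the write statement's Resource is the bare bucket ARN
    # from generate_arn; confirm that matches the object path CloudTrail
    # delivers to (account_id is available but unused here).
    ct_actions = [
        {
            'Action': 's3:GetBucketAcl',
            'Effect': 'Allow',
            'Principal': {'Service': 'cloudtrail.amazonaws.com'},
            'Resource': bucket_arn,
            'Sid': 'AWSCloudTrailAclCheck20150319',
        },
        {
            'Action': 's3:PutObject',
            # Only accept writes that hand object ownership to the bucket owner.
            'Condition': {
                'StringEquals': {'s3:x-amz-acl': 'bucket-owner-full-control'},
            },
            'Effect': 'Allow',
            'Principal': {'Service': 'cloudtrail.amazonaws.com'},
            'Resource': bucket_arn,
            'Sid': 'AWSCloudTrailWrite20150319',
        },
    ]
    # parse original policy
    if original is None:
        policy = {'Statement': [], 'Version': '2012-10-17'}
    else:
        policy = json.loads(original['Policy'])
    statements = policy.setdefault('Statement', [])
    # A policy may carry a single statement as a bare object instead of a
    # list; normalize so the scan below and the append both work.
    if isinstance(statements, dict):
        statements = [statements]
        policy['Statement'] = statements
    # 'Action' may be a string or a list of strings. A membership test on
    # the raw values misses the list form and re-adds a grant that already
    # exists, so flatten into a set first.
    existing_actions = set()
    existing_sids = set()
    for stmt in statements:
        action = stmt.get('Action')
        if isinstance(action, str):
            existing_actions.add(action)
        elif action is not None:
            existing_actions.update(action)
        if stmt.get('Sid'):
            existing_sids.add(stmt['Sid'])
    for cta in ct_actions:
        # Sid values must be unique within a policy, so a statement whose
        # Sid is already taken is skipped as well rather than duplicated.
        if cta['Action'] in existing_actions or cta['Sid'] in existing_sids:
            continue
        statements.append(cta)
    return json.dumps(policy)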
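 def send_sns(self, message):
     """Publish *message* to the SNS topic named in the transport config.

     ``transport.topic`` may be a bare topic name or a full topic ARN. It
     is first expanded with ``str.format(**message)`` so the configured
     value can reference message fields. A full ARN carries its own region
     (field 3 of the ARN) and is published to as given; a bare name is
     turned into an ARN in the message's region and account. Entries of
     ``transport.attributes`` are forwarded as String message attributes,
     except ``mtype``, which is reserved for ``C7N_DATA_MESSAGE``.

     :param message: dict holding at least ``region`` and ``account_id``
         (needed when the topic is a bare name) plus any fields the
         topic template references.
     :return: None; the only effect is the ``publish`` call.
     """
     transport = self.data['transport']
     topic = transport['topic'].format(**message)
     user_attributes = transport.get('attributes')
     if topic.startswith('arn:'):
         # arn:partition:service:region:account:resource -> index 3 is region
         region = topic.split(':', 5)[3]
         topic_arn = topic
     else:
         region = message['region']
         topic_arn = utils.generate_arn(service='sns',
                                        resource=topic,
                                        account_id=message['account_id'],
                                        region=region)
     client = self.manager.session_factory(
         region=region, assume=self.assume_role).client('sns')
     attrs = {
         'mtype': {
             'DataType': 'String',
             'StringValue': self.C7N_DATA_MESSAGE,
         },
     }
     if user_attributes:
         for k, v in user_attributes.items():
             # 'mtype' is owned by c7n; a configured value may not override it.
             if k != 'mtype':
                 attrs[k] = {'DataType': 'String', 'StringValue': v}
     client.publish(TopicArn=topic_arn,
                    Message=self.pack(message),
                    MessageAttributes=attrs)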
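 def send_sns(self, message):
     """Publish *message* to the SNS topic configured under ``transport``.

     The configured topic is expanded with ``str.format(**message)`` and
     may be either a full topic ARN (used as-is; its region is read from
     ARN field 3) or a bare name (resolved to an ARN in the message's
     region and account). ``transport.attributes`` are forwarded as
     String message attributes; ``mtype`` is reserved for
     ``C7N_DATA_MESSAGE`` and cannot be overridden.

     :param message: dict with ``region`` and ``account_id`` (needed for
         a bare topic name) plus any fields the topic template references.
     :return: None.
     """
     transport = self.data['transport']
     topic = transport['topic'].format(**message)
     user_attributes = transport.get('attributes')
     if topic.startswith('arn:'):
         # arn:partition:service:region:account:resource -> index 3 is region
         region = topic.split(':', 5)[3]
         topic_arn = topic
     else:
         region = message['region']
         topic_arn = utils.generate_arn(
             service='sns', resource=topic,
             account_id=message['account_id'],
             region=region)
     client = self.manager.session_factory(
         region=region, assume=self.assume_role).client('sns')
     attrs = {
         'mtype': {
             'DataType': 'String',
             'StringValue': self.C7N_DATA_MESSAGE,
         },
     }
     if user_attributes:
         for k, v in user_attributes.items():
             # 'mtype' is owned by c7n; a configured value may not override it.
             if k != 'mtype':
                 attrs[k] = {'DataType': 'String', 'StringValue': v}
     client.publish(
         TopicArn=topic_arn,
         Message=self.pack(message),
         MessageAttributes=attrs
     )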
 def get_arn(self, r):
     """Return the ARN of load balancer *r* in this manager's account and region.

     The load balancer name is read from the resource's id field
     (``self.resource_type.id``); account and region come from ``self.config``.
     """
     lb_name = r[self.resource_type.id]
     return generate_arn(
         service='elasticloadbalancing',
         resource_type='loadbalancer',
         resource=lb_name,
         account_id=self.config.account_id,
         region=self.config.region)
 def test_generate_arn(self):
     """generate_arn composes ARNs with and without account, region and type."""
     cases = [
         # (service, resource, kwargs, expected)
         ('s3', 'my_bucket', {}, 'arn:aws:s3:::my_bucket'),
         # default separator between resource type and name is '/'
         ('cloudformation',
          'MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c',
          {'region': 'us-east-1', 'account_id': '123456789012',
           'resource_type': 'stack'},
          'arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c'),
         # explicit ':' separator, as rds option groups use
         ('rds', 'mysql-option-group1',
          {'region': 'us-east-1', 'account_id': '123456789012',
           'resource_type': 'og', 'separator': ':'},
          'arn:aws:rds:us-east-1:123456789012:og:mysql-option-group1'),
     ]
     for service, resource, kwargs, expected in cases:
         self.assertEqual(
             utils.generate_arn(service, resource, **kwargs), expected)
 def test_generate_arn(self):
     """generate_arn handles bare, typed and ':'-separated resource ARNs."""
     account = '123456789012'
     region = 'us-east-1'

     # No account, region or resource type: empty ARN fields are kept.
     self.assertEqual(
         utils.generate_arn('s3', 'my_bucket'),
         'arn:aws:s3:::my_bucket')

     # Typed resource joined with the default '/' separator.
     stack = 'MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c'
     expected_stack = 'arn:aws:cloudformation:%s:%s:stack/%s' % (
         region, account, stack)
     self.assertEqual(
         utils.generate_arn('cloudformation', stack, region=region,
                            account_id=account, resource_type='stack'),
         expected_stack)

     # Typed resource joined with an explicit ':' separator.
     expected_og = 'arn:aws:rds:%s:%s:og:mysql-option-group1' % (
         region, account)
     self.assertEqual(
         utils.generate_arn('rds', 'mysql-option-group1', region=region,
                            account_id=account, resource_type='og',
                            separator=':'),
         expected_og)
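 def process_tags(db):
     """Attach the RDS tag list to *db* under ``'Tags'``.

     Resolves the instance ARN from its id field and fetches its tags.
     Returns the augmented dict, or None when the tag lookup fails: a
     ``DBInstanceNotFound`` error is treated as routine (the instance went
     away between listing and lookup) and stays silent; any other
     ClientError is logged at warning level first.
     """
     client = local_session(session_factory).client('rds')
     arn = generate_arn(db[model.id])
     try:
         tag_list = client.list_tags_for_resource(ResourceName=arn)['TagList']
     except ClientError as e:
         if e.response['Error']['Code'] != 'DBInstanceNotFound':
             # lazy %-args: the logger formats only if the record is emitted
             log.warning("Exception getting rds tags  \n %s", e)
         return None
     # The API may return an empty/missing list; normalize to [].
     db['Tags'] = tag_list or []
     return db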
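 def process_tags(db):
     """Populate ``db['Tags']`` from the RDS tag API and return *db*.

     On a ClientError the record is dropped (None is returned). A
     ``DBInstanceNotFound`` error is expected for instances deleted since
     they were listed and is not logged; other errors are logged as a
     warning before returning None.
     """
     client = local_session(session_factory).client('rds')
     arn = generate_arn(db[model.id])
     try:
         response = client.list_tags_for_resource(ResourceName=arn)
     except ClientError as e:
         if e.response['Error']['Code'] != 'DBInstanceNotFound':
             # lazy %-args: the logger formats only if the record is emitted
             log.warning("Exception getting rds tags  \n %s", e)
         return None
     # A missing or empty TagList becomes an empty list.
     db['Tags'] = response['TagList'] or []
     return db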
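def cloudtrail_policy(original, bucket_name, account_id, bucket_region):
    '''add CloudTrail permissions to an S3 policy, preserving existing

    Produces the ACL-check and object-write statements CloudTrail needs on
    a log bucket, both limited to the cloudtrail.amazonaws.com service
    principal, and appends only those the existing policy lacks.

    :param original: get-bucket-policy style result with the serialized
        policy under ``'Policy'``, or None when the bucket has no policy.
    :param bucket_name: name of the bucket CloudTrail writes to.
    :param account_id: accepted for interface compatibility; not used here.
    :param bucket_region: region handed to generate_arn for the bucket ARN.
    :return: the merged policy as a JSON string.
    :raises ValueError: if ``original['Policy']`` is not valid JSON.
    '''
    bucket_arn = generate_arn(
        service='s3', resource=bucket_name, region=bucket_region)
    # NOTE(review): the write grant targets the bare bucket ARN; confirm
    # that matches the object path CloudTrail delivers to (account_id is
    # available but unused here).
    ct_actions = [
        {
            'Action': 's3:GetBucketAcl',
            'Effect': 'Allow',
            'Principal': {'Service': 'cloudtrail.amazonaws.com'},
            'Resource': bucket_arn,
            'Sid': 'AWSCloudTrailAclCheck20150319',
        },
        {
            'Action': 's3:PutObject',
            # Only allow writes that give the bucket owner full control.
            'Condition': {
                'StringEquals':
                {'s3:x-amz-acl': 'bucket-owner-full-control'},
            },
            'Effect': 'Allow',
            'Principal': {'Service': 'cloudtrail.amazonaws.com'},
            'Resource': bucket_arn,
            'Sid': 'AWSCloudTrailWrite20150319',
        },
    ]
    # parse original policy
    if original is None:
        policy = {
            'Statement': [],
            'Version': '2012-10-17',
        }
    else:
        policy = json.loads(original['Policy'])
    statements = policy.setdefault('Statement', [])
    # A single statement may appear as a bare object; normalize to a list.
    if isinstance(statements, dict):
        statements = [statements]
        policy['Statement'] = statements
    existing_actions, existing_sids = _policy_grants(statements)
    for cta in ct_actions:
        # Skip grants already present, and also any Sid already in use:
        # Sid values must be unique within the policy.
        if cta['Action'] in existing_actions or cta['Sid'] in existing_sids:
            continue
        statements.append(cta)
    return json.dumps(policy)


def _policy_grants(statements):
    '''return the (actions, sids) already present in a statement list'''
    actions = set()
    sids = set()
    for stmt in statements:
        action = stmt.get('Action')
        # 'Action' is either a single string or a list of strings; flatten
        # so a membership test does not miss the list form.
        if isinstance(action, str):
            actions.add(action)
        elif action is not None:
            actions.update(action)
        sid = stmt.get('Sid')
        if sid:
            sids.add(sid)
    return actions, sids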
 def get_arn(self, r):
     """Build the ARN for load balancer *r* using this manager's account and region."""
     cfg = self.config
     # The resource's id field holds the load balancer name.
     return generate_arn(
         service='elasticloadbalancing',
         resource_type='loadbalancer',
         resource=r[self.resource_type.id],
         account_id=cfg.account_id,
         region=cfg.region,
     )