Ejemplo n.º 1
 def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
     """Flush metrics, reset the session cache and close the log/output sinks.

     The three arguments are the context-manager exception triple; they are
     forwarded unchanged to the nested ``__exit__`` calls.
     """
     exc_info = (exc_type, exc_value, exc_traceback)
     self.metrics.flush()
     # Clear the policy-execution thread-local session cache.
     # NOTE(review): presumably this also keeps sessions created for this run
     # from being reused by a later one -- confirm in reset_session_cache.
     reset_session_cache()
     log_sink = self.cloudwatch_logs
     if log_sink:
         log_sink.__exit__(*exc_info)
         # Drop the reference once the handler has been closed.
         self.cloudwatch_logs = None
     out = self.output
     if out:
         out.__exit__(*exc_info)
Ejemplo n.º 2
 def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
     """Leave the execution context.

     Order of operations: flush ``self.metrics``, reset the session cache,
     close ``self.cloudwatch_logs`` (when set) and then ``self.output``
     (when set), passing the exception triple through to both.
     """
     self.metrics.flush()
     # Thread-local session cache used during policy execution is cleared here.
     reset_session_cache()
     if self.cloudwatch_logs:
         self.cloudwatch_logs.__exit__(
             exc_type, exc_value, exc_traceback)
         self.cloudwatch_logs = None
     if not self.output:
         return
     self.output.__exit__(exc_type, exc_value, exc_traceback)
Ejemplo n.º 3
def tag_org_account(account, region, db, creator_tag, user_suffix, dryrun, type):
    """Invoke ``tag.callback`` for one account/region pair.

    Logs the account being processed, obtains a session from ``get_session``
    (passing "c7n-trailcreator" as its second argument), exports the mapping
    returned by ``_get_env_creds`` through ``environ`` for the duration of
    the call, and returns whatever ``tag.callback`` returns.
    """
    log.info("processing account:%s id:%s region:%s",
             account['name'], account['account_id'], region)
    account_session = get_session(account, "c7n-trailcreator", region)
    credential_env = _get_env_creds(account_session, region)
    with environ(**credential_env):
        try:
            outcome = tag.callback(
                None, region, db, creator_tag, user_suffix, dryrun,
                summary=False, type=type)
        finally:
            # Runs on success and on failure, before the environment
            # overrides are removed by the enclosing ``with``.
            reset_session_cache()
    return outcome
Ejemplo n.º 4
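def environ(**kw):
    """Temporarily export ``kw`` into ``os.environ``.

    Yields ``os.environ`` with the overrides applied. On exit the overrides
    are removed, the snapshot taken on entry is written back, and the
    session cache is reset.

    NOTE(review): only a bare generator is visible here; it is presumably
    wrapped by ``contextlib.contextmanager`` on a line outside this
    listing -- confirm.
    """
    current_env = dict(os.environ)

    try:
        # Applied inside the try so that a failure part-way through (for
        # example a non-string value) still triggers the cleanup below.
        for k, v in kw.items():
            os.environ[k] = v
        yield os.environ
    finally:
        for k in kw:
            # pop() instead of del: if the body already removed an override,
            # del raises KeyError here, which skips the restore and the cache
            # reset and leaves the remaining overrides (e.g. credentials)
            # exported in the process environment.
            os.environ.pop(k, None)
        os.environ.update(current_env)
        reset_session_cache()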
Ejemplo n.º 5
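def environ(**kw):
    """Run a block with ``kw`` exported as environment variables.

    The generator snapshots ``os.environ``, applies the overrides, yields
    ``os.environ`` and, when resumed or closed, removes the overrides,
    re-applies the snapshot and resets the session cache.

    NOTE(review): the decorator that turns this generator into a context
    manager is not visible in this listing -- confirm it is present.
    """
    snapshot = dict(os.environ)

    try:
        # Setting the overrides inside the try guarantees cleanup even if
        # one of the assignments raises.
        os.environ.update(kw)
        yield os.environ
    finally:
        # Tolerate overrides the body has already unset. A plain ``del``
        # would raise KeyError and abort the cleanup, so temporary values
        # such as credentials could stay exported and cached sessions
        # would not be reset.
        for name in kw:
            os.environ.pop(name, None)
        os.environ.update(snapshot)
        reset_session_cache()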
Ejemplo n.º 6
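 def process(self, resources, event=None):
     """Filter ``resources`` on membership of ``ImageId`` in a collected image set.

     For every entry in ``self.data['accounts']`` the session factory's
     ``assume_role`` is pointed at that entry and the sets returned by
     ``_pull_ec2_images`` and ``_pull_asg_images`` are merged. With
     ``value`` true (the default) resources whose ``ImageId`` is NOT in the
     merged set are returned; otherwise those whose ``ImageId`` is in it.
     """
     original_assume = self.manager.ctx.session_factory.assume_role
     images = set()
     try:
         for account in self.data.get('accounts', []):
             # Reset before switching roles so the lookups below do not run
             # against a session cached for the previous role.
             reset_session_cache()
             self.manager.ctx.session_factory.assume_role = account
             images.update(self._pull_ec2_images().union(
                 self._pull_asg_images()))
     finally:
         # Restore the caller's role even when a lookup raises; otherwise the
         # shared session factory stays pointed at another account's role and
         # later work in this process would run under it.
         reset_session_cache()
         self.manager.ctx.session_factory.assume_role = original_assume
     if self.data.get('value', True):
         return [r for r in resources if r['ImageId'] not in images]
     return [r for r in resources if r['ImageId'] in images]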
Ejemplo n.º 7
 def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
     """Flush metrics and close the log and output sinks.

     The session cache is reset only when the ``C7N_TEST_RUN`` environment
     variable is set to a non-empty value.
     """
     exc_info = (exc_type, exc_value, exc_traceback)
     self.metrics.flush()
     # The thread-local session cache is cleared here only for test runs.
     # IMPORTANT: multi-account execution (c7n-org and others) must reset
     # it manually. Resetting on every exit would mean excessive memory
     # usage from client reconstruction.
     running_tests = os.environ.get('C7N_TEST_RUN')
     if running_tests:
         reset_session_cache()
     log_sink = self.cloudwatch_logs
     if log_sink:
         log_sink.__exit__(*exc_info)
         self.cloudwatch_logs = None
     out = self.output
     if out:
         out.__exit__(*exc_info)
Ejemplo n.º 8
 def assume_member(self, event):
     """Switch the policy's session factory to the member account for ``event``.

     Returns True when a member role, member account id and region were all
     available and the switch was made; False otherwise.
     """
     # A configured member role means we are running out of the master
     # account and must assume back into the member for policy execution.
     role_template = self.policy.data['mode'].get('member-role')
     member_id = self.get_member_account_id(event)
     region = self.get_member_region(event)
     if not (role_template and member_id and region):
         return False

     # In the master account one hot lambda may be multiplexed across several
     # member accounts, one per event/invocation, so the cached session is
     # reset before the factory is re-pointed.
     # NOTE(review): member_id is derived from the event and interpolated
     # into the role string; presumably get_member_account_id constrains it
     # to expected accounts -- confirm.
     member_role = role_template.format(account_id=member_id)
     utils.reset_session_cache()
     self.policy.options['account_id'] = member_id
     factory = self.policy.session_factory
     factory.region = region
     factory.assume_role = member_role
     self.policy.log.info("Assuming member role: %s", member_role)
     return True
Ejemplo n.º 9
 def assume_member(self, event):
     """Re-target policy execution at the member account described by ``event``.

     The ``member-role`` template from the policy's ``mode`` is formatted with
     the member account id. The session cache is then reset and the policy
     options and session factory are updated. Returns a bool saying whether
     that happened.
     """
     # With a member role defined we are being run out of the master and
     # need to assume back into the member for policy execution.
     configured_role = self.policy.data['mode'].get('member-role')
     member_id = self.get_member_account_id(event)
     region = self.get_member_region(event)
     switched = bool(configured_role and member_id and region)
     if switched:
         # The master account may multiplex one hot lambda across multiple
         # member accounts, one per event/invocation.
         # NOTE(review): the account id comes from the event; verify that
         # get_member_account_id only yields accounts this function is
         # meant to operate on.
         resolved_role = configured_role.format(account_id=member_id)
         utils.reset_session_cache()
         self.policy.options['account_id'] = member_id
         self.policy.session_factory.region = region
         self.policy.session_factory.assume_role = resolved_role
         self.policy.log.info(
             "Assuming member role: %s", resolved_role)
     return switched
Ejemplo n.º 10
    def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
        """Finish a policy execution: record metadata and close sub-contexts.

        Emits a ``PolicyException`` count metric when an exception is being
        propagated and ``self.metrics`` is truthy, writes ``metadata.json``,
        then closes api stats, metrics/logs/output (inside an ``output``
        tracer subsegment) and the tracer itself.
        """
        exc_info = (exc_type, exc_value, exc_traceback)
        failed = exc_type is not None
        if failed and self.metrics:
            self.metrics.put_metric('PolicyException', 1, "Count")
        self.policy._write_file(
            'metadata.json', dumps(self.get_metadata(), indent=2))
        self.api_stats.__exit__(*exc_info)

        with self.tracer.subsegment('output'):
            self.metrics.flush()
            self.logs.__exit__(*exc_info)
            self.output.__exit__(*exc_info)

        # The tracer is closed without the exception triple.
        self.tracer.__exit__()

        self.session_factory.policy_name = None
        # IMPORTANT: multi-account execution (c7n-org and others) must reset
        # the session cache manually. It is reset here only for test runs,
        # because resetting on every exit causes excessive memory usage from
        # client reconstruction for dynamic-gen sdks.
        if os.environ.get('C7N_TEST_RUN'):
            reset_session_cache()
Ejemplo n.º 11
    def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
        """Close the execution context after a policy run.

        The exception triple is forwarded to ``api_stats``, ``logs`` and
        ``output``. The session cache is reset only when ``C7N_TEST_RUN`` is
        set in the environment.
        """
        if self.metrics and exc_type is not None:
            self.metrics.put_metric('PolicyException', 1, "Count")
        self.policy._write_file('metadata.json',
                                dumps(self.get_metadata(), indent=2))
        self.api_stats.__exit__(exc_type, exc_value, exc_traceback)

        with self.tracer.subsegment('output'):
            self.metrics.flush()
            for sink in (self.logs, self.output):
                sink.__exit__(exc_type, exc_value, exc_traceback)

        self.tracer.__exit__()

        self.session_factory.policy_name = None
        # IMPORTANT: callers doing multi-account execution (c7n-org and
        # others) need to reset the session cache themselves. Doing it here
        # unconditionally means excessive memory usage from client
        # reconstruction for dynamic-gen sdks, so it is limited to test runs.
        in_test_run = os.environ.get('C7N_TEST_RUN')
        if in_test_run:
            reset_session_cache()
Ejemplo n.º 12
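def run(event, context, subscription_id=None):
    """Load the function's policy config and push ``event`` through each policy.

    Args:
        event: the triggering event, forwarded to each policy's ``push``.
        context: mapping that provides the ``config_file`` and ``auth_file``
            paths; it is also forwarded to ``push``.
        subscription_id: when not None, stored as ``account_id`` in the options.

    Returns:
        False when the config is empty or has no policies, True otherwise.
    """
    # policies file should always be valid in functions so do loading naively
    with open(context['config_file']) as f:
        policy_config = json.load(f)

    if not policy_config or not policy_config.get('policies'):
        log.error('Invalid policy config')
        return False

    # NOTE(review): when the first policy defines execution-options this is
    # the same dict object held by policy_config, so the assignments below
    # also modify the loaded config.
    options_overrides = \
        policy_config['policies'][0].get('mode', {}).get('execution-options', {})

    # setup our auth file location on disk
    options_overrides['authorization_file'] = context['auth_file']

    # if output_dir specified use that, otherwise make a temp directory
    if 'output_dir' not in options_overrides:
        options_overrides['output_dir'] = get_tmp_output_dir()

    # merge all our options in
    options = Config.empty(**options_overrides)

    if subscription_id is not None:
        options['account_id'] = subscription_id

    load_resources(StructureParser().get_resource_types(policy_config))

    try:
        options = Azure().initialize(options)

        policies = PolicyCollection.from_data(policy_config, options)
        if policies:
            for p in policies:
                try:
                    p.push(event, context)
                except (CloudError, AzureHttpError) as error:
                    log.error("Unable to process policy: %s :: %s",
                              p.name, error)
    finally:
        # Reset even when a policy raises something other than the two
        # handled error types, so a session cached for this subscription is
        # not left behind for a later invocation in the same process.
        reset_session_cache()
    return True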
Ejemplo n.º 13
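def run(event, context, subscription_id=None):
    """Execute every policy in the function's config file against ``event``.

    Args:
        event: the triggering event, passed to ``push`` on each policy.
        context: mapping with ``config_file`` and ``auth_file`` entries; also
            passed to ``push``.
        subscription_id: optional value written to ``options['account_id']``.

    Returns:
        False if the loaded config is empty or lists no policies, else True.
    """
    # policies file should always be valid in functions so do loading naively
    with open(context['config_file']) as f:
        policy_config = json.load(f)

    if not policy_config or not policy_config.get('policies'):
        log.error('Invalid policy config')
        return False

    # NOTE(review): if execution-options exists in the config, this name is
    # bound to that very dict, so the writes below alter policy_config too.
    options_overrides = \
        policy_config['policies'][0].get('mode', {}).get('execution-options', {})

    # setup our auth file location on disk
    options_overrides['authorization_file'] = context['auth_file']

    # if output_dir specified use that, otherwise make a temp directory
    if 'output_dir' not in options_overrides:
        options_overrides['output_dir'] = get_tmp_output_dir()

    # merge all our options in
    options = Config.empty(**options_overrides)

    if subscription_id is not None:
        options['account_id'] = subscription_id

    load_resources()

    try:
        options = Azure().initialize(options)

        policies = PolicyCollection.from_data(policy_config, options)
        if policies:
            for p in policies:
                try:
                    p.push(event, context)
                except (CloudError, AzureHttpError) as error:
                    log.error("Unable to process policy: %s :: %s", p.name, error)
    finally:
        # An exception outside the two handled types used to skip this
        # reset, leaving the cached session (tied to this call's
        # subscription) in place for whatever runs next in the process.
        reset_session_cache()
    return True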
Ejemplo n.º 14
    def test_key_vault_keys_keyvault(self):
        """Check the ``keyvault`` filter on ``azure.keyvault-keys``.

        Lists the vaults in the ``test_keyvault`` resource group (exactly one
        is expected), resets the session cache, then runs a policy filtered
        to that vault and expects two resources.
        """
        mgmt_client = local_session(Session).client(
            'azure.mgmt.keyvault.KeyVaultManagementClient')
        vaults = list(mgmt_client.vaults.list_by_resource_group('test_keyvault'))
        self.assertEqual(len(vaults), 1)
        # Reset the session cache after the lookup, before the policy is
        # loaded and run.
        reset_session_cache()

        vault_filter = {
            'type': 'keyvault',
            'vaults': [vaults[0].name],
        }
        policy_doc = {
            'name': 'test-key-vault',
            'resource': 'azure.keyvault-keys',
            'filters': [vault_filter],
        }
        p = self.load_policy(policy_doc, validate=True)
        resources = p.run()
        self.assertEqual(len(resources), 2)
Ejemplo n.º 15
 def cleanUp(self):
     """Clear out the thread-local session cache."""
     reset_session_cache()
Ejemplo n.º 16
 def cleanUp(self):
     """Cleanup hook that resets the session cache."""
     # The cache is thread-local, so this affects the calling thread's entry.
     reset_session_cache()