def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
    """Flush metrics, reset the session cache and close the log/output handlers.

    The exception triple is forwarded unchanged to the ``__exit__`` of
    ``self.cloudwatch_logs`` and ``self.output`` when those are set.
    """
    exc_info = (exc_type, exc_value, exc_traceback)

    self.metrics.flush()

    # Drop the thread-local session cache used during policy execution.
    reset_session_cache()

    log_handler = self.cloudwatch_logs
    if log_handler:
        log_handler.__exit__(*exc_info)
        self.cloudwatch_logs = None

    if self.output:
        self.output.__exit__(*exc_info)
def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
    """Flush metrics, reset the session cache and close the log/output handlers.

    The exception triple is forwarded unchanged to the ``__exit__`` of
    ``self.cloudwatch_logs`` and ``self.output`` when those are set.
    """
    exc_info = (exc_type, exc_value, exc_traceback)

    self.metrics.flush()

    # Drop the thread-local session cache used during policy execution.
    reset_session_cache()

    log_handler = self.cloudwatch_logs
    if log_handler:
        log_handler.__exit__(*exc_info)
        self.cloudwatch_logs = None

    if self.output:
        self.output.__exit__(*exc_info)
def tag_org_account(account, region, db, creator_tag, user_suffix, dryrun, type):
    """Run the ``tag`` callback for one account and region.

    A session is obtained for ``account`` via ``get_session`` and the
    variables returned by ``_get_env_creds`` are placed in the process
    environment for the duration of the call (presumably that account's
    credentials; confirm against ``_get_env_creds``).

    Returns whatever ``tag.callback`` returns. The session cache is reset
    in a ``finally`` so it is cleared whether or not the callback raises.
    """
    log.info(
        "processing account:%s id:%s region:%s",
        account['name'], account['account_id'], region)

    account_session = get_session(account, "c7n-trailcreator", region)
    credential_env = _get_env_creds(account_session, region)

    # NOTE(review): environ() edits os.environ, which is shared by every
    # thread in the process; confirm accounts are not processed
    # concurrently in threads of one process.
    with environ(**credential_env):
        try:
            result = tag.callback(
                None, region, db, creator_tag, user_suffix, dryrun,
                summary=False, type=type)
        finally:
            reset_session_cache()
    return result
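def environ(**kw):
    """Temporarily overlay ``kw`` on ``os.environ`` and restore it afterwards.

    Generator intended for use as a context manager (the ``with environ(...)``
    call sites imply a ``contextmanager`` decorator outside this view;
    confirm). Yields ``os.environ`` with the overrides applied.

    On exit, each overridden key is removed, the values captured on entry
    are written back, and the session cache is reset. Variables that the
    body adds under other names are not removed.

    ``os.environ`` is process-wide, so the overrides are visible to every
    thread while the block runs.
    """
    current_env = dict(os.environ)
    try:
        # Applied inside the try so that a failure part-way through (for
        # example a non-string value) still removes the keys already set.
        for k, v in kw.items():
            os.environ[k] = v
        yield os.environ
    finally:
        for k in kw:
            # pop() rather than del: if the body already removed the key,
            # del would raise KeyError and skip both the restore and the
            # session cache reset below, leaving the overrides in place.
            os.environ.pop(k, None)
        os.environ.update(current_env)
        reset_session_cache()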
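def environ(**kw):
    """Temporarily overlay ``kw`` on ``os.environ`` and restore it afterwards.

    Generator intended for use as a context manager (the ``with environ(...)``
    call sites imply a ``contextmanager`` decorator outside this view;
    confirm). Yields ``os.environ`` with the overrides applied.

    On exit, each overridden key is removed, the values captured on entry
    are written back, and the session cache is reset. Variables that the
    body adds under other names are not removed.

    ``os.environ`` is process-wide, so the overrides are visible to every
    thread while the block runs.
    """
    current_env = dict(os.environ)
    try:
        # Applied inside the try so that a failure part-way through (for
        # example a non-string value) still removes the keys already set.
        for k, v in kw.items():
            os.environ[k] = v
        yield os.environ
    finally:
        for k in kw:
            # pop() rather than del: if the body already removed the key,
            # del would raise KeyError and skip both the restore and the
            # session cache reset below, leaving the overrides in place.
            os.environ.pop(k, None)
        os.environ.update(current_env)
        reset_session_cache()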
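def process(self, resources, event=None):
    """Filter ``resources`` by whether their ``ImageId`` is in use elsewhere.

    For each entry in ``self.data['accounts']`` the session factory's
    ``assume_role`` is pointed at that entry and the image ids returned by
    ``_pull_ec2_images`` and ``_pull_asg_images`` are collected.

    Returns the resources whose ``ImageId`` is *not* in the collected set
    when ``self.data['value']`` is truthy (the default), otherwise the
    resources whose ``ImageId`` *is* in the set.
    """
    session_factory = self.manager.ctx.session_factory
    original_assume = session_factory.assume_role
    images = set()
    try:
        for account in self.data.get('accounts', []):
            # Reset before switching roles so the next client is built for
            # the role being assumed.
            reset_session_cache()
            session_factory.assume_role = account
            images.update(
                self._pull_ec2_images().union(self._pull_asg_images()))
    finally:
        # Restore in a finally: if a pull raises, the factory must not stay
        # pointed at another account's role, and the cache must not keep a
        # session built for it.
        reset_session_cache()
        session_factory.assume_role = original_assume

    if self.data.get('value', True):
        return [r for r in resources if r['ImageId'] not in images]
    return [r for r in resources if r['ImageId'] in images]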
def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
    """Flush metrics and close the log/output handlers.

    The exception triple is forwarded unchanged to the ``__exit__`` of
    ``self.cloudwatch_logs`` and ``self.output`` when those are set.
    """
    exc_info = (exc_type, exc_value, exc_traceback)

    self.metrics.flush()

    # The thread-local session cache is cleared here only for test runs
    # (C7N_TEST_RUN set).
    # IMPORTANT: multi-account execution (c7n-org and others) must reset
    # the cache itself.
    # Why it is not reset unconditionally: doing so causes excessive memory
    # usage from client reconstruction.
    running_tests = os.environ.get('C7N_TEST_RUN')
    if running_tests:
        reset_session_cache()

    log_handler = self.cloudwatch_logs
    if log_handler:
        log_handler.__exit__(*exc_info)
        self.cloudwatch_logs = None

    if self.output:
        self.output.__exit__(*exc_info)
def assume_member(self, event):
    """Point the policy's session factory at a member-account role if one applies.

    Returns True when the mode defines ``member-role`` and both a member
    account id and a region could be derived from ``event``; in that case
    the session cache is reset and the policy's ``account_id`` option and
    the session factory's ``region`` and ``assume_role`` are updated.
    Returns False, changing nothing, otherwise.
    """
    # A configured member role means we are running out of the master
    # account and must assume back into the member for policy execution.
    role_template = self.policy.data['mode'].get('member-role')
    member_id = self.get_member_account_id(event)
    region = self.get_member_region(event)

    if not (role_template and member_id and region):
        return False

    # In the master account one hot lambda may be multiplexed across several
    # member accounts, one per event/invocation, so the cached session is
    # dropped before the factory is re-pointed.
    # NOTE(review): member_id and region are derived from the event and
    # decide which role is assumed; confirm get_member_account_id and
    # get_member_region only return validated values.
    member_role = role_template.format(account_id=member_id)
    utils.reset_session_cache()

    policy = self.policy
    policy.options['account_id'] = member_id
    policy.session_factory.region = region
    policy.session_factory.assume_role = member_role
    policy.log.info("Assuming member role: %s", member_role)
    return True
def assume_member(self, event):
    """Point the policy's session factory at a member-account role if one applies.

    Returns True when the mode defines ``member-role`` and both a member
    account id and a region could be derived from ``event``; in that case
    the session cache is reset and the policy's ``account_id`` option and
    the session factory's ``region`` and ``assume_role`` are updated.
    Returns False, changing nothing, otherwise.
    """
    # A configured member role means we are running out of the master
    # account and must assume back into the member for policy execution.
    role_template = self.policy.data['mode'].get('member-role')
    member_id = self.get_member_account_id(event)
    region = self.get_member_region(event)

    if not (role_template and member_id and region):
        return False

    # In the master account one hot lambda may be multiplexed across several
    # member accounts, one per event/invocation, so the cached session is
    # dropped before the factory is re-pointed.
    # NOTE(review): member_id and region are derived from the event and
    # decide which role is assumed; confirm get_member_account_id and
    # get_member_region only return validated values.
    member_role = role_template.format(account_id=member_id)
    utils.reset_session_cache()

    policy = self.policy
    policy.options['account_id'] = member_id
    policy.session_factory.region = region
    policy.session_factory.assume_role = member_role
    policy.log.info("Assuming member role: %s", member_role)
    return True
def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
    """Finish a policy execution: record metadata and close the helpers.

    Emits a ``PolicyException`` count metric when leaving with an exception
    (and metrics are enabled), writes ``metadata.json`` through the policy,
    then exits the api stats, logs, output and tracer helpers in that order.
    The exception triple is forwarded unchanged to the helpers that take it.
    """
    exc_info = (exc_type, exc_value, exc_traceback)

    leaving_with_error = exc_type is not None
    if leaving_with_error and self.metrics:
        self.metrics.put_metric('PolicyException', 1, "Count")

    metadata_doc = dumps(self.get_metadata(), indent=2)
    self.policy._write_file('metadata.json', metadata_doc)
    self.api_stats.__exit__(*exc_info)

    # Flushing metrics and closing logs/output is traced as one subsegment.
    with self.tracer.subsegment('output'):
        self.metrics.flush()
        self.logs.__exit__(*exc_info)
        self.output.__exit__(*exc_info)

    self.tracer.__exit__()
    self.session_factory.policy_name = None

    # IMPORTANT: multi-account execution (c7n-org and others) must reset
    # the session cache itself. It is cleared here only for test runs,
    # because resetting it on every exit causes excessive memory usage from
    # client reconstruction for dynamic-gen sdks.
    if os.environ.get('C7N_TEST_RUN'):
        reset_session_cache()
def __exit__(self, exc_type=None, exc_value=None, exc_traceback=None):
    """Finish a policy execution: record metadata and close the helpers.

    Emits a ``PolicyException`` count metric when leaving with an exception
    (and metrics are enabled), writes ``metadata.json`` through the policy,
    then exits the api stats, logs, output and tracer helpers in that order.
    The exception triple is forwarded unchanged to the helpers that take it.
    """
    exc_info = (exc_type, exc_value, exc_traceback)

    leaving_with_error = exc_type is not None
    if leaving_with_error and self.metrics:
        self.metrics.put_metric('PolicyException', 1, "Count")

    metadata_doc = dumps(self.get_metadata(), indent=2)
    self.policy._write_file('metadata.json', metadata_doc)
    self.api_stats.__exit__(*exc_info)

    # Flushing metrics and closing logs/output is traced as one subsegment.
    with self.tracer.subsegment('output'):
        self.metrics.flush()
        self.logs.__exit__(*exc_info)
        self.output.__exit__(*exc_info)

    self.tracer.__exit__()
    self.session_factory.policy_name = None

    # IMPORTANT: multi-account execution (c7n-org and others) must reset
    # the session cache itself. It is cleared here only for test runs,
    # because resetting it on every exit causes excessive memory usage from
    # client reconstruction for dynamic-gen sdks.
    if os.environ.get('C7N_TEST_RUN'):
        reset_session_cache()
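def run(event, context, subscription_id=None):
    """Load the function's policy file and push ``event`` to each policy.

    ``context`` must provide ``config_file`` (path of the JSON policy file)
    and ``auth_file`` (path stored as the ``authorization_file`` option).
    Execution options are taken from the first policy's
    ``mode.execution-options`` only. When ``subscription_id`` is given it
    is set as the ``account_id`` option.

    Returns False when the policy file is empty or has no ``policies``,
    True otherwise. ``CloudError`` and ``AzureHttpError`` raised by a policy
    are logged and do not stop the remaining policies.
    """
    # policies file should always be valid in functions so do loading naively
    with open(context['config_file']) as f:
        policy_config = json.load(f)

    if not policy_config or not policy_config.get('policies'):
        log.error('Invalid policy config')
        return False

    options_overrides = \
        policy_config['policies'][0].get('mode', {}).get('execution-options', {})

    # setup our auth file location on disk
    options_overrides['authorization_file'] = context['auth_file']

    # if output_dir specified use that, otherwise make a temp directory
    if 'output_dir' not in options_overrides:
        options_overrides['output_dir'] = get_tmp_output_dir()

    # merge all our options in
    options = Config.empty(**options_overrides)

    if subscription_id is not None:
        options['account_id'] = subscription_id

    load_resources(StructureParser().get_resource_types(policy_config))

    try:
        options = Azure().initialize(options)
        policies = PolicyCollection.from_data(policy_config, options)
        if policies:
            for p in policies:
                try:
                    p.push(event, context)
                except (CloudError, AzureHttpError) as error:
                    log.error(
                        "Unable to process policy: %s :: %s", p.name, error)
    finally:
        # Reset in a finally so an exception other than the two handled
        # above does not leave this invocation's cached session behind for
        # the next one (which may carry a different subscription_id).
        reset_session_cache()
    return True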
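def run(event, context, subscription_id=None):
    """Load the function's policy file and push ``event`` to each policy.

    ``context`` must provide ``config_file`` (path of the JSON policy file)
    and ``auth_file`` (path stored as the ``authorization_file`` option).
    Execution options are taken from the first policy's
    ``mode.execution-options`` only. When ``subscription_id`` is given it
    is set as the ``account_id`` option.

    Returns False when the policy file is empty or has no ``policies``,
    True otherwise. ``CloudError`` and ``AzureHttpError`` raised by a policy
    are logged and do not stop the remaining policies.
    """
    # policies file should always be valid in functions so do loading naively
    with open(context['config_file']) as f:
        policy_config = json.load(f)

    if not policy_config or not policy_config.get('policies'):
        log.error('Invalid policy config')
        return False

    options_overrides = \
        policy_config['policies'][0].get('mode', {}).get('execution-options', {})

    # setup our auth file location on disk
    options_overrides['authorization_file'] = context['auth_file']

    # if output_dir specified use that, otherwise make a temp directory
    if 'output_dir' not in options_overrides:
        options_overrides['output_dir'] = get_tmp_output_dir()

    # merge all our options in
    options = Config.empty(**options_overrides)

    if subscription_id is not None:
        options['account_id'] = subscription_id

    load_resources()

    try:
        options = Azure().initialize(options)
        policies = PolicyCollection.from_data(policy_config, options)
        if policies:
            for p in policies:
                try:
                    p.push(event, context)
                except (CloudError, AzureHttpError) as error:
                    log.error(
                        "Unable to process policy: %s :: %s", p.name, error)
    finally:
        # Reset in a finally so an exception other than the two handled
        # above does not leave this invocation's cached session behind for
        # the next one (which may carry a different subscription_id).
        reset_session_cache()
    return True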
def test_key_vault_keys_keyvault(self):
    """Check the ``keyvault`` filter on ``azure.keyvault-keys``.

    Expects exactly one vault in the ``test_keyvault`` resource group and
    two keys returned when the policy is filtered to that vault's name.
    """
    keyvault_client = local_session(Session).client(
        'azure.mgmt.keyvault.KeyVaultManagementClient')
    kvs = list(keyvault_client.vaults.list_by_resource_group('test_keyvault'))
    self.assertEqual(len(kvs), 1)

    # Clear the cached session used for the lookup above before the policy
    # is loaded and run.
    reset_session_cache()

    vault_filter = {
        'type': 'keyvault',
        'vaults': [kvs[0].name],
    }
    policy_data = {
        'name': 'test-key-vault',
        'resource': 'azure.keyvault-keys',
        'filters': [vault_filter],
    }
    p = self.load_policy(policy_data, validate=True)

    resources = p.run()
    self.assertEqual(len(resources), 2)
def cleanUp(self):
    """Clear out the thread-local session cache."""
    reset_session_cache()
def cleanUp(self):
    """Clear out the thread-local session cache."""
    reset_session_cache()