def lambda_handler(event, context): try: insert_event = [i for i in event["Records"] if i["eventName"] == "INSERT"] if not len(insert_event): print("ERROR: No account to create") return newImage = insert_event[0]["dynamodb"]["NewImage"] account_email = newImage["id"]["S"] sns_topic = avm_common.get_param("sns_topic_arn") print(sns_topic) sub = "ERROR: tfe avm-tfe-master-lambda" func = "avm-tfe-master-lambda" lambda_handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" print(body) #(accountId, snsARN, function_name, subject, body): avm_common.send_pipeline_notification(account_email,sns_topic,func, sub,body) raise e except Exception as e: body = f"Unexpected error : {e}" print(body) avm_common.send_pipeline_notification(account_email,sns_topic,func, sub,body) raise e
def notify(self, message): # TODO: Set up notifications sub = "INFO: accountpipeline keyrotation-for-terraform-user" func = "accountpipeline-tfe-secret-rotation" sns_topic = avm_common.get_param("sns_topic_arn") avm_common.send_pipeline_notification(self._account, sns_topic, func, sub, message)
def send_error_notification(e, account_id): body = f"Unexpected error : {e}" print(body) sns_topic = avm_common.get_param("sns_topic_arn") print(sns_topic) print(account_id) sub = "ERROR: GuardDuty invites" func = "avm-guardduty-invite-member-accounts" #(accountId, snsARN, function_name, subject, body): avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
def lambda_handler(event, context): try: account_id = event["AccountId"] lambda_handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" sns_topic = avm_common.get_param("sns_topic_arn") sub = "ERROR: Managed policy update" func = "avm-iam-managedpolicy-update-for-new-account" avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body) raise e
def lambda_handler(event, context): try: account_id = event["AccountId"] lambda_handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" print(body) sns_topic = avm_common.get_param("sns_topic_arn") print(sns_topic) print(account_id) sub = "ERROR: DNS Invite" func = "avm-dns-invite-member-account" avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body) raise e
def lambda_handler(event, context): try: account_id = event["AccountId"] handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" print(body) sns_topic = avm_common.get_param("sns_topic_arn") print(sns_topic) print(account_id) sub = "ERROR: TFE Create Workspaces" func = "avm-tfe-create-workspaces" avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body) raise e
def lambda_handler(event, context): try: account_id = event["AccountId"] sns_topic = avm_common.get_param("sns_topic_arn") sub = "ERROR: redlock addaccount" func = "avm-3rdparty-redlock-addaccount" lambda_handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body) raise e except Exception as e: body = f"Unexpected error : {e}" avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body) raise e
def lambda_handler(event, context): try: account_id = event["AccountId"] sns_topic = avm_common.get_param("sns_topic_arn") print(sns_topic) print(account_id) sub = "ERROR: accountpipeline CW destination policy update" func = "accountpipeline-cw-destination-policy-update" lambda_handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" print(body) #(accountId, snsARN, function_name, subject, body): avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body) except Exception as e: body = f"Unexpected error : {e}" print(body) avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
def lambda_handler(event, context): try: account_id = event["AccountId"] sns_topic = avm_common.get_param("sns_topic_arn") sub = "ERROR: okta create groups" func = "avm-okta-create-groups" lambda_handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" print(body) avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body) raise e except Exception as e: body = f"Unexpected error : {e}" print(body) avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body) raise e
def lambda_handler(event, context): try: account_id = event["AccountId"] sns_topic = avm_common.get_param("sns_topic_arn") print(sns_topic) print(account_id) sub = "ERROR: accountpipeline keyrotation-for-terraform-user" func = "accountpipeline-tfe-secret-rotation" lambda_handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" print(body) #(accountId, snsARN, function_name, subject, body): avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body) raise e except Exception as e: body = f"Unexpected error : {e}" print(body) avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body) raise e
def lambda_handler_inner(event, context): account_id = event["AccountId"] exec_id = event["execution_id"] session = avm_common.aws_session(session_name="target_account") client = session.client('ssm') response = client.get_automation_execution(AutomationExecutionId=exec_id) failed_steps = [ f for f in response["AutomationExecution"]["StepExecutions"] if f["StepStatus"] == "Failed" ] if len(failed_steps): body = str(failed_steps) sns_topic = avm_common.get_param("sns_topic_arn") sub = f"SSM automation with {exec_id} failed for account {account_id}" avm_common.send_pipeline_notification( account_id, sns_topic, response["AutomationExecution"]["DocumentName"], sub, body) return 200
def lambda_handler(event, context): try: account_id = event["AccountId"] sns_topic = avm_common.get_param("sns_topic_arn") print(sns_topic) print(account_id) sub = "ERROR: avm sns post account creation email" func = "avm-sns-post-account-creation-email" lambda_handler_inner(event, context) except ClientError as e: body = f"Unexpected error : {e}" print(body) #(accountId, snsARN, function_name, subject, body): avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body) raise e except Exception as e: body = f"Unexpected error : {e}" print(body) avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body) raise e
def add_account_to_redlock(account_id): redlock = avm_common.get_secret("redlock") result = avm_common.get_account_details(account_id) account_alias = f"{result['org_details']['name']}" if result['request_details']: if "subAccountType" in result['request_details'].keys(): account_alias += f"-{result['request_details']['subAccountType']}" body = {"username": redlock["user"], "password": redlock["password"]} header = {'Content-Type': 'application/json'} r = requests.post(f'{redlock["rest_api_url"]}/login', headers=header, data=json.dumps(body)) if r.status_code == requests.codes.ok: resp = json.loads(r.text) token = resp["token"] account_payload = { "accountId": account_id, "enabled": True, "externalId": extract_externalid(account_id), "groupIds": [redlock["group_id"]], "name": f"{account_alias}-{account_id}", "roleArn": f"arn:aws:iam::{account_id}:role/tlz_redlock_read_only" } headers = {"x-redlock-auth": token, "Content-Type": "application/json"} addaccount_r = requests.post(f'{redlock["rest_api_url"]}/cloud/aws', headers=headers, data=json.dumps(account_payload)) else: body = f"{r.json()}" sub = "ERROR: Unable to add account {account_id} to redlock" func = "redlock-addaccount" sns_topic = avm_common.get_param("sns_topic_arn") avm_common.send_pipeline_notification(account_id, sns_topic, func, sub, body)
def create_account(self,account_request): print(account_request) role_name = self._org_account_access_role print(f'Email : {account_request["email"]}') account = self.get_account_by_email(account_request["email"]) print("Response from Create account") print(account) account_created = False max_attempts = 30 attempts = 0 response = None create_account = False if account: return account else: print(f"Account with email: {account_request['email']} not found and creating a new account") create_account = True if create_account: alias = self.get_account_alias(account_request["accountType"],account_request["account_name"],account_request["lob"], account_request["env"], account_request["accountPrefix"]) response = self._client.create_account( Email=account_request["email"], AccountName=alias, RoleName=role_name ) print(response) account_created = False max_attempts = 50 while account_created != True: response = self._client.describe_create_account_status(CreateAccountRequestId=response["CreateAccountStatus"]["Id"]) if response["CreateAccountStatus"]["State"] == "SUCCEEDED": account_created = True break else: time.sleep(5) attempts = attempts + 1 if attempts > max_attempts: break # By now account should have been created if account_created: acc = self._client.describe_account(AccountId=response["CreateAccountStatus"]["AccountId"]) # retry 5 times until sts succeeds sleep_time = 10 num_retries = 5 result_account = None for x in range(0, num_retries): try: target_session = self.assume_role_to_target(acc,role_name) # Update trust-policy of the role_name so that CSS can assume the role_name break except Exception as str_error: time.sleep(sleep_time) sleep_time *= 2 if not result_account: # send an SNS notification body = f"Master account unable to assume {self._master_role} for {acc}" sns_topic = avm_common.get_param("sns_topic_arn") sub = "WARN: tfe avm-tfe-master-lambda" func = "avm-tfe-master-lambda" avm_common.send_pipeline_notification(account_request['email'],sns_topic,func, sub,body) return self.get_account(acc) else: return None