def lambda_handler(event, context):
try:
insert_event = [i for i in event["Records"] if i["eventName"] == "INSERT"]
if not len(insert_event):
print("ERROR: No account to create")
return
newImage = insert_event[0]["dynamodb"]["NewImage"]
account_email = newImage["id"]["S"]
sns_topic = avm_common.get_param("sns_topic_arn")
print(sns_topic)
sub = "ERROR: tfe avm-tfe-master-lambda"
func = "avm-tfe-master-lambda"
lambda_handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
print(body)
#(accountId, snsARN, function_name, subject, body):
avm_common.send_pipeline_notification(account_email,sns_topic,func, sub,body)
raise e
except Exception as e:
body = f"Unexpected error : {e}"
print(body)
avm_common.send_pipeline_notification(account_email,sns_topic,func, sub,body)
raise e
def notify(self, message):
# TODO: Set up notifications
sub = "INFO: accountpipeline keyrotation-for-terraform-user"
func = "accountpipeline-tfe-secret-rotation"
sns_topic = avm_common.get_param("sns_topic_arn")
avm_common.send_pipeline_notification(self._account, sns_topic, func,
sub, message)
def send_error_notification(e, account_id):
body = f"Unexpected error : {e}"
print(body)
sns_topic = avm_common.get_param("sns_topic_arn")
print(sns_topic)
print(account_id)
sub = "ERROR: GuardDuty invites"
func = "avm-guardduty-invite-member-accounts"
#(accountId, snsARN, function_name, subject, body):
avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
def lambda_handler(event, context):
try:
account_id = event["AccountId"]
lambda_handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
sns_topic = avm_common.get_param("sns_topic_arn")
sub = "ERROR: Managed policy update"
func = "avm-iam-managedpolicy-update-for-new-account"
avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
raise e
def lambda_handler(event, context):
try:
account_id = event["AccountId"]
lambda_handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
print(body)
sns_topic = avm_common.get_param("sns_topic_arn")
print(sns_topic)
print(account_id)
sub = "ERROR: DNS Invite"
func = "avm-dns-invite-member-account"
avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
raise e
def lambda_handler(event, context):
try:
account_id = event["AccountId"]
handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
print(body)
sns_topic = avm_common.get_param("sns_topic_arn")
print(sns_topic)
print(account_id)
sub = "ERROR: TFE Create Workspaces"
func = "avm-tfe-create-workspaces"
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
raise e
def lambda_handler(event, context):
try:
account_id = event["AccountId"]
sns_topic = avm_common.get_param("sns_topic_arn")
sub = "ERROR: redlock addaccount"
func = "avm-3rdparty-redlock-addaccount"
lambda_handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
raise e
except Exception as e:
body = f"Unexpected error : {e}"
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
raise e
def lambda_handler(event, context):
try:
account_id = event["AccountId"]
sns_topic = avm_common.get_param("sns_topic_arn")
print(sns_topic)
print(account_id)
sub = "ERROR: accountpipeline CW destination policy update"
func = "accountpipeline-cw-destination-policy-update"
lambda_handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
print(body)
#(accountId, snsARN, function_name, subject, body):
avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
except Exception as e:
body = f"Unexpected error : {e}"
print(body)
avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
def lambda_handler(event, context):
try:
account_id = event["AccountId"]
sns_topic = avm_common.get_param("sns_topic_arn")
sub = "ERROR: okta create groups"
func = "avm-okta-create-groups"
lambda_handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
print(body)
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
raise e
except Exception as e:
body = f"Unexpected error : {e}"
print(body)
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
raise e
def lambda_handler(event, context):
try:
account_id = event["AccountId"]
sns_topic = avm_common.get_param("sns_topic_arn")
print(sns_topic)
print(account_id)
sub = "ERROR: accountpipeline keyrotation-for-terraform-user"
func = "accountpipeline-tfe-secret-rotation"
lambda_handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
print(body)
#(accountId, snsARN, function_name, subject, body):
avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
raise e
except Exception as e:
body = f"Unexpected error : {e}"
print(body)
avm_common.send_pipeline_notification(account_id,sns_topic,func, sub,body)
raise e
def lambda_handler_inner(event, context):
account_id = event["AccountId"]
exec_id = event["execution_id"]
session = avm_common.aws_session(session_name="target_account")
client = session.client('ssm')
response = client.get_automation_execution(AutomationExecutionId=exec_id)
failed_steps = [
f for f in response["AutomationExecution"]["StepExecutions"]
if f["StepStatus"] == "Failed"
]
if len(failed_steps):
body = str(failed_steps)
sns_topic = avm_common.get_param("sns_topic_arn")
sub = f"SSM automation with {exec_id} failed for account {account_id}"
avm_common.send_pipeline_notification(
account_id, sns_topic,
response["AutomationExecution"]["DocumentName"], sub, body)
return 200
def lambda_handler(event, context):
try:
account_id = event["AccountId"]
sns_topic = avm_common.get_param("sns_topic_arn")
print(sns_topic)
print(account_id)
sub = "ERROR: avm sns post account creation email"
func = "avm-sns-post-account-creation-email"
lambda_handler_inner(event, context)
except ClientError as e:
body = f"Unexpected error : {e}"
print(body)
#(accountId, snsARN, function_name, subject, body):
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
raise e
except Exception as e:
body = f"Unexpected error : {e}"
print(body)
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
raise e
def add_account_to_redlock(account_id):
redlock = avm_common.get_secret("redlock")
result = avm_common.get_account_details(account_id)
account_alias = f"{result['org_details']['name']}"
if result['request_details']:
if "subAccountType" in result['request_details'].keys():
account_alias += f"-{result['request_details']['subAccountType']}"
body = {"username": redlock["user"], "password": redlock["password"]}
header = {'Content-Type': 'application/json'}
r = requests.post(f'{redlock["rest_api_url"]}/login',
headers=header,
data=json.dumps(body))
if r.status_code == requests.codes.ok:
resp = json.loads(r.text)
token = resp["token"]
account_payload = {
"accountId": account_id,
"enabled": True,
"externalId": extract_externalid(account_id),
"groupIds": [redlock["group_id"]],
"name": f"{account_alias}-{account_id}",
"roleArn": f"arn:aws:iam::{account_id}:role/tlz_redlock_read_only"
}
headers = {"x-redlock-auth": token, "Content-Type": "application/json"}
addaccount_r = requests.post(f'{redlock["rest_api_url"]}/cloud/aws',
headers=headers,
data=json.dumps(account_payload))
else:
body = f"{r.json()}"
sub = "ERROR: Unable to add account {account_id} to redlock"
func = "redlock-addaccount"
sns_topic = avm_common.get_param("sns_topic_arn")
avm_common.send_pipeline_notification(account_id, sns_topic, func, sub,
body)
def create_account(self,account_request):
print(account_request)
role_name = self._org_account_access_role
print(f'Email : {account_request["email"]}')
account = self.get_account_by_email(account_request["email"])
print("Response from Create account")
print(account)
account_created = False
max_attempts = 30
attempts = 0
response = None
create_account = False
if account:
return account
else:
print(f"Account with email: {account_request['email']} not found and creating a new account")
create_account = True
if create_account:
alias = self.get_account_alias(account_request["accountType"],account_request["account_name"],account_request["lob"], account_request["env"], account_request["accountPrefix"])
response = self._client.create_account(
Email=account_request["email"],
AccountName=alias,
RoleName=role_name
)
print(response)
account_created = False
max_attempts = 50
while account_created != True:
response = self._client.describe_create_account_status(CreateAccountRequestId=response["CreateAccountStatus"]["Id"])
if response["CreateAccountStatus"]["State"] == "SUCCEEDED":
account_created = True
break
else:
time.sleep(5)
attempts = attempts + 1
if attempts > max_attempts:
break
# By now account should have been created
if account_created:
acc = self._client.describe_account(AccountId=response["CreateAccountStatus"]["AccountId"])
# retry 5 times until sts succeeds
sleep_time = 10
num_retries = 5
result_account = None
for x in range(0, num_retries):
try:
target_session = self.assume_role_to_target(acc,role_name)
# Update trust-policy of the role_name so that CSS can assume the role_name
break
except Exception as str_error:
time.sleep(sleep_time)
sleep_time *= 2
if not result_account:
# send an SNS notification
body = f"Master account unable to assume {self._master_role} for {acc}"
sns_topic = avm_common.get_param("sns_topic_arn")
sub = "WARN: tfe avm-tfe-master-lambda"
func = "avm-tfe-master-lambda"
avm_common.send_pipeline_notification(account_request['email'],sns_topic,func, sub,body)
return self.get_account(acc)
else:
return None