import logging from functools import wraps import yaml import boto3 from crhelper import CfnResource from kubernetes.client.rest import ApiException from overpass.config import CONFIG from overpass.kube import create_kube_config, KubeWrapper LOGGER = logging.getLogger(__name__) # Initialise the helper, all inputs are optional, this example shows the defaults helper = CfnResource(json_logging=False, log_level='INFO', boto_level='WARN') try: create_kube_config(CONFIG.KUBE_FILEPATH, boto3.client('eks', region_name=CONFIG.REGION), CONFIG.CLUSTER_NAME, CONFIG.KUBE_USER) except Exception as ex: helper.init_failure(ex) def authenticate(func): @wraps(func) def wrapped(event, context): kube_wrapper = KubeWrapper(CONFIG.CLUSTER_NAME, CONFIG.REGION, CONFIG.AUTH_BACKEND, CONFIG.KUBE_FILEPATH) return func(event, context, kube_wrapper) return wrapped @helper.create @authenticate
# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance # # with the License. A copy of the License is located at # # # # http://www.apache.org/licenses/LICENSE-2.0 # # # # or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES # # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions # # and limitations under the License. # ###################################################################################################################### import logging, uuid, requests from crhelper import CfnResource from datetime import datetime logger = logging.getLogger(__name__) helper = CfnResource(log_level='INFO') METRICS_ENDPOINT = 'https://metrics.awssolutionsbuilder.com/generic' def _sanitize_data(resource_properties): # Remove ServiceToken (lambda arn) to avoid sending AccountId resource_properties.pop('ServiceToken', None) resource_properties.pop('Resource', None) # Solution ID and unique ID are sent separately resource_properties.pop('Solution', None) resource_properties.pop('UUID', None) return resource_properties
import boto3 import logging from crhelper import CfnResource logger = logging.getLogger(__name__) helper = CfnResource(polling_interval=1) try: pass except Exception as e: helper.init_failure(e) def start_build(project_name, environment_variables_override): codebuild = boto3.client("codebuild") bootstrapper_build = codebuild.start_build( projectName=project_name, environmentVariablesOverride=environment_variables_override, ).get("build") return bootstrapper_build.get("id") def get_details_needed_for_build(event): request_type = event["RequestType"] properties = event.get("ResourceProperties") if request_type in ["Create", "Update"]: project_name = properties.get("CreateUpdateProject") else: project_name = properties.get("DeleteProject")
import logging import os import boto3 from crhelper import CfnResource CODEBUILD_BUILD_ID_KEY = "CodeBuildBuildId" helper = CfnResource(json_logging=False, log_level="INFO") def trigger_codebuild_project(**kwargs): """Trigger CodeBuild projects using the given configuration.""" codebuild_client = boto3.client("codebuild", region_name=os.environ["AWS_REGION"]) response = codebuild_client.start_build(**kwargs) logging.info( "Started build #%s of CodeBuild project %s with ID %s", response.get("build", {}).get("buildNumber"), response.get("build").get("projectName"), response.get("build").get("id"), ) return response def get_build_status(build_id): """Get the status of specified build of a CodeBuild project.""" codebuild_client = boto3.client("codebuild", region_name=os.environ["AWS_REGION"]) response = codebuild_client.batch_get_builds(ids=[build_id]) logging.info(f"detailed status for build {build_id}:\n{response}") return response.get("builds")[0].get("buildStatus")
if TYPE_CHECKING: from aws_lambda_typing.context import Context from aws_lambda_typing.events import CloudFormationCustomResourceEvent from mypy_boto3_config.client import ConfigServiceClient from mypy_boto3_config.type_defs import AccountAggregationSourceTypeDef from mypy_boto3_sts.client import STSClient # Setup Default Logger LOGGER = logging.getLogger(__name__) log_level = os.environ.get("LOG_LEVEL", logging.ERROR) LOGGER.setLevel(log_level) # Initialize the helper helper = CfnResource(json_logging=True, log_level=log_level, boto_level="CRITICAL", sleep_on_delete=120) def assume_role(role: str, role_session_name: str, account: str = None, session: boto3.Session = None) -> boto3.Session: """Assumes the provided role in the given account and returns a session. Args: role: Role to assume in target account. role_session_name: Identifier for the assumed role session. account: AWS account number. Defaults to None. session: Boto3 session. Defaults to None.
"""Elasticsearch Domain Access Policy Updates Lambda Executes Elasticsearch Domain Access Policy updates to allow AWS Services permissions to the domain """ from botocore.exceptions import ClientError from crhelper import CfnResource from typing import Tuple import logging import boto3 import json import os helper = CfnResource(json_logging=False, log_level='INFO', boto_level='CRITICAL') es = boto3.client('es') def handler(event: dict, context: dict) -> None: """AWS Lambda function handler - Elasticsearch Domain Access Policy Updates function :type: dict :param: event: aws cloudformation custom resource event :type: dict :param: context: aws lambda function environment context :rtype: None """ logger: 'logging.Logger' = log(__name__.upper()) logger.info(f'EVENT: {event}')
# # # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance # # with the License. A copy of the License is located at # # # # http://www.apache.org/licenses/LICENSE-2.0 # # # # or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES # # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions # # and limitations under the License. # ###################################################################################################################### import boto3, logging from crhelper import CfnResource client_kinesis_analytics = boto3.client('kinesisanalyticsv2') helper = CfnResource(json_logging=True) logger = logging.getLogger(__name__) def _filter_empty_items(str_list): return list(filter(None, str_list)) def _get_application_details(application_name): response = client_kinesis_analytics.describe_application(ApplicationName=application_name) application_detail = response['ApplicationDetail'] description = application_detail['ApplicationConfigurationDescription'] if 'VpcConfigurationDescriptions' in description: existing = description['VpcConfigurationDescriptions'] vpc_config_id = existing[0]['VpcConfigurationId'] else: vpc_config_id = None
# # # http://www.apache.org/licenses/LICENSE-2.0 # # # # or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES # # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions # # and limitations under the License. # ###################################################################################################################### import boto3, logging, os, json from crhelper import CfnResource from botocore import config config = config.Config(**json.loads(os.environ['AWS_SDK_USER_AGENT'])) client_iam = boto3.client('iam', config=config) helper = CfnResource(json_logging=True, log_level='INFO') logger = logging.getLogger(__name__) def _create_iam_resources(): ''' This function creates the IAM resources required for a no-ingress EC2 environment. https://docs.aws.amazon.com/cloud9/latest/user-guide/ec2-ssm.html#aws-cli-instance-profiles ''' CLOUD9_ROLE = 'AWSCloud9SSMAccessRole' CLOUD9_INSTANCE_PROFILE = 'AWSCloud9SSMInstanceProfile' created_role = False created_instance_profile = False
#!/usr/bin/env python """ Function to generate a random string author: [email protected] license: Apache 2.0 """ import random import string from crhelper import CfnResource CRHELPER = CfnResource() """ Run on Create and Update """ @CRHELPER.create @CRHELPER.update def _generate_random_string(event, _): if event["ResourceProperties"]["Length"] is not None: _length = int(event["ResourceProperties"]["Length"]) else: _length = 8 _seed = f"{string.ascii_letters}{string.digits}" _generated_string = "".join(random.choice(_seed) for x in range(_length))
import json import yaml import boto3 from crhelper import CfnResource import logging import cfnresponse logger = logging.getLogger(__name__) # Initialise the custom_resource_helper, all inputs are optional, this example shows the defaults custom_resource_helper = CfnResource(json_logging=False, log_level='WARN', boto_level='WARN', sleep_on_delete=30) try: ## Init code goes here def read_component_yaml(component_yaml): with open(component_yaml, 'r') as file: return yaml.safe_load(file) def get_existing_component(ib, platform, component_config): existing_component = ib.list_components( owner='Self', filters=[{ 'name': 'name', 'values': [component_config.get('name')] }, { 'name': 'platform', 'values': [platform] }]) if len(existing_component.get('componentVersionList')) > 0:
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. # import boto3, json, time, os, logging, botocore, uuid from crhelper import CfnResource from botocore.exceptions import ClientError logger = logging.getLogger() logger.setLevel(logging.INFO) logging.getLogger('boto3').setLevel(logging.CRITICAL) logging.getLogger('botocore').setLevel(logging.CRITICAL) session = boto3.Session() helper = CfnResource(json_logging=False, log_level='INFO', boto_level='CRITICAL', sleep_on_delete=15) @helper.create @helper.update # This module perform the following: # 1. attempt to create stackset if one does not exist # 2. attempt to deploy stackset instance to target accounts def create(event, context): logger.info(json.dumps(event)) try: firstLaunch = False stackSetName = os.environ['stackSetName'] stackSetUrl = os.environ['stackSetUrl'] newRelicAccId = os.environ['newRelicAccId']
import os import boto3 import logging import urllib.request from crhelper import CfnResource from distutils import util logger = logging.getLogger(__name__) logger.setLevel(logging.INFO) helper = CfnResource(json_logging=True, log_level='DEBUG', boto_level='CRITICAL', sleep_on_delete=120) def assume_role(accountId, region): sts = boto3.client("sts") identity = sts.get_caller_identity() if identity["Account"] == accountId: logger.warning(f"Already in Account '{accountId}', not assuming role...") return boto3.Session(region_name=region) credentials = sts.assume_role(RoleArn=f"arn:aws:iam::{accountId}:role/OrganizationAccountAccessRole", RoleSessionName="IAMSAMLProvider") logger.info(f"Assumed OrganizationAccountAccessRole in {accountId} for access key: {credentials['Credentials']['AccessKeyId']}") assumed = boto3.Session( aws_access_key_id=credentials["Credentials"]["AccessKeyId"], aws_secret_access_key=credentials["Credentials"]["SecretAccessKey"], aws_session_token=credentials["Credentials"]["SessionToken"], region_name=region )
# the License. A copy of the License is located at # # http://aws.amazon.com/apache2.0/ # # or in the "LICENSE.txt" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and # limitations under the License. import logging import time import boto3 from botocore.config import Config from crhelper import CfnResource helper = CfnResource(json_logging=False, log_level="INFO", boto_level="ERROR", sleep_on_delete=0) logger = logging.getLogger(__name__) boto3_config = Config(retries={"max_attempts": 60}) @helper.create @helper.delete def no_op(_, __): pass @helper.update def update(event, _): updated_config_version = event["ResourceProperties"]["ConfigVersion"] logging.info("Updated config version: %s", updated_config_version)
# # # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance # # with the License. A copy of the License is located at # # # # http://www.apache.org/licenses/LICENSE-2.0 # # # # or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES # # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions # # and limitations under the License. # # ##################################################################################################################### from uuid import uuid4 as uuid from crhelper import CfnResource helper = CfnResource(log_level="INFO") @helper.create @helper.update @helper.delete def generate_id(event, _): """ This resource will always generate a 12 hex digit random physical ID if its parameters have changed :param event: The CloudFormation custom resource event :return: the new 12 digit physical ID (also available in Data['Id']) """ physical_id = uuid().hex[0:12] helper.Data["Id"] = physical_id return physical_id
from __future__ import print_function from crhelper import CfnResource import boto3 import logging logger = logging.getLogger(__name__) # Initialise the helper, all inputs are optional, this example shows the defaults helper = CfnResource(json_logging=False, log_level='DEBUG', boto_level='CRITICAL', sleep_on_delete=120, ssl_verify=None) try: ## Init code goes here connect = boto3.client('connect') pass except Exception as e: helper.init_failure(e) @helper.create def create(event, context): logger.info("[Event] %s", event) response = connect.create_user( Username='******', Password='******', IdentityInfo={ 'FirstName': 'Admin', 'LastName': 'istrator',
from __future__ import print_function import logging from time import sleep import boto3 from crhelper import CfnResource logger = logging.getLogger(__name__) helper = CfnResource(json_logging=True, log_level='DEBUG', boto_level='CRITICAL') try: ssm_client = boto3.client('ssm') except Exception as e: helper.init_failure(e) def get_command_output(instance_id, command_id): response = ssm_client.get_command_invocation(CommandId=command_id, InstanceId=instance_id) if response['Status'] in ['Pending', 'InProgress', 'Delayed']: return return response def send_command(instance_id, commands): logger.debug("Sending command to %s : %s" % (instance_id, commands)) try: return ssm_client.send_command(InstanceIds=[instance_id], DocumentName='AWS-RunShellScript', Parameters={'commands': commands})
from __future__ import print_function import logging import boto3 from crhelper import CfnResource logger = logging.getLogger(__name__) helper = CfnResource(json_logging=False, log_level="DEBUG", boto_level="CRITICAL", sleep_on_delete=120) fsx = boto3.client("fsx") @helper.create def create(event, context): logger.info("Got Create") properties = event.get("ResourceProperties", {}) fsx_id = properties.get("FSxFileSystemId") dns_name, private_ip = _fsx_describe_file_systems(fsx_id) helper.Data.update({"FSxDNSName": dns_name, "FSxPrivateIP": private_ip}) @helper.update def update(event, context): logger.info("Got Update")
import os import re import boto3 from botocore.exceptions import ClientError from crhelper import CfnResource # Setup Default Logger logger = logging.getLogger(__name__) logger.setLevel(logging.INFO) """ The purpose of this script is to create and configure an Organization CloudTrail. """ # Initialise the helper, all inputs are optional, this example shows the defaults helper = CfnResource(json_logging=False, log_level="DEBUG", boto_level="CRITICAL") AWS_SERVICE_PRINCIPAL = "cloudtrail.amazonaws.com" try: # Process Environment Variables if "LOG_LEVEL" in os.environ: LOG_LEVEL = os.environ.get("LOG_LEVEL") if isinstance(LOG_LEVEL, str): log_level = logging.getLevelName(LOG_LEVEL.upper()) logger.setLevel(log_level) else: raise ValueError("LOG_LEVEL parameter is not a string") # Required variables
import logging import os import time from typing import Dict, Tuple from crhelper import CfnResource from botocore.exceptions import ClientError from delete_dataset_groups import delete_dataset_groups, ResourcePending logger = logging.getLogger() logger.setLevel(logging.INFO) ssm = boto3.client('ssm') personalize = boto3.client('personalize') cw_events = boto3.client('events') codepipeline = boto3.client('codepipeline') cloudformation_helper = CfnResource() sts = boto3.client('sts') # Where our data is for training bucket = os.environ['csv_bucket'] bucket_path = os.environ.get('csv_path', '') items_filename = bucket_path + "items.csv" users_filename = bucket_path + "users.csv" interactions_filename = bucket_path + "interactions.csv" offer_interactions_filename = bucket_path + "offer_interactions.csv" session = boto3.session.Session() region = session.region_name account_id = sts.get_caller_identity().get('Account')
'Statement': [{ 'Effect': 'Allow', 'Action': [ 'logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:DescribeLogGroups', 'logs:DescribeLogStreams', 'logs:PutLogEvents', 'cloudwatch:ListMetrics', 'cloudwatch:PutMetricData' ], 'Resource': '*' }] } logger = logging.getLogger(__name__) helper = CfnResource(json_logging=True, log_level='DEBUG') cfn = boto3.client('cloudformation') ssm = boto3.client('ssm') iam = boto3.client("iam") sts = boto3.client("sts") identity = sts.get_caller_identity() account_id = identity['Account'] partition = identity['Arn'].split(':')[1] def put_role(role_name, policy, trust_policy): retries = 5 while True: try: try: response = iam.create_role(
import secrets import string import time from datetime import date, datetime import boto3 import requests from crhelper import CfnResource from requests_aws4auth import AWS4Auth __version__ = '2.3.0' print('version: ' + __version__) logger = logging.getLogger(__name__) helper_domain = CfnResource(json_logging=False, log_level='DEBUG', boto_level='CRITICAL', sleep_on_delete=120) helper_config = CfnResource(json_logging=False, log_level='DEBUG', boto_level='CRITICAL', sleep_on_delete=120) client = boto3.client('es') accountid = os.environ['accountid'] region = os.environ['AWS_REGION'] aesdomain = os.environ['aes_domain_name'] myaddress = os.environ['allow_source_address'].split() aes_admin_role = os.environ['aes_admin_role'] es_loader_role = os.environ['es_loader_role'] myiamarn = [accountid]
# runtime install tmp_path = Path(tempfile.gettempdir()) subprocess.check_call([ sys.executable, "-m", "pip", "install", "--target={}".format(tmp_path), "cryptography" ]) sys.path.append(str(tmp_path)) from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa from cryptography import x509 from cryptography.x509.oid import NameOID from cryptography.hazmat.primitives import hashes helper = CfnResource() def generate_key(): key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) return key def generate_self_signed_certificate(key): subject = issuer = x509.Name([ x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"), x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
from controltowersetup import ( AccessAnalyzer, GuardDuty, Macie, Organizations, RAM, ServiceCatalog, ) warnings.filterwarnings("ignore", "No metrics to publish*") tracer = Tracer() logger = Logger() metrics = Metrics() helper = CfnResource(json_logging=True, log_level="INFO", boto_level="INFO") CT_AUDIT_ACCOUNT_NAME = "Audit" SERVICE_ACCESS_PRINCIPALS = { "backup.amazonaws.com", "config.amazonaws.com", "config-multiaccountsetup.amazonaws.com", "guardduty.amazonaws.com", "macie.amazonaws.com", } DELEGATED_ADMINISTRATOR_PRINCIPALS = { "access-analyzer.amazonaws.com", "config-multiaccountsetup.amazonaws.com", "guardduty.amazonaws.com", "macie.amazonaws.com",