import logging
from functools import wraps
import yaml
import boto3
from crhelper import CfnResource
from kubernetes.client.rest import ApiException
from overpass.config import CONFIG
from overpass.kube import create_kube_config, KubeWrapper
LOGGER = logging.getLogger(__name__)
# Initialise the helper, all inputs are optional, this example shows the defaults
helper = CfnResource(json_logging=False, log_level='INFO', boto_level='WARN')
try:
create_kube_config(CONFIG.KUBE_FILEPATH, boto3.client('eks', region_name=CONFIG.REGION), CONFIG.CLUSTER_NAME, CONFIG.KUBE_USER)
except Exception as ex:
helper.init_failure(ex)
def authenticate(func):
@wraps(func)
def wrapped(event, context):
kube_wrapper = KubeWrapper(CONFIG.CLUSTER_NAME, CONFIG.REGION, CONFIG.AUTH_BACKEND, CONFIG.KUBE_FILEPATH)
return func(event, context, kube_wrapper)
return wrapped
@helper.create
@authenticate
# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance #
# with the License. A copy of the License is located at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES #
# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions #
# and limitations under the License. #
######################################################################################################################
import logging, uuid, requests
from crhelper import CfnResource
from datetime import datetime
logger = logging.getLogger(__name__)
helper = CfnResource(log_level='INFO')
METRICS_ENDPOINT = 'https://metrics.awssolutionsbuilder.com/generic'
def _sanitize_data(resource_properties):
# Remove ServiceToken (lambda arn) to avoid sending AccountId
resource_properties.pop('ServiceToken', None)
resource_properties.pop('Resource', None)
# Solution ID and unique ID are sent separately
resource_properties.pop('Solution', None)
resource_properties.pop('UUID', None)
return resource_properties
import boto3
import logging
from crhelper import CfnResource
logger = logging.getLogger(__name__)
helper = CfnResource(polling_interval=1)
try:
pass
except Exception as e:
helper.init_failure(e)
def start_build(project_name, environment_variables_override):
codebuild = boto3.client("codebuild")
bootstrapper_build = codebuild.start_build(
projectName=project_name,
environmentVariablesOverride=environment_variables_override,
).get("build")
return bootstrapper_build.get("id")
def get_details_needed_for_build(event):
request_type = event["RequestType"]
properties = event.get("ResourceProperties")
if request_type in ["Create", "Update"]:
project_name = properties.get("CreateUpdateProject")
else:
project_name = properties.get("DeleteProject")
import logging
import os
import boto3
from crhelper import CfnResource
CODEBUILD_BUILD_ID_KEY = "CodeBuildBuildId"
helper = CfnResource(json_logging=False, log_level="INFO")
def trigger_codebuild_project(**kwargs):
"""Trigger CodeBuild projects using the given configuration."""
codebuild_client = boto3.client("codebuild",
region_name=os.environ["AWS_REGION"])
response = codebuild_client.start_build(**kwargs)
logging.info(
"Started build #%s of CodeBuild project %s with ID %s",
response.get("build", {}).get("buildNumber"),
response.get("build").get("projectName"),
response.get("build").get("id"),
)
return response
def get_build_status(build_id):
"""Get the status of specified build of a CodeBuild project."""
codebuild_client = boto3.client("codebuild",
region_name=os.environ["AWS_REGION"])
response = codebuild_client.batch_get_builds(ids=[build_id])
logging.info(f"detailed status for build {build_id}:\n{response}")
return response.get("builds")[0].get("buildStatus")
if TYPE_CHECKING:
from aws_lambda_typing.context import Context
from aws_lambda_typing.events import CloudFormationCustomResourceEvent
from mypy_boto3_config.client import ConfigServiceClient
from mypy_boto3_config.type_defs import AccountAggregationSourceTypeDef
from mypy_boto3_sts.client import STSClient
# Setup Default Logger
LOGGER = logging.getLogger(__name__)
log_level = os.environ.get("LOG_LEVEL", logging.ERROR)
LOGGER.setLevel(log_level)
# Initialize the helper
helper = CfnResource(json_logging=True,
log_level=log_level,
boto_level="CRITICAL",
sleep_on_delete=120)
def assume_role(role: str,
role_session_name: str,
account: str = None,
session: boto3.Session = None) -> boto3.Session:
"""Assumes the provided role in the given account and returns a session.
Args:
role: Role to assume in target account.
role_session_name: Identifier for the assumed role session.
account: AWS account number. Defaults to None.
session: Boto3 session. Defaults to None.
"""Elasticsearch Domain Access Policy Updates Lambda
Executes Elasticsearch Domain Access Policy updates to allow AWS Services permissions to the domain
"""
from botocore.exceptions import ClientError
from crhelper import CfnResource
from typing import Tuple
import logging
import boto3
import json
import os
helper = CfnResource(json_logging=False,
log_level='INFO',
boto_level='CRITICAL')
es = boto3.client('es')
def handler(event: dict, context: dict) -> None:
"""AWS Lambda function handler - Elasticsearch Domain Access Policy Updates function
:type: dict
:param: event: aws cloudformation custom resource event
:type: dict
:param: context: aws lambda function environment context
:rtype: None
"""
logger: 'logging.Logger' = log(__name__.upper())
logger.info(f'EVENT: {event}')
# #
# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance #
# with the License. A copy of the License is located at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES #
# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions #
# and limitations under the License. #
######################################################################################################################
import boto3, logging
from crhelper import CfnResource
client_kinesis_analytics = boto3.client('kinesisanalyticsv2')
helper = CfnResource(json_logging=True)
logger = logging.getLogger(__name__)
def _filter_empty_items(str_list):
return list(filter(None, str_list))
def _get_application_details(application_name):
response = client_kinesis_analytics.describe_application(ApplicationName=application_name)
application_detail = response['ApplicationDetail']
description = application_detail['ApplicationConfigurationDescription']
if 'VpcConfigurationDescriptions' in description:
existing = description['VpcConfigurationDescriptions']
vpc_config_id = existing[0]['VpcConfigurationId']
else:
vpc_config_id = None
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES #
# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions #
# and limitations under the License. #
######################################################################################################################
import boto3, logging, os, json
from crhelper import CfnResource
from botocore import config
config = config.Config(**json.loads(os.environ['AWS_SDK_USER_AGENT']))
client_iam = boto3.client('iam', config=config)
helper = CfnResource(json_logging=True, log_level='INFO')
logger = logging.getLogger(__name__)
def _create_iam_resources():
'''
This function creates the IAM resources required for a no-ingress EC2 environment.
https://docs.aws.amazon.com/cloud9/latest/user-guide/ec2-ssm.html#aws-cli-instance-profiles
'''
CLOUD9_ROLE = 'AWSCloud9SSMAccessRole'
CLOUD9_INSTANCE_PROFILE = 'AWSCloud9SSMInstanceProfile'
created_role = False
created_instance_profile = False
#!/usr/bin/env python """ Function to generate a random string author: [email protected] license: Apache 2.0 """ import random import string from crhelper import CfnResource CRHELPER = CfnResource() """ Run on Create and Update """ @CRHELPER.create @CRHELPER.update def _generate_random_string(event, _): if event["ResourceProperties"]["Length"] is not None: _length = int(event["ResourceProperties"]["Length"]) else: _length = 8 _seed = f"{string.ascii_letters}{string.digits}" _generated_string = "".join(random.choice(_seed) for x in range(_length))
import json
import yaml
import boto3
from crhelper import CfnResource
import logging
import cfnresponse
logger = logging.getLogger(__name__)
# Initialise the custom_resource_helper, all inputs are optional, this example shows the defaults
custom_resource_helper = CfnResource(json_logging=False,
log_level='WARN',
boto_level='WARN',
sleep_on_delete=30)
try:
## Init code goes here
def read_component_yaml(component_yaml):
with open(component_yaml, 'r') as file:
return yaml.safe_load(file)
def get_existing_component(ib, platform, component_config):
existing_component = ib.list_components(
owner='Self',
filters=[{
'name': 'name',
'values': [component_config.get('name')]
}, {
'name': 'platform',
'values': [platform]
}])
if len(existing_component.get('componentVersionList')) > 0:
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
import boto3, json, time, os, logging, botocore, uuid
from crhelper import CfnResource
from botocore.exceptions import ClientError
logger = logging.getLogger()
logger.setLevel(logging.INFO)
logging.getLogger('boto3').setLevel(logging.CRITICAL)
logging.getLogger('botocore').setLevel(logging.CRITICAL)
session = boto3.Session()
helper = CfnResource(json_logging=False,
log_level='INFO',
boto_level='CRITICAL',
sleep_on_delete=15)
@helper.create
@helper.update
# This module perform the following:
# 1. attempt to create stackset if one does not exist
# 2. attempt to deploy stackset instance to target accounts
def create(event, context):
logger.info(json.dumps(event))
try:
firstLaunch = False
stackSetName = os.environ['stackSetName']
stackSetUrl = os.environ['stackSetUrl']
newRelicAccId = os.environ['newRelicAccId']
import os
import boto3
import logging
import urllib.request
from crhelper import CfnResource
from distutils import util
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)
helper = CfnResource(json_logging=True, log_level='DEBUG', boto_level='CRITICAL', sleep_on_delete=120)
def assume_role(accountId, region):
sts = boto3.client("sts")
identity = sts.get_caller_identity()
if identity["Account"] == accountId:
logger.warning(f"Already in Account '{accountId}', not assuming role...")
return boto3.Session(region_name=region)
credentials = sts.assume_role(RoleArn=f"arn:aws:iam::{accountId}:role/OrganizationAccountAccessRole", RoleSessionName="IAMSAMLProvider")
logger.info(f"Assumed OrganizationAccountAccessRole in {accountId} for access key: {credentials['Credentials']['AccessKeyId']}")
assumed = boto3.Session(
aws_access_key_id=credentials["Credentials"]["AccessKeyId"],
aws_secret_access_key=credentials["Credentials"]["SecretAccessKey"],
aws_session_token=credentials["Credentials"]["SessionToken"],
region_name=region
)
# the License. A copy of the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "LICENSE.txt" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions and
# limitations under the License.
import logging
import time
import boto3
from botocore.config import Config
from crhelper import CfnResource
helper = CfnResource(json_logging=False,
log_level="INFO",
boto_level="ERROR",
sleep_on_delete=0)
logger = logging.getLogger(__name__)
boto3_config = Config(retries={"max_attempts": 60})
@helper.create
@helper.delete
def no_op(_, __):
pass
@helper.update
def update(event, _):
updated_config_version = event["ResourceProperties"]["ConfigVersion"]
logging.info("Updated config version: %s", updated_config_version)
# #
# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance #
# with the License. A copy of the License is located at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES #
# OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions #
# and limitations under the License. #
# #####################################################################################################################
from uuid import uuid4 as uuid
from crhelper import CfnResource
helper = CfnResource(log_level="INFO")
@helper.create
@helper.update
@helper.delete
def generate_id(event, _):
"""
This resource will always generate a 12 hex digit random physical ID if its parameters have changed
:param event: The CloudFormation custom resource event
:return: the new 12 digit physical ID (also available in Data['Id'])
"""
physical_id = uuid().hex[0:12]
helper.Data["Id"] = physical_id
return physical_id
from __future__ import print_function
from crhelper import CfnResource
import boto3
import logging
logger = logging.getLogger(__name__)
# Initialise the helper, all inputs are optional, this example shows the defaults
helper = CfnResource(json_logging=False,
log_level='DEBUG',
boto_level='CRITICAL',
sleep_on_delete=120,
ssl_verify=None)
try:
## Init code goes here
connect = boto3.client('connect')
pass
except Exception as e:
helper.init_failure(e)
@helper.create
def create(event, context):
logger.info("[Event] %s", event)
response = connect.create_user(
Username='******',
Password='******',
IdentityInfo={
'FirstName': 'Admin',
'LastName': 'istrator',
from __future__ import print_function
import logging
from time import sleep
import boto3
from crhelper import CfnResource
logger = logging.getLogger(__name__)
helper = CfnResource(json_logging=True,
log_level='DEBUG',
boto_level='CRITICAL')
try:
ssm_client = boto3.client('ssm')
except Exception as e:
helper.init_failure(e)
def get_command_output(instance_id, command_id):
response = ssm_client.get_command_invocation(CommandId=command_id,
InstanceId=instance_id)
if response['Status'] in ['Pending', 'InProgress', 'Delayed']:
return
return response
def send_command(instance_id, commands):
logger.debug("Sending command to %s : %s" % (instance_id, commands))
try:
return ssm_client.send_command(InstanceIds=[instance_id],
DocumentName='AWS-RunShellScript',
Parameters={'commands': commands})
from __future__ import print_function
import logging
import boto3
from crhelper import CfnResource
logger = logging.getLogger(__name__)
helper = CfnResource(json_logging=False,
log_level="DEBUG",
boto_level="CRITICAL",
sleep_on_delete=120)
fsx = boto3.client("fsx")
@helper.create
def create(event, context):
logger.info("Got Create")
properties = event.get("ResourceProperties", {})
fsx_id = properties.get("FSxFileSystemId")
dns_name, private_ip = _fsx_describe_file_systems(fsx_id)
helper.Data.update({"FSxDNSName": dns_name, "FSxPrivateIP": private_ip})
@helper.update
def update(event, context):
logger.info("Got Update")
import os
import re
import boto3
from botocore.exceptions import ClientError
from crhelper import CfnResource
# Setup Default Logger
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)
"""
The purpose of this script is to create and configure an Organization CloudTrail.
"""
# Initialise the helper, all inputs are optional, this example shows the defaults
helper = CfnResource(json_logging=False,
log_level="DEBUG",
boto_level="CRITICAL")
AWS_SERVICE_PRINCIPAL = "cloudtrail.amazonaws.com"
try:
# Process Environment Variables
if "LOG_LEVEL" in os.environ:
LOG_LEVEL = os.environ.get("LOG_LEVEL")
if isinstance(LOG_LEVEL, str):
log_level = logging.getLevelName(LOG_LEVEL.upper())
logger.setLevel(log_level)
else:
raise ValueError("LOG_LEVEL parameter is not a string")
# Required variables
import logging
import os
import time
from typing import Dict, Tuple
from crhelper import CfnResource
from botocore.exceptions import ClientError
from delete_dataset_groups import delete_dataset_groups, ResourcePending
logger = logging.getLogger()
logger.setLevel(logging.INFO)
ssm = boto3.client('ssm')
personalize = boto3.client('personalize')
cw_events = boto3.client('events')
codepipeline = boto3.client('codepipeline')
cloudformation_helper = CfnResource()
sts = boto3.client('sts')
# Where our data is for training
bucket = os.environ['csv_bucket']
bucket_path = os.environ.get('csv_path', '')
items_filename = bucket_path + "items.csv"
users_filename = bucket_path + "users.csv"
interactions_filename = bucket_path + "interactions.csv"
offer_interactions_filename = bucket_path + "offer_interactions.csv"
session = boto3.session.Session()
region = session.region_name
account_id = sts.get_caller_identity().get('Account')
'Statement': [{
'Effect':
'Allow',
'Action': [
'logs:CreateLogGroup', 'logs:CreateLogStream',
'logs:DescribeLogGroups', 'logs:DescribeLogStreams',
'logs:PutLogEvents', 'cloudwatch:ListMetrics',
'cloudwatch:PutMetricData'
],
'Resource':
'*'
}]
}
logger = logging.getLogger(__name__)
helper = CfnResource(json_logging=True, log_level='DEBUG')
cfn = boto3.client('cloudformation')
ssm = boto3.client('ssm')
iam = boto3.client("iam")
sts = boto3.client("sts")
identity = sts.get_caller_identity()
account_id = identity['Account']
partition = identity['Arn'].split(':')[1]
def put_role(role_name, policy, trust_policy):
retries = 5
while True:
try:
try:
response = iam.create_role(
import secrets
import string
import time
from datetime import date, datetime
import boto3
import requests
from crhelper import CfnResource
from requests_aws4auth import AWS4Auth
__version__ = '2.3.0'
print('version: ' + __version__)
logger = logging.getLogger(__name__)
helper_domain = CfnResource(json_logging=False,
log_level='DEBUG',
boto_level='CRITICAL',
sleep_on_delete=120)
helper_config = CfnResource(json_logging=False,
log_level='DEBUG',
boto_level='CRITICAL',
sleep_on_delete=120)
client = boto3.client('es')
accountid = os.environ['accountid']
region = os.environ['AWS_REGION']
aesdomain = os.environ['aes_domain_name']
myaddress = os.environ['allow_source_address'].split()
aes_admin_role = os.environ['aes_admin_role']
es_loader_role = os.environ['es_loader_role']
myiamarn = [accountid]
# runtime install
tmp_path = Path(tempfile.gettempdir())
subprocess.check_call([
sys.executable, "-m", "pip", "install", "--target={}".format(tmp_path),
"cryptography"
])
sys.path.append(str(tmp_path))
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
helper = CfnResource()
def generate_key():
key = rsa.generate_private_key(public_exponent=65537,
key_size=2048,
backend=default_backend())
return key
def generate_self_signed_certificate(key):
subject = issuer = x509.Name([
x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),
x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
from controltowersetup import (
AccessAnalyzer,
GuardDuty,
Macie,
Organizations,
RAM,
ServiceCatalog,
)
warnings.filterwarnings("ignore", "No metrics to publish*")
tracer = Tracer()
logger = Logger()
metrics = Metrics()
helper = CfnResource(json_logging=True, log_level="INFO", boto_level="INFO")
CT_AUDIT_ACCOUNT_NAME = "Audit"
SERVICE_ACCESS_PRINCIPALS = {
"backup.amazonaws.com",
"config.amazonaws.com",
"config-multiaccountsetup.amazonaws.com",
"guardduty.amazonaws.com",
"macie.amazonaws.com",
}
DELEGATED_ADMINISTRATOR_PRINCIPALS = {
"access-analyzer.amazonaws.com",
"config-multiaccountsetup.amazonaws.com",
"guardduty.amazonaws.com",
"macie.amazonaws.com",