def apply(self, input_list: RoleList) -> RoleList:
now = datetime.datetime.now()
if self.config:
days_delta = self.config.get("minimum_age", 90)
else:
log.info("Minimum age not set in config, using default 90 days")
days_delta = 90
ago = datetime.timedelta(days=days_delta)
too_young = RoleList([])
for role in input_list:
if not role.create_date:
log.warning(f"Role {role.role_name} is missing create_date")
too_young.append(role)
continue
# Ensure create_date is an offset-naive datetime
create_date = datetime.datetime.fromtimestamp(
role.create_date.timestamp())
if create_date > now - ago:
log.info(
f"Role {role.role_name} created too recently to cleanup. ({create_date})"
)
too_young.append(role)
return too_young
def apply(self, input_list: RoleList) -> RoleList:
blocklisted_roles = RoleList([])
for role in input_list:
if (role.role_name.lower() in self.blocklisted_role_names
or role.arn in self.blocklisted_arns):
blocklisted_roles.append(role)
return blocklisted_roles
def _repo_all_roles(
account_number: str,
config: RepokidConfig,
hooks: RepokidHooks,
commit: bool = False,
scheduled: bool = True,
limit: int = -1,
) -> None:
"""
Repo all scheduled or eligible roles in an account. Collect any errors and display them at the end.
Args:
account_number (string)
dynamo_table
config
commit (bool): actually make the changes
scheduled (bool): if True only repo the scheduled roles, if False repo all the (eligible) roles
limit (int): limit number of roles to be repoed per run (< 0 is unlimited)
Returns:
None
"""
access_advisor_datasource = AccessAdvisorDatasource()
access_advisor_datasource.seed(account_number)
iam_datasource = IAMDatasource()
role_arns = iam_datasource.seed(account_number)
errors = []
roles = RoleList.from_arns(role_arns, config=config)
roles = roles.get_active()
if scheduled:
roles = roles.get_scheduled()
if not roles:
LOGGER.info(f"No roles to repo in account {account_number}")
return
LOGGER.info(
"Repoing these {}roles from account {}:\n\t{}".format(
"scheduled " if scheduled else "",
account_number,
", ".join([role.role_name for role in roles]),
)
)
repokid.hooks.call_hooks(
hooks, "BEFORE_REPO_ROLES", {"account_number": account_number, "roles": roles}
)
count = 0
repoed = RoleList([])
for role in roles:
if limit >= 0 and count == limit:
break
role_errors = role.repo(hooks, commit=commit, scheduled=scheduled)
if role_errors:
errors.extend(role_errors)
repoed.append(role)
count += 1
if errors:
LOGGER.error(f"Error(s) during repo in account: {account_number}: {errors}")
LOGGER.info(f"Successfully repoed {count} roles in account {account_number}")
repokid.hooks.call_hooks(
hooks,
"AFTER_REPO_ROLES",
{"account_number": account_number, "roles": repoed, "errors": errors},
)