def get_organization_root_id():
    """Return the ID of the organization's root container.

    Issues Organizations ``ListRoots`` through the shared client factory and
    takes the first entry; the list is not paginated here. Raises
    ``IndexError`` if the call returns no roots.
    """
    org = get_boto_client("organizations")
    roots = org.list_roots()["Roots"]
    return roots[0]["Id"]
def assume_role(account_id, role_name):
    debug_print("Assuming role.....")
    role_arn = "arn:aws:iam::{0}:role/{1}".format(account_id, role_name)
    client = get_boto_client('sts')
    assumed_role = client.assume_role(
        RoleArn=role_arn, RoleSessionName="account_vending_machine_lambda")

    return assumed_role['Credentials']
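def create_s3_presigned_url(bucket, object, expires_in=3600):
    """Return a presigned ``GetObject`` URL for ``object`` in ``bucket``.

    Args:
        bucket: Bucket name.
        object: Object key. (Parameter name kept for callers; it shadows the
            builtin inside this function only.)
        expires_in: URL lifetime in seconds; defaults to the previous
            hard-coded 3600. Anyone holding the URL can fetch the object until
            it expires, so keep this as short as the consumer allows.

    Returns:
        The presigned URL string.
    """
    s3 = get_boto_client("s3")
    return s3.generate_presigned_url(
        "get_object",
        Params={"Bucket": bucket, "Key": object},
        ExpiresIn=expires_in,
    )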
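def invoke_statemachine(arn, input):
    """Start an execution of the Step Functions state machine ``arn``.

    Args:
        arn: State machine ARN.
        input: Dict passed as the execution input (JSON-encoded). Must carry
            a non-empty ``accountName``, which is used in the execution name.

    Returns:
        The ``StartExecution`` response dict.

    Raises:
        ValueError: if ``input`` lacks ``accountName``. Previously a missing
            name silently produced an execution called ``None-creation-...``.
    """
    account_name = input.get("accountName")
    if not account_name:
        raise ValueError("input must contain a non-empty 'accountName'")

    # Execution names must be unique per state machine and may not contain
    # whitespace, wildcards or most punctuation; the timestamp supplies the
    # uniqueness, the account name is passed through as-is and Step Functions
    # rejects the call if it is not clean.
    execution_name = "{}-creation-{}".format(account_name, time.time())
    sfn = get_boto_client("stepfunctions")
    response = sfn.start_execution(stateMachineArn=arn,
                                   name=execution_name,
                                   input=json.dumps(input))
    debug_print(response)
    return response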
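def main(event):
    """Persist the account event as JSON in the account-data bucket.

    Writes ``event`` to ``<ouName>/<accountName>/<accountId>.json`` in the
    bucket named by ``ACCOUNT_DATA_BUCKET``, using SSE-S3 (AES256).

    Args:
        event: Dict carrying ``ouName``, ``accountName`` and ``accountId``;
            the whole dict is stored as the object body.

    Returns:
        ``event`` unchanged, so the step can be chained.

    Raises:
        ValueError: if one of the three key fields is missing or contains
            ``/``. They originate from the request that triggered the
            pipeline, so they are checked before being used as segments of
            the object key -- a ``/`` would let a request write under another
            OU's or account's prefix, and a missing value used to produce
            keys like ``None/None/None.json``.
        KeyError: if ``ACCOUNT_DATA_BUCKET`` is not set.
    """
    segments = {}
    for field in ("ouName", "accountName", "accountId"):
        value = event.get(field)
        if not value or "/" in str(value):
            raise ValueError(
                "event.{} is missing or contains '/'".format(field))
        segments[field] = value

    bucket = os.environ["ACCOUNT_DATA_BUCKET"]
    key = "{}/{}/{}.json".format(segments["ouName"],
                                 segments["accountName"],
                                 segments["accountId"])
    s3 = get_boto_client("s3")
    s3.put_object(Body=json.dumps(event),
                  Bucket=bucket,
                  Key=key,
                  ServerSideEncryption="AES256")
    return event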
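def create_account(name, email, role, iam_user_access_to_billing="ALLOW"):
    """Request creation of a new member account in the organization.

    Args:
        name: Account name.
        email: Root e-mail address for the new account.
        role: Name of the cross-account role Organizations creates in it.
        iam_user_access_to_billing: Passed as ``IamUserAccessToBilling``;
            defaults to the previous hard-coded ``"ALLOW"``, which lets IAM
            principals in the new account see billing data. Pass ``"DENY"``
            to restrict billing to the root user.

    Returns:
        The ``CreateAccountStatus`` request ID, to be polled with
        ``get_account_creation_status``.
    """
    org = get_boto_client("organizations")
    # NOTE: this logs the root e-mail address; keep debug logging off in
    # environments where log access is broader than account-creation access.
    debug_print("Creating account with {} name and e-mail {}".format(
        name, email))
    response = org.create_account(Email=email,
                                  AccountName=name,
                                  RoleName=role,
                                  IamUserAccessToBilling=iam_user_access_to_billing)
    return response["CreateAccountStatus"]["Id"]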
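def handler(event, context):
    """Lambda entry point for S3 ``ObjectCreated`` notifications.

    For every record in the event, reads the JSON object that was written,
    and starts the account-creation state machine named by the
    ``ACCOUNT_CREATOR_STEPFUNCTION`` environment variable with that JSON as
    input. Returns nothing.

    Notes:
        * S3 URL-encodes object keys in notifications (``my file.json``
          arrives as ``my+file.json``); the key is decoded before the
          ``GetObject`` call, which previously failed for such keys.
        * The bucket name is taken from the event, and the object content is
          handed to the state machine without schema validation; the trust
          boundary is therefore "whoever can write to the notifying bucket".
    """
    from urllib.parse import unquote_plus

    debug_print(json.dumps(event, indent=2))
    step_function_arn = os.environ["ACCOUNT_CREATOR_STEPFUNCTION"]
    s3 = get_boto_client("s3")

    # Direct S3 -> Lambda delivers one record, but iterate anyway so a
    # batched delivery (e.g. via SQS) does not silently drop records.
    for record in event["Records"]:
        s3_event = record["s3"]
        bucket = s3_event["bucket"]["name"]
        key = unquote_plus(s3_event["object"]["key"])

        response = s3.get_object(Bucket=bucket, Key=key)
        content = json.loads(response["Body"].read().decode("utf-8"))
        debug_print(json.dumps(content, indent=2))

        invoke_statemachine(step_function_arn, content)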
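def create_organizational_unit(root_ou_id, ou_name):
    """Return the ID of OU ``ou_name`` under ``root_ou_id``, creating it if absent.

    Args:
        root_ou_id: Parent (root or OU) ID.
        ou_name: Name of the OU to look up or create.

    Returns:
        The existing or newly created OU ID.

    Note:
        Lookup and create are two separate calls, so two concurrent runs for
        the same name can race; Organizations then rejects the second
        ``CreateOrganizationalUnit`` with a duplicate-name error rather than
        creating a duplicate, and that error propagates from here.
    """
    debug_print("Creating new OU if needed with name {}".format(ou_name))

    ou_id = get_ou_id_for_name(root_ou_id, ou_name)
    if ou_id is None:
        org = get_boto_client("organizations")
        response = org.create_organizational_unit(ParentId=root_ou_id,
                                                  Name=ou_name)
        new_ou_id = response["OrganizationalUnit"]["Id"]
        debug_print("Created OU with ID: {}".format(new_ou_id))
        return new_ou_id

    debug_print("OU already existed. ID: {}".format(ou_id))
    return ou_id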
def main(event):
    """Deploy the event's CloudFormation templates into the target account.

    Assumes ``event["accountRole"]`` in ``event["accountId"]`` and runs
    ``deploy_cloudformation_template`` for each entry of
    ``event["cfnTemplates"]`` with a CloudFormation client bound to the
    temporary credentials. Both the account and the role name come straight
    from the event, so the caller decides which account is touched.

    Returns:
        ``event`` unchanged, for chaining.
    """
    creds = assume_role(event.get("accountId"), event.get("accountRole"))
    cfn = get_boto_client("cloudformation",
                          creds["AccessKeyId"],
                          creds["SecretAccessKey"],
                          creds["SessionToken"])

    for tpl in event["cfnTemplates"]:
        deploy_cloudformation_template(cfn, tpl, event)

    return event
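def get_ou_id_for_name(root_id, ou_name):
    """Return the ID of the child OU named ``ou_name`` under ``root_id``.

    Pages through ``ListOrganizationalUnitsForParent`` until the name matches
    or the listing is exhausted.

    Args:
        root_id: Parent (root or OU) ID whose direct children are searched.
        ou_name: Exact, case-sensitive OU name.

    Returns:
        The OU ID string, or ``None`` when no child has that name.

    Bug fixed: a match on any page after the first used to return ``True``
    instead of the ID, which callers then passed on as a parent/destination
    ID. The explicit ``MaxResults`` (10 on the first page, 50 afterwards) is
    dropped in favour of the service default, so every page uses the same
    request shape.
    """
    debug_print("get id for {} in {}".format(ou_name, root_id))
    org = get_boto_client("organizations")

    kwargs = {"ParentId": root_id}
    while True:
        response = org.list_organizational_units_for_parent(**kwargs)
        for ou in response["OrganizationalUnits"]:
            if ou["Name"] == ou_name:
                return ou["Id"]
        next_token = response.get("NextToken")
        if not next_token:
            return None
        kwargs["NextToken"] = next_token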
def get_account_creation_status(account_request_id):
    """Return the raw ``DescribeCreateAccountStatus`` response for a request.

    Args:
        account_request_id: The ``CreateAccountStatus`` ID returned by
            ``create_account``.
    """
    org = get_boto_client("organizations")
    return org.describe_create_account_status(
        CreateAccountRequestId=account_request_id)
def move_account(root_ou_id, ou_id, account_id):
    """Move ``account_id`` from parent ``root_ou_id`` into OU ``ou_id``.

    Thin wrapper over Organizations ``MoveAccount``; the source parent must
    be the account's current parent or the service rejects the call. Returns
    nothing.
    """
    client = get_boto_client("organizations")
    debug_print("Trying to move account....")
    client.move_account(
        AccountId=account_id,
        SourceParentId=root_ou_id,
        DestinationParentId=ou_id,
    )