def validate(self):
if self.manager.action_registry.get('tag') is None:
raise FilterValidationError("Resource does not support tagging")
if self.data.get('days') is not None and (self.data.get('days') < 1 or self.data.get('days') > 90):
raise FilterValidationError("Days must be between 1 and 90")
return self
def validate(self):
if self.get_tz(self.default_tz) is None:
raise FilterValidationError(
"Invalid timezone specified %s" % self.default_tz)
hour = self.data.get("%shour" % self.time_type, self.DEFAULT_HR)
if hour not in self.parser.VALID_HOURS:
raise FilterValidationError("Invalid hour specified %s" % hour)
return self
def validate(self):
if 'modifyable' not in self.manager.data.get('filters', ()):
raise FilterValidationError(
"modify action requires modifyable filter in policy")
if self.data.get('size-percent') < 100 and not self.data.get('shrink', False):
raise FilterValidationError((
"shrinking volumes requires os/fs support "
"or data-loss may ensue, use `shrink: true` to override"))
return self
def validate(self):
if self.factory is None:
raise FilterValidationError(
"The related resource is not a custodian supported azure resource"
)
if (self.data['relatedResource'] == 'azure.roleassignment' or
self.data['relatedResource'] == 'azure.roledefinition'):
raise FilterValidationError(
"The related resource can not be role assignments or role definitions"
)
def validate(self):
if not self.data.get('tags') and not (self.data.get('tag') and self.data.get('value')):
raise FilterValidationError(
"Must specify either tags or a tag and value")
if self.data.get('tags') and self.data.get('tag'):
raise FilterValidationError(
"Can't specify both tags and tag, choose one")
return self
def validate(self):
op = self.data.get('op')
if self.manager and op not in self.manager.action_registry.keys():
raise FilterValidationError("Invalid marked-for-op op:%s" % op)
tz = zoneinfo.gettz(Time.TZ_ALIASES.get(self.data.get('tz', 'utc')))
if not tz:
raise FilterValidationError("Invalid timezone specified '%s'" %
self.data.get('tz'))
return self
def validate(self):
if self.get_tz(self.default_tz) is None:
raise FilterValidationError("Invalid timezone specified %s" %
self.default_tz)
hour = self.data.get("%shour" % self.time_type, self.DEFAULT_HR)
if hour not in self.parser.VALID_HOURS:
raise FilterValidationError("Invalid hour specified %s" % hour)
if 'skip-days' in self.data and 'skip-days-from' in self.data:
raise FilterValidationError(
"Cannot specify two sets of skip days %s" % self.data)
return self
def validate(self):
op = self.data.get('op')
if self.manager and op not in self.manager.action_registry.keys():
raise FilterValidationError(
"mark-for-op specifies invalid op:%s in %s" %
(op, self.manager.data))
self.tz = tzutil.gettz(Time.TZ_ALIASES.get(self.data.get('tz', 'utc')))
if not self.tz:
raise FilterValidationError("Invalid timezone specified %s in %s" %
(self.tz, self.manager.data))
def validate(self):
# Check that variable values are valid
if PORTS in self.data:
if not PortsRangeHelper.validate_ports_string(self.data[PORTS]):
raise FilterValidationError("ports string has wrong format.")
if EXCEPT_PORTS in self.data:
if not PortsRangeHelper.validate_ports_string(self.data[EXCEPT_PORTS]):
raise FilterValidationError("exceptPorts string has wrong format.")
return True
def validate(self):
op = self.data.get('op')
if self.manager and op not in self.manager.action_registry.keys():
raise FilterValidationError("Invalid marked-for-op op:%s in %s" %
(op, self.manager.data))
tz = Time.get_tz(self.data.get('tz', 'utc'))
if not tz:
raise FilterValidationError(
"Invalid timezone specified '%s' in %s" %
(self.data.get('tz'), self.manager.data))
return self
def validate(self):
if 'whitelist' in self.data and 'blacklist' in self.data:
raise FilterValidationError(
"cannot specify whitelist and black list")
if 'whitelist' not in self.data and 'blacklist' not in self.data:
raise FilterValidationError(
"must specify either policy blacklist or whitelist")
if ('blacklist' in self.data
and not isinstance(self.data['blacklist'], list)):
raise FilterValidationError("blacklist must be a list")
return self
def validate(self):
self.policy_include = IpRangeHelper.parse_ip_ranges(self.data, 'include')
self.policy_equal = IpRangeHelper.parse_ip_ranges(self.data, 'equal')
has_include = self.policy_include is not None
has_equal = self.policy_equal is not None
if has_include and has_equal:
raise FilterValidationError('Cannot have both include and equal.')
if not has_include and not has_equal:
raise FilterValidationError('Must have either include or equal.')
return True
def validate(self):
if self.manager.action_registry.get('tag') is None:
raise FilterValidationError("Resource does not support tagging")
if self.manager.data.get('mode', {}).get('type') == 'azure-event-grid' \
and self.data.get('days') is not None:
raise PolicyValidationError(
"Auto tag user in event mode does not use days.")
if (self.data.get('days') is not None
and (self.data.get('days') < 1 or self.data.get('days') > 90)):
raise FilterValidationError("Days must be between 1 and 90")
return self
def _check_rules(self, resource_rules):
if self.policy_equal is not None:
return self.policy_equal == resource_rules
elif self.policy_include is not None:
return self.policy_include.issubset(resource_rules)
else: # validated earlier, can never happen
raise FilterValidationError("Internal error.")
def validate(self):
diff_filters = [n for n in self.manager.filters if isinstance(
n, SecurityGroupDiffFilter)]
if not len(diff_filters):
raise FilterValidationError(
"resource patching requires diff filter")
return self
def validate(self):
super(AutoTagDate, self).validate()
try:
datetime.datetime.now().strftime(self.format)
except Exception:
raise FilterValidationError(
"'%s' string has invalid datetime format." % self.format)
def validate(self):
if self.data.get('state') == 'enabled':
if 'bucket' not in self.data or 'prefix' not in self.data:
raise FilterValidationError(
("alb logging enablement requires `bucket` "
"and `prefix` specification"))
return self
def process(self, resources):
self.tz = zoneinfo.gettz(
Time.TZ_ALIASES.get(self.data.get('tz', 'utc')))
if not self.tz:
raise FilterValidationError("Invalid timezone specified %s" %
self.tz)
self.id_key = self.manager.get_model().id
# Move this to policy? / no resources bypasses actions?
if not len(resources):
return
msg_tmpl = self.data.get('msg', self.default_template)
op = self.data.get('op', 'stop')
tag = self.data.get('tag', DEFAULT_TAG)
days = self.data.get('days', 0)
hours = self.data.get('hours', 0)
action_date = self.generate_timestamp(days, hours)
msg = msg_tmpl.format(op=op, action_date=action_date)
self.log.info("Tagging %d resources for %s on %s" %
(len(resources), op, action_date))
tags = [{'Key': tag, 'Value': msg}]
batch_size = self.data.get('batch_size', self.batch_size)
_common_tag_processer(self.executor_factory, batch_size,
self.concurrency, self.process_resource_set,
self.id_key, resources, tags, self.log)
def validate(self):
if self.data.get('encrypted', True):
key = self.data.get('target_key')
if not key:
raise FilterValidationError(
"Encrypted snapshot copy requires kms key")
return self
def validate(self):
region = self.manager.data.get('region', '')
if len(self.global_services.intersection(self.data.get('services', []))):
if region != 'us-east-1':
raise FilterValidationError(
"Global services: %s must be targeted in us-east-1 on the policy"
% ', '.join(self.global_services))
return self
def validate(self):
found = False
for f in self.manager.filters:
if isinstance(f, LatestSnapshot):
found = True
if not found:
# do we really need this...
raise FilterValidationError(
"must filter by latest to use restore action")
return self
def validate(self):
found = False
for f in self.manager.filters:
if isinstance(f, WafEnabled):
found = True
break
if not found:
# try to ensure idempotent usage
raise FilterValidationError(
"set-waf should be used in conjunction with waf-enabled filter")
return self
def validate(self):
if 'whitelist' in self.data and 'blacklist' in self.data:
raise FilterValidationError(
"cannot specify whitelist and black list")
if 'whitelist' not in self.data and 'blacklist' not in self.data:
raise FilterValidationError(
"must specify either policy blacklist or whitelist")
if ('blacklist' in self.data
and not isinstance(self.data['blacklist'], list)):
raise FilterValidationError("blacklist must be a list")
if 'matching' in self.data:
# Sanity check that we can compile
try:
re.compile(self.data['matching'])
except re.error as e:
raise FilterValidationError("Invalid regex: %s %s" %
(e, self.data))
return self
def validate(self):
if 'selector' in self.data and self.data['selector'] == 'date':
if 'selector_value' not in self.data:
raise FilterValidationError(
"Date version selector requires specification of date")
try:
parse_date(self.data['selector_value'])
except ValueError:
raise FilterValidationError("Invalid date for selector_value")
elif 'selector' in self.data and self.data['selector'] == 'locked':
idx = self.manager.data['filters'].index(self.data)
found = False
for n in self.manager.data['filters'][:idx]:
if isinstance(n, dict) and n.get('type', '') == 'locked':
found = True
if isinstance(n, six.string_types) and n == 'locked':
found = True
if not found:
raise FilterValidationError(
"locked selector needs previous use of is-locked filter")
return self
def validate(self):
if not self.data.get('matched'):
return
listeners = [f for f in self.manager.filters
if isinstance(f, self.__class__)]
found = False
for f in listeners[:listeners.index(self)]:
if not f.data.get('matched', False):
found = True
break
if not found:
raise FilterValidationError(
"matched listener filter, requires preceding listener filter")
return self
def _check_bypass(self, bypass_set):
if self.mode == 'equal':
return self.list == bypass_set
elif self.mode == 'include':
return self.list.issubset(bypass_set)
elif self.mode == 'any':
return not self.list.isdisjoint(bypass_set)
elif self.mode == 'only':
return bypass_set.issubset(self.list)
else: # validated earlier, can never happen
raise FilterValidationError("Internal error.")
def validate(self):
op = self.data.get('op')
if self.manager and op not in self.manager.action_registry.keys():
raise FilterValidationError(
"mark-for-op specifies invalid op:%s" % op)
return self
def validate(self):
if self.manager.data.get('mode'):
raise FilterValidationError(
"invalid-config makes too many queries to be run in lambda")
return self
def validate(self):
if not self.data.get('labels') and not self.data.get('remove'):
raise FilterValidationError("Must specify one of labels or remove")
def validate(self):
if self.data.get('space') < 0 or self.data.get('space') > 15:
raise FilterValidationError("Space must be between 0 and 15")
return self
