def validate(self):
if self.data.get('encrypted', True):
key = self.data.get('target_key')
if not key:
raise FilterValidationError(
"Encrypted snapshot copy requires kms key")
return self
def validate(self):
diff_filters = [n for n in self.manager.filters if isinstance(
n, SecurityGroupDiffFilter)]
if not len(diff_filters):
raise FilterValidationError(
"resource patching requires diff filter")
return self
def _check_rules(self, resource_rules):
if self.policy_equal is not None:
return self.policy_equal == resource_rules
elif self.policy_include is not None:
return self.policy_include.issubset(resource_rules)
else: # validated earlier, can never happen
raise FilterValidationError("Internal error.")
def validate(self):
super(AutoTagDate, self).validate()
try:
datetime.datetime.now().strftime(self.format)
except Exception:
raise FilterValidationError(
"'%s' string has invalid datetime format." % self.format)
def validate(self):
if self.data.get('state') == 'enabled':
if 'bucket' not in self.data or 'prefix' not in self.data:
raise FilterValidationError(
("alb logging enablement requires `bucket` "
"and `prefix` specification"))
return self
def process(self, resources):
self.tz = zoneinfo.gettz(
Time.TZ_ALIASES.get(self.data.get('tz', 'utc')))
if not self.tz:
raise FilterValidationError("Invalid timezone specified %s" %
self.tz)
self.id_key = self.manager.get_model().id
# Move this to policy? / no resources bypasses actions?
if not len(resources):
return
msg_tmpl = self.data.get('msg', self.default_template)
op = self.data.get('op', 'stop')
tag = self.data.get('tag', DEFAULT_TAG)
days = self.data.get('days', 0)
hours = self.data.get('hours', 0)
action_date = self.generate_timestamp(days, hours)
msg = msg_tmpl.format(op=op, action_date=action_date)
self.log.info("Tagging %d resources for %s on %s" %
(len(resources), op, action_date))
tags = [{'Key': tag, 'Value': msg}]
batch_size = self.data.get('batch_size', self.batch_size)
_common_tag_processer(self.executor_factory, batch_size,
self.concurrency, self.process_resource_set,
self.id_key, resources, tags, self.log)
def validate(self):
region = self.manager.data.get('region', '')
if len(self.global_services.intersection(self.data.get('services', []))):
if region != 'us-east-1':
raise FilterValidationError(
"Global services: %s must be targeted in us-east-1 on the policy"
% ', '.join(self.global_services))
return self
def validate(self):
found = False
for f in self.manager.filters:
if isinstance(f, LatestSnapshot):
found = True
if not found:
# do we really need this...
raise FilterValidationError(
"must filter by latest to use restore action")
return self
def validate(self):
found = False
for f in self.manager.filters:
if isinstance(f, WafEnabled):
found = True
break
if not found:
# try to ensure idempotent usage
raise FilterValidationError(
"set-waf should be used in conjunction with waf-enabled filter")
return self
def validate(self):
if self.manager.data.get('mode', {}).get('type') == 'azure-event-grid' \
and self.data.get('days') is not None:
raise PolicyValidationError(
"Auto tag actions in event mode does not use days.")
if (self.data.get('days') is not None and
(self.data.get('days') < 1 or self.data.get('days') > 90)):
raise FilterValidationError("Days must be between 1 and 90")
return self
def validate(self):
if 'whitelist' in self.data and 'blacklist' in self.data:
raise FilterValidationError(
"cannot specify whitelist and black list")
if 'whitelist' not in self.data and 'blacklist' not in self.data:
raise FilterValidationError(
"must specify either policy blacklist or whitelist")
if ('blacklist' in self.data
and not isinstance(self.data['blacklist'], list)):
raise FilterValidationError("blacklist must be a list")
if 'matching' in self.data:
# Sanity check that we can compile
try:
re.compile(self.data['matching'])
except re.error as e:
raise FilterValidationError("Invalid regex: %s %s" %
(e, self.data))
return self
def validate(self):
if 'selector' in self.data and self.data['selector'] == 'date':
if 'selector_value' not in self.data:
raise FilterValidationError(
"Date version selector requires specification of date")
try:
parse_date(self.data['selector_value'])
except ValueError:
raise FilterValidationError("Invalid date for selector_value")
elif 'selector' in self.data and self.data['selector'] == 'locked':
idx = self.manager.data['filters'].index(self.data)
found = False
for n in self.manager.data['filters'][:idx]:
if isinstance(n, dict) and n.get('type', '') == 'locked':
found = True
if isinstance(n, six.string_types) and n == 'locked':
found = True
if not found:
raise FilterValidationError(
"locked selector needs previous use of is-locked filter")
return self
def validate(self):
if not self.data.get('matched'):
return
listeners = [f for f in self.manager.filters
if isinstance(f, self.__class__)]
found = False
for f in listeners[:listeners.index(self)]:
if not f.data.get('matched', False):
found = True
break
if not found:
raise FilterValidationError(
"matched listener filter, requires preceding listener filter")
return self
def _check_bypass(self, bypass_set):
if self.mode == 'equal':
return self.list == bypass_set
elif self.mode == 'include':
return self.list.issubset(bypass_set)
elif self.mode == 'any':
return not self.list.isdisjoint(bypass_set)
elif self.mode == 'only':
return bypass_set.issubset(self.list)
else: # validated earlier, can never happen
raise FilterValidationError("Internal error.")
def validate(self):
op = self.data.get('op')
if self.manager and op not in self.manager.action_registry.keys():
raise FilterValidationError(
"mark-for-op specifies invalid op:%s" % op)
return self
def validate(self):
if self.manager.data.get('mode'):
raise FilterValidationError(
"invalid-config makes too many queries to be run in lambda")
return self
def validate(self):
if not isinstance(self.data.get('value', True), bool):
raise FilterValidationError(
"invalid config: expected boolean value")
return self
def validate(self):
if self.data.get('space') < 0 or self.data.get('space') > 15:
raise FilterValidationError("Space must be between 0 and 15")
return self
def validate(self):
if not self.data.get('labels') and not self.data.get('remove'):
raise FilterValidationError("Must specify one of labels or remove")
def validate(self):
if self.data.get('skip-ami-snapshots', not True or False):
raise FilterValidationError(
"invalid config: expected boolean value")
return self
def validate(self):
if not self.data.get('tags'):
raise FilterValidationError("Must specify tags")
return self
def validate(self):
for f in self.manager.data.get('filters', ()):
if 'listener' in f.get('type', ()):
return self
raise FilterValidationError(
"modify-listener action requires the listener filter")
def validate(self):
delta = set(self.data.keys()).difference(self.attrs)
delta.remove('type')
if delta:
raise FilterValidationError("Unknown keys %s" % ", ".join(delta))
return self
def validate(self):
if self.data.get('skip-snapshot', False) and self.data.get(
'copy-restore-info'):
raise FilterValidationError(
"skip-snapshot cannot be specified with copy-restore-info")
return self
def validate(self):
if self.data['desired_size'] != 'current':
raise FilterValidationError(
"only resizing desired/min to current capacity is supported")
return self
def validate(self):
if self.data.get('target_region') and self.manager.data.get('mode'):
raise FilterValidationError(
"cross region snapshot may require waiting for "
"longer then lambda runtime allows")
return self
def validate(self):
if self.data.get('key') and self.data.get('tag'):
raise FilterValidationError(
"Can't specify both key and tag, choose one")
return self
def validate(self):
if self.space < 0 or self.space > 15:
raise FilterValidationError("Space must be between 0 and 15")
return self
def validate(self):
if self.space < 0 or self.space > self.max_tag_count:
raise FilterValidationError("Space must be between 0 and %i" %
self.max_tag_count)
return self
def validate(self):
if self.data['data-trail'].get('create'):
if 's3-bucket' not in self.data['data-trail']:
raise FilterValidationError(
"If creating data trails, an s3-bucket is required")
return self
