def get_cognito_user_info_by_user_name(trace_id, user_name,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# get user_pool
try:
client = boto3.client("cognito-idp")
except ClientError as e:
raise common_utils.write_log_exception(e, logger)
user_pool_id = os.environ.get("COGNITO_USER_POOL_ID")
try:
user_info = client.admin_get_user(
UserPoolId=user_pool_id,
Username=user_name)
except ClientError as e:
if e.response['Error']['Code'] == CommonConst.COGNITO_USER_NOT_FOUND_EXCEPTION:
return None
raise common_utils.write_log_exception(e, logger)
logger.info("End : get cognito users info success")
return user_info
def process_admin_create_user_pools(
trace_id,
user_name,
user_attributes,
temporary_password,
message_action):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# get client cognito
try:
client = boto3.client("cognito-idp")
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
user_pool_id = os.environ.get("COGNITO_USER_POOL_ID")
try:
user_info = client.admin_create_user(
UserPoolId=user_pool_id,
Username=user_name,
TemporaryPassword=temporary_password,
UserAttributes=user_attributes,
MessageAction=message_action)
except Exception as e:
raise common_utils.write_log_exception(e, pm_logger)
pm_logger.info("End : create cognito users success")
return user_info
def send_email(trace_id, region_name, sender, bcc, subject, body):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
client = boto3.client(
service_name='ses', region_name=region_name)
except ClientError as e:
pm_logger.error("[%s] SESクライアント作成に失敗しました。", region_name)
raise common_utils.write_log_exception(e, pm_logger)
try:
response = client.send_email(
Source=sender,
Destination={
'BccAddresses': bcc
},
Message={
'Subject': {
'Data': subject,
'Charset': 'UTF-8'
},
'Body': {
'Text': {
'Data': body,
'Charset': 'UTF-8'
}
}
}
)
if response['ResponseMetadata']['HTTPStatusCode'] != 200:
raise PmError()
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
def list_entities_for_policy(trace_id, session, aws_account, policy_arn):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# 対象AWSアカウントに対する接続を作成します。
try:
client = session.client(service_name="iam")
except ClientError as e:
pm_logger.error("[%s] IAMクライアント作成に失敗しました。", aws_account)
raise common_utils.write_log_exception(e, pm_logger)
try:
response = client.list_entities_for_policy(PolicyArn=policy_arn)
if (len(response) == 0):
return []
policy_groups = response['PolicyGroups']
policy_users = response['PolicyUsers']
policy_roles = response['PolicyRoles']
is_truncated = response['IsTruncated']
while (is_truncated is True):
marker = response['Marker']
response = client.list_entities_for_policy(PolicyArn=policy_arn,
Marker=marker)
policy_groups.extend(response['PolicyGroups'])
policy_users.extend(response['PolicyUsers'])
policy_roles.extend(response['PolicyRoles'])
is_truncated = response['IsTruncated']
except ClientError as e:
pm_logger.error("[%s]ポリシーエンティティ情報の取得に失敗しました。(%s)", aws_account,
policy_arn)
raise common_utils.write_log_exception(e, pm_logger)
list_entities_for_policy = {}
list_entities_for_policy['PolicyGroups'] = policy_groups
list_entities_for_policy['PolicyUsers'] = policy_users
list_entities_for_policy['PolicyRoles'] = policy_roles
return list_entities_for_policy
def get_list_buckets(trace_id, check_history_id, organization_id, project_id,
s3_client, aws_account):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
s3_file_name = CommonConst.PATH_CHECK_RAW.format(
check_history_id, organization_id, project_id, aws_account,
"ASC/S3_ListBuckets.json")
# リソース情報取得
if (aws_common.check_exists_file_s3(trace_id, "S3_CHECK_BUCKET",
s3_file_name)) is True:
try:
list_buckets = FileUtils.read_json(trace_id, "S3_CHECK_BUCKET",
s3_file_name)
except PmError as e:
raise common_utils.write_log_exception(e, pm_logger)
else:
# S3バケット一覧を取得します。
try:
list_buckets = S3Utils.list_buckets(trace_id, s3_client,
aws_account)
except PmError as e:
raise common_utils.write_log_exception(e, pm_logger)
# S3バケット一覧情報をS3に保存します。
try:
FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET", list_buckets,
s3_file_name)
except PmError as e:
pm_logger.error("[%s] S3バケット一覧情報のS3保存に失敗しました。", aws_account)
raise common_utils.write_log_exception(e, pm_logger)
return list_buckets
def get_list_policies(trace_id, session, awsaccount):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# 対象AWSアカウントに対する接続を作成します。
try:
client = session.client(service_name="iam")
except ClientError as e:
pm_logger.error("[%s] IAMクライアント作成に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
# IAMのアカウントパスワードポリシー情報を取得します。
policies = []
try:
response = client.list_policies()
if common_utils.check_key("Policies", response):
policies = response["Policies"]
# AWS SDKを用いて複数件のリソース情報取得を行う際の注意事項
is_truncated = response['IsTruncated']
while (is_truncated is True):
marker = response['Marker']
response = client.list_policies(Marker=marker)
policies.extend(response['Policies'])
is_truncated = response['IsTruncated']
except ClientError as e:
pm_logger.error("[%s] ポリシー一覧情報の取得に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
# return data
return policies
def get_credential_report(trace_id, session, awsaccount):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# 対象AWSアカウントに対する接続を作成します。
try:
client = session.client(service_name="iam")
except ClientError as e:
pm_logger.error("[%s] IAMクライアント作成に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
# IAMユーザーのCredentialReportを取得します。
try:
result = client.generate_credential_report()
while (result['State'] != 'COMPLETE'):
time.sleep(2)
result = client.generate_credential_report()
credential_report = client.get_credential_report()
except ClientError as e:
pm_logger.error("[%s] CredentialReportの取得に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
# return data
if common_utils.check_key("Content", credential_report):
return str(credential_report['Content'].decode())
return []
def sqs_delete_message(trace_id, queue_url, receipt_handle):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
client = boto3.client("sqs")
client.delete_message(
QueueUrl=queue_url,
ReceiptHandle=receipt_handle
)
pm_logger.info("End : delete message queue success")
except ClientError as e:
common_utils.write_log_exception(e, pm_logger, True)
def submit_job(trace_id,
job_name,
job_queue,
depends_on,
job_definition,
parameters,
container_overrides,
max_retry,
is_cw_logger=False):
frame = inspect.currentframe()
params = common_utils.get_params_function(frame)
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__, frame)
else:
logger = common_utils.begin_logger(trace_id, __name__, frame)
job_id = []
aws_batch_job_submit = os.getenv('AWS_BATCH_JOB_SUBMIT', 'ON')
if aws_batch_job_submit == 'OFF':
job_id = [
{
'jobId': str(uuid.uuid4())
}
]
return common_utils.response(job_id, logger), params
try:
client = boto3.client('batch')
except ClientError as e:
raise common_utils.write_log_exception(e, logger)
try:
response = client.submit_job(
jobName=job_name,
jobQueue=job_queue,
dependsOn=depends_on,
jobDefinition=job_definition,
parameters=parameters,
containerOverrides=container_overrides,
retryStrategy={
'attempts': int(max_retry)
}
)
job_id = [
{
'jobId': response['jobId']
},
]
logger.info("End : submit job success")
except ClientError as e:
raise common_utils.write_log_exception(e, logger)
return common_utils.response(job_id, logger), params
def describe_security_groups(trace_id, awsaccount, ec2_client, region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
security_groups = []
try:
response = ec2_client.describe_security_groups()
if common_utils.check_key("SecurityGroups", response):
security_groups = response["SecurityGroups"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = ec2_client.describe_security_groups(
NextToken=next_token)
security_groups.extend(response['SecurityGroups'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
pm_logger.error("[%s/%s] セキュリティグループ情報の取得に失敗しました。", awsaccount,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
return security_groups
def describe_volumes(trace_id,
awsaccount,
ec2_client,
region_name,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
ebs_volumes = []
try:
response = ec2_client.describe_volumes()
if common_utils.check_key("Volumes", response):
ebs_volumes = response["Volumes"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = ec2_client.describe_volumes(NextToken=next_token)
ebs_volumes.extend(response['Volumes'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
logger.error("[%s/%s] EBSボリューム情報の取得に失敗しました。", awsaccount, region_name)
raise common_utils.write_log_exception(e, logger)
return ebs_volumes
def sqs_receive_message(trace_id):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
queue_url = os.environ.get("SQS_ORGANIZATION_QUEUE")
try:
client = boto3.client("sqs")
response = client.receive_message(
QueueUrl=queue_url,
MaxNumberOfMessages=10
)
messages = None
if (common_utils.check_key('Messages', response)):
messages = common_utils.response(response['Messages'], pm_logger)
return common_utils.response(messages, pm_logger)
except ClientError as e:
common_utils.write_log_exception(e, pm_logger, True)
def get_bucket_encryption(trace_id, s3_client, bucket, aws_account,
region_name, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
bucket_encryption = []
try:
result = s3_client.get_bucket_encryption(Bucket=bucket)
except ClientError as e:
if e.response["Error"]["Code"] == CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR:
logger.info("[%s]S3バケット暗号化情報がありません。(%s/%s)", aws_account,
region_name, bucket)
raise PmError(cause_error=e)
elif e.response['Error']['Code'] in CommonConst.S3_SKIP_EXCEPTION:
logger.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s/%s)",
aws_account, region_name, bucket)
raise common_utils.write_log_warning(e, logger)
else:
logger.error("[%s]S3バケット暗号化情報の取得に失敗しました。(%s/%s)", aws_account,
region_name, bucket)
raise common_utils.write_log_exception(e, logger)
if common_utils.check_key("ServerSideEncryptionConfiguration", result):
if common_utils.check_key("Rules", result["ServerSideEncryptionConfiguration"]):
bucket_encryption = result["ServerSideEncryptionConfiguration"]["Rules"]
return bucket_encryption
def get_regions(trace_id, session=None,
filter_describe_regions=CommonConst.FILTER_DESCRIBE_REGIONS,
all_regions=True, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
if session:
ec2_client = session.client('ec2')
else:
ec2_client = boto3.client('ec2')
if filter_describe_regions is not None and all_regions is not None:
response = ec2_client.describe_regions(
Filters=filter_describe_regions, AllRegions=all_regions)
elif filter_describe_regions is not None:
response = ec2_client.describe_regions(
Filters=filter_describe_regions)
elif all_regions is not None:
response = ec2_client.describe_regions(
AllRegions=all_regions)
else:
response = ec2_client.describe_regions()
except ClientError as e:
raise common_utils.write_log_exception(e, logger)
return response['Regions']
def lambda_invoke(trace_id, function_name, query, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
client = boto3.client('lambda')
client.invoke(
FunctionName=function_name,
InvocationType='Event',
Payload=query
)
logger.info("End : call function lambda success")
except ClientError as e:
common_utils.write_log_exception(e, logger, True)
def get_account_summary(trace_id, session, aws_account):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# 対象AWSアカウントに対する接続を作成します。
try:
client = session.client(service_name="iam")
except ClientError as e:
pm_logger.error("[%s] IAMクライアント作成に失敗しました。", aws_account)
raise common_utils.write_log_exception(e, pm_logger)
try:
response = client.get_account_summary()
except ClientError as e:
pm_logger.error("[%s] アカウントサマリーの取得に失敗しました。", aws_account)
raise common_utils.write_log_exception(e, pm_logger)
if common_utils.check_key("SummaryMap", response):
return response['SummaryMap']
return []
def get_cloud_front_client(trace_id, session, aws_account):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
cloud_front_client = session.client(service_name="cloudfront")
except ClientError as e:
pm_logger.error("[%s] CloudFrontクライアント作成に失敗しました。", aws_account)
raise common_utils.write_log_exception(e, pm_logger)
return cloud_front_client
def get_log_stream_name(trace_id, jobId):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
batch = boto3.client(
service_name='batch',
region_name='ap-northeast-1',
endpoint_url='https://batch.ap-northeast-1.amazonaws.com')
result = batch.describe_jobs(jobs=[jobId])
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
try:
log_stream_name = result['jobs'][0]['container']['logStreamName']
except KeyError as e:
raise common_utils.write_log_exception(e, pm_logger)
return log_stream_name
def get_step_functions_client(trace_id):
cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
try:
step_functions_client = boto3.client('stepfunctions')
except ClientError as e:
cw_logger.error("Step Functionsクライアント作成に失敗しました。")
raise common_utils.write_log_exception(e, cw_logger)
return step_functions_client
def update_cognito_user_attributes(trace_id, user_name, attributes_update):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
client = boto3.client("cognito-idp")
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
user_pool_id = os.environ.get("COGNITO_USER_POOL_ID")
try:
response = client.admin_update_user_attributes(
UserPoolId=user_pool_id,
Username=user_name,
UserAttributes=attributes_update)
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
pm_logger.info("End : Update cognito users success")
return response
def delete_cognito_user_by_user_name(trace_id, user_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# get client cognito
try:
client = boto3.client("cognito-idp")
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
# delete cognito user
user_pool_id = os.environ.get("COGNITO_USER_POOL_ID")
try:
client.admin_delete_user(
UserPoolId=user_pool_id,
Username=user_name)
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
pm_logger.info("End : delete cognito user success")
def toDate(strDate, time_zone=None):
pm_logger = common_utils.begin_logger(None, __name__,
inspect.currentframe())
try:
date = parse(strDate)
if time_zone is not None:
date = date.replace(tzinfo=timezone(time_zone))
except Exception as e:
raise common_utils.write_log_exception(e, pm_logger)
return date
def get_trail_client(trace_id, session, region_name, awsaccount):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
trail_client = session.client(
service_name="cloudtrail", region_name=region_name)
except ClientError as e:
pm_logger.error("[%s] CloudTrailクライアント作成に失敗しました。 ", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
return trail_client
def get_kms_client(trace_id, awsaccount, session, region_name):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
kms_client = session.client(service_name="kms",
region_name=region_name)
except ClientError as e:
pm_logger.error("[%s] KMSクライアント作成に失敗しました。", awsaccount)
raise common_utils.write_log_exception(e, pm_logger)
return kms_client
def get_logs_client(trace_id, session, region_name, aws_account):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
logs_client = session.client(service_name="logs", region_name=region_name)
except ClientError as e:
pm_logger.error("[%s/%s] CloudWatch Logsクライアント作成に失敗しました。", aws_account,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
return logs_client
def generate_presigned_url(trace_id, bucket, key, expire_time=3600):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
url = None
try:
client = boto3.client('s3')
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
try:
url = client.generate_presigned_url(
ClientMethod='get_object',
Params={'Bucket': bucket,
'Key': key},
ExpiresIn=expire_time)
pm_logger.info("End : Get url success")
except ClientError as e:
raise common_utils.write_log_exception(e, pm_logger)
return url
def get_distribution(trace_id, cloud_front_client, distributions_id,
aws_account):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
response = cloud_front_client.get_distribution(Id=distributions_id)
except ClientError as e:
pm_logger.error("[%s] ディストリビューション情報取得に失敗しました。(%s)", aws_account,
distributions_id)
raise common_utils.write_log_exception(e, pm_logger)
return response['Distribution']
def get_config_client(trace_id, session, region_name, awsaccount):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
config_client = session.client(service_name='config',
region_name=region_name)
except ClientError as e:
pm_logger.error("[%s/%s] Configクライアント作成に失敗しました。", awsaccount,
region_name)
raise common_utils.write_log_exception(e, pm_logger)
return config_client
def aws_sns(trace_id, subject, message, topic_arn, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# connect sns
try:
client = boto3.client("sns")
except ClientError as e:
raise common_utils.write_log_exception(e, logger)
try:
# Publish a message.
client.publish(
Subject=subject, Message=message, TopicArn=topic_arn)
logger.info("End : send message to sns success")
except ClientError as e:
common_utils.write_log_exception(e, logger, True)
def send_message_slack(trace_id, webhook_url, data_json):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
headers = {'Content-Type': 'application/json', 'Charset': 'utf-8'}
try:
req = request.Request(webhook_url,
data=data_json.encode('utf-8'),
headers=headers)
request.urlopen(req)
except Exception as e:
raise common_utils.write_log_exception(e, pm_logger)
