def lambda_handler_inner(event, context): core_logging = avm_common.get_param("core_logging_account") master_role = avm_common.get_param("tlz_admin_role") ROLE_ARN_LOGGING=f"arn:aws:iam::{core_logging}:role/{master_role}" session_assumed = avm_common.aws_session(role=ROLE_ARN_LOGGING, session_name='logging-services') update_cw_destination_policy(session_assumed,event)
def assume_role_to_target(self, account, role_name, source_session=None): print(f"Assuming {role_name} role for {account}") role_arn = f"arn:aws:iam::{account}:role/{role_name}" session = avm_common.aws_session(role=role_arn, session_name="client_session", source_session=source_session) return session
def lambda_handler_inner(event, context): session_assumed = avm_common.aws_session(role=None, session_name='logging-services') account_id = event["AccountId"] iamclient = session_assumed.client('iam') iamresource = session_assumed.resource('iam') current_account = session_assumed.client('sts').get_caller_identity().get('Account') POLICY_ARN_AVM=f"arn:aws:iam::{current_account}:policy/tlz_accounts_assumerole_policy" versionid = iamclient.get_policy(PolicyArn=POLICY_ARN_AVM) versionid1 = versionid["Policy"]["DefaultVersionId"][1:] previousversion = int(versionid1)-1 versiondelete = "v" + str(previousversion) # Update a new version of the specified managed policy and set as Default policy = iamresource.Policy(POLICY_ARN_AVM) version = policy.default_version policyJson = version.document #policy = json.loads(policyJson) #print() resources = policyJson['Statement'][0]['Resource'] master_role = avm_common.get_param("tlz_admin_role") new_policy = f'arn:aws:iam::{account_id}:role/{master_role}' if new_policy not in resources: print(f"Adding {account_id} to policy resources") policyJson['Statement'][0]['Resource'].append(new_policy) policystring = json.dumps(policyJson) print(policystring) if previousversion > 0: deleteresponse = iamclient.delete_policy_version(PolicyArn=POLICY_ARN_AVM,VersionId=versiondelete) print(deleteresponse) policy_version = policy.create_version(PolicyDocument=policystring,SetAsDefault=True) print(policy_version) else: print(f"{account_id} is already part of existing resources")
def __init__(self, account): self._account = account master_role = avm_common.get_param("tlz_admin_role") self._session = avm_common.aws_session(role=f"arn:aws:iam::{account}:role/{master_role}", session_name='target-account') self._iam = self._session.client('iam') session = boto3.session.Session() dynamodb = session.resource('dynamodb',region_name=aws_region_name) self._ddb_table = dynamodb.Table(DDB_TABLE)
def lambda_handler_inner(event, context): account_id = event["AccountId"] account_details = avm_common.get_account_details(account_id) core_logging = avm_common.get_param("core_logging_account") master_role = avm_common.get_param("tlz_admin_role") primary_region, secondary_region = avm_common.get_regions(account_id) ROLE_ARN_LOGGING = f"arn:aws:iam::{core_logging}:role/{master_role}" session_assumed = avm_common.aws_session(role=ROLE_ARN_LOGGING, session_name='logging-services') s3 = session_assumed.resource('s3') #s3 = session_assumed.client('s3') update_alb_bucket_policy_primary( s3, account_id, f"tlz-alb-access-central-primary-{core_logging}", core_logging, primary_region) update_alb_bucket_policy_secondary( s3, account_id, f"tlz-alb-access-central-secondary-{core_logging}", core_logging, secondary_region)
def lambda_handler_inner(event, context): account_id = event["AccountId"] exec_id = event["execution_id"] session = avm_common.aws_session(session_name="target_account") client = session.client('ssm') response = client.get_automation_execution(AutomationExecutionId=exec_id) failed_steps = [ f for f in response["AutomationExecution"]["StepExecutions"] if f["StepStatus"] == "Failed" ] if len(failed_steps): body = str(failed_steps) sns_topic = avm_common.get_param("sns_topic_arn") sub = f"SSM automation with {exec_id} failed for account {account_id}" avm_common.send_pipeline_notification( account_id, sns_topic, response["AutomationExecution"]["DocumentName"], sub, body) return 200
def process(event, context): # 1. Identify target account VPC ID. # aws ec2 describe-vpcs # Assume role to target_account account_id = event["AccountId"] master_role = avm_common.get_param("tlz_admin_role") primary_region, secondary_region = avm_common.get_regions(account_id) target_session = avm_common.aws_session(role=f"arn:aws:iam::{account_id}:role/{master_role}", session_name='target-account') regions = [secondary_region, primary_region] vpcs = [] for region in regions: print("Processing %s region" %(region)) try: ec2 = target_session.client('ec2', region_name=region) response = ec2.describe_vpcs() v = [ {"VPCId" : x['VpcId'], "VPCRegion" : region} for x in response["Vpcs"]] vpcs.extend(v) except ClientError as e: print(e) except: print("Unexpected error") #print(vpcs) # 2. On core-common-shared-service account (Route 53 Privated Hosted Zone SOA and InfoBlox forwarder), create vpc association authorization. # aws route53 list-hosted-zones (assume the below is the default zone and will not change) core_shared_services = avm_common.get_param("core_shared_services_account") ROLE_ARN_SharedServices=f"arn:aws:iam::{core_shared_services}:role/{master_role}" session_common_shared = avm_common.aws_session(role=ROLE_ARN_SharedServices, session_name='core-shared-services') print("Able to assume role") route53 = session_common_shared.client('route53') zones_response = route53.list_hosted_zones() #print(zones_response) # Get the hosted_zone_id for HostedZone-> aws.spe.sony.com. hosted_zone_ids = [ z['Id'] for z in zones_response['HostedZones'] if "aws.tlz-avm.com" in z['Name']] print(hosted_zone_ids) for x in hosted_zone_ids: for vpc in vpcs: response = route53.create_vpc_association_authorization( HostedZoneId = x, VPC = vpc ) print(json.dumps(response)) print("****** Step : Accept VPC association authorization ******") # 3. On target account, accept vpc association authorization. # aws route53 associate-vpc-with-hosted-zone --hosted-zone-id "/hostedzone/$awsR53PHZ" --vpc VPCRegion=" $awsRegion",VPCId="$targetAccountVPCID" route53_target = target_session.client('route53') for x in hosted_zone_ids: for vpc in vpcs: try: accept_response = route53_target.associate_vpc_with_hosted_zone( HostedZoneId = x, VPC = vpc ) print(json.dumps(accept_response)) except ClientError as e: print(e) except: print("Unknown error") # 4. On core-common-shared-service account, delete vpc assoiciation authorization. # aws route53 delete-vpc-association-authorization --hosted-zone-id "/hostedzone/$awsR53PHZ " --vpc VPCRegion="$awsRegion ",VPCId="$targetAccountVPCID " print("****** Step: Delete VPC association authorization for core shared******") for x in hosted_zone_ids: for vpc in vpcs: delete_response = route53.delete_vpc_association_authorization( HostedZoneId = x, VPC = vpc ) print(json.dumps(delete_response))
def lambda_handler_inner(event, context): master_account = avm_common.get_param("master_payer_account") master_role = avm_common.get_param("tlz_admin_role") org_account_access_role = avm_common.get_param("tlz_org_account_access_role") #print("Received event: " + json.dumps(event, indent=2)) master_role_arn = f"arn:aws:iam::{master_account}:role/{org_account_access_role}" session_local = avm_common.aws_session() current_account = session_local.client('sts').get_caller_identity().get('Account') session_regular = avm_common.aws_session(role=master_role_arn) account_request = {} insert_event = [i for i in event["Records"] if i["eventName"] == "INSERT"] if not len(insert_event): print("ERROR: No account to create") return newImage = insert_event[0]["dynamodb"]["NewImage"] account_request["email"] = newImage["id"]["S"] account_request["account_name"] = newImage["appName"]["S"] account_request["accountType"] = newImage["accountType"]["S"] account_request["accountPrefix"] = newImage["accountPrefix"]["S"] account_request["lob"] = newImage["lob"]["S"] if account_request["accountType"].lower() != "application": account_request["lob"] = account_request["accountType"].title() account_request["env"] = newImage["envType"]["S"] # CloudOps interal variable definition that will be used in certain areas where only prd, npd, sbx or dev are needed if (account_request["env"] == "stg" or account_request["env"] == "qa" or account_request["env"] == "dev"): account_request["intEnvironment"] = "npd" elif (account_request["env"] == "pre-prod" or account_request["env"] == "prd"): account_request["intEnvironment"] = "prd" print(account_request) orgMan = awsOrgManager(session_regular,current_account,master_account,master_role,org_account_access_role) account = orgMan.create_account(account_request) # By now account should have been created if account: target_ou = "Sandbox" # Move the account the target organizational_unit if account_request["accountType"].lower() != "application": target_ou = account_request["accountType"].title() else: if "lob" in account_request.keys(): if account_request["lob"]: target_ou = account_request["lob"] orgMan.move_account(account["id"],target_ou) acc = orgMan._client.describe_account(AccountId=account["id"]) # update account with additional details account["account_request"] = json.dumps(account_request,default=defaultencode) alias = orgMan.get_account_alias(account_request["accountType"],account_request["account_name"],account_request["lob"], account_request["env"], account_request["accountPrefix"] ) account["alias"] = alias account["accountType"] = account_request["accountType"] org = account_request["lob"].title() git_url = avm_common.get_param("tlz_git_url") print(git_url) vended_applications_project = avm_common.get_param("vended_applications_project") vended_baselines_project = avm_common.get_param("vended_baselines_project") if avm_common.resource_workspace_required(account_request["accountType"]): account["app_details"] = json.dumps({'git' : f'{git_url}/{vended_applications_project}/{alias}.git', 'tfe_workspace': f'{alias}-resources'}) account["baseline_details"] = json.dumps({'git' : f'{git_url}/{vended_baselines_project}/{alias}.git', 'tfe_workspace': f'{alias}-baseline'}) else: account["baseline_details"] = json.dumps({'git' : f'{git_url}/{vended_baselines_project}/{alias}.git', 'tfe_workspace': f'{alias}'}) print(account) orgMan.ingest_data(session_local,account) additional_info = {} additional_info["alias"] = alias additional_info["account_type"] = account_request["accountType"] additional_info["org_name"] = account_request["lob"] additional_info["owner"] = newImage["responsible"]["S"] additional_info["environment"] = account_request["env"] additional_info["intEnvironment"] = account_request["env"] additional_info["primaryVpcCidr"] = newImage["primaryVpcCidr"]["S"] additional_info["secondaryVpcCidr"] = newImage["secondaryVpcCidr"]["S"] #for k in newImage.keys(): # additional_info[k] = newImage[k]["S"] #additional_info["account"] = account orgMan.update_org_account_access_role(account["id"]) print("About to call the automation document") orgMan.start_pipeline(session_local, account["id"], additional_info)
def lambda_handler_inner(event, context): core_security = avm_common.get_param("core_security_account") master_role = avm_common.get_param("tlz_admin_role") ROLE_ARN_SECURITY=f"arn:aws:iam::{core_security}:role/{master_role}" session_assumed = avm_common.aws_session(role=ROLE_ARN_SECURITY, session_name='security-services') gd_client = session_assumed.client('ec2', region_name='us-east-1') if core_security == event["AccountId"]: print("No need to send guradduty invites as guardDuty master account cannot be member to itself") return regions = get_regions(gd_client) for region in regions:# print("Processing %s region" %(region)) try: client = session_assumed.client('guardduty', region_name=region) #Find out if GuardDuty already enabled: detectors_list = client.list_detectors() if not detectors_list["DetectorIds"]: print ("GuardDuty is not enabled ... enabling GuardDuty on master account") response = client.create_detector(Enable=True) # Save DetectorID handler DetectorId = response["DetectorId"] else: print("GuardDuty already enabled on account") DetectorId = detectors_list['DetectorIds'][0] # Do error handling here # print all Detectorts detectors_list = client.list_detectors() print ("Detector lists: ") for x in detectors_list["DetectorIds"]: #print(x, end=" ") print(x) account_id = event["AccountId"] account = avm_common.get_account_details(account_id) print(f"id from event : {account_id} id from orgdetails: {account['org_details']['id']}") if account: # invite an account print(account['org_details']) print ("\nInviting member account " + account_id) invite_member = client.create_members( AccountDetails=[ { 'AccountId': account_id, 'Email': account['org_details']["email"] }, ], DetectorId=DetectorId ) gd_members = client.get_members( AccountIds=[ account_id, ], DetectorId=DetectorId ) # the future member account is now staged if gd_members: print(gd_members) print ("Memeber account RelationshipStatus: " + gd_members['Members'][0]['RelationshipStatus']) # Invite members account(s) response = client.invite_members( AccountIds=[ account_id, ], DetectorId=DetectorId, Message='Please join AWS GuardDuty master account' ) gd_members = client.get_members( AccountIds=[ account_id, ], DetectorId=DetectorId ) # the future member account should be 'pending' print ("Memeber account RelationshipStatus: " + gd_members['Members'][0]['RelationshipStatus']) except ClientError as e: send_error_notification(e,account_id) # Enable GuardDuty on target account and accept the invites print(f"About to enable and accept requests for {account_id}") target_session = avm_common.aws_session(role=f"arn:aws:iam::{account_id}:role/{master_role}", session_name='target-account') for region in regions: print("Processing %s region" %(region)) try: client = target_session.client('guardduty', region_name=region) #Find out if GuardDuty already enabled: detectors_list = client.list_detectors() if not detectors_list["DetectorIds"]: print (f"GuardDuty is not enabled ... enabling GuardDuty on {account_id} account") response = client.create_detector(Enable=True) # Save DetectorID handler DetectorId = response["DetectorId"] else: print(f"GuardDuty already enabled on account {account_id}") DetectorId = detectors_list['DetectorIds'][0] # accept the invites response = client.list_invitations(MaxResults=10) if response: invites = [i for i in response['Invitations']] for i in invites: r = client.accept_invitation(DetectorId=DetectorId,InvitationId=i["InvitationId"],MasterId=i["AccountId"]) except ClientError as e: body = f"Unexpected error : {e}" print(body) send_error_notification(e,account_id)
def process(event, context): """ Do the work.. Order of operation: 1.) Delete the internet gateway 2.) Delete subnets 3.) Delete route tables 4.) Delete network access lists 5.) Delete security groups 6.) Delete the VPC """ account_id = event["AccountId"] master_role = avm_common.get_param("tlz_admin_role") ROLE_ARN = f"arn:aws:iam::{account_id}:role/{master_role}" region_name = os.getenv('AWS_REGION') session = avm_common.aws_session(role=ROLE_ARN, session_name="target_account") ec2_client = session.client('ec2', region_name=region_name) regions = get_regions(ec2_client) #regions = ["us-west-2"] for region in regions: # ec2_client = session.client('ec2', region_name=region) ec2_client = session.client('ec2', region_name=region) try: attribs = ec2_client.describe_account_attributes( AttributeNames=['default-vpc'])['AccountAttributes'] except ClientError as e: print(e.response['Error']['Message']) return else: vpc_id = attribs[0]['AttributeValues'][0]['AttributeValue'] if vpc_id == 'none': print( 'VPC (default) was not found in the {} region.'.format(region)) continue # Are there any existing resources? Since most resources attach an ENI, let's check.. args = {'Filters': [{'Name': 'vpc-id', 'Values': [vpc_id]}]} try: eni = ec2_client.describe_network_interfaces( **args)['NetworkInterfaces'] except ClientError as e: print(e.response['Error']['Message']) return if eni: print('VPC {} has existing resources in the {} region.'.format( vpc_id, region)) continue result = delete_igw(ec2_client, vpc_id) result = delete_subs(ec2_client, args) result = delete_rtbs(ec2_client, args) result = delete_acls(ec2_client, args) result = delete_sgps(ec2_client, args) result = delete_vpc(ec2_client, vpc_id, region) return