def isValidTarget(ctx,policyName, targetRegion, targetEnv, targetService, targetPolicy): if targetPolicy != None and policyName != targetPolicy: return False region, env, service = utils.regionEnvAndRole(policyName) if targetRegion != None and region != targetRegion: return False if targetEnv != None and env != targetEnv: return False if targetService != None and service != targetService: return False return True
def isRoleInModel(ctx, roleName): try: region, env, _ = utils.regionEnvAndRole(roleName) if env not in ctx.model['roles'][region]: return False else: if roleName not in ctx.model['roles'][region][env]: return False else: return True except: return False
def updateAWSRoles(ctx, targetRegion, targetEnv, targetRole): for role in ctx.currentRoles: roleName = role['RoleName'] if targetRole != None and roleName != targetRole: continue region, env, _ = utils.regionEnvAndRole(roleName) if targetRegion != None and region != targetRegion: continue if targetEnv != None and env != targetEnv: continue if not isRoleInModel(ctx, roleName): aws_roles.deleteRole(ctx,roleName)
def showRoles(ctx, targetRegion, targetEnv, targetRole): for role in ctx.currentRoles: roleName = role['RoleName'] if targetRole != None and roleName != targetRole: continue region, env, _ = utils.regionEnvAndRole(roleName) if targetRegion != None and region != targetRegion: continue if targetEnv != None and env != targetEnv: continue attached = aws_roles.getAttachedPolicies(ctx, roleName) ctx.log('Role: %s: %d attached policies:' % (roleName, len(attached))) for policyName in attached: policyDoc = csm_policies.getAWSPolicyDocument(ctx,policyName) utils.showPolicyJson(ctx, policyName, ctx.dumps(policyDoc), 15, 120) ctx.log('')
def compareAWSRoles(ctx, targetRegion, targetEnv, targetRole): extraRoles = [] for role in ctx.currentRoles: roleName = role['RoleName'] if targetRole != None and roleName != targetRole: continue region, env, _ = utils.regionEnvAndRole(roleName) if targetRegion != None and region != targetRegion: continue if targetEnv != None and env != targetEnv: continue if not isRoleInModel(ctx, roleName): extraRoles.append(roleName) if len(extraRoles) > 0: ctx.log('AWS Roles NOT in Model:', fg='cyan') for roleName in extraRoles: ctx.log(' %s' % roleName)
def getAllRoles(ctx): iam = ctx.iam if ctx.env == None: mps = iam.list_roles() else: mps = iam.list_roles(PathPrefix="/%s/%s" % (ctx.region, ctx.env)) ctx.currentRoles.extend(mps["Roles"]) while mps["IsTruncated"]: mps = iam.list_roles(Marker=mps["Marker"]) ctx.currentRoles.extend(mps["Roles"]) for role in ctx.currentRoles: if role["Path"] == "/": try: region, env, rolePart = utils.regionEnvAndRole(role["RoleName"]) _, path = utils.nameAndPath(region, env, rolePart) role["Path"] = path except: pass
def createRole(ctx, roleName): iam = ctx.iam if ctx.currentRoles == None: ctx.vlog("createRole: Roles must be fetched first") return assumeRolePolicyDocument = '{"Statement": [{"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Sid": "", "Effect": "Allow"}], "Version": "2012-10-17"}' if ctx.dry_run: ctx.log( "create_role(Path=%s, RoleName=%s,AssumeRolePolicyDocument=%s)" % (path, roleName, assumeRolePolicyDocument) ) return # Create roles region, env, role = utils.regionEnvAndRole(roleName) path = "/%s/%s/%s/" % (region, env, role) # Attach role to instance profile msp = iam.create_role(Path=path, RoleName=roleName, AssumeRolePolicyDocument=assumeRolePolicyDocument) if msp["ResponseMetadata"]["HTTPStatusCode"] != 200: ctx.log("createRole Error: create_role returned %d" % msp["ResponseMetadata"]["HTTPStatusCode"]) return ctx.audit("Created role: %s" % roleName) msp2 = iam.create_instance_profile(InstanceProfileName=roleName) if msp2["ResponseMetadata"]["HTTPStatusCode"] != 200: ctx.log("createRole Error: create_role returned %d" % msp2["ResponseMetadata"]["HTTPStatusCode"]) return ctx.audit("Created instance profile: %s" % roleName) msp3 = iam.add_role_to_instance_profile(InstanceProfileName=roleName, RoleName=roleName) if msp3["ResponseMetadata"]["HTTPStatusCode"] != 200: ctx.log("createRole Error: create_role returned %d" % msp3["ResponseMetadata"]["HTTPStatusCode"]) return ctx.audit("Attached role %s to instance profile: %s" % (roleName, roleName)) ctx.vlog("Role created: %s" % msp["Role"]["Arn"]) ctx.currentRoles.append(msp["Role"])
def showInstanceProfiles(ctx, targetRegion, targetEnv, targetRole, targetProfileName, targetId, show_instances): instanceProfiles,instanceProfileByProfileId = aws_profiles.getAllInstanceProfiles(ctx) if show_instances: instances, instancesByProfileId = aws_instances.getInstances(ctx, targetRegion, targetEnv ) for profile in instanceProfiles: profileName = profile['InstanceProfileName'] profileId = profile['InstanceProfileId'] if targetProfileName != None and profileName != targetProfileName: continue if targetId != None and profileId != targetId: continue region, env, role = utils.regionEnvAndRole(profileName) if targetRegion != None and region != targetRegion: continue if targetEnv != None and env != targetEnv: continue if targetRole != None and role != targetRole: continue ctx.log('Profile Name: %s Profile ID: %s' % (profileName, profileId)) ctx.log(' Attached Roles:') for role in profile['Roles']: ctx.log(' %s' % (role['RoleName'])) if not show_instances: continue if profileId in instancesByProfileId: ctx.log(' Attached Instances:') for instance in instancesByProfileId[profileId]: fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName') ctx.log(' %s' % (fullName)) else: ctx.log(' No Attached Instances:') ctx.log('\n') if not show_instances: return if 'NO_INSTANCE_PROFILE' in instancesByProfileId: ctx.log('The following instances have no profile id') for instance in instancesByProfileId['NO_INSTANCE_PROFILE']: fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName') state = instance['State']['Name'] ctx.log(' %-30s State: %s' % (fullName, state)) else: ctx.log('All instances have a profile id') badIds = [] for instance in instances: if 'IamInstanceProfile' not in instance: continue profileId = instance['IamInstanceProfile']['Id'] if profileId not in instanceProfileByProfileId: fullName = aws_instances.getTag(ctx,instance['Tags'], 'FullName') state = instance['State']['Name'] badIds.append({'fullName':fullName,'state':state, 'profileId':profileId}) if len(badIds) > 0: ctx.log('\nThe following instances have a bad profile id') for entry in badIds: ctx.log(' Instance: %-25s State: %-10s Profile ID: %s' % (entry['fullName'], entry['state'], entry['profileId'])) else: ctx.log('\nAll instances have a valid profile id')