def setup_subscriptions(account_id, environment_id, trails_configuration, sourceAccountSession, targetAccountSession):
prefix = "Setting up CloudTrails subscriptions for environment %s:" % environment_id
regions = trails_configuration.keys()
if not len(regions): return trails_configuration
progress = Progress(
len(regions),
prefix + "\t\t")
for region in regions:
trail = trails_configuration.pop(region)
try:
trails_configuration[region] = aws_setup_subscription(
account_id,
environment_id,
trail,
sourceAccountSession,
targetAccountSession,
progress)
except Exception as e:
print "Error: %s" % (e)
# details = e.args[0]
# trails_configuration[u'invalid_trails'][region] = details['reason']
progress.report()
progress.done()
return trails_configuration
def main():
args = get_user_input()
targetAccountSession = args.profile and boto3.session.Session(profile_name = args.profile) or None
sourceAccountSession = args.source_profile and boto3.session.Session(profile_name = args.source_profile) or None
#
# Connect to CloudInsight
#
ci = CI_API(args.user, args.password, account_id = args.account, locality = args.locality)
print "Successfully logged in into CloudInsight. Account: %s(%s), User: %s" % \
(ci.auth_account_name, ci.auth_account_id, ci.auth_user_name)
#
# Load configuration file
#
config = {}
environments = []
with open(args.config) as data_file:
config = json.load(data_file)
if u'role' not in config:
raise Exception("Missing 'role' attribute in '%s' configuration file" % (args.config))
if u'external_id' not in config:
raise Exception("Missing 'external_id' attribute in '%s' configuration file" % (args.config))
if u'trails' not in config and u'regions' not in config :
raise Exception("Missing 'trails' and 'regions' configuration in '%s' configuration file" % (args.config))
role_arn = config[u'role']
external_id = config[u'external_id']
if u'environments' in config:
environments = config[u'environments']
elif u'aws_account_id' in config:
environments = ci.get_environments(config[u'aws_account_id'])
#
# Get CloudInsight Credential ID for the specified role
#
credential_id = get_credential(ci, role_arn, external_id)[u'credential'][u'id']
print "Obtained credential id for '%s' role" % (role_arn)
#
# Get sources for environments specified in the configuration file
#
sources = []
trails = {}
progress = Progress(
len(config[u'regions']),
"Validating configuration.\t\t\t\t\t\t\t\t\t\t")
for region_name, region_config in config[u'regions'].iteritems():
progress.report()
if region_config[u'type'] == u'queue':
if not u'queue' in region_config:
raise Exception("Invalid config file. 'queue' property is missing for '%s' region" % region_name)
if targetAccountSession and not validate_queue(region_name, region_config[u'queue'], targetAccountSession):
raise Exception("Invalid config file. '%s' queue doesn't exist in '%s' region in '%s' AWS Account." %\
(region_config[u'queue'], region_name, get_account_id(targetAccountSession) ) )
bucket_region = u'bucket_region' in region_config and region_config[u'bucket_region'] or u'us-east-1'
for environment_id in environments:
result = ci.get_sources(environment_id = environment_id, region = region_name)
sources.append(update_source_config(
len(result) and result[0] or None,
ci.account_id,
environment_id,
region_name,
credential_id = credential_id,
bucket_region = bucket_region,
queue = get_queue_name(region_config[u'queue'])))
elif region_config[u'type'] == u'trail':
if u'trail' not in region_config or not region_config[u'trail']:
raise Exception("Invalid config file. 'trail' property is missing '%s' region" % region_name)
trail = get_cloud_trail_configuration(
region_name,
region_config[u'trail'],
sourceAccountSession,
targetAccountSession)
if trail:
trails[region_name] = trail
progress.done()
#
# Setup CloudTrail subscriptions
#
for environment_id in environments:
trails_configuration = setup_subscriptions(
args.account,
environment_id,
trails,
sourceAccountSession,
targetAccountSession)
for region_name, trail_configuration in trails_configuration.iteritems():
result = ci.get_sources(environment = environment_id, region = region_name)
sources.append(update_source_config(
len(result) and result[0] or None,
ci.account_id,
environment_id,
region_name,
credential_id = credential_id,
bucket_region = trail_configuration[u'bucket_region'],
queue = trail_configuration[u'sqs_queue_name']))
#
# Create CloudInsight sources
#
for source in sources:
print "Updating '%s' source in '%s' environment." %\
(source[u'source'][u'name'], source[u'source'][u'environment'])
ci.create_source(source)
print "Successfully updated CloudInsight configuration."
print_instructions(role_arn)
