def lambda_handler_inner(event, context):
core_logging = avm_common.get_param("core_logging_account")
master_role = avm_common.get_param("tlz_admin_role")
ROLE_ARN_LOGGING=f"arn:aws:iam::{core_logging}:role/{master_role}"
session_assumed = avm_common.aws_session(role=ROLE_ARN_LOGGING, session_name='logging-services')
update_cw_destination_policy(session_assumed,event)
def assume_role_to_target(self, account, role_name, source_session=None):
print(f"Assuming {role_name} role for {account}")
role_arn = f"arn:aws:iam::{account}:role/{role_name}"
session = avm_common.aws_session(role=role_arn,
session_name="client_session",
source_session=source_session)
return session
def lambda_handler_inner(event, context):
session_assumed = avm_common.aws_session(role=None, session_name='logging-services')
account_id = event["AccountId"]
iamclient = session_assumed.client('iam')
iamresource = session_assumed.resource('iam')
current_account = session_assumed.client('sts').get_caller_identity().get('Account')
POLICY_ARN_AVM=f"arn:aws:iam::{current_account}:policy/tlz_accounts_assumerole_policy"
versionid = iamclient.get_policy(PolicyArn=POLICY_ARN_AVM)
versionid1 = versionid["Policy"]["DefaultVersionId"][1:]
previousversion = int(versionid1)-1
versiondelete = "v" + str(previousversion)
# Update a new version of the specified managed policy and set as Default
policy = iamresource.Policy(POLICY_ARN_AVM)
version = policy.default_version
policyJson = version.document
#policy = json.loads(policyJson)
#print()
resources = policyJson['Statement'][0]['Resource']
master_role = avm_common.get_param("tlz_admin_role")
new_policy = f'arn:aws:iam::{account_id}:role/{master_role}'
if new_policy not in resources:
print(f"Adding {account_id} to policy resources")
policyJson['Statement'][0]['Resource'].append(new_policy)
policystring = json.dumps(policyJson)
print(policystring)
if previousversion > 0:
deleteresponse = iamclient.delete_policy_version(PolicyArn=POLICY_ARN_AVM,VersionId=versiondelete)
print(deleteresponse)
policy_version = policy.create_version(PolicyDocument=policystring,SetAsDefault=True)
print(policy_version)
else:
print(f"{account_id} is already part of existing resources")
def __init__(self, account):
self._account = account
master_role = avm_common.get_param("tlz_admin_role")
self._session = avm_common.aws_session(role=f"arn:aws:iam::{account}:role/{master_role}", session_name='target-account')
self._iam = self._session.client('iam')
session = boto3.session.Session()
dynamodb = session.resource('dynamodb',region_name=aws_region_name)
self._ddb_table = dynamodb.Table(DDB_TABLE)
def lambda_handler_inner(event, context):
account_id = event["AccountId"]
account_details = avm_common.get_account_details(account_id)
core_logging = avm_common.get_param("core_logging_account")
master_role = avm_common.get_param("tlz_admin_role")
primary_region, secondary_region = avm_common.get_regions(account_id)
ROLE_ARN_LOGGING = f"arn:aws:iam::{core_logging}:role/{master_role}"
session_assumed = avm_common.aws_session(role=ROLE_ARN_LOGGING,
session_name='logging-services')
s3 = session_assumed.resource('s3')
#s3 = session_assumed.client('s3')
update_alb_bucket_policy_primary(
s3, account_id, f"tlz-alb-access-central-primary-{core_logging}",
core_logging, primary_region)
update_alb_bucket_policy_secondary(
s3, account_id, f"tlz-alb-access-central-secondary-{core_logging}",
core_logging, secondary_region)
def lambda_handler_inner(event, context):
account_id = event["AccountId"]
exec_id = event["execution_id"]
session = avm_common.aws_session(session_name="target_account")
client = session.client('ssm')
response = client.get_automation_execution(AutomationExecutionId=exec_id)
failed_steps = [
f for f in response["AutomationExecution"]["StepExecutions"]
if f["StepStatus"] == "Failed"
]
if len(failed_steps):
body = str(failed_steps)
sns_topic = avm_common.get_param("sns_topic_arn")
sub = f"SSM automation with {exec_id} failed for account {account_id}"
avm_common.send_pipeline_notification(
account_id, sns_topic,
response["AutomationExecution"]["DocumentName"], sub, body)
return 200
def process(event, context):
# 1. Identify target account VPC ID.
# aws ec2 describe-vpcs
# Assume role to target_account
account_id = event["AccountId"]
master_role = avm_common.get_param("tlz_admin_role")
primary_region, secondary_region = avm_common.get_regions(account_id)
target_session = avm_common.aws_session(role=f"arn:aws:iam::{account_id}:role/{master_role}", session_name='target-account')
regions = [secondary_region, primary_region]
vpcs = []
for region in regions:
print("Processing %s region" %(region))
try:
ec2 = target_session.client('ec2', region_name=region)
response = ec2.describe_vpcs()
v = [ {"VPCId" : x['VpcId'], "VPCRegion" : region} for x in response["Vpcs"]]
vpcs.extend(v)
except ClientError as e:
print(e)
except:
print("Unexpected error")
#print(vpcs)
# 2. On core-common-shared-service account (Route 53 Privated Hosted Zone SOA and InfoBlox forwarder), create vpc association authorization.
# aws route53 list-hosted-zones (assume the below is the default zone and will not change)
core_shared_services = avm_common.get_param("core_shared_services_account")
ROLE_ARN_SharedServices=f"arn:aws:iam::{core_shared_services}:role/{master_role}"
session_common_shared = avm_common.aws_session(role=ROLE_ARN_SharedServices, session_name='core-shared-services')
print("Able to assume role")
route53 = session_common_shared.client('route53')
zones_response = route53.list_hosted_zones()
#print(zones_response)
# Get the hosted_zone_id for HostedZone-> aws.spe.sony.com.
hosted_zone_ids = [ z['Id'] for z in zones_response['HostedZones'] if "aws.tlz-avm.com" in z['Name']]
print(hosted_zone_ids)
for x in hosted_zone_ids:
for vpc in vpcs:
response = route53.create_vpc_association_authorization(
HostedZoneId = x,
VPC = vpc
)
print(json.dumps(response))
print("****** Step : Accept VPC association authorization ******")
# 3. On target account, accept vpc association authorization.
# aws route53 associate-vpc-with-hosted-zone --hosted-zone-id "/hostedzone/$awsR53PHZ" --vpc VPCRegion=" $awsRegion",VPCId="$targetAccountVPCID"
route53_target = target_session.client('route53')
for x in hosted_zone_ids:
for vpc in vpcs:
try:
accept_response = route53_target.associate_vpc_with_hosted_zone(
HostedZoneId = x,
VPC = vpc
)
print(json.dumps(accept_response))
except ClientError as e:
print(e)
except:
print("Unknown error")
# 4. On core-common-shared-service account, delete vpc assoiciation authorization.
# aws route53 delete-vpc-association-authorization --hosted-zone-id "/hostedzone/$awsR53PHZ " --vpc VPCRegion="$awsRegion ",VPCId="$targetAccountVPCID "
print("****** Step: Delete VPC association authorization for core shared******")
for x in hosted_zone_ids:
for vpc in vpcs:
delete_response = route53.delete_vpc_association_authorization(
HostedZoneId = x,
VPC = vpc
)
print(json.dumps(delete_response))
def lambda_handler_inner(event, context):
master_account = avm_common.get_param("master_payer_account")
master_role = avm_common.get_param("tlz_admin_role")
org_account_access_role = avm_common.get_param("tlz_org_account_access_role")
#print("Received event: " + json.dumps(event, indent=2))
master_role_arn = f"arn:aws:iam::{master_account}:role/{org_account_access_role}"
session_local = avm_common.aws_session()
current_account = session_local.client('sts').get_caller_identity().get('Account')
session_regular = avm_common.aws_session(role=master_role_arn)
account_request = {}
insert_event = [i for i in event["Records"] if i["eventName"] == "INSERT"]
if not len(insert_event):
print("ERROR: No account to create")
return
newImage = insert_event[0]["dynamodb"]["NewImage"]
account_request["email"] = newImage["id"]["S"]
account_request["account_name"] = newImage["appName"]["S"]
account_request["accountType"] = newImage["accountType"]["S"]
account_request["accountPrefix"] = newImage["accountPrefix"]["S"]
account_request["lob"] = newImage["lob"]["S"]
if account_request["accountType"].lower() != "application":
account_request["lob"] = account_request["accountType"].title()
account_request["env"] = newImage["envType"]["S"]
# CloudOps interal variable definition that will be used in certain areas where only prd, npd, sbx or dev are needed
if (account_request["env"] == "stg" or account_request["env"] == "qa" or account_request["env"] == "dev"):
account_request["intEnvironment"] = "npd"
elif (account_request["env"] == "pre-prod" or account_request["env"] == "prd"):
account_request["intEnvironment"] = "prd"
print(account_request)
orgMan = awsOrgManager(session_regular,current_account,master_account,master_role,org_account_access_role)
account = orgMan.create_account(account_request)
# By now account should have been created
if account:
target_ou = "Sandbox"
# Move the account the target organizational_unit
if account_request["accountType"].lower() != "application":
target_ou = account_request["accountType"].title()
else:
if "lob" in account_request.keys():
if account_request["lob"]:
target_ou = account_request["lob"]
orgMan.move_account(account["id"],target_ou)
acc = orgMan._client.describe_account(AccountId=account["id"])
# update account with additional details
account["account_request"] = json.dumps(account_request,default=defaultencode)
alias = orgMan.get_account_alias(account_request["accountType"],account_request["account_name"],account_request["lob"], account_request["env"], account_request["accountPrefix"] )
account["alias"] = alias
account["accountType"] = account_request["accountType"]
org = account_request["lob"].title()
git_url = avm_common.get_param("tlz_git_url")
print(git_url)
vended_applications_project = avm_common.get_param("vended_applications_project")
vended_baselines_project = avm_common.get_param("vended_baselines_project")
if avm_common.resource_workspace_required(account_request["accountType"]):
account["app_details"] = json.dumps({'git' : f'{git_url}/{vended_applications_project}/{alias}.git', 'tfe_workspace': f'{alias}-resources'})
account["baseline_details"] = json.dumps({'git' : f'{git_url}/{vended_baselines_project}/{alias}.git', 'tfe_workspace': f'{alias}-baseline'})
else:
account["baseline_details"] = json.dumps({'git' : f'{git_url}/{vended_baselines_project}/{alias}.git', 'tfe_workspace': f'{alias}'})
print(account)
orgMan.ingest_data(session_local,account)
additional_info = {}
additional_info["alias"] = alias
additional_info["account_type"] = account_request["accountType"]
additional_info["org_name"] = account_request["lob"]
additional_info["owner"] = newImage["responsible"]["S"]
additional_info["environment"] = account_request["env"]
additional_info["intEnvironment"] = account_request["env"]
additional_info["primaryVpcCidr"] = newImage["primaryVpcCidr"]["S"]
additional_info["secondaryVpcCidr"] = newImage["secondaryVpcCidr"]["S"]
#for k in newImage.keys():
# additional_info[k] = newImage[k]["S"]
#additional_info["account"] = account
orgMan.update_org_account_access_role(account["id"])
print("About to call the automation document")
orgMan.start_pipeline(session_local, account["id"], additional_info)
def lambda_handler_inner(event, context):
core_security = avm_common.get_param("core_security_account")
master_role = avm_common.get_param("tlz_admin_role")
ROLE_ARN_SECURITY=f"arn:aws:iam::{core_security}:role/{master_role}"
session_assumed = avm_common.aws_session(role=ROLE_ARN_SECURITY, session_name='security-services')
gd_client = session_assumed.client('ec2', region_name='us-east-1')
if core_security == event["AccountId"]:
print("No need to send guradduty invites as guardDuty master account cannot be member to itself")
return
regions = get_regions(gd_client)
for region in regions:#
print("Processing %s region" %(region))
try:
client = session_assumed.client('guardduty', region_name=region)
#Find out if GuardDuty already enabled:
detectors_list = client.list_detectors()
if not detectors_list["DetectorIds"]:
print ("GuardDuty is not enabled ... enabling GuardDuty on master account")
response = client.create_detector(Enable=True)
# Save DetectorID handler
DetectorId = response["DetectorId"]
else:
print("GuardDuty already enabled on account")
DetectorId = detectors_list['DetectorIds'][0]
# Do error handling here
# print all Detectorts
detectors_list = client.list_detectors()
print ("Detector lists: ")
for x in detectors_list["DetectorIds"]:
#print(x, end=" ")
print(x)
account_id = event["AccountId"]
account = avm_common.get_account_details(account_id)
print(f"id from event : {account_id} id from orgdetails: {account['org_details']['id']}")
if account:
# invite an account
print(account['org_details'])
print ("\nInviting member account " + account_id)
invite_member = client.create_members(
AccountDetails=[
{
'AccountId': account_id,
'Email': account['org_details']["email"]
},
],
DetectorId=DetectorId
)
gd_members = client.get_members(
AccountIds=[
account_id,
],
DetectorId=DetectorId
)
# the future member account is now staged
if gd_members:
print(gd_members)
print ("Memeber account RelationshipStatus: " + gd_members['Members'][0]['RelationshipStatus'])
# Invite members account(s)
response = client.invite_members(
AccountIds=[
account_id,
],
DetectorId=DetectorId,
Message='Please join AWS GuardDuty master account'
)
gd_members = client.get_members(
AccountIds=[
account_id,
],
DetectorId=DetectorId
)
# the future member account should be 'pending'
print ("Memeber account RelationshipStatus: " + gd_members['Members'][0]['RelationshipStatus'])
except ClientError as e:
send_error_notification(e,account_id)
# Enable GuardDuty on target account and accept the invites
print(f"About to enable and accept requests for {account_id}")
target_session = avm_common.aws_session(role=f"arn:aws:iam::{account_id}:role/{master_role}", session_name='target-account')
for region in regions:
print("Processing %s region" %(region))
try:
client = target_session.client('guardduty', region_name=region)
#Find out if GuardDuty already enabled:
detectors_list = client.list_detectors()
if not detectors_list["DetectorIds"]:
print (f"GuardDuty is not enabled ... enabling GuardDuty on {account_id} account")
response = client.create_detector(Enable=True)
# Save DetectorID handler
DetectorId = response["DetectorId"]
else:
print(f"GuardDuty already enabled on account {account_id}")
DetectorId = detectors_list['DetectorIds'][0]
# accept the invites
response = client.list_invitations(MaxResults=10)
if response:
invites = [i for i in response['Invitations']]
for i in invites:
r = client.accept_invitation(DetectorId=DetectorId,InvitationId=i["InvitationId"],MasterId=i["AccountId"])
except ClientError as e:
body = f"Unexpected error : {e}"
print(body)
send_error_notification(e,account_id)
def process(event, context):
"""
Do the work..
Order of operation:
1.) Delete the internet gateway
2.) Delete subnets
3.) Delete route tables
4.) Delete network access lists
5.) Delete security groups
6.) Delete the VPC
"""
account_id = event["AccountId"]
master_role = avm_common.get_param("tlz_admin_role")
ROLE_ARN = f"arn:aws:iam::{account_id}:role/{master_role}"
region_name = os.getenv('AWS_REGION')
session = avm_common.aws_session(role=ROLE_ARN,
session_name="target_account")
ec2_client = session.client('ec2', region_name=region_name)
regions = get_regions(ec2_client)
#regions = ["us-west-2"]
for region in regions:
# ec2_client = session.client('ec2', region_name=region)
ec2_client = session.client('ec2', region_name=region)
try:
attribs = ec2_client.describe_account_attributes(
AttributeNames=['default-vpc'])['AccountAttributes']
except ClientError as e:
print(e.response['Error']['Message'])
return
else:
vpc_id = attribs[0]['AttributeValues'][0]['AttributeValue']
if vpc_id == 'none':
print(
'VPC (default) was not found in the {} region.'.format(region))
continue
# Are there any existing resources? Since most resources attach an ENI, let's check..
args = {'Filters': [{'Name': 'vpc-id', 'Values': [vpc_id]}]}
try:
eni = ec2_client.describe_network_interfaces(
**args)['NetworkInterfaces']
except ClientError as e:
print(e.response['Error']['Message'])
return
if eni:
print('VPC {} has existing resources in the {} region.'.format(
vpc_id, region))
continue
result = delete_igw(ec2_client, vpc_id)
result = delete_subs(ec2_client, args)
result = delete_rtbs(ec2_client, args)
result = delete_acls(ec2_client, args)
result = delete_sgps(ec2_client, args)
result = delete_vpc(ec2_client, vpc_id, region)
return
