class Metrics(object): def __init__(self, logger): self.logger = logger self.ssm = SSM(logger) def _get_parameter_value(self, key): response = self.ssm.describe_parameters(key) self.logger.info(response) # get paramter if key exist if response: value = self.ssm.get_parameter(key) self.logger.info(value) else: value = 'ssm-param-key-not-found' return value.get('Parameter', {}).get('Value') # Send anonymous metrics def metrics(self, data, solution_id='SO0058', url='https://metrics.awssolutionsbuilder.com/generic'): try: send_metrics = self._get_parameter_value('/solutions/stno/metrics_flag') if send_metrics.lower() == 'yes': uuid = self._get_parameter_value('/solutions/stno/customer_uuid') time_stamp = {'TimeStamp': str(datetime.utcnow().isoformat())} params = {'Solution': solution_id, 'UUID': uuid, 'Data': data} metrics = dict(time_stamp, **params) json_data = json.dumps(metrics, cls=DecimalEncoder) headers = {'content-type': 'application/json'} r = requests.post(url, data=json_data, headers=headers) code = r.status_code return code except: pass
def put_ssm_parameter(self, key, value): try: ssm = SSM(self.logger) response = ssm.describe_parameters(key) self.logger.info(response) # put parameter if key does not exist if not response: ssm.put_parameter(key, value) except Exception as e: self.logger.info(e) pass
class Metrics(object): def __init__(self, logger): self.logger = logger self.ssm = SSM(logger) def _get_parameter_value(self, key): response = self.ssm.describe_parameters(key) self.logger.info(response) # get paramter if key exist if response: value = self.ssm.get_parameter(key) self.logger.info(value) else: value = 'ssm-param-key-not-found' return value # Send anonymous metrics def metrics(self, data, solution_id='SO0044', url='https://metrics.awssolutionsbuilder.com/generic'): try: send_metrics = self._get_parameter_value( '/org/primary/metrics_flag') if send_metrics.lower() == 'yes': uuid = self._get_parameter_value('/org/primary/customer_uuid') time_stamp = {'TimeStamp': str(datetime.utcnow().isoformat())} params = {'Solution': solution_id, 'UUID': uuid, 'Data': data} metrics = dict(time_stamp, **params) json_data = json.dumps(metrics, indent=4, cls=DecimalEncoder, sort_keys=True) headers = {'content-type': 'application/json'} r = requests.post(url, data=json_data, headers=headers) code = r.status_code return code except Exception as e: message = { 'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__, 'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e) } self.logger.exception(message) raise
class ParamsHandler(object): def __init__(self, logger): self.logger = logger self.ssm = SSM(self.logger) self.kms = KMS(self.logger) self.assume_role = AssumeRole() def _session(self, region, account_id): # instantiate EC2 sessions return EC2(self.logger, region, credentials=self.assume_role(self.logger, account_id)) def _extract_string(self, str, search_str): return str[len(search_str):] def _get_ssm_params(self, ssm_parm_name): try: return self.ssm.get_parameter(ssm_parm_name) except Exception as e: raise Exception( "Missing SSM parameter value for: {} in the SSM Parameter Store." .format(ssm_parm_name)) def _get_kms_key_id(self): alias_name = environ.get('kms_key_alias_name') response = self.kms.describe_key(alias_name) self.logger.debug(response) key_id = response.get('KeyMetadata', {}).get('KeyId') return key_id def get_azs_from_member_account(self, region, qty, account, key_az=None): """gets a predefined quantity of (random) az's from a specified region Args: region (str): region name qty: quantity of az's to return account: account id of the member account Returns: list: availability zone names """ try: if key_az: self.logger.info( "Looking up values in SSM parameter:{}".format(key_az)) existing_param = self.ssm.describe_parameters(key_az) if existing_param: self.logger.info( 'Found existing SSM parameter, returning exising AZ list.' ) return self.ssm.get_parameter(key_az) if account is not None: ec2 = self._session(region, account) self.logger.info( "Getting list of AZs in region: {} from account: {}". format(region, account)) return self._get_az(ec2, key_az, qty) else: self.logger.info( "Creating EC2 Session in {} region".format(region)) ec2 = EC2(self.logger, region) return self._get_az(ec2, key_az, qty) except Exception as e: message = { 'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__, 'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e) } self.logger.exception(message) raise def _get_az(self, ec2, key_az, qty): # Get AZs az_list = ec2.describe_availability_zones() self.logger.info("_get_azs output: %s" % az_list) random_az_list = ','.join(random.sample(az_list, qty)) description = "Contains random AZs selected by Landing Zone Solution" if key_az: self.ssm.put_parameter(key_az, random_az_list, description) return random_az_list def create_key_pair(self, account, region, param_key_material=None, param_key_fingerprint=None, param_key_name=None): if param_key_name: self.logger.info( "Looking up values in SSM parameter:{}".format(param_key_name)) existing_param = self.ssm.describe_parameters(param_key_name) if existing_param: return self.ssm.get_parameter(param_key_name) key_name = sanitize( "%s_%s_%s_%s" % ('lz', account, region, time.strftime("%Y-%m-%dT%H-%M-%S"))) try: ec2 = self._session(region, account) # create EC2 key pair in member account self.logger.info( "Create key pair in the member account {} in region: {}". format(account, region)) response = ec2.create_key_pair(key_name) # add key material and fingerprint in the SSM Parameter Store self.logger.info("Adding Key Material and Fingerprint to SSM PS") description = "Contains EC2 key pair asset created by Landing Zone Solution: " \ "EC2 Key Pair Custom Resource." # Get Landing Zone KMS Key ID key_id = self._get_kms_key_id() if param_key_fingerprint: self.ssm.put_parameter_use_cmk(param_key_fingerprint, response.get('KeyFingerprint'), key_id, description) if param_key_material: self.ssm.put_parameter_use_cmk(param_key_material, response.get('KeyMaterial'), key_id, description) if param_key_name: self.ssm.put_parameter(param_key_name, key_name, description) return key_name except Exception as e: message = { 'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__, 'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e) } self.logger.exception(message) raise def random_password(self, length, key_password=None, alphanum=True): """Generates a random string, by default only including letters and numbers Args: length (int): length of string to generate alphanum (bool): [optional] if False it will also include ';:=+!@#%^&*()[]{}' in the character set """ try: response = '_get_ssm_secure_string_' + key_password if key_password: self.logger.info( "Looking up values in SSM parameter:{}".format( key_password)) existing_param = self.ssm.describe_parameters(key_password) if existing_param: return response additional = '' if not alphanum: additional = ';:=+!@#%^&*()[]{}' chars = string.ascii_uppercase + string.ascii_lowercase + string.digits + additional # Making sure the password has two numbers and symbols at the very least password = ''.join(random.SystemRandom().choice(chars) for _ in range(length-4)) + \ ''.join(random.SystemRandom().choice(string.digits) for _ in range(2)) + \ ''.join(random.SystemRandom().choice(additional) for _ in range(2)) self.logger.info("Adding Random password to SSM PS") description = "Contains random password created by Landing Zone Solution" if key_password: key_id = self._get_kms_key_id() self.ssm.put_parameter_use_cmk(key_password, password, key_id, description) return response except Exception as e: message = { 'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__, 'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e) } self.logger.exception(message) raise def update_params(self, params_in, account=None, region=None, substitute_ssm_values=True): """ Args: params_in (list): Python List of dict of input params e.g. [{ "ParameterKey": "LoggingAccountId", "ParameterValue": "$[alfred_ssm_/org/member/logging/account_id]" },{ "ParameterKey": "foo", "ParameterValue": "bar" }] Return: params_out (dict): Python dict of output params e.g. { "LoggingAccountId": "${AWS::AccountId}", "foo": "bar" } """ try: self.logger.info("params in : {}".format(params_in)) params_out = {} for param in params_in: key = param.get("ParameterKey") value = param.get("ParameterValue") if not isinstance(value, list): if value.startswith('$[') and value.endswith(']'): # Apply transformations keyword = value[2:-1] # Check if supported keyword e.g. alfred_ssm_, alfred_genaz_, alfred_getaz_, alfred_genuuid, etcself. if keyword.startswith('alfred_ssm_'): ssm_param_name = self._extract_string( keyword, 'alfred_ssm_') if ssm_param_name: # If this flag is True, it will replace the SSM parameter name i.e. /org/member/ss/directory-name with its # value i.e. example, whereas if its False, it will leave the parameter name as-is if substitute_ssm_values: value = self._get_ssm_params( ssm_param_name) else: raise Exception( "Missing SSM parameter name for: {} in the parameters JSON file." .format(key)) elif keyword.startswith('alfred_genkeypair'): keymaterial_param_name = None keyfingerprint_param_name = None keyname_param_name = None ssm_parameters = param.get('ssm_parameters', []) if type(ssm_parameters) is list: for ssm_parameter in ssm_parameters: val = ssm_parameter.get('value')[2:-1] if val.lower() == 'keymaterial': keymaterial_param_name = ssm_parameter.get( 'name') elif val.lower() == 'keyfingerprint': keyfingerprint_param_name = ssm_parameter.get( 'name') elif val.lower() == 'keyname': keyname_param_name = ssm_parameter.get( 'name') value = self.create_key_pair( account, region, keymaterial_param_name, keyfingerprint_param_name, keyname_param_name) elif keyword.startswith('alfred_genpass_'): sub_string = self._extract_string( keyword, 'alfred_genpass_') if sub_string: pw_length = int(sub_string) else: pw_length = 8 password_param_name = None ssm_parameters = param.get('ssm_parameters', []) if type(ssm_parameters) is list: for ssm_parameter in ssm_parameters: val = ssm_parameter.get('value')[2:-1] if val.lower() == 'password': password_param_name = ssm_parameter.get( 'name') value = self.random_password( pw_length, password_param_name, False) elif keyword.startswith('alfred_genaz_'): sub_string = self._extract_string( keyword, 'alfred_genaz_') if sub_string: no_of_az = int(sub_string) else: no_of_az = 2 az_param_name = None ssm_parameters = param.get('ssm_parameters', []) if type(ssm_parameters) is list: for ssm_parameter in ssm_parameters: val = ssm_parameter.get('value')[2:-1] if val.lower() == 'az': az_param_name = ssm_parameter.get( 'name') value = self.get_azs_from_member_account( region, no_of_az, account, az_param_name) else: value = keyword params_out.update({key: value}) self.logger.info("params out : {}".format(params_out)) return params_out except Exception as e: message = { 'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__, 'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e) } self.logger.exception(message) raise
class CFNParamsHandler(object): """This class goes through the cfn parameters passed by users to state machines and SSM parameters to get the correct parameter , create parameter value and update SSM parameters as applicable. For example, if a cfn parameter is passed, save it in SSM parameter store. """ def __init__(self, logger): self.logger = logger self.ssm = SSM(self.logger) self.kms = KMS(self.logger) self.assume_role = AssumeRole() def _session(self, region, account_id=None): # instantiate EC2 session if account_id is None: return EC2(self.logger, region) else: return EC2(self.logger, region, credentials=self.assume_role(self.logger, account_id)) def _get_ssm_params(self, ssm_parm_name): return self.ssm.get_parameter(ssm_parm_name) def _get_kms_key_id(self): alias_name = environ.get('KMS_KEY_ALIAS_NAME') response = self.kms.describe_key(alias_name) self.logger.debug(response) key_id = response.get('KeyMetadata', {}).get('KeyId') return key_id def get_azs_from_member_account(self, region, qty, account, key_az=None): """gets a predefined quantity of (random) az's from a specified region Args: region (str): region name qty: quantity of az's to return account: account id of the member account key_az (str): ssm parameter store key where existing AZ list is stored Returns: list: availability zone names """ if key_az: self.logger.info( "Looking up values in SSM parameter:{}".format(key_az)) existing_param = self.ssm.describe_parameters(key_az) if existing_param: self.logger.info('Found existing SSM parameter, returning' ' existing AZ list.') return self.ssm.get_parameter(key_az) if account is not None: acct = account[0] if isinstance(account, list) else account ec2 = self._session(region, acct) self.logger.info("Getting list of AZs in region: {} from" " account: {}".format(region, acct)) return self._get_az(ec2, key_az, qty) else: self.logger.info( "Creating EC2 Session in {} region".format(region)) ec2 = EC2(self.logger, region) return self._get_az(ec2, key_az, qty) def _get_az(self, ec2, key_az, qty): # Get AZs az_list = ec2.describe_availability_zones() self.logger.info("_get_azs output: %s" % az_list) random_az_list = ','.join(random.sample(az_list, qty)) description = "Contains random AZs selected by Landing Zone" \ "Solution" if key_az: self.ssm.put_parameter(key_az, random_az_list, description) return random_az_list def _create_key_pair(self, account, region, param_key_material=None, param_key_fingerprint=None, param_key_name=None): """Creates an ec2 key pair if it does not exist already. Args: account: region: param_key_material: key material used to encrypt and decrypt data. Default to None param_key_fingerprint: key finger print. Default to None param_key_name: key name. A key name will be automatically created if there is none. Default to None Returns: key name """ if param_key_name: self.logger.info( "Looking up values in SSM parameter:{}".format(param_key_name)) existing_param = self.ssm.describe_parameters(param_key_name) if existing_param: return self.ssm.get_parameter(param_key_name) key_name = sanitize( "%s_%s_%s_%s" % ('lz', account, region, time.strftime("%Y-%m-%dT%H-%M-%S"))) ec2 = self._session(region, account) # create EC2 key pair in member account self.logger.info("Create key pair in the member account {} in" " region: {}".format(account, region)) response = ec2.create_key_pair(key_name) # add key material and fingerprint in the SSM Parameter Store self.logger.info("Adding Key Material and Fingerprint to SSM PS") description = "Contains EC2 key pair asset created by " \ "Landing Zone Solution: " \ "EC2 Key Pair Custom Resource." # Get AWS Landing Zone KMS Key ID key_id = self._get_kms_key_id() if param_key_fingerprint: self.ssm.put_parameter_use_cmk(param_key_fingerprint, response.get('KeyFingerprint'), key_id, description) if param_key_material: self.ssm.put_parameter_use_cmk(param_key_material, response.get('KeyMaterial'), key_id, description) if param_key_name: self.ssm.put_parameter(param_key_name, key_name, description) return key_name def random_password(self, length, key_password=None, alphanum=True): """Generates a random string, by default only including letters and numbers Args: length (int): length of string to generate key_password (str): ssm parameter store key where existing password is stored alphanum (bool): [optional] if False it will also include ';:=+!@#%^&*()[]{}' in the character set """ response = '_get_ssm_secure_string_' + key_password param_exists = False if key_password: self.logger.info( "Looking up values in SSM parameter:{}".format(key_password)) existing_param = self.ssm.describe_parameters(key_password) if existing_param: param_exists = True if not param_exists: additional = '' if not alphanum: additional = ';:=+!@#%^&*()[]{}' password = random_pwd_generator(length, additional) self.logger.info("Adding Random password to SSM Parameter Store") description = "Contains random password created by Landing Zone"\ " Solution" if key_password: key_id = self._get_kms_key_id() self.ssm.put_parameter_use_cmk(key_password, password, key_id, description) return response def update_params(self, params_in, account=None, region=None, substitute_ssm_values=True): """Updates SSM parameters Args: params_in (list): Python List of dict of input params e.g. [{ "ParameterKey": "LoggingAccountId", "ParameterValue": "$[alfred_ssm_/org/member/logging/account_id]" },{ "ParameterKey": "foo", "ParameterValue": "bar" }] Return: params_out (dict): Python dict of output params e.g. { "LoggingAccountId": "${AWS::AccountId}", "foo": "bar" } """ self.logger.info("params in : {}".format(params_in)) params_out = {} for param in params_in: key = param.get("ParameterKey") value = param.get("ParameterValue") if not isinstance(value, list): if value.startswith('$[') and value.endswith(']'): # Apply transformations keyword = value[2:-1] # Check if supported keyword e.g. alfred_ssm_, # alfred_genaz_, alfred_getaz_, alfred_genuuid, etc. if keyword.startswith('alfred_ssm_'): value, param_flag = self._update_alfred_ssm( keyword, key, value, substitute_ssm_values) if param_flag is False: raise Exception( "Missing SSM parameter name for:" " {} in the parameters JSON file.".format(key)) elif keyword.startswith('alfred_genkeypair'): value = self._update_alfred_genkeypair( param, account, region) elif keyword.startswith('alfred_genpass_'): value = self._update_alfred_genpass(keyword, param) elif keyword.startswith('alfred_genaz_'): value = self._update_alfred_genaz( keyword, param, account, region) else: value = keyword params_out.update({key: value}) self.logger.info("params out : {}".format(params_out)) return params_out def _update_alfred_ssm(self, keyword, key, value, substitute_ssm_values): """Gets the value of the SSM parameter whose name starts with 'alfred_ssm_ ' Args: keyword: string. trimmed parameter value without unwanted leading and trailing characters key: parameter key value: parameter value substitute_ssm_values: boolean. default to true Return: value of the SSM parameter """ ssm_param_name = trim_string_from_front(keyword, 'alfred_ssm_') param_flag = True if ssm_param_name: # If this flag is True, it will replace the SSM parameter name # i.e. /org/member/ss/directory-name with its value i.e. example, # whereas if it is False, it will leave the parameter name as-is. if substitute_ssm_values: value = self._get_ssm_params(ssm_param_name) else: param_flag = False return value, param_flag def _update_alfred_genkeypair(self, param, account, region): """Gets the ec2 key pair name if SSM parameter name starts with 'alfred_genkeypair ' Args: value: string. parameter value param: one parameter in list account: string region: string Return: ec2 key pair name """ keymaterial_param_name = None keyfingerprint_param_name = None keyname_param_name = None ssm_parameters = param.get('ssm_parameters', []) if type(ssm_parameters) is list: for ssm_parameter in ssm_parameters: val = ssm_parameter.get('value')[2:-1] if val.lower() == 'keymaterial': keymaterial_param_name = ssm_parameter.get('name') elif val.lower() == 'keyfingerprint': keyfingerprint_param_name = ssm_parameter.get('name') elif val.lower() == 'keyname': keyname_param_name = ssm_parameter.get('name') value = self._create_key_pair(account, region, keymaterial_param_name, keyfingerprint_param_name, keyname_param_name) return value def _update_alfred_genpass(self, keyword, param): """Creates a random password if SSM parameter name starts with 'alfred_genpass_ ' Args: keyword: string. trimmed parameter value without unwanted leading and trailing characters value: string. parameter value param: one parameter in list Return: generated random password """ sub_string = trim_string_from_front(keyword, 'alfred_genpass_') if sub_string: pw_length = int(sub_string) else: pw_length = 8 password_param_name = None ssm_parameters = param.get('ssm_parameters', []) if type(ssm_parameters) is list: for ssm_parameter in ssm_parameters: val = ssm_parameter.get('value')[2:-1] if val.lower() == 'password': password_param_name = ssm_parameter.get('name') value = self.random_password(pw_length, password_param_name, False) return value def _update_alfred_genaz(self, keyword, param, account, region): """gets a predefined list of (random) az's from a specified region if SSM parameter name starts with 'alfred_genaz ' Args: keyword: string. trimmed parameter value without unwanted leading and trailing characters value: string. parameter value param: one parameter in list account: string region: string Return: list of random az's """ sub_string = trim_string_from_front(keyword, 'alfred_genaz_') if sub_string: no_of_az = int(sub_string) else: no_of_az = 2 az_param_name = None ssm_parameters = param.get('ssm_parameters', []) if type(ssm_parameters) is list: for ssm_parameter in ssm_parameters: val = ssm_parameter.get('value')[2:-1] if val.lower() == 'az': az_param_name = ssm_parameter.get('name') value = self.get_azs_from_member_account(region, no_of_az, account, az_param_name) return value