def create_report_batch_job_handler(event, context):
check_history_id = eventhelper.get_check_history_id_batch(event)
trace_id = check_history_id
common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())
# セキュリティチェックレポート作成ジョブ登録
return awssecuritychecks_logic.create_report_batch_job(
trace_id, check_history_id)
def execute_securitycheck_aggregate_handler(event, context):
check_history_id = eventhelper.get_check_history_id_batch(event)
trace_id = check_history_id
common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())
# セキュリティチェック結果集計
return awssecuritychecks_logic.execute_securitycheck_aggregate(
trace_id, check_history_id)
def create(trace_id,
organization_id,
notify_code,
webhook_url,
mentions,
is_cw_logger=False):
if (is_cw_logger):
common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
common_utils.begin_logger(trace_id, __name__, inspect.currentframe())
if common_utils.is_null(mentions):
mentions = None
date_now = common_utils.get_current_date()
org_notify_slack = {
"OrganizationID": organization_id,
"NotifyCode": notify_code,
"WebhookURL": webhook_url,
"Mentions": mentions,
"CreatedAt": date_now,
"UpdatedAt": date_now
}
DB_utils.create(trace_id,
Tables.PM_ORG_NOTIFY_SLACK,
org_notify_slack,
is_cw_logger=is_cw_logger)
def get_check_awsaccounts_handler(event, context):
# 必要な情報を取得
check_history_id = eventhelper.get_check_history_id_batch(event)
trace_id = check_history_id
common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())
# セキュリティチェック対象AWSアカウント取得
return awssecuritychecks_logic.get_check_awsaccounts(
trace_id, check_history_id)
def update(trace_id, check_result_id, update_attribute, is_cw_logger=False):
if (is_cw_logger):
common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
common_utils.begin_logger(trace_id, __name__, inspect.currentframe())
key = {"CheckResultID": check_result_id}
DB_utils.update(trace_id,
Tables.PM_CHECK_RESULTS,
key,
update_attribute,
is_cw_logger=is_cw_logger)
def execute_securitycheck_statemachine_handler(event, context):
# Amazon SNSメッセージを取得
message = eventhelper.get_message_from_sns(event)
message = json.loads(message)
# 必要な情報を取得
check_history_id = eventhelper.get_check_history_id_batch(message)
trace_id = check_history_id
common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())
# セキュリティチェックStepFunctions起動
awssecuritychecks_logic.execute_securitycheck_statemachine(
trace_id, check_history_id)
def create(trace_id,
check_result_id,
check_history_id,
check_rule_code,
organization_id,
organization_name,
project_id,
project_name,
aws_account_coop_id,
aws_account,
sort_code,
ok_count,
critical_count,
ng_count,
executed_date_time,
time_to_live,
aws_account_name,
is_cw_logger=False):
if (is_cw_logger):
common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
common_utils.begin_logger(trace_id, __name__, inspect.currentframe())
# 不要なクラムを作成することを避けるため
date_now = common_utils.get_current_date()
data_create = {
'CheckResultID': check_result_id,
'CheckHistoryID': check_history_id,
'CheckRuleCode': check_rule_code,
'OrganizationID': organization_id,
'OrganizationName': organization_name,
'ProjectID': project_id,
'ProjectName': project_name,
'AWSAccountCoopID': aws_account_coop_id,
'AWSAccount': aws_account,
'SortCode': sort_code,
'OKCount': ok_count,
'CriticalCount': critical_count,
'NGCount': ng_count,
'ExecutedDateTime': executed_date_time,
'TimeToLive': time_to_live,
'CreatedAt': date_now,
'UpdatedAt': date_now,
'AWSAccountName': aws_account_name
}
condition_expression = Attr("CheckResultID").not_exists()
DB_utils.create(trace_id,
Tables.PM_CHECK_RESULTS,
data_create,
condition_expression,
is_cw_logger=is_cw_logger)
def create(trace_id,
table_name,
create_data,
condition_expression=None,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
table = connect_dynamodb(table_name)
if (condition_expression is None):
table.put_item(Item=create_data)
else:
table.put_item(Item=create_data,
ConditionExpression=condition_expression)
logger.info(table_name.value + "正常に作成しました。")
except ClientError as e:
if retrycheck.check_retryable(e.response):
retry_exception = RetryException(cause_error=e)
logger.error(retry_exception)
logger.exception("error_id: %s", retry_exception.error_id)
raise retry_exception
else:
no_retry_exception = NoRetryException(
cause_error=e, message=e.response['Error']['Message'])
logger.error(no_retry_exception)
raise no_retry_exception
def query_index(trace_id,
table_name,
index_name,
key_conditions,
filter_expression,
scan_index_forward=True,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
exclusiveStartKey = None
list_data = []
while True:
try:
result = query_index_db(trace_id,
table_name,
index_name,
key_conditions,
filter_expression,
scan_index_forward,
exclusiveStartKey,
is_cw_logger=is_cw_logger)
list_data.extend(result['Items'])
if common_utils.check_key('LastEvaluatedKey', result) is False:
break
exclusiveStartKey = result['LastEvaluatedKey']
except Exception as e:
logger.error(e)
break
return common_utils.response(list_data, logger)
def query_key(trace_id, table_name, key, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
table = connect_dynamodb(table_name)
result = table.get_item(Key=key)
result_item = None
if (common_utils.check_key('Item', result)):
result_item = result['Item']
return common_utils.response(result_item, logger)
except ClientError as e:
if retrycheck.check_retryable(e.response):
retry_exception = RetryException(cause_error=e)
logger.error(retry_exception)
logger.exception("error_id: %s", retry_exception.error_id)
raise retry_exception
else:
no_retry_exception = NoRetryException(
cause_error=e, message=e.response['Error']['Message'])
logger.error(no_retry_exception)
raise no_retry_exception
def query_key(trace_id,
organization_id,
notify_code,
convert_response=None,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
key = {"OrganizationID": organization_id, "NotifyCode": notify_code}
result = DB_utils.query_key(trace_id,
Tables.PM_ORG_NOTIFY_MAIL_DESTINATIONS,
key,
is_cw_logger=is_cw_logger)
if result and convert_response:
result = common_utils.convert_response(
trace_id,
result,
RESPONSE_ORG_NOTIFY_MAIL_DESTINATIONS,
is_cw_logger=is_cw_logger)
result['destinations'] = common_utils.convert_list_response(
trace_id,
result['destinations'],
RESPONSE_DESTINATIONS,
is_cw_logger=is_cw_logger)
return common_utils.response(result, logger)
def get_bucket_encryption(trace_id, s3_client, bucket, aws_account,
region_name, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
bucket_encryption = []
try:
result = s3_client.get_bucket_encryption(Bucket=bucket)
except ClientError as e:
if e.response["Error"]["Code"] == CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR:
logger.info("[%s]S3バケット暗号化情報がありません。(%s/%s)", aws_account,
region_name, bucket)
raise PmError(cause_error=e)
elif e.response['Error']['Code'] in CommonConst.S3_SKIP_EXCEPTION:
logger.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s/%s)",
aws_account, region_name, bucket)
raise common_utils.write_log_warning(e, logger)
else:
logger.error("[%s]S3バケット暗号化情報の取得に失敗しました。(%s/%s)", aws_account,
region_name, bucket)
raise common_utils.write_log_exception(e, logger)
if common_utils.check_key("ServerSideEncryptionConfiguration", result):
if common_utils.check_key("Rules", result["ServerSideEncryptionConfiguration"]):
bucket_encryption = result["ServerSideEncryptionConfiguration"]["Rules"]
return bucket_encryption
def get_cognito_user_info_by_user_name(trace_id, user_name,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# get user_pool
try:
client = boto3.client("cognito-idp")
except ClientError as e:
raise common_utils.write_log_exception(e, logger)
user_pool_id = os.environ.get("COGNITO_USER_POOL_ID")
try:
user_info = client.admin_get_user(
UserPoolId=user_pool_id,
Username=user_name)
except ClientError as e:
if e.response['Error']['Code'] == CommonConst.COGNITO_USER_NOT_FOUND_EXCEPTION:
return None
raise common_utils.write_log_exception(e, logger)
logger.info("End : get cognito users info success")
return user_info
def test_execute_securitycheck_statemachine_case_error_validate_param(
self):
# create data mock
cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
# patch mock
patch_begin_cw_logger = patch(
"premembers.common.common_utils.begin_cw_logger")
patch_logger_error = patch.object(CwLogAdapter, "error")
# start mock object
mock_begin_cw_logger = patch_begin_cw_logger.start()
mock_logger_error = patch_logger_error.start()
# mock object
mock_begin_cw_logger.return_value = cw_logger
# addCleanup stop mock object
self.addCleanup(patch_begin_cw_logger.stop)
self.addCleanup(patch_logger_error.stop)
with self.assertRaises(PmError) as exception:
# call function test
awssecuritychecks_logic.execute_securitycheck_statemachine(
trace_id, "")
# check error
actual_message = exception.exception.message
self.assertEquals("CKEX_SECURITY-001", actual_message)
# check log message error
mock_logger_error.assert_any_call("チェック履歴IDが指定されていません。")
def query_check_history_index(trace_id,
check_history_id,
sort_code=None,
filter_expression=None,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
key_conditions = {
'CheckHistoryID': {
'AttributeValueList': [check_history_id],
'ComparisonOperator': 'EQ'
}
}
if sort_code is not None:
key_conditions['SortCode'] = {
'AttributeValueList': [sort_code],
'ComparisonOperator': 'EQ'
}
result = DB_utils.query_index(trace_id,
Tables.PM_CHECK_RESULT_ITEMS,
CHECK_HISTORY_INDEX,
key_conditions,
filter_expression,
is_cw_logger=is_cw_logger)
return common_utils.response(result, logger)
def query_history_index(trace_id,
check_history_id,
filter_expression=None,
convert_response=None,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
key_conditions = {
'CheckHistoryID': {
'AttributeValueList': [check_history_id],
'ComparisonOperator': 'EQ'
}
}
result = DB_utils.query_index(trace_id,
Tables.PM_CHECK_RESULTS,
CHECK_HISTORY_INDEX,
key_conditions,
filter_expression,
is_cw_logger=is_cw_logger)
if result and convert_response:
result = common_utils.convert_list_response(trace_id,
result,
RESPONSE_CHECK_RESULTS,
RESPONSE_REQUIRED,
is_cw_logger=is_cw_logger)
return common_utils.response(result, logger)
def test_check_effective_awsaccount_case_error_validate_param(self):
# create data mock
cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
# patch mock
patch_begin_cw_logger = patch(
"premembers.common.common_utils.begin_cw_logger")
patch_logger_error = patch.object(CwLogAdapter, "error")
# start mock object
mock_begin_cw_logger = patch_begin_cw_logger.start()
mock_logger_error = patch_logger_error.start()
# mock object
mock_begin_cw_logger.return_value = cw_logger
# addCleanup stop mock object
self.addCleanup(patch_begin_cw_logger.stop)
self.addCleanup(patch_logger_error.stop)
# call function test
actual_response = awssecuritychecks_logic.check_effective_awsaccount(
trace_id, "", "", role_name, external_id, organization_id,
project_id, check_history_id)
expect_response = {"TaskResult": "Fail"}
# check result
self.assertDictEqual(expect_response, actual_response)
# check log message error
mock_logger_error.assert_any_call("%sが指定されていません。",
"AWSAccount, CoopID")
def query_userid_key(trace_id,
user_id,
organization_id=None,
filter_expression=None,
convert_response=None,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
key_conditions = {
'UserID': {
'AttributeValueList': [user_id],
'ComparisonOperator': 'EQ'
}
}
if (organization_id):
key_conditions['OrganizationID'] = {
'AttributeValueList': [organization_id],
'ComparisonOperator': 'EQ'
}
result = DB_utils.query(trace_id,
Tables.PM_AFFILIATION,
key_conditions,
filter_expression,
is_cw_logger=is_cw_logger)
if result and convert_response:
result = common_utils.convert_list_response(trace_id,
result,
RESPONSE_AFFILIATION,
is_cw_logger=is_cw_logger)
return common_utils.response(result, logger)
def describe_volumes(trace_id,
awsaccount,
ec2_client,
region_name,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
ebs_volumes = []
try:
response = ec2_client.describe_volumes()
if common_utils.check_key("Volumes", response):
ebs_volumes = response["Volumes"]
next_token = None
if 'NextToken' in response:
next_token = response['NextToken']
while (next_token is not None):
response = ec2_client.describe_volumes(NextToken=next_token)
ebs_volumes.extend(response['Volumes'])
if 'NextToken' in response:
next_token = response['NextToken']
else:
next_token = None
except ClientError as e:
logger.error("[%s/%s] EBSボリューム情報の取得に失敗しました。", awsaccount, region_name)
raise common_utils.write_log_exception(e, logger)
return ebs_volumes
def get_regions(trace_id, session=None,
filter_describe_regions=CommonConst.FILTER_DESCRIBE_REGIONS,
all_regions=True, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
if session:
ec2_client = session.client('ec2')
else:
ec2_client = boto3.client('ec2')
if filter_describe_regions is not None and all_regions is not None:
response = ec2_client.describe_regions(
Filters=filter_describe_regions, AllRegions=all_regions)
elif filter_describe_regions is not None:
response = ec2_client.describe_regions(
Filters=filter_describe_regions)
elif all_regions is not None:
response = ec2_client.describe_regions(
AllRegions=all_regions)
else:
response = ec2_client.describe_regions()
except ClientError as e:
raise common_utils.write_log_exception(e, logger)
return response['Regions']
def update(trace_id,
check_history_id,
update_attribute,
target_update_date,
is_cw_logger=False):
if (is_cw_logger):
common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
common_utils.begin_logger(trace_id, __name__, inspect.currentframe())
key = {"CheckHistoryID": check_history_id}
DB_utils.update(trace_id,
Tables.PM_CHECK_HISTORY,
key,
update_attribute,
target_update_date,
is_cw_logger=is_cw_logger)
def update_awscoops(trace_id,
coop_id,
update_attribute,
target_update_date=None,
is_cw_logger=False):
if (is_cw_logger):
common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
common_utils.begin_logger(trace_id, __name__, inspect.currentframe())
key = {"CoopID": coop_id}
DB_utils.update(trace_id,
Tables.PM_AWSACCOUNTCOOPS,
key,
update_attribute,
target_update_date,
is_cw_logger=is_cw_logger)
def get_step_functions_client(trace_id):
cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
try:
step_functions_client = boto3.client('stepfunctions')
except ClientError as e:
cw_logger.error("Step Functionsクライアント作成に失敗しました。")
raise common_utils.write_log_exception(e, cw_logger)
return step_functions_client
def test_get_check_awsaccounts_case_error_get_record_pm_project(self):
# create data mock
cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
pm_error = PmError()
# patch mock
patch_begin_cw_logger = patch(
"premembers.common.common_utils.begin_cw_logger")
patch_query_key_pm_check_history = patch(
"premembers.repository.pm_checkHistory.query_key")
patch_query_key_pm_organizations = patch(
"premembers.repository.pm_organizations.get_organization")
patch_query_key_pm_project = patch(
"premembers.repository.pm_projects.query_key")
patch_logger_error = patch.object(CwLogAdapter, "error")
patch_write_log_pm_error = patch(
"premembers.common.common_utils.write_log_pm_error")
# start mock object
mock_begin_cw_logger = patch_begin_cw_logger.start()
mock_query_key_pm_check_history = patch_query_key_pm_check_history.start(
)
mock_query_key_pm_organizations = patch_query_key_pm_organizations.start(
)
mock_query_key_pm_project = patch_query_key_pm_project.start()
mock_logger_error = patch_logger_error.start()
mock_write_log_pm_error = patch_write_log_pm_error.start()
# mock data
mock_begin_cw_logger.return_value = cw_logger
mock_query_key_pm_check_history.return_value = data_pm_check_history
mock_query_key_pm_organizations.return_value = data_pm_organizations
mock_query_key_pm_project.side_effect = pm_error
mock_write_log_pm_error.return_value = pm_error
# addCleanup stop mock object
self.addCleanup(patch_begin_cw_logger.stop)
self.addCleanup(patch_query_key_pm_check_history.stop)
self.addCleanup(patch_query_key_pm_organizations.stop)
self.addCleanup(patch_query_key_pm_project.stop)
self.addCleanup(patch_logger_error.stop)
self.addCleanup(patch_write_log_pm_error.stop)
with self.assertRaises(PmError):
# call function test
awssecuritychecks_logic.get_check_awsaccounts(
trace_id, check_history_id)
# check log message error
mock_logger_error.assert_called_once_with(
"プロジェクト情報の取得に失敗しました。: ProjectID=%s", project_id)
# check call function write_log_pm_error
mock_write_log_pm_error.assert_called_once_with(
pm_error, cw_logger, "GCA_SECURITY-004")
def check_effective_awsaccount_handler(event, context):
# 必要な情報を取得
check_history_id = eventhelper.get_check_history_id_batch(event)
trace_id = check_history_id
coop_id = eventhelper.get_coop_id_batch(event)
role_name = eventhelper.get_role_name(event)
external_id = eventhelper.get_external_id(event)
organization_id = eventhelper.get_organization_id_batch(event)
project_id = eventhelper.get_project_id_batch(event)
common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())
# 対象となるAWSアカウント
target_aws_account = eventhelper.get_awsaccount(event)
# AWSアカウントチェック
return awssecuritychecks_logic.check_effective_awsaccount(
trace_id, target_aws_account, coop_id, role_name, external_id,
organization_id, project_id, check_history_id)
def update(trace_id,
table_name,
key,
update_attribute,
target_update_date=None,
is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
date_now = common_utils.get_current_date()
update_attribute['UpdatedAt'] = {'Value': date_now}
update_expression = 'SET '
update_expression_attribute_values = {
':UpdatedAt': update_attribute['UpdatedAt']['Value']
}
first_row = True
for update_key in update_attribute.keys():
update_value_key = ":{}".format(update_key)
update_value = " {} = {}".format(update_key, update_value_key)
if (first_row):
update_expression += update_value
first_row = False
else:
update_expression += ", {}".format(update_value)
update_expression_attribute_values[
update_value_key] = update_attribute[update_key]['Value']
condition_expression = Attr('UpdatedAt').eq(target_update_date)
try:
table = connect_dynamodb(table_name)
if target_update_date:
table.update_item(
Key=key,
ExpressionAttributeValues=update_expression_attribute_values,
UpdateExpression=update_expression,
ConditionExpression=condition_expression)
else:
table.update_item(
Key=key,
ExpressionAttributeValues=update_expression_attribute_values,
UpdateExpression=update_expression)
logger.info(table_name.value + "を正常に更新しました。")
except ClientError as e:
if retrycheck.check_retryable(e.response):
retry_exception = RetryException(cause_error=e)
logger.error(retry_exception)
logger.exception("error_id: %s", retry_exception.error_id)
raise retry_exception
else:
no_retry_exception = NoRetryException(
cause_error=e, message=e.response['Error']['Message'])
logger.error(no_retry_exception)
raise no_retry_exception
def get_role(trace_id, iam_client, role_name, is_cw_logger=False):
if (is_cw_logger):
logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
else:
logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
try:
response = iam_client.get_role(RoleName=role_name)
except ClientError as e:
raise common_utils.write_log_warning(e, logger)
return response
def check_asc_item_copy_cis_check(trace_id, check_history_id, organization_id,
project_id, aws_account, session,
result_json_path, check_cis_item):
cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
error_cis = LIST_ERROR_CIS[check_cis_item]
try:
try:
check_result_items = pm_checkResultItems.query_by_check_history_id_and_check_item_code_and_aws_account(
trace_id,
check_history_id,
check_cis_item,
aws_account,
is_cw_logger=True)
except Exception as e:
cw_logger.error("[%s] %sのチェック結果を取得できませんでした。", aws_account,
error_cis)
return CheckResult.Error
# チェック結果が「マネージド-1」だった場合は、チェック結果ファイルは作られていないのでファイル取得はスキップします。
check_result = check_result_items[0]["CheckResult"]
if check_result == CheckResult.MembersManagement:
return check_result
s3_file_name = CommonConst.PATH_CHECK_RESULT.format(
check_history_id, organization_id, project_id, aws_account,
check_cis_item + ".json")
try:
check_results_s3 = FileUtils.read_json(trace_id,
CommonConst.S3_CHECK_BUCKET,
s3_file_name,
is_cw_logger=True)
except PmError as e:
cw_logger.error("[%s] %sのチェック結果ファイルを取得できませんでした。", aws_account,
error_cis)
return CheckResult.Error
except Exception as e:
cw_logger.error("[%s] チェック処理中にエラーが発生しました。", aws_account)
return CheckResult.Error
# Export File Json
try:
FileUtils.upload_s3(trace_id,
check_results_s3,
result_json_path,
format_json=True,
is_cw_logger=True)
except Exception as e:
cw_logger.error("[%s] チェック結果JSONファイルの保存に失敗しました。", aws_account)
return CheckResult.Error
# チェック結果
return check_result
def test_check_effective_awsaccount_case_error_create_session_client(self):
# create data mock
cw_logger = common_utils.begin_cw_logger(trace_id, __name__,
inspect.currentframe())
# patch mock
patch_begin_cw_logger = patch(
"premembers.common.common_utils.begin_cw_logger")
patch_logger_warning = patch.object(CwLogAdapter, "warning")
patch_do_disable_awscoop = patch(
"premembers.check.logic.awssecuritychecks_logic.do_disable_awscoop"
)
patch_create_session_client = patch(
"premembers.common.aws_common.create_session_client")
patch_query_awscoop_coop_key = patch(
"premembers.repository.pm_awsAccountCoops.query_awscoop_coop_key")
# start mock object
mock_begin_cw_logger = patch_begin_cw_logger.start()
mock_logger_warning = patch_logger_warning.start()
mock_do_disable_awscoop = patch_do_disable_awscoop.start()
mock_create_session_client = patch_create_session_client.start()
mock_query_awscoop_coop_key = patch_query_awscoop_coop_key.start()
# mock object
mock_begin_cw_logger.return_value = cw_logger
mock_do_disable_awscoop.side_effect = None
mock_create_session_client.side_effect = PmError()
mock_query_awscoop_coop_key.side_effect = None
# addCleanup stop mock object
self.addCleanup(patch_begin_cw_logger.stop)
self.addCleanup(patch_logger_warning.stop)
self.addCleanup(patch_do_disable_awscoop.stop)
self.addCleanup(patch_create_session_client.stop)
self.addCleanup(patch_query_awscoop_coop_key.stop)
# call function test
actual_response = awssecuritychecks_logic.check_effective_awsaccount(
trace_id, aws_account, coop_id, role_name, external_id,
organization_id, project_id, check_history_id)
expect_response = {"TaskResult": "Fail"}
# check result
self.assertDictEqual(expect_response, actual_response)
# check log message warning
mock_logger_warning.assert_any_call("[%s] Credentialsを取得できませんでした。",
aws_account)
# check call function do_disable_awscoop
mock_do_disable_awscoop.assert_called_once_with(
trace_id, coop_id, aws_account)
def execute_asc_check_handler(event, context):
check_history_id = eventhelper.get_check_history_id_batch(event)
trace_id = check_history_id
aws_account = eventhelper.get_awsaccount(event)
coop_id = eventhelper.get_coop_id_batch(event)
aws_account_name = eventhelper.get_awsaccount_name_batch(event)
role_name = eventhelper.get_role_name(event)
external_id = eventhelper.get_external_id(event)
organization_id = eventhelper.get_organization_id_batch(event)
organization_name = eventhelper.get_organization_name_batch(event)
project_id = eventhelper.get_project_id_batch(event)
project_name = eventhelper.get_project_name_batch(event)
check_result_id = eventhelper.get_check_result_id_batch(event)
effective_awsaccount = eventhelper.get_effective_awsaccount(event)
common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe())
# セキュリティチェックASC実行
return awssecuritychecks_logic.execute_asc_check(
trace_id, aws_account, coop_id, aws_account_name, role_name,
external_id, organization_id, organization_name, project_id,
project_name, check_history_id, check_result_id, effective_awsaccount)