 def test_asg_state(self):
     """An asg-instance-state mode resolves a single id from an ASG launch-failure event."""
     failure_event = event_data('event-asg-instance-failed.json')
     mode = {
         'type': 'asg-instance-state',
         'events': ['EC2 Instance Launch Unsuccessful'],
     }
     ids = CloudWatchEvents.get_ids(failure_event, mode)
     self.assertEqual(ids, ['CustodianTest'])
    def test_get_ids_multiple_events(self):
        """get_ids walks a list of event specs and returns ids from the one that matches.

        The specs are ordered so that a wrong event name, a wrong source and a
        selector that resolves nothing come first; the expected ids presumably
        come from the fourth entry, and a trailing entry without a leaf selector
        checks the scan does not run off the end once ids were found.
        """
        detail = event_data('event-cloud-trail-run-instances.json')
        detail['eventName'] = 'StartInstances'

        def spec(source, event, ids):
            return {'source': source, 'event': event, 'ids': ids}

        candidates = [
            # wrong event name
            spec('ec2.amazonaws.com', 'CreateTags',
                 'requestParameters.resourcesSet.items[].resourceId'),
            # wrong event source
            spec('ecs.amazonaws.com', 'StartInstances',
                 'responseElements.instancesSet.items'),
            # matches no resource ids
            spec('ec2.amazonaws.com', 'StartInstances',
                 'responseElements.instancesSet2.items[].instanceId'),
            # correct
            spec('ec2.amazonaws.com', 'StartInstances',
                 'responseElements.instancesSet.items[].instanceId'),
            # we don't fall off the end
            spec('ec2.amazonaws.com', 'StartInstances',
                 'responseElements.instancesSet.items[]'),
        ]
        mode = {'type': 'cloudtrail', 'events': candidates}
        found = CloudWatchEvents.get_ids({'detail': detail}, mode)
        self.assertEqual(found, ['i-784cdacd', u'i-7b4cdace'])
    def test_auto_tag_creator(self):
        """auto-tag-user tags the creator on RunInstances and leaves an existing tag alone.

        First push: the launched instance ends up with Owner=c7nbot. After the
        tag is changed to Bob out of band, a second push of the same policy
        must not overwrite it.
        """
        session_factory = self.replay_flight_data('test_ec2_autotag_creator')

        def auto_tag_policy():
            # a fresh dict per call so the two load_policy calls are independent
            return {
                'name': 'ec2-auto-tag',
                'resource': 'ec2',
                'mode': {'type': 'cloudtrail', 'events': ['RunInstances']},
                'actions': [{'type': 'auto-tag-user', 'tag': 'Owner'}],
            }

        def owner_tag(session, instance_id):
            found = query_instances(session, InstanceIds=[instance_id])
            return {t['Key']: t['Value'] for t in found[0]['Tags']}['Owner']

        policy = self.load_policy(
            auto_tag_policy(), session_factory=session_factory)
        event = {
            'detail': event_data('event-cloud-trail-run-instance-creator.json'),
            'debug': True,
        }
        resources = policy.push(event, None)
        self.assertEqual(len(resources), 1)
        instance_id = resources[0]['InstanceId']

        # Verify tag added
        session = session_factory()
        self.assertEqual(owner_tag(session, instance_id), 'c7nbot')

        # Verify we don't overwrite extant
        session.client('ec2').create_tags(
            Resources=[instance_id],
            Tags=[{'Key': 'Owner', 'Value': 'Bob'}])

        policy = self.load_policy(
            auto_tag_policy(), session_factory=session_factory)
        resources = policy.push(event, None)
        self.assertEqual(
            owner_tag(session, resources[0]['InstanceId']), 'Bob')
 def test_asg_state(self):
     """get_ids with an asg-instance-state mode returns one id for the recorded launch failure."""
     mode = {'type': 'asg-instance-state',
             'events': ['EC2 Instance Launch Unsuccessful']}
     resolved = CloudWatchEvents.get_ids(
         event_data('event-asg-instance-failed.json'), mode)
     self.assertEqual(resolved, ['CustodianTest'])
    def test_auto_tag_assumed(self):
        """auto-tag-user with update=True works for an event recorded under an assumed role.

        The resource snapshot returned by push still shows Owner=Bob, while
        the instance queried afterwards reports Owner=Radiant, i.e. the tag
        was updated in place.
        """
        session_factory = self.replay_flight_data('test_ec2_autotag_assumed')
        policy_data = {
            'name': 'ec2-auto-tag',
            'resource': 'ec2',
            'mode': {'type': 'cloudtrail', 'events': ['RunInstances']},
            'actions': [
                {'type': 'auto-tag-user', 'update': True, 'tag': 'Owner'}],
        }
        policy = self.load_policy(policy_data, session_factory=session_factory)

        detail = event_data(
            'event-cloud-trail-run-instance-creator-assumed.json')
        resources = policy.push({'detail': detail, 'debug': True}, None)
        self.assertEqual(len(resources), 1)

        def owner_of(tag_list):
            return {t['Key']: t['Value'] for t in tag_list}['Owner']

        self.assertEqual(owner_of(resources[0]['Tags']), 'Bob')

        instances = query_instances(
            session_factory(), InstanceIds=[resources[0]['InstanceId']])
        self.assertEqual(owner_of(instances[0]['Tags']), 'Radiant')
    def test_auto_tag_assumed(self):
        """Assumed-role RunInstances event: auto-tag-user with update=True rewrites Owner.

        push() returns a resource still tagged Owner=Bob; re-querying the
        instance afterwards shows Owner=Radiant.
        """
        session_factory = self.replay_flight_data('test_ec2_autotag_assumed')
        action = {'type': 'auto-tag-user', 'update': True, 'tag': 'Owner'}
        policy = self.load_policy(
            {
                'name': 'ec2-auto-tag',
                'resource': 'ec2',
                'mode': {'type': 'cloudtrail', 'events': ['RunInstances']},
                'actions': [action],
            },
            session_factory=session_factory)

        event = {
            'detail': event_data(
                'event-cloud-trail-run-instance-creator-assumed.json'),
            'debug': True,
        }
        resources = policy.push(event, None)
        self.assertEqual(len(resources), 1)
        resource = resources[0]

        snapshot_tags = dict((t['Key'], t['Value']) for t in resource['Tags'])
        self.assertEqual(snapshot_tags['Owner'], 'Bob')

        session = session_factory()
        instance = query_instances(
            session, InstanceIds=[resource['InstanceId']])[0]
        live_tags = dict((t['Key'], t['Value']) for t in instance['Tags'])
        self.assertEqual(live_tags['Owner'], 'Radiant')
 def test_get_ids(self):
     """A bare 'RunInstances' event name in cloudtrail mode resolves both instance ids."""
     detail = event_data('event-cloud-trail-run-instances.json')
     mode = {'type': 'cloudtrail', 'events': ['RunInstances']}
     ids = CloudWatchEvents.get_ids({'detail': detail}, mode)
     self.assertEqual(ids, ['i-784cdacd', u'i-7b4cdace'])
 def test_event_filter(self):
     """The 'event' filter matches a key path against the event and passes resources through otherwise."""
     manager = Bag(data={'mode': []})
     spec = {'type': 'event', 'key': 'detail.state', 'value': 'pending'}
     event_filter = filters.factory(spec, manager)

     state_event = event_data('event-instance-state.json')
     self.assertTrue(event_filter.process([instance()], state_event))
     # event is None
     self.assertEqual(event_filter.process('resources'), 'resources')
     # event is not None, but is not "true" either
     self.assertEqual(event_filter.process('resources', []), [])
 def test_custom_event(self):
     """A fully specified event entry (source/event/ids) resolves ids for a renamed event."""
     payload = {'detail': event_data('event-cloud-trail-run-instances.json')}
     payload['detail']['eventName'] = 'StartInstances'
     custom_spec = {
         'event': 'StartInstances',
         'ids': 'responseElements.instancesSet.items[].instanceId',
         'source': 'ec2.amazonaws.com',
     }
     mode = {'type': 'cloudtrail', 'events': [custom_spec]}
     ids = CloudWatchEvents.get_ids(payload, mode)
     self.assertEqual(ids, ['i-784cdacd', u'i-7b4cdace'])
    def test_get_ids_multiple_events(self):
        """get_ids picks the matching spec out of several and does not run past it.

        Earlier specs are rejected for a wrong event name, a wrong source, or a
        selector that resolves no ids; the last spec (no leaf selector) only
        checks that scanning stops once ids were found.
        """
        detail = event_data('event-cloud-trail-run-instances.json')
        detail['eventName'] = 'StartInstances'

        ec2, ecs = 'ec2.amazonaws.com', 'ecs.amazonaws.com'
        start = 'StartInstances'
        specs = [
            # wrong event name
            {'source': ec2, 'event': 'CreateTags',
             'ids': 'requestParameters.resourcesSet.items[].resourceId'},
            # wrong event source
            {'source': ecs, 'event': start,
             'ids': 'responseElements.instancesSet.items'},
            # matches no resource ids
            {'source': ec2, 'event': start,
             'ids': 'responseElements.instancesSet2.items[].instanceId'},
            # correct
            {'source': ec2, 'event': start,
             'ids': 'responseElements.instancesSet.items[].instanceId'},
            # we don't fall off the end
            {'source': ec2, 'event': start,
             'ids': 'responseElements.instancesSet.items[]'},
        ]

        resolved = CloudWatchEvents.get_ids(
            {'detail': detail}, {'type': 'cloudtrail', 'events': specs})
        self.assertEqual(resolved, ['i-784cdacd', u'i-7b4cdace'])
 def test_config_rule_evaluation(self):
     """Running a config-rule mode over a recorded evaluation event yields the filtered instance."""
     session_factory = self.replay_flight_data('test_config_rule_evaluate')
     policy_data = {
         'resource': 'ec2',
         'name': 'ec2-modified',
         'mode': {'type': 'config-rule'},
         'filters': [{'InstanceId': 'i-094bc87c84d56c589'}],
     }
     policy = self.load_policy(policy_data, session_factory=session_factory)
     execution_mode = policy.get_execution_mode()
     matched = execution_mode.run(
         event_data('event-config-rule-instance.json'), None)
     self.assertEqual(len(matched), 1)
 def test_config_rule_evaluation(self):
     """config-rule mode: one resource comes back for the instance id the filter names."""
     session_factory = self.replay_flight_data('test_config_rule_evaluate')
     instance_filter = {'InstanceId': 'i-094bc87c84d56c589'}
     policy = self.load_policy(
         {
             'resource': 'ec2',
             'name': 'ec2-modified',
             'mode': {'type': 'config-rule'},
             'filters': [instance_filter],
         },
         session_factory=session_factory)
     evaluation = event_data('event-config-rule-instance.json')
     results = policy.get_execution_mode().run(evaluation, None)
     self.assertEqual(1, len(results))
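    def test_create_bucket_event(self):
        """A CreateBucket CloudTrail event drives the encryption-policy action onto the new bucket.

        Bucket augmentation is narrowed to get_bucket_policy and the executor is
        forced onto the main thread (presumably to keep the recorded flight
        data replay deterministic). The recorded event is pushed through the
        policy and the bucket policy it installs is compared with the expected
        Deny-unless-encrypted statement.
        """
        self.patch(s3, 'S3_AUGMENT_TABLE', [
            ('get_bucket_policy', 'Policy', None, 'Policy'),
        ])
        self.patch(s3.S3, 'executor_factory', MainThreadExecutor)
        session_factory = self.replay_flight_data('test_s3_create')
        bname = 'custodian-create-bucket-v4'
        session = session_factory()
        client = session.client('s3')

        client.create_bucket(Bucket=bname)
        # Registered immediately after creation so the bucket is torn down
        # even when an assertion below fails.
        self.addCleanup(destroyBucket, client, bname)

        p = self.load_policy(
            {
                'name': 'bucket-create-v2',
                'resource': 's3',
                'mode': {
                    'type': 'cloudtrail',
                    'role': 'arn:aws:iam::619193117841:role/CustodianDemoRole',
                    'events': ['CreateBucket'],
                },
                'actions': ['encryption-policy']
            },
            session_factory=session_factory)
        p.push(event_data('event-cloud-trail-create-bucket.json'), None)

        try:
            result = client.get_bucket_policy(Bucket=bname)
        except Exception as exc:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit and dropped the underlying error from the report.
            self.fail("Could not get bucket policy: %s" % exc)

        self.assertIn('Policy', result)
        policy = json.loads(result['Policy'])
        # The action must deny PutObject unless the request carries a
        # server-side-encryption header of AES256 or aws:kms.
        expected = {
            u'Statement': [{
                u'Action': u's3:PutObject',
                u'Condition': {
                    u'StringNotEquals': {
                        u's3:x-amz-server-side-encryption':
                        [u'AES256', u'aws:kms']
                    }
                },
                u'Effect': u'Deny',
                u'Principal': u'*',
                u'Resource': u'arn:aws:s3:::custodian-create-bucket-v4/*',
                u'Sid': u'RequireEncryptedPutObject'
            }],
            u'Version':
            u'2012-10-17'
        }
        self.assertEqual(policy, expected)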
 def test_event_filter(self):
     """An 'event' filter with key detail.state/value pending accepts the recorded pending event.

     Without an event, or with a falsy one, the resources are returned untouched.
     """
     resource_manager = Bag(data={'mode': []})
     pending_event = event_data('event-instance-state.json')
     config = {
         'type': 'event',
         'key': 'detail.state',
         'value': 'pending',
     }
     flt = filters.factory(config, resource_manager)

     self.assertTrue(flt.process([instance()], pending_event))
     # event is None
     self.assertEqual(flt.process('resources'), 'resources')
     # event is not None, but is not "true" either
     self.assertEqual(flt.process('resources', []), [])
 def test_custom_event(self):
     """An explicit source/event/ids entry resolves instance ids after the event name is rewritten."""
     event = {'detail': event_data('event-cloud-trail-run-instances.json')}
     event['detail']['eventName'] = 'StartInstances'

     id_selector = 'responseElements.instancesSet.items[].instanceId'
     mode = {
         'type': 'cloudtrail',
         'events': [{
             'event': 'StartInstances',
             'ids': id_selector,
             'source': 'ec2.amazonaws.com',
         }],
     }
     self.assertEqual(
         CloudWatchEvents.get_ids(event, mode),
         ['i-784cdacd', u'i-7b4cdace'])
    def test_auto_tag_creator(self):
        """auto-tag-user sets Owner on the launched instance and does not clobber a later value.

        After the first push Owner is c7nbot; the tag is then set to Bob
        directly via the EC2 client, and a second push of the same policy
        leaves Bob in place.
        """
        session_factory = self.replay_flight_data('test_ec2_autotag_creator')
        policy_data = {
            'name': 'ec2-auto-tag',
            'resource': 'ec2',
            'mode': {'type': 'cloudtrail', 'events': ['RunInstances']},
            'actions': [{'type': 'auto-tag-user', 'tag': 'Owner'}],
        }
        policy = self.load_policy(
            dict(policy_data), session_factory=session_factory)

        event = {
            'detail': event_data('event-cloud-trail-run-instance-creator.json'),
            'debug': True,
        }
        resources = policy.push(event, None)
        self.assertEqual(len(resources), 1)

        def tags_for(session, instance_id):
            found = query_instances(session, InstanceIds=[instance_id])
            return dict((t['Key'], t['Value']) for t in found[0]['Tags'])

        # Verify tag added
        session = session_factory()
        self.assertEqual(
            tags_for(session, resources[0]['InstanceId'])['Owner'], 'c7nbot')

        # Verify we don't overwrite extant
        client = session.client('ec2')
        client.create_tags(
            Resources=[resources[0]['InstanceId']],
            Tags=[{'Key': 'Owner', 'Value': 'Bob'}])

        policy = self.load_policy(
            dict(policy_data), session_factory=session_factory)
        resources = policy.push(event, None)
        self.assertEqual(
            tags_for(session, resources[0]['InstanceId'])['Owner'], 'Bob')
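    def test_create_bucket_event(self):
        """The encryption-policy action, triggered by a CreateBucket event, installs a Deny-unless-SSE policy.

        Augmentation is limited to get_bucket_policy and the executor pinned to
        the main thread (presumably so the flight-data replay stays
        deterministic); the new bucket is registered for cleanup before the
        policy is pushed.
        """
        self.patch(s3, 'S3_AUGMENT_TABLE', [
            ('get_bucket_policy',  'Policy', None, 'Policy'),
        ])
        self.patch(s3.S3, 'executor_factory', MainThreadExecutor)
        session_factory = self.replay_flight_data('test_s3_create')
        bname = 'custodian-create-bucket-v4'
        session = session_factory()
        client = session.client('s3')

        client.create_bucket(Bucket=bname)
        # Cleanup is registered right away so a failing assertion still
        # removes the bucket.
        self.addCleanup(destroyBucket, client, bname)

        p = self.load_policy({
            'name': 'bucket-create-v2',
            'resource': 's3',
            'mode': {
                'type': 'cloudtrail',
                'role': 'arn:aws:iam::619193117841:role/CustodianDemoRole',
                'events': ['CreateBucket'],
                },
            'actions': [
                'encryption-policy']}, session_factory=session_factory)
        p.push(event_data('event-cloud-trail-create-bucket.json'), None)

        try:
            result = client.get_bucket_policy(Bucket=bname)
        except Exception as exc:
            # Narrowed from a bare `except:` (which also caught
            # KeyboardInterrupt/SystemExit); the cause is now part of the
            # failure message instead of being discarded.
            self.fail("Could not get bucket policy: %s" % exc)

        self.assertIn('Policy', result)
        policy = json.loads(result['Policy'])
        # PutObject must be denied unless the request specifies AES256 or
        # aws:kms server-side encryption.
        expected = {
            u'Statement': [
                {u'Action': u's3:PutObject',
                 u'Condition': {
                     u'StringNotEquals': {
                         u's3:x-amz-server-side-encryption': [
                             u'AES256',
                             u'aws:kms']}},
                 u'Effect': u'Deny',
                 u'Principal': u'*',
                 u'Resource': u'arn:aws:s3:::custodian-create-bucket-v4/*',
                 u'Sid': u'RequireEncryptedPutObject'}],
            u'Version': u'2012-10-17'}
        self.assertEqual(policy, expected)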
 def test_cloud_trail_resource(self):
     """match() on a CloudTrail S3 event returns the source and a compiled bucket-name selector."""
     matched = CloudWatchEvents.match(event_data('event-cloud-trail-s3.json'))
     expected = {
         'source': 's3.amazonaws.com',
         'ids': jmespath.compile('detail.requestParameters.bucketName'),
     }
     self.assertEqual(matched, expected)
 def test_non_cloud_trail_event(self):
     """Instance-state and scheduled events are not recognised by match()."""
     fixtures = ('event-instance-state.json', 'event-scheduled.json')
     for fixture in fixtures:
         self.assertFalse(CloudWatchEvents.match(event_data(fixture)))
 def test_non_cloud_trail_event(self):
     """match() returns a falsy value for events that are not CloudTrail events."""
     non_trail = ['event-instance-state.json', 'event-scheduled.json']
     results = [CloudWatchEvents.match(event_data(name)) for name in non_trail]
     for result in results:
         self.assertFalse(result)
 def test_ec2_state(self):
     """An ec2-instance-state mode pulls the instance id out of an instance-state event."""
     state_event = event_data('event-instance-state.json')
     ids = CloudWatchEvents.get_ids(state_event, {'type': 'ec2-instance-state'})
     self.assertEqual(ids, ['i-a2d74f12'])
 def test_cloud_trail_resource(self):
     """A CloudTrail S3 event matches to its source plus a compiled id expression."""
     s3_event = event_data('event-cloud-trail-s3.json')
     id_expr = jmespath.compile('detail.requestParameters.bucketName')
     self.assertEqual(
         CloudWatchEvents.match(s3_event),
         {'source': 's3.amazonaws.com', 'ids': id_expr})
 def test_get_ids(self):
     """cloudtrail mode with the 'RunInstances' event name yields both launched instance ids."""
     wrapped = {'detail': event_data('event-cloud-trail-run-instances.json')}
     resolved = CloudWatchEvents.get_ids(
         wrapped, {'type': 'cloudtrail', 'events': ['RunInstances']})
     self.assertEqual(['i-784cdacd', u'i-7b4cdace'], resolved)
 def test_ec2_state(self):
     """get_ids in ec2-instance-state mode returns the single instance id from the recorded event."""
     mode = {'type': 'ec2-instance-state'}
     resolved = CloudWatchEvents.get_ids(
         event_data('event-instance-state.json'), mode)
     self.assertEqual(['i-a2d74f12'], resolved)