Exemplo n.º 1
0
 def __call__(self, logger, account):
     try:
         sts = STS(logger)
         role_arn = "arn:aws:iam::" + str(account) + ":role/AWSControlTowerExecution"
         session_name = "custom-control-tower-role"
         # assume role
         credentials = sts.assume_role(role_arn, session_name)
         return credentials
     except Exception as e:
         message = {'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__,
                    'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e)}
         logger.exception(message)
         raise
Exemplo n.º 2
0
 def assume_role(self, account):
     try:
         sts = STS(self.logger)
         role_arn = "arn:aws:iam::" + str(account) + ":role/AWSCloudFormationStackSetExecutionRole"
         session_name = "update-vpc_peering_role"
         # assume role
         credentials = sts.assume_role(role_arn, session_name)
         return credentials
     except Exception as e:
         message = {'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__,
                    'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e)}
         self.logger.exception(message)
         raise
 def __call__(self, logger, account):
     try:
         sts = STS(logger)
         role_name = "TransitNetworkExecutionRole"
         role_arn = "arn:aws:iam::" + str(
             account) + ":role/" + role_name + "-" + get_region()
         session_name = "transit-network-role"
         # assume role
         credentials = sts.assume_role(role_arn, session_name)
         return credentials
     except Exception as e:
         message = {
             'FILE': __file__.split('/')[-1],
             'CLASS': self.__class__.__name__,
             'METHOD': inspect.stack()[0][3],
             'EXCEPTION': str(e)
         }
         logger.exception(message)
         raise
    def member_expunge_default_vpc(self, accounts, region):
        # instantiate STS class
        sts = STS(self.logger)

        # iterate through all the members in the list
        for account in accounts:
            #role_arn = "arn:aws:iam::" + str(account) + ":role/AWSCloudFormationStackSetExecutionRole"
            role_arn = "arn:aws:iam::" + str(account) + ":role/pac-devops"
            session_name = "expunge_default_vpc_role"
            # assume role
            credentials = sts.assume_role(role_arn, session_name)
            self.logger.info("Assuming IAM role: {}".format(role_arn))

            # instantiate EC2 class using temporary security credentials
            self.logger.debug("Creating EC2 Session in {} for account: {}".format(region, account))
            ec2 = EC2(self.logger, region, credentials=credentials)

            if type(credentials) == dict:
                response = ec2.describe_vpcs()
                self.logger.info(response)
                if not response.get('Vpcs'):
                    self.logger.info(
                        "There is no default VPC to delete in {} (member account: {}).".format(region, account))
                else:
                    for vpc in response.get('Vpcs'):
                        vpc_id = vpc.get('VpcId')
                        default = True if vpc.get('IsDefault') is True else False
                        if default:
                            self.logger.info("Found the default VPC: {}".format(vpc_id))

                            # Delete dependencies (calling method)
                            self.logger.info(
                                "Deleting dependencies for member account ID: {} in {}".format(account, region))
                            self.delete_vpc_dependencies(ec2, region, vpc_id)

                            # Delete VPC
                            self.logger.info(
                                "Deleting VPC: {} in member account ID: {} in {}".format(vpc_id, account, region))
                            self.logger.info(ec2.delete_vpc(vpc_id))
                        else:
                            self.logger.info("{} is not the default VPC, skipping...".format(vpc_id))
            else:
                self.logger.error("Unable to obtain credentials")
    def member_expunge_default_vpc(self, accounts, region):
        # instantiate STS class
        sts = STS(self.logger)

        # iterate through all the members in the list
        for account in accounts:

            # instantiate EC2 class using temporary security credentials
            self.logger.debug(
                "Creating EC2 Session in {} for account: {}".format(
                    region, account))
            ec2 = self._session(region, account)

            # Describe VPCs
            response = ec2.describe_vpcs()
            self.logger.info(response)
            if not response.get('Vpcs'):
                self.logger.info(
                    "There is no default VPC to delete in {} (member account: {})."
                    .format(region, account))
            else:
                for vpc in response.get('Vpcs'):
                    vpc_id = vpc.get('VpcId')
                    default = True if vpc.get('IsDefault') is True else False
                    if default:
                        self.logger.info(
                            "Found the default VPC: {}".format(vpc_id))

                        # Delete dependencies (calling method)
                        self.logger.info(
                            "Deleting dependencies for member account ID: {} in {}"
                            .format(account, region))
                        self.delete_vpc_dependencies(ec2, region, vpc_id)

                        # Delete VPC
                        self.logger.info(
                            "Deleting VPC: {} in member account ID: {} in {}".
                            format(vpc_id, account, region))
                        self.logger.info(ec2.delete_vpc(vpc_id))
                    else:
                        self.logger.info(
                            "{} is not the default VPC, skipping...".format(
                                vpc_id))
    def create_key_pair(self, account, region, param_key_material=None, param_key_fingerprint=None, param_key_name=None):

        if param_key_name:
            self.logger.info("Looking up values in SSM parameter:{}".format(param_key_name))
            existing_param = self.ssm.describe_parameters(param_key_name)

            if existing_param:
                return self.ssm.get_parameter(param_key_name)

        sts = STS(self.logger)
        key_name = sanitize("%s_%s_%s_%s" % ('lz', account, region, time.strftime("%Y-%m-%dT%H-%M-%S")))

        try:
            ec2 = self._session(region, account)
            # create EC2 key pair in member account
            self.logger.info("Create key pair in the member account {} in region: {}".format(account, region))
            response = ec2.create_key_pair(key_name)

            # add key material and fingerprint in the SSM Parameter Store
            self.logger.info("Adding Key Material and Fingerprint to SSM PS")
            description = "Contains EC2 key pair asset created by Landing Zone Solution: " \
                          "EC2 Key Pair Custom Resource."
            # Get Landing Zone KMS Key ID
            key_id = self._get_kms_key_id()
            if param_key_fingerprint:
                self.ssm.put_parameter_use_cmk(param_key_fingerprint, response.get('KeyFingerprint'),
                                               key_id, description)
            if param_key_material:
                self.ssm.put_parameter_use_cmk(param_key_material, response.get('KeyMaterial'),
                                               key_id, description)
            if param_key_name:
                self.ssm.put_parameter(param_key_name, key_name, description)

            return key_name
        except Exception as e:
            message = {'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__,
                       'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e)}
            self.logger.exception(message)
            raise
    def create_key_pair(self,
                        account,
                        region,
                        param_key_material=None,
                        param_key_fingerprint=None,
                        param_key_name=None):

        if param_key_name:
            self.logger.info(
                "Looking up values in SSM parameter:{}".format(param_key_name))
            existing_param = self.ssm.describe_parameters(param_key_name)

            if existing_param:
                return self.ssm.get_parameter(param_key_name)

        sts = STS(self.logger)
        key_name = sanitize(
            "%s_%s_%s_%s" %
            ('lz', account, region, time.strftime("%Y-%m-%dT%H-%M-%S")))

        try:
            role_arn = "arn:aws:iam::" + str(
                account) + ":role/AWSCloudFormationStackSetExecutionRole"
            session_name = "create_key_pair_role"
            # assume role
            credentials = sts.assume_role(role_arn, session_name)
            self.logger.info("Assuming IAM role: {}".format(role_arn))

            # instantiate EC2 class
            self.logger.debug(
                "Creating EC2 Session in {} for account: {}".format(
                    region, account))
            ec2 = EC2(self.logger, region, credentials=credentials)

            if type(credentials) == dict:
                # create EC2 key pair in member account
                self.logger.info(
                    "Create key pair in the member account {} in region: {}".
                    format(account, region))
                response = ec2.create_key_pair(key_name)
                self.logger.debug(response)

                # add key material and fingerprint in the SSM Parameter Store
                self.logger.info(
                    "Adding Key Material and Fingerprint to SSM PS")
                description = "Contains EC2 key pair asset created by Landing Zone Solution: " \
                              "EC2 Key Pair Custom Resource."
                # Get Landing Zone KMS Key ID
                key_id = self._get_kms_key_id()
                if param_key_fingerprint:
                    self.ssm.put_parameter_use_cmk(
                        param_key_fingerprint, response.get('KeyFingerprint'),
                        key_id, description)
                if param_key_material:
                    self.ssm.put_parameter_use_cmk(param_key_material,
                                                   response.get('KeyMaterial'),
                                                   key_id, description)
                if param_key_name:
                    self.ssm.put_parameter(param_key_name, key_name,
                                           description)

                return key_name
            else:
                self.logger.error("Unable to obtain credentials.")
        except Exception as e:
            message = {
                'FILE': __file__.split('/')[-1],
                'CLASS': self.__class__.__name__,
                'METHOD': inspect.stack()[0][3],
                'EXCEPTION': str(e)
            }
            self.logger.exception(message)
            raise