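def empty(cls, **kw):
    """Build a Config from built-in defaults, overridden by ``kw``.

    Args:
        cls: The Config class (any callable accepting the option dict).
        **kw: Explicit option overrides; they win over every default below.

    Returns:
        ``cls(d)`` where ``d`` is the merged option dict.
    """
    account_id = None
    # Only resolve the account through STS when running inside Lambda;
    # elsewhere the account is sourced by other means, so skip the
    # network round-trip.
    if 'AWS_LAMBDA_FUNCTION_NAME' in os.environ:
        try:
            import boto3
            session = boto3.Session()
            account_id = get_account_id_from_sts(session)
        except Exception:
            # Best effort: a missing boto3 or a failed STS call leaves the
            # account unset. Narrowed from a bare ``except`` so
            # KeyboardInterrupt/SystemExit still propagate.
            account_id = None
    d = {
        'region': os.environ.get('AWS_DEFAULT_REGION'),
        'cache': '',
        'profile': None,
        'account_id': account_id,
        'assume_role': None,
        'external_id': None,
        'log_group': None,
        'metrics_enabled': True,
        # Per-execution temp space unless the caller pins C7N_OUTPUT_DIR.
        'output_dir': os.environ.get(
            'C7N_OUTPUT_DIR', '/tmp/' + str(uuid.uuid4())),
        'cache_period': 0,
        'dryrun': False,
    }
    d.update(kw)
    if not os.path.exists(d['output_dir']):
        try:
            os.mkdir(d['output_dir'])
        except OSError as error:
            # Best effort: the failure is logged and config construction
            # continues with the directory missing.
            log.warning("Unable to make output directory: {}".format(error))
    return cls(d)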
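def empty(cls, **kw):
    """Build a Config from built-in defaults, overridden by ``kw``.

    Args:
        cls: The Config class (any callable accepting the option dict).
        **kw: Explicit option overrides; they win over every default below.

    Returns:
        ``cls(d)`` where ``d`` is the merged option dict.

    Raises:
        OSError: if the output directory does not exist and cannot be created.
    """
    try:
        import boto3
        session = boto3.Session()
        account_id = get_account_id_from_sts(session)
    except Exception:
        # Best effort: a missing boto3 or a failed STS call leaves the
        # account unknown. Narrowed from a bare ``except`` so
        # KeyboardInterrupt/SystemExit are not swallowed.
        account_id = None
    d = {
        'region': os.environ.get('AWS_DEFAULT_REGION'),
        'cache': '',
        'profile': None,
        'account_id': account_id,
        'assume_role': None,
        'log_group': None,
        'metrics_enabled': True,
        # Per-execution temp space unless the caller pins C7N_OUTPUT_DIR.
        'output_dir': os.environ.get(
            'C7N_OUTPUT_DIR', '/tmp/' + str(uuid.uuid4())),
        'cache_period': 0,
        'dryrun': False,
    }
    d.update(kw)
    if not os.path.exists(d['output_dir']):
        os.mkdir(d['output_dir'])
    return cls(d)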
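def dispatch_event(event, context):
    """Lambda handler: load policies from config.json and push the event to them.

    Args:
        event: The invoking event; a ``detail.errorCode`` key marks a failed
            API operation and the event is skipped.
        context: The Lambda context, handed to each policy's ``push``.

    Returns:
        ``None`` for a skipped failed operation, ``False`` when config.json
        holds no policies, ``True`` once the event has been pushed.
    """
    global account_id

    error = event.get('detail', {}).get('errorCode')
    if error:
        log.debug("Skipping failed operation: %s" % error)
        return

    # NOTE: this unconditionally forces debug on, so the full event is
    # logged at INFO on every invocation regardless of any caller-provided
    # 'debug' flag.
    event['debug'] = True
    if event['debug']:
        log.info("Processing event\n %s", format_event(event))

    # Policies file should always be valid in lambda so do loading naively
    with open('config.json') as f:
        policy_config = json.load(f)
    if not policy_config or not policy_config.get('policies'):
        return False

    # Initialize output directory, we've seen occassional perm issues with
    # lambda on temp directory and changing unix execution users, so
    # use a per execution temp space.
    output_dir = os.environ.get('C7N_OUTPUT_DIR', '/tmp/' + str(uuid.uuid4()))
    if not os.path.exists(output_dir):
        try:
            os.mkdir(output_dir)
        except OSError as error:
            log.warning("Unable to make output directory: {}".format(error))

    # TODO. This enshrines an assumption of a single policy per lambda.
    options_overrides = policy_config['policies'][0].get('mode', {}).get(
        'execution-options', {})

    # if using assume role in lambda ensure that the correct
    # execution account is captured in options. The account is the 5th
    # colon-separated field of the configured ARN, taken as-is (a malformed
    # ARN raises IndexError here).
    if 'assume_role' in options_overrides:
        account_id = options_overrides['assume_role'].split(':')[4]
    elif account_id is None:
        # Cached in the module global across warm invocations.
        session = boto3.Session()
        account_id = get_account_id_from_sts(session)

    # Historical compatibility with manually set execution options
    # previously this was a boolean, its now a string value with the
    # boolean flag triggering a string value of 'aws'. Only True maps to
    # 'aws'; an explicit False is left alone so the opt-out still disables
    # metrics (it used to be turned into 'aws' as well).
    metrics = options_overrides.get('metrics_enabled')
    if isinstance(metrics, bool) and metrics:
        options_overrides['metrics_enabled'] = 'aws'

    options_overrides['account_id'] = account_id
    if 'output_dir' not in options_overrides:
        options_overrides['output_dir'] = output_dir
    options = Config.empty(**options_overrides)

    policies = PolicyCollection.from_data(policy_config, options)
    if policies:
        for p in policies:
            p.push(event, context)
    return True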
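def init_config(policy_config):
    """Get policy lambda execution configuration.

    cli parameters are serialized into the policy lambda config, we merge
    those with any policy specific execution options.

    --assume role and -s output directory get special handling, as to
    disambiguate any cli context.

    account id is sourced from the config options or from api call.

    Args:
        policy_config: The deserialized policy file. Its top-level
            ``execution-options`` and the first policy's
            ``mode.execution-options`` are consulted; the input is left
            unmodified.

    Returns:
        A ``Config`` built by ``Config.empty`` from the merged options.

    Todo: this should get refactored out to mu.py as part of the write out of
    configuration, instead of runtime processed.
    """
    # Work on a copy so the pops and merges below do not mutate the
    # caller's policy_config.
    exec_options = dict(policy_config.get('execution-options', {}))

    # Remove some configuration options that don't make sense to translate from
    # cli to lambda automatically.
    # - assume role on cli doesn't translate, it is the default lambda role and
    #   used to provision the lambda.
    # - profile doesnt translate to lambda its `home` dir setup dependent
    # - dryrun doesn't translate (and shouldn't be present)
    # - region doesn't translate from cli (the lambda is bound to a region), and
    #   on the cli represents the region the lambda is provisioned in.
    for k in ('assume_role', 'profile', 'region', 'dryrun', 'cache'):
        exec_options.pop(k, None)

    # a cli local directory doesn't translate to lambda
    # (``or ''`` also covers an output_dir serialized as null)
    if not (exec_options.get('output_dir') or '').startswith('s3'):
        exec_options['output_dir'] = '/tmp'

    account_id = None
    # we can source account id from the cli parameters to avoid the sts call
    if exec_options.get('account_id'):
        account_id = exec_options['account_id']

    # merge with policy specific configuration
    exec_options.update(
        policy_config['policies'][0].get('mode', {}).get('execution-options', {}))

    # if using assume role in lambda ensure that the correct
    # execution account is captured in options. The account is the 5th
    # colon-separated field of the configured ARN, taken as-is rather than
    # verified against STS.
    if 'assume_role' in exec_options:
        account_id = exec_options['assume_role'].split(':')[4]
    elif account_id is None:
        session = local_session(boto3.Session)
        account_id = get_account_id_from_sts(session)
    exec_options['account_id'] = account_id

    # Historical compatibility with manually set execution options
    # previously this was a boolean, its now a string value with the
    # boolean flag triggering a string value of 'aws'
    metrics = exec_options.get('metrics_enabled')
    if isinstance(metrics, bool) and metrics:
        exec_options['metrics_enabled'] = 'aws'

    return Config.empty(**exec_options)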
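def _default_account_id(options):
    """Populate ``options.account_id`` from STS, or ``None`` on failure.

    Args:
        options: An options object. ``profile`` (when present) selects the
            boto3 profile; ``account_id`` is set as a side effect.
    """
    profile = getattr(options, 'profile', None)
    try:
        import boto3
        session = boto3.Session(profile_name=profile)
        options.account_id = get_account_id_from_sts(session)
    except Exception:
        # Best effort lookup: a missing boto3, an unknown profile or a
        # failed STS call leaves the account unknown. Narrowed from a bare
        # ``except`` so KeyboardInterrupt/SystemExit are not swallowed.
        options.account_id = None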
def init_config(policy_config):
    """Get policy lambda execution configuration.

    cli parameters are serialized into the policy lambda config, we merge
    those with any policy specific execution options.

    --assume role and -s output directory get special handling, as to
    disambiguate any cli context.

    account id is sourced from the config options or from api call and
    cached in the module-level ``account_id`` global.

    Args:
        policy_config: The deserialized policy file; its top-level
            ``execution-options`` dict is edited in place and the first
            policy's ``mode.execution-options`` merged over it.

    Returns:
        A ``Config`` built by ``Config.empty`` from the merged options.
    """
    global account_id
    exec_options = policy_config.get('execution-options', {})

    # Remove some configuration options that don't make sense to translate from
    # cli to lambda automatically.
    # - assume role on cli doesn't translate, it is the default lambda role and
    #   used to provision the lambda.
    # - profile doesnt translate to lambda its `home` dir setup dependent
    # - dryrun doesn't translate (and shouldn't be present)
    # - region doesn't translate from cli (the lambda is bound to a region), and
    #   on the cli represents the region the lambda is provisioned in.
    for key in ('assume_role', 'profile', 'region', 'dryrun', 'cache'):
        exec_options.pop(key, None)

    # a cli local directory doesn't translate to lambda
    configured_output = exec_options.get('output_dir', '')
    if not configured_output.startswith('s3'):
        exec_options['output_dir'] = get_local_output_dir()

    # we can source account id from the cli parameters to avoid the sts call
    cli_account = exec_options.get('account_id')
    if cli_account:
        account_id = cli_account

    # merge with policy specific configuration
    first_policy = policy_config['policies'][0]
    mode_options = first_policy.get('mode', {}).get('execution-options', {})
    exec_options.update(mode_options)

    # if using assume role in lambda ensure that the correct
    # execution account is captured in options (5th ARN field, as configured).
    if 'assume_role' in exec_options:
        account_id = exec_options['assume_role'].split(':')[4]
    elif account_id is None:
        account_id = get_account_id_from_sts(boto3.Session())
    exec_options['account_id'] = account_id

    # Historical compatibility with manually set execution options
    # previously this was a boolean, its now a string value with the
    # boolean flag triggering a string value of 'aws'
    if exec_options.get('metrics_enabled') is True:
        exec_options['metrics_enabled'] = 'aws'

    return Config.empty(**exec_options)
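def _default_account_id(options):
    """Populate ``options.account_id``, preferring the configured assume_role.

    The account is the 5th colon-separated field of ``options.assume_role``
    when it is set and well-formed; it is taken from configuration as-is,
    not verified against the credentials in use. Otherwise the account is
    resolved through STS on the profile session. Any failure of the lookup
    leaves ``options.account_id`` as ``None``.

    Args:
        options: An options object with an ``assume_role`` attribute;
            ``account_id`` is set as a side effect.
    """
    if options.assume_role:
        try:
            options.account_id = options.assume_role.split(':')[4]
            return
        except IndexError:
            # Malformed ARN: fall through to the STS lookup.
            pass
    try:
        session = utils.get_profile_session(options)
        options.account_id = get_account_id_from_sts(session)
    except Exception:
        # Best effort: narrowed from a bare ``except`` so
        # KeyboardInterrupt/SystemExit are not swallowed.
        options.account_id = None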
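def dispatch_event(event, context):
    """Lambda handler: load policies from config.json and push the event to them.

    Args:
        event: The invoking event; a ``detail.errorCode`` key marks a failed
            API operation and the event is skipped.
        context: The Lambda context, handed to each policy's ``push``.

    Returns:
        ``None`` for a skipped failed operation, ``False`` when config.json
        holds no policies, ``True`` once the event has been pushed.
    """
    global account_id

    error = event.get('detail', {}).get('errorCode')
    if error:
        log.debug("Skipping failed operation: %s" % error)
        return

    # NOTE: this unconditionally forces debug on, so the full event is
    # logged at INFO on every invocation regardless of any caller-provided
    # 'debug' flag.
    event['debug'] = True
    if event['debug']:
        log.info("Processing event\n %s", format_event(event))

    # policies file should always be valid in lambda so do loading naively
    with open('config.json') as f:
        policy_config = json.load(f)
    if not policy_config or not policy_config.get('policies'):
        return False

    # Initialize output directory, we've seen occassional perm issues with
    # lambda on temp directory and changing unix execution users, so
    # use a per execution temp space.
    output_dir = os.environ.get(
        'C7N_OUTPUT_DIR', '/tmp/' + str(uuid.uuid4()))
    if not os.path.exists(output_dir):
        try:
            os.mkdir(output_dir)
        except OSError as error:
            log.warning("Unable to make output directory: {}".format(error))

    # TODO. This enshrines an assumption of a single policy per lambda.
    options_overrides = policy_config[
        'policies'][0].get('mode', {}).get('execution-options', {})

    # Resolve the execution account only once it is needed, i.e. after the
    # early returns above, so a skipped event or an empty config does not
    # cost an STS round-trip. The module global caches it across warm
    # invocations.
    if account_id is None:
        session = boto3.Session()
        account_id = get_account_id_from_sts(session)
    options_overrides['account_id'] = account_id
    if 'output_dir' not in options_overrides:
        options_overrides['output_dir'] = output_dir
    options = Config.empty(**options_overrides)

    load_resources()
    policies = PolicyCollection.from_data(policy_config, options)
    if policies:
        for p in policies:
            p.push(event, context)
    return True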
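def dispatch_event(event, context):
    """Lambda handler: load policies from config.json and push the event to them.

    Args:
        event: The invoking event; a ``detail.errorCode`` key marks a failed
            API operation and the event is skipped.
        context: The Lambda context, handed to each policy's ``push``.

    Returns:
        ``None`` for a skipped failed operation, ``False`` when config.json
        holds no policies, ``True`` once the event has been pushed.
    """
    global account_id

    error = event.get('detail', {}).get('errorCode')
    if error:
        log.debug("Skipping failed operation: %s" % error)
        return

    # NOTE: this unconditionally forces debug on, so the full event is
    # logged at INFO on every invocation regardless of any caller-provided
    # 'debug' flag.
    event['debug'] = True
    if event['debug']:
        log.info("Processing event\n %s", format_event(event))

    # policies file should always be valid in lambda so do loading naively
    with open('config.json') as f:
        policy_config = json.load(f)
    if not policy_config or not policy_config.get('policies'):
        return False

    # Initialize output directory, we've seen occassional perm issues with
    # lambda on temp directory and changing unix execution users, so
    # use a per execution temp space.
    output_dir = os.environ.get('C7N_OUTPUT_DIR', '/tmp/' + str(uuid.uuid4()))
    if not os.path.exists(output_dir):
        try:
            os.mkdir(output_dir)
        except OSError as error:
            log.warning("Unable to make output directory: {}".format(error))

    # TODO. This enshrines an assumption of a single policy per lambda.
    options_overrides = policy_config['policies'][0].get('mode', {}).get(
        'execution-options', {})

    # Resolve the execution account lazily, after the early returns above,
    # so a skipped event or an empty config does not cost an STS
    # round-trip. The module global caches it across warm invocations.
    if account_id is None:
        session = boto3.Session()
        account_id = get_account_id_from_sts(session)
    options_overrides['account_id'] = account_id
    if 'output_dir' not in options_overrides:
        options_overrides['output_dir'] = output_dir
    options = Config.empty(**options_overrides)

    load_resources()
    policies = PolicyCollection.from_data(policy_config, options)
    if policies:
        for p in policies:
            p.push(event, context)
    return True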
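def empty(cls, **kw):
    """Return a Config built from defaults merged with ``kw`` overrides.

    Args:
        cls: The Config class (any callable accepting the option dict).
        **kw: Explicit option overrides; they take precedence over defaults.

    Returns:
        ``cls(d)`` where ``d`` is the merged option dict.
    """
    account_id = None
    # The STS lookup is only attempted inside Lambda (signalled by the
    # runtime's AWS_LAMBDA_FUNCTION_NAME variable).
    if 'AWS_LAMBDA_FUNCTION_NAME' in os.environ:
        try:
            import boto3
            session = boto3.Session()
            account_id = get_account_id_from_sts(session)
        except Exception:
            # Best effort; narrowed from a bare ``except`` so
            # KeyboardInterrupt/SystemExit still propagate.
            account_id = None
    d = {
        'region': os.environ.get('AWS_DEFAULT_REGION'),
        'cache': '',
        'profile': None,
        'account_id': account_id,
        'assume_role': None,
        'external_id': None,
        'log_group': None,
        'metrics_enabled': True,
        # Per-execution temp space unless the caller pins C7N_OUTPUT_DIR.
        'output_dir': os.environ.get(
            'C7N_OUTPUT_DIR', '/tmp/' + str(uuid.uuid4())),
        'cache_period': 0,
        'dryrun': False,
    }
    d.update(kw)
    if not os.path.exists(d['output_dir']):
        try:
            os.mkdir(d['output_dir'])
        except OSError as error:
            # Best effort: logged, and config construction continues.
            log.warning(
                "Unable to make output directory: {}".format(error))
    return cls(d)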
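def dispatch_event(event, context):
    """Lambda handler: load policies from config.json and push the event to them.

    Args:
        event: The invoking event; a ``detail.errorCode`` key marks a failed
            API operation and the event is skipped.
        context: The Lambda context, handed to each policy's ``push``.

    Returns:
        ``None`` for a skipped failed operation, ``False`` when config.json
        holds no policies, ``True`` once the event has been pushed.
    """
    global account_id

    error = event.get('detail', {}).get('errorCode')
    if error:
        log.debug("Skipping failed operation: %s" % error)
        return

    # NOTE: this unconditionally forces debug on, so the full event is
    # logged at INFO on every invocation regardless of any caller-provided
    # 'debug' flag.
    event['debug'] = True
    if event['debug']:
        log.info("Processing event\n %s", format_event(event))

    # Policies file should always be valid in lambda so do loading naively
    with open('config.json') as f:
        policy_config = json.load(f)
    if not policy_config or not policy_config.get('policies'):
        return False

    # Initialize output directory, we've seen occassional perm issues with
    # lambda on temp directory and changing unix execution users, so
    # use a per execution temp space.
    output_dir = os.environ.get(
        'C7N_OUTPUT_DIR', '/tmp/' + str(uuid.uuid4()))
    if not os.path.exists(output_dir):
        try:
            os.mkdir(output_dir)
        except OSError as error:
            log.warning("Unable to make output directory: {}".format(error))

    # TODO. This enshrines an assumption of a single policy per lambda.
    options_overrides = policy_config[
        'policies'][0].get('mode', {}).get('execution-options', {})

    # if using assume role in lambda ensure that the correct
    # execution account is captured in options. The account is the 5th
    # colon-separated field of the configured ARN, taken as-is (a malformed
    # ARN raises IndexError here).
    if 'assume_role' in options_overrides:
        account_id = options_overrides['assume_role'].split(':')[4]
    elif account_id is None:
        # Cached in the module global across warm invocations.
        session = boto3.Session()
        account_id = get_account_id_from_sts(session)

    # Historical compatibility with manually set execution options
    # previously this was a boolean, its now a string value with the
    # boolean flag triggering a string value of 'aws'. Only True maps to
    # 'aws'; an explicit False is left alone so the opt-out still disables
    # metrics (it used to be turned into 'aws' as well).
    metrics = options_overrides.get('metrics_enabled')
    if isinstance(metrics, bool) and metrics:
        options_overrides['metrics_enabled'] = 'aws'

    options_overrides['account_id'] = account_id
    if 'output_dir' not in options_overrides:
        options_overrides['output_dir'] = output_dir
    options = Config.empty(**options_overrides)

    policies = PolicyCollection.from_data(policy_config, options)
    if policies:
        for p in policies:
            p.push(event, context)
    return True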
from c7n.policy import PolicyCollection
from c7n.resources import load_resources
from c7n.utils import format_event, get_account_id_from_sts
from c7n.config import Config

# Module-level logging setup: the root logger is put at DEBUG for the
# whole process, with botocore quietened to WARNING.
logging.root.setLevel(logging.DEBUG)
logging.getLogger('botocore').setLevel(logging.WARNING)
log = logging.getLogger('custodian.lambda')

# Execution account, resolved once at import time (i.e. during the Lambda
# module load) so warm invocations reuse it. Any failure of the import or
# the STS call leaves it as None.
account_id = None
try:
    import boto3
    session = boto3.Session()
    account_id = get_account_id_from_sts(session)
except Exception:
    pass


def dispatch_event(event, context):
    """Lambda handler for an incoming event.

    Only the beginning of the handler is visible in this excerpt: a
    ``detail.errorCode`` key marks a failed API operation and the event is
    skipped; otherwise the event is logged in full at INFO.

    Args:
        event: The invoking event dict.
        context: The Lambda context.
    """
    error = event.get('detail', {}).get('errorCode')
    if error:
        log.debug("Skipping failed operation: %s" % error)
        return
    # NOTE: this unconditionally forces debug on, so the full event is
    # logged at INFO on every invocation regardless of any caller-provided
    # 'debug' flag.
    event['debug'] = True
    if event['debug']:
        log.info("Processing event\n %s", format_event(event))