def __call__(self, logger, account):
try:
sts = STS(logger)
role_arn = "arn:aws:iam::" + str(account) + ":role/AWSControlTowerExecution"
session_name = "custom-control-tower-role"
# assume role
credentials = sts.assume_role(role_arn, session_name)
return credentials
except Exception as e:
message = {'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__,
'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e)}
logger.exception(message)
raise
def assume_role(self, account):
try:
sts = STS(self.logger)
role_arn = "arn:aws:iam::" + str(account) + ":role/AWSCloudFormationStackSetExecutionRole"
session_name = "update-vpc_peering_role"
# assume role
credentials = sts.assume_role(role_arn, session_name)
return credentials
except Exception as e:
message = {'FILE': __file__.split('/')[-1], 'CLASS': self.__class__.__name__,
'METHOD': inspect.stack()[0][3], 'EXCEPTION': str(e)}
self.logger.exception(message)
raise
def __call__(self, logger, account):
try:
sts = STS(logger)
role_name = "TransitNetworkExecutionRole"
role_arn = "arn:aws:iam::" + str(
account) + ":role/" + role_name + "-" + get_region()
session_name = "transit-network-role"
# assume role
credentials = sts.assume_role(role_arn, session_name)
return credentials
except Exception as e:
message = {
'FILE': __file__.split('/')[-1],
'CLASS': self.__class__.__name__,
'METHOD': inspect.stack()[0][3],
'EXCEPTION': str(e)
}
logger.exception(message)
raise
def member_expunge_default_vpc(self, accounts, region):
# instantiate STS class
sts = STS(self.logger)
# iterate through all the members in the list
for account in accounts:
#role_arn = "arn:aws:iam::" + str(account) + ":role/AWSCloudFormationStackSetExecutionRole"
role_arn = "arn:aws:iam::" + str(account) + ":role/pac-devops"
session_name = "expunge_default_vpc_role"
# assume role
credentials = sts.assume_role(role_arn, session_name)
self.logger.info("Assuming IAM role: {}".format(role_arn))
# instantiate EC2 class using temporary security credentials
self.logger.debug("Creating EC2 Session in {} for account: {}".format(region, account))
ec2 = EC2(self.logger, region, credentials=credentials)
if type(credentials) == dict:
response = ec2.describe_vpcs()
self.logger.info(response)
if not response.get('Vpcs'):
self.logger.info(
"There is no default VPC to delete in {} (member account: {}).".format(region, account))
else:
for vpc in response.get('Vpcs'):
vpc_id = vpc.get('VpcId')
default = True if vpc.get('IsDefault') is True else False
if default:
self.logger.info("Found the default VPC: {}".format(vpc_id))
# Delete dependencies (calling method)
self.logger.info(
"Deleting dependencies for member account ID: {} in {}".format(account, region))
self.delete_vpc_dependencies(ec2, region, vpc_id)
# Delete VPC
self.logger.info(
"Deleting VPC: {} in member account ID: {} in {}".format(vpc_id, account, region))
self.logger.info(ec2.delete_vpc(vpc_id))
else:
self.logger.info("{} is not the default VPC, skipping...".format(vpc_id))
else:
self.logger.error("Unable to obtain credentials")
def create_key_pair(self,
account,
region,
param_key_material=None,
param_key_fingerprint=None,
param_key_name=None):
if param_key_name:
self.logger.info(
"Looking up values in SSM parameter:{}".format(param_key_name))
existing_param = self.ssm.describe_parameters(param_key_name)
if existing_param:
return self.ssm.get_parameter(param_key_name)
sts = STS(self.logger)
key_name = sanitize(
"%s_%s_%s_%s" %
('lz', account, region, time.strftime("%Y-%m-%dT%H-%M-%S")))
try:
role_arn = "arn:aws:iam::" + str(
account) + ":role/AWSCloudFormationStackSetExecutionRole"
session_name = "create_key_pair_role"
# assume role
credentials = sts.assume_role(role_arn, session_name)
self.logger.info("Assuming IAM role: {}".format(role_arn))
# instantiate EC2 class
self.logger.debug(
"Creating EC2 Session in {} for account: {}".format(
region, account))
ec2 = EC2(self.logger, region, credentials=credentials)
if type(credentials) == dict:
# create EC2 key pair in member account
self.logger.info(
"Create key pair in the member account {} in region: {}".
format(account, region))
response = ec2.create_key_pair(key_name)
self.logger.debug(response)
# add key material and fingerprint in the SSM Parameter Store
self.logger.info(
"Adding Key Material and Fingerprint to SSM PS")
description = "Contains EC2 key pair asset created by Landing Zone Solution: " \
"EC2 Key Pair Custom Resource."
# Get Landing Zone KMS Key ID
key_id = self._get_kms_key_id()
if param_key_fingerprint:
self.ssm.put_parameter_use_cmk(
param_key_fingerprint, response.get('KeyFingerprint'),
key_id, description)
if param_key_material:
self.ssm.put_parameter_use_cmk(param_key_material,
response.get('KeyMaterial'),
key_id, description)
if param_key_name:
self.ssm.put_parameter(param_key_name, key_name,
description)
return key_name
else:
self.logger.error("Unable to obtain credentials.")
except Exception as e:
message = {
'FILE': __file__.split('/')[-1],
'CLASS': self.__class__.__name__,
'METHOD': inspect.stack()[0][3],
'EXCEPTION': str(e)
}
self.logger.exception(message)
raise