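def process(self, resources, event=None):
    """Filter resources by whether every prefix-list CIDR is allowed in their entries.

    The CIDRs come from ``ec2.describe_prefix_lists`` (``PrefixLists[].Cidrs[]``).
    For each resource every dict in ``r['Entries']`` (``Egress``, ``CidrBlock``,
    ``RuleAction``) is checked against every prefix-list CIDR.

    Policy keys read from ``self.data``:
        egress   (default True)  consider entries with ``Egress`` true
        ingress  (default True)  consider entries with ``Egress`` false
        present  (default False) keep resources where all CIDRs are allowed;
                 otherwise keep resources where at least one is not

    Args:
        resources: resources carrying an ``Entries`` list as described above.
        event: unused; kept for the filter call signature.

    Returns:
        list: the matching subset of ``resources``, in input order.
    """
    ec2 = local_session(self.manager.session_factory).client('ec2')
    cidrs = jmespath.search("PrefixLists[].Cidrs[]", ec2.describe_prefix_lists())
    cidrs = [parse_cidr(cidr) for cidr in cidrs]

    check_egress = self.data.get('egress', True)
    check_ingress = self.data.get('ingress', True)
    present = self.data.get('present', False)

    results = []
    for r in resources:
        # None: no entry has matched this CIDR yet; True/False: whether the
        # first entry that matched it was an 'allow'. Only the first match
        # per CIDR is recorded.
        matched = {cidr: None for cidr in cidrs}
        for entry in r['Entries']:
            if entry['Egress'] and not check_egress:
                continue
            if not entry['Egress'] and not check_ingress:
                continue
            entry_cidr = parse_cidr(entry['CidrBlock'])
            for c in matched:
                # NOTE(review): first-match-wins only mirrors rule evaluation if
                # r['Entries'] arrives ordered by rule number, and egress and
                # ingress entries share this one table — confirm both are intended.
                # NOTE(review): `c in entry_cidr` depends on what parse_cidr
                # returns; an ipaddress network answers False to `in` for another
                # network object (subnet_of is the network-vs-network test) — confirm.
                if c in entry_cidr and matched[c] is None:
                    matched[c] = entry['RuleAction'] == 'allow'
        # An unmatched CIDR (None) counts as not allowed. With an empty CIDR
        # list all() is vacuously True, so 'present' then keeps every resource.
        all_allowed = all(matched.values())
        if present and all_allowed:
            results.append(r)
        elif not present and not all_allowed:
            results.append(r)
    return results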
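def process(self, resources, event=None):
    """Keep resources whose entries allow (or fail to allow) every prefix-list CIDR.

    Prefix-list CIDRs are read from ``ec2.describe_prefix_lists`` via the
    ``PrefixLists[].Cidrs[]`` expression. Each resource's ``Entries`` (dicts with
    ``Egress``, ``CidrBlock`` and ``RuleAction``) are then compared against them.

    ``self.data`` options:
        egress   (default True)  include entries whose ``Egress`` is true
        ingress  (default True)  include entries whose ``Egress`` is false
        present  (default False) True keeps resources where every CIDR was
                 matched by an 'allow' entry; False keeps those where any
                 CIDR was not

    Args:
        resources: resources carrying an ``Entries`` list as described above.
        event: unused; part of the filter call signature.

    Returns:
        list: matching resources, in input order.
    """
    ec2 = local_session(self.manager.session_factory).client('ec2')
    cidrs = jmespath.search(
        "PrefixLists[].Cidrs[]", ec2.describe_prefix_lists())
    cidrs = [parse_cidr(cidr) for cidr in cidrs]

    check_egress = self.data.get('egress', True)
    check_ingress = self.data.get('ingress', True)
    present = self.data.get('present', False)

    results = []
    for r in resources:
        # Per CIDR: None until an entry matches it, then True/False for
        # whether that first matching entry was an 'allow'.
        matched = {cidr: None for cidr in cidrs}
        for entry in r['Entries']:
            if entry['Egress'] and not check_egress:
                continue
            if not entry['Egress'] and not check_ingress:
                continue
            entry_cidr = parse_cidr(entry['CidrBlock'])
            for c in matched:
                # NOTE(review): the first match wins, so this only reflects
                # rule evaluation if r['Entries'] is ordered by rule number;
                # egress and ingress entries also share one table — confirm.
                # NOTE(review): `c in entry_cidr` relies on parse_cidr's return
                # type; ipaddress networks answer False to `in` for another
                # network (subnet_of is the network-vs-network check) — confirm.
                if c in entry_cidr and matched[c] is None:
                    matched[c] = entry['RuleAction'] == 'allow'
        # None (never matched) is falsy, so it counts as not allowed. With no
        # CIDRs at all, all() is vacuously True and 'present' keeps everything.
        all_allowed = all(matched.values())
        if present and all_allowed:
            results.append(r)
        elif not present and not all_allowed:
            results.append(r)
    return results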
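def process_value_type(self, sentinel, value):
    """Coerce ``sentinel`` and ``value`` according to ``self.vtype``.

    Returns the ``(sentinel, value)`` pair to hand to the comparison; some
    types deliberately return the pair reversed so the comparison reads
    naturally in policy syntax.

    vtype handling:
        normalize   ``value`` stripped and lower-cased (only when it is a string)
        integer     ``value`` as int; unparseable or non-numeric -> 0
        size        ``len(value)``; unsized -> 0
        swap        the pair reversed
        age         numeric sentinel becomes now - sentinel days; returns
                    ``(value, sentinel)``
        cidr        both parsed with parse_cidr; an (address, network) pair
                    is returned as (network, address)
        cidr_size   ``value``'s prefix length; unparseable -> 0
        expiration  numeric sentinel becomes now + sentinel days
    Any other vtype (and a non-string 'normalize' value) returns the
    inputs unchanged.
    """
    if self.vtype == 'normalize' and isinstance(value, basestring):
        return sentinel, value.strip().lower()
    elif self.vtype == 'integer':
        # Only string-like values have .strip(); ints/None used to raise
        # AttributeError here. int(None) raises TypeError, hence the tuple.
        try:
            value = int(value.strip()) if hasattr(value, 'strip') else int(value)
        except (ValueError, TypeError):
            value = 0
    elif self.vtype == 'size':
        try:
            return sentinel, len(value)
        except TypeError:
            return sentinel, 0
    elif self.vtype == 'swap':
        return value, sentinel
    elif self.vtype == 'age':
        if not isinstance(sentinel, datetime):
            # A numeric sentinel is a number of days in the past.
            sentinel = datetime.now(tz=tzutc()) - timedelta(sentinel)
        if not isinstance(value, datetime):
            # EMR bug when testing ages in EMR. This is due to
            # EMR not having more functionality.
            # NOTE(review): a string the parser rejects raises ValueError,
            # which is not caught here — confirm that should surface.
            try:
                value = parse(value, default=datetime.now(tz=tzutc()))
            except (AttributeError, TypeError):
                value = 0
        # Reverse the age comparison, we want to compare the value being
        # greater than the sentinel typically. Else the syntax for age
        # comparisons is intuitively wrong.
        return value, sentinel
    elif self.vtype == 'cidr':
        s = parse_cidr(sentinel)
        v = parse_cidr(value)
        # Relies on ipaddress private base classes; an address sentinel
        # against a network value is flipped so the network comes first.
        if (isinstance(s, ipaddress._BaseAddress) and
                isinstance(v, ipaddress._BaseNetwork)):
            return v, s
        return s, v
    elif self.vtype == 'cidr_size':
        cidr = parse_cidr(value)
        if cidr:
            return sentinel, cidr.prefixlen
        return sentinel, 0
    # Allows for expiration filtering, for events in the future as opposed
    # to events in the past which age filtering allows for.
    elif self.vtype == 'expiration':
        if not isinstance(sentinel, datetime):
            # A numeric sentinel is a number of days in the future.
            sentinel = datetime.now(tz=tzutc()) + timedelta(sentinel)
        if not isinstance(value, datetime):
            value = parse(value, default=datetime.now(tz=tzutc()))
        return sentinel, value
    return sentinel, value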
def process_value_type(self, sentinel, value, resource):
    """Coerce the ``(sentinel, value)`` pair according to ``self.vtype``.

    Returns the pair to hand to the comparison operator. Several types
    return it reversed on purpose so policy syntax reads naturally.

    vtype handling:
        normalize    ``value`` stripped and lower-cased (strings only)
        expr         sentinel resolved via ``self.get_resource_value``
        integer      ``value`` as int; unparseable -> 0
        size         ``len(value)``; unsized -> 0
        unique_size  ``len(set(value))``; unsized/unhashable -> 0
        swap         the pair reversed
        date         both sides through ``parse_date``
        age          numeric sentinel becomes now - sentinel days;
                     returns ``(value, sentinel)``; unparseable value -> 0
        cidr         both parsed; an (address, network) pair is flipped
        cidr_size    ``value``'s prefix length; unparseable -> 0
        expiration   numeric sentinel becomes now + sentinel days;
                     unparseable value -> 0
        version      both wrapped in ``ComparableVersion``
    Anything else (including a non-string 'normalize' value) is returned
    unchanged.
    """
    kind = self.vtype

    if kind == 'normalize' and isinstance(value, str):
        return sentinel, value.strip().lower()

    if kind == 'expr':
        # The sentinel is itself an expression evaluated against the resource.
        return self.get_resource_value(sentinel, resource), value

    if kind == 'integer':
        try:
            coerced = int(str(value).strip())
        except ValueError:
            coerced = 0
        return sentinel, coerced

    if kind == 'size':
        try:
            return sentinel, len(value)
        except TypeError:
            return sentinel, 0

    if kind == 'unique_size':
        try:
            return sentinel, len(set(value))
        except TypeError:
            return sentinel, 0

    if kind == 'swap':
        return value, sentinel

    if kind == 'date':
        return parse_date(sentinel), parse_date(value)

    if kind == 'age':
        if not isinstance(sentinel, datetime.datetime):
            # A numeric sentinel is a number of days in the past.
            sentinel = datetime.datetime.now(tz=tzutc()) - timedelta(sentinel)
        parsed = parse_date(value)
        if parsed is None:
            # Compatibility: unparseable values compare as 0.
            parsed = 0
        # Reversed on purpose: the value is typically compared as being
        # greater than the sentinel; the other order reads wrong in policy.
        return parsed, sentinel

    if kind == 'cidr':
        s = parse_cidr(sentinel)
        v = parse_cidr(value)
        # Relies on ipaddress private base classes: address sentinel vs
        # network value is flipped so the network comes first.
        address_vs_network = (isinstance(s, ipaddress._BaseAddress)
                              and isinstance(v, ipaddress._BaseNetwork))
        return (v, s) if address_vs_network else (s, v)

    if kind == 'cidr_size':
        network = parse_cidr(value)
        return sentinel, (network.prefixlen if network else 0)

    if kind == 'expiration':
        # Expiration looks forward in time, the mirror image of 'age'.
        if not isinstance(sentinel, datetime.datetime):
            sentinel = datetime.datetime.now(tz=tzutc()) + timedelta(sentinel)
        parsed = parse_date(value)
        return sentinel, (0 if parsed is None else parsed)

    if kind == 'version':
        # Lets policies express a minimum version number.
        return ComparableVersion(sentinel), ComparableVersion(value)

    return sentinel, value
def main(event, context):
    """Handler entry point: echo ``event`` as JSON to stdout.

    ``context`` is accepted for the handler signature and not used.
    """
    # Imported here rather than at module level, so the module itself
    # loads without c7n; the parse call below exercises the import.
    from c7n.utils import parse_cidr

    parse_cidr('10.0.0.0/24')  # while we're here, ensure ipaddress availability

    out = sys.stdout
    out.write(json.dumps(event))