def test_asg_state(self):
    """get_ids resolves ['CustodianTest'] for an asg-instance-state mode fed a failed-launch event."""
    mode = {
        'type': 'asg-instance-state',
        'events': ['EC2 Instance Launch Unsuccessful'],
    }
    event = event_data('event-asg-instance-failed.json')
    resolved = CloudWatchEvents.get_ids(event, mode)
    self.assertEqual(resolved, ['CustodianTest'])
def test_get_ids_multiple_events(self):
    """Only the event spec whose source, name and ids expression all match contributes ids.

    Several decoy specs precede the correct one; a spec whose ids expression
    matches nothing must not abort the lookup, and a trailing spec after the
    match must not change the result.
    """
    # wrong event name
    wrong_name = {
        'source': 'ec2.amazonaws.com',
        'event': 'CreateTags',
        'ids': 'requestParameters.resourcesSet.items[].resourceId',
    }
    # wrong event source
    wrong_source = {
        'source': 'ecs.amazonaws.com',
        'event': 'StartInstances',
        'ids': 'responseElements.instancesSet.items',
    }
    # matches no resource ids
    no_ids = {
        'source': 'ec2.amazonaws.com',
        'event': 'StartInstances',
        'ids': 'responseElements.instancesSet2.items[].instanceId',
    }
    # correct
    correct = {
        'source': 'ec2.amazonaws.com',
        'event': 'StartInstances',
        'ids': 'responseElements.instancesSet.items[].instanceId',
    }
    # we don't fall off the end
    trailing = {
        'source': 'ec2.amazonaws.com',
        'event': 'StartInstances',
        'ids': 'responseElements.instancesSet.items[]',
    }
    mode = {
        'type': 'cloudtrail',
        'events': [wrong_name, wrong_source, no_ids, correct, trailing],
    }
    detail = event_data('event-cloud-trail-run-instances.json')
    detail['eventName'] = 'StartInstances'
    resolved = CloudWatchEvents.get_ids({'detail': detail}, mode)
    self.assertEqual(resolved, ['i-784cdacd', u'i-7b4cdace'])
def test_auto_tag_creator(self):
    """auto-tag-user sets Owner to the creator and does not overwrite an existing Owner tag."""
    session_factory = self.replay_flight_data('test_ec2_autotag_creator')

    def load_autotag_policy():
        # Build a fresh config dict per call so both loads see identical input.
        return self.load_policy({
            'name': 'ec2-auto-tag',
            'resource': 'ec2',
            'mode': {'type': 'cloudtrail', 'events': ['RunInstances']},
            'actions': [{'type': 'auto-tag-user', 'tag': 'Owner'}],
        }, session_factory=session_factory)

    def owner_tag(session, instance_id):
        # Read the Owner tag back from the (replayed) API rather than the returned resource.
        instances = query_instances(session, InstanceIds=[instance_id])
        tags = {t['Key']: t['Value'] for t in instances[0]['Tags']}
        return tags['Owner']

    event = {
        'detail': event_data('event-cloud-trail-run-instance-creator.json'),
        'debug': True,
    }
    resources = load_autotag_policy().push(event, None)
    self.assertEqual(len(resources), 1)

    # Verify tag added
    session = session_factory()
    self.assertEqual(owner_tag(session, resources[0]['InstanceId']), 'c7nbot')

    # Verify we don't overwrite extant
    client = session.client('ec2')
    client.create_tags(
        Resources=[resources[0]['InstanceId']],
        Tags=[{'Key': 'Owner', 'Value': 'Bob'}])
    resources = load_autotag_policy().push(event, None)
    self.assertEqual(owner_tag(session, resources[0]['InstanceId']), 'Bob')
def test_asg_state(self):
    """An asg-instance-state mode resolves the failed-launch fixture to ['CustodianTest']."""
    event = event_data('event-asg-instance-failed.json')
    mode = {'type': 'asg-instance-state',
            'events': ['EC2 Instance Launch Unsuccessful']}
    self.assertEqual(CloudWatchEvents.get_ids(event, mode), ['CustodianTest'])
def test_auto_tag_assumed(self):
    """auto-tag-user with update=True handles an assumed-role creator event.

    The returned resource still carries the pre-existing Owner ('Bob'), while
    the instance read back from the API carries the updated Owner ('Radiant').
    """
    # verify auto tag works with assumed roles and can optionally update
    session_factory = self.replay_flight_data('test_ec2_autotag_assumed')
    config = {
        'name': 'ec2-auto-tag',
        'resource': 'ec2',
        'mode': {'type': 'cloudtrail', 'events': ['RunInstances']},
        'actions': [{'type': 'auto-tag-user', 'update': True, 'tag': 'Owner'}],
    }
    policy = self.load_policy(config, session_factory=session_factory)
    detail = event_data('event-cloud-trail-run-instance-creator-assumed.json')
    resources = policy.push({'detail': detail, 'debug': True}, None)
    self.assertEqual(len(resources), 1)

    def owner_of(tag_list):
        return {t['Key']: t['Value'] for t in tag_list}['Owner']

    self.assertEqual(owner_of(resources[0]['Tags']), 'Bob')
    session = session_factory()
    instances = query_instances(
        session, InstanceIds=[resources[0]['InstanceId']])
    self.assertEqual(owner_of(instances[0]['Tags']), 'Radiant')
def test_auto_tag_assumed(self):
    """auto-tag-user (update=True) on an assumed-role RunInstances event.

    Checks the Owner tag on the resource returned by push() ('Bob') and the
    Owner tag on the instance as read back through the session ('Radiant').
    """
    # verify auto tag works with assumed roles and can optionally update
    session_factory = self.replay_flight_data('test_ec2_autotag_assumed')
    policy = self.load_policy({
        'name': 'ec2-auto-tag',
        'resource': 'ec2',
        'mode': {
            'type': 'cloudtrail',
            'events': ['RunInstances']},
        'actions': [
            {'type': 'auto-tag-user', 'update': True, 'tag': 'Owner'}]
    }, session_factory=session_factory)
    event = {
        'debug': True,
        'detail': event_data(
            'event-cloud-trail-run-instance-creator-assumed.json'),
    }
    resources = policy.push(event, None)
    self.assertEqual(len(resources), 1)
    instance_id = resources[0]['InstanceId']
    returned_tags = dict((t['Key'], t['Value']) for t in resources[0]['Tags'])
    self.assertEqual(returned_tags['Owner'], 'Bob')
    session = session_factory()
    fetched = query_instances(session, InstanceIds=[instance_id])
    fetched_tags = dict((t['Key'], t['Value']) for t in fetched[0]['Tags'])
    self.assertEqual(fetched_tags['Owner'], 'Radiant')
def test_get_ids(self):
    """A cloudtrail mode naming 'RunInstances' resolves both launched instance ids."""
    event = {'detail': event_data('event-cloud-trail-run-instances.json')}
    mode = {'type': 'cloudtrail', 'events': ['RunInstances']}
    resolved = CloudWatchEvents.get_ids(event, mode)
    self.assertEqual(resolved, ['i-784cdacd', u'i-7b4cdace'])
def test_event_filter(self):
    """The 'event' filter keyed on detail.state matches a pending instance and passes resources through otherwise."""
    bag = Bag(data={'mode': []})
    event = event_data('event-instance-state.json')
    spec = {'type': 'event', 'key': 'detail.state', 'value': 'pending'}
    event_filter = filters.factory(spec, bag)
    self.assertTrue(event_filter.process([instance()], event))
    # event is None
    self.assertEqual(event_filter.process('resources'), 'resources')
    # event is not None, but is not "true" either
    self.assertEqual(event_filter.process('resources', []), [])
def test_custom_event(self):
    """A custom cloudtrail event spec (source/event/ids) resolves the instance ids."""
    spec = {
        'source': 'ec2.amazonaws.com',
        'event': 'StartInstances',
        'ids': 'responseElements.instancesSet.items[].instanceId',
    }
    mode = {'type': 'cloudtrail', 'events': [spec]}
    event = {'detail': event_data('event-cloud-trail-run-instances.json')}
    # The fixture records RunInstances; rename it so the custom spec matches.
    event['detail']['eventName'] = 'StartInstances'
    self.assertEqual(
        CloudWatchEvents.get_ids(event, mode),
        ['i-784cdacd', u'i-7b4cdace'])
def test_get_ids_multiple_events(self):
    """With several event specs, only the fully matching one yields ids.

    Decoy specs (wrong name, wrong source, ids expression matching nothing)
    come first, then the correct spec, then one more spec after the match.
    """
    def spec(source, event, ids):
        return {'source': source, 'event': event, 'ids': ids}

    events = [
        # wrong event name
        spec('ec2.amazonaws.com', 'CreateTags',
             'requestParameters.resourcesSet.items[].resourceId'),
        # wrong event source
        spec('ecs.amazonaws.com', 'StartInstances',
             'responseElements.instancesSet.items'),
        # matches no resource ids
        spec('ec2.amazonaws.com', 'StartInstances',
             'responseElements.instancesSet2.items[].instanceId'),
        # correct
        spec('ec2.amazonaws.com', 'StartInstances',
             'responseElements.instancesSet.items[].instanceId'),
        # we don't fall off the end
        spec('ec2.amazonaws.com', 'StartInstances',
             'responseElements.instancesSet.items[]'),
    ]
    detail = event_data('event-cloud-trail-run-instances.json')
    detail['eventName'] = 'StartInstances'
    resolved = CloudWatchEvents.get_ids(
        {'detail': detail}, {'type': 'cloudtrail', 'events': events})
    self.assertEqual(resolved, ['i-784cdacd', u'i-7b4cdace'])
def test_config_rule_evaluation(self):
    """config-rule mode evaluates a Config rule event and returns the one filtered instance."""
    session_factory = self.replay_flight_data('test_config_rule_evaluate')
    config = {
        'resource': 'ec2',
        'name': 'ec2-modified',
        'mode': {'type': 'config-rule'},
        'filters': [{'InstanceId': 'i-094bc87c84d56c589'}],
    }
    policy = self.load_policy(config, session_factory=session_factory)
    event = event_data('event-config-rule-instance.json')
    matched = policy.get_execution_mode().run(event, None)
    self.assertEqual(len(matched), 1)
def test_config_rule_evaluation(self):
    """Running a config-rule mode policy against the Config fixture yields exactly one resource."""
    session_factory = self.replay_flight_data('test_config_rule_evaluate')
    p = self.load_policy({
        'name': 'ec2-modified',
        'resource': 'ec2',
        'filters': [{'InstanceId': 'i-094bc87c84d56c589'}],
        'mode': {'type': 'config-rule'},
    }, session_factory=session_factory)
    execution_mode = p.get_execution_mode()
    results = execution_mode.run(
        event_data('event-config-rule-instance.json'), None)
    self.assertEqual(1, len(results))
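def test_create_bucket_event(self):
    """A CreateBucket CloudTrail event drives the encryption-policy action.

    Pushes the recorded event through a cloudtrail-mode policy and asserts the
    new bucket ends up with a policy that denies PutObject unless the request
    specifies AES256 or aws:kms server-side encryption.
    """
    self.patch(s3, 'S3_AUGMENT_TABLE', [
        ('get_bucket_policy', 'Policy', None, 'Policy'),
    ])
    # Serial executor; presumably keeps the replayed API calls in a fixed order.
    self.patch(s3.S3, 'executor_factory', MainThreadExecutor)
    session_factory = self.replay_flight_data('test_s3_create')
    bname = 'custodian-create-bucket-v4'
    session = session_factory()
    client = session.client('s3')
    client.create_bucket(Bucket=bname)
    self.addCleanup(destroyBucket, client, bname)
    p = self.load_policy({
        'name': 'bucket-create-v2',
        'resource': 's3',
        'mode': {
            'type': 'cloudtrail',
            'role': 'arn:aws:iam::619193117841:role/CustodianDemoRole',
            'events': ['CreateBucket'],
        },
        'actions': ['encryption-policy'],
    }, session_factory=session_factory)
    p.push(event_data('event-cloud-trail-create-bucket.json'), None)
    try:
        result = client.get_bucket_policy(Bucket=bname)
    except Exception as e:
        # Narrowed from a bare `except:`, which would also swallow
        # KeyboardInterrupt/SystemExit; include the cause in the failure.
        self.fail("Could not get bucket policy: %s" % e)
    self.assertIn('Policy', result)
    policy = json.loads(result['Policy'])
    expected = {
        u'Statement': [{
            u'Action': u's3:PutObject',
            u'Condition': {
                u'StringNotEquals': {
                    u's3:x-amz-server-side-encryption': [u'AES256', u'aws:kms']
                }
            },
            u'Effect': u'Deny',
            u'Principal': u'*',
            u'Resource': u'arn:aws:s3:::custodian-create-bucket-v4/*',
            u'Sid': u'RequireEncryptedPutObject'
        }],
        u'Version': u'2012-10-17'
    }
    self.assertEqual(policy, expected)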
def test_event_filter(self):
    """event filter on detail.state == 'pending': truthy for the fixture, pass-through with no/empty event."""
    config_bag = Bag(data={'mode': []})
    fixture = event_data('event-instance-state.json')
    event_filter = filters.factory(
        {'type': 'event', 'key': 'detail.state', 'value': 'pending'},
        config_bag)
    matched = event_filter.process([instance()], fixture)
    self.assertTrue(matched)
    # event is None
    self.assertEqual('resources', event_filter.process('resources'))
    # event is not None, but is not "true" either
    self.assertEqual([], event_filter.process('resources', []))
def test_custom_event(self):
    """A single custom event spec resolves both instance ids from a renamed RunInstances fixture."""
    payload = {'detail': event_data('event-cloud-trail-run-instances.json')}
    payload['detail']['eventName'] = 'StartInstances'
    mode = {
        'type': 'cloudtrail',
        'events': [{
            'source': 'ec2.amazonaws.com',
            'event': 'StartInstances',
            'ids': 'responseElements.instancesSet.items[].instanceId',
        }],
    }
    resolved = CloudWatchEvents.get_ids(payload, mode)
    self.assertEqual(resolved, ['i-784cdacd', u'i-7b4cdace'])
def test_auto_tag_creator(self):
    """auto-tag-user writes Owner=c7nbot on creation and leaves a pre-set Owner=Bob untouched."""
    session_factory = self.replay_flight_data('test_ec2_autotag_creator')
    event = {
        'debug': True,
        'detail': event_data('event-cloud-trail-run-instance-creator.json'),
    }

    def run_policy():
        # Fresh config dict per run so the second load is not affected by the first.
        policy = self.load_policy({
            'name': 'ec2-auto-tag',
            'resource': 'ec2',
            'mode': {
                'type': 'cloudtrail',
                'events': ['RunInstances']},
            'actions': [
                {'type': 'auto-tag-user', 'tag': 'Owner'}]
        }, session_factory=session_factory)
        return policy.push(event, None)

    def fetch_tags(session, instance_id):
        found = query_instances(session, InstanceIds=[instance_id])
        return dict((t['Key'], t['Value']) for t in found[0]['Tags'])

    resources = run_policy()
    self.assertEqual(len(resources), 1)

    # Verify tag added
    session = session_factory()
    tags = fetch_tags(session, resources[0]['InstanceId'])
    self.assertEqual(tags['Owner'], 'c7nbot')

    # Verify we don't overwrite extant
    session.client('ec2').create_tags(
        Resources=[resources[0]['InstanceId']],
        Tags=[{'Key': 'Owner', 'Value': 'Bob'}])
    resources = run_policy()
    tags = fetch_tags(session, resources[0]['InstanceId'])
    self.assertEqual(tags['Owner'], 'Bob')
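def test_create_bucket_event(self):
    """CreateBucket CloudTrail event -> encryption-policy action -> deny-unencrypted bucket policy.

    After pushing the recorded event through the policy, the bucket must carry
    a Deny statement for s3:PutObject whenever the SSE header is neither
    AES256 nor aws:kms.
    """
    self.patch(s3, 'S3_AUGMENT_TABLE', [
        ('get_bucket_policy', 'Policy', None, 'Policy'),
    ])
    # Serial executor; presumably keeps the replayed API calls in a fixed order.
    self.patch(s3.S3, 'executor_factory', MainThreadExecutor)
    session_factory = self.replay_flight_data('test_s3_create')
    bname = 'custodian-create-bucket-v4'
    session = session_factory()
    client = session.client('s3')
    client.create_bucket(Bucket=bname)
    self.addCleanup(destroyBucket, client, bname)
    p = self.load_policy({
        'name': 'bucket-create-v2',
        'resource': 's3',
        'mode': {
            'type': 'cloudtrail',
            'role': 'arn:aws:iam::619193117841:role/CustodianDemoRole',
            'events': ['CreateBucket'],
        },
        'actions': [
            'encryption-policy']},
        session_factory=session_factory)
    p.push(event_data('event-cloud-trail-create-bucket.json'), None)
    try:
        result = client.get_bucket_policy(Bucket=bname)
    except Exception as e:
        # Narrowed from a bare `except:` (which also caught KeyboardInterrupt
        # and SystemExit); report the underlying error in the failure message.
        self.fail("Could not get bucket policy: %s" % e)
    self.assertIn('Policy', result)
    policy = json.loads(result['Policy'])
    self.assertEqual(
        policy,
        {u'Statement': [
            {u'Action': u's3:PutObject',
             u'Condition': {
                 u'StringNotEquals': {
                     u's3:x-amz-server-side-encryption': [
                         u'AES256',
                         u'aws:kms']}},
             u'Effect': u'Deny',
             u'Principal': u'*',
             u'Resource': u'arn:aws:s3:::custodian-create-bucket-v4/*',
             u'Sid': u'RequireEncryptedPutObject'}],
         u'Version': u'2012-10-17'})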
def test_cloud_trail_resource(self):
    """match() maps the S3 CloudTrail fixture to its source and bucketName ids expression."""
    matched = CloudWatchEvents.match(event_data('event-cloud-trail-s3.json'))
    expected = {
        'source': 's3.amazonaws.com',
        'ids': jmespath.compile('detail.requestParameters.bucketName'),
    }
    self.assertEqual(matched, expected)
def test_non_cloud_trail_event(self):
    """match() is falsy for fixtures that are not CloudTrail events."""
    fixtures = ('event-instance-state.json', 'event-scheduled.json')
    for name in fixtures:
        matched = CloudWatchEvents.match(event_data(name))
        self.assertFalse(matched)
def test_non_cloud_trail_event(self):
    """Neither the instance-state nor the scheduled fixture is matched as a CloudTrail event."""
    results = [
        CloudWatchEvents.match(event_data(fixture))
        for fixture in ('event-instance-state.json', 'event-scheduled.json')
    ]
    for matched in results:
        self.assertFalse(matched)
def test_ec2_state(self):
    """ec2-instance-state mode extracts the instance id from the state-change fixture."""
    event = event_data('event-instance-state.json')
    mode = {'type': 'ec2-instance-state'}
    resolved = CloudWatchEvents.get_ids(event, mode)
    self.assertEqual(resolved, ['i-a2d74f12'])
def test_cloud_trail_resource(self):
    """The S3 CloudTrail fixture matches with source s3.amazonaws.com and a bucketName ids expression."""
    ids_expr = jmespath.compile('detail.requestParameters.bucketName')
    fixture = event_data('event-cloud-trail-s3.json')
    self.assertEqual(
        CloudWatchEvents.match(fixture),
        {'source': 's3.amazonaws.com', 'ids': ids_expr})
def test_get_ids(self):
    """cloudtrail mode with a plain 'RunInstances' event name resolves both instance ids."""
    detail = event_data('event-cloud-trail-run-instances.json')
    resolved = CloudWatchEvents.get_ids(
        {'detail': detail},
        {'type': 'cloudtrail', 'events': ['RunInstances']})
    self.assertEqual(['i-784cdacd', u'i-7b4cdace'], resolved)
def test_ec2_state(self):
    """The instance-state fixture resolves to ['i-a2d74f12'] under ec2-instance-state mode."""
    resolved = CloudWatchEvents.get_ids(
        event_data('event-instance-state.json'),
        {'type': 'ec2-instance-state'})
    self.assertEqual(['i-a2d74f12'], resolved)