def get_lambda_client(config):
return desc.BotoRetryWrapper(boto_client=boto3.client(
'lambda',
region_name=config[tac.region],
aws_access_key_id=config[tac.key_id],
aws_secret_access_key=config[tac.secret_key],
aws_session_token=config.get('aws_session_token')
))
def application_load_balancers(config):
elb_v2_client = desc.BotoRetryWrapper(boto_client=boto3.client(
"elbv2",
region_name=config[tac.region],
aws_access_key_id=config.get(tac.key_id),
aws_secret_access_key=config.get(tac.secret_key),
aws_session_token=config.get('aws_session_token')
))
alb_paginator = elb_v2_client.get_paginator('describe_load_balancers')
for page in alb_paginator.paginate():
albs = page['LoadBalancers']
if albs is not None and len(albs) > 0:
for alb in albs:
# add account id and region
alb[tac.account_id] = config[tac.account_id]
alb[tac.region] = config[tac.region]
# fetch tags
tags_arr = elb_v2_client.describe_tags(ResourceArns = [alb['LoadBalancerArn']])['TagDescriptions']
if tags_arr is not None and len(tags_arr) > 0:
alb['Tags'] = tags_arr[0]['Tags']
# fetch target groups
target_groups_paginator = elb_v2_client.get_paginator('describe_target_groups')
target_group_list = []
for target_group_page in target_groups_paginator.paginate(LoadBalancerArn=alb['LoadBalancerArn']):
target_groups = target_group_page['TargetGroups']
if target_groups is not None and len(target_groups) > 0:
for target_group in target_groups:
# fetch target health
target_health_description = elb_v2_client.describe_target_health(TargetGroupArn = target_group['TargetGroupArn'])
target_group['TargetHealthDescriptions'] = target_health_description['TargetHealthDescriptions']
target_group_list.append(target_group)
alb['TargetGroups'] = target_group_list
# fetch listeners
# error handling for users upgrading from 4.3, whose IAM settings do not contain the policy "elasticloadbalancing:DescribeListeners"
try:
listeners_paginator = elb_v2_client.get_paginator('describe_listeners')
listener_list = []
for listener_page in listeners_paginator.paginate(LoadBalancerArn=alb['LoadBalancerArn']):
listeners = listener_page['Listeners']
if listeners is not None and len(listeners) > 0:
listener_list.extend(listeners)
alb['Listeners'] = listener_list
except ClientError as e:
if 'Code' in e.response['Error'] and e.response['Error']['Code'] == 'AccessDenied':
logger.warn('Failed to describe classic load balancer listeners. It requires "elasticloadbalancing:DescribeListeners" IAM policy.')
yield desc.serialize(alb)
def s3_buckets(config):
s3_client = desc.BotoRetryWrapper(boto_client=boto3.client(
's3',
region_name=config.get(tac.region),
aws_access_key_id=config[tac.key_id],
aws_secret_access_key=config[tac.secret_key],
aws_session_token=config.get('aws_session_token'),
config=Config(signature_version='s3v4')))
bucket_arr = s3_client.list_buckets()['Buckets']
if bucket_arr is not None and len(bucket_arr) > 0:
for bucket in bucket_arr:
# add account id
# TODO assume role changes this
bucket[tac.account_id] = config[tac.account_id]
# add other info
for operation in [
'get_bucket_accelerate_configuration', 'get_bucket_cors',
'get_bucket_lifecycle', 'get_bucket_location',
'get_bucket_logging', 'get_bucket_tagging'
]:
try:
response = getattr(s3_client,
operation)(Bucket=bucket['Name'])
response.pop('ResponseMetadata', None)
# http://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETlocation.html#RESTBucketGETlocation-responses-response-elements
# if location is us-east-1, it will return None
if operation == 'get_bucket_location' and response[
'LocationConstraint'] is None:
response['LocationConstraint'] = 'us-east-1'
bucket.update(response)
except ClientError as client_error:
if 'Code' not in client_error.response[
'Error'] or client_error.response['Error'][
'Code'] not in skipped_error_code_list:
logger.exception(
'%s operation is invalid in %s bucket.' %
(operation, bucket['Name']))
continue
except Exception:
logger.exception(
'An error occurred when attempting %s operation on %s bucket.'
% (operation, bucket['Name']))
continue
bucket[tac.region] = bucket['LocationConstraint']
yield desc.serialize(bucket)
def connect_cloudfront(config):
conn = AWSCloudFrontConnection(
aws_access_key_id=config.get(tac.key_id),
aws_secret_access_key=config.get(tac.secret_key),
security_token=config.get('aws_session_token'),
proxy=config.get(tac.proxy_hostname),
proxy_port=config.get(tac.proxy_port),
proxy_user=config.get(tac.proxy_username),
proxy_pass=config.get(tac.proxy_password),
)
return desc.BotoRetryWrapper(boto_client=conn)
def iam_users(config):
iam_client = desc.BotoRetryWrapper(boto_client=boto3.client(
"iam",
region_name=config[tac.region],
aws_access_key_id=config.get(tac.key_id),
aws_secret_access_key=config.get(tac.secret_key),
aws_session_token=config.get('aws_session_token')))
# list users
paginator = iam_client.get_paginator('list_users')
# get account password policy (the same among users)
password_policy = None
# http://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
# account may not have enable password policy, and throws out a "NoSuchEntity" Error
try:
password_policy = iam_client.get_account_password_policy()
except ClientError as client_error:
if 'Code' not in client_error.response['Error'] or \
client_error.response['Error']['Code'] not in skipped_error_code_list:
logger.error(
'"get_account_password_policy" operation returns invalid '
'result for account %s: %s' %
(config[tac.account_id], client_error))
for page in paginator.paginate():
iam_users = page['Users']
if iam_users is not None and len(iam_users) > 0:
for iam_user in iam_users:
# add account id and region
iam_user[tac.account_id] = config[tac.account_id]
# add account password policy
if password_policy is not None:
iam_user.update(password_policy)
# get access keys
ak_paginator = iam_client.get_paginator('list_access_keys')
access_key_list = []
for ak_page in ak_paginator.paginate(
UserName=iam_user['UserName']):
access_keys = ak_page['AccessKeyMetadata']
if access_keys is not None and len(access_keys) > 0:
for access_key in access_keys:
# get ak last used
# will throw out an error with code "InvalidAction" if does not support (CN region)
try:
ak_last_used = \
iam_client.get_access_key_last_used(AccessKeyId = access_key['AccessKeyId'])
access_key.update(ak_last_used)
except ClientError as client_error:
if 'Code' not in client_error.response['Error'] or \
client_error.response['Error']['Code'] not in skipped_error_code_list:
logger.error(
'"get_access_key_last_used" operation returns invalid '
'result for access key %s: %s' %
(access_key['AccessKeyId'],
client_error))
# remove metadata of response
access_key.pop('ResponseMetadata', None)
access_key_list.append(access_key)
iam_user['AccessKeys'] = access_key_list
# remove metadata of response
iam_user.pop('ResponseMetadata', None)
yield desc.serialize(iam_user)
def connect_vpc_to_region(config):
return desc.BotoRetryWrapper(
boto_client=tacommon.connect_service_to_region(
boto.vpc.connect_to_region, config))
def classic_load_balancers(config):
elb_client = desc.BotoRetryWrapper(boto_client=boto3.client(
'elb',
region_name=config.get(tac.region),
aws_access_key_id=config.get(tac.key_id),
aws_secret_access_key=config.get(tac.secret_key),
aws_session_token=config.get('aws_session_token')
))
paginator = elb_client.get_paginator('describe_load_balancers')
for page in paginator.paginate():
all_elbs = page.get('LoadBalancerDescriptions', None)
if all_elbs is None or len(all_elbs) <= 0:
continue
for elb in all_elbs:
# describe instance health
try:
instances = elb_client.describe_instance_health(LoadBalancerName=elb.get('LoadBalancerName', None)).get('InstanceStates', None)
except Exception:
logger.exception(
'Ignore ELB due to exception',
ELB=elb.get('LoadBalancerName'))
continue
instances_trans = []
for instance in instances:
instance_trans = {
'instance_id': instance.get('InstanceId', None),
'state': instance.get('State', None)
}
instances_trans.append(instance_trans)
# describe tags
try:
tags_arr = elb_client.describe_tags(LoadBalancerNames=[elb['LoadBalancerName']]).get('TagDescriptions', None)
except ClientError as e:
tags_arr = None
logger.exception('Error in describing classic load balancer tags.',
load_balancer_name=elb['LoadBalancerName'])
tags = []
if tags_arr is not None and len(tags_arr) > 0:
tags = tags_arr[0]['Tags']
# transform results for boto2 compatibility
res_trans = _transform_boto3_to_boto2(elb)
result = {
tac.account_id: config.get(tac.account_id, None),
'availability_zones': elb.get('AvailabilityZones', None),
'backends': res_trans.get('backends', None),
'created_time': elb.get('CreatedTime', None),
'dns_name': elb.get('DNSName', None),
'name': elb.get('LoadBalancerName', None),
'health_check': res_trans.get('healthcheck', 'None'),
'instances': instances_trans,
'listeners': res_trans.get('listeners', None),
'source_security_group': res_trans.get('source_security_group', None),
'subnets': elb.get('Subnets', None),
'security_groups': elb.get('SecurityGroups', None),
'vpc_id': elb.get('VPCId', None),
tac.region: config.get('region', None),
'tags': tags
}
result = desc.serialize(result)
yield result