def _get_or_create_provider(db: Session, proxy: Proxy, identity: Dict,
                            confirm: ConfirmAcct,
                            external_id: Optional[int]) -> ProviderAccount:
    """Look up the ProviderAccount for the caller's organization, creating it on confirmation.

    The account is keyed on the organization id returned by
    ``describe_organization``.  A stand-alone account (the API answers
    ``AWSOrganizationsNotInUseException``) is keyed on the synthetic value
    ``OrgDummy:<account id>`` instead; any other ``ClientError`` propagates.

    Args:
        db: Open SQLAlchemy session.
        proxy: Provider proxy used to reach the Organizations API.
        identity: Caller identity; ``identity['Account']`` is read.
        confirm: Callback consulted before a new account is created.
        external_id: When not ``None``, the lookup is additionally
            restricted to accounts carrying this external id.

    Returns:
        The matching ``ProviderAccount``, or the one just created.

    Raises:
        GFError: If ``confirm`` declines the creation.
        botocore.exceptions.ClientError: For Organizations errors other
            than "not in use".
    """
    organizations = proxy.service('organizations')
    try:
        org_id = organizations.get('describe_organization')['Organization']['Id']
    except botocore.exceptions.ClientError as err:
        error_code = err.response.get('Error', {}).get('Code')
        if error_code != 'AWSOrganizationsNotInUseException':
            raise
        # Stand-alone account: derive a stable key from the account id.
        org_id = f'OrgDummy:{identity["Account"]}'

    criteria = [ProviderAccount.provider == 'aws',
                ProviderAccount.name == org_id]
    # NOTE(review): with external_id=None the lookup is not scoped by
    # external_id at all, so an account stored under some other external id
    # would be matched here -- confirm that is the intended semantics.
    if external_id is not None:
        criteria.append(ProviderAccount.external_id == external_id)
    existing = db.query(ProviderAccount).filter(*criteria).one_or_none()

    if existing is None:
        if not confirm(identity):
            raise GFError('User cancelled')
        return _create_provider_and_credential(db, proxy, identity,
                                               external_id)
    # Known account: make sure the caller's credential is recorded for it.
    _require_credential(db, existing.id, identity)
    return existing
def _build_import_job_desc(proxy: Proxy, identity: Dict) -> Dict:
    """Assemble the description dict stored with a new AWS import job.

    Args:
        proxy: Provider proxy; ``proxy.service('organizations')`` is handed
            to ``_build_org_graph``.
        identity: Caller identity; ``Account``, ``UserId`` and ``Arn`` are
            read from it.

    Returns:
        A dict with ``account`` (organization id + provider), ``principal``
        (the importing identity), ``aws_org`` and ``aws_graph`` as returned
        by ``_build_org_graph``.
    """
    caller_account = identity['Account']
    org_desc, org_graph = _build_org_graph(proxy.service('organizations'),
                                           caller_account)
    account_desc = {'account_id': org_desc['Id'], 'provider': 'aws'}
    principal_desc = {
        'provider_id': identity['UserId'],
        'provider_uri': identity['Arn'],
    }
    return {
        'account': account_desc,
        'principal': principal_desc,
        'aws_org': org_desc,
        'aws_graph': org_graph,
    }
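def add_amis_to_import_job(proxy: Proxy, writer: ImportWriter, ps: PathStack,
                           region: str, amis: List[str]) -> str:
    """Describe the given AMIs in one region and hand them to the import writer.

    Args:
        proxy: Provider proxy; ``proxy.service('ec2', region)`` is used.
        writer: Import writer that receives the raw ``describe_images``
            resources.
        ps: Path stack; scoped to ``region`` for this call.
        region: AWS region the image ids belong to.
        amis: Image ids to describe.  May be empty, in which case nothing is
            requested or written.

    Returns:
        The scoped path, ``ps.scope(region).path()``.
    """
    ps = ps.scope(region)
    # Guard: describe_images with no ImageIds and no Filters is not "nothing",
    # it is "every image visible to the account", which includes all public
    # AMIs.  Never let an empty id list reach the API.
    if not amis:
        return ps.path()
    service_proxy = proxy.service('ec2', region)
    result = service_proxy.list(
        'describe_images',
        ImageIds=amis,
        # Remove the default filters -- the explicit ids pin the result set.
        Filters=[])
    _log.debug(f'describe images result {result}')
    if result is not None:
        resource_name, raw_resources = result[0], result[1]
        # Launch permissions are deliberately not collected
        # (no _add_image_attributes call): these images are not owned by
        # this account, so the attribute lookup is not ours to make.
        writer(ps, resource_name, raw_resources, {'region': region})
    return ps.path()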
def add_logs_resource_policies(db: Session, proxy: Proxy,
                               region_cache: RegionCache, writer: ImportWriter,
                               import_job: ImportJob, ps: PathStack,
                               account_id: str):
  """Write one synthesized ``ResourcePolicy`` per matching CloudWatch log group.

  For each region offering the ``logs`` service, the resource policies are
  fetched (keyed by log-group name prefix, as ``_import_resource_policies``
  returns them), every prefix is expanded to the log-group URIs known for
  this import, and a per-log-group policy is built from all statements
  that apply to it.

  Args:
      db: Open SQLAlchemy session, passed to the URI lookup.
      proxy: Provider proxy; ``proxy.service('logs', region)`` per region.
      region_cache: Source of the regions to scan.
      writer: Import writer receiving ``{'Policy': ..., 'arn': uri}``
          records tagged with the region.
      import_job: Supplies ``provider_account_id`` for the URI lookup.
      ps: Path stack passed through to the writer unchanged.
      account_id: AWS account id the log groups belong to.
  """
  for region in region_cache.regions_for_service('logs'):
    prefix_policies = _import_resource_policies(proxy.service('logs', region))
    statements_by_uri = defaultdict(list)
    for prefix, statements in prefix_policies.items():
      matching_uris = _log_group_uris_by_prefix(
          db, import_job.provider_account_id, account_id, region, prefix)
      # A log group may match several prefixes; collect every statement.
      for uri in matching_uris:
        statements_by_uri[uri].extend(statements)
    for uri, statements in statements_by_uri.items():
      writer(ps, 'ResourcePolicy',
             {'Policy': _make_policy(statements), 'arn': uri},
             {'region': region})
def _create_provider_and_credential(
        db: Session, proxy: Proxy, identity,
        external_id: Optional[int]) -> ProviderAccount:
    """Insert a new AWS ``ProviderAccount`` and record the caller's credential.

    The account name is the organization id from ``describe_organization``,
    or ``OrgDummy:<account id>`` when the API reports
    ``AWSOrganizationsNotInUseException``; other ``ClientError``s propagate.

    Args:
        db: Open SQLAlchemy session; the new row is added and flushed, not
            committed.
        proxy: Provider proxy used to reach the Organizations API.
        identity: Caller identity; ``identity['Account']`` is read.
        external_id: Stored on the new account as-is (may be ``None``).

    Returns:
        The freshly created ``ProviderAccount`` (id populated by the flush).

    Raises:
        botocore.exceptions.ClientError: For Organizations errors other
            than "not in use".
    """
    account_id = identity['Account']
    organizations = proxy.service('organizations')
    try:
        org_id = organizations.get('describe_organization')['Organization']['Id']
    except botocore.exceptions.ClientError as err:
        error_code = err.response.get('Error', {}).get('Code')
        if error_code != 'AWSOrganizationsNotInUseException':
            raise
        org_id = f'OrgDummy:{account_id}'
    provider = ProviderAccount(provider='aws', name=org_id,
                               external_id=external_id)
    db.add(provider)
    # Flush so provider.id is assigned before the credential references it.
    db.flush()
    _require_credential(db, provider.id, identity)
    return provider
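def synthesize_account_root(proxy: Proxy, db: Session, import_job: ImportJob,
                            path: str, account_id: str, partition: str):
    """Record a synthetic ``RootAccount`` resource and whether root has a virtual MFA.

    The root user is not imported from an IAM listing; its ARN is built from
    ``partition`` and ``account_id`` and the MFA flag comes from scanning
    ``list_virtual_mfa_devices`` for the well-known root device serial
    ``arn:<partition>:iam::<account_id>:mfa/root-account-mfa-device``.

    Args:
        proxy: Provider proxy; ``proxy.service('iam')`` is used.
        db: Open SQLAlchemy session.
        import_job: Import job the resource is attributed to.
        path: Import path the resource is recorded under.
        account_id: AWS account id.
        partition: AWS partition of the account (``aws``, ``aws-us-gov``,
            ``aws-cn``); used for both the root ARN and the MFA serial.

    Note:
        Only *virtual* MFA devices are inspected.  A root user protected by
        a hardware MFA device is reported as ``has_virtual_mfa=False``, so
        this flag alone must not be read as "root has no MFA".
    """
    iam = proxy.service('iam')
    # The serial must use the account's partition: in aws-us-gov / aws-cn
    # the root device is not "arn:aws:...", and a hard-coded "aws" prefix
    # would never match and silently report MFA as absent there.
    root_mfa_serial = (
        f'arn:{partition}:iam::{account_id}:mfa/root-account-mfa-device')
    has_virtual_mfa = False
    mfa_resp = iam.list('list_virtual_mfa_devices')
    if mfa_resp is not None:
        has_virtual_mfa = any(
            device['SerialNumber'] == root_mfa_serial
            for device in mfa_resp[1]['VirtualMFADevices'])

    root_arn = f'arn:{partition}:iam::{account_id}:root'
    mapped = MappedResource(name='<root account>',
                            uri=root_arn,
                            provider_type='RootAccount',
                            raw={
                                'Arn': root_arn,
                                'has_virtual_mfa': has_virtual_mfa
                            },
                            service='iam',
                            category=None)
    attrs: List[MappedAttribute] = [
        MappedAttribute(type='provider', name='Arn', value=root_arn),
        MappedAttribute(type='provider',
                        name='has_virtual_mfa',
                        value=has_virtual_mfa),
    ]
    apply_mapped_attrs(db,
                       import_job,
                       path,
                       mapped,
                       attrs,
                       source='base',
                       raw_import_id=None)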