def _get_or_create_provider(db: Session, proxy: Proxy, identity: Dict, confirm: ConfirmAcct, external_id: Optional[int]) -> ProviderAccount:
    """Return the ProviderAccount for the caller's AWS organization, creating it on demand.

    The account is keyed on the organization id from ``describe_organization``;
    when Organizations is not enabled for the account a synthetic
    ``OrgDummy:<account id>`` key is used instead.

    Args:
        db: Open SQLAlchemy session used for the lookup.
        proxy: Service proxy used to reach the ``organizations`` API.
        identity: Caller identity dict (presumably the STS caller identity -
            confirm against caller); the ``Account`` key is read.
        confirm: Callback asked before a new account is created.
        external_id: Optional external id that further narrows the lookup.

    Returns:
        The existing or newly created ProviderAccount.

    Raises:
        GFError: If ``confirm`` declines creation of a new account.
        botocore.exceptions.ClientError: Re-raised for any Organizations error
            other than ``AWSOrganizationsNotInUseException``.
    """
    organizations = proxy.service('organizations')
    try:
        org_id = organizations.get('describe_organization')['Organization']['Id']
    except botocore.exceptions.ClientError as err:
        error_code = err.response.get('Error', {}).get('Code')
        # Stand-alone accounts have no organization; fall back to a synthetic key.
        if error_code != 'AWSOrganizationsNotInUseException':
            raise
        org_id = f'OrgDummy:{identity["Account"]}'

    criteria = [ProviderAccount.provider == 'aws', ProviderAccount.name == org_id]
    if external_id is not None:
        criteria.append(ProviderAccount.external_id == external_id)
    existing = db.query(ProviderAccount).filter(*criteria).one_or_none()
    if existing is not None:
        _require_credential(db, existing.id, identity)
        return existing

    # Only create a new account once the caller has explicitly agreed.
    if not confirm(identity):
        raise GFError('User cancelled')
    return _create_provider_and_credential(db, proxy, identity, external_id)
def _build_import_job_desc(proxy: Proxy, identity: Dict) -> Dict:
    """Build the description dict recorded on a new AWS import job.

    Args:
        proxy: Service proxy used to reach the ``organizations`` API.
        identity: Caller identity dict; ``Account``, ``UserId`` and ``Arn``
            are read.

    Returns:
        A dict with ``account`` (organization id and provider), ``principal``
        (the importing identity) and the ``aws_org`` / ``aws_graph`` pair
        returned by ``_build_org_graph``.
    """
    org_service = proxy.service('organizations')
    org, graph = _build_org_graph(org_service, identity['Account'])
    account_desc = {'account_id': org['Id'], 'provider': 'aws'}
    principal_desc = {
        'provider_id': identity['UserId'],
        'provider_uri': identity['Arn'],
    }
    return {
        'account': account_desc,
        'principal': principal_desc,
        'aws_org': org,
        'aws_graph': graph,
    }
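def add_amis_to_import_job(proxy: Proxy, writer: ImportWriter, ps: PathStack, region: str, amis: List[str]) -> str:
    """Describe the given AMIs in one region and hand them to the import writer.

    Args:
        proxy: Service proxy used to reach the regional ``ec2`` API.
        writer: Import writer that receives the described images.
        ps: Path stack; scoped to ``region`` before anything is written.
        region: AWS region the AMIs live in.
        amis: Image ids to describe. An empty list results in no API call.

    Returns:
        The scoped path, ``ps.scope(region).path()``.
    """
    ps = ps.scope(region)
    # Nothing requested: skip the API call. The EC2 API treats an empty
    # ImageIds list as "no id filter", so together with Filters=[] the call
    # would describe every image visible to the account rather than none.
    if not amis:
        return ps.path()
    service_proxy = proxy.service('ec2', region)
    result = service_proxy.list(
        'describe_images',
        ImageIds=amis,
        # Remove the default filters
        Filters=[])
    # Lazy %-formatting: the (possibly large) result is only rendered when
    # debug logging is enabled.
    _log.debug('describe images result %s', result)
    if result is not None:
        resource_name, raw_resources = result[0], result[1]
        # Launch permissions (_add_image_attributes) are deliberately not
        # added here because we don't own the images.
        writer(ps, resource_name, raw_resources, {'region': region})
    return ps.path()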
def add_logs_resource_policies(db: Session, proxy: Proxy, region_cache: RegionCache, writer: ImportWriter, import_job: ImportJob, ps: PathStack, account_id: str):
    """Expand CloudWatch Logs resource policies onto the log groups they cover and write them.

    For every region where ``logs`` is available, the resource policies are
    fetched (keyed by the prefix they apply to, as used by the lookup below),
    each known log group matching a prefix is resolved to its URI, and all
    statements applying to a URI are combined into one synthesized policy
    written as a ``ResourcePolicy`` resource.

    Args:
        db: Open SQLAlchemy session used for the log-group lookup.
        proxy: Service proxy used to reach the regional ``logs`` API.
        region_cache: Source of the regions where ``logs`` is available.
        writer: Import writer receiving one ``ResourcePolicy`` per log group.
        import_job: Import job whose ``provider_account_id`` scopes the lookup.
        ps: Path stack passed through to the writer.
        account_id: Account whose log groups are matched.
    """
    for region in region_cache.regions_for_service('logs'):
        policies_by_prefix = _import_resource_policies(proxy.service('logs', region))
        statements_by_uri = defaultdict(list)
        for prefix, statements in policies_by_prefix.items():
            matching_uris = _log_group_uris_by_prefix(
                db, import_job.provider_account_id, account_id, region, prefix)
            for log_group_uri in matching_uris:
                statements_by_uri[log_group_uri].extend(statements)
        for uri, combined in statements_by_uri.items():
            writer(ps, 'ResourcePolicy', {
                'Policy': _make_policy(combined),
                'arn': uri
            }, {'region': region})
def _create_provider_and_credential(
    db: Session, proxy: Proxy, identity, external_id: Optional[int]) -> ProviderAccount:
    """Create a ProviderAccount for the caller's organization and attach a credential.

    Resolves the organization id the same way ``_get_or_create_provider``
    does: the ``describe_organization`` id, or ``OrgDummy:<account id>`` when
    Organizations is not in use for the account.

    Args:
        db: Open SQLAlchemy session; the new row is added and flushed.
        proxy: Service proxy used to reach the ``organizations`` API.
        identity: Caller identity dict; the ``Account`` key is read.
        external_id: Optional external id stored on the account.

    Returns:
        The newly created ProviderAccount (flushed, not committed here).

    Raises:
        botocore.exceptions.ClientError: Re-raised for any Organizations error
            other than ``AWSOrganizationsNotInUseException``.
    """
    account_id = identity['Account']
    organizations = proxy.service('organizations')
    try:
        org_id = organizations.get('describe_organization')['Organization']['Id']
    except botocore.exceptions.ClientError as err:
        if err.response.get('Error', {}).get('Code') != 'AWSOrganizationsNotInUseException':
            raise
        # No organization: key the account on its own id instead.
        org_id = f'OrgDummy:{account_id}'

    provider = ProviderAccount(provider='aws', name=org_id, external_id=external_id)
    db.add(provider)
    # Flush so provider.id is populated before the credential references it.
    db.flush()
    _require_credential(db, provider.id, identity)
    return provider
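def synthesize_account_root(proxy: Proxy, db: Session, import_job: ImportJob, path: str, account_id: str, partition: str):
    """Record a synthetic ``RootAccount`` resource together with its virtual-MFA status.

    Virtual MFA on the root user is detected by matching the well-known
    serial ``arn:<partition>:iam::<account>:mfa/root-account-mfa-device``
    against the devices returned by ``list_virtual_mfa_devices``.

    Args:
        proxy: Service proxy used to reach the ``iam`` API.
        db: Open SQLAlchemy session handed to ``apply_mapped_attrs``.
        import_job: Import job the resource is attributed to.
        path: Import path under which the resource is recorded.
        account_id: Account whose root user is synthesized.
        partition: ARN partition (e.g. ``aws``, ``aws-us-gov``). Used for both
            the root ARN and the MFA serial so the check also works outside the
            commercial partition.
    """
    mfa_resp = proxy.service('iam').list('list_virtual_mfa_devices')
    # The MFA serial must use the same partition as the root ARN. A
    # hard-coded 'aws' never matches devices in aws-cn / aws-us-gov and
    # would silently report root as having no virtual MFA.
    root_mfa_arn = f'arn:{partition}:iam::{account_id}:mfa/root-account-mfa-device'
    has_virtual_mfa = False
    if mfa_resp is not None:
        has_virtual_mfa = any(
            mfa['SerialNumber'] == root_mfa_arn
            for mfa in mfa_resp[1]['VirtualMFADevices'])

    arn = f'arn:{partition}:iam::{account_id}:root'
    mapped = MappedResource(
        name='<root account>',
        uri=arn,
        provider_type='RootAccount',
        raw={
            'Arn': arn,
            'has_virtual_mfa': has_virtual_mfa
        },
        service='iam',
        category=None)
    attrs: List[MappedAttribute] = [
        MappedAttribute(type='provider', name='Arn', value=arn),
        MappedAttribute(type='provider', name='has_virtual_mfa', value=has_virtual_mfa)
    ]
    apply_mapped_attrs(db, import_job, path, mapped, attrs, source='base', raw_import_id=None)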