def get_cognito_user_info_by_user_name(trace_id, user_name, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # get user_pool try: client = boto3.client("cognito-idp") except ClientError as e: raise common_utils.write_log_exception(e, logger) user_pool_id = os.environ.get("COGNITO_USER_POOL_ID") try: user_info = client.admin_get_user( UserPoolId=user_pool_id, Username=user_name) except ClientError as e: if e.response['Error']['Code'] == CommonConst.COGNITO_USER_NOT_FOUND_EXCEPTION: return None raise common_utils.write_log_exception(e, logger) logger.info("End : get cognito users info success") return user_info
def process_admin_create_user_pools( trace_id, user_name, user_attributes, temporary_password, message_action): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # get client cognito try: client = boto3.client("cognito-idp") except ClientError as e: raise common_utils.write_log_exception(e, pm_logger) user_pool_id = os.environ.get("COGNITO_USER_POOL_ID") try: user_info = client.admin_create_user( UserPoolId=user_pool_id, Username=user_name, TemporaryPassword=temporary_password, UserAttributes=user_attributes, MessageAction=message_action) except Exception as e: raise common_utils.write_log_exception(e, pm_logger) pm_logger.info("End : create cognito users success") return user_info
def send_email(trace_id, region_name, sender, bcc, subject, body): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: client = boto3.client( service_name='ses', region_name=region_name) except ClientError as e: pm_logger.error("[%s] SESクライアント作成に失敗しました。", region_name) raise common_utils.write_log_exception(e, pm_logger) try: response = client.send_email( Source=sender, Destination={ 'BccAddresses': bcc }, Message={ 'Subject': { 'Data': subject, 'Charset': 'UTF-8' }, 'Body': { 'Text': { 'Data': body, 'Charset': 'UTF-8' } } } ) if response['ResponseMetadata']['HTTPStatusCode'] != 200: raise PmError() except ClientError as e: raise common_utils.write_log_exception(e, pm_logger)
def list_entities_for_policy(trace_id, session, aws_account, policy_arn): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # 対象AWSアカウントに対する接続を作成します。 try: client = session.client(service_name="iam") except ClientError as e: pm_logger.error("[%s] IAMクライアント作成に失敗しました。", aws_account) raise common_utils.write_log_exception(e, pm_logger) try: response = client.list_entities_for_policy(PolicyArn=policy_arn) if (len(response) == 0): return [] policy_groups = response['PolicyGroups'] policy_users = response['PolicyUsers'] policy_roles = response['PolicyRoles'] is_truncated = response['IsTruncated'] while (is_truncated is True): marker = response['Marker'] response = client.list_entities_for_policy(PolicyArn=policy_arn, Marker=marker) policy_groups.extend(response['PolicyGroups']) policy_users.extend(response['PolicyUsers']) policy_roles.extend(response['PolicyRoles']) is_truncated = response['IsTruncated'] except ClientError as e: pm_logger.error("[%s]ポリシーエンティティ情報の取得に失敗しました。(%s)", aws_account, policy_arn) raise common_utils.write_log_exception(e, pm_logger) list_entities_for_policy = {} list_entities_for_policy['PolicyGroups'] = policy_groups list_entities_for_policy['PolicyUsers'] = policy_users list_entities_for_policy['PolicyRoles'] = policy_roles return list_entities_for_policy
def get_list_buckets(trace_id, check_history_id, organization_id, project_id, s3_client, aws_account): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) s3_file_name = CommonConst.PATH_CHECK_RAW.format( check_history_id, organization_id, project_id, aws_account, "ASC/S3_ListBuckets.json") # リソース情報取得 if (aws_common.check_exists_file_s3(trace_id, "S3_CHECK_BUCKET", s3_file_name)) is True: try: list_buckets = FileUtils.read_json(trace_id, "S3_CHECK_BUCKET", s3_file_name) except PmError as e: raise common_utils.write_log_exception(e, pm_logger) else: # S3バケット一覧を取得します。 try: list_buckets = S3Utils.list_buckets(trace_id, s3_client, aws_account) except PmError as e: raise common_utils.write_log_exception(e, pm_logger) # S3バケット一覧情報をS3に保存します。 try: FileUtils.upload_json(trace_id, "S3_CHECK_BUCKET", list_buckets, s3_file_name) except PmError as e: pm_logger.error("[%s] S3バケット一覧情報のS3保存に失敗しました。", aws_account) raise common_utils.write_log_exception(e, pm_logger) return list_buckets
def get_list_policies(trace_id, session, awsaccount): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # 対象AWSアカウントに対する接続を作成します。 try: client = session.client(service_name="iam") except ClientError as e: pm_logger.error("[%s] IAMクライアント作成に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) # IAMのアカウントパスワードポリシー情報を取得します。 policies = [] try: response = client.list_policies() if common_utils.check_key("Policies", response): policies = response["Policies"] # AWS SDKを用いて複数件のリソース情報取得を行う際の注意事項 is_truncated = response['IsTruncated'] while (is_truncated is True): marker = response['Marker'] response = client.list_policies(Marker=marker) policies.extend(response['Policies']) is_truncated = response['IsTruncated'] except ClientError as e: pm_logger.error("[%s] ポリシー一覧情報の取得に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) # return data return policies
def get_credential_report(trace_id, session, awsaccount): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # 対象AWSアカウントに対する接続を作成します。 try: client = session.client(service_name="iam") except ClientError as e: pm_logger.error("[%s] IAMクライアント作成に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) # IAMユーザーのCredentialReportを取得します。 try: result = client.generate_credential_report() while (result['State'] != 'COMPLETE'): time.sleep(2) result = client.generate_credential_report() credential_report = client.get_credential_report() except ClientError as e: pm_logger.error("[%s] CredentialReportの取得に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) # return data if common_utils.check_key("Content", credential_report): return str(credential_report['Content'].decode()) return []
def sqs_delete_message(trace_id, queue_url, receipt_handle): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: client = boto3.client("sqs") client.delete_message( QueueUrl=queue_url, ReceiptHandle=receipt_handle ) pm_logger.info("End : delete message queue success") except ClientError as e: common_utils.write_log_exception(e, pm_logger, True)
def submit_job(trace_id, job_name, job_queue, depends_on, job_definition, parameters, container_overrides, max_retry, is_cw_logger=False): frame = inspect.currentframe() params = common_utils.get_params_function(frame) if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, frame) else: logger = common_utils.begin_logger(trace_id, __name__, frame) job_id = [] aws_batch_job_submit = os.getenv('AWS_BATCH_JOB_SUBMIT', 'ON') if aws_batch_job_submit == 'OFF': job_id = [ { 'jobId': str(uuid.uuid4()) } ] return common_utils.response(job_id, logger), params try: client = boto3.client('batch') except ClientError as e: raise common_utils.write_log_exception(e, logger) try: response = client.submit_job( jobName=job_name, jobQueue=job_queue, dependsOn=depends_on, jobDefinition=job_definition, parameters=parameters, containerOverrides=container_overrides, retryStrategy={ 'attempts': int(max_retry) } ) job_id = [ { 'jobId': response['jobId'] }, ] logger.info("End : submit job success") except ClientError as e: raise common_utils.write_log_exception(e, logger) return common_utils.response(job_id, logger), params
def describe_security_groups(trace_id, awsaccount, ec2_client, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) security_groups = [] try: response = ec2_client.describe_security_groups() if common_utils.check_key("SecurityGroups", response): security_groups = response["SecurityGroups"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while (next_token is not None): response = ec2_client.describe_security_groups( NextToken=next_token) security_groups.extend(response['SecurityGroups']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: pm_logger.error("[%s/%s] セキュリティグループ情報の取得に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, pm_logger) return security_groups
def describe_volumes(trace_id, awsaccount, ec2_client, region_name, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) ebs_volumes = [] try: response = ec2_client.describe_volumes() if common_utils.check_key("Volumes", response): ebs_volumes = response["Volumes"] next_token = None if 'NextToken' in response: next_token = response['NextToken'] while (next_token is not None): response = ec2_client.describe_volumes(NextToken=next_token) ebs_volumes.extend(response['Volumes']) if 'NextToken' in response: next_token = response['NextToken'] else: next_token = None except ClientError as e: logger.error("[%s/%s] EBSボリューム情報の取得に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, logger) return ebs_volumes
def sqs_receive_message(trace_id): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) queue_url = os.environ.get("SQS_ORGANIZATION_QUEUE") try: client = boto3.client("sqs") response = client.receive_message( QueueUrl=queue_url, MaxNumberOfMessages=10 ) messages = None if (common_utils.check_key('Messages', response)): messages = common_utils.response(response['Messages'], pm_logger) return common_utils.response(messages, pm_logger) except ClientError as e: common_utils.write_log_exception(e, pm_logger, True)
def get_bucket_encryption(trace_id, s3_client, bucket, aws_account, region_name, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) bucket_encryption = [] try: result = s3_client.get_bucket_encryption(Bucket=bucket) except ClientError as e: if e.response["Error"]["Code"] == CommonConst.SERVER_SIDE_ENCRYPTION_CONFIGURATION_NOT_FOUND_ERROR: logger.info("[%s]S3バケット暗号化情報がありません。(%s/%s)", aws_account, region_name, bucket) raise PmError(cause_error=e) elif e.response['Error']['Code'] in CommonConst.S3_SKIP_EXCEPTION: logger.warning("[%s] 権限エラーによりS3バケットリージョン情報の取得に失敗しました。(%s/%s)", aws_account, region_name, bucket) raise common_utils.write_log_warning(e, logger) else: logger.error("[%s]S3バケット暗号化情報の取得に失敗しました。(%s/%s)", aws_account, region_name, bucket) raise common_utils.write_log_exception(e, logger) if common_utils.check_key("ServerSideEncryptionConfiguration", result): if common_utils.check_key("Rules", result["ServerSideEncryptionConfiguration"]): bucket_encryption = result["ServerSideEncryptionConfiguration"]["Rules"] return bucket_encryption
def get_regions(trace_id, session=None, filter_describe_regions=CommonConst.FILTER_DESCRIBE_REGIONS, all_regions=True, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: if session: ec2_client = session.client('ec2') else: ec2_client = boto3.client('ec2') if filter_describe_regions is not None and all_regions is not None: response = ec2_client.describe_regions( Filters=filter_describe_regions, AllRegions=all_regions) elif filter_describe_regions is not None: response = ec2_client.describe_regions( Filters=filter_describe_regions) elif all_regions is not None: response = ec2_client.describe_regions( AllRegions=all_regions) else: response = ec2_client.describe_regions() except ClientError as e: raise common_utils.write_log_exception(e, logger) return response['Regions']
def lambda_invoke(trace_id, function_name, query, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: client = boto3.client('lambda') client.invoke( FunctionName=function_name, InvocationType='Event', Payload=query ) logger.info("End : call function lambda success") except ClientError as e: common_utils.write_log_exception(e, logger, True)
def get_account_summary(trace_id, session, aws_account): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # 対象AWSアカウントに対する接続を作成します。 try: client = session.client(service_name="iam") except ClientError as e: pm_logger.error("[%s] IAMクライアント作成に失敗しました。", aws_account) raise common_utils.write_log_exception(e, pm_logger) try: response = client.get_account_summary() except ClientError as e: pm_logger.error("[%s] アカウントサマリーの取得に失敗しました。", aws_account) raise common_utils.write_log_exception(e, pm_logger) if common_utils.check_key("SummaryMap", response): return response['SummaryMap'] return []
def get_cloud_front_client(trace_id, session, aws_account): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: cloud_front_client = session.client(service_name="cloudfront") except ClientError as e: pm_logger.error("[%s] CloudFrontクライアント作成に失敗しました。", aws_account) raise common_utils.write_log_exception(e, pm_logger) return cloud_front_client
def get_log_stream_name(trace_id, jobId): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: batch = boto3.client( service_name='batch', region_name='ap-northeast-1', endpoint_url='https://batch.ap-northeast-1.amazonaws.com') result = batch.describe_jobs(jobs=[jobId]) except ClientError as e: raise common_utils.write_log_exception(e, pm_logger) try: log_stream_name = result['jobs'][0]['container']['logStreamName'] except KeyError as e: raise common_utils.write_log_exception(e, pm_logger) return log_stream_name
def get_step_functions_client(trace_id): cw_logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) try: step_functions_client = boto3.client('stepfunctions') except ClientError as e: cw_logger.error("Step Functionsクライアント作成に失敗しました。") raise common_utils.write_log_exception(e, cw_logger) return step_functions_client
def update_cognito_user_attributes(trace_id, user_name, attributes_update): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: client = boto3.client("cognito-idp") except ClientError as e: raise common_utils.write_log_exception(e, pm_logger) user_pool_id = os.environ.get("COGNITO_USER_POOL_ID") try: response = client.admin_update_user_attributes( UserPoolId=user_pool_id, Username=user_name, UserAttributes=attributes_update) except ClientError as e: raise common_utils.write_log_exception(e, pm_logger) pm_logger.info("End : Update cognito users success") return response
def delete_cognito_user_by_user_name(trace_id, user_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # get client cognito try: client = boto3.client("cognito-idp") except ClientError as e: raise common_utils.write_log_exception(e, pm_logger) # delete cognito user user_pool_id = os.environ.get("COGNITO_USER_POOL_ID") try: client.admin_delete_user( UserPoolId=user_pool_id, Username=user_name) except ClientError as e: raise common_utils.write_log_exception(e, pm_logger) pm_logger.info("End : delete cognito user success")
def toDate(strDate, time_zone=None): pm_logger = common_utils.begin_logger(None, __name__, inspect.currentframe()) try: date = parse(strDate) if time_zone is not None: date = date.replace(tzinfo=timezone(time_zone)) except Exception as e: raise common_utils.write_log_exception(e, pm_logger) return date
def get_trail_client(trace_id, session, region_name, awsaccount): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: trail_client = session.client( service_name="cloudtrail", region_name=region_name) except ClientError as e: pm_logger.error("[%s] CloudTrailクライアント作成に失敗しました。 ", awsaccount) raise common_utils.write_log_exception(e, pm_logger) return trail_client
def get_kms_client(trace_id, awsaccount, session, region_name): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: kms_client = session.client(service_name="kms", region_name=region_name) except ClientError as e: pm_logger.error("[%s] KMSクライアント作成に失敗しました。", awsaccount) raise common_utils.write_log_exception(e, pm_logger) return kms_client
def get_logs_client(trace_id, session, region_name, aws_account): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: logs_client = session.client(service_name="logs", region_name=region_name) except ClientError as e: pm_logger.error("[%s/%s] CloudWatch Logsクライアント作成に失敗しました。", aws_account, region_name) raise common_utils.write_log_exception(e, pm_logger) return logs_client
def generate_presigned_url(trace_id, bucket, key, expire_time=3600): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) url = None try: client = boto3.client('s3') except ClientError as e: raise common_utils.write_log_exception(e, pm_logger) try: url = client.generate_presigned_url( ClientMethod='get_object', Params={'Bucket': bucket, 'Key': key}, ExpiresIn=expire_time) pm_logger.info("End : Get url success") except ClientError as e: raise common_utils.write_log_exception(e, pm_logger) return url
def get_distribution(trace_id, cloud_front_client, distributions_id, aws_account): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: response = cloud_front_client.get_distribution(Id=distributions_id) except ClientError as e: pm_logger.error("[%s] ディストリビューション情報取得に失敗しました。(%s)", aws_account, distributions_id) raise common_utils.write_log_exception(e, pm_logger) return response['Distribution']
def get_config_client(trace_id, session, region_name, awsaccount): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) try: config_client = session.client(service_name='config', region_name=region_name) except ClientError as e: pm_logger.error("[%s/%s] Configクライアント作成に失敗しました。", awsaccount, region_name) raise common_utils.write_log_exception(e, pm_logger) return config_client
def aws_sns(trace_id, subject, message, topic_arn, is_cw_logger=False): if (is_cw_logger): logger = common_utils.begin_cw_logger(trace_id, __name__, inspect.currentframe()) else: logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) # connect sns try: client = boto3.client("sns") except ClientError as e: raise common_utils.write_log_exception(e, logger) try: # Publish a message. client.publish( Subject=subject, Message=message, TopicArn=topic_arn) logger.info("End : send message to sns success") except ClientError as e: common_utils.write_log_exception(e, logger, True)
def send_message_slack(trace_id, webhook_url, data_json): pm_logger = common_utils.begin_logger(trace_id, __name__, inspect.currentframe()) headers = {'Content-Type': 'application/json', 'Charset': 'utf-8'} try: req = request.Request(webhook_url, data=data_json.encode('utf-8'), headers=headers) request.urlopen(req) except Exception as e: raise common_utils.write_log_exception(e, pm_logger)