def get_tasks(self):
conf_mgr = cm.ConfManager(self.metas[tac.server_uri],
self.metas[tac.session_key])
tasks = self._get_config_rule_tasks(conf_mgr)
settings = conf_mgr.all_stanzas_as_dicts(self.conf_file,
do_reload=False)
proxy_info = tpc.get_proxy_info(self.metas[tac.session_key])
# set proxy here for validating credentials
tacommon.set_proxy_env(proxy_info)
set_log_level(settings[tac.log_stanza][tac.log_level])
valid_tasks = []
for task in tasks:
try:
# validate credentials
tacommon.get_service_client(task, tac.config)
task[tac.log_level] = settings[tac.log_stanza][tac.log_level]
task.update(settings[tac.global_settings])
task.update(proxy_info)
valid_tasks.append(task)
except Exception as e:
input_name = scutil.extract_datainput_name(task[tac.name])
logger.exception(
'Failed to load credentials, ignore this input.',
datainput=input_name)
return tacommon.handle_hec(valid_tasks, "aws_config_rule")
def _do_indexing(self):
if self._credentials.need_retire():
self._cli, self._credentials = tacommon.get_service_client(
self._config, tac.inspector)
account_id = self._credentials.account_id
AWSInspectorAssessmentRunsDataLoader(self._config, self._cli,
account_id).run()
AWSInspectorFindingsDataLoader(self._config, self._cli,
account_id).run()
def _expand_tasks(self, stanza):
tasks = []
regions = stanza[tac.regions].split(",")
for region in regions:
task = copy.copy(stanza)
task[tac.region] = region.strip()
task[tac.polling_interval] = int(stanza[tac.polling_interval])
task[tac.is_secure] = True
task[tac.datainput] = task[tac.stanza_name]
try:
tacommon.get_service_client(task, tac.inspector)
tasks.append(task)
except Exception as e:
input_name = scutil.extract_datainput_name(task[tac.name])
logger.exception(
'Failed to load credentials, ingore this input.',
datainput=input_name,
region=region)
return tasks
def __init__(self, config):
"""
:config: dict object
{
"interval": 30,
"sourcetype": yyy,
"index": zzz,
}
"""
self._config = config
self._stopped = False
self._client, self._credentials = tacommon.get_service_client(
config, tac.config)
self._lock = threading.Lock()
self._ckpt = ackpt.AWSConfigRuleCheckpointer(config)
account_id = self._credentials.account_id
region = config[tac.region]
self._source_config_rules = "{}:{}:configRule".format(
account_id, region)
self._source_status = self._source_config_rules + ":evaluationStatus"
self._source_detail = self._source_config_rules + ":complianceDetail"
self._source_summary = self._source_config_rules + ":complianceSummary"
def _do_index_data(self):
if self._credentials.need_retire():
self._client, self._credentials = tacommon.get_service_client(
self._config, tac.config)
next_token = ""
rule_names = self._config.get("rule_names", [])
throttling = 0
while 1:
try:
response = self._client.describe_config_rules(
ConfigRuleNames=rule_names, NextToken=next_token)
except ClientError as e:
error_code = e.response["Error"].get("Code", "Unknown")
error_message = e.response["Error"].get("Message", "Unknown")
if error_code == "NoSuchConfigRuleException" and \
error_message.startswith('The ConfigRule'):
invalid_rule = error_message.split("'")[1]
rule_names.remove(invalid_rule)
logger.info("Neglect invalid rule and retry.",
invalid_rule=invalid_rule)
if rule_names:
next_token = ""
continue
else:
# empty rule_names will list all,
# directly returns to avoid
logger.info("No valid config rule found.",
region=self._config[tac.region],
datainput=self._config[tac.datainput])
return
elif error_code == "ThrottlingException":
logger.info(
"Throttling happened when DescribeConfigRules, "
"use exponential back off logic.")
time.sleep(2**(throttling + 1))
throttling += 1
else:
logger.exception(
"Unknown error code returned when describing config rules.",
region=self._config[tac.region],
datainput=self._config[tac.datainput])
return
except:
logger.exception(
"Unknown exception happened when describing config rules.",
region=self._config[tac.region],
datainput=self._config[tac.datainput])
return
if not tacommon.is_http_ok(response):
logger.error("Failed to describe config rules, errorcode=%s",
tacommon.http_code(response))
return
rules = response.get("ConfigRules")
if not rules:
return
self._index_rules(rules)
next_token = response.get("NextToken")
if not next_token:
return
def __init__(self, config):
self._config = config
self._stopped = False
self._lock = threading.Lock()
self._cli, self._credentials = tacommon.get_service_client(
self._config, tac.inspector)