c7n.mu module

class c7n.mu.AbstractLambdaFunction
    Bases: object

    Abstract base class for lambda functions.

    - alias = None
    - concurrency
    - dead_letter_config
    - description
    - environment
    - handler
    - kms_key_arn
    - layers
    - memory_size
    - name: Name for the lambda function
    - role
    - runtime
    - security_groups
    - subnets
    - timeout
    - tracing_config
class c7n.mu.BucketLambdaNotification(data, session_factory, bucket)
    Bases: object

    Subscribe a lambda to bucket notifications directly.
class c7n.mu.BucketSNSNotification(session_factory, bucket, topic=None)
    Bases: c7n.mu.SNSSubscription

    Subscribe a lambda to bucket notifications via SNS.
class c7n.mu.CloudWatchEventSource(data, session_factory)
    Bases: object

    Subscribe a lambda to CloudWatch Events.

    CloudWatch Events supports a number of different event sources, from periodic timers with cron syntax, to real-time instance state notifications, CloudTrail events, and real-time ASG membership changes.

    Event pattern for instance state:

        {
          "source": ["aws.ec2"],
          "detail-type": ["EC2 Instance State-change Notification"],
          "detail": {"state": ["pending"]}
        }

    Event pattern for CloudTrail API calls:

        {
          "detail-type": ["AWS API Call via CloudTrail"],
          "detail": {
            "eventSource": ["s3.amazonaws.com"],
            "eventName": ["CreateBucket", "DeleteBucket"]
          }
        }

    - ASG_EVENT_MAPPING = {
          'launch-failure': 'EC2 Instance Launch Unsuccessful',
          'launch-success': 'EC2 Instance Launch Successful',
          'terminate-failure': 'EC2 Instance Terminate Unsuccessful',
          'terminate-success': 'EC2 Instance Terminate Successful'}
    - client
    - static delta(src, tgt): Given two CloudWatch Events rules, determine whether their configuration is the same. The name is already implied.
    - session
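The following is an added example, not code from c7n, showing a delta(src, tgt)-style comparison of two CloudWatch Events rules as the events API represents them (Name, State, EventPattern, ScheduleExpression). The rule name is ignored, as the docstring above says; which fields are compared, and the canonical-JSON treatment of EventPattern, are this example's assumptions.

```python
# Added example, not c7n code. The compared fields are this example's assumption.
import json

COMPARED_FIELDS = ("EventPattern", "ScheduleExpression", "State")

def _canonical_pattern(pattern):
    """EventPattern travels through the API as a JSON string; key order and
    whitespace are not configuration changes, so compare a canonical form."""
    if pattern is None:
        return None
    if isinstance(pattern, str):
        pattern = json.loads(pattern)
    return json.dumps(pattern, sort_keys=True, separators=(",", ":"))

def rule_changed_fields(src: dict, tgt: dict) -> list:
    """Compared fields whose configuration differs between src and tgt;
    the rule name is ignored, as in the page's delta()."""
    diffs = []
    for field in COMPARED_FIELDS:
        a, b = src.get(field), tgt.get(field)
        if field == "EventPattern":
            a, b = _canonical_pattern(a), _canonical_pattern(b)
        if a != b:
            diffs.append(field)
    return diffs

def rule_delta(src: dict, tgt: dict) -> bool:
    """True when the deployed rule needs updating (configuration differs)."""
    return bool(rule_changed_fields(src, tgt))

# Constructed samples built around the page's instance-state pattern.
PENDING = {"source": ["aws.ec2"],
           "detail-type": ["EC2 Instance State-change Notification"],
           "detail": {"state": ["pending"]}}
DESIRED = {"Name": "custodian-ec2-pending", "State": "ENABLED",
           "EventPattern": PENDING}
# The same rule as the API hands it back: other name, pattern as a string, keys reordered.
DEPLOYED_SAME = {"Name": "custodian-ec2-pending-old", "State": "ENABLED",
                 "EventPattern": json.dumps(dict(reversed(list(PENDING.items()))))}
# Drifted: the match was widened to running instances and the rule was disabled.
DRIFTED_PATTERN = {**PENDING, "detail": {"state": ["pending", "running"]}}
DEPLOYED_DRIFTED = {"Name": "custodian-ec2-pending", "State": "DISABLED",
                    "EventPattern": json.dumps(DRIFTED_PATTERN)}
```

rule_changed_fields() is what you would log when a deployment decides to call PutRule, so a drifted rule leaves a record of which setting moved.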
class c7n.mu.CloudWatchLogSubscription(session_factory, log_groups, filter_pattern)
    Bases: object

    Subscribe a lambda to one or more log groups.

    - iam_delay = 1.5
class c7n.mu.ConfigRule(data, session_factory)
    Bases: object

    Use a lambda as a custom config rule.
class c7n.mu.LambdaFunction(func_data, archive)
    Bases: c7n.mu.AbstractLambdaFunction

    - concurrency
    - dead_letter_config
    - description
    - environment
    - handler
    - kms_key_arn
    - layers
    - memory_size
    - name: Name for the lambda function
    - role
    - runtime
    - security_groups
    - subnets
    - timeout
    - tracing_config
class c7n.mu.LambdaManager(session_factory, s3_asset_path=None)
    Bases: object

    Provides CRUD operations around lambda functions.

    - add(func, alias=None, role=None, s3_uri=None)
class c7n.mu.PolicyLambda(policy)
    Bases: c7n.mu.AbstractLambdaFunction

    Wraps a custodian policy to turn it into a lambda function.

    - concurrency
    - dead_letter_config
    - description
    - environment
    - handler = 'custodian_policy.run'
    - kms_key_arn
    - layers
    - memory_size
    - name: Name for the lambda function
    - packages
    - role
    - runtime
    - security_groups
    - subnets
    - timeout
    - tracing_config
class c7n.mu.PythonPackageArchive(modules=(), cache_file=None)
    Bases: object

    Creates a zip file for python lambda functions.

    Parameters: modules (tuple) – the Python modules to add to the archive

    Amazon doesn't give us straightforward docs here, only an example, from which we can infer that they simply unzip the file into a directory on sys.path. So what we do is locate all of the modules specified, and add all of the .py files we find for these modules to a zip file.

    In addition to the modules specified during instantiation, you can add arbitrary additional files to the archive using add_file() and add_contents(). For example, since we only add *.py files for you, you'll need to manually add files for any compiled extension modules that your Lambda requires.

    - add_contents(dest, contents): Add file contents to the archive under dest. If dest is a path, it will be added compressed and world-readable (user-writeable). You may also pass a ZipInfo for custom behavior.
    - add_file(src, dest=None): Add the file at src to the archive. If dest is None then it is added under just the original filename. So add_file('foo/bar.txt') ends up at bar.txt in the archive, while add_file('bar.txt', 'foo/bar.txt') ends up at foo/bar.txt.
    - add_modules(ignore, modules): Add the named Python modules to the archive. For consistency's sake we only add *.py files, not *.pyc. We also don't add other files, including compiled modules. You'll have to add such files manually using add_file().
    - add_py_file(src, dest=None): This is a special case of add_file() that helps when adding a .py file while a .pyc may be present as well. For example, if __file__ is foo.pyc and you do archive.add_py_file(__file__), this method will add foo.py instead if it exists, and raise IOError if it doesn't.
    - close(): Close the zip file. Note that the underlying tempfile is removed when the archive is garbage collected.
    - get_checksum(encoder=<function b64encode>, hasher=<built-in function openssl_sha256>): Return the b64-encoded sha256 checksum of the archive.
    - path
    - size
    - zip_compression = 8
class c7n.mu.SNSSubscription(session_factory, topic_arns)
    Bases: object

    Subscribe a lambda to one or more SNS topics.

    - iam_delay = 1.5
class c7n.mu.SQSSubscription(session_factory, queue_arns, batch_size=10)
    Bases: object

    Subscribe a lambda to one or more SQS queues.
c7n.mu.custodian_archive(packages=None)
    Create a lambda code archive for running custodian.

    The lambda archive currently always includes c7n and pkg_resources. Add additional packages in the mode block.

    Example policy that includes additional packages:

        policy:
          name: lambda-archive-example
          resource: s3
          mode:
            packages:
              - botocore

    packages: List of additional packages to include in the lambda archive.
c7n.mu.zinfo(fname)
    Amazon Lambda's execution environment setup can break itself if zip files aren't constructed a particular way, i.e. it respects file permission attributes from the zip, including those that prevent Lambda from working. Namely, Lambda extracts code as one user and executes it as a different user; without permission for the executing user to read the file, the lambda function is broken.

    Python's default zipfile.writestr records a 0600 perm, which we modify here as a workaround.
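An added example, not c7n's own code, covering both the zinfo() workaround above and the world-readable add_contents() / get_checksum() behaviour of PythonPackageArchive: it writes one member the default way (mode 0600) and once through a hypothetical readable_zinfo() helper modelled on zinfo(), reads the recorded permission bits back, and computes the base64 sha256 checksum. The helper name, the 0o644 mode and the sample module content are this example's assumptions.

```python
# Added example, not c7n code: readable_zinfo() is a hypothetical helper
# modelled on the page's zinfo(); 0o644 is this example's assumed mode.
import base64
import hashlib
import io
import stat
import zipfile

def readable_zinfo(fname: str, mode: int = 0o644) -> zipfile.ZipInfo:
    """ZipInfo whose permission bits let a user other than the owner (the
    Lambda execution user, not the one that unzips the code) read the file."""
    info = zipfile.ZipInfo(fname)
    info.compress_type = zipfile.ZIP_DEFLATED   # zip_compression = 8 on the page
    # The high 16 bits of external_attr carry the Unix mode; S_IFREG = regular file.
    info.external_attr = (stat.S_IFREG | mode) << 16
    return info

def build_archive(fix_perms: bool) -> bytes:
    """Write one module into an in-memory zip, with or without the workaround."""
    payload = b"def run(event, context):\n    return 'ok'\n"   # constructed sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if fix_perms:
            zf.writestr(readable_zinfo("custodian_policy.py"), payload)
        else:
            # Plain writestr(name, data) records mode 0600 (owner-only).
            zf.writestr("custodian_policy.py", payload)
    return buf.getvalue()

def member_mode(archive: bytes, name: str) -> int:
    """Unix permission bits recorded for a member of the archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return (zf.getinfo(name).external_attr >> 16) & 0o777

def lambda_can_read(archive: bytes, name: str) -> bool:
    """True if 'other' users may read the member, i.e. the function can load it."""
    return bool(member_mode(archive, name) & stat.S_IROTH)

def b64_sha256(archive: bytes) -> str:
    """The checksum get_checksum() describes: base64 of the raw sha256 digest."""
    return base64.b64encode(hashlib.sha256(archive).digest()).decode("ascii")

if __name__ == "__main__":
    for fix in (False, True):
        blob = build_archive(fix)
        print(f"fix_perms={fix}: mode={member_mode(blob, 'custodian_policy.py'):o} "
              f"readable={lambda_can_read(blob, 'custodian_policy.py')} "
              f"sha256={b64_sha256(blob)}")
```

Because readable_zinfo() leaves ZipInfo's default timestamp in place, the fixed archive is also byte-for-byte reproducible, so its checksum can be compared across builds.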