manheim_c7n_tools.policygen module

class manheim_c7n_tools.policygen.PolicyGen(config)

Bases: object

_add_always_notify(conf)

Given a policy configuration like the one returned by _apply_defaults(), return the input unchanged if the always_notify configuration value is empty or not present; otherwise ensure that the policy contains at least one type: notify action with the specified transport and to.

Parameters: conf (dict) – configuration as returned by _apply_defaults()
Returns: conf with an always_notify action added if configured
Return type: dict
_apply_defaults(defaults, policy)
_array_merge(base, update, policy_name, path)

Start with update and add entries from base.

_check_policies(policies)

Check all of our policies to ensure that they conform with some rules and best practices around safety and sanity.

Each policy in policies is passed through each of the self._check_policy_* functions (which return a boolean pass/fail). At the end, all failures are collected. If there are any, SystemExit(1) is raised.

Parameters: policies (list) – list of policy dictionaries
Raises: SystemExit(1) if any policies failed checks
_check_policy_mark_but_no_tag_filter(policy)

Policy performs a mark action, but does not filter out resources already marked with that tag.

_check_policy_mark_for_op_bad_message(policy)

The mark-for-op action has a message that does not end with “: {op}@{action_date}”; such a message won’t be parsed by c7n and the mark will be ignored.

_check_policy_marked_for_op_first(policy)

Policy includes a marked-for-op filter, but it is not the first filter.
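The three sanity checks above, re-implemented as an added example over plain cloud-custodian policy dicts (this is not manheim_c7n_tools' own code). It assumes filters and actions are lists of dicts, that a mark action names its tag with a "tag" key (c7n's default is "maid_status"), and that a tag is "filtered out" by a "tag:<name>: absent" value filter; the sample policies are constructed.

```python
# Added example, not the project's code. Assumptions: c7n-style filters/actions
# lists of dicts; a "mark" action's tag key is "tag" (default "maid_status");
# "tag:<name>: absent" is how a policy excludes already-marked resources.
MARK_FOR_OP_SUFFIX = ": {op}@{action_date}"  # the part c7n parses back out


def _actions_of_type(policy, action_type):
    return [a for a in policy.get("actions", [])
            if isinstance(a, dict) and a.get("type") == action_type]


def check_mark_but_no_tag_filter(policy):
    """Fail when a mark action's tag is not excluded by a filter: the policy
    would re-mark (and re-notify on) resources it has already processed."""
    filters = policy.get("filters", [])
    for action in _actions_of_type(policy, "mark"):
        tag = action.get("tag", "maid_status")
        if not any(isinstance(f, dict) and f.get("tag:" + tag) == "absent"
                   for f in filters):
            return False
    return True


def check_mark_for_op_bad_message(policy):
    """Fail when a mark-for-op msg lacks the suffix c7n parses op/date from;
    a missing msg is fine because c7n's default message carries the suffix."""
    return all(a.get("msg", MARK_FOR_OP_SUFFIX).endswith(MARK_FOR_OP_SUFFIX)
               for a in _actions_of_type(policy, "mark-for-op"))


def check_marked_for_op_first(policy):
    """Fail when a marked-for-op filter is present but is not the first."""
    for idx, f in enumerate(policy.get("filters", [])):
        if isinstance(f, dict) and f.get("type") == "marked-for-op":
            return idx == 0
    return True


CHECKS = (check_mark_but_no_tag_filter, check_mark_for_op_bad_message,
          check_marked_for_op_first)


def find_failures(policies):
    """Return (policy name, failed check name) pairs over all policies."""
    return [(p["name"], c.__name__) for p in policies for c in CHECKS if not c(p)]


def check_policies(policies):
    """Mirror _check_policies: report every failure, then exit non-zero."""
    failures = find_failures(policies)
    for name, check in failures:
        print("FAIL %s: %s" % (name, check))
    if failures:
        raise SystemExit(1)


# Constructed sample policies: one well-formed, one that trips all three checks.
GOOD_POLICY = {
    "name": "ec2-missing-owner-mark", "resource": "ec2",
    "filters": [{"tag:Owner": "absent"}, {"tag:c7n_stop": "absent"}],
    "actions": [{"type": "mark-for-op", "tag": "c7n_stop", "op": "stop",
                 "days": 4, "msg": "Missing Owner tag" + MARK_FOR_OP_SUFFIX}],
}
BAD_POLICY = {
    "name": "ec2-bad-example", "resource": "ec2",
    "filters": [{"tag:Owner": "absent"},
                {"type": "marked-for-op", "tag": "c7n_stop", "op": "stop"}],
    "actions": [{"type": "mark", "tag": "c7n_owner_missing", "value": "true"},
                {"type": "mark-for-op", "tag": "c7n_stop", "op": "stop",
                 "msg": "Will be stopped soon"}],
}
```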

_generate_cleanup_policies(policies)

When c7n is run, it provisions all policies as Lambda functions. But if policies are removed, it doesn’t know how to clean them up. See https://github.com/capitalone/cloud-custodian/issues/48

As a workaround for this, we tag all Lambda functions created by c7n with Project: cloud-custodian and a Component tag of the policy name.

This method generates policies that look for cloud-custodian Lambda functions and CloudWatch Events that aren’t in the current list of policies, and therefore probably need cleanup, and notifies us.

Parameters: policies (list) – list of policy dictionaries
Returns: list of c7n cleanup policies to add
Return type: list
_generate_configs(policies, defaults, region_name)

Given policies read from disk, apply defaults, generate cleanup policies, and sanity/safety check the policies. Then write the custodian configs to disk and return the resulting policies dict.

Parameters:
  • policies (dict) – the policies read from disk (return value of _read_policies())
  • defaults (dict) – the defaults to apply to the policies
  • region_name (str) – the name of the region these configs are for
Returns: dictionary of final policies
Return type: dict
_merge_conf(base, update, policy_name, path)

Merge update into base.

_policy_comment(policy)
_policy_rst(region_policies)

Build the policies rST source for the documentation.

Parameters: region_policies (dict) – dict of region names to per-region dict of policy name to policy content, for that region.
Returns: built rST markup for policies docs
Return type: str
_policy_rst_data(account_policies)

Build the policy rST table data.

Parameters: account_policies (dict) – dict of Account names to dict of [region names to per-region dict of policy name to policy content].
Returns: list of [name, regions, comment] lists for each policy
Return type: list
_read_file_yaml(path)

Unit test helper: return the parsed YAML from the file contents.

_read_policies(subdir)

Read policy files from a subdirectory of the policies directory, and return the resulting dict of policy names to policy contents.

Parameters: subdir (str) – directory path under policies/ to read
Returns: dict of policy names to policies
Return type: dict
_read_policy_directory(policy_dir)

Read all policies from a policies/ subdirectory (all_accounts/ or an account name). Return a dict of region names to dict of policies (name to policy) for that region.

Parameters: policy_dir (str) – policies/ subdirectory name to read policies from
Returns: dict of region name to policies dict (name to policy)
Return type: dict
_regions_rst()
_write_custodian_configs(result, region_name)

Write the per-region custodian_REGION.yml config file to disk. This also handles %% macro and environment variable substitution.

Parameters:
  • result (dict) – final custodian configuration
  • region_name (str) – the name of the region the configs are for
_write_file(path, content)

Write a file; helper to make unit tests simpler.

run()
manheim_c7n_tools.policygen.main()
manheim_c7n_tools.policygen.strip_doc(func)

Given a function or method reference, return its docstring as one line (with all newlines removed and all whitespace collapsed).

manheim_c7n_tools.policygen.timestr()

Just here to make unit testing simpler.