manheim_c7n_tools.policygen module

class manheim_c7n_tools.policygen.PolicyGen(config)
    Bases: object
_add_always_notify(conf)
    Given a policy configuration like the one returned by _apply_defaults(), return the input unchanged if the always_notify configuration value is empty or not present; otherwise ensure that the policy contains at least one type: notify action with the specified transport and to.

    Parameters: conf (dict) – configuration as returned by _apply_defaults()
    Returns: conf with the always_notify action if configured
    Return type: dict
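The following is an added example of the behaviour described above; it is not the manheim-c7n-tools implementation of _add_always_notify(). It assumes always_notify is a dict with a `transport` key (a c7n notify transport dict) and a `to` key (a list of recipients), and that a policy is a c7n-style dict whose actions live in an `actions` list. The configuration and policy values are constructed.

```python
# Added example, not manheim-c7n-tools code. Assumptions: always_notify is a
# dict with `transport` and `to`; a policy is a c7n-style dict with an
# `actions` list. The sample configuration below is constructed.
import copy

ALWAYS_NOTIFY = {                                # constructed always_notify config
    "transport": {"type": "sqs",
                  "queue": "https://sqs.us-east-1.amazonaws.com/000000000000/c7n-notify"},
    "to": ["ops-team@example.com"],
}


def _satisfies(action, transport, to):
    """True if `action` is a notify action on `transport` reaching every recipient in `to`."""
    return (isinstance(action, dict)
            and action.get("type") == "notify"
            and action.get("transport") == transport
            and all(recipient in action.get("to", []) for recipient in to))


def add_always_notify(conf, always_notify):
    """Return conf unchanged when always_notify is empty or None, or when a
    matching notify action already exists; otherwise return a deep copy with
    one appended, so the caller's input is never mutated."""
    if not always_notify:
        return conf
    transport = always_notify["transport"]
    to = list(always_notify["to"])
    if any(_satisfies(a, transport, to) for a in conf.get("actions", [])):
        return conf
    updated = copy.deepcopy(conf)
    updated.setdefault("actions", []).append(
        {"type": "notify", "transport": copy.deepcopy(transport), "to": to}
    )
    return updated


if __name__ == "__main__":
    policy = {"name": "ec2-stop-marked", "resource": "ec2",
              "actions": [{"type": "stop"}]}
    print(add_always_notify(policy, ALWAYS_NOTIFY)["actions"])
```

The function is idempotent: applying it twice returns the same object the second time, and the original policy dict is left untouched, which matters when the same loaded policy is later rendered for several regions.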
_array_merge(base, update, policy_name, path)
    Starts with update and adds entries from base.
_check_policies(policies)
    Check all of our policies to ensure that they conform with some rules and best practices around safety and sanity.

    Each policy in policies is passed through each of the self._check_policy_* functions (which return a boolean pass/fail). At the end, all failures are collected. If there are any, SystemExit(1) is raised.

    Parameters: policies (list) – list of policy dictionaries
    Raises: SystemExit(1) if any policies failed checks
_check_policy_mark_but_no_tag_filter(policy)
    Policy performs a mark action, but does not filter out resources already marked with that tag.
_check_policy_mark_for_op_bad_message(policy)
    mark-for-op action has a message that does not end with ": {op}@{action_date}" (it won't be parsed by c7n and will be ignored).
_check_policy_marked_for_op_first(policy)
    Policy includes a marked-for-op filter, but it is not the first filter.
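The block below is an added example, not the manheim-c7n-tools implementation: it shows the three _check_policy_* checks described above, plus a collector that, like _check_policies(), runs every policy through every check, gathers all failures and raises SystemExit(1) if there were any. Key names follow Cloud Custodian's policy schema (mark/tag and mark-for-op actions carrying a `tag` key and a `msg` key, the marked-for-op filter, the `tag:<name>` filter shorthand); the default mark tag `maid_status` and the sample policies are this example's assumptions.

```python
# Added example; not manheim-c7n-tools code. Key names follow c7n's policy
# schema; DEFAULT_TAG and the sample policies are constructed for the example.
import sys

MARK_ACTIONS = {"mark", "tag", "mark-for-op"}
DEFAULT_TAG = "maid_status"            # c7n's default mark tag (assumption)
MSG_SUFFIX = ": {op}@{action_date}"    # suffix c7n parses back out of the tag value


def _marked_tag(action):
    """Tag key a mark/mark-for-op action writes (explicit `tag`, `key`, or the default)."""
    return action.get("tag") or action.get("key") or DEFAULT_TAG


def _filter_excludes_tag(flt, tag):
    """True if filter `flt` drops resources that already carry `tag`."""
    if not isinstance(flt, dict):
        return False
    if flt.get(f"tag:{tag}") == "absent":                       # shorthand form
        return True
    return (flt.get("type") == "value" and flt.get("key") == f"tag:{tag}"
            and flt.get("value") == "absent")                    # explicit value filter


def check_mark_but_no_tag_filter(policy):
    """Fail when a mark action writes tag T but no filter excludes resources
    already tagged T: every run would re-mark them and push the date out."""
    filters = policy.get("filters", [])
    for action in policy.get("actions", []):
        if isinstance(action, dict) and action.get("type") in MARK_ACTIONS:
            if not any(_filter_excludes_tag(f, _marked_tag(action)) for f in filters):
                return False
    return True


def check_mark_for_op_message(policy):
    """Fail when a mark-for-op msg does not end with ': {op}@{action_date}'."""
    for action in policy.get("actions", []):
        if isinstance(action, dict) and action.get("type") == "mark-for-op":
            if "msg" in action and not action["msg"].endswith(MSG_SUFFIX):
                return False
    return True


def check_marked_for_op_first(policy):
    """Fail when a marked-for-op filter is present but is not the first filter."""
    for index, flt in enumerate(policy.get("filters", [])):
        if isinstance(flt, dict) and flt.get("type") == "marked-for-op":
            return index == 0
    return True


CHECKS = [check_mark_but_no_tag_filter, check_mark_for_op_message, check_marked_for_op_first]


def collect_failures(policies):
    """Run every check on every policy; return [(policy name, failed check name), ...]."""
    failures = []
    for policy in policies:
        for check in CHECKS:
            if not check(policy):
                failures.append((policy.get("name", "<unnamed>"), check.__name__))
    return failures


def check_policies(policies):
    """Report every failure on stderr, then raise SystemExit(1) if there were any."""
    failures = collect_failures(policies)
    for name, check in failures:
        print(f"FAIL {name}: {check}", file=sys.stderr)
    if failures:
        raise SystemExit(1)


# Constructed sample policies
GOOD_MARK = {
    "name": "ec2-mark-no-owner", "resource": "ec2",
    "filters": [{"tag:Owner": "absent"}, {"tag:custodian_cleanup": "absent"}],
    "actions": [{"type": "mark-for-op", "tag": "custodian_cleanup", "op": "stop", "days": 7,
                 "msg": "Missing Owner tag: {op}@{action_date}"}],
}
GOOD_ENFORCE = {
    "name": "ec2-stop-marked", "resource": "ec2",
    "filters": [{"type": "marked-for-op", "tag": "custodian_cleanup", "op": "stop"},
                {"tag:Owner": "absent"}],
    "actions": [{"type": "stop"}],
}
BAD_MARK = {  # no "tag:custodian_cleanup: absent" filter, and msg lacks the suffix
    "name": "ec2-mark-no-owner-bad", "resource": "ec2",
    "filters": [{"tag:Owner": "absent"}],
    "actions": [{"type": "mark-for-op", "tag": "custodian_cleanup", "op": "stop", "days": 7,
                 "msg": "Missing Owner tag"}],
}
BAD_ORDER = {  # marked-for-op filter is second, not first
    "name": "ec2-stop-marked-bad", "resource": "ec2",
    "filters": [{"tag:Owner": "absent"},
                {"type": "marked-for-op", "tag": "custodian_cleanup", "op": "stop"}],
    "actions": [{"type": "stop"}],
}

if __name__ == "__main__":
    check_policies([GOOD_MARK, GOOD_ENFORCE, BAD_MARK, BAD_ORDER])
```

Collecting every failure before exiting, rather than stopping at the first, is what makes the check useful in CI: one run reports all offending policies, and the non-zero exit status blocks the deploy.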
_generate_cleanup_policies(policies)
    When c7n is run, it provisions all policies as Lambda functions. But if policies are removed, it doesn't know how to clean them up. See https://github.com/capitalone/cloud-custodian/issues/48

    As a workaround for this, we tag all Lambda functions created by c7n with Project: cloud-custodian and a Component tag of the policy name.

    This method generates policies that look for cloud-custodian Lambda functions and CloudWatch Events that aren't in the current list of policies, and therefore probably need cleanup, and notifies us.

    Parameters: policies (list) – list of policy dictionaries
    Returns: list of c7n cleanup policies to add
    Return type: list
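As an added example (not the manheim-c7n-tools generator), the block below builds c7n policies that look for Lambda functions and CloudWatch Events rules tagged Project=cloud-custodian whose Component tag is not a current policy name, and notifies. The tag names come from the text above; the c7n resource names ("lambda", "event-rule"), the value filter with op: not-in, and the notify action fields are this example's assumptions about the c7n schema, and the queue URL is a placeholder.

```python
# Added example; not manheim-c7n-tools code. Tag names come from the docs
# above; resource names, the not-in value filter and the notify fields are
# assumptions about the c7n schema. Sample inputs are constructed.
CLEANUP_TARGETS = (("lambda", "c7n-cleanup-orphaned-lambdas"),
                   ("event-rule", "c7n-cleanup-orphaned-event-rules"))


def generate_cleanup_policies(policy_names, notify_to, transport):
    """Return one cleanup policy per target resource type.

    The cleanup policies are themselves deployed as Lambda functions tagged
    with their own names, so those names are added to the allow-list too;
    otherwise every run would report the cleanup policies as orphans."""
    current = sorted(set(policy_names) | {name for _, name in CLEANUP_TARGETS})
    policies = []
    for resource, name in CLEANUP_TARGETS:
        policies.append({
            "name": name,
            "resource": resource,
            "comment": f"cloud-custodian {resource} resources not owned by a current policy",
            "filters": [
                {"tag:Project": "cloud-custodian"},
                {"type": "value", "key": "tag:Component", "op": "not-in", "value": current},
            ],
            "actions": [{
                "type": "notify",
                "subject": f"[c7n] orphaned {resource} resources need cleanup",
                "to": list(notify_to),
                "transport": transport,
            }],
        })
    return policies


def is_orphan(tags, current_names):
    """Local evaluation of the two filters above against one resource's tag
    dict, so the example can show what the generated policy would flag."""
    return (tags.get("Project") == "cloud-custodian"
            and tags.get("Component") not in current_names)


if __name__ == "__main__":
    import json
    current = ["ec2-stop-marked", "s3-public-bucket-check"]
    transport = {"type": "sqs", "queue": "QUEUE_URL_PLACEHOLDER"}   # placeholder
    print(json.dumps(generate_cleanup_policies(current, ["ops-team@example.com"], transport),
                     indent=2))
```

The allow-list is rebuilt from the current policy names on every run, so a policy deleted from the repository shows up as an orphan on the next scheduled execution without any extra bookkeeping.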
_generate_configs(policies, defaults, region_name)
    Given policies read from disk, apply defaults, generate cleanup policies, and sanity/safety check the policies. Then write the custodian configs to disk and return the resulting policies dict.

    Parameters:
        - policies (dict) – the policies read from disk (return value of _read_policies())
        - defaults (dict) – the defaults to apply to the policies
        - region_name (str) – the name of the region these configs are for
    Returns: dictionary of final policies
    Return type: dict
_load_all_policies()
    Read the policies, either from the current list of policy_source_paths directories if that config key exists, or simply from the policies/ subdirectory if it doesn't.
_load_defaults()
    Load a defaults.yml file from either the policies/ subdirectory or the directories in the policy_source_paths configuration key.
_policy_rst(region_policies)
    Build the policies rST source for the documentation.

    Parameters: region_policies (dict) – dict of region names to a per-region dict of policy name to policy content for that region
    Returns: built rST markup for the policies docs
    Return type: str
_policy_rst_data(account_policies)
    Build the policy rST table data.

    Parameters: account_policies (dict) – dict of account names to a dict of [region names to a per-region dict of policy name to policy content]
    Returns: list of [name, regions, comment] lists, one for each policy
    Return type: list
_read_policies(subdir)
    Read policy files from a subdirectory of the policies directory, and return the resulting dict of policy names to policy contents.

    Parameters: subdir (str) – directory path under policies/ to read
    Returns: dict of policy names to policies
    Return type: dict
_read_policy_directory(policy_dir)
    Read all policies from a policies/ subdirectory (all_accounts/ or an account name). Return a dict of region names to a dict of policies (name to policy) for that region.

    Parameters: policy_dir (str) – policies/ subdirectory name to read policies from
    Returns: dict of region name to policies dict (name to policy)
    Return type: dict