c7n.mu module¶

class c7n.mu.AbstractLambdaFunction[source]¶

Bases: object

Abstract base class for lambda functions.

alias = None¶

concurrency¶

dead_letter_config¶

description¶

environment¶

get_archive()[source]¶: Return the lambda distribution archive object.

get_config()[source]¶

get_events(session_factory)[source]¶: event sources that should be bound to this lambda.

handler¶

kms_key_arn¶

layers¶

memory_size¶

name¶: Name for the lambda function

role¶

runtime¶

security_groups¶

subnets¶

tags¶

timeout¶

tracing_config¶

class c7n.mu.BucketLambdaNotification(data, session_factory, bucket)[source]¶

Bases: object

Subscribe a lambda to bucket notifications directly.

_get_notifies(s3, func)[source]¶

add(func)[source]¶

delta(src, tgt)[source]¶

remove(func)[source]¶

class c7n.mu.BucketSNSNotification(session_factory, bucket, topic=None)[source]¶

Bases: c7n.mu.SNSSubscription

Subscribe a lambda to bucket notifications via SNS.

get_topic(bucket)[source]¶

class c7n.mu.CloudWatchEventSource(data, session_factory)[source]¶

Bases: object

Subscribe a lambda to cloud watch events.

Cloud watch events supports a number of different event sources, from periodic timers with cron syntax, to real time instance state notifications, cloud trail events, and realtime asg membership changes.

Event Pattern for Instance State

{
  "source": ["aws.ec2"],
  "detail-type": ["EC2 Instance State-change Notification"],
  "detail": { "state": ["pending"]}
}

Event Pattern for Cloud Trail API

{
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
     "eventSource": ["s3.amazonaws.com"],
     "eventName": ["CreateBucket", "DeleteBucket"]
  }
}

ASG_EVENT_MAPPING = {'launch-failure': 'EC2 Instance Launch Unsuccessful', 'launch-success': 'EC2 Instance Launch Successful', 'terminate-failure': 'EC2 Instance Terminate Unsuccessful', 'terminate-success': 'EC2 Instance Terminate Successful'}¶

add(func)[source]¶

client¶

static delta(src, tgt)[source]¶

Given two cwe rules determine if the configuration is the same.

Name is already implied.

get(rule_name)[source]¶

pause(func)[source]¶

remove(func)[source]¶

render_event_pattern()[source]¶

resolve_cloudtrail_payload(payload)[source]¶

resume(func)[source]¶

session¶

update(func)[source]¶

class c7n.mu.CloudWatchLogSubscription(session_factory, log_groups, filter_pattern)[source]¶

Bases: object

Subscribe a lambda to a log group[s]

add(func)[source]¶

iam_delay = 1.5¶

remove(func)[source]¶

class c7n.mu.ConfigRule(data, session_factory)[source]¶

Bases: object

Use a lambda as a custom config rule.

add(func)[source]¶

static delta(rule, params)[source]¶

get(rule_name)[source]¶

get_rule_params(func)[source]¶

remove(func)[source]¶

class c7n.mu.LambdaFunction(func_data, archive)[source]¶

Bases: c7n.mu.AbstractLambdaFunction

concurrency¶

dead_letter_config¶

description¶

environment¶

get_archive()[source]¶: Return the lambda distribution archive object.

get_events(session_factory)[source]¶: event sources that should be bound to this lambda.

handler¶

kms_key_arn¶

layers¶

memory_size¶

name¶: Name for the lambda function

role¶

runtime¶

security_groups¶

subnets¶

tags¶

timeout¶

tracing_config¶

class c7n.mu.LambdaManager(session_factory, s3_asset_path=None)[source]¶

Bases: object

Provides CRUD operations around lambda functions

_create_or_update(func, role=None, s3_uri=None, qualifier=None)[source]¶

_update_concurrency(existing, func)[source]¶

_update_tags(existing, new_tags)[source]¶

_upload_func(s3_uri, func, archive)[source]¶

add(func, alias=None, role=None, s3_uri=None)¶

static delta_function(old_config, new_config)[source]¶

static diff_tags(old_tags, new_tags)[source]¶

get(func_name, qualifier=None)[source]¶

list_functions(prefix=None)[source]¶

logs(func, start, end)[source]¶

metrics(funcs, start, end, period=300)[source]¶

publish(func, alias=None, role=None, s3_uri=None)[source]¶

publish_alias(func_data, alias)[source]¶: Create or update an alias for the given function.

remove(func, alias=None)[source]¶

class c7n.mu.PolicyLambda(policy)[source]¶

Bases: c7n.mu.AbstractLambdaFunction

Wraps a custodian policy to turn it into a lambda function.

concurrency¶

dead_letter_config¶

description¶

environment¶

get_archive()[source]¶: Return the lambda distribution archive object.

get_events(session_factory)[source]¶: event sources that should be bound to this lambda.

handler = 'custodian_policy.run'¶

kms_key_arn¶

layers¶

memory_size¶

name¶: Name for the lambda function

packages¶

role¶

runtime¶

security_groups¶

subnets¶

tags¶

timeout¶

tracing_config¶

class c7n.mu.PythonPackageArchive(modules=(), cache_file=None)[source]¶

Bases: object

Creates a zip file for python lambda functions.

Parameters:	modules (tuple) – the Python modules to add to the archive

Amazon doesn’t give us straightforward docs here, only an example, from which we can infer that they simply unzip the file into a directory on sys.path. So what we do is locate all of the modules specified, and add all of the .py files we find for these modules to a zip file.

In addition to the modules specified during instantiation, you can add arbitrary additional files to the archive using add_file() and add_contents(). For example, since we only add *.py files for you, you’ll need to manually add files for any compiled extension modules that your Lambda requires.

add_contents(dest, contents)[source]¶

Add file contents to the archive under dest.

If dest is a path, it will be added compressed and world-readable (user-writeable). You may also pass a ZipInfo for custom behavior.

add_directory(path, ignore=None)[source]¶: Add *.py files under the directory path to the archive.

add_file(src, dest=None)[source]¶

Add the file at src to the archive.

If dest is None then it is added under just the original filename. So add_file('foo/bar.txt') ends up at bar.txt in the archive, while add_file('bar.txt', 'foo/bar.txt') ends up at foo/bar.txt.

add_modules(ignore, modules)[source]¶: Add the named Python modules to the archive. For consistency’s sake we only add *.py files, not *.pyc. We also don’t add other files, including compiled modules. You’ll have to add such files manually using add_file().

add_py_file(src, dest=None)[source]¶

This is a special case of add_file() that helps for adding a py when a pyc may be present as well. So for example, if __file__ is foo.pyc and you do:

archive.add_py_file(__file__)

then this method will add foo.py instead if it exists, and raise IOError if it doesn’t.

close()[source]¶

Close the zip file.

Note underlying tempfile is removed when archive is garbage collected.

create_zinfo(file)[source]¶

get_bytes()[source]¶: Return the entire zip file as a byte string.

get_checksum(encoder=<function b64encode>, hasher=<built-in function openssl_sha256>)[source]¶: Return the b64 encoded sha256 checksum of the archive.

get_filenames()[source]¶: Return a list of filenames in the archive.

get_reader()[source]¶: Return a read-only ZipFile.

get_stream()[source]¶: Return the entire zip file as a stream.

path¶

remove()[source]¶: Dispose of the temp file for garbage collection.

size¶

zip_compression = 8¶

class c7n.mu.SNSSubscription(session_factory, topic_arns)[source]¶

Bases: object

Subscribe a lambda to one or more SNS topics.

static _parse_arn(arn)[source]¶

add(func)[source]¶

iam_delay = 1.5¶

remove(func)[source]¶

class c7n.mu.SQSSubscription(session_factory, queue_arns, batch_size=10)[source]¶

Bases: object

Subscribe a lambda to one or more SQS queues.

add(func)[source]¶

remove(func)[source]¶

class c7n.mu.SecurityHubAction(policy, session_factory)[source]¶

Bases: object

_get_arn()[source]¶

add(func)[source]¶

delta(src, tgt)[source]¶

get(name)[source]¶

remove(func)[source]¶

update(func)[source]¶

c7n.mu._package_deps(package, deps=None, ignore=())[source]¶: Recursive gather package’s named transitive dependencies

c7n.mu.checksum(fh, hasher, blocksize=65536)[source]¶

c7n.mu.custodian_archive(packages=None)[source]¶

Create a lambda code archive for running custodian.

Lambda archive currently always includes c7n and pkg_resources. Add additional packages in the mode block.

Example policy that includes additional packages

policy:
  name: lambda-archive-example
  resource: s3
  mode:
    packages:
      - botocore

packages: List of additional packages to include in the lambda archive.

c7n.mu.generate_requirements(package, ignore=())[source]¶: Generate frozen requirements file for the given package.

c7n.mu.resource_exists(op, NotFound='ResourceNotFoundException', *args, **kw)[source]¶

c7n.mu.zinfo(fname)[source]¶

Amazon lambda exec environment setup can break itself if zip files aren’t constructed a particular way.

ie. It respects file perm attributes from the zip including those that prevent lambda from working. Namely lambda extracts code as one user, and executes code as a different user. Without permissions for the executing user to read the file the lambda function is broken.

Python’s default zipfile.writestr does a 0600 perm which we modify here as a workaround.