manheim_c7n_tools.policygen module
- class manheim_c7n_tools.policygen.PolicyGen(config)
Bases: object
- _add_always_notify(conf)
Given a policy configuration like the one returned by _apply_defaults(), return the input unchanged if the always_notify configuration value is empty or not present, or else ensure that the policy contains at least one type: notify action with the specified transport and to.
- Parameters
conf (dict) – configuration as returned by _apply_defaults()
- Returns
conf with always_notify action if configured
- Return type
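The always_notify behaviour described above, as an added example that is not the project's own code. It takes always_notify as an explicit argument (assumed shape: a to list and a transport dict) instead of reading it from the PolicyGen config, and treats a notify action as matching when its transport equals the configured one.

```python
from copy import deepcopy


def add_always_notify(conf, always_notify):
    """Return conf unchanged if always_notify is empty or None; otherwise return a
    copy that is guaranteed to contain a type: notify action with the configured
    transport and recipients (an existing matching action gains missing recipients)."""
    if not always_notify:
        return conf
    policy = deepcopy(conf)  # never mutate the caller's policy dict
    wanted_to = list(always_notify["to"])
    wanted_transport = always_notify["transport"]
    actions = policy.setdefault("actions", [])
    for action in actions:
        if (isinstance(action, dict) and action.get("type") == "notify"
                and action.get("transport") == wanted_transport):
            recipients = list(action.get("to", []))
            action["to"] = recipients + [t for t in wanted_to if t not in recipients]
            return policy
    # No notify action with this transport yet: append one.
    actions.append({"type": "notify", "to": wanted_to,
                    "transport": deepcopy(wanted_transport)})
    return policy


# Constructed inputs (assumed values, not from any real deployment).
ALWAYS_NOTIFY = {"to": ["security-team@example.com"],
                 "transport": {"type": "sqs", "queue": "c7n-mailer-queue"}}
BARE_POLICY = {"name": "s3-public", "resource": "s3",
               "actions": [{"type": "mark", "tag": "public-bucket"}]}
```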
- _array_merge(base, update, policy_name, path)
Merge two arrays: start with the contents of update, then add the entries from base.
- _check_policies(policies)
Check all of our policies to ensure that they conform with some rules and best practices around safety and sanity.
Each policy in policies is passed through each of the self._check_policy_* functions (which return a boolean pass/fail). At the end, all failures are collected. If there are any, SystemExit(1) is raised.
- Parameters
policies (list) – list of policy dictionaries
- Raises
SystemExit(1) if any policies failed checks
- _check_policy_function_prefix(policy)
Fail if function-prefix doesn’t match between manheim-c7n-tools config and the policy.
- _check_policy_mark_but_no_tag_filter(policy)
Policy performs a mark action, but does not filter out resources already marked with that tag.
- _check_policy_mark_for_op_bad_message(policy)
mark-for-op action has a message that does not end with “: {op}@{action_date}” (won’t be parsed by c7n and will be ignored)
- _check_policy_marked_for_op_first(policy)
Policy includes a marked-for-op filter, but it is not the first filter.
- _generate_cleanup_policies(policies)
When c7n is run, it provisions all policies as lambda functions. But if policies are removed, it doesn’t know how to clean them up. See https://github.com/capitalone/cloud-custodian/issues/48
As a workaround for this, we tag all Lambda funcs created by c7n with Project: cloud-custodian and a Component tag of the policy name.
This method generates policies that look for cloud-custodian Lambda functions and CloudWatch Events that aren’t in the current list of policies, and therefore probably need cleanup, and notifies us.
- _generate_configs(policies, defaults, region_name)
Given policies read from disk, apply defaults, generate cleanup policies, sanity/safety check policies. Then write the custodian configs to disk and return the resulting policies dict.
- Parameters
policies (dict) – the policies read from disk (return value of _read_policies())
defaults (dict) – the defaults to apply to the policies
region_name (str) – the name of the region these configs are for
- Returns
dictionary of final policies
- Return type
- _handle_notify_only_policy(policy)
Given an individual policy configuration dict, if it has notify_only set to True, update the policy accordingly.
- _load_all_policies()
Read the policies, either from the current list of policy_source_paths directories if the config key exists, or simply from the policies/ subdirectory if it doesn’t.
- _load_defaults()
Load a defaults.yml file from either the policies/ subdirectory or the directories in the policy_source_paths configuration key.
- _load_policy(path='')
Load all policies in a given path; return a nested dict of account name (str) to region name (str) to dict of policy names (str) to policies (dict).
- _mailer_template_paths()
Find all files in the mailer-templates subdirectory of each policy_source_paths directory, if present. Return a dictionary of file name to file path. If a file with the same name is found in multiple directories, the last one in policy_source_paths order wins.
- Returns
Mailer template names to their source paths
- Return type
- _policy_rst_data(account_policies, have_paths=False)
Build the policy rST table data.
- Parameters
account_policies (dict) – dict of Account names to dict of [region names to per-region dict of policy name to policy content].
- Returns
list of [name, regions, comment] lists for each policy
- Return type
list
- _read_policies(subdir)
Read policy files from a subdirectory of the policies directory, and return the resulting dict of policy names to policy contents.
- _read_policy_directory(policy_dir)
Read all policies from a policies/ subdirectory (all_accounts/ or an account name). Return a dict of region names to dict of policies (name to policy) for that region.
- _setup_mailer_templates()
Call _mailer_template_paths(). If it returns an empty dict, do nothing. Otherwise, create ./mailer-templates if it does not already exist. For each template filename that does not already exist in that directory, copy it from the source path specified by _mailer_template_paths().
- manheim_c7n_tools.policygen.is_enabled(policy)
Helper function to determine if a policy is enabled.
- Parameters
policy (dict) – policy to check