manheim_c7n_tools.policygen module

class manheim_c7n_tools.policygen.PolicyGen(config)[source]

Bases: object

_add_always_notify(conf)[source]

Given a policy configuration like the one returned by _apply_defaults(), return the input unchanged if the always_notify configuration value is empty or not present, or else ensure that the policy contains at least one type: notify action with the specified transport and to.

Parameters

conf (dict) – configuration as returned by _apply_defaults()

Returns

conf with always_notify action if configured

Return type

dict
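The behaviour described above for _add_always_notify(), as an added example (not code from manheim-c7n-tools) written against a plain policy dict. The page does not give the shape of the always_notify value, so treating it as a dict with transport and to keys is an assumption, as are the helper name add_always_notify and the constructed sample policy:

```python
import copy


def add_always_notify(conf, always_notify):
    """Return conf unchanged when always_notify is empty or None; otherwise
    return a copy of conf that contains at least one ``type: notify`` action
    carrying the configured ``transport`` and ``to``.

    ``always_notify`` is assumed (this page does not give its exact shape)
    to be a dict with ``transport`` and ``to`` keys, e.g.
    ``{"transport": {"type": "sqs", "queue": "..."}, "to": ["..."]}``.
    """
    if not always_notify:
        return conf
    transport = always_notify["transport"]
    to = always_notify["to"]
    for action in conf.get("actions", []):
        # A matching notify action is already present: nothing to add.
        if (isinstance(action, dict) and action.get("type") == "notify"
                and action.get("transport") == transport
                and action.get("to") == to):
            return conf
    # Copy so the caller's defaults-applied dict is not mutated in place.
    updated = copy.deepcopy(conf)
    updated.setdefault("actions", []).append(
        {"type": "notify", "transport": transport, "to": to}
    )
    return updated


# Constructed sample inputs, not taken from the project.
ALWAYS_NOTIFY = {
    "transport": {"type": "sqs", "queue": "https://sqs.example.invalid/c7n-mailer"},
    "to": ["security-team@example.invalid"],
}

SAMPLE_POLICY = {
    "name": "ec2-missing-owner-tag",
    "resource": "ec2",
    "filters": [{"tag:Owner": "absent"}],
    "actions": [{"type": "mark-for-op", "op": "stop", "days": 7}],
}


def notify_actions(conf):
    """Return the notify actions of a policy, for inspection after the merge."""
    return [a for a in conf.get("actions", [])
            if isinstance(a, dict) and a.get("type") == "notify"]


if __name__ == "__main__":
    print(notify_actions(add_always_notify(SAMPLE_POLICY, ALWAYS_NOTIFY)))
```

Returning the original object untouched when nothing is configured, and returning a copy otherwise, keeps the caller's defaults-applied dict stable across repeated runs; calling the helper twice with the same configuration adds only one notify action.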

_apply_defaults(defaults, policy)[source]
_array_merge(base, update, policy_name, path)[source]

Starts with update, then adds items from base.

_check_policies(policies)[source]

Check all of our policies to ensure that they conform with some rules and best practices around safety and sanity.

Each policy in policies is passed through each of the self._check_policy_* functions (which return a boolean pass/fail). At the end, all failures are collected. If there are any, SystemExit(1) is raised.

Parameters

policies (list) – list of policy dictionaries

Raises

SystemExit(1) if any policies failed checks

_check_policy_function_prefix(policy)[source]

Fail if function-prefix doesn’t match between manheim-c7n-tools config and the policy.

_check_policy_mark_but_no_tag_filter(policy)[source]

Fail if the policy performs a mark action but does not filter out resources already marked with that tag.

_check_policy_mark_for_op_bad_message(policy)[source]

Fail if a mark-for-op action has a message that does not end with “: {op}@{action_date}” (such a message won’t be parsed by c7n and will be ignored).

_check_policy_marked_for_op_first(policy)[source]

Fail if the policy includes a marked-for-op filter that is not the first filter.
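The safety checks described by _check_policies() and the three _check_policy_* docstrings above (mark without a tag filter, mark-for-op message without the parsable suffix, marked-for-op filter not first), as an added example that is not code from manheim-c7n-tools. Policy shapes follow c7n's own schema (mark-for-op, mark and tag actions; marked-for-op and "tag:<name>": absent filters) and maid_status is c7n's default tag name; the function names and the sample policies are constructed here:

```python
"""Added example (not manheim-c7n-tools code): the policy safety checks the
docstrings above describe, written over plain c7n policy dicts. Policy shapes
follow c7n's schema (mark-for-op / mark / tag actions, marked-for-op filters,
"tag:<name>": absent filters); maid_status is c7n's default tag name. Function
names and the sample policies are this example's, not the project's."""

DEFAULT_TAG = "maid_status"          # c7n's default mark tag
OP_SUFFIX = ": {op}@{action_date}"   # suffix c7n parses out of the mark message


def _dict_items(seq):
    """Return only the dict entries of a filters/actions list (c7n also allows
    bare strings there, which these checks ignore)."""
    return [x for x in seq or [] if isinstance(x, dict)]


def _mark_tags(policy):
    """Tag names written by the policy's mark actions."""
    tags = []
    for action in _dict_items(policy.get("actions")):
        if action.get("type") == "mark-for-op":
            tags.append(action.get("tag", DEFAULT_TAG))
        elif action.get("type") in ("mark", "tag"):
            tags.append(action.get("key", DEFAULT_TAG))
    return tags


def check_mark_but_no_tag_filter(policy):
    """Fail if a mark action's tag is never excluded by a filter, i.e. already
    marked resources would be marked again on every run."""
    filters = _dict_items(policy.get("filters"))
    for tag in _mark_tags(policy):
        covered = any(
            (f.get("type") == "marked-for-op" and f.get("tag", DEFAULT_TAG) == tag)
            or f.get("tag:%s" % tag) == "absent"
            for f in filters)
        if not covered:
            return False
    return True


def check_mark_for_op_message(policy):
    """Fail if an explicit mark-for-op message lacks the ": {op}@{action_date}"
    suffix that c7n parses out again; without it the message is ignored."""
    for action in _dict_items(policy.get("actions")):
        if action.get("type") == "mark-for-op" and "message" in action:
            if not str(action["message"]).endswith(OP_SUFFIX):
                return False
    return True


def check_marked_for_op_first(policy):
    """Fail if a marked-for-op filter is present but not the first filter."""
    for index, f in enumerate(policy.get("filters") or []):
        if isinstance(f, dict) and f.get("type") == "marked-for-op" and index:
            return False
    return True


CHECKS = [check_mark_but_no_tag_filter, check_mark_for_op_message,
          check_marked_for_op_first]


def check_policies(policies):
    """Run every check over every policy; return failures as
    (policy name, check name) pairs in policy-then-check order."""
    return [(policy.get("name"), check.__name__)
            for policy in policies for check in CHECKS if not check(policy)]


def check_or_exit(policies):
    """Mirror _check_policies(): report each failure, then SystemExit(1)."""
    failures = check_policies(policies)
    for name, check in failures:
        print("FAIL %s: %s" % (name, check))
    if failures:
        raise SystemExit(1)


# Constructed sample policies (not from the project): two pass, two fail.
SAMPLE_POLICIES = [
    {"name": "ec2-missing-owner-mark", "resource": "ec2",
     "filters": [{"tag:maid_status": "absent"}, {"tag:Owner": "absent"}],
     "actions": [{"type": "mark-for-op", "op": "stop", "days": 7,
                  "message": "Missing Owner tag: {op}@{action_date}"}]},
    {"name": "ec2-missing-owner-stop", "resource": "ec2",
     "filters": [{"type": "marked-for-op", "op": "stop"}, {"tag:Owner": "absent"}],
     "actions": [{"type": "stop"}]},
    {"name": "ec2-bad-order-and-message", "resource": "ec2",
     "filters": [{"tag:Owner": "absent"}, {"type": "marked-for-op", "op": "stop"}],
     "actions": [{"type": "mark-for-op", "op": "stop", "message": "will stop"}]},
    {"name": "s3-mark-without-filter", "resource": "s3",
     "filters": [{"tag:Owner": "absent"}],
     "actions": [{"type": "mark-for-op", "op": "delete", "days": 3}]},
]

if __name__ == "__main__":
    check_or_exit(SAMPLE_POLICIES)
```

Collecting every failure before raising, rather than stopping at the first, matches the documented behaviour and lets a policy author fix all problems in one pass; a mark-for-op action that omits message passes the message check because c7n's default message already carries the suffix.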

_generate_cleanup_policies(policies)[source]

When c7n is run, it provisions all policies as lambda functions. But if policies are removed, it doesn’t know how to clean them up. See https://github.com/capitalone/cloud-custodian/issues/48

As a workaround for this, we tag all Lambda funcs created by c7n with Project: cloud-custodian and a Component tag of the policy name.

This method generates policies that look for cloud-custodian Lambda functions and CloudWatch Events that aren’t in the current list of policies, and therefore probably need cleanup, and notifies us.

Parameters

policies (list) – list of policy dictionaries

Returns

list of c7n cleanup policies to add

Return type

list

_generate_configs(policies, defaults, region_name)[source]

Given policies read from disk, apply defaults, generate cleanup policies, sanity/safety check policies. Then write the custodian configs to disk and return the resulting policies dict.

Parameters
  • policies (dict) – the policies read from disk (return value of _read_policies())

  • defaults (dict) – the defaults to apply to the policies

  • region_name (str) – the name of the region these configs are for

Returns

dictionary of final policies

Return type

dict

_handle_notify_only_policy(policy)[source]

Given an individual policy configuration dict, if it has notify_only set to True, update the policy accordingly.

Parameters

policy (dict) – policy dict, with defaults applied

Returns

policy updated as needed

Return type

dict

_load_all_policies()[source]

Read the policies, either the current list of policy_source_paths directories if the config key exists, or simply the policies/ subdirectory if it doesn’t.

_load_defaults()[source]

Load a defaults.yml file from either the policies/ subdirectory or directories in the policy_source_paths configuration key.

_load_policy(path='')[source]

Load all policies in a given path; return a nested dict of account name (str) to region name (str) to dict of policy names (str) to policies (dict).

Parameters

path (str) – path to load policies from

Returns

nested dict of policies

Return type

dict

_mailer_template_paths()[source]

Find all files in the mailer-templates subdirectory of each policy_source_paths directory, if present. Return a dictionary of file name to file path. If a file with the same name is found in multiple directories, the last one in policy_source_paths order wins.

Returns

Mailer template names to their source paths

Return type

dict

_merge_conf(base, update, policy_name, path)[source]

Merge update into base.

_merge_configs(target, source)[source]
_policy_comment(policy)[source]
_policy_rst(region_policies)[source]

Build the policies rST source for the documentation.

Parameters

region_policies (dict) – dict of region names to per-region dict of policy name to policy content, for that region.

Returns

built rST markup for policies docs

Return type

str

_policy_rst_data(account_policies, have_paths=False)[source]

Build the policy rST table data.

Parameters

account_policies (dict) – dict of Account names to dict of [region names to per-region dict of policy name to policy content].

Returns

list of [name, regions, comment] lists for each policy

Return type

list

_read_file_yaml(path)[source]

Unit test helper: return the YAML parsed from the contents of the file at path.

_read_policies(subdir)[source]

Read policy files from a subdirectory of the policies directory, and return the resulting dict of policy names to policy contents.

Parameters

subdir (str) – directory path under policies/ to read

Returns

dict of policy names to policies

Return type

dict

_read_policy_directory(policy_dir)[source]

Read all policies from a policies/ subdirectory (all_accounts/ or an account name). Return a dict of region names to dict of policies (name to policy) for that region.

Parameters

policy_dir (str) – policies/ subdirectory name to read policies from

Returns

dict of region name to policies dict (name to policy)

Return type

dict

_regions_rst()[source]
_setup_mailer_templates()[source]

Call _mailer_template_paths(). If it returns an empty dict, do nothing. Otherwise, create ./mailer-templates if it does not already exist. For each template filename that does not already exist in that directory, copy it from the source path specified by _mailer_template_paths().

_write_custodian_configs(result, region_name)[source]

Write the per-region custodian_REGION.yml config file to disk. This also handles %% macro and environment variable substitution.

Parameters
  • result (dict) – final custodian configuration

  • region_name (str) – the name of the region the configs are for

_write_file(path, content)[source]

Write content to path; a helper that keeps unit tests simpler.

run()[source]
manheim_c7n_tools.policygen.is_enabled(policy)[source]

Helper function to determine if a policy is enabled.

Parameters

policy (dict) – policy to check

manheim_c7n_tools.policygen.main()[source]
manheim_c7n_tools.policygen.strip_doc(func)[source]

Given a function or method reference, return its docstring as one line (with all newlines removed and all whitespace collapsed).

manheim_c7n_tools.policygen.timestr()[source]

Exists only to make unit testing simpler.