feat: initial commit with a few examples
@@ -0,0 +1,105 @@
schemaVersion: '0.3'
parameters:
ExecutionRole:
type: String
assumeRole: '{{ ExecutionRole }}'
mainSteps:
- name: GetParameter
action: aws:executeAwsApi
nextStep: ConvertInputToList
isEnd: false
inputs:
Service: ssm
Api: GetParameter
Name: some-parameter
outputs:
- Name: Accounts
Selector: $.Parameter.Value
Type: String
- name: ConvertInputToList
action: aws:executeScript
nextStep: Loop
isEnd: false
inputs:
Runtime: python3.11
Handler: script_handler
InputPayload:
accounts: '{{ GetParameter.Accounts }}'
Script: |
def script_handler(events, context):
return events['accounts'].split(',')
outputs:
- Name: AccountList
Selector: $.Payload
Type: StringList
- name: Loop
action: aws:loop
isEnd: true
inputs:
Iterators: '{{ ConvertInputToList.AccountList }}'
IteratorDataType: StringList
Steps:
- name: ListTrails
action: aws:executeScript
isEnd: true
inputs:
Runtime: python3.11
Handler: script_handler
InputPayload:
accountId: '{{Loop.CurrentIteratorValue}}'
Script: |
import boto3
import botocore.exceptions
from botocore.exceptions import ClientError
def assume_role(role_arn, role_session_name="CloudTrailSession"):
"""
Assume an IAM role and return boto3 session with temporary credentials
"""
sts_client = boto3.client('sts')
try:
response = sts_client.assume_role(
RoleArn=role_arn,
RoleSessionName=role_session_name
)
credentials = response['Credentials']
return boto3.Session(
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken']
)
except ClientError as e:
print(f"Error assuming role: {e}")
return None
def describe_cloudtrails(session):
"""
Describe all CloudTrail trails using the assumed role session
"""
try:
cloudtrail = session.client('cloudtrail')
response = cloudtrail.describe_trails()
trails = response['trailList']
if not trails:
print("No CloudTrail trails found.")
return
for trail in trails:
print(f"ARN: {trail['TrailARN']}")
except ClientError as e:
print(f"Error describing CloudTrails: {e}")
def script_handler(events, context):
ROLE_ARN = f"arn:aws:iam::{events.get('accountId')[0]}:role/OrganizationReadOnlyRole"
session = assume_role(ROLE_ARN)
if session:
describe_cloudtrails(session)
return {"accountId": events.get('accountId')}
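Review bot: The ARN built on the `ROLE_ARN = f"arn:aws:iam::{events.get('accountId')[0]}:role/OrganizationReadOnlyRole"` line indexes `[0]` into `accountId`; if the loop hands the script a plain string, which `{{Loop.CurrentIteratorValue}}` over a `StringList` iterator suggests, that is a single character and the ARN is malformed, and if it is a one-element list the indexing silently depends on the iterator format. The value originates in an SSM parameter and is never validated, so whoever can write that parameter can point the automation's AssumeRole at an arbitrary account; validate it as a 12-digit account ID before formatting the ARN (with `re` imported next to `boto3`), and consider passing `ExternalId=` to `assume_role` if the target trust policies are configured for it. The `except ClientError` branches in `assume_role` and `describe_cloudtrails` only print, so a failed AssumeRole or DescribeTrails still returns `{"accountId": ...}` as a successful step and hides the accounts that were not actually checked — surface the failure in the return payload or let the exception propagate. `import botocore.exceptions` duplicates the `from botocore.exceptions import ClientError` import and can be dropped.
```python
def script_handler(events, context):
    raw = events.get('accountId')
    # The loop may hand over a string or a one-element list; normalise, then refuse
    # anything that is not a 12-digit account ID since the value comes from an SSM parameter.
    account_id = str(raw[0] if isinstance(raw, list) else raw).strip()
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"invalid account id: {account_id!r}")
    role_arn = f"arn:aws:iam::{account_id}:role/OrganizationReadOnlyRole"
    session = assume_role(role_arn)
    if session is None:
        # Fail the step rather than report an unchecked account as success
        raise RuntimeError(f"could not assume {role_arn}")
    describe_cloudtrails(session)
    return {"accountId": account_id}
```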
@@ -0,0 +1,51 @@
schemaVersion: '0.3'
mainSteps:
- name: GetParameter
action: aws:executeAwsApi
nextStep: ConvertInputToList
isEnd: false
# parameter contains comma separated ids (i.e. 111111111111,222222222222)
inputs:
Service: ssm
Api: GetParameter
Name: some-parameter
outputs:
- Name: Accounts
Selector: $.Parameter.Value
Type: String
# input needs to be transformed to a list of string in order to be used by aws:loop
- name: ConvertInputToList
action: aws:executeScript
nextStep: Loop
isEnd: false
inputs:
Runtime: python3.11
Handler: script_handler
InputPayload:
accounts: '{{ GetParameter.Accounts }}'
Script: |
def script_handler(events, context):
return events['accounts'].split(',')
outputs:
- Name: AccountList
Selector: $.Payload
Type: StringList
- name: Loop
action: aws:loop
isEnd: true
inputs:
Iterators: '{{ ConvertInputToList.AccountList }}'
IteratorDataType: String
Steps:
- name: PrintInput
action: aws:executeScript
isEnd: true
inputs:
Runtime: python3.11
Handler: script_handler
InputPayload:
accountId: '{{Loop.CurrentIteratorValue}}'
Script: |
def script_handler(events,context):
return {"accountId": events.get('accountId')}
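Review bot: `IteratorDataType: String` on the `Loop` step differs from the `StringList` the other two documents in this commit use for the same kind of `Iterators` input; one of the three is presumably wrong and the mismatch is worth settling before these examples get copied. The `ConvertInputToList` script returns `events['accounts'].split(',')` without stripping, so a parameter written as `111111111111, 222222222222` yields an entry with a leading space (and a trailing comma yields an empty entry) that downstream steps would embed verbatim in an ARN; `return [a.strip() for a in events['accounts'].split(',') if a.strip()]` avoids both. The comment on the `GetParameter` step could also state that the parameter is a plain `String` of comma-separated account IDs and that nothing in this document checks they are 12-digit numbers.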
@@ -0,0 +1,32 @@
schemaVersion: '0.3'
mainSteps:
- name: ListAccounts
action: aws:executeAwsApi
nextStep: Loop
isEnd: false
inputs:
Service: organizations
Api: ListAccounts
outputs:
- Type: StringList
Name: Accounts
Selector: $.Accounts..Id
- name: Loop
action: aws:loop
isEnd: true
inputs:
Iterators: '{{ ListAccounts.Accounts }}'
IteratorDataType: StringList
Steps:
- name: PrintInput
action: aws:executeScript
isEnd: true
inputs:
Runtime: python3.11
Handler: script_handler
InputPayload:
accountId: '{{Loop.CurrentIteratorValue}}'
Script: |
def script_handler(events,context):
return {"accountId": events.get('accountId')}
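Review bot: The `ListAccounts` step is a single `aws:executeAwsApi` call, and `organizations:ListAccounts` returns results in pages with a `NextToken`, so `Selector: $.Accounts..Id` only ever sees the first page and an organization with more accounts than one page holds is silently processed only in part — a coverage gap that matters as soon as this pattern drives a security sweep across the organization. Either gather the IDs in an `aws:executeScript` step that follows `NextToken` (a boto3 paginator over `list_accounts` does this), or at least mark the limit on the step with `# NOTE: single ListAccounts call — does not follow NextToken, so large organizations are truncated`. The selector also returns accounts of every `Status`, suspended ones included, which anyone adapting this example to assume a role per account will want to filter first.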