o .&aa5@sddlZddlZddlZddlmZddlmZddlmZddl m Z e e Z dZdZGd d d eZGd d d eZGd ddeZdS)N)get_account_id) BasicCommand)s3_bucket_exists) ClientErrorz6policy/S3/AWSCloudTrail-S3BucketPolicy-2014-12-17.jsonz7policy/SNS/AWSCloudTrail-SnsTopicPolicy-2014-12-17.jsonc@s eZdZdS)CloudTrailErrorN)__name__ __module__ __qualname__r r L/usr/lib/python3/dist-packages/awscli/customizations/cloudtrail/subscribe.pyrsrc @seZdZdZdZdZdZddddd d d d d d ddd ddd ddd ddd ddd gZdZdZ ddZ ddZ ddZ dd Z d,d"d#Zd,d$d%Zd&d'Zd(d)Zd*d+Zd!S)-CloudTrailSubscribez Subscribe/update a user account to CloudTrail, creating the required S3 bucket, the optional SNS topic, and starting the CloudTrail monitoring and logging. zcreate-subscriptionzCreates and configures the AWS resources necessary to use CloudTrail, creates a trail using those resources, and turns on logging.znaws cloudtrail create-subscription (--s3-use-bucket|--s3-new-bucket) bucket-name [--sns-new-topic topic-name] nameTzCloudtrail name)rrequired help_textz s3-new-bucketz%Create a new S3 bucket with this name)rrz s3-use-bucketz(Use an existing S3 bucket with this namez s3-prefixzS3 object prefixz sns-new-topicz%Create a new SNS topic with this namezinclude-global-service-eventsz(Whether to include global service eventszs3-custom-policyz Custom S3 policy template or URLzsns-custom-policyz!Custom SNS policy template or URLFcCs||||||dS)Nr)setup_services_call)selfargsparsed_globalsr r r _run_main@s  zCloudTrailSubscribe._run_maincCsddd}|jdur|j|d<|jdur|j|d<td|jjd i||_|jjd i||_|jjd i||_|jj j |_ |j durL|j |d<|jjd i||_ dS)N) region_nameverifyrrz&Initializing S3, SNS and CloudTrail...stss3sns endpoint_url cloudtrail)r)r)r)r) region verify_sslLOGdebug_session create_clientrrrmetarrr)rrr client_argsr r r rGs        z"CloudTrailSubscribe.setup_servicesc Cs|j}|r|dkrd}n |dkrd}ntd|j}|jrX|j}|jrN|jdurN|jj|j gd}|dd }d |vrNt d |d |d |_| ||j|jn |sa|jsatd |jrz ||j|j}Wnty|jr|jj|jd wz||j ||j|j|}Wnty|jr|jj|jd |jr|jj|ddwtjdj tj|ddd|js||j tjdj ||jpdddSdS)z Run the command. Calls various services based on input options and outputs the final CloudTrail configuration. trueTfalseFzFYou must pass either true or false to --include-global-service-events.N) trailNameList trailListr S3KeyPrefixzSetting S3 prefix to {0}zBYou must pass either --s3-use-bucket or --s3-new-bucket to create.BucketTopicArnr-z#CloudTrail configuration: {config} )indent)configz,Logs will be delivered to {bucket}:{prefix} )bucketprefix)include_global_service_eventslower ValueError s3_use_bucket s3_new_bucketUPDATE s3_prefixrdescribe_trailsrr r!formatsetup_new_buckets3_custom_policy sns_new_topicsetup_new_topicsns_custom_policy Exceptionr delete_bucketupsert_cloudtrail_configr delete_topicsysstdoutwritejsondumpsstart_cloudtrail) roptionsrgser3res trail_info topic_resultcloudtrail_configr r r r^sz            zCloudTrailSubscribe._callc CsTz|jjd|j|d}|ddWSty)}ztd|j||d}~ww)Nzawscloudtrail-policy-)r,KeyBodyzutf-8zCUnable to get regional policy template for region %s: %s. Error: %s)r get_objectrreaddecoderCr)rkey_namedataer r r _get_policyszCloudTrailSubscribe._get_policyNc Cs&tjdj|dt|j}|r|ds|d7}|dur!|}n|t}| d| d|}d|vr=| d|p:d}n| d |pCd}t d |t |j |}|r]td j|dd |i}|jd krod|ji}||d<|j jdi|} z |j j||dW| Sty|j j|dw)zx Creates a new S3 bucket with an appropriate policy to let CloudTrail write to the prefix path. z%Setting up new S3 bucket {bucket}... )r3/Nz zz /r2zzBucket policy: {0}zBucket {bucket} already exists.r,z us-east-1LocationConstraintCreateBucketConfiguration)r,Policyr+r )rGrHrIr=rrendswithr[S3_POLICY_TEMPLATEreplacer r!rrrCr create_bucketput_bucket_policyrrD) rr3r4 custom_policy account_idpolicy bucket_existsparams bucket_configrYr r r r>sB        z$CloudTrailSubscribe.setup_new_bucketc s6tjdjdt|j}z |jd}Wnty(g}t dYnwfdd|Dr:tdjd|jj j }|durF|}n| t}|d |d |d }|jjd }z)|jj|d d}||dd|}t d||jj|d d|dW|Sty|jj|d dw)zz Creates a new SNS topic with an appropriate policy to let CloudTrail post messages to the topic. z$Setting up new SNS topic {topic}... topicTopicsz$Unable to list topics, continuing...cs&g|]}|dddkr|qS)r-:)split).0trkr r s&z7CloudTrailSubscribe.setup_new_topic..zTopic {topic} already exists.NzzzNamer-r. Attributesr_zTopic policy: {0})r- AttributeNameAttributeValue)rGrHrIr=rrr list_topicsrCr warnr$rr[SNS_POLICY_TEMPLATErb create_topicget_topic_attributesmerge_sns_policyr!set_topic_attributesrF) rrlrerftopicsrrgrQ topic_attrr rkr rAsP        z#CloudTrailSubscribe.setup_new_topiccCs2t|}t|}|d|d7<t|S)a Merge two SNS topic policy documents. The id information from ``left`` is used in the final document, and the statements from ``right`` are merged into ``left``. http://docs.aws.amazon.com/sns/latest/dg/BasicStructure.html :type left: string :param left: First policy JSON document :type right: string :param right: Second policy JSON document :rtype: string :return: Merged policy JSON Statement)rJloadsrK)rleftright left_parsed right_parsedr r r r~%s   z$CloudTrailSubscribe.merge_sns_policycCstjdd|i}|dur||d<|dur||d<|dur"||d<|dur*||d<|js7|jjdi|n |jjdi||jS) z Either create or update the CloudTrail configuration depending on whether this command is a create or update command. z.Creating/updating CloudTrail configuration... ruN S3BucketNamer* SnsTopicNameIncludeGlobalServiceEventsr )rGrHrIr:r create_trail update_trailr<)rrr3r4rlrNr1r r r rE9s  z,CloudTrailSubscribe.upsert_cloudtrail_configcCstjd|jj|dS)zE Start the CloudTrail service, which begins logging. zStarting CloudTrail service... rt)rGrHrIr start_logging)rrr r r rLPs z$CloudTrailSubscribe.start_cloudtrail)N)rr r __doc__NAME DESCRIPTIONSYNOPSIS ARG_TABLEr: _UNDOCUMENTEDrrrr[r>rAr~rErLr r r r r sJ M 4; r c@s eZdZdZdZdZdZdZdS)CloudTrailUpdatezF Like subscribe above, but the update version of the command. zupdate-subscriptionTzlUpdates any of the trail configuration settings, and creates and configures any new AWS resources specified.zpaws cloudtrail update-subscription [(--s3-use-bucket|--s3-new-bucket) bucket-name] [--sns-new-topic topic-name] N)rr r rrr:rrr r r r rXs r)rJloggingrGutilsrawscli.customizations.commandsrawscli.customizations.utilsrbotocore.exceptionsr getLoggerrr rar{rCrr rr r r r s      :