runbooks 0.7.0__py3-none-any.whl → 0.7.6__py3-none-any.whl

runbooks/inventory/delete_s3_buckets_objects.py

@@ -1,169 +0,0 @@
-#!/usr/bin/env python3
-"""
-AWS S3 Bucket Object Deletion and Bucket Management Tool
-
-A specialized utility for safely emptying and optionally deleting S3 buckets,
-including all object versions and delete markers. Essential for bucket lifecycle
-management and compliance with data retention policies.
-
-**AWS API Mapping**:
-- `boto3.resource('s3').Bucket.object_versions.delete()`
-- `boto3.resource('s3').Bucket.delete()`
-
-**SECURITY WARNING**: This script performs DESTRUCTIVE operations:
-- Permanently deletes ALL objects and versions from specified bucket
-- Can delete the bucket itself with --force-delete flag
-- Cannot be undone - ensure proper backups before execution
-- May affect compliance with data retention requirements
-
-Features:
-    - Complete object version deletion (including delete markers)
-    - Interactive bucket deletion confirmation
-    - Force deletion mode for automation scenarios
-    - Comprehensive error handling and logging
-    - Single-bucket targeted operation for safety
-
-Security Controls:
-    - Requires explicit bucket name parameter
-    - Interactive confirmation for bucket deletion
-    - Force flag available for automated scenarios
-    - Detailed logging of all destructive operations
-
-Compliance Considerations:
-    - Verify data retention policy compliance before execution
-    - Ensure proper backup procedures are in place
-    - Document destruction for audit trails
-    - Consider legal hold and litigation requirements
-
-Example:
-    Empty bucket but keep it:
-    ```bash
-    python delete_s3_buckets_objects.py --profile my-profile --bucket my-bucket
-    ```
-
-    Empty and delete bucket with confirmation:
-    ```bash
-    python delete_s3_buckets_objects.py --profile my-profile --bucket my-bucket +delete
-    ```
-
-Requirements:
-    - IAM permissions: `s3:DeleteObject`, `s3:DeleteObjectVersion`, `s3:DeleteBucket`
-    - Bucket must be in accessible region
-    - Python 3.8+ with required dependencies
-
-Author:
-    AWS Cloud Foundations Team
-
-Version:
-    2023.05.04
-"""
-
-import logging
-
-from account_class import aws_acct_access
-from ArgumentsClass import CommonArguments
-
-__version__ = "2023.05.04"
-
-parser = CommonArguments()
-parser.singleprofile()
-parser.singleregion()
-parser.verbosity()
-parser.version(__version__)
-parser.my_parser.add_argument(
-    "-b",
-    "--bucket",
-    dest="pBucketName",
-    metavar="bucket to empty and delete",
-    required=True,
-    help="To specify a bucket, use this parameter.",
-)
-parser.my_parser.add_argument(
-    "+delete",
-    "+force-delete",
-    help="Whether or not to delete the bucket after it's been emptied",
-    action="store_const",
-    dest="pForceQuit",
-    const=True,
-    default=False,
-)
-args = parser.my_parser.parse_args()
-
-pProfile = args.Profile
-pRegion = args.Region
-pBucketDelete = args.pForceQuit
-pBucketName = args.pBucketName
-verbose = args.loglevel
-logging.basicConfig(level=args.loglevel, format="[%(filename)s:%(lineno)s - %(funcName)20s() ] %(message)s")
-
-# Establish AWS session and S3 resource connection
-# Uses the specified profile to access S3 services
-aws_acct = aws_acct_access(pProfile)
-s3 = aws_acct.session.resource(service_name="s3")
-
-# CRITICAL WARNING: Display destructive operation warning
-# This ensures users understand the irreversible nature of this operation
-print()
-print(f"This script is about to delete all versions of all objects from bucket {pBucketName}")
-print()
-
-# Create S3 bucket resource for the specified bucket
-# This provides access to bucket operations and object management
-bucket = s3.Bucket(pBucketName)
-
-try:
-    # DESTRUCTIVE OPERATION: Delete all object versions and delete markers
-    # This includes:
-    # - All current object versions
-    # - All historical object versions (if versioning enabled)
-    # - All delete markers
-    # - Cannot be undone once executed
-    logging.info(f"Starting deletion of all object versions in bucket {pBucketName}")
-    bucket.object_versions.delete()
-    logging.info(f"Successfully deleted all object versions from bucket {pBucketName}")
-
-except Exception as my_Error:
-    # Handle S3 API errors during object deletion
-    # Common errors: AccessDenied, NoSuchBucket, InvalidBucketState
-    logging.error(f"Failed to delete objects from bucket {pBucketName}: {my_Error}")
-    print(f"Error message: {my_Error}")
-
-# Handle bucket deletion with safety controls
-# Provides both automated and interactive deletion modes
-DeleteBucket = False
-
-if pBucketDelete:
-    # Force deletion mode: Delete bucket without additional confirmation
-    # Used for automated scenarios where confirmation is handled externally
-    print(f"As per your request, we're deleting the bucket {pBucketName}")
-    logging.warning(f"Force deleting bucket {pBucketName} as requested")
-
-    try:
-        bucket.delete()
-        print(f"Bucket: {pBucketName} has been deleted")
-        logging.info(f"Successfully deleted bucket {pBucketName}")
-    except Exception as delete_error:
-        logging.error(f"Failed to delete bucket {pBucketName}: {delete_error}")
-        print(f"Failed to delete bucket: {delete_error}")
-
-else:
-    # Interactive deletion mode: Prompt user for confirmation
-    # Provides additional safety control for manual operations
-    DeleteBucket = input("Now that the bucket is empty, do you want to delete the bucket? (y/n): ") in ["y", "Y"]
-
-    if DeleteBucket:
-        try:
-            bucket.delete()
-            print(f"Bucket: {pBucketName} has been deleted")
-            logging.info(f"User confirmed deletion of bucket {pBucketName}")
-        except Exception as delete_error:
-            logging.error(f"Failed to delete bucket {pBucketName}: {delete_error}")
-            print(f"Failed to delete bucket: {delete_error}")
-    else:
-        print(f"Bucket: {pBucketName} has NOT been deleted")
-        logging.info(f"User chose to preserve bucket {pBucketName}")
-# Operation completion notification
-print()
-print("Thanks for using this script...")
-logging.info("S3 bucket operation completed successfully")
-print()

runbooks/inventory/lockdown_cfn_stackset_role.py

@@ -1,224 +0,0 @@
-#!/usr/bin/env python3
-
-import logging
-import sys
-
-import boto3
-import Inventory_Modules
-import simplejson as json
-from account_class import aws_acct_access
-from ArgumentsClass import CommonArguments
-from botocore.exceptions import ClientError
-
-__version__ = "2023.05.04"
-
-parser = CommonArguments()
-parser.singleprofile()
-parser.singleregion()
-parser.verbosity()
-parser.version(__version__)
-parser.my_parser.add_argument(
-    "-R",
-    "--access_rolename",
-    dest="pAccessRole",
-    default="AWSCloudFormationStackSetExecutionRole",
-    metavar="role to use for access to child accounts",
-    help="This parameter specifies the role that will allow this script to have access to the children accounts.",
-)
-parser.my_parser.add_argument(
-    "-t",
-    "--target_rolename",
-    dest="pTargetRole",
-    default="AWSCloudFormationStackSetExecutionRole",
-    metavar="role to change",
-    help="This parameter specifies the role to have its Trust Policy changed.",
-)
-parser.my_parser.add_argument(
-    "+f",
-    "--fix",
-    "+fix",
-    dest="pFix",
-    action="store_const",
-    const=True,
-    default=False,
-    help="This parameter determines whether to make any changes in child accounts.",
-)
-parser.my_parser.add_argument(
-    "+l",
-    "--lock",
-    "+lock",
-    dest="pLock",
-    action="store_const",
-    const=True,
-    default=False,
-    help="This parameter determines whether to lock the Trust Policy.",
-)
-parser.my_parser.add_argument(
-    "-s",
-    "--safety",
-    dest="pSafety",
-    action="store_const",
-    const=False,
-    default=True,
-    help="Adding this parameter will 'remove the safety' - by not including the principle running this script, which might mean you get locked out of making further changes.",
-)
-args = parser.my_parser.parse_args()
-
-pProfile = args.Profile
-pTargetRole = args.pTargetRole
-pAccessRole = args.pAccessRole
-pLock = args.pLock
-pSafety = args.pSafety
-pFix = args.pFix
-verbose = args.loglevel
-logging.basicConfig(level=args.loglevel, format="[%(filename)s:%(lineno)s - %(funcName)20s() ] %(message)s")
-
-aws_acct = aws_acct_access(pProfile)
-
-if not aws_acct.AccountType.lower() == "root":
-    print()
-    print(f"The profile {pProfile} does not represent an Org")
-    print("This script only works with org accounts.")
-    print()
-    sys.exit(1)
-##########################
-ERASE_LINE = "\x1b[2K"
-##########################
-
-print(f"We're using the {pAccessRole} role to gain access to the child accounts")
-print(f"We're targeting the {pTargetRole} role to change its Trust Policy")
-
-"""
-1. Collect SSM parameters with the ARNs that should be in the permission
-2. Create the TrustPolicy in JSON
-3. Get a listing of all accounts that need to be updated
-4. Connect to each account, and update the existing trust policy with the new policy
-"""
-# 1. Collect parameters with the ARNs that should be in the permission
-# lock_down_arns_list=[]
-allowed_arns = []
-ssm_client = aws_acct.session.client("ssm")
-param_list = ssm_client.describe_parameters(
-    ParameterFilters=[{"Key": "Name", "Option": "Contains", "Values": ["lock_down_role_arns_list"]}]
-)["Parameters"]
-if len(param_list) == 0:
-    print("You need to set the region (-r|--region) to the default region where the SSM parameters are stored.")
-    print("Otherwise, with no *allowed* arns, we would lock everything out from this role.")
-    print("Exiting...")
-    sys.exit(2)
-for i in param_list:
-    response = param = ssm_client.get_parameter(Name=i["Name"])
-    logging.info(f"Adding {response['Parameter']['Value']} to the list for i: {i['Name']}")
-    allowed_arns.append(response["Parameter"]["Value"])
-
-# 1.5 Find who is running the script and add their credential as a safety
-Creds = Inventory_Modules.find_calling_identity(pProfile)
-if pSafety:
-    allowed_arns.append(Creds["Arn"])
-# 2. Create the Trust Policy in JSON
-
-if pLock:
-    if pSafety and pFix:
-        logging.error("Locking down the Trust Policy to *only* the Lambda functions.")
-    elif pFix:
-        logging.error(f"Locking down the Trust Policy to the Lambda functions and {Creds['Arn']}.")
-    else:
-        logging.critical(
-            "While you asked us to lock things down, You didn't use the '+f' parameter, so we're not changing a thing."
-        )
-    Trust_Policy = {
-        "Version": "2012-10-17",
-        "Statement": [
-            {"Sid": "LambdaAccess", "Effect": "Allow", "Principal": {"AWS": allowed_arns}, "Action": "sts:AssumeRole"}
-        ],
-    }
-else:
-    Trust_Policy = {
-        "Version": "2012-10-17",
-        "Statement": [
-            {"Sid": "LambdaAccess", "Effect": "Allow", "Principal": {"AWS": allowed_arns}, "Action": "sts:AssumeRole"},
-            {
-                "Sid": "DevAccess",
-                "Effect": "Allow",
-                "Principal": {"AWS": [f"arn:aws:iam::{aws_acct.MgmtAccount}:root"]},
-                "Action": "sts:AssumeRole",
-            },
-        ],
-    }
-Trust_Policy_json = json.dumps(Trust_Policy)
-# 3. Get a listing of all accounts that need to be updated and then ...
-
-
-# 4. Connect to each account, and detach the existing policy, and apply the new policy
-sts_client = aws_acct.session.client("sts")
-TrustPoliciesChanged = 0
-ErroredAccounts = []
-for acct in aws_acct.ChildAccounts:
-    ConnectionSuccess = False
-    try:
-        role_arn = f"arn:aws:iam::{acct['AccountId']}:role/{pAccessRole}"
-        account_credentials = sts_client.assume_role(RoleArn=role_arn, RoleSessionName="RegistrationScript")[
-            "Credentials"
-        ]
-        account_credentials["Account"] = acct["AccountId"]
-        logging.warning(f"Accessed Account {acct['AccountId']} using rolename {pAccessRole}")
-        ConnectionSuccess = True
-    except ClientError as my_Error:
-        logging.error(
-            f"Account {acct['AccountId']}, role {pTargetRole} was unavailable to change, so we couldn't access the role's Trust Policy"
-        )
-        logging.warning(my_Error)
-        ErroredAccounts.append(acct["AccountId"])
-        pass
-    if ConnectionSuccess:
-        try:
-            # detach policy from the role and attach the new policy
-            iam_session = boto3.Session(
-                aws_access_key_id=account_credentials["AccessKeyId"],
-                aws_secret_access_key=account_credentials["SecretAccessKey"],
-                aws_session_token=account_credentials["SessionToken"],
-            )
-            iam_client = iam_session.client("iam")
-            trustpolicyexisting = iam_client.get_role(RoleName=pTargetRole)
-            logging.info(
-                "Found Trust Policy %s in account %s for role %s"
-                % (json.dumps(trustpolicyexisting["Role"]["AssumeRolePolicyDocument"]), acct["AccountId"], pTargetRole)
-            )
-            if pFix:
-                trustpolicyupdate = iam_client.update_assume_role_policy(
-                    RoleName=pTargetRole, PolicyDocument=Trust_Policy_json
-                )
-                TrustPoliciesChanged += 1
-                logging.error(f"Updated Trust Policy in Account {acct['AccountId']} for role {pTargetRole}")
-                trustpolicyexisting = iam_client.get_role(RoleName=pTargetRole)
-                logging.info(
-                    "Updated Trust Policy %s in account %s for role %s"
-                    % (
-                        json.dumps(trustpolicyexisting["Role"]["AssumeRolePolicyDocument"]),
-                        acct["AccountId"],
-                        pTargetRole,
-                    )
-                )
-            else:
-                logging.error(f"Account {acct['AccountId']} - no changes made")
-        except ClientError as my_Error:
-            logging.warning(my_Error)
-            pass
-
-print(ERASE_LINE)
-print(f"We found {len(aws_acct.ChildAccounts)} accounts under your organization")
-if pLock and pFix:
-    print(f"We locked {TrustPoliciesChanged} Trust Policies")
-elif not pLock and pFix:
-    print(f"We unlocked {TrustPoliciesChanged} Trust Policies")
-else:
-    print(f"We didn't change {TrustPoliciesChanged} Trust Policies")
-if len(ErroredAccounts) > 0:
-    print(f"We weren't able to access {len(ErroredAccounts)} accounts.")
-if verbose < 50:
-    print("Here are the accounts that were not updated")
-    for i in ErroredAccounts:
-        print(i)
-print()
-print("Thanks for using the tool.")
-print()

runbooks/inventory/update_aws_actions.py

@@ -1,173 +0,0 @@
-import logging
-import sys
-from datetime import datetime
-from os.path import split
-from queue import Queue
-from threading import Thread
-from time import time
-
-import boto3
-from ArgumentsClass import CommonArguments
-from colorama import Fore, Style, init
-from tqdm.auto import tqdm, trange
-
-__version__ = "2024.04.24"
-
-from tqdm import trange
-
-init()
-
-
-##################
-# Functions
-##################
-
-
-def parse_args(f_arguments):
-    """
-    Description: Parses the arguments passed into the script
-    @param f_arguments: args represents the list of arguments passed in
-    @return: returns an object namespace that contains the individualized parameters passed in
-    """
-    script_path, script_name = split(sys.argv[0])
-    parser = CommonArguments()
-    parser.my_parser.description = "We're going to find all API actions within the available AWS services."
-    parser.timing()
-    parser.save_to_file()
-    parser.verbosity()
-    parser.version(__version__)
-    local = parser.my_parser.add_argument_group(script_name, "Parameters specific to this script")
-    # local.add_argument(
-    # 	"-s", "--status",
-    # 	dest="pStatus",
-    # 	choices=['running', 'stopped'],
-    # 	type=str,
-    # 	default=None,
-    # 	help="Whether you want to limit the instances returned to either 'running', 'stopped'. Default is both")
-    return parser.my_parser.parse_args(f_arguments)
-
-
-def random_string(stringLength=10):
-    """
-    Description: Generates a random string
-    @param stringLength: to determine the length of the random number generated
-    @return: returns a random string of characters of length "stringlength"
-    """
-    import random
-    import string
-
-    # Generate a random string of fixed length
-    letters = string.ascii_lowercase
-    randomstring = "".join(random.choice(letters) for _ in range(stringLength))
-    return randomstring
-
-
-def get_aws_actions():
-    """
-    Description: Gets all the actions for all the services in AWS
-    @return: list of actions
-    """
-
-    class AWSActionThread(Thread):
-        def __init__(self, queue):
-            Thread.__init__(self)
-            self.queue = queue
-
-        def run(self):
-            while True:
-                # existing code to get actions for a service
-                c_service = self.queue.get()
-                client = boto3.client(c_service)
-                try:
-                    list_of_operations = client.meta.method_to_api_mapping.keys()
-                    # print(f"{ERASE_LINE}Checking actions for {c_service}", end='\r', flush=True)
-                    for operation in tqdm(list_of_operations, desc=f"actions for {c_service}", leave=False):
-                        action_list.append({"Service": c_service, "Operation": operation})
-                except AttributeError as myError:
-                    print(myError)
-                    action_list.append({"Service": c_service, "Operation": None})
-                    pass
-                finally:
-                    self.queue.task_done()
-
-    checkqueue = Queue()
-    action_list = []
-    workerthreads = 10
-
-    for x in trange(
-        workerthreads,
-        desc=f"Creating {workerthreads} worker threads",
-        leave=False,
-        # , position=0
-    ):
-        worker = AWSActionThread(checkqueue)
-        worker.daemon = True
-        worker.start()
-
-    # Create a thread for every service.
-    print(f"Capturing all available AWS Services...")
-    for service in tqdm(
-        list_of_services,
-        desc=f"Checking actions for each service",
-        # , position=0
-    ):
-        # for service in list_of_services:
-        checkqueue.put(service)
-        checkqueue.join()
-
-    return action_list
-
-
-def save_file(file_to_save_to: str = None, input_data: list = None):
-    """
-    Description: Saves the data to a file
-    @param file_to_save_to:
-    @param input_data:
-    @return: None
-    """
-    if input_data is None:
-        print(f"Input data cannot be none. Exiting...")
-        raise SystemExit(1)
-    elif len(input_data) == 0:
-        print(f"No data to save. Exiting...")
-        raise SystemExit(1)
-
-    if file_to_save_to is None:
-        print(f"No filename provided to save data.\nUsing a randomized name.")
-        file_to_save_to = random_string(15) + ".txt"
-    else:
-        logging.info(f"Saving data to {file_to_save_to}")
-    with open(file_to_save_to, "w", encoding="utf-8") as f:
-        for item in input_data:
-            f.write(f"{item['Service']}:{item['Operation']}\n")
-    return file_to_save_to
-
-
-##################
-# Main
-##################
-ERASE_LINE = "\x1b[2K"
-begin_time = time()
-
-if __name__ == "__main__":
-    arguments = parse_args(sys.argv[1:])
-    pTiming = arguments.Time
-    file_to_save = arguments.Filename
-    verbose = arguments.loglevel
-    logging.basicConfig(level=verbose, format="[%(filename)s:%(lineno)s - %(funcName)20s() ] %(message)s")
-    logging.getLogger("boto3").setLevel(logging.CRITICAL)
-    logging.getLogger("botocore").setLevel(logging.CRITICAL)
-    logging.getLogger("s3transfer").setLevel(logging.CRITICAL)
-    logging.getLogger("urllib3").setLevel(logging.CRITICAL)
-
-    list_of_services = boto3.Session().get_available_services()
-    all_actions = get_aws_actions()
-    if pTiming:
-        print(ERASE_LINE)
-        print(f"{Fore.GREEN}This script took {time() - begin_time:.2f} seconds{Fore.RESET}")
-    print(ERASE_LINE)
-    print(f"Found {len(all_actions)} actions across {len(list_of_services)} services")
-    filename = save_file(file_to_save, all_actions)
-    print(f"Saved to {filename}")
-    print("Thank you for using this script")
-    print()