in lambda/prune_old_entries.py [0:0]
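def _scan_all(table, filter_expression):
    """Return every item matching *filter_expression*, following pagination.

    A DynamoDB ``scan`` returns at most one page (1 MB) per call and signals
    that more data exists via ``LastEvaluatedKey``. A single call would
    silently miss entries once the table grows past one page.

    Args:
        table: boto3 DynamoDB ``Table`` resource to scan.
        filter_expression: boto3 ``Attr`` condition applied server-side.

    Returns:
        list of item dicts across all pages (empty list when nothing matches).
    """
    items = []
    scan_kwargs = {'FilterExpression': filter_expression}
    while True:
        page = table.scan(**scan_kwargs)
        items.extend(page.get('Items', []))
        last_key = page.get('LastEvaluatedKey')
        if not last_key:
            return items
        scan_kwargs['ExclusiveStartKey'] = last_key


def _prune_item(table, item, expire_time):
    """Remove one expired entry's NACL rule and, if safe, its table entry.

    The metadata entry is kept when a fresher (non-expired) entry exists for
    the same ``HostIp``, so an IP that is still the subject of a recent
    finding is not unblocked. Per-item failures are logged and swallowed so
    one bad entry does not stop the rest of the sweep.

    Args:
        table: boto3 DynamoDB ``Table`` resource holding the entries.
        item: one expired entry dict (needs ``HostIp``, ``NetACLId``,
            ``RuleNo`` and ``CreatedAt``).
        expire_time: epoch-seconds cutoff; entries created after it count
            as fresh.
    """
    logger.info("deleting item: %s", item)
    host_ip = item['HostIp']
    logger.info("HostIp %s", host_ip)
    try:
        logger.info('log -- deleting netacl rule')
        delete_netacl_rule(item['NetACLId'], item['RuleNo'])
        # Is this IP also recorded in a fresh finding? All pages are checked:
        # missing a fresh entry here would unblock an IP that should stay
        # blocked, so the lookup must not fail open on pagination.
        # NOTE(review): an entry with CreatedAt == expire_time is neither
        # expired (lt) nor fresh (gt); confirm that boundary is intended.
        fresh = _scan_all(
            table,
            Attr('CreatedAt').gt(expire_time) & Attr('HostIp').eq(host_ip),
        )
        if not fresh:
            # no fresher entry found for that IP
            logger.info('log -- deleting dynamodb item')
            delete_ddb_rule(item['NetACLId'], item['CreatedAt'])
        else:
            logger.info('log -- fresher entry exists for %s, keeping its item', host_ip)
    except Exception as e:
        logger.error(e)
        logger.error('log -- could not delete item')


def lambda_handler(event, context):
    """Prune expired GD2ACL block entries and their network ACL rules.

    Finds entries in the ACL metadata table whose ``CreatedAt`` is older
    than ``RETENTION`` minutes for this Lambda's region, removes each
    entry's network ACL rule, deletes the metadata entry unless a fresher
    entry for the same ``HostIp`` still exists, and finally refreshes the
    WAF IP sets. When nothing has expired, the WAF IP sets are left alone.

    Args:
        event: Lambda invocation payload; not read (the run is time-driven).
        context: Lambda context object; not read.

    Returns:
        None.

    Raises:
        Re-raises any exception that escapes the overall run after logging
        it with its traceback; per-item failures are handled in
        ``_prune_item`` and do not propagate.
    """
    try:
        # RETENTION is in minutes; CreatedAt and expire_time are epoch seconds.
        expire_time = int(time.time()) - (int(RETENTION) * 60)
        logger.info("log -- expire_time = %s", expire_time)

        region = os.environ['AWS_REGION']
        ddb = boto3.resource('dynamodb')
        table = ddb.Table(ACLMETATABLE)

        # Follow LastEvaluatedKey so expired entries beyond the first page
        # are not silently skipped (they would otherwise never be pruned).
        expired = _scan_all(
            table,
            Attr('CreatedAt').lt(expire_time) & Attr('Region').eq(region),
        )
        if not expired:
            logger.info(
                "log -- no entries older than %s hours... exiting GD2ACL pruning.",
                int(RETENTION) / 60,
            )
            return

        logger.info("log -- attempting to prune entries, %s.", expired)
        for item in expired:
            _prune_item(table, item, expire_time)

        # Update WAF IP Sets
        logger.info(
            'log -- update CloudFront Ip set %s and Regional IP set %s.',
            CLOUDFRONT_IP_SET, REGIONAL_IP_SET,
        )
        waf_update_ip_sets()
        logger.info("Pruning Completed")
    except Exception:
        # logger.exception keeps the traceback; the bare raise preserves the
        # original exception so the invocation is reported as failed.
        logger.exception('something went wrong')
        raise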