in source/CRRdeployagent/CRRdeployagent.py [0:0]
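# EventBridge/CloudWatch Events pattern for the S3 CloudTrail API calls that
# indicate an object has been stored; these are the events CRRMonitor acts on.
_S3_OBJECT_STORED_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutObject", "CopyObject", "CompleteMultipartUpload"],
    },
}


def _topic_publish_policy(topic_arn):
    """Return the SNS access policy (JSON text) allowing EventBridge to publish.

    Built as a dict and serialised with ``json.dumps`` so *topic_arn* is always
    correctly quoted and escaped, rather than spliced into a hand-written JSON
    string literal.

    NOTE(review): the statement grants the ``events.amazonaws.com`` service
    principal ``SNS:Publish`` on the topic with no ``Condition`` limiting which
    rule may invoke it. Scoping it with
    ``"Condition": {"ArnLike": {"aws:SourceArn": <rule ARN from put_rule>}}``
    would narrow it to this deployment's rule; the policy is left semantically
    identical here so the deployed resource does not change.

    Args:
        topic_arn: ARN of the SNS topic the policy is attached to.

    Returns:
        The policy document as a JSON string.
    """
    import json

    policy = {
        "Version": "2012-10-17",
        "Id": "CWEventPublishtoTopic",
        "Statement": [
            {
                "Sid": "CWEventPublishPolicy",
                "Action": ["SNS:Publish"],
                "Effect": "Allow",
                "Resource": topic_arn,
                "Principal": {"Service": ["events.amazonaws.com"]},
            }
        ],
    }
    return json.dumps(policy)


def agent_creator(agt_region, topic_name, queue_arn, monitor_account, agent_accounts):
    """Create the CRRMonitor agent resources (event rule, targets, SNS) in one region.

    Two layouts are supported, selected by *monitor_account*:

    * monitor/agent account (``monitor_account`` falsy): create an SNS topic
      ``<topic_name>-<agt_region>``, attach a policy letting EventBridge publish
      to it, target the rule at the topic, enable the rule, subscribe the SQS
      queue ``queue_arn`` to the topic, and grant each account in
      ``agent_accounts`` ``events:PutEvents`` on this region's default event bus.
    * agent-only account (``monitor_account`` truthy): target the rule at the
      default event bus of ``monitor_account`` in the same region and enable it.

    Existing resources are replaced rather than treated as errors (``put_rule``,
    ``create_topic`` and ``put_targets`` are idempotent), so re-running is safe.

    Side effects:
        Calls ``boto3.setup_default_session`` which replaces the process-wide
        default boto3 session with one bound to *agt_region*.

    Args:
        agt_region: AWS region the agent resources are created in.
        topic_name: Base name of the SNS topic (region suffix is appended).
        queue_arn: ARN of the SQS queue to subscribe to the topic (monitor
            account layout only).
        monitor_account: Account id of the monitor account when deploying an
            agent-only account; falsy when deploying the monitor account itself.
        agent_accounts: Iterable of account ids allowed to put events on this
            region's default event bus (monitor account layout only). ``None``
            is treated as empty.

    Returns:
        A dict carrying ``'PhysicalResourceId'`` and, for the monitor account
        layout, ``'Data': {'TopicArn': ...}`` — presumably consumed as a
        CloudFormation custom-resource response by the caller.

    Raises:
        Exception: any boto3/botocore error is printed and re-raised unchanged.
    """
    import json

    # Rule name distinguishes the two deployment layouts.
    rule = 'CRRAgent' if not monitor_account else 'CRRRemoteAgent'
    boto3.setup_default_session(region_name=agt_region)

    # -----------------------------------------------------------------
    # Create client connections
    #
    try:
        cwe = boto3.client('events')
        sns = boto3.client('sns')
    except Exception as e:
        print(e)
        print('Error creating clients for ' + agt_region)
        raise  # bare raise keeps the original traceback intact

    # Create the rule DISABLED; it is enabled only once a target is attached.
    try:
        cwe.put_rule(
            Description='Fires CRRMonitor for S3 events that indicate an object has been stored.',
            Name=rule,
            EventPattern=json.dumps(_S3_OBJECT_STORED_PATTERN),
            State='DISABLED'
        )
    except Exception as e:
        print(e)
        print('Error creating CW Event rule')
        raise

    if not monitor_account:
        print('Creating agent for a monitor/agent account in region ' + agt_region)
        topic = topic_name + "-" + agt_region
        # -----------------------------------------------------------------
        # Note: duplication is not a concern - we will replace the rule and
        # topic if they already exist
        #
        # Create an SNS topic and attach its publish policy
        # Add a target to the rule to send to the new SNS topic
        # Enable the rule
        try:
            topicarn = sns.create_topic(Name=topic)['TopicArn']
            sns.set_topic_attributes(
                TopicArn=topicarn,
                AttributeName='Policy',
                AttributeValue=_topic_publish_policy(topicarn),
            )
            cwe.put_targets(
                Rule=rule,
                Targets=[
                    {
                        'Id': 'CRRAgent-' + agt_region,
                        'Arn': topicarn
                    }
                ]
            )
            cwe.enable_rule(Name=rule)
        except Exception as e:
            print(e)
            print('Error creating SNS topic and CW Event rule: ' + topic)
            raise

        # -----------------------------------------------------------------
        # Create cross-region Queue subscription from the SNS end
        # Only when deployed from the Manager account
        #
        try:
            sns.subscribe(
                TopicArn=topicarn,
                Protocol='sqs',
                Endpoint=queue_arn
            )
        except Exception as e:
            print(e)
            print('Error subscribing SNS topic ' + topic + ' to SQS Queue ' + queue_arn)
            raise

        # Grant each agent account permission to put events on the default
        # event bus. StatementId reuses the account id so repeated runs
        # overwrite rather than accumulate statements.
        for account in agent_accounts or []:
            try:
                cwe.put_permission(
                    Action='events:PutEvents',
                    Principal=account,
                    StatementId=account
                )
            except Exception as e:
                print(e)
                print('Error creating Event Bus permissions for ' + account)
                raise

        return_data = {
            'Data': {'TopicArn': topicarn},
            'PhysicalResourceId': 'CRRMonitorAgent-' + agt_region
        }
    else:
        print('Creating agent for an agent-only account in region ' + agt_region)
        # Forward matching events to the monitor account's default event bus
        # in the same region. The 'aws' partition is hard-coded, so this
        # will not resolve in other partitions (e.g. aws-cn, aws-us-gov).
        event_bus_arn = (
            'arn:aws:events:' + agt_region + ':' + monitor_account + ':event-bus/default'
        )
        try:
            cwe.put_targets(
                Rule=rule,
                Targets=[
                    {
                        'Id': 'CRRRemoteAgent-' + agt_region,
                        'Arn': event_bus_arn
                    }
                ]
            )
            cwe.enable_rule(Name=rule)
        except Exception as e:
            print(e)
            print('Error creating CW Event target')
            raise
        return_data = {'PhysicalResourceId': 'CRRMonitorAgent-' + agt_region}

    return return_data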