# ['805741416284','326930160498', '255007049728']
import boto3
import json
import botocore
# Version banner, presumably for troubleshooting: the recorder fields used
# further down ('exclusionByResourceTypes', 'recordingStrategy') only exist
# in sufficiently recent botocore/boto3 releases.
print(botocore.__version__)
print(boto3.__version__)
# Target account whose Control Tower baseline Config recorder is modified.
# Hard-coded for this run; the comment at the top of the file lists other
# candidate account ids.
account_id = '476494407737'
# Region of the Config recorder to modify (Config recorders are per-region).
aws_region = 'us-west-2'
# Drives the branch below: 'Delete' restores the Control Tower default
# (record everything), any other value applies the exclusion list.
# NOTE(review): the name suggests a CloudFormation custom-resource event that
# has been hard-coded for a standalone run — confirm before reuse.
event = 'Update'
# Comma-separated AWS Config resource types that will be EXCLUDED from
# recording in the non-Delete path; split into a list before use. Anything
# downstream that relies on Config history for these types loses coverage,
# so keep this list minimal and reviewed.
CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING = 'AWS::HealthLake::FHIRDatastore,AWS::Pinpoint::Segment,AWS::Pinpoint::ApplicationSettings'
# STS client under the *calling* identity's credentials; assume_role() uses it
# to obtain credentials in the target account.
STS = boto3.client("sts")
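def assume_role(account_id, role='AWSControlTowerExecution'):
    '''
    Return a boto3 Session in the target account using the Control Tower role.

    Parameters:
        account_id: 12-digit AWS account id to operate in.
        role: name of the role to assume in that account
              (Control Tower's AWSControlTowerExecution by default).

    Returns:
        A boto3.Session built from the temporary credentials of ``role`` in
        ``account_id``. When the caller's own credentials already belong to
        ``account_id`` no AssumeRole call is made and the default session is
        returned instead (previously this case fell through and returned
        None, which the caller then dereferenced).

    Raises:
        Whatever boto3/botocore raised on GetCallerIdentity or AssumeRole,
        re-raised after printing a short diagnostic: without a session the
        caller cannot do anything useful, so swallowing the error only moved
        the failure to a confusing AttributeError later on.
    '''
    try:
        # One GetCallerIdentity call serves both the account check and the
        # partition lookup (the original called it twice).
        identity = STS.get_caller_identity()
        if identity['Account'] == account_id:
            # Already in the target account: nothing to assume.
            return boto3.Session()
        # Take the partition (aws / aws-cn / aws-us-gov) from the caller's
        # own ARN so the role ARN is valid in non-commercial partitions too.
        partition = identity['Arn'].split(':')[1]
        role_arn = f'arn:{partition}:iam::{account_id}:role/{role}'
        # '<account>-<role>' keeps the assumed-role session identifiable
        # wherever the session name is surfaced.
        session_name = f'{account_id}-{role}'
        creds = STS.assume_role(
            RoleArn=role_arn, RoleSessionName=session_name)['Credentials']
        return boto3.Session(
            aws_access_key_id=creds['AccessKeyId'],
            aws_secret_access_key=creds['SecretAccessKey'],
            aws_session_token=creds['SessionToken'])
    except Exception as exc:
        # Narrowed from a bare except (which also caught KeyboardInterrupt);
        # the message now says which role/account failed and why.
        print(f'Unable to assume role {role} in account {account_id}: {exc}')
        raise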
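sts_session = assume_role(account_id)
if sts_session is None:
    # assume_role() prints its own diagnostic and may yield None when it
    # cannot assume the role; nothing below can run without a session, so
    # stop here instead of failing later with an AttributeError.
    raise SystemExit(f'No session for account {account_id}, aborting')
print(f'Printing STS session: {sts_session}')
# Use the session and create a client for configservice
configservice = sts_session.client('config', region_name=aws_region)
# Describe the config recorder before the change (printed for comparison
# with the post-change output at the end of the script)
configrecorder = configservice.describe_configuration_recorders()
print('Existing Configuration Recorder :', configrecorder)
# ControlTower created configuration recorder with name
# "aws-controltower-BaselineConfigRecorder"; update that one.
# NOTE(review): the partition is hard-coded to 'aws' here whereas
# assume_role() derives it from the caller's ARN — confirm before running in
# another partition.
role_arn = f'arn:aws:iam::{account_id}:role/aws-controltower-ConfigRecorderRole'
CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST = CONFIG_RECORDER_EXCLUSION_RESOURCE_STRING.split(',')
# Event = Delete is when the stack is deleted: we roll back the changes made
# and leave the recorder as Control Tower intended (record all supported
# types). Any other event applies the exclusion list, i.e. narrows what AWS
# Config records in this account/region.
if event == 'Delete':
    recording_group = {
        'allSupported': True,
        'includeGlobalResourceTypes': False,
    }
else:
    # 'allSupported' must be False when 'recordingStrategy' selects
    # EXCLUSION_BY_RESOURCE_TYPES; the listed types stop being recorded.
    recording_group = {
        'allSupported': False,
        'includeGlobalResourceTypes': False,
        'exclusionByResourceTypes': {
            'resourceTypes': CONFIG_RECORDER_EXCLUSION_RESOURCE_LIST
        },
        'recordingStrategy': {
            'useOnly': 'EXCLUSION_BY_RESOURCE_TYPES'
        },
    }
# Both branches target the same recorder and role; only the recording group
# differs, so the call is made once (the original duplicated the whole call).
response = configservice.put_configuration_recorder(
    ConfigurationRecorder={
        'name': 'aws-controltower-BaselineConfigRecorder',
        'roleARN': role_arn,
        'recordingGroup': recording_group,
    })
print(f'Response for put_configuration_recorder :{response} ')
# Describe for configuration recorder after the update
configrecorder = configservice.describe_configuration_recorders()
print(f'Post Change Configuration recorder : {configrecorder}')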