【Question title】: CloudTrail logs from function using boto
【Posted】: 2021-01-31 16:07:15
【Question】:

I am writing a boto script that creates an IAM policy and stores its attributes in a DynamoDB table. I have a Python function that takes attributes such as region, instance_type, ebs_volume_size, meta_template_name, start_time and end_time from another file. While writing the CloudTrail part of the code I get an error from the f-strings saying that "ebs_volume_size" is an undefined variable. What could be the fix for this, or a better way to do it?

import jmespath
import boto3
import sys
import json
import time
import meta_templates
from jinja2 import Template

iam = boto3.client('iam')
sts = boto3.client('sts')
ec2 = boto3.resource('ec2')
cloudtrail = boto3.client('cloudtrail')
s3 = boto3.client('s3')
sqs = boto3.client('sqs')
lambd = boto3.client('lambda')
dynamodb = boto3.resource('dynamodb')

start_time_1 = input("What's the start time? ")
end_time1 = input("What's the end time? ")


def create_aws_iam_policy_template(**kwargs):
    """Render the named meta template from meta_templates with the supplied values."""
    template_data = {}
    template_data["region"] = kwargs.get('region')
    template_data["start_time"] = kwargs.get('start_time')
    template_data["end_time"] = kwargs.get('end_time')
    template_data["instance_types"] = kwargs.get('instance_type')
    template_data["ebs_volume_size"] = kwargs.get('ebs_volume_size')
    template_data["meta_template_name"] = kwargs.get('meta_template_name')

    meta_template_dict = getattr(meta_templates, template_data["meta_template_name"])
    meta_template_json = json.dumps(meta_template_dict)
    template_json = Template(meta_template_json).render(template_data)
    return template_json


template_json = create_aws_iam_policy_template(
    region="us-east-2",
    instance_type="t2.micro",
    ebs_volume_size="20",
    meta_template_name="ec2_policy_meta_template",
    start_time=start_time_1,
    end_time=end_time1,
)

print(template_json)


# S3 bucket for CloudTrail

# Account ID from the current credentials instead of a hard-coded value
account_id = sts.get_caller_identity()['Account']
bucket_name = 'goodbucket3'

# The bucket has to exist before a policy can be attached to it;
# outside us-east-1 S3 requires a LocationConstraint.
bucket_region = s3.meta.region_name
if bucket_region == 'us-east-1':
    s3.create_bucket(Bucket=bucket_name)
else:
    s3.create_bucket(Bucket=bucket_name,
                     CreateBucketConfiguration={'LocationConstraint': bucket_region})

# Bucket policy: CloudTrail needs GetBucketAcl on the bucket and PutObject under
# AWSLogs/<account-id>/, and the objects must be written with the
# bucket-owner-full-control ACL.
bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": f"arn:aws:s3:::{bucket_name}"
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/AWSLogs/{account_id}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        }
    ]
}

# Convert the policy from a dict to a JSON string
bucket_policy = json.dumps(bucket_policy)

# Set the new policy
s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
result = s3.get_bucket_policy(Bucket=bucket_name)

logs = cloudtrail.create_trail(
    Name='GoodTrail',
    S3BucketName=bucket_name,
)
# Use the ARN CloudTrail returned rather than hand-building one
# (the region and account in a hand-built ARN have to match the trail's).
response = cloudtrail.start_logging(Name=logs['TrailARN'])

# jmespath searches a parsed document, not the rendered JSON string
policy_doc = json.loads(template_json)
path = jmespath.search('S3BucketName', policy_doc)
print(path)
path1 = jmespath.search('InstanceID', policy_doc)
print(path1)

table = dynamodb.create_table(
    TableName='GoodTable',
    AttributeDefinitions=[
        {
            "AttributeName": "S3BucketName",
            "AttributeType": "S"
        }
    ],
    KeySchema=[
        {
            "AttributeName": "S3BucketName",
            "KeyType": "HASH"
        }
    ],
    ProvisionedThroughput={
        "ReadCapacityUnits": 1,
        "WriteCapacityUnits": 1
    }
)
# Wait for the table to become ACTIVE instead of sleeping a fixed 20 seconds
table.wait_until_exists()

# The names used in these f-strings only exist inside the kwargs of
# create_aws_iam_policy_template, which is what produces the NameError.
response = table.put_item(
    Item={
        'Content': 'Volume Size',
        'Details': f'{ebs_volume_size}',
    }
)
response = table.put_item(
    Item={
        'Content': 'Instance Type',
        'Details': f'{instance_type}',
    }
)
response = table.put_item(
    Item={
        'Content': 'Region',
        'Details': f'{region}',
    }
)

【Question discussion】:

    Tags: python amazon-web-services boto3 amazon-iam


    【Solution 1】:

    Your ebs_volume_size and the other variables are local to create_aws_iam_policy_template and cannot be used outside the function.

    If you want these values to be accessible throughout your script, you can make them global:

    import jmespath
    import boto3
    import sys
    import json
    import time
    import meta_templates
    from jinja2 import Template

    iam = boto3.client('iam')
    sts = boto3.client('sts')
    ec2 = boto3.resource('ec2')
    cloudtrail = boto3.client('cloudtrail')
    s3 = boto3.client('s3')
    sqs = boto3.client('sqs')
    lambd = boto3.client('lambda')
    dynamodb = boto3.resource('dynamodb')

    ###########################
    ##### Global variables ####
    ###########################
    region = "us-east-2"
    instance_type = "t2.micro"
    ebs_volume_size = "20"
    meta_template_name = "ec2_policy_meta_template"
    ###############################

    start_time_1 = input("What's the start time? ")
    end_time1 = input("What's the end time? ")


    def create_aws_iam_policy_template(**kwargs):
        """Render the named meta template from meta_templates with the supplied values."""
        template_data = {}
        template_data["region"] = kwargs.get('region')
        template_data["start_time"] = kwargs.get('start_time')
        template_data["end_time"] = kwargs.get('end_time')
        template_data["instance_types"] = kwargs.get('instance_type')
        template_data["ebs_volume_size"] = kwargs.get('ebs_volume_size')
        template_data["meta_template_name"] = kwargs.get('meta_template_name')

        meta_template_dict = getattr(meta_templates, template_data["meta_template_name"])
        meta_template_json = json.dumps(meta_template_dict)
        template_json = Template(meta_template_json).render(template_data)
        return template_json


    template_json = create_aws_iam_policy_template(
        region=region,
        instance_type=instance_type,
        ebs_volume_size=ebs_volume_size,
        meta_template_name=meta_template_name,
        start_time=start_time_1,
        end_time=end_time1,
    )

    print(template_json)


    # S3 bucket for CloudTrail

    # Account ID from the current credentials instead of a hard-coded value
    account_id = sts.get_caller_identity()['Account']
    bucket_name = 'goodbucket3'

    # The bucket has to exist before a policy can be attached to it;
    # outside us-east-1 S3 requires a LocationConstraint.
    bucket_region = s3.meta.region_name
    if bucket_region == 'us-east-1':
        s3.create_bucket(Bucket=bucket_name)
    else:
        s3.create_bucket(Bucket=bucket_name,
                         CreateBucketConfiguration={'LocationConstraint': bucket_region})

    # Bucket policy: CloudTrail needs GetBucketAcl on the bucket and PutObject under
    # AWSLogs/<account-id>/, and the objects must be written with the
    # bucket-owner-full-control ACL.
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket_name}"
            },
            {
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
            }
        ]
    }

    # Convert the policy from a dict to a JSON string
    bucket_policy = json.dumps(bucket_policy)

    # Set the new policy
    s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
    result = s3.get_bucket_policy(Bucket=bucket_name)

    logs = cloudtrail.create_trail(
        Name='GoodTrail',
        S3BucketName=bucket_name,
    )
    # Use the ARN CloudTrail returned rather than hand-building one
    # (the region and account in a hand-built ARN have to match the trail's).
    response = cloudtrail.start_logging(Name=logs['TrailARN'])

    # jmespath searches a parsed document, not the rendered JSON string
    policy_doc = json.loads(template_json)
    path = jmespath.search('S3BucketName', policy_doc)
    print(path)
    path1 = jmespath.search('InstanceID', policy_doc)
    print(path1)

    table = dynamodb.create_table(
        TableName='GoodTable',
        AttributeDefinitions=[
            {
                "AttributeName": "S3BucketName",
                "AttributeType": "S"
            }
        ],
        KeySchema=[
            {
                "AttributeName": "S3BucketName",
                "KeyType": "HASH"
            }
        ],
        ProvisionedThroughput={
            "ReadCapacityUnits": 1,
            "WriteCapacityUnits": 1
        }
    )
    # Wait for the table to become ACTIVE instead of sleeping a fixed 20 seconds
    table.wait_until_exists()

    # The globals defined above are now visible here
    response = table.put_item(
        Item={
            'Content': 'Volume Size',
            'Details': f'{ebs_volume_size}',
        }
    )
    response = table.put_item(
        Item={
            'Content': 'Instance Type',
            'Details': f'{instance_type}',
        }
    )
    response = table.put_item(
        Item={
            'Content': 'Region',
            'Details': f'{region}',
        }
    )
    

    【Discussion】:

    • Thanks a lot, this works, but now I get the error "An error occurred (ValidationException) when calling the PutItem operation: One or more parameter values were invalid: Missing the key S3BucketName in the item".
    • @PranaySinghParihar You created a DDB table with the primary key S3BucketName, so you have to give every item a unique S3BucketName value. If you run into more trouble, I would suggest asking a new question with the new details and error message.
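    An added example, not code from the question or the answer above, that covers three points the thread leaves open: keeping the template inputs in one dict that is passed around explicitly instead of module-level globals; scoping the CloudTrail bucket policy to a single trail with an aws:SourceArn condition (the two statements CloudTrail needs are the same as in the post; the condition is the confused-deputy guard that the post's policy lacks), together with a small reviewer check that reports what a loose policy is missing; and building a DynamoDB item that carries the table's partition key, which is the cause of the ValidationException in the comments. The account ID, bucket name and trail name are constructed placeholders, and the code makes no AWS calls, so it runs offline.

```python
import json

# Constructed example values; not the account, bucket or trail from the post.
ACCOUNT_ID = "111122223333"
REGION = "us-east-2"
BUCKET = "example-trail-logs"
TRAIL = "GoodTrail"

# One dict, passed explicitly to the template renderer and to the table
# writer, instead of module-level globals every later block reaches into.
PARAMS = {
    "region": REGION,
    "instance_type": "t2.micro",
    "ebs_volume_size": "20",
    "meta_template_name": "ec2_policy_meta_template",
}


def cloudtrail_bucket_policy(bucket, account_id, region, trail):
    """Bucket policy for a CloudTrail log bucket, scoped to a single trail.

    Same two statements as the post, plus an aws:SourceArn condition so only
    this trail in this account can use the grant (confused-deputy guard).
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceArn": trail_arn,
                }},
            },
        ],
    }


def bucket_policy_findings(policy):
    """Review a CloudTrail bucket policy; returns a list of findings (empty = clean).

    Per Allow statement: wildcard principal, wildcard action, service principal
    with no aws:SourceArn/aws:SourceAccount condition, and PutObject without
    the bucket-owner-full-control ACL requirement.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        cond = stmt.get("Condition", {})
        cond_keys = {key for operator in cond.values() for key in operator}
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: wildcard principal")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if isinstance(principal, dict) and "Service" in principal \
                and not cond_keys & {"aws:SourceArn", "aws:SourceAccount"}:
            findings.append(f"{sid}: service principal without aws:SourceArn/aws:SourceAccount")
        if "s3:PutObject" in actions and \
                cond.get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{sid}: PutObject without bucket-owner-full-control")
    return findings


def table_item(bucket, params):
    """One item per trail bucket, carrying the table's partition key S3BucketName.

    An item without the key is rejected (the ValidationException in the
    comments), and several items with the same key would overwrite each other,
    so the attributes live on one keyed item instead of three key-less ones.
    """
    return {
        "S3BucketName": bucket,
        "Region": params["region"],
        "InstanceType": params["instance_type"],
        "VolumeSize": params["ebs_volume_size"],
    }


def item_is_valid(item, key_schema):
    """Mirror DynamoDB's check: every KeySchema attribute must be present in the item."""
    return all(key["AttributeName"] in item for key in key_schema)


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, REGION, TRAIL)
    print(json.dumps(policy, indent=2))
    print("findings:", bucket_policy_findings(policy))
    key_schema = [{"AttributeName": "S3BucketName", "KeyType": "HASH"}]
    print("item ok:", item_is_valid(table_item(BUCKET, PARAMS), key_schema))
```

    Running bucket_policy_findings over the post's own policy (no Sid, no aws:SourceArn) reports both statements as service-principal grants without a source condition; the hardened policy returned by cloudtrail_bucket_policy reports nothing. Pass json.dumps(policy) to put_bucket_policy and the dict from table_item to put_item exactly as the post does.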