├── .buildspec.yml
├── .flake8
├── .github
    └── workflows
    │   └── ci.yml
├── .gitignore
├── .pre-commit-config.yaml
├── .pylintrc
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── central-aggregator-cf-template.yaml
├── docs
    ├── development.md
    ├── hub-spoke-topology.md
    ├── images
    │   ├── hub-spoke-separate-master-aggregator.png
    │   ├── hub-spoke-single-master-aggregator.png
    │   └── support-cases-aggregator-pipeline.png
    ├── member_acc_role_setup.md
    └── org_master_role_setup.md
├── member-acc-cf-template.yaml
├── org-master-cf-template.yaml
├── requirements.txt
├── run_cloudformation.sh
├── src
    ├── aws_common_utils_layer.py
    ├── cloudtrail_process.py
    └── support_cases_aggregator.py
└── tests
    ├── __init__.py
    ├── test_aws_common_utils_layer.py
    └── test_support_case_aggregator.py


/.buildspec.yml:
--------------------------------------------------------------------------------
1 | version: 0.2
2 | phases:
3 |   build:
4 |     commands:
5 |       - pre-commit run --all-files
6 | 


--------------------------------------------------------------------------------
/.flake8:
--------------------------------------------------------------------------------
1 | [flake8]
2 | max-line-length = 80
3 | ignore = E501, C812, W503
4 | 


--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
 1 | name: ci
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - master
 7 |   pull_request:
 8 | 
 9 | jobs:
10 |   build:
11 |     runs-on: ubuntu-latest
12 |     steps:
13 |     - name: Checkout
14 |       uses: actions/checkout@v2
15 |     - name: Set up Python 3.8
16 |       uses: actions/setup-python@v1
17 |       with:
18 |         python-version: 3.8
19 |     - name: Lint with flake8
20 |       run: |
21 |         pip install flake8
22 |         flake8 .
23 |     - name: Test with pytest
24 |       run: |
25 |         pip install -r requirements.txt
26 |         pip install pytest
27 |         pytest


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Pycharm
 10 | .idea/
 11 | 
 12 | # Distribution / packaging
 13 | .Python
 14 | build/
 15 | develop-eggs/
 16 | dist/
 17 | downloads/
 18 | eggs/
 19 | .eggs/
 20 | lib/
 21 | lib64/
 22 | parts/
 23 | sdist/
 24 | var/
 25 | wheels/
 26 | *.egg-info/
 27 | .installed.cfg
 28 | *.egg
 29 | MANIFEST
 30 | 
 31 | # PyInstaller
 32 | #  Usually these files are written by a python script from a template
 33 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 34 | *.manifest
 35 | *.spec
 36 | 
 37 | # Installer logs
 38 | pip-log.txt
 39 | pip-delete-this-directory.txt
 40 | 
 41 | # Unit test / coverage reports
 42 | htmlcov/
 43 | .tox/
 44 | .coverage
 45 | .coverage.*
 46 | .cache
 47 | nosetests.xml
 48 | coverage.xml
 49 | *.cover
 50 | .hypothesis/
 51 | .pytest_cache/
 52 | 
 53 | # Translations
 54 | *.mo
 55 | *.pot
 56 | 
 57 | # Django stuff:
 58 | *.log
 59 | .static_storage/
 60 | .media/
 61 | local_settings.py
 62 | 
 63 | # Flask stuff:
 64 | instance/
 65 | .webassets-cache
 66 | 
 67 | # Scrapy stuff:
 68 | .scrapy
 69 | 
 70 | # Sphinx documentation
 71 | docs/_build/
 72 | 
 73 | # PyBuilder
 74 | target/
 75 | 
 76 | # Jupyter Notebook
 77 | .ipynb_checkpoints
 78 | 
 79 | # pyenv
 80 | .python-version
 81 | 
 82 | # celery beat schedule file
 83 | celerybeat-schedule
 84 | 
 85 | # SageMath parsed files
 86 | *.sage.py
 87 | 
 88 | # Environments
 89 | .env
 90 | .venv
 91 | env/
 92 | venv/
 93 | ENV/
 94 | env.bak/
 95 | venv.bak/
 96 | 
 97 | # Spyder project settings
 98 | .spyderproject
 99 | .spyproject
100 | 
101 | # Rope project settings
102 | .ropeproject
103 | 
104 | # mkdocs documentation
105 | /site
106 | 
107 | # mypy
108 | .mypy_cache/
109 | 
110 | # DS_Store on mac
111 | *.DS_Store
112 | 
113 | 


--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
 1 | exclude: ^(buildspec.yml|.pre-commit-config.yaml)$
 2 | fail_fast: true
 3 | repos:
 4 | - repo: https://github.com/ambv/black
 5 |   rev: stable
 6 |   hooks:
 7 |   - id: black
 8 | - repo: https://github.com/pre-commit/pre-commit-hooks
 9 |   rev: v2.0.0
10 |   hooks:
11 |   - id: check-case-conflict
12 |   - id: end-of-file-fixer
13 |   - id: mixed-line-ending
14 |     args:
15 |     - --fix=lf
16 |   - id: trailing-whitespace
17 |   - id: flake8
18 |     additional_dependencies:
19 |     - flake8-bugbear>=19.3.0
20 |     - flake8-builtins>=1.4.1
21 |     - flake8-commas>=2.0.0
22 |     - flake8-comprehensions>=2.1.0
23 |     - flake8-debugger>=3.1.0
24 |     - flake8-pep3101>=1.2.1
25 |     # language_version: python3.6
26 |   - id: pretty-format-json
27 |     args:
28 |     - --autofix
29 |     - --indent=4
30 |     - --no-sort-keys
31 |   - id: check-merge-conflict
32 |   # - id: check-yaml  # doesn't work with CloudFormation templates/intrinsics, should use cfn-lint instead
33 |     # language_version: python3.6
34 | - repo: https://github.com/pre-commit/pygrep-hooks
35 |   rev: v1.3.0
36 |   hooks:
37 |   - id: python-check-blanket-noqa
38 |   - id: python-check-mock-methods
39 |   - id: python-no-log-warn
40 | - repo: https://github.com/PyCQA/bandit
41 |   rev: f5a6f0ca62  # TODO: update once a release > 1.5.1 hits with this change in
42 |   hooks:
43 |   - id: bandit
44 |     files: "^src/"
45 |     # have to skip B101, contract tests use it and there's no way to skip for specific files
46 |     # have to skip B322, as there is no way to indicate the codebase is Python 3 only (input only vulnerable in Py2)
47 |     args: ["--skip", "B101,B322"]
48 | - repo: local
49 |   hooks:
50 |   - id: pylint-local
51 |     name: pylint-local
52 |     description: Run pylint in the local virtualenv
53 |     entry: pylint "src/" "tests/"
54 |     language: system
55 |     # ignore all files, run on hard-coded modules instead
56 |     pass_filenames: false
57 |     always_run: true
58 | 


--------------------------------------------------------------------------------
/.pylintrc:
--------------------------------------------------------------------------------
 1 | [BASIC]
 2 | good-names=
 3 |     i,
 4 |     e,
 5 |     logger,
 6 |     k,
 7 |     v,
 8 |     s3,
 9 | 
10 | disable=C0330
11 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing to the Support Cases Aggregator
 2 | 
 3 | Thanks for taking the time to contribute!
 4 | 
 5 | We love it when users contribute their innovations back to the project, or when they discover bugged functionality and want others to know about it.
 6 | 
 7 | This repository is optimized for forking, so please ensure code submitted remains generic (e.g. don't specify a bucket name).
 8 | 
 9 | Small pull requests will be reviewed within 7 days. Large pull requests will be reviewed when possible. All pull requests are greatly appreciated.
10 | 
11 | ### Pull Request Template
12 | 
13 | We ask you refer to the `Atom` project [PULL_REQUEST_TEMPLATE](https://github.com/atom/atom/blob/master/PULL_REQUEST_TEMPLATE.md) for formatting your pull request. Their formats are generic and broadly applicable to PR's we expect to be opened against this project.
14 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 Snap Inc.
 4 | 
 5 | All rights reserved.
 6 | 
 7 | Permission is hereby granted, free of charge, to any person obtaining a copy
 8 | of this software and associated documentation files (the "Software"), to deal
 9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 | 
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 | 
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # AWS Support Cases Aggregator
 2 | _AWS Support Cases aggregation for a multi-account organization_
 3 | 
 4 | [![ci](https://github.com/Snapchat/aws-support-tickets-aggregator/workflows/ci/badge.svg?branch=master)](https://github.com/Snapchat/aws-support-tickets-aggregator/actions?query=workflow%3Aci+branch%3Amaster)
 5 | 
 6 | This is a simple CloudFormation-based serverless pipeline for collecting support case information from all users across an AWS Organization into a single database.
 7 | 
 8 | This allows users to easily discover and monitor all Support Cases within an organization. See our [AWS Blog Post](https://aws.amazon.com/blogs/mt/) for details.
 9 | 
10 | ### AWS Support Cases Aggregator Architecture
11 | ![aws-support-cases-aggregator-pipeline-diagram](docs/images/support-cases-aggregator-pipeline.png)
12 | 
13 | 
14 | ### Topology - Hub and Spoke
15 | This service uses a Hub (central aggregator account) and Spoke (member accounts) model.
16 | The aggregator can be configured in two ways:
17 | 
18 | 1. Aggregator account is [AWS Organizations master account](docs/hub-spoke-topology.md#using-org-master-as-central-aggregator-account)
19 | 
20 | 2. Aggregator account is [NOT AWS Organizations master account](docs/hub-spoke-topology.md#using-separate-org-master-and-central-aggregator-accounts)
21 | 
22 | 
23 | ### Setup
24 | #### Central Aggregator Account (Hub)
25 | Ensure you have permissions for creating requisite AWS resources including IAM roles and policies.
26 | 
27 | ##### Prerequisite Steps
28 | 1. Create a S3 bucket in your central aggregator account to hold the CloudFormation stack template. Pass the bucket name to the `--cf_s3_bucket` parameter of the `run_cloudformation.sh` script.
29 | 
30 |     > The CloudFormation stack must be created in the same region as the aforementioned S3 bucket.
31 | 
32 | 2. Choose a free name for your CloudTrail S3 bucket. Pass it to the `--ct_s3_bucket` parameter of the `run_cloudformation.sh` script.
33 | 
34 |     > Ensure a bucket with the same name does not already exist, or the CloudFormation stack will fail to create.
35 | 
36 |     > The CloudFormation stack will handle bucket creation.
37 | 
38 | 3. (Optional) If your aggregator account will not be your AWS Organizations master account:
39 |     * Pass the role arn `arn:aws:iam::<ORG MASTER ACCOUNT ID>:role/OrgListAccountsViewer` to the `--org_role` parameter of the `run_cloudformation.sh` script.
40 |     > Note this role can be created in section [AWS Organizations Master Account #2](#aws-organizations-master-account)
41 | 
42 | ##### Creating the CloudFormation Stack
43 | Run the shell script:
44 | 
45 | ```bash
46 | ./run_cloudformation.sh --profile=<profile_name> --stack_name=<stack name> --cf_region=<cloudformation region> --cf_s3_bucket=<cloudformation s3 bucket> --ct_s3_bucket=<cloudtrail S3 bucket> [--template_file=<template file> --org_role=<org master role>]
47 | ```
48 | 
49 | > For instructions on how to set up an AWS command line profile, see the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
50 | 
51 | You may use any name in the `<stack name>` parameter (e.g. `central-support`).
52 | 
53 | ###### Setting the CloudTrail S3 Bucket
54 | CloudTrail trails from every account you wish to monitor must be deposit their events into the newly created CloudTrail S3 bucket specified in the `--ct_s3_bucket` parameter above.
55 | 
56 | If you are using an organization CloudTrail trail, you only need to modify that organization trail S3 bucket location. If not, you must set a CloudTrail trail in every member account you wish to monitor to use the newly created S3 bucket.
57 | 
58 | #### Member Account (Spoke)
59 | Create an IAM role called `GetSupportInfoRole` in every member account with `support:` and `support:Describe*` permissions that trusts the `SupportAggregator` role in the central aggregator account.
60 | 
61 | > For specific details, follow instructions [here.](docs/member_acc_role_setup.md)
62 | 
63 | 
64 | #### AWS Organizations Master Account
65 | 1. Create an `organization trail` in your AWS organizations master account and configure the CloudTrail service to send events to your CloudTrail bucket.
66 |     > For details on organization trails, see the AWS docs on [Creating a Trail for an Organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html).
67 | 
68 |     > Deposit CloudTrail events into the CloudTrail S3 bucket specified in [central aggregator prerequisites #2](#prerequisite-steps).
69 | 
70 |     > You may also configure individual member accounts with CloudTrail trails that send events to the CloudTrail S3 bucket.
71 | 
72 | 2. (Optional) If your aggregator account will not be your AWS Organizations master account:
73 |     * Create an IAM Role `OrgListAccountsViewer` in the AWS Organizations master account that trusts central aggregator account and has role policy with `organizations:ListAccounts` actions. For specific details, follow instructions [here.](docs/org_master_role_setup.md)
74 | 
75 | 
76 | ### Periodic Scanning
77 | This pipeline scans case data from the past 60 days every 3 days. You can configure the scan to get all historical case data by setting `get_all_existing_cases(recent_cases_only=False)` in `support_cases_aggregator.py`.
78 | 
79 | If you do not use AWS Organizations, modify [list_account_ids()](src/support_cases_aggregator.py#L31) in `support_cases_aggregator.py` to return a list of strings of the account ids you want to monitor support cases for.
80 | 
81 | ## Project Resources
82 | [Development Guide](./docs/development.md)
83 | 
84 | [Contributing Guide](./CONTRIBUTING.md)
85 | 
86 | ## License
87 | 
88 | [The MIT License](http://opensource.org/licenses/MIT)
89 | 
90 | Copyright (c) 2020 Snap Inc.
91 | 


--------------------------------------------------------------------------------
/central-aggregator-cf-template.yaml:
--------------------------------------------------------------------------------
  1 | AWSTemplateFormatVersion: '2010-09-09'
  2 | Transform: 'AWS::Serverless-2016-10-31'
  3 | Description: >-
  4 |   Deploy pipeline for support cases aggregation
  5 | 
  6 | #===================================================================================
  7 | # Parameters MUST be updated; bucket name MUST BE UNIQUE and AVAILABLE
  8 | #===================================================================================
  9 | Parameters:
 10 |   # specifying bucket name as parameter is necessary to avoid circular dependency
 11 |   CloudTrailBucketName: # provide name of your choice for bucket during CloudFormation stack creation time
 12 |     Type: String
 13 |   OrgSupportViewerRoleArn:
 14 |     Type: String
 15 |     Default: "arn:aws:iam::*:role/GetSupportInfoRole"
 16 |   OrgListAccountsViewerRoleArn:
 17 |     Type: String
 18 |     Default: "" # If org master is separate account, provide role arn with perms to list accounts
 19 |   SupportCasesDDBTableName:
 20 |     Type: String
 21 |     Default: "support-cases"
 22 | 
 23 | Conditions: # evaluated only during create stack
 24 |   OrgListAccountsViewerRoleArnExists: !Not [!Equals [!Ref OrgListAccountsViewerRoleArn, "" ]]
 25 |   OrgListAccountsViewerRoleArnDoesNotExists: !Equals [!Ref OrgListAccountsViewerRoleArn, "" ]
 26 | 
 27 | #==================================================
 28 | # Resources
 29 | #==================================================
 30 | Resources:
 31 | 
 32 |   #==================================================
 33 |   # DynamoDB
 34 |   #==================================================
 35 |   # Support Cases extension
 36 |   SupportCasesTable:
 37 |     Type: AWS::DynamoDB::Table
 38 |     DeletionPolicy: Retain # retaining DDB after stack deletion
 39 |     Properties:
 40 |       AttributeDefinitions:
 41 |         -
 42 |           AttributeName: caseId
 43 |           AttributeType: S
 44 |       KeySchema:
 45 |         -
 46 |           AttributeName: caseId
 47 |           KeyType: HASH
 48 |       ProvisionedThroughput:
 49 |         ReadCapacityUnits: 5
 50 |         WriteCapacityUnits: 5
 51 |       TableName: !Ref SupportCasesDDBTableName
 52 | 
 53 |   #==================================================
 54 |   # Managed IAM Policies
 55 |   #==================================================
 56 |   InvokeCoreLambdas:
 57 |     Type: AWS::IAM::ManagedPolicy
 58 |     Properties:
 59 |       Description: "Allows invoking of core Lambda functions."
 60 |       Path: "/"
 61 |       PolicyDocument:
 62 |         Version: "2012-10-17"
 63 |         Statement:
 64 |           - 
 65 |             Effect: "Allow"
 66 |             Action:
 67 |               - lambda:InvokeFunction
 68 |               - lambda:GetFunction
 69 |             Resource: !Join ['', ['arn:aws:lambda:*:', !Ref 'AWS::AccountId', ':function:*']]
 70 |       ManagedPolicyName: "InvokeCoreLambdas"
 71 | 
 72 |   PublishToDeadLetterQueue:
 73 |     Type: AWS::IAM::ManagedPolicy
 74 |     Properties:
 75 |       Description: "Allows publishing to Dead Letter Queue."
 76 |       Path: "/"
 77 |       PolicyDocument:
 78 |         Version: "2012-10-17"
 79 |         Statement:
 80 |           - 
 81 |             Effect: "Allow"
 82 |             Action:
 83 |               - sns:Publish
 84 |               - sns:Subscribe
 85 |               - sns:ConfirmSubscription
 86 |               - sns:Unsubscribe
 87 |             Resource: !Ref DefaultDeadLetterQueue
 88 |       ManagedPolicyName: "PublishToDeadLetterQueue"
 89 | 
 90 |   GetS3CloudTrailObjects:
 91 |     Type: AWS::IAM::ManagedPolicy
 92 |     Properties:
 93 |       Description: "Retrieve objects from S3 CloudTrail bucket"
 94 |       Path: "/"
 95 |       PolicyDocument:
 96 |         Version: "2012-10-17"
 97 |         Statement:
 98 |           -
 99 |             Effect: Allow
100 |             Action:
101 |               - s3:GetObject
102 |               - s3:GetObjectAcl
103 |               - s3:GetBucketAcl
104 |             Resource:
105 |               - !Join ['', ['arn:aws:s3:::', !Ref 'CloudTrailBucketName']]
106 |               - !Join ['', ['arn:aws:s3:::', !Ref 'CloudTrailBucketName', '/*']]
107 |       ManagedPolicyName: "GetS3CloudTrailObjects"
108 | 
109 |   AssumeOrgMasterListAccountsViewerPolicy:
110 |     Type: AWS::IAM::ManagedPolicy
111 |     Condition: OrgListAccountsViewerRoleArnExists
112 |     Properties:
113 |       Description: "Allows central aggregator account to assume org master role"
114 |       Path: "/"
115 |       PolicyDocument:
116 |         Version: "2012-10-17"
117 |         Statement:
118 |           - Effect: "Allow"
119 |             Action:
120 |               - sts:AssumeRole
121 |             Resource: !Ref OrgListAccountsViewerRoleArn
122 |       ManagedPolicyName: "AssumeOrgMasterListAccountsViewerPolicy"
123 |       Roles:
124 |         - !Ref SupportAggregator
125 | 
126 |   ListAccountsViewerPolicy:
127 |     Type: AWS::IAM::ManagedPolicy
128 |     Condition: OrgListAccountsViewerRoleArnDoesNotExists
129 |     Properties:
130 |       Description: "Allows central aggregator account to list accounts"
131 |       Path: "/"
132 |       PolicyDocument:
133 |         Version: "2012-10-17"
134 |         Statement:
135 |           - Effect: "Allow"
136 |             Action:
137 |               - "organizations:ListAccounts"
138 |             Resource: "*"
139 |       ManagedPolicyName: "ListAccountsViewerPolicy"
140 |       Roles:
141 |         - !Ref SupportAggregator
142 | 
143 |   #==================================================
144 |   # IAMRoles and IAM Inline Policies
145 |   #==================================================
146 |   ProcessCloudTrailS3NotifRole:
147 |     Type: AWS::IAM::Role
148 |     Properties:
149 |       RoleName: "ProcessCloudTrailS3Notif"
150 |       AssumeRolePolicyDocument:
151 |         Version: "2012-10-17"
152 |         Statement:
153 |           -
154 |             Effect: "Allow"
155 |             Principal:
156 |               Service:
157 |                 - "lambda.amazonaws.com"
158 |             Action:
159 |               - "sts:AssumeRole"
160 |       ManagedPolicyArns:
161 |         - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
162 |         - !Ref InvokeCoreLambdas
163 |         - !Ref PublishToDeadLetterQueue
164 |         - !Ref GetS3CloudTrailObjects
165 |       Path: "/"
166 | 
167 |   # Support case roles
168 |   SupportAggregator:
169 |     Type: AWS::IAM::Role
170 |     Properties:
171 |       RoleName: "SupportAggregator"
172 |       AssumeRolePolicyDocument:
173 |         Version: "2012-10-17"
174 |         Statement:
175 |           -
176 |             Effect: "Allow"
177 |             Principal:
178 |               Service:
179 |                 - "lambda.amazonaws.com"
180 |             Action:
181 |               - "sts:AssumeRole"
182 |       ManagedPolicyArns:
183 |         - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
184 |         - !Ref PublishToDeadLetterQueue
185 |       Path: "/"
186 |       Policies:
187 |         -
188 |           PolicyName: "assume-org-support-viewer"
189 |           PolicyDocument:
190 |             Version: "2012-10-17"
191 |             Statement:
192 |               -
193 |                 Effect: "Allow"
194 |                 Action:
195 |                   - sts:AssumeRole
196 |                 Resource: !Ref OrgSupportViewerRoleArn
197 |         -
198 |           PolicyName: "manage-support-cases-table"
199 |           PolicyDocument:
200 |             Version: "2012-10-17"
201 |             Statement:
202 |               -
203 |                 Effect: "Allow"
204 |                 Action:
205 |                   - dynamodb:GetItem
206 |                   - dynamodb:PutItem
207 |                   - dynamodb:DeleteItem
208 |                   - dynamodb:BatchWriteItem
209 |                   - dynamodb:Scan
210 |                 Resource:
211 |                   - !GetAtt SupportCasesTable.Arn
212 |                   - !Join ['', [!GetAtt 'SupportCasesTable.Arn', '/*']]
213 | 
214 |   #==================================================
215 |   # SNS Topics
216 |   #==================================================
217 |   ## SNS Topic Policies hard code S3 bucket names rather than use !Ref because of this:
218 |   ## https://aws.amazon.com/premiumsupport/knowledge-center/unable-validate-destination-s3/
219 |           
220 |   DefaultDeadLetterQueue:
221 |     Type: AWS::SNS::Topic
222 |     Properties:
223 |       DisplayName: "SupportDLQ"
224 |       TopicName: support-dead-letter-queues
225 | 
226 |   CloudTrailChangesAllAccountsTopic:
227 |     Type: AWS::SNS::Topic
228 |     Properties:
229 |       TopicName: cloud-trail-changes
230 | 
231 |   CloudTrailChangesAllAccountsTopicPolicy:
232 |     Type: AWS::SNS::TopicPolicy
233 |     Properties:
234 |       Topics:
235 |         - !Ref CloudTrailChangesAllAccountsTopic
236 |       PolicyDocument:
237 |         Version: "2012-10-17"
238 |         Statement:
239 |           -
240 |             Sid: AllowS3Publish
241 |             Effect: "Allow"
242 |             Action:
243 |               - sns:Publish
244 |             Principal:
245 |               AWS: "*"
246 |             Resource: !Ref CloudTrailChangesAllAccountsTopic
247 |             Condition:
248 |               ArnLike:
249 |                 aws:SourceArn: !Join ['', ['arn:aws:s3:::', !Ref CloudTrailBucketName]]
250 |           -
251 |             Sid: AllowAccountSubscription
252 |             Effect: "Allow"
253 |             Action:
254 |               - sns:Subscribe
255 |             Principal:
256 |               AWS: !Join ['', ['arn:aws:iam::', !Ref 'AWS::AccountId', ':root']]
257 |             Resource: !Ref CloudTrailChangesAllAccountsTopic
258 |           -
259 |             Sid: "__default_statement_ID"
260 |             Effect: "Allow"
261 |             Principal:
262 |               AWS: "*"
263 |             Action:
264 |               - sns:GetTopicAttributes
265 |               - sns:SetTopicAttributes
266 |               - sns:AddPermission
267 |               - sns:RemovePermission
268 |               - sns:DeleteTopic
269 |               - sns:Subscribe
270 |               - sns:ListSubscriptionsByTopic
271 |               - sns:Publish
272 |               - sns:Receive
273 |             Resource: !Ref CloudTrailChangesAllAccountsTopic
274 |             Condition:
275 |               StringEquals:
276 |                 AWS:SourceOwner: !Ref 'AWS::AccountId'
277 | 
278 |   #==================================================
279 |   # S3 buckets
280 |   #==================================================
281 |   CloudTrailBucket:
282 |     Type: AWS::S3::Bucket
283 |     Properties:
284 |       # specifying bucket name is necessary to avoid circular dependency
285 |       # as the CloudTrailChangesAllAccountsTopic must allow the CloudTrail bucket to access it
286 |       BucketName: !Ref CloudTrailBucketName
287 |       NotificationConfiguration:
288 |         TopicConfigurations:
289 |           -
290 |             Event: s3:ObjectCreated:*
291 |             Topic: !Ref CloudTrailChangesAllAccountsTopic
292 |       AccessControl: Private
293 |     # Must wait for topic policy to be initialized first before topic configuration can be created
294 |     DependsOn: CloudTrailChangesAllAccountsTopicPolicy
295 | 
296 |   CloudTrailBucketPolicy:
297 |     Type: AWS::S3::BucketPolicy
298 |     Properties:
299 |       Bucket: !Ref CloudTrailBucket
300 |       PolicyDocument:
301 |         Version: "2012-10-17"
302 |         Statement:
303 |           -
304 |             Sid: AllowS3Publish
305 |             Effect: "Allow"
306 |             Principal:
307 |               Service: "cloudtrail.amazonaws.com"
308 |             Action:
309 |               - s3:PutObject
310 |               - s3:PutObjectAcl
311 |             Resource: !Join ['', ['arn:aws:s3:::', !Ref 'CloudTrailBucketName', '/*']]
312 |           -
313 |             Sid: AllowS3PermissionCheck
314 |             Effect: "Allow"
315 |             Principal:
316 |                 Service: "cloudtrail.amazonaws.com"
317 |             Action:
318 |               - s3:GetBucketAcl
319 |             Resource: !Join ['', ['arn:aws:s3:::', !Ref 'CloudTrailBucketName']]
320 | 
321 |   #==================================================
322 |   # Lambda functions
323 |   #==================================================
324 |   cloudtrailprocess:
325 |     Type: 'AWS::Serverless::Function'
326 |     Properties:
327 |       FunctionName: cloudtrail-process
328 |       Handler: cloudtrail_process.lambda_handler
329 |       Runtime: python3.8
330 |       CodeUri: ./build/cloudtrail_process.py
331 |       Layers:
332 |         - !Ref SupportCasesAggregatorBaseLayer
333 |       Description: >-
334 |         This lambda function will take in an S3 notification from the CloudTrail bucket via SNS topic,
335 |         fetch S3 object, process it and invoke support-cases-aggregator function.
336 |       MemorySize: 128
337 |       Timeout: 180
338 |       Role: !GetAtt ProcessCloudTrailS3NotifRole.Arn
339 |       DeadLetterQueue:
340 |         Type: SNS
341 |         TargetArn: !Ref DefaultDeadLetterQueue
342 |       Events:
343 |         CloudTrailTriggerSNS:
344 |           Type: SNS
345 |           Properties:
346 |             Topic: !Ref CloudTrailChangesAllAccountsTopic
347 |       Environment:
348 |         Variables:
349 |           LOGGING_LEVEL: INFO
350 |           SUPPORT_CASES_AGGREGATOR_LAMBDA_NAME: !Ref supportupdater
351 | 
352 |   supportupdater:
353 |     Type: 'AWS::Serverless::Function'
354 |     Properties:
355 |       FunctionName: support-cases-aggregator
356 |       Handler: support_cases_aggregator.lambda_handler
357 |       Runtime: python3.8
358 |       CodeUri: ./build/support_cases_aggregator.py
359 |       Layers:
360 |         - !Ref SupportCasesAggregatorBaseLayer
361 |       Description: >-
362 |         This lambda function retrieves information for a given case and dumps it into a DynamoDB table.
363 |       MemorySize: 128
364 |       Timeout: 600
365 |       Role: !GetAtt SupportAggregator.Arn
366 |       DeadLetterQueue:
367 |         Type: SNS
368 |         TargetArn: !Ref DefaultDeadLetterQueue
369 |       Events:
370 |         ScheduleTwiceWeeklySyncCheck:
371 |           Type: Schedule
372 |           Properties:
373 |             Schedule: rate(3 days)
374 |       ReservedConcurrentExecutions: 1
375 |       Environment:
376 |         Variables:
377 |           LOGGING_LEVEL: INFO
378 |           ORG_MASTER_ACCOUNT_VIEWER_ROLE: !Ref OrgListAccountsViewerRoleArn
379 |           SUPPORT_CASES_TABLE_NAME: !Ref SupportCasesDDBTableName
380 | 
381 |   SupportCasesAggregatorBaseLayer:
382 |     Type: AWS::Serverless::LayerVersion
383 |     Properties:
384 |       Description: Lambda Layer for basic utilities and dependencies used by Support Cases Aggregator related functions.
385 |       ContentUri: layersbuild/
386 |       CompatibleRuntimes:
387 |         - python3.6
388 |         - python3.7
389 |         - python3.8
390 | 
391 | Outputs:
392 |   OrgListAccountsViewerRoleArnExists:
393 |     Description: Org list accounts role provided
394 |     Condition: OrgListAccountsViewerRoleArnExists
395 |     Value: "Environment setup with Central Aggregator account separate from AWS Organizations master account"
396 | 
397 |   OrgListAccountsViewerRoleArnDoesNotExists:
398 |     Description: Org list accounts role not provided
399 |     Condition: OrgListAccountsViewerRoleArnDoesNotExists
400 |     Value: "Environment setup with AWS Organizations master account as Central Aggregator account"
401 | 


--------------------------------------------------------------------------------
/docs/development.md:
--------------------------------------------------------------------------------
 1 | # Development, Build and Deploy Guide
 2 | 
 3 | ## Environment Prerequisites
 4 | Only python3 is supported. [https://www.python.org/doc/sunset-python-2/](Python2 has been deprecated since January 1, 2020) and we strongly urge you to use python3.
 5 | 
 6 | > To maintain multiple versions on python locally, use [pyenv](https://github.com/pyenv/pyenv)
 7 | 
 8 | ## Build and Deploy
 9 | ```bash
10 | ./run_cloudformation.sh
11 | ```
12 | 
13 | ## Tests
14 | This project use `unittest` module from `Python`
15 | 
16 | ### Invoking unit tests
17 | 
18 | #### All tests
19 | ```bash
20 | python3 -m unittest tests/*.py
21 | ```
22 | 
23 | #### All tests in single class
24 | e.g:
25 | ```bash
26 | python3 -m unittest tests.test_support_case_aggregator.SupportCaseAggregator
27 | ```
28 | 
29 | #### Single test
30 | e.g:
31 | ```bash
32 | python3 -m unittest tests.test_support_case_aggregator.SupportCaseAggregator.test_get_all_existing_cases
33 | ```
34 | 


--------------------------------------------------------------------------------
/docs/hub-spoke-topology.md:
--------------------------------------------------------------------------------
 1 | ## Topology - Hub and Spoke details 
 2 | ### Using Org master as central aggregator account
 3 | 
 4 | ![hub&spoke-single-master-aggregator](images/hub-spoke-single-master-aggregator.png)
 5 | 
 6 | ### Using separate Org master and central aggregator accounts 
 7 | 
 8 | ![hub&spoke-separate-master-aggregator](images/hub-spoke-separate-master-aggregator.png)  
 9 | 
10 | 
11 | 


--------------------------------------------------------------------------------
/docs/images/hub-spoke-separate-master-aggregator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Snapchat/aws-support-tickets-aggregator/ea49189d42f9066fd70b07dd65fdee0645a1fdbe/docs/images/hub-spoke-separate-master-aggregator.png


--------------------------------------------------------------------------------
/docs/images/hub-spoke-single-master-aggregator.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Snapchat/aws-support-tickets-aggregator/ea49189d42f9066fd70b07dd65fdee0645a1fdbe/docs/images/hub-spoke-single-master-aggregator.png


--------------------------------------------------------------------------------
/docs/images/support-cases-aggregator-pipeline.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Snapchat/aws-support-tickets-aggregator/ea49189d42f9066fd70b07dd65fdee0645a1fdbe/docs/images/support-cases-aggregator-pipeline.png


--------------------------------------------------------------------------------
/docs/member_acc_role_setup.md:
--------------------------------------------------------------------------------
 1 | #### Member Account role setup
 2 | 
 3 | For automatic updates, you will need an IAM role in every member account for this service to assume, in order to make `Support` API calls. 
 4 | Member account role setup [CloudFormation template](../member-acc-cf-template.yaml) can be used to create this role
 5 | 
 6 | ```bash
 7 | aws cloudformation deploy --stack-name <stack name> --template-file member-acc-cf-template.yaml --parameter-overrides CentralAggregatorAwsAccountId=<central aggregator account id> --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM --profile aws_profile 
 8 | ```
 9 | 
10 | You may use any name in the `<stack name>` parameter (e.g. `member-acct-support`).
11 | 
12 | #### Example Role Policy
13 | Above CloudFormation stack will create role with policies as shown below.
14 | 
15 | ##### Role Policy Permissions:
16 | 
17 | ```
18 | {
19 |     "Version": "2012-10-17",
20 |     "Statement": [
21 |         {
22 |             "Action": [
23 |                 "support:Describe*",
24 |                 "support:"
25 |             ],
26 |             "Resource": "*",
27 |             "Effect": "Allow"
28 |         }
29 |     ]
30 | }
31 | ```
32 | **Note on `support:`**: The Support API expects this permission in this specific format. Failure to include the `support:` permission will result in `botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeCases operation: User: arn:aws:sts::ACCOUNT_ID:assumed-role/GetSupportInfoRole/get_support_info is not authorized to perform: support:`. Alternatively, you may choose to provide `GetSupportInfoRole` with the broader `support:*` permission to allow all support actions.
33 | 
34 | ##### Role Trust Relationships:
35 | 
36 | ```
37 | {
38 |   "Version": "2012-10-17",
39 |   "Statement": [
40 |     {
41 |       "Sid": "TrustSupportViewer",
42 |       "Effect": "Allow",
43 |       "Principal": {
44 |         "AWS": "arn:aws:iam::CentralAggregatorAwsAccountId:role/SupportAggregator"
45 |       },
46 |       "Action": "sts:AssumeRole"
47 |     }
48 |   ]
49 | }
50 | ```


--------------------------------------------------------------------------------
/docs/org_master_role_setup.md:
--------------------------------------------------------------------------------
 1 | #### AWS Organizations Master Account role setup
 2 | 
 3 | Org master setup [CloudFormation template](../org-master-cf-template.yaml) can be used to create requisite role 
 4 | when your setup has separate Central Aggregator and Master accounts.
 5 | 
 6 | ```bash
 7 | aws cloudformation deploy --stack-name <stack name> --template-file org-master-cf-template.yaml --parameter-overrides CentralAggregatorAwsAccountId=<central aggregator account id> --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM --profile aws_profile 
 8 | ```
 9 | 
10 | You may use any name in the `<stack name>` parameter (e.g. `master-acct-support`).
11 | 
12 | #### Example Role Policy
13 | Above CloudFormation stack will create role with policies as shown below.
14 | 
15 | ##### Role Policy Permissions:
16 | 
17 | ```
18 | {
19 |     "Version": "2012-10-17",
20 |     "Statement": [
21 |         {
22 |             "Action": [
23 |                 "organizations:ListAccounts"
24 |             ],
25 |             "Resource": "*",
26 |             "Effect": "Allow"
27 |         }
28 |     ]
29 | }
30 | ```
31 | 
32 | ##### Role Trust Relationships:
33 | 
34 | ```
35 | {
36 |   "Version": "2012-10-17",
37 |   "Statement": [
38 |     {
39 |       "Sid": "TrustSupportAggregator",
40 |       "Effect": "Allow",
41 |       "Principal": {
42 |         "AWS": "arn:aws:iam::CentralAggregatorAwsAccountId:role/SupportAggregator"
43 |       },
44 |       "Action": "sts:AssumeRole"
45 |     }
46 |   ]
47 | }
48 | ```


--------------------------------------------------------------------------------
/member-acc-cf-template.yaml:
--------------------------------------------------------------------------------
 1 | AWSTemplateFormatVersion: '2010-09-09'
 2 | Description: 'Required role in member accounts'
 3 | Parameters:
 4 |   GetSupportInfoRoleName:
 5 |     Type: String
 6 |     Default: "GetSupportInfoRole"
 7 |   CentralAggregatorAwsAccountId:
 8 |     Type: Number
 9 |     Description: "Account Id of the central aggregator AWS account."
10 |   SupportAggregatorRoleName:
11 |     Type: String
12 |     Description: "Required role in central aggregator account."
13 |     Default: "SupportAggregator"
14 | 
15 | Resources:
16 |   GetSupportInfoRole:
17 |     Type: AWS::IAM::Role
18 |     # Role assumed from support cases central aggregator account to get support case info in this account
19 |     Properties:
20 |       RoleName: !Ref GetSupportInfoRoleName
21 |       AssumeRolePolicyDocument:
22 |         Version: "2012-10-17"
23 |         Statement:
24 |           - Sid: TrustSupportAggregator
25 |             Effect: Allow
26 |             Principal:
27 |               AWS: !Sub "arn:aws:iam::${CentralAggregatorAwsAccountId}:role/${SupportAggregatorRoleName}"
28 |             Action:
29 |               - sts:AssumeRole
30 |       Path: "/"
31 |       Policies:
32 |         - PolicyName: "read-support-cases"
33 |           PolicyDocument:
34 |             Version: "2012-10-17"
35 |             Statement:
36 |               - Effect: "Allow"
37 |                 Action:
38 |                   - "support:Describe*"
39 |                   - "support:"
40 |                 # support: is necessary for programmatic support API
41 |                 Resource: "*"
42 | 


--------------------------------------------------------------------------------
/org-master-cf-template.yaml:
--------------------------------------------------------------------------------
 1 | AWSTemplateFormatVersion: '2010-09-09'
 2 | Description: 'Role in AWS organizations master account'
 3 | Parameters:
 4 |   OrgListAccountsViewerRoleName:
 5 |     Type: String
 6 |     Default: "OrgListAccountsViewer"
 7 |   CentralAggregatorAwsAccountId:
 8 |     Type: Number
 9 |     Description: "Account Id of the central aggregator AWS account."
10 |   SupportAggregatorRoleName:
11 |     Type: String
12 |     Description: "Required role in central aggregator account."
13 |     Default: "SupportAggregator"
14 | 
15 | Resources:
16 |   OrgListAccountsViewer:
17 |     Type: AWS::IAM::Role
18 |     # Role assumed from support cases central aggregator account to get list of accounts
19 |     Properties:
20 |       RoleName: !Ref OrgListAccountsViewerRoleName
21 |       AssumeRolePolicyDocument:
22 |         Version: "2012-10-17"
23 |         Statement:
24 |           - Sid: TrustSupportAggregator
25 |             Effect: Allow
26 |             Principal:
27 |               AWS: !Sub "arn:aws:iam::${CentralAggregatorAwsAccountId}:role/${SupportAggregatorRoleName}"
28 |             Action:
29 |               - sts:AssumeRole
30 |       Path: "/"
31 |       Policies:
32 |         - PolicyName: "list-org-accounts"
33 |           PolicyDocument:
34 |             Version: "2012-10-17"
35 |             Statement:
36 |               - Effect: "Allow"
37 |                 Action:
38 |                   - "organizations:ListAccounts"
39 |                 Resource: "*"
40 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | boto3


--------------------------------------------------------------------------------
/run_cloudformation.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | usage () {
  4 |   echo "$1, profile, stack_name, cf_s3_bucket, cf_region, ct_s3_bucket must be supplied, run script as
  5 | ./run_cloudformation.sh --profile=<profile_name> --stack_name=<stack name> --cf_s3_bucket=<cloudformation s3 bucket> --cf_region=<cloudformation region> --ct_s3_bucket=<cloudtrail S3 bucket> [--template_file=<template file> --org_role=<org master role>]
  6 | where:
  7 |     --profile AWS session profile
  8 |     --stack_name AWS CloudFormation stack name to create and maintain the stack
  9 |     --cf_s3_bucket S3 bucket used as AWS SAM CloudFormation code repo
 10 |     --cf_region AWS region
 11 |     --ct_s3_bucket S3 bucket used for centralized CloudTrail events aggregation
 12 |     --template_file (Optional) AWS CloudFormation template file name (defaults to central-aggregator-cf-template.yaml)
 13 |     --org_role (Optional) Org Master account viewer role"
 14 | 
 15 |   exit "$2"
 16 | }
 17 | 
 18 | cleanup () {
 19 |   echo "cleaning up..for code $?"
 20 |   err=$?
 21 |   rm -rf build
 22 |   rm -rf layersbuild
 23 | 
 24 |   if [[ -f "${stack_name}"-"${some_random}".json ]]; then
 25 |     echo "removing temporary created deployment template.."
 26 |     rm -rf "${stack_name}"-"${some_random}".json
 27 |   fi
 28 | 
 29 |   echo "done.."
 30 | 
 31 |   exit ${err} # exit with same status cleanup was called
 32 | }
 33 | trap cleanup EXIT # return to original state on failure
 34 | 
 35 | if [[ "$#" -lt 5 ]]; then
 36 |   usage "Invalid number of arguments" 1
 37 | fi
 38 | 
 39 | while [[ $# -gt 0 ]]; do
 40 |   case "$1" in
 41 |     --profile=*)
 42 |       profile="${1#*=}"
 43 |       ;;
 44 |     --stack_name=*)
 45 |       stack_name="${1#*=}"
 46 |       ;;
 47 |     --cf_s3_bucket=*)
 48 |       s3_bucket="${1#*=}"
 49 |       ;;
 50 |     --cf_region=*)
 51 |       region="${1#*=}"
 52 |       ;;
 53 |     --ct_s3_bucket=*)
 54 |       cloudtrail_s3_bucket="${1#*=}"
 55 |       ;;
 56 |     --template_file=*)
 57 |       template_file="${1#*=}"
 58 |       ;;
 59 |     --org_role=*)
 60 |       org_role="${1#*=}"
 61 |       ;;
 62 |     *)
 63 |       usage "Error: Invalid arguments" 1
 64 |   esac
 65 |   shift
 66 | done
 67 | 
 68 | 
 69 | 
 70 | if [[ -z ${template_file+x} ]];
 71 | then
 72 |   template_file="central-aggregator-cf-template.yaml";
 73 | fi
 74 | 
 75 | S3_CHECK=$(aws s3api head-bucket --bucket "${s3_bucket}" --profile "${profile}" --region "${region}" --output json 2>&1)
 76 | 
 77 | if [[ ${S3_CHECK} = *"An error occurred"* ]]
 78 | then
 79 |   echo "$s3_bucket bucket does not exist or access denied. Aborting.."
 80 |   exit 1
 81 | fi
 82 | 
 83 | if [[ ${S3_CHECK} = *"config profile ($profile) could not be found"* ]]
 84 | then
 85 |   echo "$profile is invalid AWS profile. Aborting.."
 86 |   exit 1
 87 | fi
 88 | 
 89 | echo "This script assumes you have required permissions to create and configure AWS resources, else it will fail."
 90 | echo
 91 | echo "Using profile $profile"
 92 | echo "Using region $region"
 93 | echo "Using CloudFormation stack name as $stack_name"
 94 | echo "Using CloudFormation template '$template_file'"
 95 | 
 96 | some_random=$RANDOM
 97 | mkdir build
 98 | find ./src -iname '*.py' -not -iname '*_layer.py'  -exec cp '{}' './build' ';'
 99 | 
100 | mkdir layersbuild
101 | mkdir layersbuild/python
102 | 
103 | cp src/*_layer.py ./layersbuild/python
104 | 
105 | if [[ -f requirements.txt ]]
106 | then
107 |     echo "Looking for python dependencies"
108 |     pip3 install -t build -r requirements.txt
109 | fi
110 | 
111 | if [[ -z ${org_role+x} ]];
112 | then
113 |   org_role="";
114 | fi
115 | 
116 | aws cloudformation package --template-file "${template_file}" --output-template-file "${stack_name}"-"${some_random}".json --s3-bucket "${s3_bucket}" --region "${region}" --profile "${profile}" --output json --use-json
117 | 
118 | aws cloudformation deploy --parameter-overrides CloudTrailBucketName="${cloudtrail_s3_bucket}" OrgListAccountsViewerRoleArn="${org_role}" --template-file "${stack_name}"-"${some_random}".json --stack-name "${stack_name}" --profile "${profile}" --region "${region}" --output json --s3-bucket "${s3_bucket}" --capabilities CAPABILITY_NAMED_IAM
119 | 
120 | aws cloudformation describe-stack-events --stack-name "${stack_name}" --profile "${profile}" --region "${region}" --output json --max-items 3
121 | 
122 | exit 0
123 | 


--------------------------------------------------------------------------------
/src/aws_common_utils_layer.py:
--------------------------------------------------------------------------------
  1 | """
  2 | Utilities needed to perform common AWS related tasks like getting sessions,
  3 | unzipping notifications received from S3 etc.
  4 | 
  5 | Typically this file can be part of AWS Lambda layer package
  6 | """
  7 | 
  8 | import json
  9 | import logging
 10 | import os
 11 | import urllib
 12 | from gzip import GzipFile
 13 | from io import BytesIO
 14 | 
 15 | import boto3
 16 | from botocore.exceptions import ClientError, BotoCoreError
 17 | 
 18 | # see RoleSessionName in
 19 | # https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
 20 | SESSION_NAME_MIN_LENGTH = 2
 21 | SESSION_NAME_MAX_LENGTH = 64
 22 | 
 23 | 
 24 | def handle_session_name_length(session_name):
 25 |     """
 26 |     Comply to role session name limitation of 64 characters
 27 |     https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html
 28 | 
 29 |     :param session_name: role session name
 30 |     :return: session_name (truncated to 64 if needed)
 31 |     """
 32 |     if len(session_name) > SESSION_NAME_MAX_LENGTH:
 33 |         logging.info(
 34 |             "session name was too long; truncating to %s", SESSION_NAME_MAX_LENGTH
 35 |         )
 36 |         return session_name[:SESSION_NAME_MAX_LENGTH]
 37 | 
 38 |     return session_name
 39 | 
 40 | 
 41 | def get_session_with_arn(role_arn, session_name, base_session):
 42 |     """
 43 |     Returns a boto3.session.Session that assumed role_arn from base_session.
 44 | 
 45 |     base_session is the session used to assume the role;
 46 |         it must have permissions to assume the role.
 47 |     By default, base_session is the caller's regular boto3 session.
 48 |     """
 49 |     if not base_session:
 50 |         base_session = boto3.Session()
 51 | 
 52 |     if not session_name:
 53 |         session_name = "aws_common_utils"
 54 | 
 55 |     session_name = handle_session_name_length(session_name)
 56 |     client = base_session.client("sts")
 57 | 
 58 |     try:
 59 |         response = client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
 60 | 
 61 |         access_key = response["Credentials"]["AccessKeyId"]
 62 |         secret = response["Credentials"]["SecretAccessKey"]
 63 |         session_token = response["Credentials"]["SessionToken"]
 64 | 
 65 |         return boto3.Session(
 66 |             aws_access_key_id=access_key,
 67 |             aws_secret_access_key=secret,
 68 |             aws_session_token=session_token,
 69 |         )
 70 |     except (BotoCoreError, ClientError) as e:
 71 |         logging.error(
 72 |             "get_session_with_arn() failed trying to assume %s \
 73 |                        due to clienterror or botocore error",
 74 |             role_arn,
 75 |         )
 76 |         logging.error(str(e))
 77 |         raise e
 78 | 
 79 | 
 80 | def get_session(account_id, role_name, session_name):
 81 |     """
 82 |     Returns a boto3.session.Session for account_id that assumes role_name role.
 83 | 
 84 |     base_session is the session used to assume the role;
 85 |         it must have permissions to assume the role.
 86 |     By default, base_session is the caller's regular boto3 session.
 87 |     """
 88 | 
 89 |     return get_session_with_arn(
 90 |         "arn:aws:iam::{}:role/{}".format(account_id, role_name), session_name, None
 91 |     )
 92 | 
 93 | 
 94 | def clear_empty_strings(data):
 95 |     """
 96 |     Remove empty string values from data structs.
 97 |     For dict, deletes the empty string value and any corresponding key.
 98 |     Since dicts are passed as references, dict changes are also in-place.
 99 | 
100 |     Returns the modified version of the data.
101 |     """
102 |     if isinstance(data, dict):
103 |         for k, v in data.items():
104 |             if v == "":
105 |                 del data[k]
106 |             else:
107 |                 data[k] = clear_empty_strings(v)
108 |     elif isinstance(data, (list, set, tuple)):
109 |         # use list comprehension to filter out "" and modify items,
110 |         # then reconstruct as original data type
111 |         data = type(data)([clear_empty_strings(x) for x in data if x != ""])
112 |     elif data == "":
113 |         return None
114 |     return data
115 | 
116 | 
117 | def _is_s3_notif(event):
118 |     """
119 |     Check if type is S3 notification
120 | 
121 |     :param event:
122 |     :return: True/False
123 |     """
124 |     return (
125 |         event.get("Records")
126 |         and isinstance(event.get("Records"), list)
127 |         and "s3" in event.get("Records")[0]
128 |     )
129 | 
130 | 
131 | def get_gzipped_s3_objects_from_sns_msg_of_dict(session, event):
132 |     """
133 |     get_s3_objects_from_sns_msg_of_dict() but with a predefined
134 |     object_handler_function that unzips gzipped objects
135 |     and converts them to dicts.
136 | 
137 |     Will also detect if a regular S3 notif was received instead
138 |     of an SNS dict and forward to appropriate getter function.
139 |     """
140 |     objects = []
141 |     if _is_s3_notif(event):
142 |         return get_gzipped_s3_objects_from_dict(session, event)
143 |     for record in event.get("Records", []):
144 |         message = record.get("Sns", {}).get("Message")
145 |         objects.extend(get_gzipped_s3_objects_from_dict(session, json.loads(message)))
146 |     return objects
147 | 
148 | 
149 | def default_unzip_s3_object_handler_function(response):
150 |     """
151 |     Utility to unzip S3 object
152 |     """
153 |     bytestream = BytesIO(response["Body"].read())
154 |     raw_object = GzipFile(None, "rb", fileobj=bytestream).read()
155 |     try:
156 |         # decode if allowed
157 |         return_object = raw_object.decode("utf-8")
158 |     except AttributeError:
159 |         return_object = raw_object
160 |     return json.loads(return_object)
161 | 
162 | 
163 | def get_gzipped_s3_objects_from_dict(session, event):
164 |     """
165 |     get_s3_objects_from_dict() but with a predefined object_handler_function
166 |     that unzips gzipped objects and converts them to dicts.
167 |     """
168 |     return get_s3_objects_from_dict(
169 |         session, event, default_unzip_s3_object_handler_function
170 |     )
171 | 
172 | 
173 | def get_s3_objects_from_dict(session, event, object_handler_function):
174 |     """
175 |     Given a dict (e.g. event, notification), return a list of all
176 |         the S3 objects mentioned in the dict.
177 |     object_handler_function(response) will decode the s3 get_object
178 |         API response for every object.
179 |     By default, object_handler_function treats response["Body"] as a
180 |         JSON string and loads it as a dict.
181 |     """
182 | 
183 |     objects = []
184 |     s3 = session.client("s3")
185 |     # Get the object from the event and show its content type
186 |     for record in event.get("Records", []):
187 |         bucket = record["s3"]["bucket"]["name"]
188 |         unprocessed_key = record["s3"]["object"]["key"]
189 |         # urllib changes structure and encoding is different
190 |         # between python 2 and 3
191 |         key = (
192 |             urllib.parse.unquote_plus(unprocessed_key)
193 |             # if sys.version_info[0] >= 3
194 |             # else urllib.unquote_plus(unprocessed_key.encode("utf-8"))
195 |         )
196 |         logging.info("Bucket: %s. Key: %s", bucket, key)
197 | 
198 |         # get S3 object and add it to return list
199 |         response = s3.get_object(Bucket=bucket, Key=key)
200 |         objects.append(object_handler_function(response))
201 |     return objects
202 | 
203 | 
204 | def set_logging_level(
205 |     manually_set_level=None, environment_variable_key="LOGGING_LEVEL"
206 | ):
207 |     """
208 |     Set logging level according to whatever value is stored in the environment
209 |     variable. Order of "if" checks is prioritized by anticipated frequency
210 |     of use. See actual levels here:
211 |     https://docs.python.org/3/library/logging.html#levels
212 |     Provide value for either environment_variable_key or manually_set_level,
213 |     not both. Defaults to using environment_variable_key 'LOGGING_LEVEL'
214 |     If providing manually_set_level, please provide the string (e.g. "INFO"),
215 |     not the class (e.g. logging.INFO)
216 | 
217 |     Returns logger object
218 |     """
219 |     logger = logging.getLogger()
220 |     level = (
221 |         os.environ.get(environment_variable_key)
222 |         if environment_variable_key
223 |         else manually_set_level
224 |     )
225 |     if level == "INFO":
226 |         logger.setLevel(logging.INFO)
227 |     elif level == "ERROR":
228 |         logger.setLevel(logging.ERROR)
229 |     elif level == "WARNING":
230 |         logger.setLevel(logging.WARNING)
231 |     elif level == "DEBUG":
232 |         logger.setLevel(logging.DEBUG)
233 |     elif level == "CRITICAL":
234 |         logger.setLevel(logging.CRITICAL)
235 |     else:
236 |         logging.error("Received level of %s, defaulting to NOTSET", level)
237 |         logger.setLevel(logging.NOTSET)
238 |     return logger
239 | 


--------------------------------------------------------------------------------
/src/cloudtrail_process.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Function that receives and processes CloudTrail events via S3 object
 3 | creation notifications
 4 | """
 5 | 
 6 | import json
 7 | import logging
 8 | import os
 9 | from collections import defaultdict
10 | 
11 | import boto3
12 | from aws_common_utils_layer import (
13 |     get_gzipped_s3_objects_from_sns_msg_of_dict,
14 |     set_logging_level,
15 | )
16 | 
17 | set_logging_level()
18 | 
19 | 
20 | def lambda_handler(event, context):
21 |     """
22 |     How is it invoked?:
23 |     This lambda will take in an s3 notification from the CloudTrail
24 |         bucket that was sent via SNS and fetch the S3 object.
25 | 
26 |     The purpose of this pattern for the SNS topic is to fan out
27 |     CloudTrail events processing, as CT events may be used for other purposes.
28 | 
29 |     :param event:
30 |     https://docs.aws.amazon.com/AmazonS3/latest/
31 |     dev/notification-content-structure.html
32 | 
33 |     :param context:
34 |     https://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
35 | 
36 |     :return: None
37 |     """
38 | 
39 |     logging.debug(context)
40 | 
41 |     session = boto3.session.Session()
42 |     try:
43 |         objects = get_gzipped_s3_objects_from_sns_msg_of_dict(session, event)
44 |     except ValueError as e:
45 |         logging.warning("Retrieved non-JSON object %s", str(e))
46 |         return
47 | 
48 |     logging.info("Retrieved S3 objects:\n%s", objects)
49 | 
50 |     support_cases_to_check = defaultdict(set)
51 | 
52 |     for obj in objects:
53 |         for record in obj.get("Records", []):
54 |             account_id = record.get("recipientAccountId")
55 |             event_name = record.get("eventName")
56 | 
57 |             # Support Cases
58 |             # Currently not including event AddAttachmentsToSet
59 |             # Including AddCommunicationToCase to cover when case is reopened
60 |             if event_name in ["CreateCase", "ResolveCase", "AddCommunicationToCase"]:
61 |                 case_id = record.get("responseElements", {}).get(
62 |                     "caseId"
63 |                 ) or record.get("requestParameters", {}).get("caseId")
64 | 
65 |                 if case_id:
66 |                     logging.info(
67 |                         "%s: Support case %s found with event %s",
68 |                         account_id,
69 |                         case_id,
70 |                         event_name,
71 |                     )
72 |                     support_cases_to_check[account_id].add(case_id)
73 |                 else:
74 |                     logging.error(
75 |                         "CaseIdMissingError %s: \
76 |                         Support case without caseId found with event %s; %s",
77 |                         account_id,
78 |                         event_name,
79 |                         record,
80 |                     )
81 | 
82 |     # Invoke Support Case Lambda to aggregate support case info
83 |     client = session.client("lambda")
84 |     for account_id, case_ids in support_cases_to_check.items():
85 |         cases = list(case_ids)
86 |         client.invoke(
87 |             FunctionName=os.environ["SUPPORT_CASES_AGGREGATOR_LAMBDA_NAME"],
88 |             InvocationType="Event",
89 |             Payload=json.dumps({"AccountId": account_id, "CaseIds": cases}),
90 |         )
91 | 


--------------------------------------------------------------------------------
/src/support_cases_aggregator.py:
--------------------------------------------------------------------------------
  1 | """
  2 | Function that manages persistence and retrieval of AWS Support
  3 | service case information
  4 | """
  5 | 
  6 | import logging
  7 | import os
  8 | from datetime import datetime, timedelta
  9 | 
 10 | import boto3
 11 | from botocore.config import Config
 12 | from botocore.exceptions import ClientError, BotoCoreError
 13 | 
 14 | from aws_common_utils_layer import (
 15 |     get_session_with_arn,
 16 |     get_session,
 17 |     clear_empty_strings,
 18 |     set_logging_level,
 19 | )
 20 | 
 21 | set_logging_level()
 22 | 
 23 | 
 24 | DEFAULT_CASE_LOOKBACK_DAYS = 60
 25 | 
 26 | # Provide IAM role that is assumed in the member account
 27 | # where the support case was opened
 28 | ORG_SUPPORT_VIEWER_ROLE = "GetSupportInfoRole"
 29 | 
 30 | 
 31 | def list_account_ids():
 32 |     """
 33 |     Default requires permission to invoke organizations:ListAccounts API.
 34 | 
 35 |     DEFAULTS TO CALLING organizations:ListAccounts WITH CURRENT ROLE
 36 |     If CloudFormation stack is deployed in non-master AWS Organizations
 37 |     account, must assume role in that master AWS Organizations account.
 38 |     See README for details.
 39 |     """
 40 | 
 41 |     accounts = []
 42 |     assumed_role_arn = os.environ.get("ORG_MASTER_ACCOUNT_VIEWER_ROLE")
 43 |     if assumed_role_arn:
 44 |         session = get_session_with_arn(
 45 |             role_arn=assumed_role_arn, session_name="listAccountIds", base_session=None
 46 |         )
 47 |     else:
 48 |         session = boto3.session.Session()  # get local session
 49 |     try:
 50 |         client = session.client(
 51 |             "organizations", config=Config(retries={"max_attempts": 8})
 52 |         )
 53 |         paginator = client.get_paginator("list_accounts")
 54 |         response_iterator = paginator.paginate()
 55 |         for page in response_iterator:
 56 |             accounts.extend(page.get("Accounts", []))
 57 |     except (BotoCoreError, ClientError) as e:
 58 |         if e.response["Error"]["Code"] == "AccessDeniedException":
 59 |             logging.error(e)
 60 |             logging.error(
 61 |                 "Could not call organizations:ListAccounts. "
 62 |                 "Current account is likely not "
 63 |                 "the AWS Organizations master account. "
 64 |                 "See README for more details on setup. "
 65 |                 "Returning empty list by default."
 66 |             )
 67 |         return []
 68 | 
 69 |     return [str(account_info.get("Id", "")) for account_info in accounts]
 70 | 
 71 | 
 72 | def get_all_existing_cases(recent_cases_only):
 73 |     """
 74 |     This function is called on every cron interval
 75 |     to reload the support cases DynamoDB table.
 76 |     """
 77 |     account_ids = list_account_ids()
 78 | 
 79 |     dynamodb_session = boto3.session.Session()
 80 |     dynamodb = dynamodb_session.resource("dynamodb")
 81 |     support_cases_table = dynamodb.Table(os.environ.get("SUPPORT_CASES_TABLE_NAME"))
 82 |     for account_id in account_ids:
 83 |         session = get_session(account_id, ORG_SUPPORT_VIEWER_ROLE, "get_support_info")
 84 |         client = session.client("support")
 85 |         if recent_cases_only:
 86 |             update_recent_cases(support_cases_table, account_id, client)
 87 |         else:
 88 |             update_all_cases(support_cases_table, account_id, client)
 89 | 
 90 | 
 91 | def update_recent_cases(
 92 |     support_cases_table, account_id, client, days=DEFAULT_CASE_LOOKBACK_DAYS
 93 | ):
 94 |     """
 95 |     Only retrieve updates within last X days to avoid unnecessary duplication
 96 |     """
 97 |     kwargs = {
 98 |         "includeResolvedCases": True,
 99 |         "maxResults": 100,
100 |         "afterTime": (datetime.now() - timedelta(days=days)).isoformat(),
101 |     }
102 |     update_cases_helper(support_cases_table, account_id, client, kwargs)
103 | 
104 | 
105 | def update_all_cases(support_cases_table, account_id, client):
106 |     """
107 |     For a manual update of every case.
108 |     """
109 |     kwargs = {"includeResolvedCases": True, "maxResults": 100}
110 |     update_cases_helper(support_cases_table, account_id, client, kwargs)
111 | 
112 | 
113 | def update_cases_helper(support_cases_table, account_id, client, kwargs):
114 |     """
115 | 
116 |     :param support_cases_table: DDB table name
117 |     :param account_id: account id
118 |     :param client: DDB session object
119 |     :param kwargs: pagination params
120 |     :return: None
121 |     """
122 |     try:
123 |         case_response = client.describe_cases(**kwargs)
124 |     except (ClientError, BotoCoreError) as e:
125 |         if e.response["Error"]["Code"] == "SubscriptionRequiredException":
126 |             logging.error("Failed subscription for account %s; ignoring", account_id)
127 |             return
128 |         raise e
129 |     for case in case_response.get("cases"):
130 |         # WARNING: recentCommunications is only the last 5 communications.
131 |         if case.get("recentCommunications", {}).get("nextToken"):
132 |             del case["recentCommunications"]["nextToken"]
133 | 
134 |         # put updated info into table
135 |         case["AccountId"] = account_id
136 |         support_cases_table.put_item(Item=case)
137 |     if "nextToken" in case_response:
138 |         kwargs["nextToken"] = case_response["nextToken"]
139 |         update_cases_helper(support_cases_table, account_id, client, kwargs)
140 | 
141 | 
142 | def lambda_handler(event, context):
143 |     """
144 |     :param event:
145 |     Event will be either a CloudWatch Event triggered periodically,
146 |         whose source is aws.events, or event will be the payload from
147 |         aws_cloudtrail_process.py in the following format:
148 |     {
149 |         "AccountId": account_id string,
150 |         "CaseIds": [caseid1 string, caseid2 string, etc.]
151 |     }
152 |     :param context:
153 |     see https://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
154 | 
155 |     :return: None
156 |     """
157 |     logging.debug(context)
158 | 
159 |     logging.debug(event)
160 |     if event.get("source") == "aws.events" or "ManualUpdate" in event:
161 |         logging.info("Invocation to ensure support info is up-to-date")
162 |         # Note: ensure list_account_ids() works and has proper permissions
163 |         return get_all_existing_cases(recent_cases_only=True)
164 |     account_id = event.get("AccountId")
165 |     # Note: Case Id format is
166 |     # case-ACCOUNT_NUMBER-<alphanumeric>-YEAR-<other_alphanumeric>
167 |     # The 10-digit "Case Id" viewed from the
168 |     # Support console is the Display Id of the case.
169 |     case_ids = event.get("CaseIds")
170 | 
171 |     # assume role
172 |     member_account_session = get_session(
173 |         account_id, ORG_SUPPORT_VIEWER_ROLE, "get_support_info"
174 |     )
175 |     # support client has difficult in regions that aren't us-east-1 strangely
176 |     client = member_account_session.client("support", region_name="us-east-1")
177 | 
178 |     # Use current role
179 |     dynamodb_session = boto3.session.Session()
180 |     dynamodb = dynamodb_session.resource("dynamodb")
181 |     support_cases_table = dynamodb.Table(os.environ.get("SUPPORT_CASES_TABLE_NAME"))
182 |     with support_cases_table.batch_writer() as support_table_batch:
183 |         for case_id in case_ids:
184 | 
185 |             # get support info
186 |             try:
187 |                 case_response = client.describe_cases(
188 |                     caseIdList=[case_id], includeResolvedCases=True
189 |                 )
190 |             except ClientError as e:
191 |                 logging.error("error on %s", case_id)
192 |                 if e.response["Error"]["Code"] == "SubscriptionRequiredException":
193 |                     logging.error(
194 |                         "Failed subscription for account %s, "
195 |                         "need Enterprise Support; ignoring",
196 |                         account_id,
197 |                     )
198 |                     support_cases_table.put_item(
199 |                         Item={
200 |                             "caseId": case_id,
201 |                             "status": "** N/A; " "Must Enable Enterprise Support **",
202 |                         }
203 |                     )
204 |                     continue
205 |                 raise e
206 |             except Exception as e:
207 |                 logging.error("error on %s", case_id)
208 |                 raise e
209 |             case = case_response.get("cases")[0]
210 |             # WARNING: recentCommunications is only the last 5 communications.
211 |             if case.get("recentCommunications", {}).get("nextToken"):
212 |                 del case["recentCommunications"]["nextToken"]
213 | 
214 |             clear_empty_strings(case)
215 | 
216 |             # put updated info into table
217 |             case["AccountId"] = account_id
218 |             support_table_batch.put_item(Item=case)
219 | 
220 |     return True
221 | 


--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Snapchat/aws-support-tickets-aggregator/ea49189d42f9066fd70b07dd65fdee0645a1fdbe/tests/__init__.py


--------------------------------------------------------------------------------
/tests/test_aws_common_utils_layer.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Test class to test common utils
 3 | """
 4 | import unittest
 5 | import string
 6 | import random
 7 | from src.aws_common_utils_layer import handle_session_name_length
 8 | 
 9 | 
10 | class AWSCommonUtils(unittest.TestCase):
11 |     """
12 |     unittest class for SupportCaseAggregator
13 |     """
14 | 
15 |     def test_handle_session_name_length(self):
16 |         """
17 |         Test session longer than 64 characters is truncated
18 |         :return:
19 |         """
20 |         random_long_string = "".join(
21 |             [random.choice(string.ascii_letters) for _ in range(100)]
22 |         )
23 |         self.assertEqual(len(handle_session_name_length(random_long_string)), 64)
24 | 
25 |         random_long_string = "".join(
26 |             [random.choice(string.ascii_letters) for _ in range(63)]
27 |         )
28 |         self.assertEqual(len(handle_session_name_length(random_long_string)), 63)
29 | 


--------------------------------------------------------------------------------
/tests/test_support_case_aggregator.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Test class to test behaviour of SupportCaseAggregator
 3 | """
 4 | import unittest
 5 | 
 6 | 
 7 | class SupportCaseAggregator(unittest.TestCase):
 8 |     """
 9 |     unittest class for SupportCaseAggregator
10 |     """
11 | 
12 |     def test_get_all_existing_cases(self):
13 |         """
14 |         Test get all existing cases reads support case information from Support services API and
15 |         correctly updates DDB table
16 |         :return:
17 |         """
18 |         self.assertEqual("foo".upper(), "FOO")
19 | 


--------------------------------------------------------------------------------