lemur_aws Package
elb Module
- lemur.plugins.lemur_aws.elb.attach_certificate(name, port, certificate_id, **kwargs)
Attaches a certificate to a listener, throws exception if certificate specified does not exist in a particular account.
- Parameters:
name –
port –
certificate_id –
- lemur.plugins.lemur_aws.elb.attach_certificate_v2(listener_arn, port, certificates, **kwargs)
Attaches a certificate to a listener, throws exception if certificate specified does not exist in a particular account.
- Parameters:
listener_arn –
port –
certificates –
- lemur.plugins.lemur_aws.elb.describe_listeners_v2(**kwargs)
Fetches one page of listener objects for a given elb arn.
- Parameters:
kwargs –
- Returns:
- lemur.plugins.lemur_aws.elb.describe_load_balancer_policies(load_balancer_name, policy_names, **kwargs)
Fetching all policies currently associated with an ELB.
- Parameters:
load_balancer_name –
- Returns:
- lemur.plugins.lemur_aws.elb.describe_load_balancer_types(policies, **kwargs)
Describe the policies with policy details.
- Parameters:
policies –
- Returns:
- lemur.plugins.lemur_aws.elb.describe_ssl_policies_v2(policy_names, **kwargs)
Fetching all policies currently associated with an ELB.
- Parameters:
policy_names –
- Returns:
- lemur.plugins.lemur_aws.elb.get_all_elbs(**kwargs)
Fetches all elbs for a given account/region
- Parameters:
kwargs –
- Returns:
- lemur.plugins.lemur_aws.elb.get_all_elbs_v2(**kwargs)
Fetches all elbs for a given account/region
- Parameters:
kwargs –
- Returns:
- lemur.plugins.lemur_aws.elb.get_elbs(**kwargs)
Fetches one page of elb objects for a given account and region.
- lemur.plugins.lemur_aws.elb.get_elbs_v2(**kwargs)
Fetches one page of elb objects for a given account and region.
- Parameters:
kwargs –
- Returns:
- lemur.plugins.lemur_aws.elb.get_listener_arn_from_endpoint(endpoint_name, endpoint_port, **kwargs)
Get a listener ARN from an endpoint.
- Parameters:
endpoint_name –
endpoint_port –
- Returns:
- lemur.plugins.lemur_aws.elb.get_load_balancer_arn_from_endpoint(endpoint_name, **kwargs)
Get a load balancer ARN from an endpoint.
- Parameters:
endpoint_name –
- Returns:
- lemur.plugins.lemur_aws.elb.has_listener_cert_for_sni(listener_arn, client)
Describes the listener to list the certificates in use. A certificate added as an SNI listener certificate is listed with both default true and default false.
- Parameters:
listener_arn –
- Returns:
True/False
- lemur.plugins.lemur_aws.elb.is_valid(listener_tuple)
AWS has a few rules for creating listeners; this function ensures those rules are met before we try to create or update a listener.
While these could be caught with boto exception handling, I would rather be nice and catch them early, before we send them out to AWS. It also gives us an opportunity to create nice user warnings.
This validity check should also be performed in the frontend but must also be enforced by the server.
- Parameters:
listener_tuple –
- lemur.plugins.lemur_aws.elb.retry_throttled(exception)
Determines if this exception is due to throttling.
- Parameters:
exception –
- Returns:
iam Module
- lemur.plugins.lemur_aws.iam.create_arn_from_cert(account_number, partition, certificate_name, path='')
Create an ARN from a certificate.
- Parameters:
path –
account_number –
partition –
certificate_name –
- Returns:
- lemur.plugins.lemur_aws.iam.delete_cert(cert_name, **kwargs)
Delete a certificate from AWS
- Parameters:
cert_name –
- Returns:
- lemur.plugins.lemur_aws.iam.get_all_certificates(restrict_path=None, **kwargs)
Use STS to fetch all of the SSL certificates from a given account.
- Parameters:
restrict_path – If provided, only return certificates with a matching Path value.
- lemur.plugins.lemur_aws.iam.get_certificate(name, **kwargs)
Retrieves an SSL certificate.
- Returns:
- lemur.plugins.lemur_aws.iam.get_certificate_id_to_name(**kwargs)
Use STS to fetch a map of IAM certificate IDs to names
- lemur.plugins.lemur_aws.iam.get_certificates(**kwargs)
Fetches one page of certificate objects for a given account.
- Parameters:
kwargs –
- Returns:
- lemur.plugins.lemur_aws.iam.get_name_from_arn(arn)
Extract the certificate name from an arn.
examples:
'arn:aws:iam::123456789012:server-certificate/example.com' --> 'example.com'
'arn:aws:iam::123456789012:server-certificate/cloudfront/example.com-cloudfront' --> 'example.com-cloudfront'
'arn:aws:acm:us-west-2:123456789012:certificate/example.com' --> 'example.com'
- Parameters:
arn – IAM TLS certificate arn
- Returns:
name of the certificate as uploaded to AWS
- lemur.plugins.lemur_aws.iam.get_path_from_arn(arn)
Get the certificate path from the certificate arn.
examples:
'arn:aws:iam::123456789012:server-certificate/example.com' --> ''
'arn:aws:iam::123456789012:server-certificate/cloudfront/example.com-cloudfront' --> 'cloudfront'
'arn:aws:iam::123456789012:server-certificate/cloudfront/2/example.com-cloudfront' --> 'cloudfront/2'
'arn:aws:acm:us-west-2:123456789012:certificate/example.com' --> ''
- Parameters:
arn – IAM TLS certificate arn
- Returns:
empty or the certificate path without the certificate name
- lemur.plugins.lemur_aws.iam.get_registry_type_from_arn(arn)
Get the registry type based on the arn.
examples:
'arn:aws:iam::123456789000:server-certificate/example.com' --> 'iam'
'arn:aws:iam::123456789000:server-certificate/cloudfront/example.com-cloudfront' --> 'iam'
'arn:aws:acm:us-west-2:123456789000:certificate/example.com' --> 'acm'
- Parameters:
arn – IAM TLS certificate arn
- Returns:
iam or acm or unknown
- lemur.plugins.lemur_aws.iam.retry_throttled(exception)
Determines if this exception is due to throttling.
- Parameters:
exception –
- Returns:
- lemur.plugins.lemur_aws.iam.upload_cert(name, body, private_key, path, cert_chain=None, **kwargs)
Upload a certificate to AWS
- Parameters:
name –
body –
private_key –
cert_chain –
path –
- Returns:
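The ARN examples documented for `get_name_from_arn`, `get_path_from_arn` and `get_registry_type_from_arn` can be reproduced with one strict parser. This is an added example, not Lemur's own implementation: `split_certificate_arn` is a hypothetical name, and raising `ValueError` on malformed or non-certificate ARNs is an assumption that goes beyond the documented behaviour.

```python
import re

# Generic ARN layout: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(
    r"arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>[0-9]{12}):(?P<resource>[^:]+)"
)
# Resource type that each certificate registry uses in its ARNs.
RESOURCE_TYPE = {"iam": "server-certificate", "acm": "certificate"}


def split_certificate_arn(arn):
    """Return (registry, path, name); registry is 'iam', 'acm' or 'unknown'."""
    match = ARN_RE.fullmatch(arn)
    if match is None:
        raise ValueError(f"not a well-formed ARN: {arn!r}")
    service = match["service"]
    if service not in RESOURCE_TYPE:
        # Assumption: other services are reported as 'unknown', not rejected.
        return "unknown", "", ""
    resource_type, _, rest = match["resource"].partition("/")
    # Everything before the last slash is the path, the remainder the name.
    path, _, name = rest.rpartition("/")
    if resource_type != RESOURCE_TYPE[service] or not name:
        raise ValueError(f"not a certificate ARN: {arn!r}")
    return service, path, name


if __name__ == "__main__":
    # ARNs taken from the docstring examples above, plus one constructed
    # non-certificate ARN (an IAM role) that the parser must reject.
    samples = [
        "arn:aws:iam::123456789012:server-certificate/example.com",
        "arn:aws:iam::123456789012:server-certificate/cloudfront/2/example.com-cloudfront",
        "arn:aws:acm:us-west-2:123456789012:certificate/example.com",
        "arn:aws:iam::123456789012:role/example",
    ]
    for arn in samples:
        try:
            print(arn, "->", split_certificate_arn(arn))
        except ValueError as exc:
            print("rejected:", exc)
```

Rejecting ARNs whose resource type does not match the service keeps a role or user ARN from being treated as a certificate name when synced inventory is processed.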
plugin Module
- class lemur.plugins.lemur_aws.plugin.ACMDestinationPlugin
Bases:
DestinationPlugin
- author_url: str | None = 'https://github.com/Netflix/lemur'
- clean(certificate, options, **kwargs)
- description: str | None = 'Allow the uploading of certificates to Amazon ACM'
- options: List[Dict[str, Any]] = [{'helpMessage': 'A valid AWS account number with permission to access ACM', 'name': 'accountNumber', 'required': True, 'type': 'str', 'validation': '[0-9]{12}'}, {'available': ['us-east-1', 'us-west-2', 'eu-west-1'], 'default': 'us-east-1', 'helpMessage': 'Region bucket exists', 'name': 'region', 'required': False, 'type': 'str'}]
- slug: str | None = 'aws-acm-dest'
- title: str | None = 'AWS-ACM'
- upload(name, body, private_key, cert_chain, options, **kwargs)
- version = 'unknown'
- class lemur.plugins.lemur_aws.plugin.AWSACMSourcePlugin
Bases:
SourcePlugin
- author_url: str | None = 'https://github.com/netflix/lemur'
- description: str | None = 'Discovers all ACM TLS certificates in an AWS account'
- get_certificates(options, **kwargs)
- options: List[Dict[str, Any]] = [{'helpMessage': 'Must be a valid AWS account number!', 'name': 'accountNumber', 'required': True, 'type': 'str', 'validation': '^[0-9]{12,12}$'}, {'helpMessage': 'Comma separated list of regions to search in, if no region is specified we look in all regions.', 'name': 'regions', 'type': 'str'}]
- slug: str | None = 'aws-acm-source'
- title: str | None = 'AWS-ACM'
- version = 'unknown'
- class lemur.plugins.lemur_aws.plugin.AWSDestinationPlugin
Bases:
DestinationPlugin
- author: str | None = 'Kevin Glisson'
- author_url: str | None = 'https://github.com/netflix/lemur'
- clean(certificate, options, **kwargs)
- deploy(elb_name, account, region, certificate)
- description: str | None = 'Allow the uploading of certificates to AWS IAM'
- options: List[Dict[str, Any]] = [{'helpMessage': 'Must be a valid AWS account number!', 'name': 'accountNumber', 'required': True, 'type': 'str', 'validation': '[0-9]{12}'}, {'default': '/', 'helpMessage': 'Path prefix for uploaded certificates.', 'name': 'path', 'type': 'str', 'validation': '^(?:|/|/\\S+/)$'}]
- slug: str | None = 'aws-destination'
- sync_as_source = True
- sync_as_source_name = 'aws-source'
- title: str | None = 'AWS'
- upload(name, body, private_key, cert_chain, options, **kwargs)
- version = 'unknown'
- class lemur.plugins.lemur_aws.plugin.AWSSourcePlugin
Bases:
SourcePlugin
- author: str | None = 'Kevin Glisson'
- author_url: str | None = 'https://github.com/netflix/lemur'
- clean(certificate, options, **kwargs)
- description: str | None = 'Discovers all SSL certificates and ELB or Cloudfront endpoints in an AWS account'
- get_certificate_by_name(certificate_name, options)
- get_certificates(options, **kwargs)
- get_distributions(options, **kwargs)
- get_endpoint_certificate_names(endpoint)
- get_endpoints(options, **kwargs)
- get_load_balancers(options, **kwargs)
- options: List[Dict[str, Any]] = [{'helpMessage': 'Must be a valid AWS account number!', 'name': 'accountNumber', 'required': True, 'type': 'str', 'validation': '^[0-9]{12,12}$'}, {'helpMessage': 'Comma separated list of regions to search in, if no region is specified we look in all regions.', 'name': 'regions', 'type': 'str'}, {'default': '/', 'helpMessage': "Only discover certificates with this path prefix. Must begin and end with slash. For CloudFront sources, use '/cloudfront/'.", 'name': 'path', 'type': 'str', 'validation': '^(?:|/|/\\S+/)$'}, {'available': ['elb', 'cloudfront', 'none'], 'default': 'elb', 'helpMessage': 'Type of AWS endpoint to discover. Defaults to elb if not set.', 'name': 'endpointType', 'type': 'select'}]
- slug: str | None = 'aws-source'
- title: str | None = 'AWS'
- update_endpoint(endpoint, certificate)
- version = 'unknown'
- class lemur.plugins.lemur_aws.plugin.S3DestinationPlugin(*args, **kwargs)
Bases:
ExportDestinationPlugin
- additional_options = [{'helpMessage': 'Must be a valid S3 bucket name!', 'name': 'bucket', 'required': True, 'type': 'str', 'validation': '[0-9a-z.-]{3,63}'}, {'helpMessage': 'A valid AWS account number with permission to access S3', 'name': 'accountNumber', 'required': True, 'type': 'str', 'validation': '[0-9]{12}'}, {'available': ['us-east-1', 'us-west-2', 'eu-west-1'], 'default': 'us-east-1', 'helpMessage': 'Region bucket exists', 'name': 'region', 'required': False, 'type': 'str'}, {'default': True, 'helpMessage': 'Enable server side encryption', 'name': 'encrypt', 'required': False, 'type': 'bool'}, {'default': '', 'helpMessage': 'Must be a valid S3 object prefix!', 'name': 'prefix', 'required': False, 'type': 'str', 'validation': '^(?:[^/].*|)$'}]
- allow_multiple_per_account()
Specifies whether or not multiple of this destination type may be added per AWS account.
- author: str | None = 'Mikhail Khodorovskiy, Harm Weites <harm@weites.com>'
- author_url: str | None = 'https://github.com/Netflix/lemur'
- clean(certificate, options, **kwargs)
- delete_acme_token(token_path, options, **kwargs)
- description: str | None = 'Allow the uploading of certificates to Amazon S3'
- slug: str | None = 'aws-s3'
- title: str | None = 'AWS-S3'
- upload(name, body, private_key, chain, options, **kwargs)
- upload_acme_token(token_path, token, options, **kwargs)
This is called from the acme http challenge
- Parameters:
self –
token_path –
token –
options –
kwargs –
- Returns:
- class lemur.plugins.lemur_aws.plugin.SNSNotificationPlugin
Bases:
ExpirationNotificationPlugin
- additional_options = [{'helpMessage': 'A valid AWS account number with permission to access the SNS topic', 'name': 'accountNumber', 'required': True, 'type': 'str', 'validation': '[0-9]{12}'}, {'helpMessage': 'Region in which the SNS topic is located, e.g. "us-east-1"', 'name': 'region', 'required': True, 'type': 'str', 'validation': '[0-9a-z\\-]{1,25}'}, {'helpMessage': 'The name of the topic to use for expiration notifications', 'name': 'topicName', 'required': True, 'type': 'str', 'validation': '^[a-zA-Z0-9_\\-]{1,256}$'}]
- author: str | None = 'Jasmine Schladen <jschladen@netflix.com>'
- author_url: str | None = 'https://github.com/Netflix/lemur'
- description: str | None = 'Sends notifications to AWS SNS'
- send(notification_type, message, excluded_targets, options, **kwargs)
While we receive a targets parameter here, it is unused, as the SNS topic is pre-configured in the plugin configuration, and can’t reasonably be changed dynamically.
- slug: str | None = 'aws-sns'
- title: str | None = 'AWS SNS'
- version = 'unknown'
- lemur.plugins.lemur_aws.plugin.format_elb_cipher_policy(policy)
Attempts to format cipher policy information into a common format.
- Parameters:
policy –
- Returns:
- lemur.plugins.lemur_aws.plugin.format_elb_cipher_policy_v2(policy)
Attempts to format cipher policy information for elbv2 into a common format.
- Parameters:
policy –
- Returns:
- lemur.plugins.lemur_aws.plugin.get_distribution_endpoint(account_number, cert_id_to_name, distrib_dict)
Constructs endpoint data from a distribution response, or None if it does not represent a distribution Lemur cares about.
- Parameters:
account_number –
cert_id_to_name – map of IAM certificate IDs to names
distrib_dict –
- Returns:
a list of endpoint dictionaries
- lemur.plugins.lemur_aws.plugin.get_elb_endpoints(account_number, region, elb_dict)
Retrieves endpoint information from elb response data.
- Parameters:
account_number –
region –
elb_dict –
- Returns:
- lemur.plugins.lemur_aws.plugin.get_elb_endpoints_v2(account_number, region, elb_dict)
Retrieves endpoint information from elbv2 response data.
- Parameters:
account_number –
region –
elb_dict –
- Returns:
- lemur.plugins.lemur_aws.plugin.get_region_from_dns(dns)
sts Module
- lemur.plugins.lemur_aws.sts.sts_client(service, service_type='client')