lemur_aws Package

lemur_aws Package

elb Module

lemur.plugins.lemur_aws.elb.attach_certificate(name, port, certificate_id, **kwargs)

Attaches a certificate to a listener, throws exception if certificate specified does not exist in a particular account.

Parameters
  • name

  • port

  • certificate_id

lemur.plugins.lemur_aws.elb.attach_certificate_v2(listener_arn, port, certificates, **kwargs)

Attaches a certificate to a listener, throws exception if certificate specified does not exist in a particular account.

Parameters
  • listener_arn

  • port

  • certificates

lemur.plugins.lemur_aws.elb.describe_listeners_v2(**kwargs)

Fetches one page of listener objects for a given elb arn.

Parameters

kwargs

Returns

lemur.plugins.lemur_aws.elb.describe_load_balancer_policies(load_balancer_name, policy_names, **kwargs)

Fetching all policies currently associated with an ELB.

Parameters

load_balancer_name

Returns

lemur.plugins.lemur_aws.elb.describe_load_balancer_types(policies, **kwargs)

Describe the policies with policy details.

Parameters

policies

Returns

lemur.plugins.lemur_aws.elb.describe_ssl_policies_v2(policy_names, **kwargs)

Fetching all policies currently associated with an ELB.

Parameters

policy_names

Returns

lemur.plugins.lemur_aws.elb.get_all_elbs(**kwargs)

Fetches all elbs for a given account/region

Parameters

kwargs

Returns

lemur.plugins.lemur_aws.elb.get_all_elbs_v2(**kwargs)

Fetches all elbs for a given account/region

Parameters

kwargs

Returns

lemur.plugins.lemur_aws.elb.get_elbs(**kwargs)

Fetches one page elb objects for a given account and region.

lemur.plugins.lemur_aws.elb.get_elbs_v2(**kwargs)

Fetches one page of elb objects for a given account and region.

Parameters

kwargs

Returns

lemur.plugins.lemur_aws.elb.get_listener_arn_from_endpoint(endpoint_name, endpoint_port, **kwargs)

Get a listener ARN from an endpoint. :param endpoint_name: :param endpoint_port: :return:

lemur.plugins.lemur_aws.elb.get_load_balancer_arn_from_endpoint(endpoint_name, **kwargs)

Get a load balancer ARN from an endpoint. :param endpoint_name: :return:

lemur.plugins.lemur_aws.elb.is_valid(listener_tuple)

There are a few rules that aws has when creating listeners, this function ensures those rules are met before we try and create or update a listener.

While these could be caught with boto exception handling, I would rather be nice and catch these early before we sent them out to aws. It also gives us an opportunity to create nice user warnings.

This validity check should also be checked in the frontend but must also be enforced by server.

Parameters

listener_tuple

lemur.plugins.lemur_aws.elb.retry_throttled(exception)

Determines if this exception is due to throttling :param exception: :return:

iam Module

lemur.plugins.lemur_aws.iam.create_arn_from_cert(account_number, partition, certificate_name, path='')

Create an ARN from a certificate. :param path: :param account_number: :param partition: :param certificate_name: :return:

lemur.plugins.lemur_aws.iam.delete_cert(cert_name, **kwargs)

Delete a certificate from AWS

Parameters

cert_name

Returns

lemur.plugins.lemur_aws.iam.get_all_certificates(restrict_path=None, **kwargs)

Use STS to fetch all of the SSL certificates from a given account :param restrict_path: If provided, only return certificates with a matching Path value.

lemur.plugins.lemur_aws.iam.get_certificate(name, **kwargs)

Retrieves an SSL certificate.

Returns

lemur.plugins.lemur_aws.iam.get_certificate_id_to_name(**kwargs)

Use STS to fetch a map of IAM certificate IDs to names

lemur.plugins.lemur_aws.iam.get_certificates(**kwargs)

Fetches one page of certificate objects for a given account. :param kwargs: :return:

lemur.plugins.lemur_aws.iam.get_name_from_arn(arn)

Extract the certificate name from an arn.

examples: ‘arn:aws:iam::123456789012:server-certificate/example.com’ –> ‘example.com’ ‘arn:aws:iam::123456789012:server-certificate/cloudfront/example.com-cloudfront’ –> ‘example.com-cloudfront’ ‘arn:aws:acm:us-west-2:123456789012:certificate/example.com’ –> ‘example.com’

Parameters

arn – IAM TLS certificate arn

Returns

name of the certificate as uploaded to AWS

lemur.plugins.lemur_aws.iam.get_path_from_arn(arn)

Get the certificate path from the certificate arn.

examples: ‘arn:aws:iam::123456789012:server-certificate/example.com’ –> ‘’ ‘arn:aws:iam::123456789012:server-certificate/cloudfront/example.com-cloudfront’ –> ‘cloudfront’ ‘arn:aws:iam::123456789012:server-certificate/cloudfront/2/example.com-cloudfront’ –> ‘cloudfront/2’ ‘arn:aws:acm:us-west-2:123456789012:certificate/example.com’ –> ‘’

Parameters

arn – IAM TLS certificate arn

Returns

empty or the certificate path without the certificate name

lemur.plugins.lemur_aws.iam.get_registry_type_from_arn(arn)

Get the registery type based on the arn.

examples: ‘arn:aws:iam::123456789000:server-certificate/example.com’ –> ‘iam’ ‘arn:aws:iam::123456789000:server-certificate/cloudfront/example.com-cloudfront’ –> ‘iam’ ‘arn:aws:acm:us-west-2:123456789000:certificate/example.com’ –> ‘acm’

Parameters

arn – IAM TLS certificate arn

Returns

iam or acm or unkown

lemur.plugins.lemur_aws.iam.retry_throttled(exception)

Determines if this exception is due to throttling :param exception: :return:

lemur.plugins.lemur_aws.iam.upload_cert(name, body, private_key, path, cert_chain=None, **kwargs)

Upload a certificate to AWS

Parameters
  • name

  • body

  • private_key

  • cert_chain

  • path

Returns

plugin Module

class lemur.plugins.lemur_aws.plugin.AWSDestinationPlugin

Bases: DestinationPlugin

author = 'Kevin Glisson'
author_url = 'https://github.com/netflix/lemur'
clean(certificate, options, **kwargs)
deploy(elb_name, account, region, certificate)
description = 'Allow the uploading of certificates to AWS IAM'
options = [{'name': 'accountNumber', 'type': 'str', 'required': True, 'validation': '[0-9]{12}', 'helpMessage': 'Must be a valid AWS account number!'}, {'name': 'path', 'type': 'str', 'validation': '^(?:|/|/\\S+/)$', 'default': '/', 'helpMessage': 'Path prefix for uploaded certificates.'}]
slug = 'aws-destination'
sync_as_source = True
sync_as_source_name = 'aws-source'
title = 'AWS'
upload(name, body, private_key, cert_chain, options, **kwargs)
version = 'unknown'
class lemur.plugins.lemur_aws.plugin.AWSSourcePlugin

Bases: SourcePlugin

author = 'Kevin Glisson'
author_url = 'https://github.com/netflix/lemur'
clean(certificate, options, **kwargs)
description = 'Discovers all SSL certificates and ELB or Cloudfront endpoints in an AWS account'
get_certificate_by_name(certificate_name, options)
get_certificates(options, **kwargs)
get_distributions(options, **kwargs)
get_endpoint_certificate_names(endpoint)
get_endpoints(options, **kwargs)
get_load_balancers(options, **kwargs)
options = [{'name': 'accountNumber', 'type': 'str', 'required': True, 'validation': '^[0-9]{12,12}$', 'helpMessage': 'Must be a valid AWS account number!'}, {'name': 'regions', 'type': 'str', 'helpMessage': 'Comma separated list of regions to search in, if no region is specified we look in all regions.'}, {'name': 'path', 'type': 'str', 'validation': '^(?:|/|/\\S+/)$', 'default': '/', 'helpMessage': "Only discover certificates with this path prefix. Must begin and end with slash. For CloudFront sources, use '/cloudfront/'."}, {'name': 'endpointType', 'type': 'select', 'available': ['elb', 'cloudfront', 'none'], 'default': 'elb', 'helpMessage': 'Type of AWS endpoint to discover. Defaults to elb if not set.'}]
slug = 'aws-source'
title = 'AWS'
update_endpoint(endpoint, certificate)
version = 'unknown'
class lemur.plugins.lemur_aws.plugin.S3DestinationPlugin(*args, **kwargs)

Bases: ExportDestinationPlugin

additional_options = [{'name': 'bucket', 'type': 'str', 'required': True, 'validation': '[0-9a-z.-]{3,63}', 'helpMessage': 'Must be a valid S3 bucket name!'}, {'name': 'accountNumber', 'type': 'str', 'required': True, 'validation': '[0-9]{12}', 'helpMessage': 'A valid AWS account number with permission to access S3'}, {'name': 'region', 'type': 'str', 'default': 'us-east-1', 'required': False, 'helpMessage': 'Region bucket exists', 'available': ['us-east-1', 'us-west-2', 'eu-west-1']}, {'name': 'encrypt', 'type': 'bool', 'required': False, 'helpMessage': 'Enable server side encryption', 'default': True}, {'name': 'prefix', 'type': 'str', 'required': False, 'helpMessage': 'Must be a valid S3 object prefix!'}]
author = 'Mikhail Khodorovskiy, Harm Weites <harm@weites.com>'
author_url = 'https://github.com/Netflix/lemur'
delete_acme_token(token_path, options, **kwargs)
description = 'Allow the uploading of certificates to Amazon S3'
slug = 'aws-s3'
title = 'AWS-S3'
upload(name, body, private_key, chain, options, **kwargs)
upload_acme_token(token_path, token, options, **kwargs)

This is called from the acme http challenge

Parameters
  • self

  • token_path

  • token

  • options

  • kwargs

Returns

class lemur.plugins.lemur_aws.plugin.SNSNotificationPlugin

Bases: ExpirationNotificationPlugin

additional_options = [{'name': 'accountNumber', 'type': 'str', 'required': True, 'validation': '[0-9]{12}', 'helpMessage': 'A valid AWS account number with permission to access the SNS topic'}, {'name': 'region', 'type': 'str', 'required': True, 'validation': '[0-9a-z\\-]{1,25}', 'helpMessage': 'Region in which the SNS topic is located, e.g. "us-east-1"'}, {'name': 'topicName', 'type': 'str', 'required': True, 'validation': '^[a-zA-Z0-9_\\-]{1,256}$', 'helpMessage': 'The name of the topic to use for expiration notifications'}]
author = 'Jasmine Schladen <jschladen@netflix.com>'
author_url = 'https://github.com/Netflix/lemur'
description = 'Sends notifications to AWS SNS'
send(notification_type, message, excluded_targets, options, **kwargs)

While we receive a targets parameter here, it is unused, as the SNS topic is pre-configured in the plugin configuration, and can’t reasonably be changed dynamically.

slug = 'aws-sns'
title = 'AWS SNS'
version = 'unknown'
lemur.plugins.lemur_aws.plugin.format_elb_cipher_policy(policy)

Attempts to format cipher policy information into a common format. :param policy: :return:

lemur.plugins.lemur_aws.plugin.format_elb_cipher_policy_v2(policy)

Attempts to format cipher policy information for elbv2 into a common format. :param policy: :return:

lemur.plugins.lemur_aws.plugin.get_distribution_endpoint(account_number, cert_id_to_name, distrib_dict)

Constructs endpoint data from a distribution response, or None if it does not represent a distribution Lemur cares about. :param account_number: :param cert_id_to_name: map of IAM certificate IDs to names :param distrib_dict: :return: a list of endpoint dictionaries

lemur.plugins.lemur_aws.plugin.get_elb_endpoints(account_number, region, elb_dict)

Retrieves endpoint information from elb response data. :param account_number: :param region: :param elb_dict: :return:

lemur.plugins.lemur_aws.plugin.get_elb_endpoints_v2(account_number, region, elb_dict)

Retrieves endpoint information from elbv2 response data. :param account_number: :param region: :param elb_dict: :return:

lemur.plugins.lemur_aws.plugin.get_region_from_dns(dns)

sts Module

lemur.plugins.lemur_aws.sts.sts_client(service, service_type='client')