
The Lambda script below is supposed to add an AWS account to Trend Micro DSM (which is also in an AWS account). Endpoints are set up between the accounts to allow the communication. It fails with a 400 and cannot add the account:

Log:

2020-11-06T13:28:37.612+00:00 START RequestId: 074eff37-00cc-480b-affb-2e28f0e2a8af Version: $LATEST
2020-11-06T13:28:42.034+00:00 Assuming role: arn:aws:iam::414025531860:role/pcs-pipeline-role
2020-11-06T13:28:42.575+00:00 Assumed successfully!
2020-11-06T13:28:42.575+00:00 /var/runtime/botocore/vendored/requests/api.py:72: DeprecationWarning: You are using the get() function from 'botocore.vendored.requests'. This dependency was removed from Botocore and will be removed from Lambda after 2021/01/30. https://aws.amazon.com/blogs/developer/removing-the-vendored-version-of-requests-from-botocore/. Install the requests package, 'import requests' directly, and use the requests.get() function instead.
2020-11-06T13:28:42.575+00:00 DeprecationWarning
2020-11-06T13:28:44.927+00:00 Allowing public IP for executing Lambda, 34.247.33.230/32, to temporarily call Trend DSM
2020-11-06T13:28:45.070+00:00 DONE!
2020-11-06T13:28:50.076+00:00 Logging into Trend DSM as Org tenant
2020-11-06T13:28:50.076+00:00 /var/runtime/botocore/vendored/requests/api.py:72: DeprecationWarning: You are using the post() function from 'botocore.vendored.requests'. This dependency was removed from Botocore and will be removed from Lambda after 2021/01/30. https://aws.amazon.com/blogs/developer/removing-the-vendored-version-of-requests-from-botocore/. Install the requests package, 'import requests' directly, and use the requests.post() function instead.
2020-11-06T13:28:50.076+00:00 DeprecationWarning
2020-11-06T13:28:50.233+00:00 /var/runtime/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'gdc-pcs-tre-dsmelb-fbsp95snsrjw-2115947587.eu-west-1.elb.amazonaws.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
2020-11-06T13:28:50.233+00:00 InsecureRequestWarning,
2020-11-06T13:28:50.319+00:00 200
2020-11-06T13:28:50.319+00:00 Logged in!
2020-11-06T13:28:50.319+00:00 Getting cloud accounts for Trend org tenant...
2020-11-06T13:28:50.319+00:00 /var/runtime/botocore/vendored/requests/api.py:72: DeprecationWarning: You are using the get() function from 'botocore.vendored.requests'. This dependency was removed from Botocore and will be removed from Lambda after 2021/01/30. https://aws.amazon.com/blogs/developer/removing-the-vendored-version-of-requests-from-botocore/. Install the requests package, 'import requests' directly, and use the requests.get() function instead.
2020-11-06T13:28:50.319+00:00 DeprecationWarning
2020-11-06T13:28:50.493+00:00 /var/runtime/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'xyz-abc-tre-dsmelb-fbsp95snsrjw-7443282981.eu-west-1.elb.amazonaws.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
2020-11-06T13:28:50.493+00:00 InsecureRequestWarning,
2020-11-06T13:28:50.528+00:00 Retrieved!
2020-11-06T13:28:50.528+00:00 Checking if tenant account already in Trend DSM Org Tenant
2020-11-06T13:28:50.528+00:00 Not found
2020-11-06T13:28:50.528+00:00 Adding 11994547362545 as Trend cloud account...
2020-11-06T13:28:50.528+00:00 /var/runtime/botocore/vendored/requests/api.py:72: DeprecationWarning: You are using the post() function from 'botocore.vendored.requests'. This dependency was removed from Botocore and will be removed from Lambda after 2021/01/30. https://aws.amazon.com/blogs/developer/removing-the-vendored-version-of-requests-from-botocore/. Install the requests package, 'import requests' directly, and use the requests.post() function instead.
2020-11-06T13:28:50.528+00:00 DeprecationWarning
2020-11-06T13:28:50.693+00:00 /var/runtime/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'xyz-abc-tre-dsmelb-fbsp95snsrjw-7443282981.eu-west-1.elb.amazonaws.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
2020-11-06T13:28:50.693+00:00 InsecureRequestWarning,
2020-11-06T13:28:51.373+00:00 400
2020-11-06T13:28:51.373+00:00 Failed!




```python
import os
import json
import time
import boto3
# The vendored copy of requests is deprecated (see the DeprecationWarning in the
# log): package the requests library with the function and import it directly.
import requests
import layer as utils


def handler(event, context):
    job_id = None
    try:
        # Extract the Job ID
        job_id = event['CodePipeline.job']['id']
        event_data = utils.parse_event_data(event)
        print(event_data)
        trend_micro_deep_security_integration(event_data['TenantAccountId'], event_data['Organisation'])
        utils.put_job_success(job_id)
    except Exception as err:
        if job_id is None:
            # No job ID could be read from the event, so there is no job to fail
            raise
        utils.put_job_failure(job_id, str(err))


def trend_micro_deep_security_integration(tenant_account_id, tenant_organisation):
    # retrieve trend tenant password from ssm param store
    client = boto3.client('ssm', region_name='eu-west-1')
    TREND_TENANT_PASSWORD = client.get_parameter(Name='TrendTenantPassword', WithDecryption=True)['Parameter']['Value']
    # assume role in aws provider account for trend dsm
    sts_client = boto3.client('sts')
    trend_account_role_arn = 'arn:aws:iam::654533721364:role/{}'.format(os.environ['DEPLOY_ROLE'])
    TREND_SESSION = utils.get_sts_session(sts_client, trend_account_role_arn)
    # determine public ip of executing lambda function
    public_ip = requests.get('https://checkip.amazonaws.com').text.rstrip()
    global LAMBDA_PUBLIC_IP
    LAMBDA_PUBLIC_IP = '{}/32'.format(public_ip)
    # add lambda public ip as temp ingress cidr ip
    SG_ID = 'sg-01ct911f8ch7d2ed5'
    changed = authorize_trend_elb_ingress(TREND_SESSION, SG_ID)
    if changed:
        time.sleep(5)
    org_name = tenant_organisation.upper().strip()
    try:
        # log into trend dsm
        payload = get_trend_auth_payload_json(org_name, TREND_TENANT_PASSWORD)
        cookie = get_trend_org_cookie(org_name, payload)
        # check and if required, add tenant account into their trend tenant for the assigned org
        dsm_account_names = get_trend_org_cloud_accounts(cookie)
        if not is_account_in_trend_dsm(dsm_account_names, tenant_account_id):
            success = add_trend_cloud_account(cookie, tenant_account_id)
        else:
            success = True
    finally:
        # always remove temp ingress rule, also when one of the requests above raised
        revoke_trend_elb_ingress(TREND_SESSION, SG_ID)
    # if any error when adding account, throw exception
    if not success:
        raise Exception("Failed to add tenant as cloud account in Trend Deep Security Manager!")
    print("Trend Micro Deep Security Manager integration complete!")


## TREND DEEP SECURITY HELPER FUNCTIONS ###
def trend_sg_ingress_rule_exists(sg_rules):
    # True if any rule in the security group already lists the Lambda's /32
    for elem in sg_rules:
        matches = [x for x in elem['IpRanges'] if x['CidrIp'] == LAMBDA_PUBLIC_IP]
        if any(matches):
            return True
    return False


def authorize_trend_elb_ingress(TREND_SESSION, SECURITY_GROUP_ID):
    ec2 = TREND_SESSION.resource('ec2', region_name='eu-west-1')
    elb_security_group = ec2.SecurityGroup(SECURITY_GROUP_ID)
    if trend_sg_ingress_rule_exists(elb_security_group.ip_permissions):
        return False
    print("Allowing public IP for executing Lambda, {}, to temporarily call Trend DSM".format(LAMBDA_PUBLIC_IP))
    elb_security_group.authorize_ingress(
        CidrIp=LAMBDA_PUBLIC_IP,
        FromPort=777,
        ToPort=777,
        IpProtocol='tcp',
    )
    print("DONE!")
    return True


def revoke_trend_elb_ingress(TREND_SESSION, SECURITY_GROUP_ID):
    ec2 = TREND_SESSION.resource('ec2', region_name='eu-west-1')
    elb_security_group = ec2.SecurityGroup(SECURITY_GROUP_ID)
    if not trend_sg_ingress_rule_exists(elb_security_group.ip_permissions):
        return False
    print("Revoking public IP for executing Lambda, {}, from Trend DSM ELB SG".format(LAMBDA_PUBLIC_IP))
    elb_security_group.revoke_ingress(
        CidrIp=LAMBDA_PUBLIC_IP,
        FromPort=777,
        ToPort=777,
        IpProtocol='tcp',
    )
    print("DONE!")
    return True


def is_account_in_trend_dsm(dsm_names, account_id):
    print("Checking if tenant account already in Trend DSM Org Tenant")
    for dsm_account_name in dsm_names:
        # DSM cloud account names end in the 12-digit AWS account ID
        if account_id == dsm_account_name[-12:]:
            print("Found!")
            return True
    print("Not found")
    return False


def get_trend_org_cookie(org_name, payload):
    print("Logging into Trend DSM as Org tenant")
    headers = {'content-type': "application/json", 'accept': "application/json"}
    r = requests.post(
        url="https://xyz-abc-tre-dsmelb-fbsp95snsrjw-2912957566.eu-west-1.elb.amazonaws.com/rest/authentication/login",
        headers=headers,
        data=payload,
        # verify=False disables TLS certificate checking (the InsecureRequestWarning
        # in the log); point verify at the DSM CA bundle instead once it is available
        verify=False
    )
    print(r.status_code)
    if r.status_code != 200:
        # Do not hand an error body on as if it were a session ID
        raise Exception("Trend DSM login failed ({}): {}".format(r.status_code, r.text))
    print("Logged in!")
    # the login response body is the session ID used as the sID cookie below
    return r.text


def get_trend_auth_payload_json(org_name, org_tenant_password):
    auth = {
        'dsCredentials': {'userName': 'MasterAdmin', 'password': org_tenant_password, 'tenantName': org_name}
    }
    return json.dumps(auth)


def get_trend_org_cloud_accounts(cookie_string):
    cookie = {'sID': cookie_string}
    headers = {'content-type': "application/json", 'accept': "application/json"}
    print("Getting cloud accounts for Trend org tenant...")
    r = requests.get(
        url="https://xyz-abc-tre-dsmelb-fbsh952n1rbw-2185847414.eu-west-1.elb.amazonaws.com/rest/cloudaccounts/",
        headers=headers,
        cookies=cookie,
        verify=False
    )
    resp = r.json()['ListCloudAccountsResponse']
    print("Retrieved!")
    return [x['name'] for x in resp['cloudAccount']]


def add_trend_cloud_account(cookie_string, account_id):
    cookie = {'sID': cookie_string}
    headers = {'content-type': "application/json", 'accept': "application/json"}
    info = {}
    info['AddAwsAccountRequest'] = {}
    info['AddAwsAccountRequest']['crossAccountRole'] = {}
    info['AddAwsAccountRequest']['crossAccountRole']['roleArn'] = 'arn:aws:iam::{}:role/gdc-pcs-trend-micro-dsm-role'.format(account_id)
    info['AddAwsAccountRequest']['crossAccountRole']['externalId'] = '7F4DC12D-53B2-1BEX-7CB7-8759CDADEB71'
    print('Adding {} as Trend cloud account...'.format(account_id))
    r = requests.post(
        url="https://xyz-abc-tre-dsmelb-fbsp95snsrjw-7443282981.eu-west-1.elb.amazonaws.com/rest/cloudaccounts/aws",
        headers=headers,
        cookies=cookie,
        data=json.dumps(info),
        verify=False
    )
    print(r.status_code)
    if r.status_code == 200:
        print("Done!")
        return True
    else:
        # log the response body: DSM describes the reason for a 400 there
        print("Failed! {}".format(r.text))
        return False
```
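Two things in this flow deserve a worked example beyond what the posted script shows. First, the temporary security-group rule is only revoked on the happy path: if the login, the account listing or the add call raises, the Lambda's public IP stays whitelisted on the DSM ELB. Second, on a 400 the script prints only the status code and discards the response body, which is where DSM reports why the request was rejected, so the job failure reaches CodePipeline with nothing to act on. The following is an added example (my own code, not the question's and not Trend Micro's) showing a context manager that guarantees the revoke and a request helper that surfaces the body. It assumes a constructed in-memory stand-in for boto3's `ec2.SecurityGroup` resource with the same `ip_permissions` / `authorize_ingress` / `revoke_ingress` shape, an injected `post(url, headers, cookies, data) -> (status, text)` transport so it runs offline, and placeholder values for `DSM_PORT`, the base URL, session ID, role ARN and external ID.

```python
import json
from contextlib import contextmanager

DSM_PORT = 777  # assumption: the listener port used by the question's security-group rule


class FakeSecurityGroup:
    """Constructed, in-memory stand-in for boto3's ec2.SecurityGroup so the example
    runs offline; same attribute and method shapes as the real resource."""

    def __init__(self):
        self.ip_permissions = []

    def authorize_ingress(self, CidrIp, FromPort, ToPort, IpProtocol):
        self.ip_permissions.append({
            "IpProtocol": IpProtocol, "FromPort": FromPort, "ToPort": ToPort,
            "IpRanges": [{"CidrIp": CidrIp}],
        })

    def revoke_ingress(self, CidrIp, FromPort, ToPort, IpProtocol):
        self.ip_permissions = [
            p for p in self.ip_permissions
            if not (p["FromPort"] == FromPort and p["ToPort"] == ToPort
                    and p["IpProtocol"] == IpProtocol
                    and any(r["CidrIp"] == CidrIp for r in p["IpRanges"]))
        ]


def ingress_rule_exists(sg, cidr, port=DSM_PORT):
    """Match on protocol and port as well as CIDR, so an unrelated rule for the
    same address on another port is neither mistaken for ours nor revoked."""
    return any(
        p.get("IpProtocol") == "tcp" and p.get("FromPort") == port and p.get("ToPort") == port
        and any(r["CidrIp"] == cidr for r in p.get("IpRanges", []))
        for p in sg.ip_permissions
    )


@contextmanager
def temporary_ingress(sg, cidr, port=DSM_PORT):
    """Open tcp/port from cidr for the duration of the with-block and revoke it in a
    finally clause, so a failed login or a 400 from DSM cannot leave the rule behind."""
    if not ingress_rule_exists(sg, cidr, port):
        sg.authorize_ingress(CidrIp=cidr, FromPort=port, ToPort=port, IpProtocol="tcp")
    try:
        yield
    finally:
        if ingress_rule_exists(sg, cidr, port):
            sg.revoke_ingress(CidrIp=cidr, FromPort=port, ToPort=port, IpProtocol="tcp")


class DsmError(Exception):
    """Carries the DSM status code and response body so a 400 can be diagnosed."""

    def __init__(self, status, body):
        super().__init__("DSM returned HTTP {}: {}".format(status, body))
        self.status = status
        self.body = body


def add_aws_account(post, base_url, session_id, role_arn, external_id):
    """post(url, headers, cookies, data) -> (status_code, text) is injected so the
    example is offline; a real caller wraps requests.post with verify pointed at
    the DSM CA bundle. Raises DsmError with the body on any non-2xx status."""
    headers = {"content-type": "application/json", "accept": "application/json"}
    body = {"AddAwsAccountRequest": {"crossAccountRole": {
        "roleArn": role_arn, "externalId": external_id}}}
    status, text = post(base_url + "/rest/cloudaccounts/aws", headers,
                        {"sID": session_id}, json.dumps(body))
    if status // 100 != 2:
        raise DsmError(status, text)
    return json.loads(text) if text else {}


def integrate(sg, lambda_cidr, post, base_url, session_id, role_arn, external_id):
    """The question's add-account step with the revoke guaranteed. Returns a summary
    that carries the DSM body on failure, which is what put_job_failure should get."""
    try:
        with temporary_ingress(sg, lambda_cidr):
            result = add_aws_account(post, base_url, session_id, role_arn, external_id)
        summary = {"ok": True, "body": result}
    except DsmError as err:
        summary = {"ok": False, "status": err.status, "body": err.body}
    summary["rule_left_open"] = ingress_rule_exists(sg, lambda_cidr)
    return summary


def canned_post(status, text):
    """Constructed transport: returns one fixed (status, body) and records each call."""
    calls = []

    def post(url, headers, cookies, data):
        calls.append({"url": url, "cookies": cookies, "data": json.loads(data)})
        return status, text
    post.calls = calls
    return post


if __name__ == "__main__":
    sg = FakeSecurityGroup()
    args = ("https://dsm.example", "session-id", "arn:aws:iam::111111111111:role/dsm-role", "external-id")
    print(integrate(sg, "203.0.113.10/32", canned_post(200, '{"AddAwsAccountResponse": {}}'), *args))
    print(integrate(sg, "203.0.113.10/32", canned_post(400, "constructed error body"), *args))
```

In the Lambda the `sg` argument would be the real `ec2.SecurityGroup(SG_ID)` resource obtained from the assumed-role session, and `post` a thin wrapper around `requests.post` that passes `verify="/path/to/dsm-ca.pem"` instead of `verify=False`, which removes the InsecureRequestWarning while keeping the ELB's self-signed or private-CA certificate usable. The `summary["body"]` of a failed run is the text to put in `put_job_failure`: it is the DSM-side explanation of the 400 that the posted script currently drops.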


