@jsf9k jsf9k commented Aug 30, 2024

🗣 Description

This pull request implements the Python code for an AWS Lambda function that will disable users' inactive console and programmatic access.

See also:

💭 Motivation and context

We have a POAM about disabling inactive users in IAM. Partially resolves cisagov/cool-system-internal#143.

🧪 Testing

I applied this module to our COOL Users account without incident.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • All new and existing tests pass.

✅ Pre-merge checklist

  • Finalize version.

✅ Post-merge checklist

  • Create a release.

jsf9k added 14 commits August 29, 2024 10:18
If a user's console access was created too recently then we cannot yet
determine inactivity, so we should not disable it.
If a user's access key was created too recently then we cannot yet
determine inactivity, so we should not disable it.
I also removed the run_lambda_locally section as it will not be used
with this project.
Otherwise we cannot perform arithmetic such as now -
login_profile_create, since the latter is timezone-aware.
This package is already available to Lambda functions.
…nsole access

In such a case the "PasswordLastUsed" key does not exist for the user.
@jsf9k jsf9k added the improvement label Aug 30, 2024
@jsf9k jsf9k self-assigned this Aug 30, 2024
@jsf9k jsf9k requested a review from a team August 30, 2024 19:19
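
The commit notes above name three edge cases: credentials created too recently to judge, timezone-aware timestamps, and a missing "PasswordLastUsed" key. The sketch below is an added example, not the code from this pull request, and shows one way to make that decision without calling AWS. The 45-day threshold, the function names, the merged key dictionaries (creation date and "LastUsedDate" in one record) and the choice to treat an old, never-used credential as inactive are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed threshold; the page does not say what value the Lambda uses.
INACTIVITY = timedelta(days=45)


def is_inactive(created, last_used, now, limit=INACTIVITY):
    """Decide whether a credential created at `created` counts as inactive."""
    if now - created < limit:
        return False  # created too recently to judge inactivity
    if last_used is None:
        return True  # old enough and never used (assumed policy)
    return now - last_used >= limit


def plan_for_user(user, login_profile, keys, now=None):
    """Return what to disable for one user, without calling AWS."""
    # IAM timestamps are timezone-aware, so "now" must be aware as well.
    now = now or datetime.now(timezone.utc)
    plan = {"disable_console": False, "disable_keys": []}
    if login_profile is not None:  # None means the user has no console access
        plan["disable_console"] = is_inactive(
            login_profile["CreateDate"], user.get("PasswordLastUsed"), now
        )
    for key in keys:
        if key["Status"] == "Active" and is_inactive(
            key["CreateDate"], key.get("LastUsedDate"), now
        ):
            plan["disable_keys"].append(key["AccessKeyId"])
    return plan


# Constructed sample data, shaped like IAM API responses.
UTC = timezone.utc
NOW = datetime(2024, 9, 1, tzinfo=UTC)
USER = {"UserName": "alice"}  # no "PasswordLastUsed": never signed in
PROFILE = {"CreateDate": datetime(2024, 1, 1, tzinfo=UTC)}
KEYS = [
    {"AccessKeyId": "KEY-NEW", "Status": "Active",
     "CreateDate": datetime(2024, 8, 20, tzinfo=UTC)},
    {"AccessKeyId": "KEY-STALE", "Status": "Active",
     "CreateDate": datetime(2023, 1, 1, tzinfo=UTC),
     "LastUsedDate": datetime(2024, 3, 1, tzinfo=UTC)},
    {"AccessKeyId": "KEY-BUSY", "Status": "Active",
     "CreateDate": datetime(2023, 1, 1, tzinfo=UTC),
     "LastUsedDate": datetime(2024, 8, 25, tzinfo=UTC)},
]

if __name__ == "__main__":
    print(plan_for_user(USER, PROFILE, KEYS, NOW))
```
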
@dav3r dav3r left a comment

Looks great! I noted a few thangs in validate_event_data that I think you overlooked.

Co-authored-by: dav3r <david.redmin@trio.dhs.gov>
@mcdonnnj mcdonnnj left a comment

Please enable the dependabot ignore directives and fix the upstream repository reference in

# # Managed by cisagov/disable-inactive-iam-users-lambda
# - dependency-name: actions/upload-artifact
# - dependency-name: github/codeql-action

That reference changing suggests you have not updated your locally installed skeleton extension. Please update with gh extension upgrade --all to ensure you're working with the latest copy.

Also correct repo reference in comment.

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
jsf9k commented Sep 2, 2024

Please enable the dependabot ignore directives and fix the upstream repository reference in

# # Managed by cisagov/disable-inactive-iam-users-lambda
# - dependency-name: actions/upload-artifact
# - dependency-name: github/codeql-action

That reference changing suggests you have not updated your locally installed skeleton extension. Please update with gh extension upgrade --all to ensure you're working with the latest copy.

Please see commit 469a51f.

@jsf9k jsf9k requested a review from mcdonnnj September 2, 2024 17:30
dv4harr10 commented Sep 3, 2024

Hi Team, for README.md file section 'How to update Python dependencies' sentence 'More information about the Pipfile format can be found here.' The link from 'here' returns a 404 not found error.

jsf9k commented Sep 3, 2024

Hi Team @ALL , for README.md file section 'How to update Python dependencies' sentence 'More information about the Pipfile format can be found here.' The link from 'here' returns a 404 not found error.

I created cisagov/skeleton-aws-lambda-python#32 to fix this upstream.

…Python

This is the latest Python runtime we can currently support, given our
AWS Terraform provider constraints.

Co-authored-by: Dave Redmin <david.redmin@gwe.cisa.dhs.gov>
jsf9k commented Sep 5, 2024

@mcdonnnj - This work is due tomorrow, and you are out of the office, so I am going to assume that you are satisfied with the changes I made in response to your review.

@jsf9k jsf9k merged commit 5dccdb5 into develop Sep 5, 2024
@jsf9k jsf9k deleted the first-commits branch September 5, 2024 18:08