aws.elasticsearch remove-statements action issue #6337

Open
jtroberts83 opened this issue Dec 8, 2020 · 0 comments

Describe the bug
When testing the new aws.elasticsearch resource's cross-account filter and remove-statements action, Elasticsearch errors out if, after removing the bad policy statement, the policy is then blank, as blank policies are not allowed.

To Reproduce
If the Elasticsearch domain's policy only has 1 statement, which is bad, and you run a cross-account filter and remove-statements action, it will error out.

Expected behavior
The remove-statements action would need to populate something for the policy if it is left blank after removing the matched/bad statements. Not sure what this would look like though.

Background (please complete the following information):

  • OS: Ubuntu V20
  • Python Version: 3.8.5
  • Custodian Version: Main branch (non-release)
  • Tool Version: 0.9.8
  • Cloud Provider: aws
  • Policy:
policies:
- name: es-cross-account
  resource: elasticsearch
  filters:
      - type: cross-account
        everyone_only: false
  actions:
      - type: remove-statements
        statement_ids: matched

  • Traceback:
custodian run -s . --assume "arn:aws:iam::12345678900:role/Custodian_EC2_Role" es-cross-account.yml -v --debug
2020-12-08 21:23:30,537: custodian.commands:DEBUG Loaded file es-cross-account.yml . Contains 1 policies
2020-12-08 21:23:30,546: custodian.aws:DEBUG using default region:us-east-1 from boto
2020-12-08 21:23:30,667: custodian.output:DEBUG Storing output with <LogFile file://./es-cross-account/custodian-run.log>
2020-12-08 21:23:30,755: custodian.policy:DEBUG Running policy:es-cross-account resource:elasticsearch region:us-east-1 c7n:0.9.8
2020-12-08 21:23:30,756: custodian.cache:DEBUG Using cache file /home/ubuntu/.cache/cloud-custodian.cache
2020-12-08 21:23:30,756: custodian.resources.elasticsearchdomain:DEBUG Using cached c7n.resources.elasticsearch.ElasticSearchDomain: 1
2020-12-08 21:23:30,843: custodian.resources.elasticsearchdomain:DEBUG Filtered from 1 to 1 elasticsearchdomain
2020-12-08 21:23:30,843: custodian.policy:INFO policy:es-cross-account resource:elasticsearch region:us-east-1 count:1 time:0.09
2020-12-08 21:23:31,236: custodian.actions:ERROR Error processing es:arn:aws:es:us-east-1:12345678900:domain/tf-es-cross-account
Traceback (most recent call last):
  File "/home/ubuntu/.local/lib/python3.8/site-packages/c7n/resources/elasticsearch.py", line 185, in process
    self.process_resource(client, r)
  File "/home/ubuntu/.local/lib/python3.8/site-packages/c7n/resources/elasticsearch.py", line 199, in process_resource
    client.update_elasticsearch_domain_config(
  File "/usr/local/lib/python3.8/dist-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.8/dist-packages/botocore/client.py", line 676, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidTypeException: An error occurred (InvalidTypeException) when calling the UpdateElasticsearchDomainConfig operation: Error setting policy: [{"Version": "2012-10-17", "Statement": []}]
2020-12-08 21:23:31,238: custodian.policy:INFO policy:es-cross-account action:removepolicystatement resources:1 execution_time:0.39
2020-12-08 21:23:31,239: custodian.output:DEBUG metric:ResourceCount Count:1 policy:es-cross-account restype:elasticsearch scope:policy
2020-12-08 21:23:31,239: custodian.output:DEBUG metric:ApiCalls Count:2 policy:es-cross-account restype:elasticsearch

  • custodian version --debug output

Custodian:   0.9.8
Python:      3.8.5 (default, Jul 28 2020, 12:59:40) 
             [GCC 9.3.0]
Platform:    posix.uname_result(sysname='Linux', nodename='ip-hidden', release='5.4.0-1024-aws', version='#24-Ubuntu SMP Sat Sep 5 06:19:55 UTC 2020', machine='x86_64')
Using venv:  False
Docker: False
Installed: 

/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.2) or chardet (3.0.4) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
argcomplete==1.12.2
attrs==20.3.0
boto3==1.16.28
botocore==1.19.28
c7n==0.9.8
cachetools==4.1.1
cffi==1.14.4
google-api-core==1.23.0
google-api-python-client==1.12.8
google-auth==1.23.0
google-auth-httplib2==0.0.4
google-cloud-core==1.4.4
google-cloud-logging==1.15.1
google-cloud-monitoring==0.34.0
google-cloud-storage==1.33.0
google-crc32c==1.0.0
google-resumable-media==1.1.0
googleapis-common-protos==1.52.0
httplib2==0.18.1
importlib-metadata==1.7.0
importlib_metadata==1.7.0
jmespath==0.10.0
jsonpickle==1.3
jsonschema==3.2.0
protobuf==3.14.0
pyasn1-modules==0.2.1
pycparser==2.20
pyrsistent==0.17.3
python-dateutil==2.8.1
pytz==2020.4
pyyaml==5.3.1
ratelimiter==1.2.0.post0
requests==2.22.0
retrying==1.3.3
rsa==4.0
s3transfer==0.3.3
setuptools==45.2.0
six==1.15.0
tabulate==0.8.7
uritemplate==3.0.1
urllib3==1.26.2
zipp==3.4.0

Additional context
Related to PR #6225
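
The edge case reported above, as an added example that is not part of the original issue or Cloud Custodian's own code: a helper that removes statements by Sid and reports when the result would be the empty `Statement` list that the API rejected in the traceback. The function name, outcome labels and sample policies are assumptions constructed for illustration.

```python
import json

# Constructed sample policies (account IDs and ARNs are placeholders).
ONLY_BAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CrossAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "es:*", "Resource": "*"}]})
MIXED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CrossAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "es:*", "Resource": "*"},
    {"Sid": "SameAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "es:ESHttpGet", "Resource": "*"}]})


def remove_statements(policy_json, matched_sids):
    """Drop statements whose Sid is in matched_sids (hypothetical helper).

    Returns (outcome, new_policy_json):
      'unchanged' - nothing matched, no update call is needed
      'update'    - at least one statement remains, document is returned
      'empty'     - every statement matched; sending "Statement": [] is
                    what produced the InvalidTypeException in the report
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    kept = [s for s in statements if s.get("Sid") not in matched_sids]
    if len(kept) == len(statements):
        return "unchanged", policy_json
    if not kept:
        # Caller must choose the fallback; the issue leaves this open.
        return "empty", None
    policy["Statement"] = kept
    return "update", json.dumps(policy)


if __name__ == "__main__":
    for name, doc in (("only-bad", ONLY_BAD), ("mixed", MIXED)):
        outcome, new_doc = remove_statements(doc, {"CrossAccount"})
        print(name, outcome, new_doc)
```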
