From 026633b0f99b56a1d07269c71680eb47fafc92fb Mon Sep 17 00:00:00 2001
From: Lee Briggs
Date: Tue, 4 Sep 2018 09:40:57 -0700
Subject: [PATCH 1/4] Add global_org_email option

---
 tools/c7n_mailer/c7n_mailer/cli.py | 1 +
 tools/c7n_mailer/c7n_mailer/email_delivery.py | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/tools/c7n_mailer/c7n_mailer/cli.py b/tools/c7n_mailer/c7n_mailer/cli.py
index 14951926492..1e1922f2763 100755
--- a/tools/c7n_mailer/c7n_mailer/cli.py
+++ b/tools/c7n_mailer/c7n_mailer/cli.py
@@ -20,6 +20,7 @@
 'queue_url': {'type': 'string'},
 'from_address': {'type': 'string'},
 'contact_tags': {'type': 'array', 'items': {'type': 'string'}},
+ 'org_domain': {'type': 'string'},
 
 # Standard Lambda Function Config
 'region': {'type': 'string'},
diff --git a/tools/c7n_mailer/c7n_mailer/email_delivery.py b/tools/c7n_mailer/c7n_mailer/email_delivery.py
index 293f3a3d7b6..961ee03d1c2 100644
--- a/tools/c7n_mailer/c7n_mailer/email_delivery.py
+++ b/tools/c7n_mailer/c7n_mailer/email_delivery.py
@@ -103,10 +103,17 @@ def get_valid_emails_from_list(self, targets):
 return emails
 
 def get_event_owner_email(self, targets, event):
+ self.logger.debug('getting owner email')
 if 'event-owner' in targets and self.config.get('ldap_uri', False):
+ self.logger.debug('ldap_uri is: %s.', self.config.get('ldap_uri', False))
 aws_username = self.get_aws_username_from_event(event)
 if aws_username:
 return self.ldap_lookup.get_email_to_addrs_from_uid(aws_username)
+ elif 'event-owner' in targets and self.config.get('org_domain', False):
+ self.logger.debug('org_domain is: %s.', self.config.get('org_domain', False))
+ aws_username = self.get_aws_username_from_event(event)
+ if aws_username:
+ ['aws_username'+ self.config.get('org_domain', False)]
 return []
 
 def get_ldap_emails_from_resource(self, sqs_message, resource):

From 482b809c8c472104a2ef408fa558b550484723b1 Mon Sep 17 00:00:00 2001
From: Lee Briggs
Date: Tue, 4 Sep 2018 12:02:01 -0700
Subject: [PATCH 2/4] Refactor to be cleaner

Add more logging output for debugging purposes
---
 tools/c7n_mailer/c7n_mailer/email_delivery.py | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/tools/c7n_mailer/c7n_mailer/email_delivery.py b/tools/c7n_mailer/c7n_mailer/email_delivery.py
index 961ee03d1c2..4c25927b4b4 100644
--- a/tools/c7n_mailer/c7n_mailer/email_delivery.py
+++ b/tools/c7n_mailer/c7n_mailer/email_delivery.py
@@ -104,16 +104,22 @@ def get_valid_emails_from_list(self, targets):
 
 def get_event_owner_email(self, targets, event):
 self.logger.debug('getting owner email')
- if 'event-owner' in targets and self.config.get('ldap_uri', False):
- self.logger.debug('ldap_uri is: %s.', self.config.get('ldap_uri', False))
+ if 'event-owner' in targets:
+ self.logger.debug('event owner field in targets')
 aws_username = self.get_aws_username_from_event(event)
 if aws_username:
- return self.ldap_lookup.get_email_to_addrs_from_uid(aws_username)
- elif 'event-owner' in targets and self.config.get('org_domain', False):
- self.logger.debug('org_domain is: %s.', self.config.get('org_domain', False))
- aws_username = self.get_aws_username_from_event(event)
- if aws_username:
- ['aws_username'+ self.config.get('org_domain', False)]
+ if self.config.get('ldap_uri', False):
+ self.logger.debug('ldap_uri is: %s.', self.config.get('ldap_uri', False))
+ return self.ldap_lookup.get_email_to_addrs_from_uid(aws_username)
+ elif self.config.get('org_domain', False):
+ org_domain = self.config.get('org_domain', False)
+ self.logger.debug('org_domain is: %s.', org_domain)
+ self.logger.info('adding email %s to targets.', aws_username+'@'+org_domain)
+ return [aws_username+'@'+org_domain]
+ else:
+ self.logger.warning('unable to lookup owner email. Please configure LDAP or org_domain')
+ else:
+ self.logger.info('no aws username in event')
 return []
 
 def get_ldap_emails_from_resource(self, sqs_message, resource):

From 6073f645333ad6ec7697578e98c4246ab9be1e27 Mon Sep 17 00:00:00 2001
From: Lee Briggs
Date: Tue, 4 Sep 2018 15:34:20 -0700
Subject: [PATCH 3/4] Add ability to send to username directly

If an org is using SSO of some kind, the username might already be an email address. Also updated the example.yml
---
 tools/c7n_mailer/c7n_mailer/email_delivery.py | 15 +++++++++++----
 tools/c7n_mailer/example.yml | 6 ++++++
 2 files changed, 17 insertions(+), 4 deletions(-)

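Review bot: The new `elif self.config.get('org_domain', False)` branch returns `[aws_username + '@' + org_domain]` without checking that the event-derived value is a single plain local part, so a username containing whitespace, a comma or its own `@` becomes a malformed or unintended delivery address. `get_aws_username_from_event` is not in the hunk, so the shapes it can return are not visible here; the class's own `get_valid_emails_from_list` (named in the hunk header) looks like the natural filter to pass the constructed address through instead of returning it directly. A minimal guard before the concatenation would be `if '@' in aws_username or any(c.isspace() for c in aws_username): self.logger.warning('event owner %r is not a plain username', aws_username); return []`. Hoisting `org_domain = self.config.get('org_domain', False)` above the `elif` would also avoid reading the setting twice and keep the condition and the value in step.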
diff --git a/tools/c7n_mailer/c7n_mailer/email_delivery.py b/tools/c7n_mailer/c7n_mailer/email_delivery.py
index 4c25927b4b4..a9011d165f0 100644
--- a/tools/c7n_mailer/c7n_mailer/email_delivery.py
+++ b/tools/c7n_mailer/c7n_mailer/email_delivery.py
@@ -108,16 +108,23 @@ def get_event_owner_email(self, targets, event):
 self.logger.debug('event owner field in targets')
 aws_username = self.get_aws_username_from_event(event)
 if aws_username:
- if self.config.get('ldap_uri', False):
+ # is using SSO, the target might already be an email
+ if self.target_is_email(aws_username):
+ return [aws_username]
+ # if the LDAP config is set, lookup in ldap
+ elif self.config.get('ldap_uri', False):
 self.logger.debug('ldap_uri is: %s.', self.config.get('ldap_uri', False))
 return self.ldap_lookup.get_email_to_addrs_from_uid(aws_username)
+ # the org_domain setting is configured, append the org_domain
+ # to the username from AWS
 elif self.config.get('org_domain', False):
 org_domain = self.config.get('org_domain', False)
 self.logger.debug('org_domain is: %s.', org_domain)
- self.logger.info('adding email %s to targets.', aws_username+'@'+org_domain)
- return [aws_username+'@'+org_domain]
+ self.logger.info('adding email %s to targets.', aws_username + '@' + org_domain)
+ return [aws_username + '@' + org_domain]
 else:
- self.logger.warning('unable to lookup owner email. Please configure LDAP or org_domain')
+ self.logger.warning('unable to lookup owner email. \
+ Please configure LDAP or org_domain')
 else:
 self.logger.info('no aws username in event')
 return []
diff --git a/tools/c7n_mailer/example.yml b/tools/c7n_mailer/example.yml
index 9f81c3092f3..166e9997645 100644
--- a/tools/c7n_mailer/example.yml
+++ b/tools/c7n_mailer/example.yml
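Review bot: The backslash at the end of the new `self.logger.warning('unable to lookup owner email. \` line sits inside the string literal, so the continuation line's leading indentation is embedded in the logged message; implicit concatenation avoids that: `self.logger.warning('unable to lookup owner email. ' 'Please configure LDAP or org_domain')`. Separately, the new `if self.target_is_email(aws_username): return [aws_username]` branch makes any email-shaped username taken from the event a recipient with no check against `org_domain`, and unlike the org_domain branch below it does not log the address it chose. If that username field can be influenced by the acting principal (not visible here), notifications could be addressed outside the organisation, so consider requiring the address's domain to match `org_domain` when one is configured and logging the recipient at info level as the org_domain branch does. The comment `# is using SSO, the target might already be an email` presumably means `# if using SSO, ...`. The enclosing `get_event_owner_email` starts before this hunk.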
@@ -43,3 +43,9 @@ ldap_bind_password: "base64_encoded_ciphertext_password"
 # For sending to sns topics we need to assume back into the target account
 cross_accounts:
 '991119991111': 'arn:aws:iam::991119991111:role/MyDeliveryRole'
+
+# if your usernames match email addresses
# you can set an org domain here which is appended to the username
# to send to
+org_domain: example.com
+

From bc244a8399da9b5a840e35f82cd884cae0e00c62 Mon Sep 17 00:00:00 2001
From: Lee Briggs
Date: Wed, 5 Sep 2018 06:59:17 -0700
Subject: [PATCH 4/4] Remove verbose logging for static components

---
 tools/c7n_mailer/c7n_mailer/email_delivery.py | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tools/c7n_mailer/c7n_mailer/email_delivery.py b/tools/c7n_mailer/c7n_mailer/email_delivery.py
index a9011d165f0..0d07fc35c56 100644
--- a/tools/c7n_mailer/c7n_mailer/email_delivery.py
+++ b/tools/c7n_mailer/c7n_mailer/email_delivery.py
@@ -103,9 +103,7 @@ def get_valid_emails_from_list(self, targets):
 return emails
 
 def get_event_owner_email(self, targets, event):
- self.logger.debug('getting owner email')
 if 'event-owner' in targets:
- self.logger.debug('event owner field in targets')
 aws_username = self.get_aws_username_from_event(event)
 if aws_username:
 # is using SSO, the target might already be an email
@@ -113,13 +111,11 @@ def get_event_owner_email(self, targets, event):
 return [aws_username]
 # if the LDAP config is set, lookup in ldap
 elif self.config.get('ldap_uri', False):
- self.logger.debug('ldap_uri is: %s.', self.config.get('ldap_uri', False))
 return self.ldap_lookup.get_email_to_addrs_from_uid(aws_username)
 # the org_domain setting is configured, append the org_domain
 # to the username from AWS
 elif self.config.get('org_domain', False):
 org_domain = self.config.get('org_domain', False)
- self.logger.debug('org_domain is: %s.', org_domain)
 self.logger.info('adding email %s to targets.', aws_username + '@' + org_domain)
 return [aws_username + '@' + org_domain]
 else: