#!/usr/bin/env python # -*- coding: utf-8 -*- """ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: MIT-0 * * Permission is hereby granted, free of charge, to any person obtaining a copy of this * software and associated documentation files (the "Software"), to deal in the Software * without restriction, including without limitation the rights to use, copy, modify, * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. """ import os import time from typing import Optional from aws_lambda_powertools import Logger from quarantine.plugins.abstract_plugin import AbstractPlugin from quarantine.constants import SSM_COMMANDS logger = Logger(child=True) EC2_INSTANCE_PROFILE_ARN = os.getenv("EC2_INSTANCE_PROFILE_ARN") class CommandOutput(AbstractPlugin): """ Run commands from SSM and upload results to S3 """ def execute(self) -> Optional[str]: if not SSM_COMMANDS: logger.debug(f"No commands to execute on {self.instance_id}, skipping") return is_ssm_managed = len(self.ssm.describe_instance_information(self.instance_id)) > 0 try: # remove any existing EC2 instance profiles self.ec2.remove_ec2_instance_profile(self.instance_id) except Exception: logger.exception(f"Unable to remove EC2 instance profile from {self.instance_id}") return if not is_ssm_managed: message = ( f"Instance {self.instance_id} was not managed by SSM, skipping command capture" ) logger.debug(message) return message if not EC2_INSTANCE_PROFILE_ARN: logger.warning("EC2_INSTANCE_PROFILE_ARN is not defined, unable to issue commands") return try: # attach limited EC2 instance profile self.ec2.attach_ec2_instance_profile(self.instance_id, EC2_INSTANCE_PROFILE_ARN) # wait 5 seconds for the instance profile to stabilize time.sleep(5) self.ssm.send_commands(self.instance_id, SSM_COMMANDS) # remove the limited EC2 instance profiles self.ec2.remove_ec2_instance_profile(self.instance_id) message = f"Captured output from {self.instance_id} for commands: {SSM_COMMANDS}" except Exception: message = ( f"Unable to capture output from {self.instance_id} for commands: {SSM_COMMANDS}" ) logger.exception(message) return message