- aws_cdk.core.Stack(aws_cdk.core.Construct)
    - SechubBatchUpdateStack

class SechubBatchUpdateStack(aws_cdk.core.Stack)
SechubBatchUpdateStack(*args: Any, **kwargs) -> Any
Creates a stack that deploys automated suppression of Security Hub findings.
account_numbers_parameter: CloudFormation parameter taking a comma-separated list of the account numbers to which the Security Hub suppression applies
generator_ids_parameter: CloudFormation parameter taking the Security Hub generator IDs whose findings are to be suppressed
Together these two parameters bound which findings the stack is allowed to suppress.
The stack creates the following resources.
batch_lambda: Lambda function that invokes the Security Hub batch_update_findings API
batch_lambda_role: IAM role assumed by the Lambda function to suppress Security Hub findings
queue: Encrypted SQS queue that batches the Security Hub findings to be suppressed; its target is batch_lambda
dead_letter_queue: Encrypted SQS dead-letter queue holding the findings that the Lambda function could not process
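The Lambda side of the pipeline described above, as an added example that is not the project's own code. It assumes each SQS record body is the `detail` of a Security Hub EventBridge event (`{"findings": [...]}`), that the two CloudFormation parameters reach the function as the environment variables `ACCOUNT_NUMBERS` and `GENERATOR_IDS`, and it uses a constructed stand-in for the boto3 `securityhub` client so it runs offline. The point it shows is that the account and generator-ID allowlists are the only thing stopping the role from suppressing arbitrary findings, and that leaving `UnprocessedFindings` unhandled is what feeds the dead-letter queue.

```python
"""Added example (not the project's code): the SQS-triggered Lambda implied by the
batch_lambda, batch_lambda_role, queue and dead_letter_queue resources above.
Assumed: each SQS record body is the `detail` of a Security Hub EventBridge event
({"findings": [...]}) and the two CloudFormation parameters reach the function as
the environment variables ACCOUNT_NUMBERS and GENERATOR_IDS."""
import json
import os
from typing import Any, Dict, Iterable, List, Set

BATCH_SIZE = 100  # BatchUpdateFindings accepts at most 100 identifiers per call


def parse_allowlist(value: str) -> Set[str]:
    """Comma-separated parameter value -> set, ignoring blanks and whitespace."""
    return {v.strip() for v in value.split(",") if v.strip()}


def select_findings(findings: Iterable[Dict[str, Any]], accounts: Set[str],
                    generators: Set[str]) -> List[Dict[str, str]]:
    """Identifiers of findings whose AwsAccountId AND GeneratorId are allowlisted.
    Everything else is skipped, never suppressed: the role can update any finding
    in the region, so this filter is the control that bounds the suppression."""
    return [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings
            if f.get("AwsAccountId") in accounts and f.get("GeneratorId") in generators]


def suppress(client, identifiers: List[Dict[str, str]], note: str) -> int:
    """Set Workflow.Status=SUPPRESSED in chunks; return the ProcessedFindings count.
    Any UnprocessedFindings raise, so SQS retries the message and, after the
    redrive policy's maxReceiveCount, moves it to the dead-letter queue."""
    done = 0
    for i in range(0, len(identifiers), BATCH_SIZE):
        resp = client.batch_update_findings(
            FindingIdentifiers=identifiers[i:i + BATCH_SIZE],
            Workflow={"Status": "SUPPRESSED"},
            Note={"Text": note, "UpdatedBy": "sechub-batch-update"})
        failed = resp.get("UnprocessedFindings", [])
        if failed:
            raise RuntimeError(f"{len(failed)} finding(s) not suppressed, first error: "
                               f"{failed[0].get('ErrorCode')}")
        done += len(resp.get("ProcessedFindings", []))
    return done


def handler(event: Dict[str, Any], context: Any = None, client=None) -> Dict[str, int]:
    """SQS batch entry point; `client` is injectable so the logic runs offline."""
    if client is None:
        import boto3  # only needed inside the real Lambda
        client = boto3.client("securityhub")
    accounts = parse_allowlist(os.environ.get("ACCOUNT_NUMBERS", ""))
    generators = parse_allowlist(os.environ.get("GENERATOR_IDS", ""))
    findings: List[Dict[str, Any]] = []
    for record in event.get("Records", []):
        findings.extend(json.loads(record["body"]).get("findings", []))
    selected = select_findings(findings, accounts, generators)
    done = suppress(client, selected, "Suppressed by SechubBatchUpdateStack") if selected else 0
    return {"received": len(findings), "suppressed": done, "skipped": len(findings) - len(selected)}


class FakeSecurityHub:
    """Constructed stand-in for boto3's securityhub client: records every call and
    rejects identifiers whose Id contains "missing" to exercise the retry/DLQ path."""
    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def batch_update_findings(self, **kwargs):
        self.calls.append(kwargs)
        ids = kwargs["FindingIdentifiers"]
        bad = [i for i in ids if "missing" in i["Id"]]
        return {"ProcessedFindings": [i for i in ids if i not in bad],
                "UnprocessedFindings": [{"FindingIdentifier": b, "ErrorCode": "FindingNotFound",
                                         "ErrorMessage": "constructed"} for b in bad]}


def demo() -> Dict[str, int]:
    """Constructed event: two in-scope findings, one from a non-allowlisted account,
    one from an out-of-scope generator. Only the first two get suppressed."""
    gen = "aws-foundational-security-best-practices/v/1.0.0/S3.9"  # constructed
    os.environ["ACCOUNT_NUMBERS"] = "111111111111, 222222222222"
    os.environ["GENERATOR_IDS"] = gen
    product = "arn:aws:securityhub:us-east-1::product/aws/securityhub"
    rows = [("f-1", "111111111111", gen), ("f-2", "222222222222", gen),
            ("f-3", "333333333333", gen), ("f-4", "111111111111", "other/v/1.0.0/X.1")]
    body = {"findings": [{"Id": i, "ProductArn": product, "AwsAccountId": a, "GeneratorId": g}
                         for i, a, g in rows]}
    return handler({"Records": [{"body": json.dumps(body)}]}, None, FakeSecurityHub())


if __name__ == "__main__":
    print(demo())  # {'received': 4, 'suppressed': 2, 'skipped': 2}
```

Raising on any unprocessed finding means the whole SQS batch is redelivered, so findings that were already suppressed in the same batch get suppressed again; that is harmless because `BatchUpdateFindings` is idempotent for a workflow status, and it keeps the failure visible in the dead-letter queue instead of silently dropping it.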
- Method resolution order:
- SechubBatchUpdateStack
- aws_cdk.core.Stack
- aws_cdk.core.Construct
- constructs.Construct
- builtins.object
Methods defined here:
- __init__(self, scope: aws_cdk.core.Construct, construct_id: str, **kwargs) -> None
- Creates a new stack.
:param scope: Parent of this stack, usually an ``App`` or a ``Stage``, but could be any construct.
:param construct_id: The construct ID of this stack. If ``stack_name`` is not explicitly defined, this ID (and any parent IDs) will be used to determine the physical ID of the stack.
:param analytics_reporting: Include runtime versioning information in this Stack. Default: ``analyticsReporting`` setting of containing ``App``, or value of 'aws:cdk:version-reporting' context key
:param description: A description of the stack. Default: - No description.
:param env: The AWS environment (account/region) where this stack will be deployed. Set the ``region``/``account`` fields of ``env`` either to a concrete value to select the indicated environment (recommended for production stacks), or to the values of the environment variables ``CDK_DEFAULT_REGION``/``CDK_DEFAULT_ACCOUNT`` to let the target environment depend on the AWS credentials/configuration that the CDK CLI is executed under (recommended for development stacks). If the ``Stack`` is instantiated inside a ``Stage``, any undefined ``region``/``account`` fields from ``env`` will default to the same field on the encompassing ``Stage``, if configured there. If either ``region`` or ``account`` is neither set nor inherited from ``Stage``, the Stack will be considered "*environment-agnostic*". Environment-agnostic stacks can be deployed to any environment but may not be able to take advantage of all features of the CDK. For example, they will not be able to use environmental context lookups such as ``ec2.Vpc.fromLookup`` and will not automatically translate Service Principals to the right format based on the environment's AWS partition, and other such enhancements. Default: - The environment of the containing ``Stage`` if available, otherwise the stack will be environment-agnostic.
:param stack_name: Name to deploy the stack with. Default: - Derived from construct path.
:param synthesizer: Synthesis method to use while deploying this stack. Default: - ``DefaultStackSynthesizer`` if the ``@aws-cdk/core:newStyleStackSynthesis`` feature flag is set, ``LegacyStackSynthesizer`` otherwise.
:param tags: Stack tags that will be applied to all the taggable resources and the stack itself. Default: {}
:param termination_protection: Whether to enable termination protection for this stack. Default: false
- create_dependencies_layer(self, id: str, requirements_path: str, output_dir: str) -> aws_cdk.aws_lambda.LayerVersion
Methods inherited from aws_cdk.core.Stack:
- add_dependency(self, target: 'Stack', reason: Optional[str] = None) -> None
- Add a dependency between this stack and another stack.
This can be used to define dependencies between any two stacks within an
app, and also supports nested stacks.
:param target: -
:param reason: -
- add_docker_image_asset(self, *, source_hash: str, directory_name: Optional[str] = None, docker_build_args: Optional[Mapping[str, str]] = None, docker_build_target: Optional[str] = None, docker_file: Optional[str] = None, executable: Optional[Sequence[str]] = None, repository_name: Optional[str] = None) -> aws_cdk.core.DockerImageAssetLocation
- (deprecated) Register a docker image asset on this Stack.
:param source_hash: The hash of the contents of the docker build context. This hash is used throughout the system to identify this image and avoid duplicate work in case the source did not change. NOTE: this means that if you wish to update your docker image, you must make a modification to the source (e.g. add some metadata to your Dockerfile).
:param directory_name: The directory where the Dockerfile is stored, must be relative to the cloud assembly root. Default: - Exactly one of ``directoryName`` and ``executable`` is required
:param docker_build_args: Build args to pass to the ``docker build`` command. Since Docker build arguments are resolved before deployment, keys and values cannot refer to unresolved tokens (such as ``lambda.functionArn`` or ``queue.queueUrl``). Only allowed when ``directoryName`` is specified. Default: - no build args are passed
:param docker_build_target: Docker target to build to. Only allowed when ``directoryName`` is specified. Default: - no target
:param docker_file: Path to the Dockerfile (relative to the directory). Only allowed when ``directoryName`` is specified. Default: - no file
:param executable: An external command that will produce the packaged asset. The command should produce the name of a local Docker image on ``stdout``. Default: - Exactly one of ``directoryName`` and ``executable`` is required
:param repository_name: (deprecated) ECR repository name. Specify this property if you need to statically address the image, e.g. from a Kubernetes Pod. Note, this is only the repository name, without the registry and the tag parts. Default: - automatically derived from the asset's ID.
:deprecated:
Use ``stack.synthesizer.addDockerImageAsset()`` if you are calling,
and a different ``IStackSynthesizer`` class if you are implementing.
:stability: deprecated
- add_file_asset(self, *, source_hash: str, executable: Optional[Sequence[str]] = None, file_name: Optional[str] = None, packaging: Optional[aws_cdk.core.FileAssetPackaging] = None) -> aws_cdk.core.FileAssetLocation
- (deprecated) Register a file asset on this Stack.
:param source_hash: A hash on the content source. This hash is used to uniquely identify this asset throughout the system. If this value doesn't change, the asset will not be rebuilt or republished.
:param executable: An external command that will produce the packaged asset. The command should produce the location of a ZIP file on ``stdout``. Default: - Exactly one of ``fileName`` and ``executable`` is required
:param file_name: The path, relative to the root of the cloud assembly, in which this asset source resides. This can be a path to a file or a directory, depending on the packaging type. Default: - Exactly one of ``fileName`` and ``executable`` is required
:param packaging: Which type of packaging to perform. Default: - Required if ``fileName`` is specified.
:deprecated:
Use ``stack.synthesizer.addFileAsset()`` if you are calling,
and a different IStackSynthesizer class if you are implementing.
:stability: deprecated
- add_transform(self, transform: str) -> None
- Add a Transform to this stack. A Transform is a macro that AWS CloudFormation uses to process your template.
Duplicate values are removed when the stack is synthesized.
:param transform: The transform to add.
:see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-section-structure.html
Example::
    stack.add_transform("AWS::Serverless-2016-10-31")
- export_value(self, exported_value: Any, *, name: Optional[str] = None) -> str
- Create a CloudFormation Export for a value.
Returns a string representing the corresponding ``Fn.importValue()``
expression for this Export. You can control the name for the export by
passing the ``name`` option.
If you don't supply a value for ``name``, the value you're exporting must be
a Resource attribute (for example: ``bucket.bucketName``) and it will be
given the same name as the automatic cross-stack reference that would be created
if you used the attribute in another Stack.
One of the uses for this method is to *remove* the relationship between
two Stacks established by automatic cross-stack references. It will
temporarily ensure that the CloudFormation Export still exists while you
remove the reference from the consuming stack. After that, you can remove
the resource and the manual export.
Example
Here is how the process works. Let's say there are two stacks,
``producerStack`` and ``consumerStack``, and ``producerStack`` has a bucket
called ``bucket``, which is referenced by ``consumerStack`` (perhaps because
an AWS Lambda Function writes into it, or something like that).
It is not safe to remove ``producerStack.bucket`` because as the bucket is being
deleted, ``consumerStack`` might still be using it.
Instead, the process takes two deployments:
Deployment 1: break the relationship
- Make sure ``consumerStack`` no longer references ``bucket.bucketName`` (maybe the consumer
stack now uses its own bucket, or it writes to an AWS DynamoDB table, or maybe you just
remove the Lambda Function altogether).
- In the ``ProducerStack`` class, call ``self.export_value(self.bucket.bucket_name)``. This
will make sure the CloudFormation Export continues to exist while the relationship
between the two stacks is being broken.
- Deploy (this will effectively only change the ``consumerStack``, but it's safe to deploy both).
Deployment 2: remove the bucket resource
- You are now free to remove the ``bucket`` resource from ``producerStack``.
- Don't forget to remove the ``exportValue()`` call as well.
- Deploy again (this time only the ``producerStack`` will be changed -- the bucket will be deleted).
:param exported_value: -
:param name: The name of the export to create. Default: - A name is automatically chosen
- format_arn(self, *, resource: str, service: str, account: Optional[str] = None, partition: Optional[str] = None, region: Optional[str] = None, resource_name: Optional[str] = None, sep: Optional[str] = None) -> str
- Creates an ARN from components.
If ``partition``, ``region`` or ``account`` are not specified, the stack's
partition, region and account will be used.
If any component is the empty string, an empty string will be inserted
into the generated ARN at the location that component corresponds to.
The ARN will be formatted as follows:
arn:{partition}:{service}:{region}:{account}:{resource}{sep}{resource-name}
The required ARN pieces that are omitted will be taken from the stack that
the 'scope' is attached to. If all ARN pieces are supplied, the supplied scope
can be 'undefined'.
:param resource: Resource type (e.g. "table", "autoScalingGroup", "certificate"). For some resource types, e.g. S3 buckets, this field defines the bucket name.
:param service: The service namespace that identifies the AWS product (for example, 's3', 'iam', 'codepipeline').
:param account: The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. Note that the ARNs for some resources don't require an account number, so this component might be omitted. Default: The account the stack is deployed to.
:param partition: The partition that the resource is in. For standard AWS regions, the partition is aws. If you have resources in other partitions, the partition is aws-partitionname. For example, the partition for resources in the China (Beijing) region is aws-cn. Default: The AWS partition the stack is deployed to.
:param region: The region the resource resides in. Note that the ARNs for some resources do not require a region, so this component might be omitted. Default: The region the stack is deployed to.
:param resource_name: Resource name or path within the resource (i.e. S3 bucket object key) or a wildcard such as ``"*"``. This is service-dependent.
:param sep: Separator between resource type and the resource. Can be either '/', ':' or an empty string. Will only be used if resourceName is defined. Default: '/'
- get_logical_id(self, element: 'CfnElement') -> str
- Allocates a stack-unique CloudFormation-compatible logical identity for a specific resource.
This method is called when a ``CfnElement`` is created and used to render the
initial logical identity of resources. Logical ID renames are applied at
this stage.
This method uses the protected method ``allocateLogicalId`` to render the
logical ID for an element. To modify the naming scheme, extend the ``Stack``
class and override this method.
:param element: The CloudFormation element for which a logical identity is needed.
- parse_arn(self, arn: str, sep_if_token: Optional[str] = None, has_name: Optional[bool] = None) -> aws_cdk.core.ArnComponents
- Given an ARN, parses it and returns components.
IF THE ARN IS A CONCRETE STRING...
...it will be parsed and validated. If the 6th component contains a '/', the
separator (``sep``) is set to '/', ``resource`` is the part before the first '/'
and ``resourceName`` is the rest. If it does not, ``resource`` is the 6th
component itself, ``sep`` is ':' and ``resourceName`` is made up of the remaining
':'-separated components, if any.
IF THE ARN IS A TOKEN...
...it cannot be validated, since we don't have the actual value yet at the
time of this function call. You will have to supply ``sepIfToken`` and
whether or not ARNs of the expected format usually have resource names
in order to parse it properly. The resulting ``ArnComponents`` object will
contain tokens for the subexpressions of the ARN, not string literals.
If the resource name could possibly contain the separator char, the actual
resource name cannot be properly parsed. This only occurs if the separator
char is '/', and happens for example for S3 object ARNs, IAM Role ARNs,
IAM OIDC Provider ARNs, etc. To properly extract the resource name from a
Tokenized ARN, you must know the resource type and call
``Arn.extractResourceName``.
:param arn: The ARN string to parse.
:param sep_if_token: The separator used to separate resource from resourceName.
:param has_name: Whether there is a name component in the ARN at all. For example, SNS Topics ARNs have the 'resource' component contain the topic name, and no 'resourceName' component.
:return:
an ArnComponents object which allows access to the various
components of the ARN.
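A plain-Python rendering of the rules the ``format_arn`` and ``parse_arn`` docstrings above describe, added here as an example; it is not CDK's own implementation and handles concrete (non-token) ARNs only. Field names follow ``ArnComponents``; the partition, region and account that CDK would take from the stack are explicit arguments here, and ``extract_resource_name`` mirrors the idea behind ``Arn.extractResourceName`` for concrete strings so that an ARN of the wrong resource type is rejected rather than silently parsed.

```python
"""Added example, not CDK's own code: a plain-Python rendering of the rules the
format_arn and parse_arn docstrings above describe, for concrete (non-token) ARNs.
Field names follow ArnComponents; the partition/region/account that CDK would take
from the stack are explicit arguments here."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ArnComponents:
    partition: str
    service: str
    region: str
    account: str
    resource: str
    resource_name: Optional[str] = None
    sep: str = "/"


def format_arn(*, service: str, resource: str, partition: str = "aws", region: str = "",
               account: str = "", resource_name: Optional[str] = None, sep: str = "/") -> str:
    """arn:{partition}:{service}:{region}:{account}:{resource}{sep}{resource_name}
    Empty components are inserted verbatim (IAM has no region, S3 has no account);
    ``sep`` is only used when a resource name is given."""
    if sep not in ("/", ":", ""):
        raise ValueError("sep must be '/', ':' or ''")
    arn = f"arn:{partition}:{service}:{region}:{account}:{resource}"
    return arn if resource_name is None else f"{arn}{sep}{resource_name}"


def parse_arn(arn: str) -> ArnComponents:
    """Split a concrete ARN: if the 6th component holds a '/', sep is '/' and the
    text before the first '/' is the resource; otherwise the 6th component is the
    resource and any further ':'-separated components form the resource name."""
    parts: List[str] = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, sixth, *rest = parts
    if not partition or not service:
        raise ValueError(f"ARN is missing its partition or service: {arn!r}")
    if "/" in sixth:
        resource, name = sixth.split("/", 1)
        sep = "/"
    else:
        resource, name, sep = sixth, None, ("/" if not rest else ":")
    if rest:  # e.g. a Lambda qualifier, or a ':' inside an S3 object key
        name = ":".join(rest) if name is None else f"{name}:{':'.join(rest)}"
    return ArnComponents(partition, service, region, account, resource, name, sep)


def extract_resource_name(arn: str, resource_type: str) -> str:
    """Return the resource name of a concrete ARN, refusing ARNs of another type.
    Worth doing before trusting an ARN from an event or a policy: a caller handing
    you ``role/...`` where a ``user/...`` was expected is rejected here."""
    c = parse_arn(arn)
    if c.resource != resource_type:
        raise ValueError(f"expected resource type {resource_type!r}, got {c.resource!r}")
    if c.resource_name is None:
        raise ValueError(f"ARN has no resource name: {arn!r}")
    return c.resource_name


if __name__ == "__main__":
    # Constructed sample: an IAM role with a path keeps the whole path as its name.
    print(parse_arn("arn:aws:iam::123456789012:role/service-role/MyRole"))
```

Because the resource name is everything after the first ``/``, IAM roles and users with paths round-trip correctly, and a Lambda alias such as ``function:name:PROD`` keeps its ``:``-separated qualifier; the one thing this cannot do is what the docstring warns about for tokens, where the split position is unknown at synthesis time.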
- rename_logical_id(self, old_id: str, new_id: str) -> None
- Rename a generated logical identity.
To modify the naming scheme strategy, extend the ``Stack`` class and
override the ``allocateLogicalId`` method.
:param old_id: -
:param new_id: -
- report_missing_context(self, *, key: str, props: Mapping[str, Any], provider: str) -> None
- (deprecated) DEPRECATED.
:param key: (deprecated) The missing context key.
:param props: (deprecated) A set of provider-specific options. (This is the old untyped definition, which is necessary for backwards compatibility. See cxschema for a type definition.)
:param provider: (deprecated) The provider from which we expect this context key to be obtained. (This is the old untyped definition, which is necessary for backwards compatibility. See cxschema for a type definition.)
:deprecated: use ``reportMissingContextKey()``
:stability: deprecated
- report_missing_context_key(self, *, key: str, props: Union[aws_cdk.cloud_assembly_schema.AmiContextQuery, aws_cdk.cloud_assembly_schema.AvailabilityZonesContextQuery, aws_cdk.cloud_assembly_schema.HostedZoneContextQuery, aws_cdk.cloud_assembly_schema.SSMParameterContextQuery, aws_cdk.cloud_assembly_schema.VpcContextQuery, aws_cdk.cloud_assembly_schema.EndpointServiceAvailabilityZonesContextQuery, aws_cdk.cloud_assembly_schema.LoadBalancerContextQuery, aws_cdk.cloud_assembly_schema.LoadBalancerListenerContextQuery, aws_cdk.cloud_assembly_schema.SecurityGroupContextQuery], provider: aws_cdk.cloud_assembly_schema.ContextProvider) -> None
- Indicate that a context key was expected.
Contains instructions which will be emitted into the cloud assembly on how
the key should be supplied.
:param key: The missing context key.
:param props: A set of provider-specific options.
:param provider: The provider from which we expect this context key to be obtained.
- resolve(self, obj: Any) -> Any
- Resolve a tokenized value in the context of the current stack.
:param obj: -
- to_json_string(self, obj: Any, space: Union[int, float, NoneType] = None) -> str
- Convert an object, potentially containing tokens, to a JSON string.
:param obj: -
:param space: -
Class methods inherited from aws_cdk.core.Stack:
- is_stack(x: Any) -> bool from jsii._runtime.JSIIMeta
- Return whether the given object is a Stack.
We do attribute detection since we can't reliably use 'instanceof'.
:param x: -
- of(construct: constructs.IConstruct) -> 'Stack' from jsii._runtime.JSIIMeta
- Looks up the first stack scope in which ``construct`` is defined.
Fails if there is no stack up the tree.
:param construct: The construct to start the search from.
Readonly properties inherited from aws_cdk.core.Stack:
- account
- The AWS account into which this stack will be deployed.
This value is resolved according to the following rules:
1. The value provided to ``env.account`` when the stack is defined. This can
either be a concrete account (e.g. ``585695031111``) or the
``Aws.accountId`` token.
2. ``Aws.accountId``, which represents the CloudFormation intrinsic reference
``{ "Ref": "AWS::AccountId" }`` encoded as a string token.
Preferably, you should use the return value as an opaque string and not
attempt to parse it to implement your logic. If you do, you must first
check that it is a concrete value and not an unresolved token. If this
value is an unresolved token (``Token.isUnresolved(stack.account)`` returns
``true``), this implies that the user wishes this stack to synthesize
into an **account-agnostic template**. In this case, your code should either
fail (throw an error, or emit a synth error using ``Annotations.of(construct).addError()``) or
implement some other account-agnostic behavior.
- artifact_id
- The ID of the cloud assembly artifact for this stack.
- availability_zones
- Returns the list of AZs that are available in the AWS environment (account/region) associated with this stack.
If the stack is environment-agnostic (either account and/or region are
tokens), this property will return an array with 2 tokens that will resolve
at deploy-time to the first two availability zones returned from CloudFormation's
``Fn::GetAZs`` intrinsic function.
If they are not available in the context, returns a set of dummy values and
reports them as missing, and let the CLI resolve them by calling EC2
``DescribeAvailabilityZones`` on the target environment.
To specify a different strategy for selecting availability zones override this method.
- dependencies
- Return the stacks this stack depends on.
- environment
- The environment coordinates in which this stack is deployed.
In the form
``aws://account/region``. Use ``stack.account`` and ``stack.region`` to obtain
the specific values, no need to parse.
You can use this value to determine if two stacks are targeting the same
environment.
If either ``stack.account`` or ``stack.region`` are not concrete values (e.g.
``Aws.account`` or ``Aws.region``) the special strings ``unknown-account`` and/or
``unknown-region`` will be used respectively to indicate this stack is
region/account-agnostic.
- nested
- Indicates if this is a nested stack, in which case ``parentStack`` will include a reference to its parent.
- nested_stack_parent
- If this is a nested stack, returns its parent stack.
- nested_stack_resource
- If this is a nested stack, this represents its ``AWS::CloudFormation::Stack`` resource.
``undefined`` for top-level (non-nested) stacks.
- notification_arns
- Returns the list of notification Amazon Resource Names (ARNs) for the current stack.
- parent_stack
- (deprecated) Returns the parent of a nested stack.
:deprecated: use ``nestedStackParent``
:stability: deprecated
- partition
- The partition in which this stack is defined.
- region
- The AWS region into which this stack will be deployed (e.g. ``us-west-2``).
This value is resolved according to the following rules:
1. The value provided to ``env.region`` when the stack is defined. This can
either be a concrete region (e.g. ``us-west-2``) or the ``Aws.region``
token.
2. ``Aws.region``, which represents the CloudFormation intrinsic reference
``{ "Ref": "AWS::Region" }`` encoded as a string token.
Preferably, you should use the return value as an opaque string and not
attempt to parse it to implement your logic. If you do, you must first
check that it is a concrete value and not an unresolved token. If this
value is an unresolved token (``Token.isUnresolved(stack.region)`` returns
``true``), this implies that the user wishes this stack to synthesize
into a **region-agnostic template**. In this case, your code should either
fail (throw an error, or emit a synth error using ``Annotations.of(construct).addError()``) or
implement some other region-agnostic behavior.
- stack_id
- The ID of the stack.
Example::
    # After resolving, looks like
    "arn:aws:cloudformation:us-west-2:123456789012:stack/teststack/51af3dc0-da77-11e4-872e-1234567db123"
- stack_name
- The concrete CloudFormation physical stack name.
This is either the name defined explicitly in the ``stackName`` prop or
allocated based on the stack's location in the construct tree. Stacks that
are directly defined under the app use their construct ``id`` as their stack
name. Stacks that are defined deeper within the tree will use a hashed naming
scheme based on the construct path to ensure uniqueness.
If you wish to obtain the deploy-time AWS::StackName intrinsic,
you can use ``Aws.stackName`` directly.
- synthesizer
- Synthesis method for this stack.
- tags
- Tags to be applied to the stack.
- template_file
- The name of the CloudFormation template file emitted to the output directory during synthesis.
Example::
    "MyStack.template.json"
- template_options
- Options for CloudFormation template (like version, transform, description).
- termination_protection
- Whether termination protection is enabled for this stack.
- url_suffix
- The Amazon domain suffix for the region in which this stack is defined.
Data and other attributes inherited from aws_cdk.core.Stack:
- __jsii_ifaces__ = [<class 'constructs.IConstruct'>, <class 'aws_cdk.core.IConstruct'>, <class 'aws_cdk.core.ITaggable'>]
- __jsii_type__ = '@aws-cdk/core.Stack'
Class methods inherited from aws_cdk.core.Construct:
- is_construct(x: Any) -> bool from jsii._runtime.JSIIMeta
- Return whether the given object is a Construct.
:param x: -
Readonly properties inherited from aws_cdk.core.Construct:
- node
- The construct tree node associated with this construct.
Methods inherited from constructs.Construct:
- to_string(self) -> str
- Returns a string representation of this construct.
Data descriptors inherited from constructs.Construct:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)