chore!: Deprecate python3.6 runtime

Author: baolsen

.github/.pre-commit-config.yaml renamed to .github/DISABLED.pre-commit-config.yaml

@@ -52,19 +52,20 @@ jobs:
       - run: |
           NAME=${{ matrix.name }}
           RUNTIME=${{ matrix.runtime }}
+          DEPLOYMENT=deployment-$NAME-$RUNTIME.zip
           #
           echo NAME=$NAME RUNTIME=$RUNTIME
           #
-          cp $NAME-$RUNTIME.zip $NAME-$RUNTIME.zip_original
+          cp $DEPLOYMENT ${DEPLOYMENT}_original
           cd $NAME
-          zip -r ../$NAME-$RUNTIME.zip .
+          zip -r ../$DEPLOYMENT .
           cd ..
           #
           # Compare length and names of files in Zip.
           # Building in Docker doesn't work, some files are still different.
-          [[ -f $NAME-$RUNTIME.zip ]] || { echo "Deployment file not found."; exit 1; }
+          [[ -f $DEPLOYMENT ]] || { echo "Deployment file not found."; exit 1; }
           diff \
-            <(unzip -vqq $NAME-$RUNTIME.zip  | awk '{$2=""; $3=""; $4=""; $5=""; $6=""; print}' | sort -k3 -f) \
-            <(unzip -vqq $NAME-$RUNTIME.zip_original  | awk '{$2=""; $3=""; $4=""; $5=""; $6=""; print}' | sort -k3 -f)
+            <(unzip -vqq $DEPLOYMENT  | awk '{$2=""; $3=""; $4=""; $5=""; $6=""; print}' | sort -k3 -f) \
+            <(unzip -vqq ${DEPLOYMENT}_original  | awk '{$2=""; $3=""; $4=""; $5=""; $6=""; print}' | sort -k3 -f)
           FILES_CHANGED=$?
           echo FILES_CHANGED=$FILES_CHANGED

.github/workflows/check-deployments.yml

@@ -59,7 +59,7 @@ jobs:
         if: failure()
         run: |
           LOG_FILE=~/.cache/pre-commit/pre-commit.log
-          [ -f $LOG_FILE ] || cat $LOG_FILE
+          [ -f $LOG_FILE ] && cat $LOG_FILE
 
   #--------------------------------------------------------------
   # TESTS

.github/workflows/pre-commit-and-tests.yml

@@ -65,4 +65,4 @@ jobs:
           [[ -z "$TAG_NAME" ]] && { echo "TAG_NAME is empty" ; exit 1; }
           #
           gh config set prompt disabled
-          gh release upload $TAG_NAME *.zip
+          gh release upload $TAG_NAME deployment-*.zip

.github/workflows/release.yml

@@ -14,5 +14,7 @@
 
 ---
 exclude:
-# Add IDs of checks to ignore them
-#  - aws-sns-topic-encryption-use-cmk
+  # Add IDs of checks to ignore them
+  #  - aws-sns-topic-encryption-use-cmk
+  # Without full tracing enabled it is difficult to trace the flow of logs
+  - aws-lambda-enable-tracing

.tfsec-config.yml

@@ -50,7 +50,7 @@ Full contributing [guidelines are covered here](.github/contributing.md).
 | <a name="input_included_accounts"></a> [included\_accounts](#input\_included\_accounts) | List of accounts that be scanned to manual actions. If empty will scan all accounts. | `list(string)` | `[]` | no |
 | <a name="input_included_users"></a> [included\_users](#input\_included\_users) | List of emails that be scanned to manual actions. If empty will scan all emails. | `list(string)` | `[]` | no |
 | <a name="input_lambda_memory_size"></a> [lambda\_memory\_size](#input\_lambda\_memory\_size) | The amount of memory for Lambda to use | `number` | `"128"` | no |
-| <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | The lambda runtime to use | `string` | `"python3.8"` | no |
+| <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | The lambda runtime to use. One of: `["python3.9", "python3.8", "python3.7"]` | `string` | `"python3.8"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days to keep CloudWatch logs | `number` | `14` | no |
 | <a name="input_message_format"></a> [message\_format](#input\_message\_format) | Where do you want to send this message? slack or msteams | `string` | `"slack"` | no |
 | <a name="input_naming_prefix"></a> [naming\_prefix](#input\_naming\_prefix) | Resources will be prefixed with this | `string` | `"clickops-notifier"` | no |

README.md

@@ -11,15 +11,16 @@ NAME=$1
 LAMBDA_RUNTIME=$2
 echo "*** NAME=$NAME  LAMBDA_RUNTIME=$LAMBDA_RUNTIME "
 
-DEPLOYMENT_FILE=$NAME-$LAMBDA_RUNTIME.zip
+DEPLOYMENT_FILE=deployment-$NAME-$LAMBDA_RUNTIME.zip
+
+[[ -d $DEPLOYMENT_FILE ]] && rm -f $DEPLOYMENT_FILE
 
 cd $NAME
 
 [[ -d .package ]] && rm -rf .package
-[[ -d $DEPLOYMENT_FILE ]] && rm -f $DEPLOYMENT_FILE
 
 # Build requirements in Lambda environment
-docker run -v "$PWD":/var/task "public.ecr.aws/sam/build-$LAMBDA_RUNTIME" /bin/sh -c "pip install -r requirements.txt -t .package; exit"
+docker run --platform linux/amd64 -v "$PWD":/var/task "public.ecr.aws/sam/build-$LAMBDA_RUNTIME" /bin/sh -c "pip install -r requirements.txt -t .package; exit"
 
 # Create deployment package
 echo "*** Adding requirements to $DEPLOYMENT_FILE"

build_one.sh

@@ -1,9 +1,5 @@
 {
   "include": [
-    {
-      "name": "clickopsnotifier",
-      "runtime": "python3.6"
-    },
     {
       "name": "clickopsnotifier",
       "runtime": "python3.7"

build_targets.json

@@ -7,27 +7,31 @@
 import base64
 import os
 from typing import Tuple
+import logging
 
 from clickops import ClickOpsEventChecker, CloudTrailEvent
 from messenger import Messenger
 from delivery_stream import DeliveryStream
 
-s3 = boto3.client("s3")
-ssm = boto3.client("ssm")
+logger = logging.getLogger("clickopsnotifier")
+LOG_LEVEL = os.environ.get("LOG_LEVEL", "INFO")
+logger.setLevel(LOG_LEVEL)
 
-WEBHOOK_PARAMETER = os.environ["WEBHOOK_PARAMETER"]
-EXCLUDED_ACCOUNTS = json.loads(os.environ["EXCLUDED_ACCOUNTS"])
-INCLUDED_ACCOUNTS = json.loads(os.environ["INCLUDED_ACCOUNTS"])
-EXCLUDED_USERS = json.loads(os.environ["EXCLUDED_USERS"])
-INCLUDED_USERS = json.loads(os.environ["INCLUDED_USERS"])
-EXCLUDED_SCOPED_ACTIONS = json.loads(os.environ["EXCLUDED_SCOPED_ACTIONS"])
-MESSAGE_FORMAT = os.environ["MESSAGE_FORMAT"]
-LOG_LEVEL = os.environ["LOG_LEVEL"]
+WEBHOOK_PARAMETER = os.environ.get("WEBHOOK_PARAMETER", "")
+EXCLUDED_ACCOUNTS = json.loads(os.environ.get("EXCLUDED_ACCOUNTS", "[]"))
+INCLUDED_ACCOUNTS = json.loads(os.environ.get("INCLUDED_ACCOUNTS", "[]"))
+EXCLUDED_USERS = json.loads(os.environ.get("EXCLUDED_USERS", "[]"))
+INCLUDED_USERS = json.loads(os.environ.get("INCLUDED_USERS", "[]"))
+EXCLUDED_SCOPED_ACTIONS = json.loads(os.environ.get("EXCLUDED_SCOPED_ACTIONS", "[]"))
+MESSAGE_FORMAT = os.environ.get("MESSAGE_FORMAT", "slack")
 
 FIREHOSE_DELIVERY_STREAM_NAME = os.environ.get("FIREHOSE_DELIVERY_STREAM_NAME")
 if FIREHOSE_DELIVERY_STREAM_NAME == "__NONE__":
     FIREHOSE_DELIVERY_STREAM_NAME = None
 
+s3 = boto3.client("s3")
+ssm = boto3.client("ssm")
+
 WEBHOOK_URL = None
 
 
@@ -91,6 +95,9 @@ def handler_organizational(event, context) -> None:  # noqa: C901
     :return: None
     """
 
+    if event is None:
+        raise KeyError("event is None")
+
     webhook_url = get_webhook()
 
     messenger = Messenger(format=MESSAGE_FORMAT, webhook=webhook_url)
@@ -104,7 +111,6 @@ def handler_organizational(event, context) -> None:  # noqa: C901
         records = s3_events.get("Records", [])
 
         for record in records:
-
             # Get the object from the event and show its content type
             bucket = record["s3"]["bucket"]["name"]
             key = urllib.parse.unquote_plus(
@@ -127,7 +133,6 @@ def handler_organizational(event, context) -> None:  # noqa: C901
                 event_json = json.load(fh)
 
                 for event in event_json["Records"]:
-
                     event_origin = f"{bucket}/{key}"
 
                     success = success and __handle_event(
@@ -146,6 +151,8 @@ def handler_organizational(event, context) -> None:  # noqa: C901
 
 
 def handler_standalone(event, context) -> None:
+    if event is None:
+        raise KeyError("event is None")
 
     webhook_url = get_webhook()
 
@@ -161,7 +168,6 @@ def handler_standalone(event, context) -> None:
 
     success = True
     for e in event_json["logEvents"]:
-
         event_origin = (
             event_json["logGroup"]
             + ":"