<#
# This module includes utility functions that are based on
#
# the AWSPowerShell module and AWSSDK to provide help administering
#
# relevant tasks for AWS lambda functions.
#>
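<#
.SYNOPSIS
Get an extended set of data on one AWS Lambda function.
.DESCRIPTION
Resolves the function by exact name, then reads its configuration and its
resource policy and returns one PSCustomObject with: Name, Handler,
LatestUpdate, Runtime, TracingConfig, TraceMode, LambdaSize, PolicyLevel
(Effect of the first policy statement), PolicyType (Service principal of the
first statement) and FunctionState (HTTP status of the configuration call).
.PARAMETER accessKey
Optional access key id. Only used when this call imports the module and
accessSecret is also given; the pair is then persisted to the local AWS
credential store as profile "credsaws".
.PARAMETER accessSecret
Optional secret access key, see accessKey.
.PARAMETER LambdaName
Exact name of the function to look up.
.OUTPUTS
PSCustomObject described above. A terminating error is raised when the
module is missing, the function is not found, or an AWS call fails.
#>
Function Get-AWSLmbds {
param([string]$accessKey,[string]$accessSecret,[string]$LambdaName)
# Look the module up by name instead of a hard-coded version directory.
if (-not (Get-Module -ListAvailable -Name AWSPowerShell)) {
throw "Path with module N/A, exiting."
}
if ($null -eq (Get-Module -Name AWSPowerShell)) {
Import-Module AWSPowerShell -Force -ErrorAction Stop
# NOTE: -StoreAs writes the long-lived key pair to the SDK credential
# store on disk; prefer an existing profile or role and omit the keys.
if ($accessKey -and $accessSecret) {
Set-AWSCredential -AccessKey $accessKey -SecretKey $accessSecret -StoreAs "credsaws"
Initialize-AWSDefaultConfiguration -ProfileName credsaws -Region (Get-DefaultAWSRegion)
}
}
Try {
$creds = Get-AWSCredential
$region = Get-DefaultAWSRegion
# The list is filtered client-side on the exact function name.
$lmfunc = Get-LMFunctionList -Credential $creds -Region $region -ErrorAction Stop |
Where-Object { $_.FunctionName -eq $LambdaName }
if ($null -eq $lmfunc) {
throw "Lambda function '$LambdaName' was not found."
}
$lmconfigInfo = Get-LMFunctionConfiguration -Credential $creds -Region $region -FunctionName $lmfunc.FunctionName -ErrorAction Stop
# A function without a resource policy makes Get-LMPolicy fail; report
# that as "no statements" instead of failing the whole lookup.
$lmpolicyInfo = @()
Try {
$policyDoc = (Get-LMPolicy -Credential $creds -Region $region -FunctionName $lmfunc.FunctionName -ErrorAction Stop).Policy
$lmpolicyInfo = @(($policyDoc | ConvertFrom-Json -ErrorAction Stop).Statement)
} Catch {
Write-Verbose "No resource policy readable for '$LambdaName': $($_.Exception.Message)"
}
$LmbdInfoOut = [PSCustomObject]@{
# Basic function information.
Name = $lmconfigInfo.FunctionName
Handler = $lmconfigInfo.Handler
LatestUpdate = (($lmconfigInfo.LastModified) -replace "T" , " " -replace "\+0000", "")
# Extended config information.
Runtime = $lmconfigInfo.Runtime
TracingConfig = $lmconfigInfo.TracingConfig
TraceMode = $lmconfigInfo.TracingConfig.Mode
LambdaSize = $lmconfigInfo.CodeSize
# Policy function information (first statement only, as before).
PolicyLevel = ($lmpolicyInfo.Effect | Select-Object -First 1)
PolicyType = ($lmpolicyInfo.Principal | Select-Object -First 1).Service
FunctionState = $lmconfigInfo.HttpStatusCode
}
}
Catch {
return Write-Error "Exception occured while retrieving info. Error Information - $($_.Exception.Message)" -ErrorAction Stop
}
return $LmbdInfoOut
}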
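<#
.SYNOPSIS
Check whether an API Gateway resource has any HTTP methods configured.
.DESCRIPTION
Filters the supplied resource objects on PathPart and returns $true when at
least one matching resource carries a non-empty ResourceMethods collection.
Resources may be passed by parameter or streamed through the pipeline; all
pipeline items are collected before the check so a match in an earlier item
is not lost when a later item does not match.
.PARAMETER ApiGatewayRest
The resource objects (e.g. the output of Get-AGResourceList) to check.
.PARAMETER resPathName
The PathPart of the resource whose methods are checked.
.OUTPUTS
System.Boolean
#>
Function Test-AWSMethodsExist {
[CmdletBinding()]
param(
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[PSCustomObject[]]$ApiGatewayRest,
[string]$resPathName
)
Begin { $matched = @() }
Process {
# Accumulate across pipeline items instead of overwriting per item.
$matched += @($ApiGatewayRest | Where-Object { $_.PathPart -eq $resPathName })
}
End {
foreach ($res in $matched) {
if ($null -ne $res.ResourceMethods -and $res.ResourceMethods.Count -ne 0) {
return $true
}
}
return $false
}
}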
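<#
.SYNOPSIS
Check whether a Lambda is wired to an API Gateway resource.
.DESCRIPTION
Resolves the REST API by name and the resource by PathPart, verifies the
resource has at least one HTTP method, then reads the integration for the
given method and returns $true when its URI contains the Lambda name.
Returns $false (and writes a non-terminating error) when the API, the
resource or its methods cannot be found.
.PARAMETER LambdaPart
The name (or a distinctive part of the name) of the Lambda to look for.
.PARAMETER AgResEndPointName
The name of the REST API used for the check.
.PARAMETER AgResName
The PathPart of the resource on the REST API.
.PARAMETER HttpMethod
The method whose integration is inspected; defaults to GET as before.
.OUTPUTS
System.Boolean
#>
Function Test-AWSLambdaEnabled {
[CmdletBinding()]
param(
[Parameter(Mandatory=$true,Position=0)]
[string]$LambdaPart,
[string]$AgResEndPointName,
[string]$AgResName,
[string]$HttpMethod = "GET"
)
$region = Get-DefaultAWSRegion
$endpointId = (Get-AGRestApiList -Region $region | Where-Object { $_.Name -eq $AgResEndPointName }).Id
if (-not $endpointId) {
Write-Error "REST API '$AgResEndPointName' not found."
return $false
}
# Keep the whole resource objects: the method check needs PathPart and
# ResourceMethods, not just the Id.
$resources = @(Get-AGResourceList -RestApiId $endpointId -Region $region |
Where-Object { $_.Path -ne "/" -and $null -ne $_.PathPart -and $_.PathPart -eq $AgResName })
if ($resources.Count -eq 0) {
Write-Error "Resource '$AgResName' not found on REST API '$AgResEndPointName'."
return $false
}
# Error when there are NO methods (the previous check was inverted).
if (-not (Test-AWSMethodsExist -ApiGatewayRest $resources -resPathName $AgResName)) {
Write-Error "EndPoint setup does not include any http methods"
return $false
}
$integration = Get-AGIntegration -HttpMethod $HttpMethod -RestApiId $endpointId -ResourceId $resources[0].Id
return ($integration.Uri -ilike "*$LambdaPart*")
}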
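<#
.SYNOPSIS
Call a Lambda through its API Gateway execute-api URL.
.DESCRIPTION
Checks that the resource on the REST API is integrated with the given Lambda
and that a direct invocation returns status 200, then requests the stage
URL and returns the JSON response converted to an object. When any step
fails, the error record is written to ErrorLogPath and the content of
FallbackUri is returned instead.
.PARAMETER RestEndPointName
The name of the REST API that hosts the function.
.PARAMETER AGWStageName
The deployment stage name on the gateway.
.PARAMETER AGWResourceName
The PathPart of the resource on the gateway.
.PARAMETER LmbdName
The name of the Lambda associated with the resource.
.PARAMETER FallbackUri
URL of the static JSON document returned when the call fails. The default
is the placeholder that was previously hard-coded; set it per deployment.
.PARAMETER ErrorLogPath
File the failing error record is written to (overwritten on each failure).
.OUTPUTS
The parsed JSON response, or an object with an ErrorContent property when
the Lambda is not wired to the endpoint or is in an error state.
#>
Function Invoke-AWSLambdaEndPoint {
param (
[string]$RestEndPointName,
[string]$AGWstageName,
[string]$AGWResourceName,
[string]$LmbdName,
[string]$FallbackUri = "https://xxxxxx.s3-xxxx.amazonaws.com/xxxxxx/data.json",
[string]$ErrorLogPath = ".\error-awslambda.log"
)
$response = $null
Try {
if (-not (Test-AWSLambdaEnabled -LambdaPart $LmbdName -AgResEndPointName $RestEndPointName -AgResName $AGWResourceName)) {
return [PSCustomObject]@{ ErrorContent = 'Function not included in the endpoint.' }
}
# NOTE: this executes the Lambda once as a health probe before the HTTP
# call below runs it again; it costs an invocation and triggers side effects.
$lmbdres = Invoke-LMFunction -FunctionName $LmbdName
if ($lmbdres.StatusCode -ne 200) {
return [PSCustomObject]@{ ErrorContent = 'Function is in an error state.' }
}
$region = Get-DefaultAWSRegion
$awsEpId = (Get-AGRestApiList -Region $region | Where-Object { $_.Name -eq $RestEndPointName }).Id
$resapigate = Get-AGResourceList -RestApiId $awsEpId -Region $region |
Where-Object { $_.Path -ne "/" -and $null -ne $_.PathPart -and $_.PathPart -eq $AGWResourceName }
# The execute-api host must be in the region the API id was resolved in,
# not a fixed us-west lookup.
$apiurl = "https://{0}.execute-api.{1}.amazonaws.com/{2}/{3}" -f $awsEpId, $region.Region, $AGWstageName, ("$($resapigate.PathPart)".Trim())
# Take the raw body so the final ConvertFrom-Json sees text on both paths;
# -UseDefaultCredentials is dropped: execute-api does not use Windows auth.
$response = (Invoke-WebRequest -Uri $apiurl -UseBasicParsing).Content
}
Catch {
# Best effort: record the failure and serve the static dataset instead.
Write-Host "Failed to properly invoke function, getting default bucket response."
$_ | Out-File -FilePath $ErrorLogPath
$response = (Invoke-WebRequest -Uri $FallbackUri -UseBasicParsing).Content
}
return ($response | ConvertFrom-Json)
}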
<#
.SYNOPSIS
Check whether a Lambda has a VPC configuration.
.DESCRIPTION
Reads the function configuration with the current shell credentials and
returns $true when its VpcConfig property is not null.
NOTE(review): a non-null VpcConfig with empty subnet/security-group lists
would still count as configured - confirm that is the intended meaning.
.PARAMETER LambdaName
Name of the function to check.
.OUTPUTS
System.Boolean
#>
Function Test-AWSVpcCfg {
param(
[string]$LambdaName
)
$cfg = Get-LMFunctionConfiguration -Credential (Get-AWSCredential) -FunctionName $LambdaName
return ($null -ne $cfg.VpcConfig)
}
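<#
.SYNOPSIS
Check whether a Lambda's resource policy grants an S3 service principal.
.DESCRIPTION
Reads the function's resource policy and returns $true when any statement
has a Service principal whose name contains "s3". Returns $false when the
function has no resource policy at all.
NOTE: the match is a substring test, so it does not distinguish which
statements or actions the S3 principal is allowed.
.PARAMETER LambdaName
Name of the function to check.
.OUTPUTS
System.Boolean
#>
Function Test-S3Enabled {
param(
[string]$LambdaName
)
Try {
$lambdapol = Get-LMPolicy -Credential (Get-AWSCredential) -FunctionName $LambdaName -Region (Get-DefaultAWSRegion) -ErrorAction Stop
} Catch {
# No resource policy means nothing can be granted to S3.
return $false
}
$policy = $lambdapol.Policy | ConvertFrom-Json
$s3Principals = @($policy.Statement.Principal.Service | Where-Object { $_ -ilike "*s3*" })
# @(...).Count rather than .Length: on a single string .Length is the string length.
return ($s3Principals.Count -ne 0)
}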