Merge branch 'main' into add_wait

Author: kcantrel

Management-Utilities/auto_set_fsxn_auto_grow/README.md

@@ -27,6 +27,7 @@ The Lambda function doesn't leverage that many AWS services, so only a few permi
 | Allow:logs:CreateLogGroup | arn:aws:logs:<LAMBDA_REGION>:<ACCOUNT_ID>:* | This is required so you can get logs from the Lambda function. |
 | Allow:logs:CreateLogStream<BR>Allow:logs:PutLogEvents | arn:aws:logs:<LAMBDA_REGION>:<ACCOUNT_ID>:/aws/lambda/<LAMBDA_FUNCTION_NAME>:* | This is required so you can get logs from the Lambda function. |
 | Allow:secretsmanager:GetSecretValue | <ARN_OF_SECRET_WITHIN_SECRETS_MANAGER> | This is required so the Lambda function can get the credentials for the FSxN file system. |
+| Allow:dynamodb:Scan | <ARN_OF_DYNAMODB_TABLE> | This is optional, depending on if you put your secretsTable in a DynamoDB. |
 | Allow:fsx:DescribeFileSystems<BR>Allow:fsx:DescribeVolumes | * | You can't limit these API. They are required to get information regarding the file system and volumes. |
 | Allow:ec2:CreateNetworkInterface<BR>Allow:ec2:DeleteNetworkInterface<BR>Allow:ec2:DescribeNetworkInterfaces | * | Since the Lambda function is going to run within your VPC, it has to be able to create a network interface to communicate with the FSxn file system API. |
 
@@ -40,6 +41,7 @@ FSxN file system is attached to.
 
 - FSx
 - SecretsManager
+- DynamoDB - You only need this one if you are going to store you secrtsTable in DynamoDB. It can be a Gateway endpoint.
 
 ### Create the Lambda Function
 Create a Lambda function with the following parameters:
@@ -60,6 +62,12 @@ is a dictionary with the following keys:
     - secretName - The name of the secret in Secrets Manager.
     - usernameKey - The name of the key in the secret that contains the username.
     - passwordKey - The name of the key in the secret that contains the password.
+
+    **NOTE:** Instead of defining the secretsTable in the script, you can define
+dynamodbSecretsTableName and dynamodbRegion and the script will read in the
+secretsTable information from the specified DynamoDB table. The table should have
+the same fields as the secretsTable defined above.
+
 - secretsManagerRegion - Defines the region where your secrets are stored.
 - autoSizeMode - Defines the auto size mode you want to set the volume to. Valid values are:
     - grow - The volume will automatically grow when it reaches the grow threshold.

Management-Utilities/auto_set_fsxn_auto_grow/set_fsxn_volume_auto_grow.py

@@ -33,12 +33,21 @@
 # a different secret and/or keys for the username and password for each
 # of the FSxId.
 secretsTable = [
-        {"id": "fs-0e8d9172fa5XXXXXX", "secretName": "fsxn-credentials", "usernameKey": "fsxn-username", "passwordKey": "fsxn-password"},
-        {"id": "fs-020de2687bdXXXXXX", "secretName": "fsxn-credentials", "usernameKey": "fsxn-username", "passwordKey": "fsxn-password"},
-        {"id": "fs-07bcb7ad84aXXXXXX", "secretName": "fsxn-credentials", "usernameKey": "fsxn-username", "passwordKey": "fsxn-password"},
-        {"id": "fs-077b5ff4195XXXXXX", "secretName": "fsxn-credentials", "usernameKey": "fsxn-username", "passwordKey": "fsxn-password"}
+        {"fsxId": "fs-0e8d9172fa5XXXXXX", "secretName": "fsxn-credentials", "usernameKey": "fsxn-username", "passwordKey": "fsxn-password"},
+        {"fsxId": "fs-020de2687bdXXXXXX", "secretName": "fsxn-credentials", "usernameKey": "fsxn-username", "passwordKey": "fsxn-password"},
+        {"fsxId": "fs-07bcb7ad84aXXXXXX", "secretName": "fsxn-credentials", "usernameKey": "fsxn-username", "passwordKey": "fsxn-password"},
+        {"fsxId": "fs-077b5ff4195XXXXXX", "secretName": "fsxn-credentials", "usernameKey": "fsxn-username", "passwordKey": "fsxn-password"}
     ]
 #
+# If you don't want to define the secretsTable in this script, you can
+# define the following variables to use a DynamoDB table to get the
+# secret information.
+#
+# NOTE: If both the secretsTable, and dynamodbSecretsTableName are defined,
+# then the secretsTable will be used.
+#dynamodbRegion="us-west-2"
+#dynamodbSecretsTableName="fsx_secrets"
+#
 # Set the region where the secrets are stored.
 secretsManagerRegion="us-west-2"
 #
@@ -77,9 +86,10 @@
 # find the credentials.
 ################################################################################
 def getCredentials(secretsManagerClient, fsxnId):
+    global secretsTable
 
     for secretItem in secretsTable:
-        if secretItem['id'] == fsxnId:
+        if secretItem['fsxId'] == fsxnId:
             secretsInfo = secretsManagerClient.get_secret_value(SecretId=secretItem['secretName'])
             secrets = json.loads(secretsInfo['SecretString'])
             username = secrets[secretItem['usernameKey']]
@@ -113,7 +123,7 @@ def getVolumeData(fsxClient, volumeId, volumeARN):
 ################################################################################
 def lambda_handler(event, context):
 
-    global logger
+    global logger, secretsTable
     #
     # Set up "logging" to appropriately display messages. It can be set it up
     # to send messages to a syslog server.
@@ -138,6 +148,19 @@ def lambda_handler(event, context):
     retries = Retry(total=None, connect=1, read=1, redirect=10, status=0, other=0)  # pylint: disable=E1123
     http = urllib3.PoolManager(cert_reqs='CERT_NONE', retries=retries)
     #
+    # Read in the secretTable if it is not already defined.
+    if 'dynamodbRegion' in globals():
+        dynamodbClient = boto3.resource("dynamodb", region_name=dynamodbRegion) # pylint: disable=E0602
+
+    if 'secretsTable' not in globals():
+        if 'dynamodbRegion' not in globals() or 'dynamodbSecretsTableName' not in globals():
+            raise Exception('Error, you must either define the secretsTable array at the top of this script, or define dynamodbRegion and dynamodbSecretsTableName.')
+
+        table = dynamodbClient.Table(dynamodbSecretsTableName) # pylint: disable=E0602
+
+        response = table.scan()
+        secretsTable = response["Items"]
+    #
     # Get the FSxN ID, region, volume name, volume ID, and volume ARN from the CloudWatch event.
     fsxId      = event['detail']['responseElements']['volume']['fileSystemId']
     regionName = event['detail']['awsRegion']