Search code examples
botoboto3elastic-load-balancerbotocore

AWS Boto3 and Classic ELBs

I'm trying to get the active TLS policy on a classic load balancer (elb, not elbv2) and I'm having trouble identifying what is going wrong here:

import boto3
from botocore.exceptions import ClientError

#Declare Constant
EXPECTED_POLICY = 'ELBSecurityPolicy-TLS-1-1-2017-01'
IAMID = '518031149234'

def set_session(awsprofile, awsregion):
    try:
        session = boto3.Session(profile_name=awsprofile, region_name=awsregion)
        return session
    except ClientError as e:
        print("Failed to run session setter for profile: {0} %s" % e).format(awsprofile)

def assume_role_into_account(profileId, assumeId, sessionName, assetType, regionName):
    try:
        setSession = set_session(profileId, regionName)
        stsSession = setSession.client('sts')
        response = stsSession.assume_role(RoleArn=("arn:aws:iam::{0}:role/security").format(assumeId),RoleSessionName=sessionName)
        credentials = response['Credentials']
        session = setSession.client(assetType, aws_access_key_id=credentials['AccessKeyId'],aws_secret_access_key=credentials['SecretAccessKey'],aws_session_token=credentials['SessionToken'])
        return session
    except ClientError as e:
        print("AssumeRole exception for profile: {0} %s" % e).format(profileId)

def main():

    try:
        srev2 = assume_role_into_account('sre', IAMID,'Security-Audit-AssumeRole-Session2', 'elb', 'us-east-1')
        print("AssumeRole into Account: {0} for Region: {1} .").format(IAMID, 'us-east-1')

    elbs = srev2.describe_load_balancers()

    for elb in elbs:
        policy = session.describe_load_balancer_policies(LoadBalancerName=elb)

    except ClientError as e:
        print("AssumeRole: Cannot assumerole for id: {0}." % e).format(IAMID)

if __name__ == '__main__':
    main()

So when I return policy when calling describe_load_balancer_policies(), there is no way to distinguish which policy is selected.

Any help?

TIA!

Solution

  • Ok, after a long discussion with the API and ELB team folks at Amazon... here is what we came up with, note this is only for classic ELB's. This will indeed return the ELB Policy you see in the AWS Web Console, every time.

    I spent a lot of time on this and i hope it benefits someone else that has also looked into this time-suck, near-fruitless endeavor:

    elbs = client.describe_load_balancers()

for elb in elbs:
    #Get Named Policy to pass to get the active policy. -1 denotes the last in the list.
    policy_name = jmespath.search('ListenerDescriptions[].PolicyNames[] | [-1]', elb)

    policy_description = client.describe_load_balancer_policies(LoadBalancerName=elb, PolicyNames=[policyname])
    console_policy = jmespath.search('PolicyDescriptions[?PolicyName==`{0}`] | [0].PolicyAttributeDescriptions[0].AttributeValue'.format(policyname), policy_description)

    return console_policy