cft_code package

Submodules

cft_code.add_eni module

/*************************************************************************
 * Copyright (c) 2016, Palo Alto Networks. All rights reserved.          *
 * This Software is the property of Palo Alto Networks. The Software and  *
 * all accompanying documentation are copyrighted.                        *
 *************************************************************************/

Copyright 2016 Palo Alto Networks

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

cft_code.add_eni.abandon(context, asg_message)

Method to complete the Auto Scaling lifecycle action with an ABANDON result. For an instance-launch hook this makes the ASG terminate the instance rather than put it into service.

Parameters:
  • context
  • asg_message
Returns:

cft_code.add_eni.associateAddress(AllocId, nifId)
Parameters:
  • AllocId
  • nifId
Returns:

cft_code.add_eni.attachEni(ec2Id, eniId, index)

Method to attach an ENI to an instance.

Parameters:
  • ec2Id
  • eniId
  • index
Returns:

cft_code.add_eni.count_eni(msg, instanceId)
Parameters:
  • msg
  • instanceId
Returns:

cft_code.add_eni.createEni(subnetId, securityGroups, index)

Method to create an Elastic Network Interface.

Parameters:
  • subnetId
  • securityGroups
  • index
Returns:

cft_code.add_eni.done(success, context, asg_message)

Method to send a successful response to an ASG lifecycle action.

Parameters:
  • success
  • context
  • asg_message
Returns:
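The lifecycle hook exchange that abandon() and done() take part in, as an added example (not code from cft_code or Palo Alto Networks): the hook delivers a JSON notification to the Lambda function, which must answer with CONTINUE or ABANDON through the Auto Scaling CompleteLifecycleAction API before the hook's heartbeat timeout. The notification below is a constructed sample with placeholder identifiers, and the recording client stands in for boto3's autoscaling client so the code runs offline; the request parameters are the real ones that client's complete_lifecycle_action accepts.

```python
"""Added example: parse an ASG lifecycle hook notification and complete the
action with CONTINUE or ABANDON. Not part of cft_code."""
import json

# Constructed sample notification for an EC2_INSTANCE_LAUNCHING hook.
# All identifiers are placeholders.
SAMPLE_LIFECYCLE_MESSAGE = json.dumps({
    "LifecycleHookName": "example-launch-hook",
    "AccountId": "123456789012",
    "RequestId": "11111111-2222-3333-4444-555555555555",
    "LifecycleTransition": "autoscaling:EC2_INSTANCE_LAUNCHING",
    "AutoScalingGroupName": "example-asg",
    "Service": "AWS Auto Scaling",
    "Time": "2016-01-01T00:00:00.000Z",
    "EC2InstanceId": "i-0123456789abcdef0",
    "LifecycleActionToken": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
})

# Constructed sample of the test message a hook target receives once at
# creation time; it carries no action token and must not be "completed".
SAMPLE_TEST_NOTIFICATION = json.dumps({
    "Event": "autoscaling:TEST_NOTIFICATION",
    "AutoScalingGroupName": "example-asg",
})

REQUIRED_FIELDS = ("LifecycleHookName", "AutoScalingGroupName",
                   "LifecycleActionToken", "EC2InstanceId",
                   "LifecycleTransition")


def parse_lifecycle_message(raw):
    """Parse and validate the notification; return None for test messages."""
    msg = json.loads(raw)
    if msg.get("Event") == "autoscaling:TEST_NOTIFICATION":
        return None
    missing = [f for f in REQUIRED_FIELDS if not msg.get(f)]
    if missing:
        raise ValueError("lifecycle message missing: %s" % ", ".join(missing))
    return msg


def lifecycle_action_params(msg, result):
    """Build the CompleteLifecycleAction request for the autoscaling client."""
    if result not in ("CONTINUE", "ABANDON"):
        raise ValueError("result must be CONTINUE or ABANDON")
    return {
        "LifecycleHookName": msg["LifecycleHookName"],
        "AutoScalingGroupName": msg["AutoScalingGroupName"],
        "LifecycleActionToken": msg["LifecycleActionToken"],
        "LifecycleActionResult": result,
        "InstanceId": msg["EC2InstanceId"],
    }


def complete_lifecycle(asg_client, msg, success):
    """Answer the hook: CONTINUE if the ENI work succeeded, else ABANDON.

    ABANDON on a launch hook terminates the instance, which is the safe
    failure mode: a firewall whose interfaces were never attached must not
    enter service."""
    result = "CONTINUE" if success else "ABANDON"
    asg_client.complete_lifecycle_action(**lifecycle_action_params(msg, result))
    return result


class RecordingAutoScalingClient:
    """Stand-in for boto3.client('autoscaling') so the example runs offline."""

    def __init__(self):
        self.calls = []

    def complete_lifecycle_action(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    client = RecordingAutoScalingClient()
    message = parse_lifecycle_message(SAMPLE_LIFECYCLE_MESSAGE)
    print(complete_lifecycle(client, message, success=False), client.calls[0])
```

In the real function the client is `boto3.client("autoscaling")` and the message arrives via SNS or SQS; the function's role needs `autoscaling:CompleteLifecycleAction` and nothing broader for this step.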

cft_code.add_eni.getUnassociatedAddress(eip_list)
Parameters:eip_list
Returns:
cft_code.add_eni.get_eip(mgmt_eniId, mgmt_instanceId)
Parameters:
  • mgmt_eniId
  • mgmt_instanceId
Returns:

cft_code.add_eni.get_event_rule_name(stackname, instanceId)
Parameters:
  • stackname
  • instanceId
Returns:

cft_code.add_eni.get_lambda_cloud_watch_func_name(stackname, instanceId)
Parameters:
  • stackname
  • instanceId
Returns:

cft_code.add_eni.get_stack_params(queue_url)
Parameters:queue_url
Returns:
cft_code.add_eni.get_statement_id(stackname, instanceId)
Parameters:
  • stackname
  • instanceId
Returns:

cft_code.add_eni.get_target_id_name(stackname, instanceId)
Parameters:
  • stackname
  • instanceId
Returns:

cft_code.add_eni.handle_instance_termination(fwApiKey, instanceId, NATGateway, delicenseKey)

Execute the sequence to deactivate the firewall license in the case of BYOL.

Parameters:
  • fwApiKey (str) – API key to interact with the firewall
  • instanceId (str) – The id of the instance
  • NATGateway (str) – Whether a NAT gateway is required
  • delicenseKey (str) – Key used to deactivate the license
Returns:

bool – Status of the firewall license deactivation workflow

cft_code.add_eni.lambda_handler(event, context)

The entry point when this lambda function gets invoked.

Note

The primary objective of this lambda function is to handle life-cycle hooks and to create / delete elastic network interfaces to attach to / detach from instances.

Parameters:
  • event – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.add_eni.random_string(string_length=10)
Parameters:string_length
Returns:
cft_code.add_eni.removeEni(eniId1)

Method to disassociate an ENI from an instance.

Parameters:eniId1
Returns:

cft_code.add_eni.remove_eni(message)
Parameters:message
Returns:
cft_code.add_eni.remove_eni_in_subnet(subnet)
Parameters:subnet
Returns:
cft_code.add_eni.retrieve_fw_ip(instance_id, NATGateway)

Retrieve the IP of the instance.

Parameters:
  • instance_id (str) – The id of the instance
  • NATGateway (str) – Whether a NAT gateway is required
Returns:

cft_code.add_eni.waitEniReady(eniId)

Method to check if an ENI is ready.

Parameters:eniId
Returns:

cft_code.init module


cft_code.init.UpdateActiveSessions(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateDataPlaneBufferUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateDataPlaneCPUUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateGPActiveTunnels(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateGPGatewayUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.UpdateSessionUtilization(stackname, asg_name, arn_scalein, arn_scaleout)
Parameters:
  • stackname
  • asg_name
  • arn_scalein
  • arn_scaleout
Returns:

cft_code.init.common_alarm_func_update(asg_name, metricname, namespace, arn_scalein, arn_scaleout, alarmname, desc)

Method to create alarms to be monitored on instances in an ASG.

Parameters:
  • asg_name
  • metricname
  • namespace
  • arn_scalein
  • arn_scaleout
  • alarmname
  • desc
Returns:

cft_code.init.create_load_balancers(r)

This function is not used.

Parameters:r
Returns:

cft_code.init.create_new_table(event)
Parameters:event
Returns:
cft_code.init.create_resources(event)

This method is called from the lambda handler entry point. The following actions are performed:

  • validate the AMI-ID
  • deploys the `sched_evt1` lambda function.
Parameters:event
Returns:None
cft_code.init.delete_load_balancers(r)
Parameters:r
Returns:
cft_code.init.delete_new_table(event)
Parameters:event
Returns:
cft_code.init.delete_resources(event)

Method to handle the delete of resources when the CFT stack is deleted.

Parameters:event
Returns:
cft_code.init.get_event_rule_name(stackname)

Method to create a unique name for the event rules.

Note

The event name is constructed by appending a fixed string to the stack name.

Parameters:stackname
Returns:
cft_code.init.get_panorama_ip(contents)
Parameters:contents
Returns:
cft_code.init.get_sha(bucket, folder, lambda_sha)

Method to compute the SHA-256 digest of the contents of the given file.

Parameters:
  • bucket
  • folder
  • lambda_sha
Returns:

cft_code.init.get_target_id_name(stackname)
Parameters:stackname
Returns:
cft_code.init.lambda_handler(event, context)

Note

This function is the entry point for the `init` Lambda function. This function performs the following actions:

  • invokes `create | delete | update_resources()` based on the action
    required.
  • creates the `sched_evt1` lambda function
    and configures the same.
  • validates that the PAN FW AMI-ID specified as input
    is valid and supported.
Parameters:
  • event (dict) – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context (LambdaContext) – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.init.no_asgs(elbname)
Parameters:elbname
Returns:
cft_code.init.random_string(string_length=10)
Parameters:string_length
Returns:
cft_code.init.read_s3_object(bucket, key)

Method to read data from an S3 bucket.

Note

This method is used to read bootstrap information, in order to license and configure the firewall.

Parameters:
  • bucket
  • key
Returns:

cft_code.init.remove_sched_func(stackname)

Remove the sched_evt function, in order to cleanup when the CFT stack is deleted.

Parameters:stackname
Returns:
cft_code.init.send_response(event, context, responseStatus)

Method to send a response back to the CFT process.

Parameters:
  • event
  • context
  • responseStatus
Returns:
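The response that send_response() has to deliver, as an added example (not code from cft_code or Palo Alto Networks): CloudFormation invokes the custom resource Lambda with an event carrying a pre-signed S3 ResponseURL, and the function reports SUCCESS or FAILED by PUTting a JSON body to that URL. If the response is never sent, for instance because an exception escaped the handler, the stack operation stalls until CloudFormation times out, so the example wraps the work so that an answer goes out on every path. The event is a constructed sample with placeholder identifiers; the body fields are the ones CloudFormation documents for custom resource responses; `RecordingOpener` and `failing_work` are stand-ins so the code runs offline.

```python
"""Added example: build and send a CloudFormation custom resource response.
Not part of cft_code."""
import json
import urllib.request

# Constructed sample Create request; all identifiers are placeholders.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.example/placeholder",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/example/0000",
    "RequestId": "11111111-2222-3333-4444-555555555555",
    "LogicalResourceId": "InitLambdaCustomResource",
    "ResourceType": "Custom::PanFwInit",
    "ResourceProperties": {"ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:init"},
}


def build_cfn_response(event, status, reason="", physical_id=None, data=None, no_echo=False):
    """Build the body CloudFormation expects.

    StackId, RequestId and LogicalResourceId are echoed from the request so
    CloudFormation can match the answer to the pending resource. Data is
    readable from the template via Fn::GetAtt, so secrets do not belong in
    it; NoEcho only masks console/API output."""
    if status not in ("SUCCESS", "FAILED"):
        raise ValueError("status must be SUCCESS or FAILED")
    if status == "FAILED" and not reason:
        raise ValueError("a FAILED response requires a Reason")
    return {
        "Status": status,
        "Reason": reason or "See CloudWatch Logs for details",
        # Keep the physical id stable across updates: a changed id makes
        # CloudFormation send a Delete for the old one after the update.
        "PhysicalResourceId": physical_id or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": no_echo,
        "Data": data or {},
    }


def send_cfn_response(event, body, opener=urllib.request.urlopen):
    """PUT the body to the pre-signed URL.

    No AWS credentials are needed; the signature is in the URL itself, so
    the URL is a bearer secret and must not be logged. ``opener`` is
    injectable so the example can run without network access."""
    payload = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT")
    # Match the convention of the cfn-response helper: empty content-type.
    req.add_header("Content-Type", "")
    req.add_header("Content-Length", str(len(payload)))
    with opener(req) as resp:
        return resp.status


def handler_with_guaranteed_response(event, work, opener=urllib.request.urlopen):
    """Run ``work(event)`` and always answer CloudFormation, FAILED on any
    exception, so a bug in the resource code cannot leave the stack hanging."""
    try:
        body = build_cfn_response(event, "SUCCESS", data=work(event))
    except Exception as exc:  # report the failure instead of swallowing it
        body = build_cfn_response(event, "FAILED", reason=str(exc)[:1000])
    send_cfn_response(event, body, opener=opener)
    return body["Status"]


def failing_work(event):
    """Constructed stand-in for resource code that raises."""
    raise RuntimeError("AMI validation failed")


class RecordingOpener:
    """Stand-in for urllib.request.urlopen so the example runs offline."""
    status = 200

    def __init__(self):
        self.requests = []

    def __call__(self, req):
        self.requests.append(req)
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    opener = RecordingOpener()
    print(handler_with_guaranteed_response(SAMPLE_EVENT, failing_work, opener=opener))
    print(opener.requests[0].data.decode())
```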

cft_code.init.subnetToList(listoflist)
Parameters:listoflist
Returns:
cft_code.init.update_alarm(stackname, asg_name, event)

Method to update alarm parameters if they have been changed when the CFT stack was updated.

Parameters:
  • stackname
  • asg_name
  • event
Returns:

cft_code.init.update_resources(event)

Method to handle any updates to the CFT templates.

Parameters:event – CFT input parameters
Returns:None
cft_code.init.validate_ami_id(event)

Validate that the AMI-ID provided is a valid PAN FW AMI.

Parameters:event – The CFT event params
Returns:bool

cft_code.metrics module


cft_code.metrics.ActiveSessions(root, namespace, asg_name)
cft_code.metrics.DataPlaneBufferUtilization(root, namespace, asg_name)
cft_code.metrics.DataPlaneCPUUtilization(root, namespace, asg_name)
cft_code.metrics.GPActiveTunnels(root, namespace, asg_name)
cft_code.metrics.GPGatewayUtilization(root, namespace, asg_name)
cft_code.metrics.SessionUtilization(root, namespace, asg_name)
cft_code.metrics.getChassisReady(response)
cft_code.metrics.getJobProgress(response)
cft_code.metrics.getJobResult(response)
cft_code.metrics.getJobStatus(response)
cft_code.metrics.getJobTfin(response)
cft_code.metrics.getTag(instanceid)
cft_code.metrics.getUntrustIP(instanceid, untrust)
cft_code.metrics.isAutoCommit(gcontext, gwMgmtIp, api_key)
cft_code.metrics.isChassisReady(gcontext, gwMgmtIp, api_key)
cft_code.metrics.isNatRule(gcontext, gwMgmtIp, api_key)
cft_code.metrics.lambda_handler(event, context)
cft_code.metrics.pan_print(s)
cft_code.metrics.pushNatRules(gcontext, gwMgmtIp, api_key, untrust, ilb_ip, hostname)
cft_code.metrics.runCommand(gcontext, cmd, gwMgmtIp, api_key)
cft_code.metrics.setTag(instanceid, value)
cft_code.metrics.test()
cft_code.metrics.valueToDict(v, s)
cft_code.metrics.valueToString(v, s)

cft_code.sched_evt1 module


cft_code.sched_evt1.AddActiveSessions(asg_name, arn_scalein, arn_scaleout)

Method to create the ActiveSessions Alarm. This alarm will trigger when the Active Sessions exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in scaling policy (alarm action)
  • arn_scaleout – ARN of the scale-out scaling policy (alarm action)
Returns:

bool

cft_code.sched_evt1.AddDataPlaneBufferUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the DataPlaneBufferUtilization Alarm. This alarm will trigger when the DataPlaneBufferUtilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in scaling policy (alarm action)
  • arn_scaleout – ARN of the scale-out scaling policy (alarm action)
Returns:

bool

cft_code.sched_evt1.AddDataPlaneCPUUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the DataPlaneCPUUtilization Alarm. This alarm will trigger when the Data Plane CPU Utilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in scaling policy (alarm action)
  • arn_scaleout – ARN of the scale-out scaling policy (alarm action)
Returns:

bool

cft_code.sched_evt1.AddGPActiveTunnels(asg_name, arn_scalein, arn_scaleout)
cft_code.sched_evt1.AddGPGatewayUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the GPGatewayUtilization Alarm. This alarm will trigger when the GPGatewayUtilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in scaling policy (alarm action)
  • arn_scaleout – ARN of the scale-out scaling policy (alarm action)
Returns:

bool

cft_code.sched_evt1.AddSessionUtilization(asg_name, arn_scalein, arn_scaleout)

Method to create the SessionUtilization Alarm. This alarm will trigger when the SessionUtilization exceeds the specified threshold.

Parameters:
  • asg_name – Name of the ASG
  • arn_scalein – ARN of the scale-in scaling policy (alarm action)
  • arn_scaleout – ARN of the scale-out scaling policy (alarm action)
Returns:

bool

cft_code.sched_evt1.DelActiveSessions(asg_name)

Method to delete the Active Sessions alarm

Parameters:asg_name – Name of the ASG
Returns:None
cft_code.sched_evt1.DelDataPlaneBufferUtilization(asg_name)

Method to delete the DataPlaneBufferUtilization alarm

Parameters:asg_name – Name of the ASG
Returns:None
cft_code.sched_evt1.DelDataPlaneCPUUtilization(asg_name)

Method to delete the DataPlaneCPUUtilization alarm

Parameters:asg_name – Name of the ASG
Returns:None
cft_code.sched_evt1.DelGPActiveTunnels(asg_name)
cft_code.sched_evt1.DelGPGatewayUtilization(asg_name)

Method to delete the GPGatewayUtilization alarm

Parameters:asg_name – Name of the ASG
Returns:None
cft_code.sched_evt1.DelSessionUtilization(asg_name)

Method to delete the Session Utilization alarm

Parameters:asg_name – Name of the ASG
Returns:None
cft_code.sched_evt1.check_and_send_message_to_queue(queue_url, str_message)

Check for the existence and the liveness of a message on the specified SQS queue, and insert the given message if needed.

Parameters:
  • queue_url – URL of the SQS to interrogate
  • str_message – Message to be inserted into the queue
Returns:

None

cft_code.sched_evt1.check_ilb_health_status()
Returns:
cft_code.sched_evt1.choose_subnet(subnet, AvailabilityZone)

Method to retrieve name / id of a subnet in the specified Availability Zone

Parameters:
  • subnet
  • AvailabilityZone
Returns:

cft_code.sched_evt1.common_alarm_func_add(asg_name, metricname, namespace, arn_scalein, arn_scaleout, alarmname, desc, Unit)

Method that supports a common interface to add cloud watch alarms along with the associated threshold metrics.

Parameters:
  • asg_name – Name of the ASG that this alarm is associated with.
  • metricname – Name of the metric.
  • namespace – Name of the namespace.
  • arn_scalein – ARN of the scale-in scaling policy, used as the alarm action.
  • arn_scaleout – ARN of the scale-out scaling policy, used as the alarm action.
  • alarmname – Name of the alarm that will be raised.
  • desc – Description of the alarm
  • Unit – The unit to be used.
Returns:

bool

cft_code.sched_evt1.common_alarm_func_del(alarmname)

Common interface to delete alarms.

Parameters:alarmname – Name of the alarm to delete.
Returns:None

cft_code.sched_evt1.create_asg(ip_address, s3_bucket_name, AvailabilityZone)

Method to create an Auto Scale Group with the configuration provided.

Note

This method performs the following critical functions

  • reads in configuration from an S3 bucket
  • creates a launch configuration
  • creates an ASG
  • associates the policies with the ASG
  • registers to ASG life-cycle hook events and provides handlers for these events.
Parameters:
  • ip_address
  • s3_bucket_name
  • AvailabilityZone
Returns:

cft_code.sched_evt1.create_asg_life_cycle(asg_name, AvailabilityZone, ip_address)

Method to register ASG life cycle hook actions.

When an ASG lifecycle hook is triggered, the targets registered by this method are invoked with the appropriate data fields.

Parameters:
  • asg_name – Name of the ASG.
  • AvailabilityZone – Name of the AZ
  • ip_address – IP address of the instance
Returns:

bool

cft_code.sched_evt1.find_ip_address(asg_response, ip_address)

Method to check ASGs against the IP addresses configured on the ILB.

Parameters:
  • asg_response
  • ip_address
Returns:

int

cft_code.sched_evt1.fix_subnets(data1)

Manipulate the subnet data and massage it accordingly.

Parameters:data1
Returns:str

cft_code.sched_evt1.fix_unicode(data)

Method to convert opaque data from unicode to UTF-8.

Parameters:data – Opaque data
Returns:UTF-8 encoded data

cft_code.sched_evt1.getAz(ip, response_ilb)

Method to return the availability zone that a configured IP address belongs to.

Parameters:
  • ip
  • response_ilb
Returns:

cft_code.sched_evt1.get_ilb_ip_addresses(event, content, response_ilb)

Method to retrieve the IP addresses that are configured on an ILB.

Parameters:
  • event
  • content
  • response_ilb
Returns:

str

cft_code.sched_evt1.internal_load_balancer_work(event, context)

Method to monitor the private IPs on the Internal Load Balancer and take the necessary actions.

The actions performed by this function are:
  • describe (list) the network interfaces on the ILB
  • describe (list) the currently configured auto scale groups
  • compare the auto scale groups configured with the IPs configured on the ILB; if there is a mismatch, either delete an ASG or add a new ASG as the case may be.

Parameters:
  • event (dict) – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context (LambdaContext) – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.sched_evt1.is_another_instance_in_service(stackname, asg_name, ip)
Parameters:
  • stackname
  • asg_name
  • ip
Returns:

cft_code.sched_evt1.lambda_handler(event, context)

Note

This function is the entry point for the `sched_evt1` Lambda function.

This function performs the following actions:

  • invokes `internal_load_balancer_work()` – detects changes to the IPs on the ILB and takes the necessary action
  • invokes `check_and_send_message_to_queue()` – checks the messages on the queue to ensure it is up to date and reflects any changes as the case may be
Parameters:
  • event (dict) – Encodes all the input variables to the lambda function, when the function is invoked. Essentially AWS Lambda uses this parameter to pass in event data to the handler function.
  • context (LambdaContext) – AWS Lambda uses this parameter to provide runtime information to your handler.
Returns:

None

cft_code.sched_evt1.lookup_ilb_for_delete(ip, asg_name, response)
Parameters:
  • ip
  • asg_name
  • response
Returns:

cft_code.sched_evt1.random_string(string_length=10)
Parameters:string_length
Returns:

cft_code.sha module


cft_code.sha.code_sha(filename)

Method to compute the SHA-256 digest of the contents of the file specified by the filename.

Parameters:filename
Returns:str
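What a digest like the one code_sha() and get_sha() compute is good for, as an added example (not code from cft_code or Palo Alto Networks): a Lambda deployment package is hashed locally and compared with the hash AWS Lambda reports for the deployed function. Lambda's `CodeSha256` field is the SHA-256 of the zip, base64-encoded, while `sha256sum` prints hex, so the example produces both forms and converts between them. The package bytes are a constructed stand-in, not a real zip, and no AWS call is made; the caller fetches the deployed function's `CodeSha256` (boto3 `lambda` client, `get_function`) and passes it in.

```python
"""Added example: SHA-256 of a Lambda deployment package in hex and in the
base64 form Lambda reports as CodeSha256. Not part of cft_code."""
import base64
import hashlib
import io

# Constructed stand-in for a zipped deployment package (not a valid zip).
SAMPLE_PACKAGE = b"PK\x03\x04 example lambda package bytes\n" * 64


def package_stream(data=SAMPLE_PACKAGE):
    """Return the constructed package as a binary file object."""
    return io.BytesIO(data)


def tampered_package(data=SAMPLE_PACKAGE):
    """Return the package with one byte flipped, to show the digest changes."""
    buf = bytearray(data)
    buf[len(buf) // 2] ^= 0x01
    return bytes(buf)


def sha256_stream(fileobj, chunk_size=1 << 16):
    """Hash a file object in chunks so large zips need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.digest()


def code_sha_hex(fileobj):
    """Hex digest, as sha256sum prints it."""
    return sha256_stream(fileobj).hex()


def code_sha_lambda(fileobj):
    """Base64 digest, the form Lambda's CodeSha256 field uses."""
    return base64.b64encode(sha256_stream(fileobj)).decode("ascii")


def hex_to_lambda_form(hexdigest):
    """Convert a sha256sum-style hex digest to Lambda's base64 CodeSha256."""
    return base64.b64encode(bytes.fromhex(hexdigest)).decode("ascii")


def lambda_code_matches(reported_code_sha256, fileobj):
    """True if the CodeSha256 reported by Lambda for the deployed function
    equals the digest of the local package; False means the deployed code
    is not the package that was reviewed and built."""
    return reported_code_sha256 == code_sha_lambda(fileobj)


if __name__ == "__main__":
    local_hex = code_sha_hex(package_stream())
    print("sha256sum form :", local_hex)
    print("CodeSha256 form:", hex_to_lambda_form(local_hex))
    print("tampered match :", lambda_code_matches(
        hex_to_lambda_form(local_hex), package_stream(tampered_package())))
```

The same comparison belongs in a deploy pipeline: compute the digest of the artifact you reviewed, call UpdateFunctionCode, then read back `CodeSha256` and refuse to proceed if it differs.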

Module contents