controltowerlib package
Subpackages
Submodules
controltowerlib.controltowerlib module
Main code for controltowerlib.
-
class
controltowerlib.controltowerlib.
ControlTower
(arn, settling_time=90)[source]¶ Bases:
awsauthenticationlib.awsauthenticationlib.LoggerMixin
Models Control Tower by wrapping around service catalog.
-
property
accounts
¶ The accounts under control tower.
- Returns
A list of account objects under control tower’s control.
- Return type
accounts (Account)
-
api_content_type
= 'application/x-amz-json-1.1'¶
-
api_user_agent
= 'aws-sdk-js/2.528.0 promise'¶
-
property
baseline_update_available
¶ Baseline update available.
-
property
busy
¶ Busy.
-
property
catastrophic_drift
¶ List of catastrophic drift.
-
core_account_types
= ['PRIMARY', 'LOGGING', 'SECURITY']¶
-
property
core_accounts
¶ The core accounts of the landing zone.
- Returns
A list of the primary, logging and security account.
- Return type
core_accounts (list)
-
create_account
(account_name, account_email, organizational_unit, product_name=None, sso_first_name=None, sso_last_name=None, sso_user_email=None)[source]¶ Creates a Control Tower managed account.
- Parameters
account_name (str) – The name of the account.
account_email (str) – The email of the account.
organizational_unit (str) – The organizational unit that the account should be under.
product_name (str) – The product name; if nothing is provided it uses the account name.
sso_first_name (str) – The first name of the SSO user, defaults to “Control”.
sso_last_name (str) – The last name of the SSO user, defaults to “Tower”.
sso_user_email (str) – The email of the SSO user; if nothing is provided it uses the account email.
- Returns
True on success, False otherwise.
- Return type
result (bool)
-
create_organizational_unit
(name)[source]¶ Creates a Control Tower managed organizational unit.
- Parameters
name (str) – The name of the OU to create.
- Returns
True if successful, False otherwise.
- Return type
result (bool)
-
decommission
()[source]¶ Decommissions a landing zone.
The API call alone does not seem to be enough: although the resources are decommissioned as they would be by the proper process, Control Tower responds with a delete failed on the API, so it seems that AWS needs to perform actions on their end for the decommissioning to be successful.
- Returns
True if the process starts successfully, False otherwise.
- Return type
response (bool)
-
delete_organizational_unit
(name)[source]¶ Deletes a Control Tower managed organizational unit.
- Parameters
name (str) – The name of the OU to delete.
- Returns
True if successful, False otherwise.
- Return type
result (bool)
-
deploy
(logging_account_email, security_account_email, regions=None, retries=10, wait=1)[source]¶ Deploys control tower.
- Returns
True on success, False on failure.
- Return type
bool
-
property
deploying_messages
¶ Deploying messages.
-
property
drift_messages
¶ Drift messages.
-
property
enabled_guard_rails
¶ Enabled guard rails.
-
get_account_by_arn
(arn)[source]¶ Retrieves an account by arn.
- Returns
An account object that matches the arn or None.
- Return type
account (Account)
-
get_account_by_id
(id_)[source]¶ Retrieves an account by id.
- Returns
An account object that matches the id or None.
- Return type
account (Account)
-
get_account_by_name
(name)[source]¶ Retrieves an account by name.
- Returns
An account object that matches the name or None.
- Return type
account (Account)
-
get_accounts_with_available_updates
()[source]¶ Retrieves the accounts that have available updates from control tower.
- Returns
A list of account objects under control tower’s control with available updates.
- Return type
accounts (Account)
-
get_available_accounts
()[source]¶ Retrieves the available accounts from control tower.
- Returns
A list of available account objects under control tower’s control.
- Return type
accounts (Account)
-
static
get_available_regions
()[source]¶ The regions that control tower can be active in.
- Returns
A list of strings of the regions that control tower can be active in.
- Return type
regions (list)
-
get_changing_accounts
()[source]¶ Retrieves the accounts that are under change from control tower.
- Returns
A list of account objects under control tower’s control that are under change.
- Return type
accounts (Account)
-
get_erroring_accounts
()[source]¶ Retrieves the erroring accounts from control tower.
- Returns
A list of erroring account objects under control tower’s control.
- Return type
accounts (Account)
-
get_organizational_unit_by_id
(id_)[source]¶ Gets a Control Tower managed Organizational Unit by id.
- Parameters
id (str) – The id of the organizational unit to retrieve.
- Returns
An OU object on success, None otherwise.
- Return type
result (ControlTowerOU)
-
get_organizational_unit_by_name
(name)[source]¶ Gets a Control Tower managed Organizational Unit by name.
- Parameters
name (str) – The name of the organizational unit to retrieve.
- Returns
An OU object on success, None otherwise.
- Return type
result (ControlTowerOU)
-
get_organizations_ou_by_arn
(arn)[source]¶ Gets an Organizations managed Organizational Unit by arn.
- Parameters
arn (str) – The arn of the organizational unit to retrieve.
- Returns
An OU object on success, None otherwise.
- Return type
result (OrganizationsOU)
-
get_organizations_ou_by_id
(id_)[source]¶ Gets an Organizations managed Organizational Unit by id.
- Parameters
id (str) – The id of the organizational unit to retrieve.
- Returns
An OU object on success, None otherwise.
- Return type
result (OrganizationsOU)
-
get_organizations_ou_by_name
(name)[source]¶ Gets an Organizations managed Organizational Unit by name.
- Parameters
name (str) – The name of the organizational unit to retrieve.
- Returns
An OU object on success, None otherwise.
- Return type
result (OrganizationsOU)
-
get_service_control_policy_by_name
(name)[source]¶ Retrieves a service control policy by name.
- Parameters
name (str) – The name of the SCP to retrieve.
- Returns
The SCP if a match is found, else None.
- Return type
scp (ServiceControlPolicy)
-
get_updated_accounts
()[source]¶ Retrieves the accounts that have no available updates from control tower.
- Returns
A list of account objects under control tower’s control with no available updates.
- Return type
accounts (Account)
-
property
guard_rails
¶ Guard rails.
-
property
guard_rails_violations
¶ List guard rails violations.
-
property
guardrail_update_available
¶ Guardrail update available.
-
property
is_deployed
¶ The deployment status of control tower.
-
property
landing_zone_update_available
¶ Landing Zone update available.
-
property
landing_zone_version
¶ Landing zone version.
-
property
organizational_units
¶ The organizational units under control tower.
- Returns
A list of organizational units objects under control tower’s control.
- Return type
organizational_units (OrganizationalUnit)
-
property
organizations_ous
¶ The organizational units under Organizations.
- Returns
A list of organizational units objects under Organizations.
- Return type
organizational_units (OrganizationsOU)
-
property
percentage_complete
¶ Percentage complete.
-
property
region
¶ Region.
-
property
region_metadata_list
¶ Region metadata list.
-
register_organizations_ou
(name)[source]¶ Registers an Organizations OU under control tower.
- Parameters
name (str) – The name of the Organizations OU to register to Control Tower.
- Returns
True if successful, False otherwise.
- Return type
result (bool)
-
property
root_ou
¶ The root ou of control tower.
- Returns
The root ou object.
- Return type
root_ou (ControlTowerOU)
-
property
service_control_policies
¶ The service control policies under the organization.
- Returns
A list of SCPs under the organization.
- Return type
service_control_policies (list)
-
property
service_landing_zone_version
¶ Service landing zone version.
-
property
status
¶ Status.
-
supported_targets
= ['listManagedOrganizationalUnits', 'manageOrganizationalUnit', 'deregisterOrganizationalUnit', 'listManagedAccounts', 'getGuardrailComplianceStatus', 'describeManagedOrganizationalUnit', 'listGuardrailsForTarget', 'getAvailableUpdates', 'describeCoreService', 'getAccountInfo', 'listEnabledGuardrails', 'listGuardrails', 'listOrganizationalUnitsForParent', 'listDriftDetails', 'getLandingZoneStatus', 'setupLandingZone', 'getHomeRegion', 'listGuardrailViolations', 'getCatastrophicDrift', 'getGuardrailComplianceStatus', 'describeAccountFactoryConfig', 'performPreLaunchChecks', 'deleteLandingZone']¶
-
update
()[source]¶ Updates the control tower to the latest version.
- Returns
True on success, False on failure.
- Return type
bool
-
property
user_landing_zone_version
¶ User landing zone version.
controltowerlib.controltowerlibexceptions module
Custom exception code for controltowerlib.
-
exception
controltowerlib.controltowerlibexceptions.
ControlTowerBusy
[source]¶ Bases:
Exception
The control tower is already executing some action.
-
exception
controltowerlib.controltowerlibexceptions.
ControlTowerNotDeployed
[source]¶ Bases:
Exception
The control tower is not deployed at all.
-
exception
controltowerlib.controltowerlibexceptions.
EmailCheckFailed
[source]¶ Bases:
Exception
Checking of the email was not possible.
-
exception
controltowerlib.controltowerlibexceptions.
EmailInUse
[source]¶ Bases:
Exception
The email provided is already in use and cannot be used to deploy an account.
-
exception
controltowerlib.controltowerlibexceptions.
NoServiceCatalogAccess
[source]¶ Bases:
Exception
There is no access to service catalog.
-
exception
controltowerlib.controltowerlibexceptions.
NoSuspendedOU
[source]¶ Bases:
Exception
The suspended OU has not been created.
-
exception
controltowerlib.controltowerlibexceptions.
NonExistentSCP
[source]¶ Bases:
Exception
The SCP requested does not exist.
-
exception
controltowerlib.controltowerlibexceptions.
OUCreating
[source]¶ Bases:
Exception
The organizational unit is still under creation and cannot be used.
-
exception
controltowerlib.controltowerlibexceptions.
PreDeployValidationFailed
[source]¶ Bases:
Exception
The pre deployment validation failed.
-
exception
controltowerlib.controltowerlibexceptions.
RoleCreationFailure
[source]¶ Bases:
Exception
Unable to create the required roles for the deployment of control tower, manual clean up is required.
-
exception
controltowerlib.controltowerlibexceptions.
ServiceCallFailed
[source]¶ Bases:
Exception
The call to the service has failed.
Bases:
Exception
The region or regions provided to control tower to deploy in are not available.