aws - rest-account - Retry and Raise Client Errors (cloud-custodian#9862)

Co-authored-by: AJ Kerrigan <aj@stacklet.io>

Author: mattheidelbaugh

c7n/resources/apigw.py

@@ -31,6 +31,7 @@ class RestAccount(ResourceManager):
 
     filter_registry = FilterRegistry('rest-account.filters')
     action_registry = ActionRegistry('rest-account.actions')
+    retry = staticmethod(get_retry(('TooManyRequestsException',)))
 
     class resource_type(query.TypeInfo):
         service = 'apigateway'
@@ -55,10 +56,11 @@ def get_model(self):
     def _get_account(self):
         client = utils.local_session(self.session_factory).client('apigateway')
         try:
-            account = client.get_account()
+            account = self.retry(client.get_account)
         except ClientError as e:
             if e.response['Error']['Code'] == 'NotFoundException':
                 return []
+            raise
         account.pop('ResponseMetadata', None)
         account['account_id'] = 'apigw-settings'
         return [account]

tests/data/placebo/test_rest_account_exception/apigateway.GetAccount_1.json

@@ -0,0 +1,10 @@
+{
+    "status_code": 403,
+    "data": {
+        "Error": {
+            "Message": "User: arn:aws:sts::644160558196:assumed-role/custodian-no-access/botocore-session-1733979413 is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-east-1::/account because no identity-based policy allows the apigateway:GET action",
+            "Code": "AccessDeniedException"
+        },
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_rest_account_rate_limit/apigateway.GetAccount_1.json

@@ -0,0 +1,11 @@
+{
+    "status_code": 429,
+    "data": {
+        "Error": {
+            "Message": "Too Many Requests",
+            "Code": "TooManyRequestsException"
+        },
+        "ResponseMetadata": {},
+        "message": "Too Many Requests"
+    }
+}

tests/data/placebo/test_rest_account_rate_limit/apigateway.GetAccount_2.json

@@ -0,0 +1,14 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "throttleSettings": {
+            "burstLimit": 5000,
+            "rateLimit": 10000.0
+        },
+        "features": [
+            "UsagePlans"
+        ],
+        "apiKeyVersion": "4"
+    }
+}

tests/test_apigw.py

@@ -1,6 +1,8 @@
 # Copyright The Cloud Custodian Authors.
 # SPDX-License-Identifier: Apache-2.0
+import time
 from botocore.exceptions import ClientError
+from mock import patch
 
 from .common import BaseTest, event_data
 from c7n.exceptions import PolicyValidationError
@@ -75,6 +77,29 @@ def test_rest_api_update(self):
         after_account, = p.resource_manager._get_account()
         self.assertEqual(after_account["cloudwatchRoleArn"], log_role)
 
+    def test_rest_account_exception(self):
+        session_factory = self.replay_flight_data('test_rest_account_exception')
+        p = self.load_policy(
+            {'name': 'rest-account-exception',
+             'resource': 'aws.rest-account'},
+            session_factory=session_factory
+        )
+        with self.assertRaises(ClientError) as e:
+            p.run()
+        self.assertEqual(e.exception.response['Error']['Code'], 'AccessDeniedException')
+
+    def test_rest_account_rate_limit(self):
+        session_factory = self.replay_flight_data('test_rest_account_rate_limit')
+        p = self.load_policy(
+            {'name': 'rest-account-rate-limit',
+             'resource': 'aws.rest-account'},
+            session_factory=session_factory
+        )
+        with patch('c7n.utils.time.sleep', new_callable=time.sleep(0)) as func:
+            resources = p.run()
+        self.assertTrue(func.called)
+        self.assertEqual(len(resources), 1)
+
 
 class TestRestApi(BaseTest):
 

tools/c7n_awscc/tests/data/placebo/awscc_log_delete/cloudcontrolapi.DeleteResource_1.json

@@ -4,18 +4,18 @@
         "ProgressEvent": {
             "TypeName": "AWS::Logs::LogGroup",
             "Identifier": "/aws/apigateway/welcome",
-            "RequestToken": "be14b0b2-2aa8-4b3b-9bd5-9be1df7bcaaa",
+            "RequestToken": "547cc454-b65a-4f8c-8036-28acf607ced8",
             "Operation": "DELETE",
             "OperationStatus": "IN_PROGRESS",
             "EventTime": {
                 "__class__": "datetime",
-                "year": 2022,
-                "month": 1,
-                "day": 17,
-                "hour": 12,
-                "minute": 8,
-                "second": 32,
-                "microsecond": 514000
+                "year": 2024,
+                "month": 12,
+                "day": 11,
+                "hour": 23,
+                "minute": 36,
+                "second": 57,
+                "microsecond": 155000
             }
         },
         "ResponseMetadata": {}

tools/c7n_awscc/tests/data/placebo/awscc_log_delete/cloudcontrolapi.GetResource_1.json

@@ -0,0 +1,11 @@
+{
+    "status_code": 200,
+    "data": {
+        "TypeName": "AWS::Logs::LogGroup",
+        "ResourceDescription": {
+            "Identifier": "/aws/apigateway/welcome",
+            "Properties": "{\"FieldIndexPolicies\":[],\"LogGroupClass\":\"STANDARD\",\"LogGroupName\":\"/aws/apigateway/welcome\",\"Arn\":\"arn:aws:logs:us-east-1:644160558196:log-group:/aws/apigateway/welcome:*\",\"DataProtectionPolicy\":{}}"
+        },
+        "ResponseMetadata": {}
+    }
+}

tools/c7n_awscc/tests/data/placebo/awscc_log_delete/cloudcontrolapi.ListResources_1.json

@@ -5,7 +5,7 @@
         "ResourceDescriptions": [
             {
                 "Identifier": "/aws/apigateway/welcome",
-                "Properties": "{\"RetentionInDays\":30,\"LogGroupName\":\"/aws/apigateway/welcome\",\"Arn\":\"arn:aws:logs:us-east-1:644160558196:log-group:/aws/apigateway/welcome:*\",\"Tags\":[{\"Value\":\"Kapil\",\"Key\":\"Owner\"}]}"
+                "Properties": "{\"LogGroupClass\":\"STANDARD\",\"LogGroupName\":\"/aws/apigateway/welcome\",\"Arn\":\"arn:aws:logs:us-east-1:644160558196:log-group:/aws/apigateway/welcome:*\"}"
             }
         ],
         "ResponseMetadata": {}

tools/c7n_awscc/tests/data/placebo/awscc_log_update/cloudcontrolapi.GetResource_1.json

@@ -4,7 +4,7 @@
         "TypeName": "AWS::Logs::LogGroup",
         "ResourceDescription": {
             "Identifier": "/aws/codebuild/custodian-build-python",
-            "Properties": "{\"RetentionInDays\":7,\"LogGroupName\":\"/aws/codebuild/custodian-build-python\",\"Arn\":\"arn:aws:logs:us-east-1:644160558196:log-group:/aws/codebuild/custodian-build-python:*\",\"Tags\":[{\"Value\":\"Kapil\",\"Key\":\"Owner\"}]}"
+            "Properties": "{\"FieldIndexPolicies\":[],\"LogGroupClass\":\"STANDARD\",\"LogGroupName\":\"/aws/codebuild/custodian-build-python\",\"Arn\":\"arn:aws:logs:us-east-1:644160558196:log-group:/aws/codebuild/custodian-build-python:*\",\"DataProtectionPolicy\":{}}"
         },
         "ResponseMetadata": {}
     }

tools/c7n_awscc/tests/data/placebo/awscc_log_update/cloudcontrolapi.GetResource_2.json

@@ -0,0 +1,11 @@
+{
+    "status_code": 200,
+    "data": {
+        "TypeName": "AWS::Logs::LogGroup",
+        "ResourceDescription": {
+            "Identifier": "/aws/codebuild/custodian-build-python",
+            "Properties": "{\"FieldIndexPolicies\":[],\"RetentionInDays\":7,\"LogGroupClass\":\"STANDARD\",\"LogGroupName\":\"/aws/codebuild/custodian-build-python\",\"Arn\":\"arn:aws:logs:us-east-1:644160558196:log-group:/aws/codebuild/custodian-build-python:*\",\"Tags\":[{\"Value\":\"Kapil\",\"Key\":\"Owner\"}],\"DataProtectionPolicy\":{}}"
+        },
+        "ResponseMetadata": {}
+    }
+}