3030LOGGER  =  logging .getLogger (__name__ )
3131log_level  =  os .environ .get ("LOG_LEVEL" , logging .INFO )
3232LOGGER .setLevel (log_level )
33+ LOGGER .info (f"boto3 version: { boto3 .__version__ }  )
3334
3435# Initialise the helper 
3536helper  =  CfnResource (json_logging = True , log_level = "DEBUG" , boto_level = "CRITICAL" )
3637
3738# Global Variables 
3839UNEXPECTED  =  "Unexpected!" 
3940BOTO3_CONFIG  =  Config (retries = {"max_attempts" : 10 , "mode" : "standard" })
41+ MAX_RETRIES  =  12 
42+ SLEEP_TIME  =  5 
4043
4144
4245def  assume_role (role : str , role_session_name : str , account : str  =  None , session : boto3 .Session  =  None ) ->  boto3 .Session :
@@ -70,7 +73,7 @@ def assume_role(role: str, role_session_name: str, account: str = None, session:
7073 )
7174
7275
73- def  associate_admin_account (delegated_admin_account_id : str ) ->  None :
76+ def  associate_admin_account (delegated_admin_account_id : str ) ->  None :# noqa CCR001 
7477 """Associate an administrator account for Firewall Manager. 
7578
7679 Args: 
@@ -79,6 +82,7 @@ def associate_admin_account(delegated_admin_account_id: str) -> None:
7982 Raises: 
8083 ValueError: Admin account already exists. 
8184 """ 
85+  LOGGER .info (f"Admin account: { delegated_admin_account_id }  )
8286 firewall_manager_client : FMSClient  =  boto3 .client ("fms" , region_name = "us-east-1" , config = BOTO3_CONFIG ) # APIs only work in us-east-1 region 
8387
8488 try :
@@ -90,8 +94,32 @@ def associate_admin_account(delegated_admin_account_id: str) -> None:
9094 except  firewall_manager_client .exceptions .ResourceNotFoundException :
9195 LOGGER .info ("Administrator account does not exist. Continuing..." )
9296
93-  LOGGER .info ("Associating admin account in Firewall Manager" )
94-  firewall_manager_client .associate_admin_account (AdminAccount = delegated_admin_account_id )
97+  LOGGER .info ("Attempting to associate the admin account in Firewall Manager" )
98+  try :
99+  firewall_manager_client .associate_admin_account (AdminAccount = delegated_admin_account_id )
100+  except  botocore .exceptions .ClientError  as  error :
101+  LOGGER .info (f"Error associating admin account: { error .response ['Error' ]['Message' ]}  )
102+  if  error .response ["Error" ]["Code" ] ==  "InvalidOperationException" :
103+  LOGGER .info (f"Invalid operation exception occurred; waiting { SLEEP_TIME }  )
104+  i_retry  =  0 
105+  while  i_retry  <=  MAX_RETRIES :
106+  time .sleep (SLEEP_TIME )
107+  try :
108+  firewall_manager_client .associate_admin_account (AdminAccount = delegated_admin_account_id )
109+  associated  =  True 
110+  except  botocore .exceptions .ClientError  as  retry_error :
111+  LOGGER .info (f"Attempt { i_retry } { retry_error .response ['Error' ]['Message' ]}  )
112+  associated  =  False 
113+  if  associated  is  True :
114+  break 
115+  else :
116+  i_retry  +=  1 
117+  if  associated  is  False :
118+  LOGGER .error ("Unable to associate admin account." )
119+  raise  ValueError ("Unable to associate admin account." ) from  None 
120+  else :
121+  LOGGER .error ("Unexpected error. Unable to associate admin account due to error unrelated to an invalid operation." )
122+  raise  ValueError ("Unexpected error. Unable to associate admin account due to error unrelated to an invalid operation." ) from  None 
95123 LOGGER .info ("...Waiting 5 minutes for admin account association." )
96124 time .sleep (300 ) # use 5 minute wait 
97125 while  True :