
__________________
TODO project:

DONE finish README file
DONE document spec-file structure
DONE create setup.py and package project
DONE pull functions out of __init__ into new module

CONSIDER:
a single interface executible with operation modes for all tasks:
  organization, accounts, users, delegation
a single spec file awsorgs.conf which includes all the verious spec files
allow per-account or per-team spec files for auth
create a class to store args, logger, specs and 'deployed' dict for 
  passing to functions.  see branch 'named_tuple'






__________________
utils.py

TODO:
NA in munge_path() check if default_path is defined or not
DONE validate_spec() warn if spec contains non-defined attributes?

CONSIDER:
NOT should validate_spec() return a possibly altered specl? (e.g. value = 'default')



__________________
TODO awsorgs.py:

add unit testing
IN PROGRESS change 'policy' to sc_policy everywhere

DONE (hard to test) scan_deployed_accounts: fix 'NextToken' logic.
DONE make master_id check a function. import into accounts.
DONE control order of organization tasks
DONE get rid of globals
DONE make spec-file input and report output similar
DONE create documentation (pydoc)
DONE validate/sanitize org_spec input
DONE get rid of var change_counter
DONE send messages to a text accumutator or ??  
DONE in aws-orgs.manage_accounts:
  DONE test account creation status running move_account()
DONE in specify_policy_content: test keys exist
DONE in manage_policy_attachments raise error when:
    DONE detaching default policy
    DONE attaching to an absent ou
DONE in manage_policies: dont delete a policy attached to an ou

NA in logger: prepend timestamp to messages
NA make logger write to different url



__________________
TODO accounts.py:

set account email if not specified
DONE apply new spec validation framework
DONE derive Email attribute from domain_name
DONE enforce use of Team attribute on managed accounts
DONE import more functions from awsorgs
DONE account creation
DONE fill out validate_account_spec_file()
DONE in scan_deployed_accounts:
  DONE crosscheck fully created accounts against States=['SUCCEEDED'])['CreateAccountStatuses']

CONSIDER:
NOT parse account names for compliance
NOT account-spec details allowed values for name components





__________________
auth.py:

TODO:

delete unused custom policies.  (non-attached to any role)
  see ListAccountsInOrganization in OrgMaster
recreate role,policy if path changes
report unmanaged iam resources in all accounts
when reporting roles, handle service roles as well as 'IAM' roles
harvest unmanaged roles in accounts which have the default path


DONE incorporate create/send credentials for new users from awsorgs.loginprofile

DONE require Team attribute for users
DONE incorporate theading
DONE in delegation report list accounts in alphabetical order
DONE add 'Exclude' attribute to groups and delegations for when 'ALL' is specified
DONE document spec structures
DONE validate policy specs
DONE create_groups: use boto group resourse
DONE create_groups: after deleting a group, remove it from deployed['groups']
DONE validate delegation specs
DONE handle 'ALL' special value in users[members]
DONE reconsider spec param auth_account
DONE handle 'ALL' special value in delegations[trusting_accounts]
DONE warn when a user does not exist when populating groups
DONE prevent deletion of org_access_role
DONE document all functions
DONE delete orphan delegations in accounts and groups
DONE insert account name when reporting assume role policies
DONE add debug option
DONE handle assigning group policies in auth account.
DONE check for custom policy updates
DONE get org root id
DONE report users, groups, roles
DONE report roles and policies
DONE create users
DONE create groups
DONE populate users in groups
DONE create custom policies
DONE attach policies to groups
DONE create roles
DONE populate roles in other org accounts.
DONE replace functions get_{client/resource}_for_assumed_role()

ISSUES:
how/where do we structure/deploy yaml data for teams specification?
  maybe place it in a db or ldap or redis?
  currently this resides in the spec-file used by accounts.py.

CONSIDER:
should group get deleted even if it still has users?
add options for reporting:
  allow separate reports for users, groups, delegations
  allow for multiple levels of detail in delegation reports
add spec param 'use_team_path' as boolean:
  NOT append Path after team in munge_path()




_______________
awsloginprofile

TODO:

prep_email(): don't just print() the email.  where should it write to?
prep_email(): add aws-shelltools usage, infohelp to upload ssh pubkey
prep_email(): make html version?
disable/reenable ssh keys
email credentials new users
  requires an ses resource?
  require config file for email service?


notes:

subject = "Hello"
html = "<b>Hello Consumer</b>"

client = boto3.client('ses', region_name='us-east-1', aws_access_key_id="your_key",
        aws_secret_access_key="your_secret")

client.send_email(
    Source='ACME <do-not-reply@acme.com>',
    Destination={'ToAddresses': [email]},
    Message={
        'Subject': {'Data': subject},
        'Body': {
            'Html': {'Data': html}
        }
    }
)

other mailers:
yagmail
marrow.mailer


http://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-an-email-using-sdk-programmatically.html




________________________________________________________________________________
________________________________________________________________________________


