Kristina Trump
@KristinaTrump_twitter
@kapilt is there a way to place a mark-for-op delete tag on an EBS snapshot while we are executing the snapshot action for an EC2 resource? If not, what alternative approaches could be used?
2 replies
rs324
@rs324

Hi everyone,
I'm trying to get unused IAM roles with the following policy:

policies:
  - name: tag-unused-iam-roles
    resource: iam-role
    comment: |
      Mark unused IAM roles
    filters:
      - type: usage
        match-operator: all
        LastAuthenticated:
          type: value
          value_type: age
          op: greater-than
          value: 120
      - not:
          - type: value
            key: RoleName
            op: regex
            value: ^(AWSServiceRole?)\w+
    actions:
      - type: mark-for-op
        tag: c7n_iam_unused_role
        op: delete
        days: 30

When scanning the account I'm getting one role that has been used today:

"RoleLastUsed": {
  "LastUsedDate": "2020-10-12T11:48:54+00:00",
  "Region": "eu-north-1"
}

It also catches roles that have never been used before.
Has anyone managed to scan unused roles without mistakes?
Thanks.

5 replies
RaghvendraGit
@RaghvendraGit
Hello everyone, I am writing an Elastic Load Balancer policy to check whether a security policy is applied on an NLB or ALB. But I found that it is not working for NLBs; it is only working for ALBs. I have even used the filter for network LBs, such as:

filters:
  - Type: network

but it is still not working.
Has anyone faced such issues with NLBs before? Is there any solution for this?
10 replies
xlrd
@xlrd
I am trying to configure Cloud Custodian to set up S3 replication when a specific tag is present on the bucket. I am looking at https://cloudcustodian.io/docs/aws/resources/s3.html#aws-s3-actions-set-replication but struggling to understand how to "set" the replication parameters. Does anyone have an example of a policy to configure replication?
3 replies
Christian Yarros
@CYarros10
Hi all, if anyone here has recently added Cloud Custodian support for a new AWS service, I'd love to connect and learn about the process. I am looking to add support for WAFV2, Event Bus, Athena Workgroup, and more.
6 replies
vkuchi
@vinaykuchibhotla
I need to filter ASGs that are configured with encrypted volumes, and using this policy isn't returning any results. What am I missing?
policies:
  - name: asg-unencrypted
    resource: asg
    filters:
      - type: launch-config
        key: "BlockDeviceMappings[].Ebs.Encrypted"
        value: true
5 replies
rachgupt
@rachgupt
Hi. On Azure ACI, it's not clear whether we can run multiple subscriptions on one container. Per https://cloudcustodian.io/docs/azure/configuration/containerhosting.html#azure-containerhosting , it looks like one is needed on each subscription? With a VM we can scan the entire tenant. Please correct me if I am wrong about the container.
satvan23
@satvan23

Hi. Trying out a policy for internet-facing classic and new types of LB.

The below works:

policies:
  - name: elb-delete-new-internet-facing
    resource: elb
    mode:
      type: cloudtrail
      events:
        - CreateLoadBalancer
    description: |
      Any newly created Classic Load Balancers launched with
      an internet-facing scheme will be deleted right away.
    filters:
      - type: event
        key: "detail.requestParameters.scheme"
        op: eq
        value: "internet-facing"

But with "resource: app-elb" it does not. It is the same "CreateLoadBalancer" in both cases, but I see this error in the Lambda logs, and consequently I don't get an email when it creates the app-elb:

14:34:05
[WARNING] 2020-10-13T14:34:05.870Z a63bb89e-9d95-4182-9cb7-8349c2061aff Could not find resource ids
[WARNING] 2020-10-13T14:34:05.870Z a63bb89e-9d95-4182-9cb7-8349c2061aff Could not find resource ids

11 replies
Michael Davis
@MichaelDavisTSN
It's baffling me why I'm getting this error when PyYAML is installed:
https://gist.github.com/MichaelDavisTSN/a6611447501d8446198c20b7f722de40
we use a modified version of the gcproject.py script, but it does have the statement "include yaml"
Kapil Thangavelu
@kapilt
your modified script is probably referencing a system Python vs. a virtualenv Python
8 replies
i.e. check the shebang at the top of your script
Landon Dale
@landale4
Christian Yarros
@CYarros10
Is there a way to use "cloud-custodian/tools/ops/policylambda.py" via the pip install of c7n, or is it required that I clone the repo to use this tool?
Christian Yarros
@CYarros10
Currently I clone the repo and run "cloud-custodian/tools/ops/policylambda.py" to convert Custodian policies into CloudFormation templates. This tool imports c7n, so I need to pip install everything (c7n*) prior to running the script. I am facing an issue where I am both pip installing c7n and cloning the repo: the cloned repo has the latest code, but pip install c7n has the latest release, and certain errors arise due to this discrepancy.
8 replies
trinaryouroboros
@trinaryouroboros
hey folks, I have a stupid question pertaining to AWS metrics. I have code like this:

  - type: metrics
    name: CPUUtilization
    statistics: Average
    days: 30
    period: 86400
    value: 25
    op: less-than

I'm concerned about how to determine averages. For example, am I looking at "the average of 7 days' worth of (average CPU of period=24 hours)", or at "set true if all 7 days have (average CPU of period 24 hours < 25%)"?
satvan23
@satvan23
Guys, unless I'm mistaken, the S3 filter for logging is "server-level logging", not "object-level logging"?
2 replies
Michael Davis
@MichaelDavisTSN

Having trouble with this policy code (with or without quotes):

actions:
  - type: set-labels
    remove: ["custodian-tag-compliance"]

getting error:
c7n_org:ERROR Exception running policy:compute-label-compliance-shared-services-untag account:<removed> region:global error:'NoneType' object has no attribute 'items'

26 replies
Praveen M
@praveen8735

@kapilt this is what I did for unused S3:

    filters:
      - type: metrics
        name: AllRequests
        days: 1
        value: 1
        op: greater-than

So if I run it tomorrow, it should highlight buckets which have not been touched for a day; did I get that right?

I'm getting no results for this filter. Also, request metrics have been enabled.

18 replies
Amit Sehgal
@amitsehgal
@kapilt Good morning. I was wondering if we plan to release 0.9.7 this week.
2 replies
satvan23
@satvan23

Guys, so I have a Lambda which does what is intended but does not send out email. I have tried three different "recipients" but it doesn't work. What am I missing?

to:
  - Owner
  - Creator
  - CreatorEmail
1 reply
Kapil Thangavelu
@kapilt
nitro
@nitrocode
nice job!
Quick question: how come all the c7n tools are not in their own repos under the Cloud Custodian GitHub org, and are instead in the cloud-custodian monorepo?
8 replies
Nagarjuna
@Avuthu_gitlab
This message was deleted
3 replies
Chandan
@chandanb91
Hello, I have a requirement to reboot Redshift clusters every Saturday. I could do this using a Lambda, but I really wanted to use Cloud Custodian. Unfortunately, reboot is not available as an action. I also saw that pause and resume are available, but will this be equivalent to a reboot? I'm not sure. Could someone please advise?
10 replies
vkuchi
@vinaykuchibhotla
Is there a way to use rename-tag on EC2 to address various versions of a tag key? My old keys come in all sorts of cases, like TaG, tAg, TAg, taG, etc., and I want them to be renamed to Tag. This action doesn't seem to be working:
actions:
  - type: rename-tag
    old-key: TAg
    new-key: Tag
  - type: rename-tag
    old-key: TaG
    new-key: Tag
4 replies
aakshaik2
@aakifshaikh
Can I make c7n-mailer read the tag:owner value to send the notification? Example: we have an email address as the owner tag (owner:you@example.com). The test-policy.yml is below, and it doesn't seem to work. But if I change that to the exact email address, then it works.
policies:
  - name: c7n-mailer-test
    resource: aws.sqs
    filters:
      - "tag:MailerTest": absent
    actions:
      - type: notify
        template: default
        priority_header: '2'
        subject: testing the c7n mailer
        to:
          - tag:owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/592361377849/c7n-mailer-test
5 replies
Ghost
@ghost~5cde0553d73408ce4fc081f4
I am trying to install Custodian from source code and I see the following error; has anyone seen this? "ModuleNotFoundError: No module named 'setuptools'"
18 replies
cloudymatt
@cloudymatt
I'm trying to work out how to filter on secrets in AWS Secrets Manager older than x days, but I'm not sure if it's possible for this service?
20 replies
Karl de Castro Fonseca
@KarlCF

cloud-custodian/cloud-custodian#5201

@jtroberts83 did you manage to find a work-around for this issue?

3 replies
Kristina Trump
@KristinaTrump_twitter
@kapilt, can we use filters as below to identify a range between 30 and 60?
filters:
  - type: state-age
    op: ge
    days: 30
  - type: state-age
    op: le
    days: 60
3 replies
Freddy Esteban Perez
@freddyesteban
Hi, I'm new to Cloud Custodian. I'm trying to manage multiple accounts using c7n-org in an automated fashion from a CI/CD pipeline. At the moment I'm using Terraform to create resources on a master account: an SQS queue for the mailer along with a role for the mailer Lambda, and an IAM user called c7n-deployer that will be used to create roles and permissions on the target accounts. The c7n-org accounts config requires a role on the target account that the user c7n-deployer in the master account has permission to assume; am I understanding that correctly? But in order to create the correct permissions in the target accounts, it sounds like the role needs to exist prior to running c7n-org. I'm sorry if these questions are trivial; I'm also new to AWS.
2 replies
Nagarjuna
@Avuthu_gitlab

Azure policy for auto-tag-user with random characters:

policies:
  - name: custodian_arm_resource_disk_write
    resource: azure.armresource
    mode:
      type: azure-event-grid
      events:
        - resourceProvider: Microsoft.Compute/disks
          event: write
      provision-options:
        servicePlan:
          name: c7n-azure
          resourceGroupName: c7n-azure
          location: East US 2
        appInsights:
          name: c7n-azure
        identity:
          type: UserAssigned
          id: c7n-aci
    description: |
      Tag a newly created disk with the 'Owner Email' tag.
    actions:
      - type: auto-tag-user
        tag: Custodian_onwer
      - type: auto-tag-date
        tag: DateCreated
        format: "%m-%d-%Y"

Activity logs clearly state that the Owner tag is supposed to be tagged with the email id:

   "properties": {
        "statusCode": "Accepted",
        "serviceRequestId": "fe65b5a4-bf7f-49fe-bff4-9bf8bf109708",
        "responseBody": "{\"name\":\"azure-tagging\",\"location\":\"eastus2\",\"tags\":{\"Owner\":\"navuthu@xxxxxxxxxxx.com\"},\"managedBy\":\"/subscriptions/XXXXXXXXXXXXXXXXXXXX/resourceGroups/CloudCustodian-RG/providers/Microsoft.Compute/virtualMachines/tag-testing-123\",\"sku\":{\"name\":\"StandardSSD_LRS\",\"tier\":\"Standard\"},\"properties\":{\"creationData\":{\"createOption\":\"Empty\"},\"diskSizeGB\":4,\"provisioningState\":\"Updating\",\"isArmResource\":true,\"faultDomain\":0}}",
        "eventCategory": "Administrative"

Output on the console is:

1 reply
image.png
Matt Clark
@matticulous

As I understand it (please correct me where I'm wrong), there is a "syntactic sugar" style for value filters, such that

- Engine: aurora-postgresql

is the equivalent of

- type: value
  key: Engine
  value: aurora-postgresql
  op: eq

I would like to learn more about this style of filter definition, but haven't come across much in the documentation (there are examples using the style without much explanation). Can someone point me toward docs or other resources?

4 replies
Codgedodger
@Codgedodger
I'm sure this has been asked a million times, but how are you guys deploying Cloud Custodian with AWS? Currently I just have it locally installed on my machine through PowerShell, but I'm wondering if there's a more 'enterprise' setup that someone is running.
13 replies
I have a StackSet deploying the roles and trust relationships to all the accounts in the org, then I just run my policies locally with an access/secret key through c7n-org.
5 replies
Amit Sehgal
@amitsehgal
Seems like mugc does not delete the config-rules generated by c7n? Is there a feature request?
1 reply
sheldonhull
@sheldonhull
If anyone has some Cloud Custodian custom rules for AWS SSM Inventory, I could use a jump start. I want to deploy an AWS Config rule that checks SSM Inventory on all Windows instances for a specific role. I found the CloudFormation schema, but any jump start would help.
sonali kumar
@v2sonk_twitter
Which is the latest release of Cloud Custodian?
3 replies
satvan23
@satvan23
Guys, trying to filter app-elb based on security group. My policy is below; I have an SG like that, but it does not show up.
policies:
  - name: elb-test
    resource: app-elb
    filters:
      - type: value
        key: groupId
        op: equal
        value:
          - sg-0038a9bc18a2da291
7 replies
satvan23
@satvan23
Guys, one of the actions is "invoke-lambda". As I understand it, this is "one-way" communication, and there is no way for the Lambda to send a result back to the c7n policy?
4 replies
Giulio Denardi
@gelouko

Hey guys, quick question

Checking the cross-account filters, I've realized that there is no whitelist for org units (just orgs)

I also couldn't find any issues on it.

Is there currently a way to filter cross-account and whitelist some OUs?

davyt10
@davyt10
Hi, CC newbie here. What architecture are people using for deploying CC into an AWS landing zone for managing resources across multiple accounts?
2 replies
trinaryouroboros
@trinaryouroboros
I have a Cloud Custodian question; maybe it's easy, but I can't seem to find documentation about it.
2 replies
I have a policy that looks for specific metrics on EFS volumes, but some of these volumes have no metrics at all, so there's no data to analyze. I'm aware that policies ignore things that don't have metrics, but how can I tell a policy to also filter on volumes that have no metrics at all, as these are likely unused?