aws - [ERROR] KeyError: 'name' - CodePipeline Custodian Policies with mode Config-rule fails
Describe the bug
After deploying the CodePipeline Tag Compliance policy and the Artifact Store Encryption key check policy with config-rule mode in the AWS environment, I am encountering the error listed below:
Note: The error is the same in both policies' logs.
[ERROR] KeyError: 'name'
Traceback (most recent call last):
  File "/var/task/custodian_policy.py", line 4, in run
    return handler.dispatch_event(event, context)
  File "/var/task/c7n/handler.py", line 166, in dispatch_event
    p.push(event, context)
  File "/var/task/c7n/policy.py", line 1138, in push
    return mode.run(event, lambda_ctx)
  File "/var/task/c7n/policy.py", line 854, in run
    resources = super(ConfigRuleMode, self).run(event, lambda_context)
  File "/var/task/c7n/policy.py", line 442, in run
    resources = self.policy.resource_manager.filter_resources(
  File "/var/task/c7n/manager.py", line 112, in filter_resources
    resources = f.process(resources, event)
  File "/var/task/c7n/filters/core.py", line 325, in process
    sweeper = AnnotationSweeper(self.get_resource_type_id(), resources)
  File "/var/task/c7n/filters/core.py", line 383, in __init__
    ra_map[r[id_key]] = {k: v for k, v in r.items() if k.startswith('c7n')}
The config rules created for both checks through these policies show "No resources in scope".
To Reproduce
1. Deploy this CloudFormation template to create a CodePipeline. codepipeline-codecommit-events-yaml.yaml.zip SampleApp_Linux.zip
2. Deploy the policy in your account and check your config rule and CloudFormation logs.
Note: Change the account number and role name.
Expected behavior
On successful execution of the policy, the config rule should flag the Code pipelines with missing required tags as non-compliant resources.
Background (please complete the following information):
- Python Version: 3.8.5
- Custodian Version: 0.9.7
- Cloud Provider: AWS
- Policy: [please exclude any account/sensitive information]
Tag Compliance
---
policies:
  - name: d-codepipeline-missing-tags-1
    resource: aws.codepipeline
    description: >
      Type: Config Rule|
      Compliance: Codepipeline missing tags
    mode:
      type: config-rule
      role: "arn:aws:iam::<acc_number>:role/<role_name>"
      timeout: 200
    filters:
      - or:
          - tag:abc: absent
          - tag:def: absent
          - tag:efg: absent
          - tag:__dwf: absent
ArtifactStore Encryption Key Check
---
policies:
  - name: d-codepipeline-encryption-2
    resource: aws.codepipeline
    description: >
      Type: Config Rule|
      Compliance: Codepipeline not encrypted
    mode:
      type: config-rule
      role: "arn:aws:iam::<account_numer>:role/<role_name>"
      timeout: 200
    filters:
      - type: value
        key: artifactStore.encryptionKey
        value: absent
      - tag:__CPEncryption: absent
Here are the CloudWatch log files for both policies' Lambda executions. CodePipelineEncryptionKeyCheckCWLogs.docx CodePipelineTagComplianeCWLogs.docx
Additional context
Custodian: 0.9.7
Python: 3.8.5 (default, Jul 21 2020, 10:42:08) [Clang 11.0.0 (clang-1100.0.33.17)]
Platform: posix.uname_result(sysname='Darwin', nodename='f8ffc201b550.ant.amazon.com', release='18.7.0', version='Darwin Kernel Version 18.7.0: Mon Aug 31 20:53:32 PDT 2020; root:xnu-4903.278.44~1/RELEASE_X86_64', machine='x86_64')
Using venv: True
Docker: False
Installed:
argcomplete==1.12.1
attrs==20.2.0
boto3==1.16.10
botocore==1.19.10
importlib-metadata==1.7.0
jmespath==0.10.0
jsonpickle==1.3
jsonschema==3.2.0
pyrsistent==0.17.3
python-dateutil==2.8.1
pyyaml==5.3.1
s3transfer==0.3.3
setuptools==47.1.0
six==1.15.0
tabulate==0.8.7
urllib3==1.25.11
zipp==3.4.0
Issue Analytics
- State:
- Created 3 years ago
- Comments:5
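The last frame of the traceback fails on `r[id_key]`, which means at least one resource dict reaching the filter has no top-level `name` key. The Python sketch below is an added example, not Cloud Custodian code and not part of the original issue: it mirrors that statement and adds a check that lists which resources lack the key. The helper names and both sample resource dicts are constructed for illustration.

```python
# Added illustration; not Cloud Custodian source. All sample data is constructed.

def build_annotation_map(id_key, resources):
    """Mirror of the statement shown in the traceback (c7n/filters/core.py, line 383)."""
    ra_map = {}
    for r in resources:
        # Raises KeyError(id_key) as soon as one resource lacks the id key.
        ra_map[r[id_key]] = {k: v for k, v in r.items() if k.startswith('c7n')}
    return ra_map


def resources_missing_id(id_key, resources):
    """Return (index, sorted top-level keys) for every resource lacking id_key."""
    return [(i, sorted(r)) for i, r in enumerate(resources) if id_key not in r]


def triage(id_key, resources):
    """Build the map when every resource has id_key; otherwise report the gaps."""
    missing = resources_missing_id(id_key, resources)
    if missing:
        return {"ok": False, "id_key": id_key, "missing": missing}
    return {"ok": True, "map": build_annotation_map(id_key, resources)}


# Constructed samples. WITHOUT_NAME is hypothetical: it only stands in for
# "a resource dict with no top-level 'name' key", which the KeyError implies.
WITH_NAME = {
    "name": "pipeline-a",
    "artifactStore": {"type": "S3"},
    "c7n:MatchedFilters": ["tag:abc"],
}
WITHOUT_NAME = {"pipeline": {"name": "pipeline-b"}, "Tags": []}

if __name__ == "__main__":
    print(triage("name", [WITH_NAME]))
    print(triage("name", [WITH_NAME, WITHOUT_NAME]))
    try:
        build_annotation_map("name", [WITH_NAME, WITHOUT_NAME])
    except KeyError as exc:
        print("KeyError:", exc)
```

Listing the top-level keys of the offending resource shows what shape actually arrived in the config-rule invocation, which is the detail to include when reporting the defect.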
Top GitHub Comments
@kapilt - Hey Kapil, these issues are similar to https://github.com/cloud-custodian/cloud-custodian/issues/6176 which you have already resolved. Could you please take a look at this as well?
Config Service Team Developer has reproduced the issue and agrees a defect exists