c7n-org not deleting snapshots

Describe the bug

I have this rule:

policies:
  - name: ebs-snapshots-90-days-old
    resource: ebs-snapshot
    comment: Delete old EBS snapshots
    filters:
      - type: age
        days: 90
        op: ge
    conditions:
      - type: value
        key: account_id
        op: in
        value:
          - "1111111111111" # monolith-production
    actions:
      - delete

In my entrypoint:

python3 /orgaccounts.py --role "arn:aws:iam::{Id}:role/cloud-custodian" -f accounts.yml -a
c7n-org run --debug -c accounts.yml -s output -u /tmp/custodian.yml

It's generating the accounts.yml perfectly:

accounts:
- account_id: '22222222222'
  display_name: security
  email: redact
  name: security
  org_id: o-9xlgluoje3
  role: arn:aws:iam::22222222222:role/cloud-custodian
- account_id: '1111111111'
  display_name: monolith-production
  email: redact
  name: monolith-production
  org_id: o-9xlgluoje3
  role: arn:aws:iam::1111111111:role/cloud-custodian

It runs from account 22222222222

Output from the container:

2021-10-26 00:36:52,456: c7n_org:INFO Ran account:monolith-production region:us-east-1 policy:ebs-snapshots-90-days-old matched:1 time:7.65
2021-10-26 00:36:52,843: c7n_org:INFO Ran account:monolith-production region:us-east-1 policy:nifi-ebs-snapshots-14-days-old matched:1 time:8.04

However, it's not deleting the snapshot despite finding it. It's not an IAM issue; this is working in non-org (regular c7n), but won't work when I migrate the YAML to work from c7n-org.

What did you expect to happen?

Would delete the found snapshots

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

c7n-org==0.6.10 which bundles c7n latest

Policy

above

Relevant log/traceback output

above

Extra information or context

Works as normal c7n without role assumption; does not work in c7n despite many other policies working (all mode:cloudtrail and mode:rate work great in this setup).

I added -v --debug but it didn't add any helpful logs, only a whole lot of DEBUGs for it not deploying this to other accounts.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 11 (11 by maintainers)

Top GitHub Comments

2 reactions
myoung34 commented, Oct 26, 2021

@ajkerrigan that got it 🤦

2021-10-26 17:34:44,985 - custodian.ebs - INFO - Deleting 1 snapshots, auto-filtered 0 ami-snapshots

Thanks!

1 reaction
myoung34 commented, Oct 26, 2021

As for cloudtrail there is nada
