
How do I execute a policy on creation, in addition to the criteria of the mode parameter?


Goal: I have an AWS account with a large number of ‘lost and forgotten’ resources which are accruing unnecessary costs. I’m looking to deploy a policy that will enforce some configuration options to better monitor our resources. Ideally, we can deploy a policy that will:

  1. Evaluate the compliance status of all existing resources
  2. Evaluate the compliance status of all new/modified resources

Step 2 is handled by the example policy below with the config-rule mode. But I’m unsure how to achieve step 1.

policies:
  - name: my-first-policy
    mode:
      type: config-rule
      role: arn:aws:iam::123456789012:role/some-role
    resource: ec2
    filters:
      - "tag:Custodian": present
    actions:
      - stop

AWS Config rules have an action option to re-evaluate, which will evaluate all existing resources (of the specified type). Is there a way to have new policies do an initial full evaluation upon deployment, and then run in accordance with the specified mode?


Top GitHub Comments

kapilt commented, Mar 30, 2021 (1 reaction)

Generally speaking, provisioning or updating a config rule through any provisioning mechanism doesn't trigger whole extant set evaluation; that's an after-deploy manual step that can be achieved through the API or console. I.e. using Custodian here is no different than using Terraform or CloudFormation, etc. for config-rule provisioning. I.e. you can do it, but then you have to do the work as a post-deployment step, i.e. per your example c7n-org commands.

What I'm trying to raise re the simple answer is that the particular issue you're raising is specific to AWS Config rule mode; if you use the default poll mode on your policy, you'll have whole-fleet evaluation of a resource type during execution. So it's partly a question of start with the why... why is using Config important? But perhaps that's not material if you've got a workaround re using Config.
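The two options discussed in the thread, as an added example that is not part of the issue or of Cloud Custodian's own tooling: the issue's config-rule policy followed by the manual post-deployment re-evaluation step, beside a default-mode twin that uses Config as its data source. It assumes the custodian and aws CLIs are installed with credentials, and that Custodian names the Config rule it provisions "custodian-<policy name>"; that naming is an assumption to confirm with `aws configservice describe-config-rules`.

```shell
# Added example, not from the issue or from Cloud Custodian itself. Assumes the
# custodian and aws CLIs are installed with credentials, and that Custodian names
# the Config rule it provisions "custodian-<policy name>" (an assumption; confirm
# with `aws configservice describe-config-rules`).
set -eu
# Constructed policy file: the issue's config-rule policy (new/changed resources
# only) beside a default-mode twin using Config as its data source, which
# evaluates the whole fleet on every run (the maintainer's alternative).
write_sample_policies() {
  cat > "$1" <<'EOF'
policies:
  - name: my-first-policy
    mode:
      type: config-rule
      role: arn:aws:iam::123456789012:role/some-role
    resource: ec2
    filters:
      - "tag:Custodian": present
    actions:
      - stop
  - name: my-first-policy-full-scan
    resource: ec2
    source: config
    filters:
      - "tag:Custodian": present
    actions:
      - stop
EOF
}
# Config rule name Custodian provisions for a policy name (assumed convention).
config_rule_name() { printf 'custodian-%s\n' "$1"; }
# Names of policies whose mode type is config-rule (line scan of block YAML).
config_rule_policies() {
  awk '/^ *- name:/ { name = $3 } /^ *type: *config-rule/ { print name }' "$1"
}
# Post-deployment step from the thread: once custodian run has provisioned the
# rule, ask Config to evaluate all existing resources of the type against it.
reevaluate_existing() {
  for policy in $(config_rule_policies "$1"); do
    aws configservice start-config-rules-evaluation \
      --config-rule-names "$(config_rule_name "$policy")"
  done
}
if [ "${1:-}" = "deploy" ]; then
  write_sample_policies policy.yml
  custodian run -s out policy.yml   # provisions the rule and its lambda
  reevaluate_existing policy.yml    # one-off evaluation of existing resources
fi
```

Run it with the `deploy` argument to provision and then trigger the one-off evaluation; without arguments it only defines the helpers.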

Richard-Hansen commented, Mar 30, 2021 (0 reactions)

The simple answer is not using mode: config-rule 😉 This isn't an issue in our default modes, either using describe APIs, or using Config as a data source like source: config, which avoids the issues of having to trigger Config to re-evaluate. I.e. this issue is in part by using a mode not appropriate to the use case.

WRT config rule mode, the issue with the re-evaluate option is that it's hard to know when to do it. ATM we can re-upload/change on policy change or code change, but that's technically to the underlying lambda, not the event source; we either should do it by default or not at all AFAICS, or a la document user responsibility. I.e. the problem with adding an option on config-rule mode here is how a user is supposed to know if they need to do it, and in which circumstances.

@kapilt I'm not sure I understand the alternatives you've presented. I'm working off the list of modes from https://cloudcustodian.io/docs/aws/aws-modes.html. Are you suggesting to trigger Config off of specific API calls (such as using mode: cloudtrail)?

If you’d be able to point me to the relevant documentation, that’d be fantastic.
