How do I execute a policy on creation, in addition to the criteria of the mode parameter?
Goal: I have an AWS account with a large number of ‘lost and forgotten’ resources which are accruing unnecessary costs. I’m looking to deploy a policy that will enforce some configuration options to better monitor our resources. Ideally, we can deploy a policy that will:
- Evaluate the compliance status of all existing resources
- Evaluate the compliance status of all new/modified resources
Step 2 is handled by the example policy below with the config-rule mode. But I’m unsure how to achieve step 1.
```yaml
policies:
  - name: my-first-policy
    mode:
      type: config-rule
      role: arn:aws:iam::123456789012:role/some-role
    resource: ec2
    filters:
      - "tag:Custodian": present
    actions:
      - stop
```
AWS Config rules have an action option to re-evaluate, which will evaluate all existing resources (of the specified type). Is there a way to have new policies do an initial full evaluation upon deployment, and then run in accordance with the specified mode?
Top GitHub Comments
Generally speaking, provisioning or updating a config rule through any provisioning mechanism doesn’t trigger whole extant set evaluation; that’s an after-deploy manual step that can be achieved through the API or console. I.e. using Custodian here is no different than using Terraform or CloudFormation, etc. for config-rule provisioning. I.e. you can do it, but then you have to do the work as a post-deployment step, i.e. per your example c7n-org commands.
What I’m trying to raise re the simple answer is that the particular issue you’re raising is specific to AWS Config rule mode; if you use the default poll mode on your policy, you’ll have whole-fleet evaluation of a resource type during execution. So it’s partly a question of starting with the why… why is using Config important? But perhaps that’s not material if you’ve got a workaround re using Config.
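The post-deployment step the maintainer describes (asking AWS Config to evaluate every existing resource once, after the config-rule mode policy is deployed), as an added example that is not part of the thread or of Cloud Custodian. It assumes Custodian names its Config rules `custodian-<policy-name>` (the prefix is a parameter), takes any boto3-compatible Config client so it can be run against a constructed fake client offline, and batches names to the 25-per-call limit of StartConfigRulesEvaluation.

```python
# Hypothetical post-deployment helper, not part of Cloud Custodian: AWS Config
# evaluates a config-rule mode policy only on resource changes, so we ask it to
# evaluate every existing resource once via StartConfigRulesEvaluation.
# Assumes Custodian names its rules "custodian-<policy-name>" (prefix is a parameter).

def list_custodian_rules(config, prefix="custodian-"):
    """ACTIVE Config rule names starting with prefix, following NextToken pages."""
    names, kwargs = [], {}
    while True:
        page = config.describe_config_rules(**kwargs)
        for rule in page.get("ConfigRules", []):
            name = rule["ConfigRuleName"]
            if name.startswith(prefix) and rule.get("ConfigRuleState") == "ACTIVE":
                names.append(name)
        token = page.get("NextToken")
        if not token:
            return names
        kwargs = {"NextToken": token}

def start_initial_evaluation(config, prefix="custodian-", batch_size=25):
    """Request a full evaluation of every matching rule, max 25 names per API call."""
    names = list_custodian_rules(config, prefix)
    batches = [names[i:i + batch_size] for i in range(0, len(names), batch_size)]
    for batch in batches:
        config.start_config_rules_evaluation(ConfigRuleNames=batch)
    return batches

class FakeConfigClient:
    """Constructed stand-in for boto3.client("config") so this runs offline."""

    def __init__(self, rules):
        self._rules = rules
        self.calls = []  # ConfigRuleNames lists that were submitted

    def describe_config_rules(self, NextToken=None):
        # Emulate pagination: first page returns one rule plus a NextToken.
        if NextToken is None:
            return {"ConfigRules": self._rules[:1], "NextToken": "page-2"}
        return {"ConfigRules": self._rules[1:]}

    def start_config_rules_evaluation(self, ConfigRuleNames):
        self.calls.append(list(ConfigRuleNames))
        return {}

SAMPLE_RULES = [  # constructed sample; real use: boto3.client("config")
    {"ConfigRuleName": "custodian-my-first-policy", "ConfigRuleState": "ACTIVE"},
    {"ConfigRuleName": "custodian-old-policy", "ConfigRuleState": "DELETING"},
    {"ConfigRuleName": "securityhub-rule", "ConfigRuleState": "ACTIVE"},
]
print(start_initial_evaluation(FakeConfigClient(SAMPLE_RULES)))  # [['custodian-my-first-policy']]
```

Rules in DELETING state and rules not created by Custodian are skipped; with a real client the IAM principal needs config:DescribeConfigRules and config:StartConfigRulesEvaluation.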
@kapilt I’m not sure I understand the alternatives you’ve presented. I’m working off the list of modes from https://cloudcustodian.io/docs/aws/aws-modes.html. Are you suggesting to trigger Config off of specific API calls (such as using `mode: cloudtrail`)? If you’d be able to point me to the relevant documentation, that’d be fantastic.