@rubendob
Last active September 2, 2020 16:09
CloudCustodian Tagging Simple Policy - How to write a simple policy, execute it and report from the command line
tag.yml:

---
policies:
  - name: ec2-tag-policy
    resource: aws.ec2
    filters:
      - or:
        - "tag:Project": absent
        - "tag:Team": absent
rubendob commented Sep 2, 2020

Let's see how to execute this policy.

docker run -it -e AWS_ACCESS_KEY_ID="XXX" -e AWS_SECRET_ACCESS_KEY="XXX" -e AWS_DEFAULT_REGION="eu-west-1" -v $(pwd)/output:/home/custodian/output -v $(pwd)/tag.yml:/home/custodian/tag.yml  cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/tag.yml

The output will be something like:

2020-09-02 14:25:42,619: custodian.commands:DEBUG Loaded file /home/custodian/tag.yml. Contains 1 policies
2020-09-02 14:25:42,628: custodian.aws:DEBUG using default region:eu-west-1 from boto
2020-09-02 14:25:43,210: custodian.output:DEBUG Storing output with <LogFile file:///home/custodian/output/ec2-tag-policy/custodian-run.log>
2020-09-02 14:25:43,222: custodian.policy:DEBUG Running policy:ec2-tag-policy resource:aws.ec2 region:eu-west-1 c7n:0.9.4
2020-09-02 14:25:48,936: custodian.resources.ec2:DEBUG Filtered from 259 to 140 ec2
2020-09-02 14:25:48,939: custodian.policy:INFO policy:ec2-tag-policy resource:aws.ec2 region:eu-west-1 count:140 time:5.72
2020-09-02 14:25:48,995: custodian.output:DEBUG metric:ResourceCount Count:140 policy:ec2-tag-policy restype:aws.ec2 scope:policy
2020-09-02 14:25:48,996: custodian.output:DEBUG metric:ApiCalls Count:1 policy:ec2-tag-policy restype:aws.ec2

rubendob commented Sep 2, 2020

One thing we must remember is that the report subcommand only supports one kind of resource, not multiple.

docker run -it -e AWS_ACCESS_KEY_ID="XXX" -e AWS_SECRET_ACCESS_KEY="XXX"  -e AWS_DEFAULT_REGION="eu-west-1"    -v $(pwd)/output:/home/custodian/output  -v $(pwd)/tag.yml:/home/custodian/tag.yml    cloudcustodian/c7n report -v  -s /home/custodian/output /home/custodian/tag.yml --format grid

Here we can see there are at least 125 EC2 instances which are non-compliant based on the policy we have already written.

2020-09-02 06:34:39,307: custodian.cache:DEBUG Disabling cache
2020-09-02 06:34:39,307: custodian.commands:DEBUG Loaded file /home/custodian/tag.yml. Contains 1 policies
2020-09-02 06:34:39,315: custodian.aws:DEBUG using default region:eu-west-1 from boto
2020-09-02 06:34:39,922: custodian.reports:DEBUG Found 125 records for region eu-west-1
2020-09-02 06:34:39,923: custodian.reports:DEBUG Uniqued from 125 to 125

The command will return a grid when using the --format grid option:

+---------------------+---------------------+------------+----------------+---------------------------+--------------+--------------------+
| CustodianDate       | InstanceId          | tag:Name   | InstanceType   | LaunchTime                | VpcId        | PrivateIpAddress   |
+=====================+=====================+============+================+===========================+==============+====================+
| 2020-09-02 06:24:52 | i-0f9844406bd445144 | cXX-Cxx    | t2.xlarge      | 2019-07-30T08:58:46+00:00 | vpc-XXXXX    | 10.0.126.24        |
+---------------------+---------------------+------------+----------------+---------------------------+--------------+--------------------+
| 2020-09-02 06:24:52 | i-093b3167e7480edee | cXX-Cxx    | t2.xlarge      | 2019-09-20T20:24:53+00:00 | vpc-XXXX     | 10.0.123.104       |
+---------------------+---------------------+------------+----------------+---------------------------+--------------+--------------------+
| 2020-09-02 06:24:52 | i-09d1be7ed664c3a52 | cXX-Cxx    | m5d.4xlarge    | 2020-09-02T02:34:39+00:00 |              |                    |
+---------------------+---------------------+------------+----------------+---------------------------+--------------+--------------------+

More examples, this time of unused security groups:

+----------------------+---------------------------------------------------------------------------------+
| sg-5ed0843a          | jenkins                                                                         |
+----------------------+---------------------------------------------------------------------------------+
| sg-6c12b40b          | SecurityGroup-beta-HotTopicSecurityGroup-15IO0TW95X32Y                          |
+----------------------+---------------------------------------------------------------------------------+
| sg-c489a8a0          | SecurityGroup-prod-SolrSlaveELBSecurityGroup-MX76R697283I                       |
+----------------------+---------------------------------------------------------------------------------+
| sg-cbbff8ac          | Solr-UploadSuggester-beta-SolrUploadSuggesterSlaveELBSecurityGroup-YE1IBQV8Z4I5 |
+----------------------+---------------------------------------------------------------------------------+
| sg-d789a8b3          | SecurityGroup-prod-ChatDBSecurityGroup-VSGO10T7K3C2                             |
+----------------------+---------------------------------------------------------------------------------+
| sg-e989a88d          | SecurityGroup-prod-HotTopicSecurityGroup-19B90HBP1PWJK                          |
+----------------------+---------------------------------------------------------------------------------+
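The policy in the gist and the report in the comment above only tell you which instances fail; they do not say which of the two tags each one lacks. The script below is an added example, not part of the gist and not Cloud Custodian's own code: it re-implements the policy's `or` of two `tag:X: absent` filters in plain Python so the logic can be checked offline against constructed describe-instances records, and the same functions can be pointed at the `resources.json` that `custodian run -s <dir>` writes under `<dir>/<policy-name>/` (the file the `report` subcommand reads). The instance IDs and tags are constructed sample data; treating a tag with an empty value as present is an assumption, since `absent` is a check on the key rather than the value.

```python
"""Offline check of the gist's ec2-tag-policy against EC2 instance records.

Added example, not part of the gist: re-implements the policy's filter
(flag an instance when tag Project OR tag Team is absent) in plain Python.
Run with no arguments to use the constructed sample, or pass the path of a
resources.json written by `custodian run -s <dir>` under <dir>/<policy-name>/.
"""
import json
import sys
from collections import Counter

# The two "tag:X": absent filters joined by the policy's "or".
REQUIRED_TAGS = ("Project", "Team")

# Constructed sample records in describe-instances shape (fake IDs, not real hosts).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-00000000000000001", "InstanceType": "t2.xlarge",
     "Tags": [{"Key": "Name", "Value": "web-1"},
              {"Key": "Project", "Value": "shop"},
              {"Key": "Team", "Value": "platform"}]},
    {"InstanceId": "i-00000000000000002", "InstanceType": "t2.xlarge",
     "Tags": [{"Key": "Name", "Value": "web-2"},
              {"Key": "Project", "Value": "shop"}]},
    {"InstanceId": "i-00000000000000003", "InstanceType": "m5d.4xlarge",
     "Tags": []},
    # Untagged instances can come back with no "Tags" key at all.
    {"InstanceId": "i-00000000000000004", "InstanceType": "t3.micro"},
    # Assumption: an empty tag value still counts as present, because
    # "absent" is a check on the key, not the value.
    {"InstanceId": "i-00000000000000005", "InstanceType": "t3.micro",
     "Tags": [{"Key": "Project", "Value": ""},
              {"Key": "Team", "Value": "data"}]},
]


def tags_of(instance):
    """Return the instance's tags as a dict; a missing or null Tags list means no tags."""
    return {t["Key"]: t.get("Value", "") for t in instance.get("Tags") or []}


def missing_tags(instance, required=REQUIRED_TAGS):
    """List the required tag keys the instance does not carry."""
    present = tags_of(instance)
    return [key for key in required if key not in present]


def non_compliant(instances, required=REQUIRED_TAGS):
    """Mirror the policy's 'or' filter: keep instances missing any required tag."""
    return [inst for inst in instances if missing_tags(inst, required)]


def summarize(instances, required=REQUIRED_TAGS):
    """Per-tag breakdown the grid report does not show: how many instances lack each tag."""
    failing = non_compliant(instances, required)
    counts = Counter()
    for inst in failing:
        counts.update(missing_tags(inst, required))
    return {
        "total": len(instances),
        "non_compliant": len(failing),
        "missing": {key: counts.get(key, 0) for key in required},
    }


def load_resources(path):
    """Load a resources.json (a JSON list of resource records) from a custodian output dir."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python check_tags.py [output/ec2-tag-policy/resources.json]
    records = load_resources(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INSTANCES
    for inst in non_compliant(records):
        print(inst["InstanceId"], "missing:", ",".join(missing_tags(inst)))
    print(json.dumps(summarize(records), indent=2))
```

Against the sample, instances 2, 3 and 4 are flagged, and the summary reports Project missing on 2 of them and Team missing on 3. Pointing it at the `resources.json` produced by the `custodian run` in the first comment gives the same per-tag breakdown for the 140 instances the policy matched.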
