# C7n Community Meeting Minutes
# June 21st 2022

:::info
- **URL:** meet.google.com/mii-evqh-esh
- **Date:** June 21st, 2022 (2:00 PM (ET) / 11:00 PM (PT) / 6PM (UTC))
- **[Timezone Converter (Click me)](https://www.timeanddate.com/worldclock/converter.html?iso=20220621T180000&p1=263&p2=224&p3=136&p4=37&p5=367&p6=438&p7=248&p8=22)**
- **Agenda**
    1. Intros `10m`
    1. Agenda Items `20m`
    1. PR Party `30m`
- **Meeting Contact:** Jorge: <jorge@stacklet.io>
- **Video Archive and Transcripts**: https://mtngs.io/cloud-custodian/community-meetings/
:::

[![Video Recording](https://img.youtube.com/vi/KT0gsA8svnI/0.jpg)](https://youtu.be/KT0gsA8svnI)

## Agenda Item

- Intros, etc.
- Cloud Custodian Workshop at SCaLE 19x
    - July 28th, Hilton LAX, Los Angeles
    - [Schedule link](https://www.socallinuxexpo.org/scale/19x/presentations/workshop-getting-started-cloud-custodian)
- Release Discussion
    - 14th is 2nd Tuesday of this month
    - AJ has released c7n 0.9.17.0
    - Here's the video:
        - [![Video Recording of the Release Process](https://img.youtube.com/vi/J5FQq_6VUL4/0.jpg)](https://youtu.be/J5FQq_6VUL4)
    - And here is the [checklist for doing a c7n release](https://github.com/cloud-custodian/cloud-custodian/discussions/7509)
        - This document is not useful for most people and we're automating the process, but posting it anyway for the record.

## Weekly Stats

| | Opened this week | Closed this week |
|--|---|-----|
| Issues | 13 | 100 |
| PR's | 30 | 28 |

| | |
|--|--|
| New stars | 25 |
| New forks | 1 |

## Questions looking for eyeballs

Please take a look at some of [these discussions](https://github.com/cloud-custodian/cloud-custodian/discussions) and see if you can help out:

* [c7n-mailer: Custodian Mailer Error](https://github.com/cloud-custodian/cloud-custodian/discussions/7501)
* [Can you make a tag mandatory provided another tag key/value exists](https://github.com/cloud-custodian/cloud-custodian/discussions/7483)
* [Lack of gcp-periodic mode examples](https://github.com/cloud-custodian/cloud-custodian/discussions/7497)

Add a `:boom:` on items you'd like to discuss in depth:

* :boom: Shiney: https://github.com/cloud-custodian/cloud-custodian/issues/7219

## PR's Opened

* :boom: [#7500](https://github.com/cloud-custodian/cloud-custodian/pull/7500): Config poll rule fix
* [#7499](https://github.com/cloud-custodian/cloud-custodian/pull/7499): aws-cross-az-nat-gw-filter
* :boom: [#7498](https://github.com/cloud-custodian/cloud-custodian/pull/7498): gcp - gcp-periodic - trigger type is http, fix for delta_resource, require service-account
* :boom: [#7495](https://github.com/cloud-custodian/cloud-custodian/pull/7495): aws - wafv2 - cloudfront's update distribution need webacl ARN.
* :boom: [#7494](https://github.com/cloud-custodian/cloud-custodian/pull/7494): tools/c7n-org - warn and continue when failing to resolve regions
* [#7493](https://github.com/cloud-custodian/cloud-custodian/pull/7493): aws - ssm-data-sync - update id, name and arn_type
* :boom: [#7492](https://github.com/cloud-custodian/cloud-custodian/pull/7492): releng - 0.9.17.0 release prep
* [#7491](https://github.com/cloud-custodian/cloud-custodian/pull/7491): aws - cloudfront - update formatting for post-finding
* [#7490](https://github.com/cloud-custodian/cloud-custodian/pull/7490): aws - wafv2 - minor fix to remove unwanted logging
* [#7489](https://github.com/cloud-custodian/cloud-custodian/pull/7489): aws - iam-group - add set-policy action
* [#7488](https://github.com/cloud-custodian/cloud-custodian/pull/7488): aws - route filter
* [#7487](https://github.com/cloud-custodian/cloud-custodian/pull/7487): tools/cask - dependency updates
* [#7486](https://github.com/cloud-custodian/cloud-custodian/pull/7486): aws - cloudfront - recursively merge config during set-attributes
* [#7485](https://github.com/cloud-custodian/cloud-custodian/pull/7485): aws - s3 - fix: handle configure-lifecycle action when lifecycle doesn't exist
* [#7482](https://github.com/cloud-custodian/cloud-custodian/pull/7482): aws - remove lakeformation resource
* [#7481](https://github.com/cloud-custodian/cloud-custodian/pull/7481): aws - subnet filter - public option for igw route checking
* [#7477](https://github.com/cloud-custodian/cloud-custodian/pull/7477): Filter for efs_mount_target_public_subnet
* [#7476](https://github.com/cloud-custodian/cloud-custodian/pull/7476): aws - account - support config poll rule evaluations
* [#7475](https://github.com/cloud-custodian/cloud-custodian/pull/7475): aws - fis experiment template resource
* [#7473](https://github.com/cloud-custodian/cloud-custodian/pull/7473): aws.elb | remove-tag to take in a list of tags for removal
* [#7466](https://github.com/cloud-custodian/cloud-custodian/pull/7466): aws - sqs - deadletter filter
* :boom: [#7465](https://github.com/cloud-custodian/cloud-custodian/pull/7465): feat: support policy interpolation with environment variables
* [#7464](https://github.com/cloud-custodian/cloud-custodian/pull/7464): aws-create filter for cross-az-nat-gateway-route from vpc route table
* [#7460](https://github.com/cloud-custodian/cloud-custodian/pull/7460): AWS - Workspaces - Create filter for workspaces directory connection aliases
* [#7310](https://github.com/cloud-custodian/cloud-custodian/pull/7310): AWS - IAM - Update cross account filter to evaluate service principals
* [#7308](https://github.com/cloud-custodian/cloud-custodian/pull/7308): Link to discussions instead of using issue templates
* [#7307](https://github.com/cloud-custodian/cloud-custodian/pull/7307): aws - metrics - ensure that period is an even number of hours
* [#7280](https://github.com/cloud-custodian/cloud-custodian/pull/7280): aws - cloudsearch Added enable-https action
* [#7279](https://github.com/cloud-custodian/cloud-custodian/pull/7279): Added enable-https action for cloudsearch.
* [#7278](https://github.com/cloud-custodian/cloud-custodian/pull/7278): Bump pyjwt from 1.7.1 to 2.4.0 in /tools/c7n_azure

## PR's Closed

* [#7495](https://github.com/cloud-custodian/cloud-custodian/pull/7495): aws - wafv2 - cloudfront's update distribution need webacl ARN.
* [#7494](https://github.com/cloud-custodian/cloud-custodian/pull/7494): tools/c7n-org - warn and continue when failing to resolve regions
* [#7493](https://github.com/cloud-custodian/cloud-custodian/pull/7493): aws - ssm-data-sync - update id, name and arn_type
* [#7492](https://github.com/cloud-custodian/cloud-custodian/pull/7492): releng - 0.9.17.0 release prep
* [#7491](https://github.com/cloud-custodian/cloud-custodian/pull/7491): aws - cloudfront - update formatting for post-finding
* [#7490](https://github.com/cloud-custodian/cloud-custodian/pull/7490): aws - wafv2 - minor fix to remove unwanted logging
* [#7489](https://github.com/cloud-custodian/cloud-custodian/pull/7489): aws - iam-group - add set-policy action
* [#7487](https://github.com/cloud-custodian/cloud-custodian/pull/7487): tools/cask - dependency updates
* [#7486](https://github.com/cloud-custodian/cloud-custodian/pull/7486): aws - cloudfront - recursively merge config during set-attributes
* [#7485](https://github.com/cloud-custodian/cloud-custodian/pull/7485): aws - s3 - fix: handle configure-lifecycle action when lifecycle doesn't exist
* [#7482](https://github.com/cloud-custodian/cloud-custodian/pull/7482): aws - remove lakeformation resource
* [#7481](https://github.com/cloud-custodian/cloud-custodian/pull/7481): aws - subnet filter - public option for igw route checking
* [#7477](https://github.com/cloud-custodian/cloud-custodian/pull/7477): Filter for efs_mount_target_public_subnet
* [#7476](https://github.com/cloud-custodian/cloud-custodian/pull/7476): aws - account - support config poll rule evaluations
* [#7475](https://github.com/cloud-custodian/cloud-custodian/pull/7475): aws - fis experiment template resource
* [#7473](https://github.com/cloud-custodian/cloud-custodian/pull/7473): aws.elb | remove-tag to take in a list of tags for removal
* [#7466](https://github.com/cloud-custodian/cloud-custodian/pull/7466): aws - sqs - deadletter filter
* [#7464](https://github.com/cloud-custodian/cloud-custodian/pull/7464): aws-create filter for cross-az-nat-gateway-route from vpc route table
* [#7308](https://github.com/cloud-custodian/cloud-custodian/pull/7308): Link to discussions instead of using issue templates
* [#7280](https://github.com/cloud-custodian/cloud-custodian/pull/7280): aws - cloudsearch Added enable-https action
* [#7279](https://github.com/cloud-custodian/cloud-custodian/pull/7279): Added enable-https action for cloudsearch.
* [#7278](https://github.com/cloud-custodian/cloud-custodian/pull/7278): Bump pyjwt from 1.7.1 to 2.4.0 in /tools/c7n_azure
* [#7277](https://github.com/cloud-custodian/cloud-custodian/pull/7277): aws - wafv2 support for ELB, APIGateway and CloudFront resources
* [#7275](https://github.com/cloud-custodian/cloud-custodian/pull/7275): aws - ebs - preserve tags across encrypt-instance-volumes action
* [#7269](https://github.com/cloud-custodian/cloud-custodian/pull/7269): releng - bump jmespath version for c7n-azure
* [#7227](https://github.com/cloud-custodian/cloud-custodian/pull/7227): AWS - Workspaces - Add deregister action
* [#7222](https://github.com/cloud-custodian/cloud-custodian/pull/7222): aws - rds - add engine filter
* [#7216](https://github.com/cloud-custodian/cloud-custodian/pull/7216): releng - specify subprojects as dev dependencies

## Issues Opened

* [#7503](https://github.com/cloud-custodian/cloud-custodian/issues/7503): How to use mutiple op values together with regex
* [#7502](https://github.com/cloud-custodian/cloud-custodian/issues/7502): c7n-mailer: Custodian Mailer Error
* [#7496](https://github.com/cloud-custodian/cloud-custodian/issues/7496): AWS Elasticsearch - Add update-domain-config action
* [#7484](https://github.com/cloud-custodian/cloud-custodian/issues/7484): aws.iam-group - add set policy action
* [#7480](https://github.com/cloud-custodian/cloud-custodian/issues/7480): S3 bucket configure-lifecycle action
* [#7478](https://github.com/cloud-custodian/cloud-custodian/issues/7478): c7n-org AssumeRole AccessDenied error handling when using "all" region keyword
* [#7471](https://github.com/cloud-custodian/cloud-custodian/issues/7471): Add AWS Connect resource to Cloud custodian
* [#7470](https://github.com/cloud-custodian/cloud-custodian/issues/7470): Using `config-rule` mode with `aws.kinesis` resource results in `KeyError: 'StreamName'`
* [#7467](https://github.com/cloud-custodian/cloud-custodian/issues/7467): EDUCATION SECTOR
* [#7463](https://github.com/cloud-custodian/cloud-custodian/issues/7463): Add a way to filter out dead-letter-queues from list of SQS queues
* [#7462](https://github.com/cloud-custodian/cloud-custodian/issues/7462): Allow config-poll-rules to support resources without a CFN template
* [#7459](https://github.com/cloud-custodian/cloud-custodian/issues/7459): Add filter for Workspaces directories based on existence of connection aliases
* [#7309](https://github.com/cloud-custodian/cloud-custodian/issues/7309): c7n-org cannot deploy policies in multiple account same error occurring

## Issues Closed

* [#7484](https://github.com/cloud-custodian/cloud-custodian/issues/7484): aws.iam-group - add set policy action
* [#7480](https://github.com/cloud-custodian/cloud-custodian/issues/7480): S3 bucket configure-lifecycle action
* [#7478](https://github.com/cloud-custodian/cloud-custodian/issues/7478): c7n-org AssumeRole AccessDenied error handling when using "all" region keyword
* [#7467](https://github.com/cloud-custodian/cloud-custodian/issues/7467): EDUCATION SECTOR
* [#7463](https://github.com/cloud-custodian/cloud-custodian/issues/7463): Add a way to filter out dead-letter-queues from list of SQS queues
* [#7462](https://github.com/cloud-custodian/cloud-custodian/issues/7462): Allow config-poll-rules to support resources without a CFN template
* [#7309](https://github.com/cloud-custodian/cloud-custodian/issues/7309): c7n-org cannot deploy policies in multiple account same error occurring
* [#7276](https://github.com/cloud-custodian/cloud-custodian/issues/7276): Setting up Docker Custodian
* [#7253](https://github.com/cloud-custodian/cloud-custodian/issues/7253): AWS China Lambda Not Triggering
* [#7247](https://github.com/cloud-custodian/cloud-custodian/issues/7247): [GCP] sourcerepo resource type fails to scan
* [#7245](https://github.com/cloud-custodian/cloud-custodian/issues/7245): Where can I find docs for all types of keys that I can use in my policies?
* [#7233](https://github.com/cloud-custodian/cloud-custodian/issues/7233): What permissions/roles does cloud-custodian require for each cloud type?
* [#7211](https://github.com/cloud-custodian/cloud-custodian/issues/7211): c7n-org crashing when it hits an account not authorized
* [#7208](https://github.com/cloud-custodian/cloud-custodian/issues/7208): Add `deprecated` option to RDS `upgrade-available` filter
* [#7204](https://github.com/cloud-custodian/cloud-custodian/issues/7204): Custodian policy for S3 buckets which are unused
* [#7202](https://github.com/cloud-custodian/cloud-custodian/issues/7202): Generate docs from the awscc provider
* [#7201](https://github.com/cloud-custodian/cloud-custodian/issues/7201): Keep track of resources that Cloud Custodian removes due to violations?
* [#7199](https://github.com/cloud-custodian/cloud-custodian/issues/7199): One lambda function multiple ec2 instance stop automatically different time cron scheduler possible ?
* [#7195](https://github.com/cloud-custodian/cloud-custodian/issues/7195): Filter on EC2s in public subnet
* [#7187](https://github.com/cloud-custodian/cloud-custodian/issues/7187): Security Group Ingress Rule Policy Does Not Scan Other Regions But us-east-1
* [#7180](https://github.com/cloud-custodian/cloud-custodian/issues/7180): External IDs when run cross-account audit policy
* [#7179](https://github.com/cloud-custodian/cloud-custodian/issues/7179): using cross account eventbridge
* [#7178](https://github.com/cloud-custodian/cloud-custodian/issues/7178): Search for more specific AWS unused policies
* [#7176](https://github.com/cloud-custodian/cloud-custodian/issues/7176): Check Load balancers for CIDR range
* [#7169](https://github.com/cloud-custodian/cloud-custodian/issues/7169): AWS ssm-data-sync resource has id mapped incorrectly to 'DataSync' when it should be 'SyncName'
* [#7164](https://github.com/cloud-custodian/cloud-custodian/issues/7164): alert on changed items
* [#7136](https://github.com/cloud-custodian/cloud-custodian/issues/7136): c7n-org for AWS no longer recording account tags and vars to resources.json
* [#7124](https://github.com/cloud-custodian/cloud-custodian/issues/7124): GCP saving resource details to GCS bucket
* [#7123](https://github.com/cloud-custodian/cloud-custodian/issues/7123): Cloudcustodian as a wrapper around ansible
* [#7119](https://github.com/cloud-custodian/cloud-custodian/issues/7119): GCP c7n-org with resource gcp.project and iam-policy filter runs against all projects in org when single project is specified
* [#7096](https://github.com/cloud-custodian/cloud-custodian/issues/7096): Adding varible to GCP action URL
* [#7095](https://github.com/cloud-custodian/cloud-custodian/issues/7095): Question: Add tag to custodian lambda function
* [#7085](https://github.com/cloud-custodian/cloud-custodian/issues/7085): C7n email policy action to email calculated from iam resource[username]
* [#7067](https://github.com/cloud-custodian/cloud-custodian/issues/7067): AWS.ECS-SERVICE Resize operation
* [#7054](https://github.com/cloud-custodian/cloud-custodian/issues/7054): Add ability for a policy to say if it is restricted to some regions
* [#7045](https://github.com/cloud-custodian/cloud-custodian/issues/7045): c7n-org: Nothing gets executed when specifying "-t" / "--tags" multiple times.
* [#7039](https://github.com/cloud-custodian/cloud-custodian/issues/7039): Use of md5 which is an unsecure hash algorithm
* [#7035](https://github.com/cloud-custodian/cloud-custodian/issues/7035): AWS.EKS onhour/offhour filtering
* [#7034](https://github.com/cloud-custodian/cloud-custodian/issues/7034): How to delete azure image if it not tagged in 24 hours from creation
* [#7024](https://github.com/cloud-custodian/cloud-custodian/issues/7024): Cross region event sending
* [#7003](https://github.com/cloud-custodian/cloud-custodian/issues/7003): Scanning EventBridge rules in custom event buses
* [#6975](https://github.com/cloud-custodian/cloud-custodian/issues/6975): setting MinimumProtocolVersion in Cloudfront distribution fails
* [#6961](https://github.com/cloud-custodian/cloud-custodian/issues/6961): setting MinimumProtocolVersion in Cloudfront distribution
* [#6957](https://github.com/cloud-custodian/cloud-custodian/issues/6957): Api Gateway Rest-resource exception flow
* [#6954](https://github.com/cloud-custodian/cloud-custodian/issues/6954): Filter condition not removing offending security group rule when another rule already satisfies the condition
* [#6946](https://github.com/cloud-custodian/cloud-custodian/issues/6946): How can I check my AWS account for HIPAA compliance via Cloud Custodian?
* [#6944](https://github.com/cloud-custodian/cloud-custodian/issues/6944): Remassage the output logs to s3 for AWS glue
* [#6941](https://github.com/cloud-custodian/cloud-custodian/issues/6941): how to do c7n-mailer logs integration with AWS Cloudwatch, so I can see c7n-mailer logs in Cloudwatch for all metrics
* [#6926](https://github.com/cloud-custodian/cloud-custodian/issues/6926): mailer doesn't declare dependency on c7n
* [#6922](https://github.com/cloud-custodian/cloud-custodian/issues/6922): Getting error after enabling MFA - DescribeInstances operation: AWS was not able to validate the provided access credentials
* [#6913](https://github.com/cloud-custodian/cloud-custodian/issues/6913): Cloud Custodian: Unpredictable output - custodian.actions:WARNING stop implicitly filtered 0 of 1 resources key
* [#6906](https://github.com/cloud-custodian/cloud-custodian/issues/6906): iam-role cross-account flagging cognito-identities within own account
* [#6901](https://github.com/cloud-custodian/cloud-custodian/issues/6901): c7n-org report does not show me stopped or started instances
* [#6874](https://github.com/cloud-custodian/cloud-custodian/issues/6874): Document support for server-side filters via the query block
* [#6872](https://github.com/cloud-custodian/cloud-custodian/issues/6872): multiple whitelist_from urls in cross-account filter
* [#6862](https://github.com/cloud-custodian/cloud-custodian/issues/6862): Does Value filter support joint value of multiple AWS resources tags
* [#6850](https://github.com/cloud-custodian/cloud-custodian/issues/6850): Documentation should be updated for correct reference
* [#6849](https://github.com/cloud-custodian/cloud-custodian/issues/6849): How to delete GCF function or How to change trigger type of existing one?
* [#6848](https://github.com/cloud-custodian/cloud-custodian/issues/6848): GC function is not running if we create periodic rules of pubsub type
* [#6740](https://github.com/cloud-custodian/cloud-custodian/issues/6740): c7n lamdba deployment with additional packages
* [#6739](https://github.com/cloud-custodian/cloud-custodian/issues/6739): Purging the (legacy) 'current' Lambda function aliases
* [#6708](https://github.com/cloud-custodian/cloud-custodian/issues/6708): Azure my first event based policy deployment failure
* [#6686](https://github.com/cloud-custodian/cloud-custodian/issues/6686): GCP {account_id} get value of project_id
* [#6683](https://github.com/cloud-custodian/cloud-custodian/issues/6683): chat.postMessage webhook gives 200 OK but no message received
* [#6662](https://github.com/cloud-custodian/cloud-custodian/issues/6662): Is it possible to send email notification to AWS Account owner?
* [#6660](https://github.com/cloud-custodian/cloud-custodian/issues/6660): botocore.exceptions.ParamValidationError: Parameter validation failed:
* [#6658](https://github.com/cloud-custodian/cloud-custodian/issues/6658): api gateway version 2 support
* [#6594](https://github.com/cloud-custodian/cloud-custodian/issues/6594): Filter to verify custom domain TLS version (API Gateway)
* [#6582](https://github.com/cloud-custodian/cloud-custodian/issues/6582): How do I execute a policy on creation, in addition to the criteria of the mode parameter?
* [#6534](https://github.com/cloud-custodian/cloud-custodian/issues/6534): Send custodian logs to datadog
* [#6531](https://github.com/cloud-custodian/cloud-custodian/issues/6531): Azure - "All Resources" Support required for Inventory
* [#6526](https://github.com/cloud-custodian/cloud-custodian/issues/6526): Azure: Filter Configuration - Need Examples
* [#6515](https://github.com/cloud-custodian/cloud-custodian/issues/6515): aws - tagging - universal_augment backwards compatibility
* [#6476](https://github.com/cloud-custodian/cloud-custodian/issues/6476): c7n Discussions
* [#6409](https://github.com/cloud-custodian/cloud-custodian/issues/6409): EMR - Not able to Terminate EMR cluster as Job flows are termination protected
* [#6373](https://github.com/cloud-custodian/cloud-custodian/issues/6373): Testing for list difference
* [#6346](https://github.com/cloud-custodian/cloud-custodian/issues/6346): AWS - aws.rest-api and aws.distribution filters are not being interpreted
* [#6336](https://github.com/cloud-custodian/cloud-custodian/issues/6336): c7n-mailer - Possible to set SES Endpoint URL?
* [#6307](https://github.com/cloud-custodian/cloud-custodian/issues/6307): Feature to support role / resource specific whitelisting for cross account access validation
* [#6264](https://github.com/cloud-custodian/cloud-custodian/issues/6264): Documenting Code Contribution
* [#6252](https://github.com/cloud-custodian/cloud-custodian/issues/6252): AWS Cloudwatch Logstream Subscription filter check
* [#6246](https://github.com/cloud-custodian/cloud-custodian/issues/6246): Compare two lists in custodian policy
* [#6234](https://github.com/cloud-custodian/cloud-custodian/issues/6234): How to CleanUp Resources Created by Executing Custodian Policies
* [#6193](https://github.com/cloud-custodian/cloud-custodian/issues/6193): Run custodian across multiple tenants
* [#6179](https://github.com/cloud-custodian/cloud-custodian/issues/6179): How to interpolate date variable during runtime
* [#6147](https://github.com/cloud-custodian/cloud-custodian/issues/6147): possible to copy-related-tag from AMI to ebs-snapshot?
* [#6145](https://github.com/cloud-custodian/cloud-custodian/issues/6145): remove statements from s3
* [#6143](https://github.com/cloud-custodian/cloud-custodian/issues/6143): How to contribute aws resource type.
* [#6139](https://github.com/cloud-custodian/cloud-custodian/issues/6139): Retrieve all open ports of AWS ec2 ,application load balancer, network load balancer and azure vm
* [#6138](https://github.com/cloud-custodian/cloud-custodian/issues/6138): Local testing cloudtrail events against a policy
* [#6125](https://github.com/cloud-custodian/cloud-custodian/issues/6125): Security Group : Want to filter the "Default" security group which is having any rule either egress or ingress
* [#6093](https://github.com/cloud-custodian/cloud-custodian/issues/6093): aws:SecureTransport S3 cloud custodian
* [#6065](https://github.com/cloud-custodian/cloud-custodian/issues/6065): Problem using template field 'slack_msg_color'
* [#6061](https://github.com/cloud-custodian/cloud-custodian/issues/6061): EBS fault-tolerant filter doesn't filter as expected
* [#6058](https://github.com/cloud-custodian/cloud-custodian/issues/6058): Allow inspection of lambda aliases and versions
* [#6055](https://github.com/cloud-custodian/cloud-custodian/issues/6055): Possible Documentation Typo - Offhours "weekend-only" should be "weekends-only"
* [#6053](https://github.com/cloud-custodian/cloud-custodian/issues/6053): Filter gke-clusters by labels
* [#6037](https://github.com/cloud-custodian/cloud-custodian/issues/6037): Should the tag action default to using UTC?
* [#6029](https://github.com/cloud-custodian/cloud-custodian/issues/6029): Default value filters do not seem to work properly for app-elb matching
* [#6018](https://github.com/cloud-custodian/cloud-custodian/issues/6018): Is there a way to call an API to external web https link and pass , receive the the status ?