From YouTube: Cloud Custodian Community Meeting 20220412
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our GitHub repo: https://github.com/cloud-custodian/community/discussions
To get an invite to the meeting, join the Google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
All right, welcome everyone. It's April 11th, I'm sorry, April 12, 2022, and this is the Cloud Custodian community meeting for this two-week period. Got a few things on the agenda. I've pasted the URL to the notes in chat, and let me just share the notes so that you can check it out, and then we'll get started.
A
A
This is, what are the dates on this, May 2nd to May 3rd, and if you click on the link in the notes, it'll take you to the Cloud Custodian section there. And if you are attending PyCon, we'd love to have you stop by, even if you don't want to hack on stuff. If you just use Cloud Custodian, you can drop by and say hello, we'd love to have you. All right.
A
Moving on from that, really, I put release today, question mark, Sonny. We had talked about automated releases, and I've added that to the board now, and Sonny's gonna start working on it. And we were kind of thinking, what would be a good cadence to start, and Kapil threw out second Tuesday of the month, sounds good, and that is today, so Sonny figured he would start doing stuff. So do you have, do you have anything for us today?
A
B
Yeah, I'm in the, you know, getting the, this PR fixed and working. For some reason I'm just, say, hitting some CI issues, but hopefully either today or tomorrow, try to get a release out.
A
Okay, awesome, and when that happens, we'll go ahead and post that on the list and the usual places. If you're looking for a roadmap, just another reminder: if you just go to the Cloud Custodian org, click Projects, and it says Roadmap.
A
It gives you the list of stuff on there, but I like to do the board view. We'll kind of show you what we're working on. There are some items from the old roadmap that have not made it into here, and I'll be going through those and triaging, seeing what makes sense and what doesn't make sense.
C
How are the release notes generated? Reason we're asking this is because we don't really have a good, automated way to retest all of our policies, right? And if we were to upgrade, how do we have confidence that, you know, nothing is broken? We were relying on looking at the release notes. Things like adding new functionality, right, we can just all ignore those. We will assume that that wouldn't break anything. But we see something, oh, modify, let's say, the way this filter works, or something like that.
C
B
Yeah, so on each, each release will contain release notes on the GitHub tag itself. Those are generated through, we have a basic script that crawls the GitHub commit history in the repo. So it's not, I believe it's under dev slash, it's vlog, py or something. I can pull it up.
B
Yeah, so it's right here, I'll post it in the chat. Thank you. There's a little bit of, like, manual massaging, like, for example, if a commit message doesn't exactly match the format, but basically run that, creates the change log, and then we create the tag in GitHub.
C
So does it mainly look at the, I guess, either the commit messages or the log messages to figure out how it generated, or.
B
Right, it's the commit messages, yeah, on the main branch.
B
So that's, I mean, it depends on what you mean by breaking. Like, if you're saying interface changes, we typically try not to have any interface changes on the policy DSL itself. Like, if a bug is introduced, like, obviously it's hard to know when you're generating the release notes, like, oh, this implementation or this functionality is buggy, but for big things.
B
C
Oh yeah, talking about versioning, you guys don't really follow semver. I mean, you guys go at zero point something. What's the plan moving forward?
B
B
If you do, that's not intended. So, like, your policy language and stuff, that should be safe, and the behavior, I mean, the underlying behavior may change a little bit, but it shouldn't, it shouldn't be, like, breaking.
C
Yeah, save several things. I mean, we are in the process, of progress, of migrating right now, or it's interesting using background. We were relying on having the ability before to have, I'll say, custom code, and all that got ripped out, and now, so we're in the migration now. But yeah, it was just a minor.
C
It was called, you know, but it's not semver for sure, unless you're treating the minor version as a major version right now.
B
So I think the custom plugin interface stuff was never fully public, yeah, as far as I remember, which is why it wasn't, I mean, there was a note about it, from what I recall. Okay, but you should, I mean, I'm talking specifically in the DSL, like, that itself should not break from version to version. Okay.
A
B
Yeah, I think the policy syntax is the main interface that people, that we support, like, as in a public interface. Yeah, like, if you're writing code off of, considering as like an SDK or API, like, that's not, that's not the public interface.
C
Well, here's another example of what I would consider to be a breaking, breaking change, that kind of relates to one of the PRs that we have opened right now, too: in the past, config poll rule, we were able to use it for pretty much any resources, but there was a change to throw an error if it detects that the resource is supported natively by config rule mode. So that is a breaking change, because we can, it's not throwing an error.
B
Gotcha. I mean, I'm unaware of the specifics on that one. I, yeah, I haven't really used, like, config rule stuff much, but.
D
C
C
Especially an automated way too, which I do want to have an automated release, but how? If we move toward that path, how do we ensure the release logs generated and things that call out, so we can watch out for when they're breaking changes?
E
D
E
Out breaking changes in notes, and using a version scheme based on, based more on dates, can make sense in that case, but we just, we don't have that locked down yet.
A
You know, what the versioning and the feature landing and all that stuff is implied when you automate releases, but okay, I've got, I've got this down. Everyone see the notes there? Hopefully I didn't make fires out of us, but yeah, all right. We, I could definitely bring that up to Kapil. You know what, I know that we've said semver-ish is, I think, the term I've heard thrown around, but we could definitely either make a more firm statement or add another "here be dragons."
A
If that's the case for certain parts of it, you know what I mean. But the DSL and syntax, Sonny, would you, we call that pretty frozen, like, that's not a.
B
Yeah, it should be only additive.
A
A
All right, onward to it. One point now for the next one, before we look at the PRs: still waiting on a review on 7029. Darren, that's yours. That's mostly just trying to get Kapil enough time to review it. I just wanted to note it here that it's still on his to-do.
A
We have a few PRs that were opened in the last two-week period, and AJ, did you have, I think you had one that you wanted to talk about. If there are any other PRs that people would like to go over or discuss, you can either toss the number in the chat or go into the notes and paste it in, and we can go over those as well.
A
A
I've got the first one here that I'd like to talk about, is 7201, which was just a question from the community, which is: how do we keep track of resources that Cloud Custodian removes due to violations? And Jameson left some tips here: a dedicated mailbox is useful. You could also do a versioned S3 bucket. I just wanted to point that out, that we posted that there. If anyone has any other tips or anything they'd like to recommend, that issue is 7201.
A
If you have any opinions on that, so that's the one I brought today.
A
Anyone else have any other ones pending review? Darren, I think 7029 is the main one that you have, right? And I think AJ merged the other one. Do you have any outstanding ones that.
C
Okay, I mean, there's no point in talking about the two older ones since, okay, waiting for, unless AJ wants to take a look at them, which.
E
C
The other one was the one.
E
E
C
E
Older one, 712, is that the one that it was, let's see, no, no, no, that's a different one.
E
So it's good to say numbers, yeah. And I think what might be useful here, and this is a good, hey George, this is a good idea for a community meeting, yeah. I think that 5971, that came out of a discussion with a few different folks, and that the logic there looks pretty good to me. Looks like it just got, it got hung up there, but some of the work in the other one, in 7129, had some nice documentation, some examples.
A
Yeah, if, if you do the, what's the good thing to make sure that the other person gets the.
E
E
Right, so I want, I want, okay, I want the credit to show up, and that's your co-worker, right?
C
E
Yeah, Katie, and so, yeah, I want him to get the credit for that, not for just adding the documentation in the examples, but also for resurfacing the issue so that we don't lose track of it. So, yes, that sounds good to me. All right, let's do that. I'll take that action item.
A
E
Yeah, and then, so separate from that one, which I think is a good one, the other, a, and there's the config managed one, which I will add, no use. Well, you too, but Darren, did you have another one open?
C
Yes, it's on the open PR list that George just.
A
What's the, what was the number?
C
That one is 7194. There it is, okay. Okay, so this one is, I think it's pretty interesting, and, you know, in case we missed something, I really think this is something that we should fix or allow. Again, related to what I was talking about, the breaking change, which is: right now for config, beside managed config, which we're trying to add right now, we can run config poll rule, a config rule.
C
The way that, a quick summary of it is: config poll rule is more periodic mode, versus config rule is more event based. Now there is a check in config poll rule that will error out if you're trying to use config poll rule on the resource that is natively supported by config rule.
C
The problem that we see here is event based doesn't work all the time, especially, well, specifically for resources and filter where the filter is on something, it's not really part of the resource itself.
C
An example would be, the resource is VPC, but the filter is a flow log, as an example you can see right there. So basically, this policy is saying mark it as non-compliant, mark the VPC as non-compliant if it doesn't have flow log set up. This will work on creation, right, because it's creation: you create VPC, you get the event. But on update.
C
C
So for this kind of situation, we have been relying on periodic mode to check daily. I mean, it's not near real time, but at least we have a daily report of things that are complying and not complying. So this PR is to have a way to override and say, hey, skip that check, to let us use config poll rule mode if we really want to. So it's just adding in a new property under the mode, right, there's the ignore config support check.
D
E
At that, I'm sure, I'm trying to think about the motivation behind putting this in there, and I know when you, when we have any of those periodic modes, there's always a little bit of reservations around that, because it, there, it's a lot of the API volume. It can be kind of slow, we're not getting, we're not benefiting from the caching, so it tends to be kind of a footgun.
C
There are other kinds of policy where you have, again, the pattern is you have a resource and the filter is on, I'll say, it's confirmation, AWS treats the filter as a separate resource. It's not a property of the resource itself. So when the event happened, it happened under a different resource. Yeah.
B
Okay, yeah, this would be like any, you're saying, like any related resource, like the security of rules under a easy that an EC2 instance is using changes, it wouldn't, yeah. I get reasoning.
E
C
Right now we're migrating it, yeah. Okay, we were something similar, like poll, config poll rule, but this was before you guys started adding support for config. Okay, all right, thanks, I'll take a look at that one.
E
Well, while we're talking about Darren-adjacent pull requests, the distributed Darren network that is coming in and updating Custodian, the one from your teammate about adding the RDS consecutive snapshot filter, that was, that was neat. That was a cool one. So, thanks to you for the assist on that, thanks to Chess Grover for authoring it. That was good fun.
D
A
Yeah, were we able to get more information on that? Because I'm going to be talking to the EasyCLA folks.
C
It was how he would set up the email. Okay, it's just his git configuration, yeah. Okay, okay, all right, so.
A
C
There was a scenario where we have to, so after we set up the user or whatnot in CLA, we have to manually click on the red button where I say, you know, I'm missing CLA. Yeah, once you click on it, then, somehow, whatever happened behind the scene, then, and it, okay, yeah.
A
Okay, if those come up, I'm trying to collect all the issues that we're having to take it to the EasyCLA authors to make that, make that easier, because it's been, it's been a pain point in the past. Good to know on that one, though. All right, so this one got merged, so we're happy with that one. Anything else on the list jumping out at anyone?
A
And I can open it up for questions as well. If you, if you joined late and just had a question about Custodian that you'd like answered while we have everyone here, that's pretty much the end of the agenda there.
C
One item that I have: I know in the past Kapil has talked about, what's it called, what is it called, policy as code or something like that? It's more about shifting left in terms of doing the policy check more at build time, versus after things are already deployed or in the process of deploying, and I think he dropped up some proposals, but never seen any updates, or, or I don't think there's any progress on it. Is that something is still looking at? Is anybody looking at it?
B
That, yeah, so under the tools directory, it has been sort of paused, like, there has been a lot of activity on it. But if you go to c7n terraform, that's basically the shift-left stuff, so it'll inspect your Terraform HCL files, and then you could write policies against it.
B
D
Oh, I just thought about it through this, George. Let's see, because are we having, we don't, so next week we have a c7n 101 class, that's Wednesday, April 20th, and it's in, if you go to Livestorm, oh here, I'm about to get you the link, so.
D
Yeah, yeah, I just, I was just like, that's next week. It's the same, it just goes, or it will cover basic policy and basic anatomy of a policy, and with some demos. So might not, you know, I think everyone here might be beyond that. But if you know someone who maybe is, like, new on your team or something, and you want to show this to them or you want them to attend, it's free, and we just ask that you register at that link.