From YouTube: Cloud Custodian Community Meeting 20220802
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
All right, welcome everybody. The date is August 2nd, 2022. This is the bi-weekly Cloud Custodian community meeting. Please be cognizant of the fact that we do record these meetings and put them publicly on the YouTube channel, and we publish the notes as well. Also, please remember that we are abiding by the CNCF code of conduct, so please be excellent to each other, but I know we always are. And with that, I'll be your host, George, today. We've gotten a packed agenda here.
A
Let me go ahead and toss the notes URL in chat. I know some of you are joining, and sometimes determining Google Chat doesn't keep the previous thing, right. So I have to, I have to post a URL on the regular, so I'll just get used to that. And with that, I'm going to go ahead and share the agenda.
A
Intros: anyone, you want to say hello? I think I see, I see some familiar faces, but usually we have some time if, if, if you're new here or it's your first meeting, you want to say hello. Of course, don't feel any pressure to do so. But if not, you can ask questions throughout the meeting. But anyway, welcome. We welcome all skill levels and users and stuff. First, we have some governance updates. I like to just bring some attention to 7149.
A
This issue is our governance.md documents. We have gotten enough votes to graduate into the CNCF incubation process and out of the sandbox. However, the voting period is still open, so you're not going to see announcements and stuff like, for a little while, while people do press releases and things like that, but one.
A
Those requirements is to have a governance.md. That is how we add, remove maintainers and kind of run the project. A lot of this is kind of ground has been treaded before with projects like Kubernetes and whatnot, and I have a draft here. This isn't a PR. I kind of wanted to get consensus before we started a PR, and I'm looking for more feedback.
A
We've definitely brought this up in the meeting before, and I've taken items as we get them, and then I'm kind of keeping like a live little change log at the bottom of things that I am making to the document. So I've added an emeritus process, and Kapil had asked me to look at the Envoy project. They do something really interesting, where they give all their maintainers plus one vote, but then, like, the project-level maintainers get plus two votes to kind of be tie breakers.
A
I thought that was really interesting, so I put some thought into that and, and put that into the draft. I also kind of did a, I know some people had addressed concerns to me about, well, what happens if there's like an underrepresented area of the project and someone is rocking it, and it's like, you know, hey, sorry, you only got 29 PRs in this period.
A
We need 30. So I kind of left a little escape valve that says discretion of the maintainers, where we can look at this governance process, and if we, and if a majority of maintainers feels that that person is meeting the needs and is responsible, they don't have to actually wait for any of the time periods there. So it kind of gives us chalk outlines to stay within, but like also, hopefully, doesn't box us in. So that is the quick TL;DR on that.
A
If anyone has any questions, that's just a long-standing thing that I want to get done as part of the incubation process. And the next thing I have is, I have gotten some issue, a contact now with the CNCF. Specifically, Darren, you'd asked us last week about getting, what are we going to do with open PRs from a previously accepted CLA?
A
In this case it was the Capital One CLA, and then the person has signed the new one. What do we do with the open PRs, that kind of stuff? That's mostly just trying to, you know, get a meeting between like Kapil, and maybe you, Darren, if you'd want to go, and then the CNCF, and seeing what, what that, what that will look like. So slow progress there, but I just had, I went to a conference this week. I went to SCALE, and there was some from the CNCF there.
A
I was doing booth duty and we kind of talked about all sorts of EasyCLA things, and with that I will give you the quick SCALE update. Southern California Linux Expo was this past week. Sonny and I attended. We ran a workshop that was basically Cloud Custodian 101 that was about 90 minutes. It was recorded, however, the videos are not available at this time, but we thank all those that showed up, and as soon as we do get that information, I'll make sure we put that in the show notes.
C
Just thanks for everyone that came out. I don't know, I don't think anyone on this call was there, but it was great fun, answered a whole lot of questions, so I'm sure there will be. Even if you are very familiar with Custodian, there may be some things in there that might be interesting to you.
A
Yeah, for sure. I'll see if I can get us a transcript of that one as well. I know there were some questions at the end that got, got a little hairy, and I was like, learning all sorts of stuff, so that might be useful for people. Kapila numero went to re:Inforce, which was the same week but over in Boston, New York, on the other coast, but he sends his regrets. It doesn't look like he's gonna make it today, so hopefully he'll be able to.
A
Let us know some of the interesting Custodian discussions that he had there. And with that, I'm going to look at some PRs here. The way I do this is, I run a little script that shows us activities and PRs and issues over the past two weeks and kind of give everyone a chance to.
A
If you see something interesting that you think is worth discussing in the community, or maybe you need eyeballs on something, you know, you can kind of bring your issue or your PR, your bug, and then we can help do that. But before we do this, anybody have anything else they want to add to the agenda?
A
All right, and then right after this call we're gonna try to do a release. Darren, you looking for, I've been looking forward to this for like two weeks. So after we get to the end of this, we can, we can do whatever we want, like if, if we want to cut this a little bit early or we want to, you know, make it a huge two-hour block, I'm kind of flexible. AJ, Sonny, I don't know where you all are sitting flexibility-wise, but yeah.
A
We could talk about that. So I've got a few here that were nominated, and those are the ones with a little explosions next to them. If there's one that's already on here that you want to discuss, either let me know or just add that little colon-boom emoji. The first one we have is adding the reusable has-statement filter on, on AWS.
D
Yeah, this is similar to the, there's an existing S3 filter to basically be able to go through access policies, statement by statement, and check for certain key-value pairs. So we have this requirement for compliance for several resources, and this adds it for SNS and also SQS. Basically, we want to be able to go through and make sure that the access policies are doing stuff, like, you know, denying non-secure transport and stuff like that.
B
And so Sonny had added a review to this, and, and I looked, I, I have not looked at it deeply. What I looked at looks, looks cool to me, but was there anything pending on that one? I think so. Oh, there was a discussion about the strict parameter from Sonny's comment, but it sounds like we're just kind of trying to match up with what we're doing with S3 already.
B
AWS core has stopped, yeah, yeah, so it's 6003. Looks like it was closed, and, of course, I found it right away now. I didn't find it when I was looking for it before.
B
Yeah, I don't have any issue with the one just going with the, the SNS, SQS one, and then, if we need this more generally, then trying to extract it all out somewhere that it still works. There's nothing, there's nothing in there that's really specific to SNS or SQS, right, in this PR. It's just, just making sure that filter is on the resource, right.
D
Yeah, correct. Darren had some suggestions to make it more reusable, so yeah, you should be able to add it to other resources on the road fairly easily.
A
If you could leave a comment on that, that would be great as well, so we have that context in GitHub itself. That, yeah, some, someone reminded me, it was a totally different project, that sometimes I make decisions in meetings and forget to put it in GitHub, and then people wonder, you know, I asked them to review, but, you know, they accepted or whatever in, in the meeting, but they never followed up on the GitHub issue, and that could confuse people.
D
AJ, are you still going to do another, like, more review of it, though, as you said, you only look at it from a high level. I mean, I think we can still use some more thorough review of it. I mean, I had help Steven, but I can definitely use another pair of eyes.
B
I doubt I'm going to find anything breaking in it, but, but I'll certainly have a look.
A
Job well, thanks for the PR. We appreciate it, trying to make everything smoother. You know, we'll get there. Oh, and this is the opr. So it's not this one. Next: get bucket encryption fails when no encryption configuration is present, but KMS bucket key is enabled.
B
Yeah, this one we've got a little nit that we, that it looks like there's another comment on it might address that, just to make the, I think this was a, a good catch. It's a case for you, where you can have something where the bucket key is showing up that's enabled there, so you've got a server-side encryption block, but there's no.
B
Encryption set. It's just kind of an interesting edge case. I'm glad kisgen found it and submitted the fix. We'll just, I think we're going to clean up one check and then we should be able to get that merged. I don't.
B
Has run into that, but there's a fun one.
A
All right, the incoming laugh PRs continue. I think we've had one every two weeks for the past two months, so this one's yours, I think, AJ.
B
I will, well, look, so.
B
So has, has Harisha Chapa ever made it to one of these community meetings? Because I know I've missed a few lately. I don't recall, yeah.
B
But big thanks to them for, for just continuing to flesh out f, I mean this. I have not tested this one, to be honest, but looking, looking it over, looks good, yeah, yeah.
B
Actually, you know what, I say nothing jumps out, but I think one thing we are going to have to look at is they're defining a get resources and kind of hard-coding that AWS partition. Where.
B
Take a note, line 29 in that, that left PR.
B
That is one of those where we have some kind of functionality and it'll break if you're in, like, GovCloud or something where you're not in that default AWS partition. It's just one of those things we need to look out for. So add a comment there. I suspect it'll be relevant, but yeah. That's.
C
Red X there would be more applicable.
A
Cool, all right, those are the PRs that kind of stood out to me, unless anyone wants to nominate some, feel free to. Peter wants to go over 7561 and 7460. No worries.
A
Yeah, there's been a few times where we've done the "hey, let's do a release in a meeting after," and then we end up getting a lot of the preparation done and finding issues and bugs and stuff, so, I mean, maybe, but we are releasing at least once a month now, so yeah, we'll, we'll see how, we'll see how it goes.
A
Let's see, which one am I looking at here: 70 61. Okay, we can do this one. AWS Connect: create new connect resource and instance attribute filter.
E
Yeah, so I recently added a new connect instance resource, and compute took a look at it and had some comments, which I addressed, but I haven't heard back since, so I'll just, we can get another look at it, see if there's anything else I might need to do.
B
Yeah, it looks like we've only got resolved, resolved comment threads on that one. So that's a good sign.
A
Yeah, I will put this on his radar today at a minimum. Anyone else want to take a stab at it if they have time?
E
Yeah, likewise on this one, I added a new filter for workspaces, and I believe Sonny and Kapil had some comments for changing the implementation to using a value filter. Yeah, I, just like the other one, I just need another look at it. Got you.
C
Sorry, my, like, connection just dropped for a second. I missed that this was the workspaces.
C
Yeah, I could, I can take a look at that. Actually, speaking of, Peter, are you the one that was asking about the Secrets Manager? Oh.
E
Yeah, yeah, that one, yeah. I took a look at your comment and I think you're right, so cool, yeah, that one's not an issue. All right.
A
All right, hopefully we'll, we'll get you unblocked here, Peter. Appreciate the PRs. Anything else on these two?
B
Yeah, yeah, Kapil and I both had comments on that one. So that one is interesting, but that, it is related to Sonny too, because there was an issue with sending, with running Custodian in certain opt-in regions, where you had to specify a location constraint on the bucket when specifying the output bucket, and adding that fix in means that you effectively need that GetBucketLocation permission for your.
B
Your Custodian IAM roles. Now, most people have that, most Custodian roles are going to have it, and the, your output bucket is going to allow that. It's a pretty basic policy, like if you have read-only or some kind of access to a bucket, you're going to have probably GetObject, PutObject, and then that GetBucketLocation. Looks like for this issue.
B
Someone didn't have that GetBucketLocation permission, whether it was missing from the role or the bucket policy, or an SCP or whatever, and so after that, that fix PR went through, the one linked from here.
B
The sending across regions started failing, and so the, the question, so Kapil and I both commented on it. I was thinking we might want to just, just to avoid this kind of surprise, we might want to fall back to the other behavior, where, if we try to find a bucket location and we can't, we fall back to us-east-1. But then I think Kapil and Sonny, I, I've kind of moved over to where they were coming from, which is like that.
B
That permission is a pretty basic permission that you, you would expect to have on a, on an output bucket, and so, if it dies, it's more like that's something we need to fix on the, fix on the permission side. We just may need to call that out in release notes or, or, or.
B
This issue somewhere, so if anyone else runs into it, we know, we know what to tell them, where to go.
C
No, saying that GetBucketLocation is an API that we use to construct the S3 resource via the augment anyway. So if you're running a policy against and looking at S3 buckets, you should already have it on your, on the principal that's making the calls there.
C
So to me, it seemed like rather unlikely that this would happen, although I do understand that people don't typically give s3:Get*, because that does allow you to GetObject.
C
But in this case, like, the permission is so innocuous, I don't think it's an issue. As long as we document in the release, I think it's fine.
B
There is, yeah, we just, yeah, there's an example that says you're going to need, you'll need read-only access and then plus whatever other, other stuff, and.
B
Access policies are going to include that permission. I think this was, I, I suspect, I mean, I don't know from, from the detail on that ticket. I suspect that the gap was coming up in a bucket policy or something else rather than the IAM role definition. But I mean, it's a good call. It's worth documenting that, maybe in the execution options section of our docs, we say if you're going to specify an output directory, make sure you have these permissions, similar.
B
I have to configuration, yeah, where I'm looking. I will post it in the, in the meeting chat, but I'm looking here in this, this section on execution options, and we specify that you can, you can call it an output directory, yeah.
B
Specified a laminate, but, but I mean, custodian run, you could specify an output, direct upper location there too, or c7n-org. So there may be a different spot or multiple spots where that makes sense.
A
Right, looks like I'll have something to do while y'all are doing the release. Okay, and the last one officially on the agenda, if you have more, of course, keep, feel free to keep putting them in the sidebar: c7n-org condition when running a merge policy file across 500-plus accounts.
B
Yeah, and since Kapil's not on this call today, I know he was mentioning changing the, so he was suspecting that part of what's going on here is that we have to keep a lot of cache in memory, and he was talking about changing the cache implementation to, to use SQLite, where you can do a lot of partial loads and lookups, rather than having to load cache files in that are, they're kind of pickled to disk right now. And so that was, at least the suspicion is that some of this is trying to just keep, keep a bunch of cache from potentially multiple accounts all in memory, and then, and then not getting rid of that stuff and killing yourself.
A
All right, and since he's not here, we're gonna have to table that one for next time, but he's got some ideas there that he wanted to run by some of you. We'll get to that at some point. And that, those are the colon-booms of, of the two weeks there. Anything else people would like to see, PR-wise, issue-wise, other?
B
I do want to mention that, just dropped the 7601, only because we started seeing some, a recent PR failed lint, and it was, it was a bunch of unrelated stuff, and it was because pycodestyle released a new version and they implemented a new default check. So it's checking for required whitespace around keywords. So if, if any of you submit PRs before 7601 here gets merged and you just start seeing lint errors and you're like, where is this coming from? It's, it's a pycodestyle change.
A
All right, and with that, if you don't want to stick around for the release, feel free to bail. Thank you for coming. We appreciate it, and, let's, let me stop the recording. We'll see everyone in two weeks, and then we'll try to release this bad boy today.