From YouTube: Cloud Custodian Community Meeting 20220201
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/cloud-custodian/community/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
B: Sorry about that. Welcome, everybody. It is February 1st, 2022. This is the bi-weekly Cloud Custodian community meeting. I'll be your host today, George. Please be aware that the CNCF code of conduct is in effect, so please be excellent to each other, and, as always, we'll be recording and putting the video up on YouTube, as well as publishing all the notes and whatnot to the usual Google group. Before we get started, anyone want to introduce themselves if it's your first meeting or if you haven't been in a while?
B: So, let's get started. Normally we have an agenda. We don't have any workshop dates nailed down for the next month, but as soon as we do, you'll be the first to let us know, and we're kind of in the doldrums of conference season here, so not much to report in the way of events. So we're going to get started with just basically what's been happening over the past few weeks in the Custodian community, and Jameson, you're up first with this one: adding filter op logic to IAM role filters.
D: So within the AWS space of Custodian, when scanning all roles, we had a use case where we wanted to be able to match on role name patterns, and noticed that the current filter for IAM role, that's called has-specific-managed-policy,

D: just currently takes a string, an exact string, and so I opened this PR, or opened this feature request, to add the capability so you can do like a regex pattern or something like that on the attached policies to a role. So, for example, checking for all roles that end in the words "full access", like database manage full access roles, being able to find if any of those are attached to a role. And so, yeah.

D: I think AJ's been working on this one, and I think he's been having some pretty good success so far, so this is looking promising and should be helpful to others, hopefully. Any questions on this one?
B: So AJ, I just saw you self-assign this to yourself. Have you been working on this already?
A: And this goes back to, I had messed with it a little bit just to see: is this gonna be a lot of work or a little bit of work? It seems okay, but I never trust that initial feeling, but yeah, it looks like it's going to be all right. Just mainly don't want to break existing policies. So I just self-assigned, and I'll, yeah, I'll finish up the work on that.
B: All right, this one seems relatively straightforward. AJ, you're next with AWS security group merge match rules. I believe this was more of a heads up, then.
A: Yeah, this was one that we just, every once in a while we get questions from a couple different places on, that all boil down to the same issue, and in this case it was that when you're looking at the security group and filtering by ingress rules, and there are multiple rules that match your filters, it was only keeping track of the last one.

A: So if you went to go remove rules that were too permissive or something, it was only going to find that last match, and you'd have to run the same filter multiple times before it completely remediated something. So that was some Gitter troubleshooting and some other folks we were talking to, but it looks like that should be fixed now, yeah.

A: Yeah, and that's just, it came out of the same discussions, which was: okay, the ingress filter isn't behaving the way that I expect, and also what the heck does match operator do? So this was just kind of a separate PR just to add something, so we have some examples on what it does, what it can do, what it can't do, when you might want to use it.
C: Because I wanted to work on that, or I was gonna work on the issue, and then it turned out that someone had been working on it but, like, hadn't said anything about it, which is fine, just because that's not clarified anywhere, and then, like, as soon as I had mentioned something about it, then they're, you know, we're like,

C: "Oh, I've actually been working on this," which is awesome, but this is something that I want to address from, like, a community point of view, just so that we do have, like, some process around that, so people don't end up doing redundant work. And then this also kind of segues into highlighting, or maybe bringing up or surfacing, that we do have a label or tag for documentation issues. So if you want to file a ticket or submit an issue, there is a documentation tag, right, there's a label for that.
E: Quick question, well, two comments. Sounds great to help document, like, good practices with regards to communicating and claiming an issue, or at least commenting that you want to work on it.

E: That's generally a good practice, regardless of the documentation of that, but you should always be aware that not everyone's good. That's why I do that. Flip side: I don't know if we have a document on the issue template, if we have the ability, if our template actually includes one for documentation. Otherwise, as a, you know, that is.
B: Yeah, Liz, this is maybe a good action item. We should think about whether it makes sense to look at the issue templates for something like this. Maybe, I don't know if it's like, hey, if you're interested in working this, you know, assign it to yourself, maybe, or something like that.
E: And if anyone knows a project, or an open source project, that they like that has, like, "wow, those are really nice tags," please let us know, because we could use... I think ours are more than a little bit rotted, and always on the lookout for projects that are effectively using tags.
E: Backlog, there was one or two minor things, I think, around error checking, or, like, there was one of your buyers I was just going to tweak and merge, but I haven't made the time on it. I can probably at least comment on it, what I was looking at specifically, but yes, that's definitely on the merge queue. Things merge queue is unfortunately not live, though it's closer to live at the moment.
F: In the top of the list, and then for the second PR, again, I have a question back for Kapil on his comment, just for clarification. I'm not sure if you have a chance to take a look at this.
E: What I was trying to note is that, typically, in general, when we have an action, we also have a corresponding filter, so that the policy doesn't find non-compliant resources with... like, if you have an action that you can never detect through the filter, then the policy is always basically reporting something's not compliant. And therefore, to complement that effectively, for any action that's going to take action, there should be a corresponding filter that allows you to detect if you need to take an action.

E: Still not clear on what that means? So, in the context of a managed role, or sorry, on the account resource, it would be a filter that says: hey, is this manager already enabled in this account environment? And if so, then it basically won't... it will basically filter out the account resource. That way, if you have a policy that's about, hey, I want to enable, make sure that these configurables are enabled, the policy isn't going to take actions unless there are managed configurables that are missing in that account.
F: Right, so I think it's just a different perspective on how we think it should work, then, because, from my perspective, I was thinking, hey, Cloud Custodian should be enforcing, say, this is what I want my manager config rule to look like. So I would imagine, hey, if it's already enabled, but this is what I'm telling Cloud Custodian it should be enforcing, I would expect that it should update. But it sounds like you don't think that's how it should be done.
E: I think it should update the resource. What I'm saying is that whenever we go to take an action, we're typically taking multiple actions: we're potentially doing notifications, we're emitting metrics about the policy, and so the policy should always have a way to detect if it's already in its target state. And if it is, through filters, it should always have the ability to detect if it's in this target state, and if so, be able to filter out the resources and avoid actions for resources that don't need it.
E: Like, you know, filters can, like, exist and configure correctly; the filter should be inclusive about both of those things. Like, if we look at, you know, a security or filter, or an IAM check-permission filter, it's really about checking to whatever degree the user wants to configure the filter, but the intent is that if the filter doesn't match the resource, then the resource can be considered already in a compliant state.

E: Otherwise, when the policy is going through, we emit a bunch of metrics and outputs from the policy based on what resources match the set of filters. So, you know, the action itself being idempotent is great, but the ability to not even have to execute the actions against the resources which are already compliant is an important part of the Custodian philosophy.
F: I don't want to take more people's time, but let's take a look back at the sample policy that I have in this PR real quick and see what the filter would be like. Are we saying the filter will be the exact thing of what I want the action to do here, so that it can check that, hey, is the managed config enabled and have these settings?
E: That is fairly accurate, though, for, like, ideally you'd be able to separate out the configuration to a common block.
B: Let me size this back down here. All right, thanks for those. Daring it before any bi-weekly: if anyone has a list of PRs that you want to go over, you can always either ping me via mail or just toss it in chat when the meeting starts, and then I'll just toss it into the agenda and we'll get to it. All right, with that, we have a few other ones that hit the queue over the past two weeks: c7n-mailer GCP support.
E: It looks like it's got a couple of issues in CI. It looks like it's actually hitting the API live. It's also based on some work that Brent Clements did, I think, when he was at Capital One, but so, building that part aside, and say that the focus... so I might maybe need to touch base with them. But right now it just needs some additional work to actually pass through CI and actually make sure it's doing all recorded tests for the GCP interactions.
E: Yeah, it worked. I since took a deeper look at OpenTelemetry, and it now has, effectively...

E: I mean, different degrees of support around the three different channels we care about, as far as logs, which are probably alpha, traces, which are probably prod, and metrics, which are also prod. But it's a big package of several megabytes between their dependency stacks, and it also requires a separate exporter or daemon to actually do anything with the actual metrics.

E: So I'm looking at whether or not we want to just have a separate package that you can install to have just direct OpenTelemetry support. But if anyone's interested in statsd, like, this works, and if there's interest, we can merge this independently. It's very lightweight as far as the dependency; it's basically 100 lines of pipeline code as far as our additional, and zero deps as far as additional footprint.
E: So the problem with trying to modify any ECS services directly: ECS services are typically governed through auto scaling groups, sorry, application auto scaling, and the application auto scaling...

E: So I mean there's two different parts here. Like, there's the notion that ECS is going to run on some underlying compute data structure, and that one compute data structure is either a regular EC2 instance, more commonly an autoscale group, or, increasingly more commonly, some sort of Fargate cluster. The Fargate cluster represents infinite capacity, and effectively scaling down the ECS services directly scales down the compute. On the auto scaling groups and EC2, that's less clear. But the other part of it is application auto scaling.

E: So if application auto scaling is managing the service cardinality count with guard from units, then simply modifying it directly, you get effectively what I call dueling control loops, where each of them is trying to twist the knobs, and they're trying to do very counterproductive behaviors.

E: There is a notion that we could detect if this was a target for an autoscale lifecycle. But TL;DR is that this probably needs some... to be general purpose, it probably needs a clear consideration of that other control loop: potentially a filter around making sure that application auto scaling is not enabled on the service, because, if it is, we have a separate resize operation for application auto scaling, which would be preferred to use in that context, if it is being managed through that.
E: Yeah, so we already have support for a source for Cloud Asset Inventory. For those not familiar, Cloud Asset Inventory, if you're running in AWS land, is effectively like AWS Config, or, in a different context from Azure, Azure Resource Graph, and it does support event-based notifications around resource changes. So the effective feeling of a resource like this would be an AWS Config rule. It's a little different in the sense that the notification...

E: wouldn't necessarily allow us to filter based on resource types, so there's a little bit of work to be done. There's some additional work around Cloud Asset Inventory here in the next PR, around GCP folder scaling, that would ideally be merged prior to working on this.

E: We have traded documented inconsistencies for undocumented inconsistencies. The...
E: I'm gonna actually pass the mic to AJ, since I think he's actually kicked the tires on it, yeah. And actually, AJ, if you can, if you work... I think Patricia was also mentioning that he wanted to kick the tires, so I'll let them chime in on what they thought.
B: Someone give us all just a 30 second summary here, because I know this one's been going on over multiple meetings.
A: Sure, sure. So the promise of the Cloud Control provider and the Cloud Control API is that AWS, with its history of incredibly inconsistent APIs across services, we can instead use this Cloud Control API, and there will be some probably reduced set of actions, but it'll be consistent across services.

A: It sounds like there will be unicorns and hugs and everything will be really fun. It's CRUDL sort of operations, so you'll be able to create, read, update, delete and list. That's the hope. That's the promise. The first thing that I wanted to try with it was looking at WAF v2, the second revision of the web application firewall, because we've gotten some community requests for that, and we don't have any existing support for it.

A: So it seemed like if we can cover that through Cloud Control API, it's, you know, kind of a double win. But when I tried to do just the most basic list policy, it came back that it didn't have enough information to do that, and that's because you can't just say "show me all web ACLs" for the WAF v2 resource. It needs to know, like, what type of web ACL are you looking at?

A: Are you looking at a regional one, or are you looking at a CloudFront one? And so the fact that it needs to know that additional information, like, it's not hard to give it, but as far as looking at the schema for that resource and knowing the information that you have to provide, and then having some sense of defaults that we can define in Custodian for that, that was a little bit unclear to me, and from talking it over with Kapil, it sounded like that is unclear in general.

A: So I don't know if someone else has worked with this much. I have only worked with it as far as I've commented there.
E: The challenge there is that there's no way to know of these additional parameters, so it's effectively, because it's an API with inconsistent parameters, which makes it consistent as a whole.

E: There is a separate... we currently expose more resources, I think, in that provider than I've done verification on. There's probably about 30 resources that need to be trimmed just on the basis of, in some cases, not all resources support... I'll provide... not all Cloud Control resources support the list operation, just based on the underlying provider implementation not having implemented it. So those still need to be trimmed as well, but I think you're, in this context, exposing an additional case where the provider reports support for it, but they need additional parameters that are not documented.
E: Yeah, I think we would hand edit the JSON, but we would have to do that in a way that the thing that's automatically downloading and updating them is respectful of the hand annotations, like a set.

E: Yeah, effectively, instead of look for horizon in that context, and then additionally, the thing that was trimming it was particularly looking for trimming the full resource model set of the few hundred resources that are there; it was only doing those that the type provider said, "hey, I don't support this." So there would still be this context of we should probably split that list, and actually, or put a gist up and attach it to this.

E: The other thing with the not-supported list is obviously that list will change over time, so it will need to be revalidated periodically. But I mean, I'm still hopeful this will gain us a good amount of support. I think it is mostly, as far as what works...

E: Well, it's mostly things that are on the long tail, and, like, a lot of the common types, like SNS, SQS, EC2, don't work, but some esoteric things like Nimble Studio do work, so, and some that bridge the two, like Lambda, as well.
G: Produce, yeah, I did some testing with ECS services and ECS container instances. I found that the responses for both the services were not consistent.

G: The only other thing I wanted to test was: does it work with Lambda? Because we have a call with AWS lined up where they want to talk about these APIs, and I wanted to make sure I called out those inconsistencies on that call. So I was trying to test it with Lambda, but I didn't get that far yet. I'm trying to, yeah, Lambda...
E: Works. I think the underlying issue with using this versus going direct is that you don't know, some of these providers are potentially doing a lot of API calls. That was another thing: in some cases the list operation was enough; in some cases we had to do both the list operation as well as a get on every resource, and, yes, it's pretty all over the place as far as the consistency aspect there, which makes it useful for those long tail resources of low cardinality, but for any high volume resource...
B: All right, with that, we'll give everybody 25 minutes back. Thank you so much for coming. Good turnout today, so glad to see that you're all enjoying this. If you have any feedback for the meeting, feel free to reach out to me; always trying to make this meeting as useful for you as we can. And with that, thank you. Happy Tuesday, everyone, and we'll see everyone in two weeks.