►
From YouTube: Cloud Custodian Community Meeting 20220913
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
All
right
welcome
everybody.
It
is
september
13th
2022,
and
this
is
the
bi-weekly
cloud-custodian
community
meeting
a
few
announcements
before
we
get
started.
These
meetings
are
public
and
recorded
and
put
on
youtube.
So
please
be
cognizant
of
that
and,
as
always,
the
cncf
code
of
conduct
is
in
effect,
so
please
be
excellent
to
each
other.
If
you've
joined
the
meeting
here,
the
google
meet
doesn't
preserve
our
link
history,
so
I'm
tossing
the
url
for
the
notes
there
in
chat.
Basically,
I
put
together
an
agenda
and
it's
an
open
agenda.
A
So
if
there's
something
that
you'd
like
to
see
us
discuss,
feel
free
to
attack
it
on
at
the
end
of
the
agenda
section
and
we
will
get
to
it
and
after
we
get
through
the
agenda,
we
do
a
little
pr
party
and
go
through
some
outstanding
pr's
that
people
want
reviews
in
or
feedback
from
the
community
that
kind
of
stuff.
Anybody
first
timers
here
that
want
to
say
hello,
no
pressure,
but
if
it's
your
first
time
welcome.
B
A
A
Tomorrowish
expect
to
see
the
cncf
announce
custodian,
moving
into
the
incubation
phase
of
a
project,
so
tomorrow's
gonna
be
a
great
day
if
you've
been
around
for
the
project
for
a
while,
it's
taken
a
long
slog
to
get
there
so
I'll
spoil
the
surprise,
but
the
rest
of
the
internet
we'll
find
out
tomorrow.
So
thanks,
everyone
who's
been
helping.
Making
that
happen,
we're
gonna
do
a
governance
is
code
day.
A
That's
gonna
be
the
day
before
or
the
week
before,
kubecon
I'm
gonna
try
to
have
it
somewhere
in
the
washington
dc
area
the
week
of
october.
18Th
is
the
day
we're
going
to
have
to
do
it
and
it
will
be
a
hybrid
event,
so
we'll
be
doing
streaming
and
all
that
stuff.
The
cfp
actually
closed.
However,
we
have
a
full
schedule,
but
we
have
enough
interest
that
we
might
be
able
to
pull
off
another
track.
A
So
if
any
of
you
out,
there
are
still
debating
whether
you
submit
a
cfp
or
whatever
the
other
people
on
the
side
of
the
cfp
forum
is
basically
me
and
umer.
So
if
there's
more
content
that
you
want
to
present
for
the
community,
it's
always
useful
because
we
are
recording
all
of
the
talks
and
putting
them
on
youtube.
So,
if
anything,
the
more
talks
that
we
can
get
in
there
will
probably
give
us
a
year's
worth
of
content
that
we
could
refer
to
to
ourselves
in
the
future.
A
All
right
I
mentioned
this
last
time
we
are.
We
are
testing
slack
I've
linked
a
link
to
the
invite
page
there
we're
using
a
service
that
will
send
someone
an
invite
they
just
go
to
that
link
and
then
put
in
their
email
address.
There's
a
pr
in
flight
in
the
cloud
custodian
repo
for
me
to
update
the
website
and
the
readme.md.
A
B
B
A
Right
yeah,
I
want
to
follow
along
when
it
does
at
this
time.
This
is
like
the
first
time.
I've
made
a
change
since
you,
you
did
all
that
so
yeah
we're
in
slack
right
now,
I'm
kind
of
posting
both
in
getter
and
slack,
but
I
suspect
most
of
you
will
just
end
up
on
slack
because
that's
overwhelmingly
what
people
ask
for
so
in
the
meantime,
what
you
know
we're
not
doing
a
hard
cut
off
date
for
getter
or
anything
like
that.
A
C
C
So
the
the
idea
is
that
this
this
wraps,
the
defsec
hcl
parser,
which
has
some
context
aware
terraform,
parsing
and
just
provides
us
with
the
the
output
of
this-
is
essentially
a
json
representation
of
that
of
that
terraform
and
provides
us
with
the
ability
to
introspect
into
there
and
and
do
neat
and
interesting
things.
So.
D
I
was
just
gonna
elaborate
on
what
wayne's
just
saying
like
what
this
is.
It's
a
going
extension
for
python
that
versus
terraform,
and
I
think
we
had
looked
previously
at.
We
have
c7
terraform
as
a
package
and
tools
that
will
probably
deprecate
that's
based
off
of
trying
to
parse,
terraform
and
python.
I
think
a
lot
of
the
realization
was
that
it's
really
hard
to
parse
terraform
in
python
well
and
wayne
built
this
out
and
as
using
the
devsec
library,
because
it
actually
does
modular
resolution
it
uses.
E
E
A
F
Sure
yeah
I'll
talk
about
the
signing
first
so
that
I
just
went
in
for
the
new
arm.
64
images
that
we're
building,
as
well
as
the
existing
x86
images.
So
this
is
using
the
cosine
experimental
features.
So
if
you
do
a
cosine
verify,
clockwise
c7n
with
the
dev
tag
you'll
be
able
to
see
that
it's
it's
signed.
F
D
Kapil,
I
just
wanted
to
talk
through
some
of
our
next
steps
as
well
on
this
supply
chain
security-
road,
which
is,
I
think,
something
that
affects
the
entire
industry.
I
think
we
know
sonny's
done
some
great
work
on
getting
us
signed
images
here
and
we,
as
well
as
on
arm64
as
far
as
the
distribution
channels.
As
far
as
next
works
in
supply
chain
security.
F
And
then
I
guess
one
last
bit
on
ci
that
isn't
here
the
aws
functional
tests
bit
of
action
stuff
was
merged.
It's
pending
a
little
bit
of
internal
aws
configuration.
We've
got
to
do
to
get
the
the
I
am
role
set
up,
but
the
functional
test
should
be
available
inside
of
github
actions.
Now
previously
it
was
running
on
code
build
which
wasn't
really
accessible
to
the
community.
F
The
functional
tests
for
aws
are
going
to
be
running
6
a.m.
Pacific
time
I
believe
it's
6
a.m,
pacific
time
or
it
might
be
eastern
time
or
3
a.m.
Eastern,
I
forget
which
one
it
was,
but
that's
running
the
follow-up
items
for
that
are
gcp
and
azure,
which
both
support
the
federated
like
oidc
off
flow
there's
just
a
little
bit
of
a
hiccup
on
it
seems,
like
custodian,
doesn't
like
to
pick
up
the
credentials
with
gcp
on
that
flow.
F
F
It's
been
a
good
amount
of
work
done
so
right
now,
if
you
were
to
run
the
server
and
just
hit
the
just
run
a
get
on
any
endpoint,
you
get
your
list
of
policies
back.
So
in
this
case
we
have
one
that
says
for
all
deployments,
we're
going
to
patch
the
image
pull
policy
to
say,
if
not
present,
and
then
just
run
a
really
quick
demo
here.
So
we
have
a
manifest
here
that
has
image
pull
policy
equals
to
always
on
both
of
these
and
then
so.
F
We
get
a
warning
here.
I
think
the
description
is
is
not
correct,
but
it
says
all
images
must
always
be
pulled,
and
so
then,
if
we
run
a
if
we
get
our
deployment
here,
we
see
that
on
this
line,
our
imageable
policies
now,
if
not
present,
and
previously
in
the
manifest
it
was
always
and
same
thing
here,
there's
some
additional
actions
here
for
labeling
on
an
event
so
like
just
just
like
how
we
have
a
tag:
action
for
the
aws
azure
gcp
providers,
you
can
tag
when
there's
an
event.
F
Additionally,
there's
a
auto
label
users
so
inspects
the
event,
grabs
the
user
that
created
the
event
and
then
adds
the
add
to
adds
it
as
a
label,
and
you
can
specify
the
label
key
as
well.
So
by
default,
it's
owner
contact
like
we
have
for
the
other
providers,
and
that
way
makes
a
lot
easier
to
actually
track
down.
Who
owns
what
resources
in
your
kubernetes
cluster
there's
a
whole
bunch
of
other
stuff
as
well.
A
F
And
then
also,
if
anyone
has
any
use
cases
or
policy
examples,
they
would
like
to
see.
Definitely
let
me
know
you
don't
have
to
write
policy.
Just
give
me
ideas
like
what
problems
that
you're
facing
in
terms
of
sort
of
governance
on
your
cluster
and
I'll.
Try
to
see
if
I
can
make
a
policy
out
of
that.
A
All
right,
the
next
one
I
happen
to
be
hanging
out
with
aj
and
sunny,
and
we
started
to
talk
about
changelog
and
the
conventional
commits
verbs
and
things
like
that
that
people
are
putting
and
I
kind
of
round
about
when
maybe
it's
time
I
should
start
doing
a
skeleton
for
a
contributor
guy.
That
starts
mentioning
these
things,
so
I
thought
I
would
just
mention
that
it
seems
pretty
obvious
like
what
our
verbs
and
stuff
would
be.
A
We
just
need
to
define
that
conventional
commits
doesn't
really
like
enforce
anything
like
per
project
it'd,
be
up
to
us
to
determine
what
those
are,
and
so
I
just
saying:
hey,
I'm
gonna
start
to
work
on
this.
Does
anybody
have
any
feedback
or
if
anybody
has
any
like
style
guides
that
they
like
or
or
anything
like
that?
Obviously
you
know
I
don't.
I
don't
think
we'd
want
to.
You
know,
make
any
statements
about
a
thing
we
just
document.
What
we
have
now
would
be
a
better
start.
A
A
That's
kind
of
like
the
little
spec
I
don't
know
if
the
project
has
always
like
done
that
I
was
just
kind
of
following
what
the
person
ahead
of
me
did.
So
I
don't
know
what's
up
with
that,
but
I'm
gonna
start
defining
that
and
I'll
pr,
obviously,
in
chunks,
so
it'll
be
obvious.
What
I'm
working
on
cool
anything
else,
any
other
agenda
items
before
we
get
to
prs
that
need
attention
or
issues
or
bugs.
D
A
F
C
F
Is
the
other
part
of
it
once
I
think,
once
the
functional
tests
are
done,
that's
really
when
we
could
start
banging
on
it.
Okay
and
getting?
Can
you
work
done
on
that
yeah?
So
I
I'm
anticipating
it
might
be
a
thing.
That's
like
after
governance's
code
day,
slash
kubecon,
just
because
there's
some
prep
I
need
to
do
for
the
the
kubernetes
mode
stuff.
So.
A
B
B
Yeah,
so
that's
for
the
support
for
description,
this
little
misleading,
but
basically
support
it's
called
pre-query
filter
for
rds
code
in
the
when
we
use
the
config
pull
rule
and
a
pre-query
filter
defined
by
the
filter
that
you
know
it
carries
over.
This
described
db
call
as
opposed
to
the
post
query.
Filter
is
when
we
get
the
result
and
then
we
we
apply
the
custodian
filter.
B
D
Yeah
so
definitely
appreciate
the
pr,
I
think,
there's
definitely
something
that
seems
odd
in
some
of
the
conversation
about
using
a
class-based
attribute
here
that
sunny
was
highlighting
in
the
the
running
db,
incense
shouldn't
per
say,
be
running
twice
at
runtime,
so
it's
a
little
bit
unclear
where
this
will
make
there's
something
odd
here.
We
generally
would
never
use
class
data
for
this
type
of
instance
attribute,
and
so
there
feels
like
something's
out
here,
and
someone
wants
some
maintainers
to
have
to
dig
into
it
to
try
to
understand.
E
Yeah,
I
I
I
got
a
ping.
I
didn't
notice
this
one
when
it
came
in
but
steve
gunn.
I
got
a
ping
from
there
and
I
started
to
look
at
it
and
I
also
noticed
that
the
way
that
the
way
that
it's
written
right
now,
it's
it,
has
a
filter,
block
and
we're
doing
name
value
pairs,
and
it
seemed
like
it's
kind
of
mirroring
what
we've
done
with
the
ec2
on
the
ec2
resource.
But
in
that
case
it's
more
key
value.
E
So,
instead
of
having
a
filter
block
with
name
engine
value,
mariadb
you'd
have
a
query
block
and
then
like
engine
colon
maria
db,
just
for
consistency,
so
I'll
have
a
look
at
it
too.
I
know
sunny's
already
taken
a
crack
at
it,
but
I
mean
it
seems
useful
to
have
we'll
just
have
to
go
through
it
again
and
try
to
make
sure
it's
consistent
and-
and
the
second
call
does
seem
weird-
I
haven't
looked
in
enough
to
see
why
that's
doing
that
yet
but
worth
saying.
B
Yeah,
this
po
is
pretty
much
for
the
when
it's
used
combined
with
the
configural.
If
we
simply
making
the
rds
the
prequel
filter
is
not
really
useful
for
for
many
cases.
It's
just
that
when
we
have
a
config
rule-
and
let's
say
you
want
to
audit
the
oracle
instances
where
your
account
will
you
have
a
hundreds
of
mario
tv
in
the
postgres,
everything
will
show
up
in
the
config,
which
you
don't
you
don't
care
about.
So
that's
for
that.
D
G
D
D
D
B
D
But
annette
isn't
shouldn't
be
doing
an
api
calls.
We
generally
do
calls
in
process
and
when
we're
actually
processing
like
the
policy,
instantiation
itself
is
supposed
to
be
a
flywheel,
but
it's
not
so
we're
actually
processing
that
we
should
do
any
api
calls
because
you
may
want
to
do
a
policy
validation.
Let's
say
as
an
example
without
doing
api
calls
inside
of
ci.
D
H
G
G
With
this
we
need
the
ability
to
not
just
do
matching
on
the
exact
string.
So
I
think
the
question
here
is,
you
know:
do
we
want
to
go
full
regex
support
or
just
glob
wild
card
matching
kind
of
thing?
The
implementation
here
is
to
use
full
reject,
support
computers.
As
saying
you
know,
maybe
we
can
just
do
glob.
Instead,
I
think
for
our
use
case.
It
doesn't
really
matter
either
way
works.
Fine.
I
think
it's
just
a
decision
we
have
to
make
here
to
to
move
forward.
D
G
H
H
G
D
Yeah
I
mean
you
can
also
directly
do
the
policy
names
literal
here.
If
you
wanted,
you
say
that
again,
you
could
also
do
the
policy
name
here,
the
literal,
if
you
wanted,
even
with
blob
like
if
you
feel
like
it
might
match
more.
I
like
it,
I'm
very
curious
for
the
use
cases
where
and
I'm
sorry-
I
haven't
read
this
recently,
so
I
see
some
comments
from
last
day,
but
if
there's
a
use
case
where
the
glob
is
going
to
match
more.
D
H
D
H
G
So
I
guess
this
question
for
the
team
is:
is
it
recommended
to
her
to
to
mess
around
with
recorded
data
files?
For
for
me,
I
tried
to
not
to
do
that
before
simply
because
you
know
hey,
that's
the
record
data,
I
try
not
to
modify
test
and
test
data
just
so
that
things
will
pass.
I
try
to
get
things
as
close
to.
I
guess,
what's
out
there
as
possible.
F
Yeah,
we're
not,
I
mean
the
to
ask
here,
isn't
to
modify
the
test,
the
the
data,
so
the
test
will
pass
anytime.
You
have
a
significant
line,
diff
like
here.
It's
like
16
000
lines.
Most
of
the
data
there
is
redundant
really
like
we
do
this.
In
other
cases
like
with
the
service
quota
stuff,
like
that
one
was,
it
was
like
over
a
hundred
thousand
line
div
which
we
cut
down.
D
G
G
D
F
G
F
G
E
E
Actually,
on
that
note,
I
I
took
a
very
quick
look
at
this
one,
and
I
was
just
I
noticed
that
there
was
some
manual
caching
going
on
and
an
api
calls
for
describing
those
parameters
where
we
have
a
top
level
resource
for
rds
cluster
parameters,
and
I
didn't
know
if
we
could
use
that
like
in
a
resources
call
so
that
we
didn't
have
to
make
those
explicit
calls
and
and
manually
handle
the
caching,
not
that
I
want
to
jump
in
and
say
rewrite
your
pr
after
30
seconds.
Look
look
at
it.
E
E
G
E
G
A
D
F
F
F
D
10
cents
been
contributing,
I
think
we
still
need
a
readme
just
and
especially
just
the
base
provider,
and
I
think
some
vms,
but
it's
been
making
progress,
and
all
that's
looking
also
be
doing
that
as
part
of
this,
that
thanks
just
provider
as
part
of
this
release,
but
it's
still
pretty
basic.
It's
mostly
just
pull-based
evaluation
architecturally.
We
can
do
serverless
account
response
in
this
provider
as
well,
whether
or
not
that's
in
scope.
A
E
Yeah
this
address
is
an
issue
that
came
up
in
the
last
release.
Where
we
have
we
just.
We
need
to
be
able
to
determine
a
bucket
region
and
specify
that
for
our
output
buckets
and
in
certain
cases,
cross-account
cross-region
stuff-
that
account
no
matter
how
many
permissions
you
try
to
add
that
that
action
is
going
to
get
denied.
E
Just
because
of
other-
and
I
know
a
producer-
isn't
on
the
call,
but
he
mentioned
that
there's
there
is
some
confusion,
sometimes
working
with
s3
because
being
a
global
namespace,
but
needing
to
do
some
operations
with
within
the
region
where
the
bucket
lives
we
run
into
some
weird
issues.
So
this
may
be
helpful
in
other
places.
A
H
Quick
question
so
for
just
coming
back
to
that
raf
v2
support,
or
you
know,
regex
or
glob
filtering,
so
we
have
that
for
that'll
support
cloud
formation
and
also
alds.
We
want
to
also
add
support
for
appsync
and
api
gateway.
So,
like
the
rest
stage
resource,
we
did
notice
an
issue
with
the
rest
stage
resource
the
way
it's
showing
up
in
config
like
basically
the
way
the
state
stage
arn
is
getting
generated
or
something
so
we'll
have
something
else
in
for
that.