From YouTube: Cloud Custodian Community Meeting 20220621
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
All right, everyone, welcome. The date is June 21st, 2022. This is the bi-weekly Cloud Custodian meeting. As usual, we're following the CNCF code of conduct, so please be excellent to each other, and please remember that we do record this and post the videos on YouTube for the public to see. I've gone ahead and tossed the URL for the HackMD document here. That's where you find the markdown notes for this document, and has the agenda and all the things that we will be discussing today.
A
Kapil is at the FinOps conference in Austin, so the Wi-Fi and audio there isn't conducive to long conversations. So we'll try to do the best that we can with that, and let me just share the notes here, makes it easier for people.
A
A
All right, we'll just go with this, then. Okay, introductions: anyone new that wants to say hello? I recognize most of you already.
A
And I want to say hi. Looks like we got everybody. First thing I have for the group is the Cloud Custodian workshop at SCALE. That is the Southern California Linux Expo, I think, is what that stands for. It's been around for a while. It's community driven, a lot of cloud folks there. So I'm heading over to LA at the end of July, and I put a link there to the session.
A
Sonny and I are just gonna do a 90-minute workshop, so people have AWS accounts, you can show up, are going to go over some of our fake, some of our favorite policies, you know, the anatomy of a policy, and go over some best practices and, generally speaking, just hang out the conference and help, help people. So if, if you've got a co-worker or you're close there and you want to stop by a SCALE, is rel, it's very cheap because it's a community run.
A
So I want to say 50 bucks, something like that. It's, it's not that expensive compared to most conferences. So if you're interested in that, let me know so I could bring you a Custodian t-shirt, and that's all, that's all we have for conferences.
A
Obviously, if you're in Austin, Kapil is in town, if you're going, if you're at the Open Source Summit or any of that stuff. And that was really the only announcement I have other than some release information. AJ, I don't know if you like, just want to give us a status report, or are we opening a bug to look at, or, or what here.
B
No, I don't think we have a new status. I just, I had a published a release to test PyPI last week and just being ahead. I know some, some orgs had off on Monday and just generally hesitant to push a release, my first release to push, on, on a Friday. So just hold until today, and then after the call of folks are around, we can stick ahead, go through the release checklist, and you all can poke holes in, find any steps that I miss along the way. Awesome.
B
So when are you gonna do this? This is 74.92, right. Oh, that was merged, so that, yeah, yeah, that was merged in, the dependencies, the version bump. And I know british, is on the call and had, so anyone who is trying to, until we actually have the official 917 release, if anyone's trying to do anything with building sub projects, they're all going to depend on this release version, this new release version, which is not yet published, so we're in a bit.
C
C
That, that was something we figured. You said you're gonna push it to PyPI on Tuesday, that's today, right? That is today. No really shows found with the release.
A
A
Moving on. Questions looking for eyeballs: so as, as I showed last week, we now have GitHub Discussions on. That will take you to the GitHub Discussions area, and we have three new questions that I'd like, if you have a chance, to take a look. Someone's looking for a GCP periodic examples that they can't seem to find, so there you see Sonny's already started to try to help answer, and things like that. So if you want to take a look at those, we would appreciate some eyeballs there.
D
E
There is one use case where Lake Formation allow any third party in engine to read and filter the data stored in S3, which is associated with Lake Formation, and you can in the, in that filter, you can just put your account ID and basis on that it will allow, disallow, so you can filter the data. And I think this can be achieved cross-account filter if we implement that filter, and for that I think we can add Lake Formation to Cloud Custodian with this filter.
F
So I, I didn't know if there's a new PR here, but like I was there, it's, there's a lot of interesting cross-account and, like, Lake Formation can mean lots of different things, because there's access roles as well. I think the core use case that you had was around S3 buckets, and I think that, I think, would make sense as a separate, like, lake cross-account filter on the account resource itself.
D
F
We can underneath the hood go, you know, look at all the S3 buckets that are in the account and cross index to the ones that are Lake Formation resources. Potentially over time we could add some additional capabilities that are in the Lake Formation settings. I mean, there's quite a few there as far as sharing and EMR access cross-account and other things, and I think we'll just, that'll give us a, an anchor point to grow over, to grow into over time. But you know, on the, your core use case.
F
I think that would probably be the best fast forward that we can expand with.
F
Yeah, I was thinking like a Lake Formation, sorry, a lake cross-account.
F
Filter on the account resource would let us address it, because it doesn't feel right to model S3 buckets as a Lake Formation resource, but that the service itself doesn't treat those as resources either, right? Like, if you look at the tagging API for Lake Formation.
F
F
To reformatting it, but just get the capture for the group.
B
Yeah, that, it did seem like there were layers of it. I mean, I started looking into some of this and it looked like cross-account could mean you've got Lake Formation in one account, registering an S3 bucket as a resource, and that S3 bucket lives in another account, or it could mean you're using EMR, like Kapil said, and that's.
D
F
And there, there's even more stuff there as far as like the IAM roles that have access into the lake as well. So there's, there's quite a bit there in those settings, but because it's a global object, it does make sense, I think, to just model it onto lake cross-account, and we'll have some of the same core primitives that we do from a commonality perspective with the other cross-account filters.
F
But the underlying implementation will be quite different, because we'll try to use the same high-level abstraction over a bunch of different underlying capabilities.
E
Right, yeah. Do we have any existing example where we have achieved this kind of thing?
F
No, we don't, and then this one's going to be quite a bit different, I think, than existing cross-account, because what we're going to do is take. Maybe we do, take that back, perhaps, maybe, maybe cross-account on, you know, images. So in this context, what we're, for the core use case around making sure there's no S3 buckets there that are from our different account. Sorry, I'm going to try to get to a fireplace. For the core use case.
F
It would be sort of like grabbing the S3 resource manager, grabbing all the buckets, making sure they're, grabbing all the Lake Formation resources, doing the intersection, finding any that are not there, and that would be sort of our first pass at it. And then over time we would grow into some of the settings capabilities and, as we understand them, to also do checks there as well.
A
All right, awesome. All right, now we have the list of PR, incoming PRs and things like that. The way this works is, if you want to discuss it, either tell me now, or you can just add a little explosion symbol next to it, colon boom, and then that's, we'll just go top to bottom. So we just finished shinies. This one here, 7 500, config poll rule fix.
D
Yeah, this is from my team. I can help talk through this. One minded by presenter screen sharing mode, absolutely.
D
I, it's not allowing me to share. I never figured this out.
D
H
D
A
Okay, we'll go to 74.95 and then come back to you, all right? Unless 74.95 is yours, no? CloudFront update distributions needs web ACL ARN.
B
Oh, that, that looked like a quicker one. That looked like Harish had the original implementation. It looked like it was looking at the, the ACL ID, and that was how it, how we needed to pull it in with e1. It looks like in my v2 it needs to look at the ARN, so we made that update. That looked fine. Look like, Kapil, you would merge that in, so that, that checked that for you too, I guess.
F
Yeah, I didn't functionally test it, but yeah, it made sense and it was just, you know, the one, the diversity two different setting to be accounted for. I think after he was doing some internal testing.
B
I would say that this, the only other point I have on this one is that this is the only commit that has been merged in since I did the test PyPI release last week, so I would plan to include this also if we're gonna do a release today, but that's the only daily new change. Sounds good.
A
All right, moving on. 74.92, this was just us discussing bumping all the dependencies and things like that, which we already went over.
I
It seems useful. I, I've also seen similar syntax with Terraform's use of the TF_VAR_ environment variable.
I
There was some discussion in the PR, I guess, the utility of it, but the original PR poster did not contribute, did not want to really discuss the different meaning, but curious if anyone else had any other use cases for it.
B
Yeah, I didn't get beyond sounds neat, I mean, looks useful. Having an extra way to provide dynamic values seems cool, but that's as far as I looked.
A
F
Yeah, my only, I don't have an objection. I think it's super useful for a variety of reasons. My only question would be, do we have a non-environment variable way of doing configuration? We, we had toyed around with doing a vars file per se. We just haven't figured out.
F
We haven't wired it in. Because it's using the environment variables, it's able to bypass a little bit and goes directly to the variable extraction in the policy. But I, I think it's a useful capability. Is a change on public interface and overall capability, so I just want to at least make sure that we had it discussed in the, in the, in this meeting, which is my comment on the PR as well. But I think, generally speaking, you know, hey, variables, good, keep them out of policies, simpler, yeah, but generally this is a good thing.
F
Now this is distinct from, so historical context: we have a vars section in our policy file format, which is mostly for ammo, yeah, sorry, YAML anchor reference. That is really not a variable to Custodian, because it gets substituted in before, before a, via the YAML parse. This is a separate notion of consuming, actually has some actual variables, and we have some auto variables that we inject. Being able to use your, extend those per se for additional ones, and that generally seems like a useful capability.
F
The only additional consideration was whether or not we also expose that via a vars file. That doesn't have to be part of this PR. I think that they're independent topics. It's just a question of flushing it out, so that it's addressable additionally beyond just environment variables, being able to pass images on file variables that are defined. Now in c7n-org, this is already extended as a capability. It's just not exposed through the regular Custodian CLI. In c7n-org, in the accounts file, you can define variables that get used for policy interpolation.
B
B
F
F
B
Cool, yeah, I think the, the precedence there is interesting too, like if you've got, if you define something as an environment variable and then you run it with c7n-org and you've got the same variable in your, in your setup file, like we just need to make sure that we sort out the precedence there and, and that's documented and whatnot.
F
That's a good question. I think the c7n-org would interpolate first, so that would probably have precedence.
F
A
F
When the, when this video is not like, as far as what, what is the, what is the correct order of variable interpolation, and open discussion. I would think generally treating environment variables as the least amount, well, actually. Well, it's open questions. I can see both use cases, like which one, like, if you're stacking variables and you're overriding, does explicitly configuration always trump, so to speak, and that would be, to be, you know, CLI variables file.
F
I think in that context, and then in the context to send an org account cml as well, and then in the context of the default, it would just be the environment variables, or sorry, the lowest layer, so anything on the higher levels would, would override. So I haven't.
I
I
But in any case, just making sure we have it written down somewhere, maybe even in the CLI, in the help text.
F
Agree on documentation. I think the notion of explicit parameters trump environment variables is a pretty, it's fairly well established, but so, but at the same time, yeah, open to ideas. But I agree that your overall beam on whatever it is, let's document it, and AJ's got a PR to some extent. That's, at least I'll unblock, have a section for at least documenting variables, which is a good start.
A
Never enough. I actually, today is my one year anniversary of joining Cloud Custodian, so wow, yeah, we're celebrating today. All right, anything else left on 7465?
A
All right, and then I'll post a link to the video notes. You know, hopefully, I know that's not a native English speaker, but hopefully that might help move the conversation and the PR forward. All right, with that, that, that's the last PR that's been marked for discussion. Darren, I hope you're. Does your.
D
A
Is it working? Real quick, David, I'm just gonna put the URL to the notes in the chat there, if you want to follow along.
D
So yeah, let me set up the context on the issue that we run into here that we submitted the PR for. This is for config poll rule mode. The problem is, so the policy will run, it will identify certain resources as non-compliance, as you can see here, right, and, and we submit it to AWS Config. The problem is, suppose the user then decide, oh okay, I don't want to fix the, the resource, I'm just going to go ahead and delete the resource, the bad resource, and then the next time the, the policy runs.
D
It just doesn't do anything. It doesn't do any cleanup, because all it does here, it looks, basically we're doing a, a list of all the resources and then determine if they're bad or good and then submit the, the evaluation, but it doesn't handle the fact that resources are now gone.
D
This is not an issue with the event based rule one, this Config rule where we actually.
D
Not exactly. So there's two lists in Config: that's the, the main, the main list, another resources tab, and then there's also the list of the resources under the, under the Config rule. The main list gets cleaned up automatically, but the list inside the Config rule, it doesn't get cleaned up automatically. So here we actually have code where we check that the event is coming from a resource that's been deleted or, I think, event lab scope. Then we explicitly send an evaluation, say.
F
So to resolve this, because sorry, this is an existing PR, maybe I haven't seen it yet already, but the, I mean, for config-poll-rule mode to do out of band deletion of the resource and for us to clean up our evaluation, it would generally mean the next time we evaluate, we have to pull all the evaluations against that research.
D
D
My team member, this is what he does: he, before doing the, before submitting the evaluation, he does a delete of all evaluations on that config rule, so basically doing a cleanup.
D
My comment for him was that this seems a little bit heavy-handed in my opinion, and it also introduced the fact that, hey, actually, let's open up the code here.
F
F
D
B
And I think that's it, that it wouldn't, if you're doing a poll, then it would only show active resources and then it would show compliant or not compliant based on that, so the delete, it, like, I think, like Darren saying, it does feel heavy-handed. It seems like it'll work, but you're thinking we'll do like a differential instead? Oh.
D
All the results, and then it's submit, whatever the existing code is after it would then put evaluation for whatever is currently out there for non-compliant, and so yeah. For me, this is a little bit too heavy-handed, and this also introduced a case of, hey, what happened if, let's say we delete this and then when we try to do the put down here, let's say this fell for some reason, and all of a sudden we're in a bad state.
F
F
F
Yeah, I don't know, I think I'd rather deal with the high cardinality scenario as it comes out, but doing the pulling all the existing evaluation results, figuring out which resources on the set we didn't actually see, and going ahead and following, deleting the individual results, seems like the right thing. So it's sort of a delta sync. Yep.
D
So that's, that's what this, I haven't submitted this PR, and that's why I wanted to share my screen here. This is, I think it's a better approach, is, instead of doing the heavy-handed solution of just wiping out all the evaluation for that Config rule, this will try to figure out what it actually needs to, to clean up, and to do that, we can make this call right here.
D
This API call, get compliance detail by config rule, so we only need to look up the evaluations that specifically belong to this Config rule that, that we are evaluating here, and then from there we can compare this list, what resources it currently have, with the new list, and then we can figure out what needs to be, to be, to be deleted, to be removed. Yeah.
F
H
Yeah, is all code that I need to use categories.
F
No worries. I think we just want to like sort of keep the ARNs, the ARNs, the resources we are processing as a set, and then when we pull the ultimately current evaluations, we're able to intersect that list and then do the deletions against it. So we just need the resource ARNs in that context, from the evaluations.
F
What that means: so, when we go to process the, we've got to do a poll rule mode, we basically fetch all the resources, we evaluate them, we do compliant, non-compliant. As we do that, we can build up a list of ARNs for those.
F
H
B
Orange, right, the Config generally uses the ARNs, the ID. Where I have security up. Okay, can we implicitly use the, the finding filter, which probably already has the pagination and all that junk built into.
B
Oh yeah, my mission together, you're right, or, but do we have a, we do, have a compliance, I'll.
F
It's a little bit different than that, because oh cubic compliance is doing pro resource API calls. In this case, the containing set that we're bounding, scoping to, is the rule itself.
C
F
Yeah, because, like, the configuration is designed to go against arbitrary rules, let's say, and in this case when we grab the set for the world and the, the policy that we're executing in. But Darren, sounds good. Like, I think they approach the sound.
D
So yeah, I'll go ahead and tell my team member to update using this approaching, skip, and yeah, opening up a code, that's it. And then outside of this PR, I think I have another PR follow-up on this one, CIDR support for this subsider. I believe the follow-up item was for Kapil to reach out to.
F
Want to resurrect this PR, and I think it's missing, yeah, I feel like.
A
F
I think there were some other folks from york that were doing some network stuff, network wrap filters. Maybe except, or maybe that's a different group, I don't know. Perhaps it was a different group, but those subnet filter, it was like public subnets and cross, cross ac nets.
F
The subnet rap stuff has down merged via different implementation, and I think we're waiting on the cross-AZ NAT routes to, to be resurrected.
B
All right, heading back to you, George. Maybe not. Oh, okay, all right, George! I, I do have, it looks like, so we've gone through the booms, right? We've, we've covered the booms, yeah.
B
B
Going to potentially add one boom only because, Stephen, I, I see you on the call, and I know you had reported that one about the season. I.
B
B
G
B
Yeah, and I think Kapil identified the issue here. So it was, we, I think we were having a different issue a while back: people were running c7n-org against all regions, and there were differences across accounts with the way that we had opt-in regions. So you can lock a region per account, same thing. We made that change. It broke this case where you've got a c7n-org file that has accounts that don't work, where you've lost the access. Yes, thank.
G
J
J
One, oh sorry, one, one topic, what's around the GCP periodic stuff. So long story short, the, seems like the GCP periodic mode has bit rotted to some extent, with some changes that were in place on the GCP side of things.
J
Yeah, just so, for, yeah, anyone that's looking into using that, it is. I have a PR that addresses some of that, but the main, one of the main points on that one is the addition of a required field for service account, which will be a breaking schema change going forward. So whenever.
D
F
Given that it's, well, I don't know, because it's already broken, right? Like the service provider changed the API or changed the default behavior underneath the hood, so it was already broken. So I don't, like, if we do, if we require a new field per schema, just because it wasn't required before, it doesn't mean it was actually working, and the ede.
F
So I don't know that I wouldn't necessarily consider that a breaking change on our part, or just matching, we're just fixing something that was broken due to a provider touching out, maybe becoming broken at breaking compatibility themselves.
J
J
F
C
F
J
F
Think there's a GitHub issue somewhere around it. At least one. Yeah, gotcha, looks like you're right.
J
Yeah, hopefully we can get that resolved. The, the other question was, there's a bunch of other cloud function based modes as well. I took a quick look, it doesn't seem like the pub sub sync ones are affected, but I don't know if anyone else has any other contacts on. So you.
H
F
So what, we have three modes there. I mean, almost everything in the, pub sub based underneath the hood at some point, with the exception of HTTP trigger, which is the periodic motion.
F
Now it's also worthwhile noting that periodic also supports event, also like isn't broken per se, if you're using pub sub for it, because periodic, it's GCP periodic support HTTP trigger, as well as pub sub trigger. The event modes should be fine, because those are pub sub based. The, which additional mode are you referencing? Like Cloud Security Command Center, or, that's more of an action.
F
F
I'm not sure how to describe, it has layered vocabulary on top of pub sub in the form of Eventarc, but that would be a new execution mode per se. I think this is really just specific to periodical HTTP trigger.
D
I do have a question for Kapil, since Kapil mentioned that he's at FinOps something conference.
H
It here was that, oh yeah, it was a woman, oh woman.
D
Okay, well, the reason I brought it up is because, right now we are using Cloud Custodian, but like much, much older version of Custodian, for some of the, what we call cost optimization, I would say, data gathering. I would say we kind of misusing Cloud Custodian. We have custom code, as you know, we're trying to migrate away from it, but in the custom code we have a lot of custom code that collects data which we would then use for what we call waste sensor to determine.
D
Okay, these things are not best configured, and then from there we then generate reports on how to better optimize our usage of cloud resources. So I'm just curious, you know, do you have any plan of vision on what does Cloud Custodian do in the realms of cost optimization beyond what is currently supported right now?
F
So right now, like, if I look at the ops matrix, we're doing governance, we're doing research utilization, we're doing, you know, policy enforcement. I gave a lightning talk and there's a.
D
F
Sorry, there's a working group around automation in finance. A lot of talk, talk on that. A lot of what we do is allow you to take a cost policy that is not amenable to.
F
Was that thin devops? I think they call it, where, where it's something that you can do sort of pipeline based, where it's a, and the, in the interesting part around FinOps in general is that a lot of it is utilization based, which requires history, which requires deployment, which is evaluating what's already in the environment. In that context, so I mean, where does Custodian excel? There's a new phrase.
F
I heard yesterday: zombie resources. So we're great at figuring out zombie resources, we're great at figuring out underutilized resources, we're great at implementing policies around, you know, getting rid, around instance type modernization or switching out to Arm, or, you know, workloads in this environment should be spot based, and so we helped do some of the enforcement on policies per se there. You know, there's a lot of other things in FinOps per se, from forecasting. I'd like to see some additional growth in the budget alert setting.
F
The, the, the working group, the automation working group and FinOps Foundation, is really just defining a set of vendor neutral use cases that should be automated, and as that list gets compiled, I think we'll try to tackle them as first class use cases within Custodian itself, as long as they're not like workout unit economics, which I, I, it's an interesting group, because it's a mix of finance and dev, and so when they start talking about that, I'm like, I don't understand. Please, please.
F
Please explain. You know, it's really just a very business specific unit, a metric to understand what your cost is for delivery of service per se on, on whatever you're good, you're good to be sold. As you know, I think Pearson gave an example of delivering a course online: what the, what's the cost of doing that per se? Now we wouldn't per se play in some of that space, but I think anything around the infrastructure space where it makes sense. Like, say we automatically create budget alerts for everything that has a resource group.
F
Let's say there's potentially value there, and so, you know, open to, I think, around a lot of the automation use cases around resource extent, the environment, we can play very well and help, be helpful for, for organizations. As far as new capabilities, and, you know, open suggestions, and, you know, if you, if you could classify some of the extensions that were already done.
F
You know, they've been nice, so maybe just follow a set of GitHub issues and we can tag, all we can add a new tag for FinOps per se to, to make those classified, so we can have a separate roadmap for sound finance use cases.
D
Yeah, from, from outside, like I said, the, the, what, what we have been doing mostly is we're using Cloud Custodian to detect.
D
Data, like you said, historical data. We need to be able to then keep track, and then, from there on, we didn't do additional things based on the correct data, but yeah, I'm just curious as to if Cloud Custodian can do some of that things too, but then just using it for products.
F
I think we absolutely do. I think, you know, a lot of the utility is around metric filters. Now, if we have to maintain a separate data store, that's potentially.
F
Because that, that speaks to potentially different use cases, so I think we just want to collect the use cases, which is what the working group is doing today. If there's, when I love the chalkboard, I encourage everyone who was there, because there were lots of people doing lots of different things, from RI rebalancing across, you know, subscriptions or into like, I start, reserve instance purchases, rebalancing to, is in lots of different use cases, so definitely want to try to support that.
F
I think there's a open question on what are these cases that we don't do today that are in our wheelhouse, but also being perspective, the fact there are some use cases that are not in our wheelhouse, and, and not drawing the line there. As far as, like, you're talking about anomaly detection.
G
F
Abilities also, the original creators foundation.
G
So we use them for, we gamify across our divisions compliance using Cloud Custodian and outputs for, like, under utilization. Now we're using it for sustainability as well. But yeah, there's some cool things I've thought of, you know, that could go well in Cloud Custodian, like the API stuff that calls the, the offerings, the, you know, the big giant catalog like EC2 or whatever from AWS. Be kind of cool if you could, we could somehow merge that, because right now I just, I write code that just mixes it all together, but.
G
F
I mean, there's potentially some ability for us to do, like, it might be interesting to explore. Like, I've looked at some other tools in the space, like can per cost, which does up the pricing API endpoint. But there is, the raw data for the price books is ginormous.
F
It's not actual as well. Yeah, you know, how do you start a fight in the airplane? That's the person next to how much they pay for the ticket. Yeah.
F
Cloud per se, and unfortunately, on the price, the discount for larger organizations, it's applied, it's, it's a post, it's a end of month, post build sort of application, and so you have this like weird retro effect. But I think there is definitely value per se in what you're referencing, which is like, hey, I don't care about that, it's list price.
F
It's just a question of whether or not that would be an external service. Would that be an external data set that's normalized and queryable? Does that have to be, like, is that something that's easily deployed, so to speak, in a, without relying on SaaS of some form, or net, or even a shared S3 bucket, because that creates risk on deployments per se. So definitely open to it, just trying to figure out what the way to do it is that.
F
Is resilient and respectful for organizations that, you know, are deployed in GovCloud or, right? Some.
G
F
I mean, if you have a specific set of use cases that you'd like to see beyond, like, I think what I heard there was pricing.
G
Yeah, what I do now is I just pull that stuff, separate API, jamming into like SQLite and then cross everything, but if you could do it all in one, one YAML, you know, that would be really cool.
F
I mean, it might be worth opening up a discussion just to brainstorm on this topic as well, just to like see what, what are the different things we can do, because we get into those, there's region specific pricing, there's, it's, you know, the inside price error root dam, the configuration pricing, then there's usage pricing, so to speak, and usage pricing for us would be matching up to a metrics filter, like it gets.
F
D
F
And of course, then this capability, so like, then you could do a cost filter. The other.
G
G
The, yeah, specific to the company, to the, to the account. So maybe Custodian could create an Athena table off the CUR and, and converge the data between the output of its Custodian and then the CUR for that particular company. Then you're all one data source, right, you're not.
F
D
F
F
Carefully considered, because it changes a lot, has a lot of implications downstream for friend users. Yeah, the, I mean, the closest thing we get to doing a staple operation over multiple steps is encrypting EBS volumes on each EC2. In this case, it would be like a long-running data store external, which would be potentially interesting, but definitely something to, to do cautiously. As far as how we approach it, I would probably say, like, there are dedicated tools around vr stuff like in this context.
F
I would be looking at what fits in our wheelhouse is more like, hey, let's use the Cost Explorer API to go and do an intersection against this resource tag or something per se. I think, I think a first good start approximation might be trying, like that would get us. The space might be looking at setting up budget alerts per se.
F
F
G
There's also, and also the sustainability, you know, I don't know if you've seen it, AWS put out some kind of crazy carbon tool. It's, it's, it's not real good because it doesn't take in your resources or tags or anything like that. So you can't break it out into anything. It's, it's kind of like an overall green thing, but maybe that has future of, you know, like Cost Explorer but green explorer or something like that. Yeah.
F
There's ever working in a sustainability working group as well within FinOps, but I mean, yeah. I know there's a couple of different tools that AWS has been, more on the solution space, I think, than product space, let's say, yeah, has been putting out there. You know, it's definitely a game to explore and see where we can go, and just, I just want to make sure if we are going to take on the stage store that we are mindful of how we message that, because it changes some of the operational aspects.
F
If you use that particular capability, then it would be different than other filters and other capabilities per se. So just, yeah, that.
B
Good, good. The reduce filter, you're thinking like we can say just show me the ten, ten percent most expensive resources or something by raw cost? Well.
F
So, if we're, if we're doing, so, if we do the group thing, if we do able to get an aggregation and say by tag, then there's definitely capability to use Cost Explorer to add in an additional, I guess, having clause, to use a SQL analogy, on the group by, where we use cost as the filter per se, like show me all my applications that are spending more than ten thousand dollars or something.
A
B
People want to hang out, do a release? That sounds, sounds like good fun. Yeah, keep the recording rolling. You can all, yeah, like I said, poke holes in anything or, yeah. Actually, things go off the rails.
A
Yeah, I'll stop the recording and I'll start a new one, so we have them both on YouTube separately, and then that way, that's gonna consume what they want. All right, with that, everyone, see everyone else in two weeks. If you're hanging out, feel free to hang out.