From YouTube: Cloud Custodian Community Meeting 20220215
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/cloud-custodian/community/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
All right, welcome everybody. The date is February 15th, 2022, today, after Valentine's Day, happy Tuesday, everybody, and this is the Cloud Custodian community meeting. As always, we do record these meetings and put them on YouTube, so please be cognizant of that, and we are under, the code of conduct is in effect from the CNCF. So welcome everybody.
A
A
A
We do not have any for this month, for February. We're going to have two in March, that's March 8th and March 9th, and if you click through on the notes here, I've got the URLs to both of them there if you want to sign up, and they have the descriptions there. So the first one's the introduction to Cloud Custodian, more of a high-level conceptual workshop, and the second one is a 101, and Liz is raising her hand, probably to add more detail.
B
Yeah, there's the, yeah, so there's the workshop and the 101 and a 102, and the 102 is on the 16th. It's also, if you go on the Livestorm, I believe that's what that platform is called, it should be on there and...
C
B
Yeah, in that webinar we will be covering c7n-mailer and c7n-org. So if you are curious about what happens next after you've figured out, you're like, I know what a policy is and I've run them and I've got that working, now what? This class is for you.
B
A
B
Subject matter that matters the most, I think, and so yeah, so we'll be covering c7n-mailer, and how that works with the notify action, and c7n-org, and how you use that to run Cloud Custodian across multiple accounts, so we'll be doing that. Yeah, and there's more info. Nice. The...
B
A
Workshops in March, as always they're free of cost, but we do ask that you click through to register, so we know how many people are coming in, that sort of business. So all right, thanks for that. Anything else workshop related?
C
One question that I have: you gotta have plan or ideas on workshop for people who actually want to contribute? For example, me, right now, you know, I'm adding in PRs, but as kapio pronoun, oh, you know, you should do a thing this way, what about caching, right, you gotta, forgot to do caching. So those kind of things will be quite helpful for people like me. I don't know what the demand for that is like, but yeah, definitely on my team and from Intuit.
C
You know, there are going to be other people besides me who will be contributing, and we want to do it in a way that will keep the code in high quality, as you guys would like it to be.
B
And so I just want to make sure I understand your question. So what I am understanding is you are asking about classes that are more like workshop, where it's like, this is my use case, how would I do this, kind of...
C
E
How to contribute, so to speak? Oh.
E
So I am tentatively planning, and sorry to hijack on an agenda, George, but I'm standing planning for us to try to do a contributor sprint at PyCon.
E
So right after PyCon, there are typically a few days set aside for any project that is interested to get a room and effectively have people come. It's free, there's no, you don't have to attend PyCon. You don't have to do anything as far as paying to attend. You do have to figure out your transport. PyCon is in Salt Lake City in...
E
April, so this looks like it's the first two days in May. I think it's, the sprints this week, this year, only like two or three days, and I think that sort of information flow with regards to developer workflows and contributing is really best done in person. I definitely think there's value in trying to, like, encapsulate or talk through some of the philosophy of Custodian, try to get recorded or documented, but if there is, we have historically done these, we've done a few of these in the past.
E
Obviously, the last few years, not been the case due to circumstances outside of our control, but looking to do that again, starting this year, at least for PyCon. I'm not really willing to commit to other dates, just based on external factors per se.
B
Yeah, I absolutely agree, and I think that's a wonderful point, Darren, and yeah, that is something I'd like to develop further because you're not the first person to ask about this. So yeah, yeah, we'll keep that, that's something we'll be working on.
A
All right, and we do have some unfinished business from last time, so I put Darren's PR up top therapy if we want to go over 70 29 here, real quick.
C
E
C
So this is to add manage config rule and...
E
It's actually one policy. It would be, the notion, this is like having, what do we want as a filter for enabling the action? In this context, the action is not against a resource that exists, so it's a creation resource. Therefore, it's against the account as a virtual resource, effectively, and then, but from a detection perspective, we do want to have the detection against something. We already have config rules as a resource type.
E
The account has a special case for this, which is a missing filter, which basically fires when something doesn't exist. Basically, it's like an embedded policy within a policy. You haven't seen the missing filter, so it's like, how do I, the missing filter on the account is useful for a lot of different cases. It's effectively, how do I assert the existence of something that doesn't exist? Generally, when you think about Custodian policies, you're basically finding all the resources and you're filtering the things, that's something that's interesting.
E
Well, when it's something that's interesting doesn't exist, how do you find that? And that's what the missing filter is for. And so in that context, the missing filter, in this case, we would need an additional, there was some additional attribute you're pulling out from a different API call that we would need to expose as an additional, like, maybe it was remediation status, I think remediation configuration. So on the config rule...
E
I think we'd want to pull, have a filter for doing the pulling in some of that remediation information, and then you'll be able to do the missing filter. So it'll be one policy from an effect, from, but it would be something that would actually, it would only fire the action in the context that the correct filter with the correct configuration and the correct remediation didn't already exist.
C
B
E
That is a good question. It is a slightly different one. If you're on the command line, you should be able to do a Cloud Custodian schema, or c7n schema, sorry, the schema on the account.filters.missing. I am trying to just double check that it's in our reference docs right now, and yes, it is.
E
It's not super well documented and it probably could use a long-form documentation.
E
E
If you go to the AWS reference under account.filters.missing, you can find it there, but I don't think it's actually very helpful. So your, your confu-, you're surprised that its existence is, is not unfounded.
E
I think we need a narrative doc example around the missing filter. It covers off on a set of key use cases for the assertion of something that doesn't exist.
C
Yeah, without the documentation, I have no idea what, how it works. Right now, what you described earlier, it's kind of over the top of my head.
E
E
Yeah, just to at least facilitate something, so it's left as a something hanging for the future, but I do think we need some docs, which I think George has captured here as well for a future ongoing thing.
C
E
The missing filter is transparent. You don't need to do anything with missing filter, like, so the missing filter is effectively a way to nest a fully formed policy underneath it, okay? So in that context, we're really trying to do in this particular case is to add a remediation filter to a config rule so that you can assert the attributes of the remediation configuration for that.
C
I think I kind of got it now, but yeah, definitely seeing some sample will help, yeah.
A
All right, and if we have further questions, we'll revisit in two weeks. All right, anything else on this one before we move on? Thanks, Darren.
C
A
Thank you. All right, next one I got from Maddie, was pointing out that Python distutils is being removed in 3.12, in Python 3.12. It's already deprecated and I've got the link there, and we had a quick discussion between ourselves that I'd like to repeat here about where we stand with distutils for Python.
E
It's a little bit weirder than that, I just realized.
E
It was initially going to say, which is, we'll just push this one down the road, but in further respect and further realizing that there's something weird going on in it and how they're doing it, realizing that we should probably just, that we, I think we have two things that we depend on from them, from distutils. One was a version, a version class that did version parsing.
E
Strong consideration, I'll just do, we vendor both of those and move on. Yeah, like, when I last, when it does the deprecation right now, it actually, like, on Python 3.10, it actually pulls it from, it's already gone, so to speak, and it's pulling from something else. So...
E
There is some other consideration from that last weekly news article with regards to some of the going too fast for the community perspective, the changes, but this one is already in progress. Thankfully, nothing in our ecosystem on any of the serverless platforms from the cloud has gotten to 3.10 yet, so it's not burning, but it's definitely something I think we want to be more proactive, as far as looking at this year, as opposed to in two years when 3.12 comes up.
A
A
E
Poetry is awesome, it's the bee's knees, I dig it. At the same time, as a project, we do not have an opinion with regards to what our users want to use. At the same time, Poetry came in about a year ago, actually almost a year and a half ago probably, just because we have a lot of different dependents, a lot of different packages that we package up out of extending code base, and Poetry offered a clean way of doing that that we could extend and use an API to facilitate that.
E
E
Standard pip requirements files. At the same time, however, recently, over the last two months, when we actually switched, like, the real question is what's being tested in CI, and initially Poetry was just in one small part. It is now, the entire pipeline actually runs off of Poetry as well, and we actually need to reintroduce something that is actually validating our pip tox files, so to speak, to make sure those things are good, and I think we also probably need to document the default developer setup.
E
I think, for using Poetry. At the same time, for users that are using, you know, they're not using Poetry, that's fine. We intend to continue supporting that use case ongoing, and we will announce that at such a time if we ever change it. It's just an ex-, we're effectively...
E
Just exporting out, like, the Poetry is the source of truth, and we just, we generate all of our packages and we freeze all of our things for release and we generate requirements files all from the Poetry as sort of the source of truth. So the extra burden there has not been significant. So the intent is to continue to maintain that, so no changes per se, if you're a user.
E
If you're a developer, we would, we should switch out the docs to recommend Poetry as what we do. At the same time, we also need to introduce the pip requirements files into our CI, to make sure that they don't have an issue, or if they do, that they will fail CI.
D
A
D
E
A
B
Oh, just, it's Liz. I wanted to be part of that documentation process. Yes, got you, there we go. And I know that George and I are working on that, and that, are we, we're kind of a little bit blocked still, right, on that, George? Yeah.
A
One of them is from AJ to update the requirements.txt, is that the right file? And there was one from someone earlier.
A
Okay, I'll follow back on and then see if that one works. So yeah, so for everybody else, I went and I tried to build the documentation and tox, if you follow the documentation, the tox workflow was busted, so I filed an issue on that, and hopefully you merge one of them, and if not, I'll follow up with you on that. Okay, moving on. We're due for a release, we haven't released since November 15th.
A
So I asked Sonny if he was interested in doing your release, and we are going to try that this Thursday, I think, is that the day we settled on? One second. We're gonna hop on a Google Meet and we're gonna have Kapil not do the release, he's just gonna observe, and we're gonna follow the instructions on how to do a release under Kapil's supervision, and then, ideally, I've asked AJ to do the next subsequent release in the same kind of manner.
A
Seeing if we can get releases done by people who are not Kapil, so we can start to spread the wealth as far as the technical know-how and how the project works. I'm going to record all of these and we're going to have them on the YouTube channel, and if there's actually anybody interested in doing a release, I would very much like to get us in a spot where non-Kapils and non-Stacklet employees can do releases at some point in the future.
A
A
It's cool if you're not. Everyone's like, I'm going to see how Sunny gets on and then I'll make a decision. So yeah, and if you're interested in doing that, please let me know.
A
Oh yeah, we're not going to let random people just do releases, but if you're interested in starting that road and want to observe and watch along, that's probably something we can work towards. Anything else on this one?
A
E
In the beginning, no. Yeah, so Cloud Control is effectively the take, if you take the CloudFormation API surface and you said, well, I don't actually care about writing CloudFormation, but I actually do, like, care about all those resources...
E
Can you give me an API for all the things that are in CloudFormation to do CRUDL, create, read, update, delete, list, then that is what Cloud Control is, and it sounds cool. It sounds like a nice uniform abstraction, but it's a leaky one. So, at the same time, it has a lot of resources in it. Both Terraform and Pulumi have new providers, not updating existing, that also target it, and after some, I think british filed the request that I, you know, engage with it on.
E
There is now a Cloud Custodian Cloud Control provider. It is alpha. It is not, we are not replacing the existing AWS provider, it is an additional provider. It has completely different attributes and therefore, you know, it's not isomorphic to policies. You can't just change the resource name and expect anything to work. It does, however, offer some additional coverage as far as the number of resources it covers. It covers some things that Custodian native does not do, and vice versa.
E
But one interesting thing, and let me preface this by saying it is pure R&D, currently exploring, but definitely of interest, is based on the new CloudFormation Hooks capability, is something that we are going to explore, or I am actively exploring, as far as seeing if we can bring in, use this as, with the new execution mode, as effectively a form of preventative control. It would be a Cloud Custodian policy.
E
D
E
E
Okay, please do so. Sh-, so everyone, you know, like, generally speaking, we're all writing, you know, some form of infrastructure as code, DevOps, and there are a number of tools out there for that. You know, CloudFormation in AWS, Terraform pretty much for everyone else. I know Google has deployment templates. Oh, actually, Azure has been investing in some of their templates as well. But I think from a market share perspective...
E
I think Terraform is probably fairly predominant. Now, for all these things, there's effectively a form of static analysis, linters, features, effectively client-side tools, potentially some with SaaS, that you effectively have to incorporate into your CI pipeline. Good, okay. And so AWS, I think, has cfn-guard as a component written in Rust, as a rules engine that'll effectively create some stuff you have to pull into your CI pipeline and they'll go evaluate it. They also have cfn-lint. Literally for every IaC tool, definition link format.
E
E
E
APIs, the underlying resource service APIs. In cfn hooks, CloudFormation hooks are effectively an arbitrary Lambda function. They're very similar to a CloudFormation custom type as far as how they feel, right, underneath the hood, and they effectively get evaluated and get to approve, deny a stack creation or stack change, and the context that the evaluation here is of, is for the new provider, where we already are using the same trip in the Cloud Control provider, reflected, we're using the same attributes that CloudFormation consumes.
E
Therefore, we adhere to our general principle that execution modes are isomorphic to policy definition, that you will be able to take a policy and just put, like, a cfn hook as an execution mode and have it deploy as a, well, not just as a Lambda but as a cfn hook.
E
Yes, as a Lambda, but the cfn, CloudFormation custom types and cfn hooks are different than most Lambdas you probably have seen in the wild. They're a little bit more complicated. Like, there's a documentation on how, what actually happens under the hood. They've provided SDKs, because it is complex.
E
What, in terms of what does happen underneath the hood, but there's, you have to log into multiple different accounts, you're actually executing, you have, you have x, you have credentials both into the target account as well as the service account.
A
All right, and then in the report, I have all the PRs that have been closed and opened and issues that have been closed and opened over the past two weeks, if anyone wants to check those out. Is there anything that is jumping out at folks that they want to discuss?
A
Did you want to talk about Matthew's idea about S3 URL for policy locations?
E
Not per se. I mean, at the, it's basically, you were both, well, you can pass the CLI a policy at an S3 URI, no? Yeah.
A
E
There's some, AJ has a really awesome knack for doing really small PRs that, like, make me go, I don't know if this is safe. And so in this particular case, I think we will probably change this a little bit, but in general we need to do it. So it's just a question of doing it with compatibility, and the implementation on this PR will likely change.
A
Got you. All right, so if you're interested in those, as always, I put all the activity over the past two weeks in the notes before we publish, and with that, that kind of handles our agenda. Does anybody else have any outstanding items or anything they'd like to bring up? Open mic, I guess.