From YouTube: Cloud Custodian Community Meeting 2023-05-16
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
Check out our Slack for more info! http://slack.cloudcustodian.io
A
I'm blanking on the word, standards for behaving like decent people. What's that compel, code of conduct, there you go. Yeah, be cool, everybody be cool. And so here we go, I'm going to post the chat link one more time for folks who have come in fresh, and then we'll start sharing and talking through it. In the meantime, while we're getting the share going, if anyone would like to introduce themselves, first time or if it's been a while, feel free to jump in and say hello.
B
Hi, I'm Kevin. Long time. Well, we've been using it a couple months, Custodian, and now I'm contributing, so yeah.
A
C
A
Welcome, thanks for coming, thanks for contributing like right away, so very cool, glad to have you. All right, anybody else from any videos for intros?
A
Well, agenda here. So we've covered intros, are pretty quick. We still have in here a little note just that this year we're going to be moving on from Python 3.7, any folks out there still using it. There's just details in this linked issue, just a heads up. I'm still pointing out tips and tricks we've got in the discussion section of our repo.
A
We have some tips and tricks threads and we're trying to pull some more in from Slack discussions, older Gitter discussions or other things that are not in the docs, but that folks find helpful.
A
And then the next piece would be the next release. I know that we've got some, we've had some PRs coming in to prepare for a next release. I don't know, Kapil or Sunny or Patusia, if you're aware of any blocking issues in the way of a new release.
E
So I think there's a little bit of work to do because of the Poetry export thing, switching out that groups.
C
E
Was one standby after GCP Cloud Run that I wanted to try to address? As far as like there was an IDE named mismatch somewhere, the Florida called issue. That was the only two things that came.
C
D
A
Does anyone, so we've got a whole list here of the PRs, issues that are open. I've got a couple boom just from some recent discussions. We can talk about them, but if anybody has any pressing questions or issues before we get to that, now is the time to raise them. Okay.
F
F
F
A
Well, yeah, I mean thanks for making this change and for bringing it up here, because I think this is really cool, and it's cool enough that when I saw it, I think there's going to be a lot of times where there's kind of a knee-jerk, at least for me, to want to just add more functions and make JMESPath even cooler. But just it, these few things, and a split has come up a lot. So that's very cool that that's going to be available now.
A
E
A
F
There's a few that are sort of more in the, not necessarily limited to Kubernetes but, or more obvious I guess in Kubernetes, like doing things like certificate, being able to like evaluate certificate by doing like an x509 decode, or if things are base64 encoded, to be able to do the decode and then read from that. Like those are things that seen in other custom, people implement custom functions in JMESPath for that as well.
F
E
A
Data for sure, user data came up when we were looking at some of the c7lf policies. I think base64, and also I had a PR recently to try to add a value type JSON transform, and I could see there, like I could say it's making the case that doing a JMESPath function would be cleaner than adding another value type transform. You just do like a JSON decode or something in your key and then not.
F
I think, yeah, for like, you can even imagine like at folks where you have like a Lambda function and, I don't know, for some reason you have a JSON encoded string as an environment variable, like to be able to load that and check against values. Like I mean, you know, most likely be very specific use cases where that'll be useful, but if stuff comes up then this is the way to implement it.
A
Yeah, I'm serious if anyone else on the call has come up with these cases, where you're trying to use a value filter or some other sort of instrumental expression to get something, and you don't have enough flexibility. Just curious, beyond split, what kind of issues people have run into that we don't necessarily hear about because it's not really a bug, it's just a bit awkward to work with.
D
F
Although we do cover a lot of the, like I mean value filter can do arithmetic comparisons as well. So you don't, like, you could have like a, you know, divide function or add function, whatever, to like an integer, but it seems a little bit, I don't know, it doesn't seem as pressing I guess for the workloads that, you know, Custodian's typically associated with.
A
Yeah, it was fair, I think on demolition kind of thing appeal. You had a change recently with this GCP recommender filter and it seemed like a similarly wide-ranging sort of change where it might open up a bunch of different things.
E
So, so see, but if I dropped this also in pin Ops, but this is, it stretches across a, it's sort of like, she recommended to sort of like Trusted Advisor in AWS, as to like it's understandable for those that are not using GCP. And this basically just gives us an ability, and this is across cost, security, a couple other dimensions.
E
This is effectively just using the ability to use GCP recommenders directly as a filter for resources, just be in this context. Also takes, gives you a set of like remediation activities you can do yourself, considering, like generally implements those. So we just take the, in this case, we just like there. The recognition is a vital list. You know, snapshot it and delete it, and so only implement the actions just using our existing policy language, and so it's a nice detector.
E
It's, you know, it's a standard, like in some cases, you know, it's personal advisor tends to be more just sustained in for metrics. GCP recommenders are standing for metrics, but they also have some other stuff going on there, where they're doing some deeper analysis, and so it was nicer to expose it directly, especially on the IAM side, where they're actually tracking against like the actual permission usage and doing a bit.
E
You know, it's ML, let's say, around things, and no barg yet, but you know, it seemed useful to expose directly. If you're in GCP, it's a good way to get to costwork costs optimizations as well as security things, but they also have operational things. So there's a couple categories. I don't know, I think the actual docs have like a link of, there's like 24 of them as far as recommenders themselves.
A
Yeah, cool, thanks for that. Was that, that these docs? I don't remember.
A
E
For like the eye, minimization ones that they do, I don't know that like his, but you see a bunch of pre-canned roles and people use those roles, and then they flag you for like having unused permissions and, like you know, because I don't think it's the Stadium's place to create custom roles for you. So like there's something we can do, not in all cases, just based on what the actual scenario is.
E
Obviously, typically we can do, you know, deletion outside where that is an acceptable remediation, but that is not always an acceptable remediation.
A
Sounds good. At the time, anybody have questions or comments on this one or the custom JMESPath function?
A
B
B
Yeah, wait for my camera to spin up. It will spin up at some point. Okay, so one of the things we ran into with our own implementation is that we can't, there's no way to tag GKE clusters, and there were some prior murder on this that talked about how that sort of worked.
B
I re-implemented, I guess, that, but we still run into a spot where it fails, because the cache entry, the fingerprint, is like, the first run, it's fine. The second run, the fingerprint runs into, the fingerprint is cached for the alt label status, and so the cache needs to be invalidated or the fingerprint needs to be refreshed in the cache when the modification is made. And I have been tracing back, trying to figure out how that gets populated or how it works today.
B
I'm sorry, how it works for instances, because the same process is required for instances, where it works, but not for PKU clusters. I would love some advice on where to find that. Oh yeah, there you go. And then I would love some help getting your response code out of all of the responses of the tests will have to run.
E
So two things. On the fingerprint thing, I think the right thing, the simplest thing is just going to be refetch the resource and retry in line to the action, like basically try, catch fingerprint mismatch, go fetch current, right, okay, try again. And I think that is going to be the simplest thing and the most robust thing also because, like, you might have multiple actions that try to tag, let's say, and you know, you can do that for one, like it all.
E
It just keeps the things relatively simple and sane. I think we've done that in at least one other resource, I forgot which one. I'm just beside a second one on the test stuff. I would just try to record one. We try to like inject project ID, like into, like switch that out. If there's other stuff that you feel like is sensitive to your environment, organization.
E
You know, drop a message in Slack and like the dev channel, and we can see about like changing, like fixing the recording framework because, like, we don't want people have to do that manually. So definitely, like you know, if there's things that you feel like that are coming out that are sensitive, but like the intention is the default should do something sane reporting, and if not, you know, happy to have a separate discussion about that as well.
B
Yeah, it comes down to the included credentials for the tests, adult value to set labels, or there's something along the lines where you get a credential area when using the Custodian included credentials, trying to run the tests or record the tests. So that's, yeah, because.
E
We've got transient credential thing per second, you. You should be able to delete that, like those things are only valid for like a short amount of time before they go invalid
B
you can manually delete those and not commit them. I don't know that we have any of those committed.
E
B
That may be why, you know, recording doesn't work if those credentials are.
E
Okay, so for recording, okay, so you're having a challenge like became, the recording. You typically just run the podcast directly against your test. You switch, you have like, instead of replay, you say record, so nothing, you're passing the project ID, and then, when you're done recording the test, you switch back to replay and switch to project ID to cloud, I think it's cloud-custodian for the project name, and your credentials should never be saved per se. I know, I think this is actually, sorry.
E
I said GCP, but it was a need to be host thing where, like, certain authentication forms in their cloud provider would like create like an SDS type of validation thing, but I don't think that's the case in GCP. I know, I think about it.
B
E
Straight, it's a straight dummy. It's just there just to satisfy like the client workflow. It's not something that's necessary. It's just for the replay and it's not a live thing.
A
A
For those recordings, for folks to have to set like those environment variables, like Cloud SDK core project and Google application credentials, so that the test pull in the right stuff at runtime.
E
E
Partly that was because, like, I think some of the way the filters or actions or test assertions were actually needed to validate certain things that had the project ID in it, and so when you go to record, it's whatever your actual project ID is, when you go to replay, it's always a cloud extra saving, just so we can get the test ID, sorry, the project ID, out of any recorded data that we, or get that submitted to the repo.
E
If a test doesn't care about that and the resource and filter or the fields are acting, doesn't care about that, then, you know, it's fine to not even specify project ID and let the environment variable take over.
E
Yeah, I mean it's always worth taking the look of the diff. Like if you have, I mean, generally speaking, your test resources are transient, you're going to tear them down, like if there's like a public IP or something, you know, all that jazz. It really just depends on, it's worth taking a look at, you know, and it's like anything that you think is of concern and end up on Slack.
E
A
For sure, I'm gonna learn something from that one, that's good. All right, the next boomed one here is, we just got this one in for a couple new Azure resources. Looked reasonable to me, but I didn't know if other photos, the only thing that jumped out of seeming a little bit weird is the resource definition just being all mushed together looked a little. Let me zoom in, of course late in the meeting, zoom in so people can actually read stuff.
A
I didn't know if we'd want to switch to that kebab type case, like CDN dash custom dash domain, and I saw that we have Azure resources, we have existing resources in both formats. Sometimes we're one form but like one is an alias for another. So I don't know if any folks on this call have strong opinions on how we should a measure resources.
E
Just like this mush, it is worth jelly. When we alias, we try to make the alias the compatibility one and the actual one the real one. Besides that, like, I mean, I guess I prefer kebabs, but yeah, I mean, Amy for consistency across many contributors is always a challenge. Yeah.
A
E
Which is like, you know, inconsistency. It's like provider-specific consistency, like in some cases, like in GCT, I was just like, you know, pubs up dash topic, like where it pops up is like even in the same resource you have both cells. So that's judgment call. I would try to aim for whatever the majority is, and if you use the alias as a contributor to backwards compatibility, aim for doing the one that was intended as modern.
A
A
Yeah, and that's what I was trying to look for patterns and I saw both in Azure. So that's what it wasn't clear. I mean I could see, and what I wasn't sure about was the history. So if we added one called CDN custom domain with the kebab style there, would it be worth adding the alias if there's nothing to be compatible with, because it wasn't an existing resource? Would it still be worth adding that mush together alias only because some existing resources have it? Yeah.
E
C
It's compatibility thing. Okay, or maybe you like in AWS I think for.
E
Like IP address or something, like I think we may have done it there, because the default was cause more questions about like, hey, what is, you know, what does it actually look like? Like people couldn't find the default, let's say. In this case it's the same name, like in that case it was like a different name just to match what people expected, but in this case it's just a hyphenation thing.
E
A
E
Yeah so, and if you would you have the Italy says we should make the kebab the default, because that will get documented, yeah. The alias are just there for compatibility.
A
All right, those are the only ones that I see, the only issues appear. Is that I see boomed here for a specific discussion. Some of the, there were a couple holdovers from the last meeting. I know there's still this copy related tag and the value from supporting DynamoDB. I don't know of any updates to those.
D
Yeah, this one I started to look at drds earlier agent, oh yeah, yeah, I think I couldn't reproduce it on my end. I think I have to like spin up resources in a certain way to like reproduce the server on my local account, but yeah, I'll try to look at it today and see if I could reproduce the same errors. I tried doing it. I couldn't create the issue, but it's still happening, I don't know why. But yeah, I'll take a look at it.