From YouTube: Cloud Custodian Community Meeting 20220719
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
All right, welcome everybody. It is July 19th, 2022, and this is the bi-weekly Cloud Custodian community meeting. Welcome everyone, I'll be your host today, George Castro. We have some people who send their regrets that are on holiday, so we're gonna just keep on going through the agenda, and if there's anything that we need to discuss we'll just tack it on to the agenda for the next few weeks. I've pasted the notes URL there in chat, and if you're watching along on YouTube.
A
If you go to GitHub in the discussion sections, you should find these notes, and I always send a copy of these notes to the mailing list. As always, we're under the CNCF code of conduct, so please be excellent to each other, and do be aware that we do record these meetings and post the videos on YouTube. So please be cognizant of that.
A
A
So if we get through some stuff and you want us to look at something, or maybe you're having a problem with a specific policy or something, consider this an open agenda. A few things that I have, though: Darren Dao is now a co-maintainer, so he was merged here over the weekend. He is not attending.
A
Today, it looks like, so we'll go ahead and save the congratulations for him when he returns. Speaking about governance, semi-related, I've gone ahead and updated the draft for what cloud govern, or Cloud Custodian governance, looks like. So this is how we pick maintainers and the kind of life cycle of contributors and whatnot to the project. This is issue 7149, and what I've done here is basically drafted a proposal of what the governance for the project should
A
look like, and then we're leaving this open for a while to get feedback from the community, and then at some point we'll do a PR once we have a semblance of consensus from existing maintainers. So, some changes that I've done since last time. I don't want to line by line this through a meeting.
A
That's probably a separate, that's probably a separate topic, but some changes here: after our review last time we needed an emeritus process, so I went ahead and added that, and I added a separate lead maintainer role and a description for that. That's in there as well. And Kapil had asked that I look at the Envoy project governance, and they have an idea on how to get consensus on things via simple majority voting. So I went ahead and adapted that for our needs and I tossed it in there.
A
So if you want to take a look at what that looks like, that is issue 7149, and I've left a link in the notes. Does anybody have any questions for that?
A
Darren, we just finished congratulating you on your co-maintainership status. I've got a cake, we'll have a cake at some point, but thanks for joining. We're just going through the announcements here and then we'll get to the usual stuff. Next week I will be on a plane on Wednesday and headed to SCaLE. That's the Southern California Linux Expo at LAX, and I'm doing a workshop there all afternoon with Sunny on Cloud Custodian.
A
So if you have anybody in the area or anything like that, that might be interested in hanging out, feel free to send them. The show is free to attend and the workshop is free to attend as well. So if you're in the area and you just want to figure out how Cloud Custodian works and hang out with me and Sunny, that's always a good time, and I know there's always a lot of cloud professionals that attend the show. So, if you're in the area, it's a good investment. It's one of my favorite shows.
A
Next we have a quick status for me on the CNCF TOC vote. We now have six of the seven votes needed to move to incubation within the CNCF. So if you come in here.
A
And you go and you can count all the votes that people are doing to plus one Custodian moving to the incubation phase of a CNCF project. We're basically waiting for one more binding vote. TL;DR: the way it works is the CNCF TOC committee has binding votes and they need a majority.
A
So seven out of 11 of them need to vote to include us, and then they have a concept of what's called a non-binding vote, which is when people who don't really have a vote get to just say: hey, plus one, I use this project, I like it. So if you have someone, or you yourself are using Custodian, and you're comfortable going in there and giving a non-binding plus one, that's how they kind of gauge, you know, how the community receives a project.
A
Even though you don't really have like a binding vote, it's a way to support the project. So it's looking, so far, no one has minus one so far, so it's looking like we've dotted our i's and crossed our t's so far. Any questions on that one before I move on?
A
B
Also be, you know, we've got two other people joining, Sarah who's fan, email, and we'll be at fwd:cloudsec as well.
C
A
All right, and on that one, if you're in the area or you're going to re:Inforce and you want to attend, we will be throwing a small reception.
A
This is free, but please fill out your name so we know how many people are going, so we can plan for food and all those sorts of logistics, and I've got that link in the notes as well. With that, that kind of closes the quote, unquote official agenda we have. Next, we have incoming PRs and issues or things that might be burning.
A
So I've got a few here that AJ has tagged, but he let me know he's running a little bit late, so he might show up later. But is there anything, opening it for the floor? Anything anyone have that they want to check out?
C
D
C
B
RDS encryption is typically just, it's just an attribute on the RDS, and then you can put it into real-time CloudTrail mode on any create instance or create database cluster to have it do real-time enforcement as a Lambda. I think you're asking for in the actual attribute name.
B
So you just do a value filter for RDS encrypted. Then you can do delete the actual attribute name. Excuse me, but.
C
A
D
Okay. Are there cases where the policy, because I had it where the policy validated, and the Lambda function is created when I run the policy, but it is not applying what it's supposed to do. So I was also tagging RDS instances with my policy, so the policy validated and it created the Lambda function, but it did not actually tag it when I tested it out.
B
B
Typically these types of discussions are better in the chat room, because you can actually push, show the text of the policy and stuff as well, but if you're having an issue with the Lambda policy, like it's not behaving the way you expect it to behave, the best, the first place to look is: it belongs to the Lambda policy in CloudWatch Logs.
C
B
D
C
D
Okay, all right. I did test it, so even when it becomes available it wasn't tagging it, but I will post the policy. I believe I got that policy from the docs too.
D
Yeah, I had access to the logs, and I knew it wasn't a permission issue either, because when you do the debug it actually tells you, or when you do a dry run it tells you what's the issue. So I know it wasn't a permission issue that it was giving either, but it was just not tagging it for whatever reason. But I will go back and look more into it.
B
Yeah, definitely come chat on Gitter. I think that's probably the best forum, or the easiest forum, to sort of debug that more interactively. On the call it's sort of like missing context, what's the policy with the log, so to speak. It probably works a little bit better on the async, but I think we're happy to help out. But yeah, just transgender together when you have access to the logs.
A
No worries. I put the link to the RDS section in the notes and I also just posted it in chat, if you get there, and feel free to ping me if getting that is a problem.
A
No worries. Okay, it looks like Darren has four things, and anything else on this one before we move on? All right, thank you. All right, we've got four today from Darren. FSx backup check, 7252.
E
I think this has some comments from Kapil, which collide has fixed based on the feedback, so I think.
E
A
matter of giving another pass to go, if you, if you can.
C
B
I was just looking at it. I'll take a look at that.
A
That's one. SNS SQS has.
E
Statement filter. This one is new. So the idea was that, I believe for S3 bucket, we have a pretty good filter for checking to see if it has matching policy statements, and we wanted to extend it to other resources that have the same kind of access policy statements as well, namely SNS and SQS.
E
So Stephen has put in this PR. Need somebody to take a look. Cool.
B
Yeah, I have noticed the activity on this one and I did see students. I think the watster show getting an extra eyes from your AJ. Thank you for taking a look at it as well.
A
A
And Kapil was on holiday until yesterday, so yeah. AWS cross-AZ NAT GW filter. This one's been around a bit.
E
C
E
This one is to, the use case for this one is performance and cost optimization, so that we let users know if they have set up a routing table where the next hop to the NAT gateway is in a different subnet, which got you is not the best in terms of cost and performance.
B
And reliability, availability as well.
E
B
B
B
Of the mismatches from the subnet to the gateway, which, but those are the two things that are easy associated, whereas the route table itself is rigid based, but it's in the route table, as if you're saying so, I don't know, I could go either way.
C
E
Do with, yeah.
A
So I filed a ticket with their system, and then it ends up I filed it with the wrong system, and I filed it with the right system and they just responded. It just accidentally sent it to my personal email, so I thought they had just abandoned it, and then they sent it back. For me, it is a long.
A
A
Yeah, like, I didn't even like know how to respond, because it was like this long thing, but yeah. I would definitely like to get some guidance with you on that, on how to proceed. So yeah, but they are aware of our in-progress PR, so yeah. That was definitely still on me. Any other questions on that one?
A
A
All right, these other ones were AJ had marked as wanting to discuss, but he just pinged me that he's not able to make it to the meeting, so I'll table those for next time. Any of these PRs or issues jumping out at anyone that they would like to see, review or have discussion on? I'll give people a minute here to check it out, or if you have your own personal issue or PR that you want to bring up.
B
C
B
C
B
It can handle source account condition on it, so this is useful like, if making sure for services that support that, like you've granted the service access to a resource, that it's only doing that on behalf of events originating from the same account type of thing, which is generally good. The question, then, is: what happens?
B
What would the behavior be for things that are? Are we going to switch any defaults? I guess is my only concern, consideration on it. So if anyone else has a moment and wants to give a look over, I would appreciate another set of eyes.
A
E
The one thing I want to bring up to the phil: remember how there was that one PR that I put in to fix the Lambda state, active state.
E
E
Let's have I asked them, the tagline is fine. It's the update config one, that update Lambda config, like the confirmation of the function. We only do it for the update of the Lambda code, but not the Lambda configuration.
B
Yeah, that's it. We didn't do it previously, because.
B
Well, actually, that's a good question: do we need to do it?
E
E
B
B
To like Config or something, okay. Yeah, if you want to add them, that's fine. I'm just wondering, for the purposes of like, if we updated the function config, is that still going to block, say, Config from attaching to it? Typically in an update, it's.
B
Per se, but I'm fine with just being cautious here and adding in the additional check. That's fine.
B
I was working on something for new land execution mode around database budgets, so that we can attach a budget to the account to effectively, when an account exceeds a budget, that a Custodian Lambda policy will fire and you can do whatever you want in terms of running notifications or whatnot to it.
B
B
But may not be of interest, but here I definitely came up at the FinOps conference as something people are interested in help with, as far as managing budgets.
E
Oh yeah, one more thing I want to ask: can I be the next person to do, whenever the next release is?
B
If you want to. I think it would probably be prepare to watch on final release. We generally want to do releases with multiple people, but so I think it would be tackle one for one and to see what the process is. We have it. I think we've got like one or two videos of it recorded already, but yeah.
A
Yeah, what I was going to do is, when Sunny comes back from holidays, I was thinking about just scheduling like a separate meeting that is, do a release, and then whoever wants to hop in, we could figure that out. Did you get the link to the, I published these steps that Sunny was following last time. I don't know if you got those. Yeah, I tried. Okay, all right.
E
A
E
Not the problem with getting to the doc, more following the instructions.
A
Well, as soon as Sunny gets back then we can sort that out, and then we'll just, are you okay with us just scheduling something?
E
C
A
All right, and with that, thanks everyone for attending. You can have 30 minutes back, and we'll see everyone in two weeks, and if you're going to re:Inforce and SCaLE, hope to see you then. Cheers everyone.