From YouTube: Cloud Custodian Community Meeting 20230125
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
All right, I'll get started, welcome everybody. This is the bi-weekly Cloud Custodian meeting is our kind of high bandwidth discussion meeting where we hop on here every two weeks and try to walk and discuss through issues before we get started as usual, we're under the CNCF's code of conduct. So please be excellent to each other and a reminder.
A
We do record these meetings and publish them on on YouTube, so the public can follow along if they want so be cognizant of that, and with that I put the URL to the notes in chat. I'll go ahead and put them again for those of you that joined after first bit, intros anyone want to introduce themselves, say hello. If it's your first time or you haven't been in a while I'm George I'll be your host for this today, okay, okay.
A
All right, everyone's quiet today, no problem a few things before we get started here. We've been moving to Slack over the course of the past year. I always publish those notes there because there's like an invite in an inviter page that you need to go to so, if you're not yet on the Slack feel free to click through onto there and another reminder: you'll see this in the notes for the probably the rest of the calendar year.
A
At some point we are going to be moving on from Python 3.7, so we're just gonna stick that warning on top of every every meeting notes that we have to give people a heads up as they can first off the topic. Kapil added this about adding more maintainers and I think I just saw him join. If he's that phone number.
B
A
Is that you Camille? It is okay, all right, I I moved you up. Slot I know you're time sensitive today. So.
C
So yeah we we've got a few folks that I think are we'd like to ask to be maintainers produce and Kent SW. They both had the general marker we try to use is the enduring contribution.
C
B
C
Awesome and thank you as long you ever do- we've I think you know I think you've contributed for many years and happy to get to this now soon and I don't know if Kim's here, but he's also made a number of contributions over the last at least two years Michigan and then I'll hand it back to George cheers.
A
Oh nice, okay, all right all right and we'll try to get a hold of I still have to try to find a.
A
That Darren, you have any comments, anything to say.
D
C
And, incidentally, if there were other people that folks feel like should be or would like to consider for nominate for being maintainers there's a strong boat, you know and so development select and we can discuss there.
A
Yeah and as you'll see throughout the meeting, there's plenty of opportunities for people to pick up reviews and things like that and I'll put this in here. As always, the golden rule don't merge your own stuff all right. Moving on this next one's also years renaming the master branch to Maine I know we've been wanting to do this all of last calendar year, but it looks like we are finally doing.
C
This and just to comment on the don't work assumes up demand that it's totally fine to merge your mpr's domain after they've been approved but like just to I think it's more on the topic of making sure that things get some notion of community and then with regards to the master domain. This is just something that's been on our backlog for a while. GitHub has made this process really easy now and doesn't break anybody's workflow it'll.
C
The only delta is I think that will flash a page for people with commit access to update their branch reps, but it that is a not not a it's a it's a suggest. It's a good thing to do, but not a hard requirement. It won't break anything and just trying to get all that done and currently aiming for I believe next Wednesday for actually doing this. I just wanted to versus it. Here in case there were any questions or comments about it.
A
Yep and that's January, 31st I'll put that in the notes, all right. Anyone have questions on this one. Moving on, we had a release since the last meeting, 0.9.22 Sunny. You want to take us through the TL;DR here, yeah.
F
This was a relatively smaller release compared to the last few big ones, but there's still some good stuff in here. Some bug fixes and and whatnot so definitely check it out, I think they're, potentially maybe some issues in the Azure provider. That is still being investigated right now, so I think specifically, if you're using the container post mode but again still not completely clear on what what the issues are right now so yeah go go check it out.
D
A
And that's it for the formal agenda before we move to the pull request and bug issue section of the meeting. Does anybody have anything on fire or I.
C
I don't have anything on fire, but I did just want to mention that I've been doing a bit of work, around sort of preventative shift, lock, type of security or policy enforcement that extend to called t7 unlock, which has a much nicer developer, UX CLI UX. Now it folks who want to check that out that that is it is. It is pretty awesome.
C
I think we still have some things to do, but you can now get like research coverage like we'd have to be a summary output at the end, resource coverage or policy coverage across resources, and then we are there's also some work ship, like looking at ship left as an entire ecosystem of things.
C
Sorry, not they don't call prevention, they call it proactive. You know just wanted to explore what that was and implement support for in Custodian policies. It is a little bit limited I found as far as only having 11 resources. I think it does re-highlight the need to also to to to also look at other capabilities in the space so going to try to resurrect the AWS Cloud control providers, capabilities around integrating ending with CloudFormation hooks so that you can do preventative mode policies against population yeah.
C
This general theme for me at the moment on that topic and those are three different efforts and initiatives around it to what you're already done and one which will be starting shortly.
A
A
A
Any other shifts left ones in here. You just have those two I think.
A
Yeah, do you want to talk about 81.90, real quick, that's the one with the CLI summary.
C
A
Cool and if you want to check out that PR, that's 81.80, that's already been merged. So all right, let's take a look.
A
If this is your first time here or I'm familiar with this, the way what we do is we have a script that checks our GitHub activity between the last time that we had a meeting and if there's something that you feel is interesting or you want extra eyeballs on or or something that needs further discussion, you can kind of bring it to the meeting. So that's kind of the end of the other agenda.
A
If nobody else has anything on fire or anything that need help with we'll go ahead and move on to that any questions before we move on to PRs and issues.
A
A
F
Was like one of the issues I mentioned around Azure and mailer? This should resolve it and basically we'll we'll find out in the next release. Hopefully, everybody's mailer is working as expected. It was just some lazy, lazy loading of providers and stuff like that that we changed to make it. So you didn't have to install everything on the under, the sun, if you just wanted to run like an Azure, mailer or GCP or AWS gotcha.
C
No I mean that's, this is cool, I would also, and there I have a PR up for something in a similar vein, where I could not install the sunset provider M1, you know some crypto thing and there's a PR for that, as well just for doing standard descending development, but the Miller thing I think has already merged, and you know all that look good as far as not requiring photos or deploying in Azure.
F
Actually, yeah on the on the later, not the lacing loading but the skipping of unimportable resources.
F
Does it log that out and say like these? These are unavailable, I guess it's on the PR right now right.
D
C
F
E
F
Was wondering so I guess from a like policy authoring standpoint? It would be good to know, although yeah, if, if it comes up every single time, you write a custodian run command.
C
C
Is an M1 Mac workflow like thing like, if I'm, if I don't care about 10 cent, what why are you log into it? For me.
F
C
F
A
All right, this one's yours, too, Sunny at AWS, backups, filter, consecutive AWS, backups filter to more resource types which ones.
A
F
So this turns the consecutive AWS backups filter and basically takes the bulk of it and creates a base class, which is just a backups filter. So, instead of checking for, like specifically the consecutive backups, if you just wanted to see like, are there any backups at all or other potentially other attributes? You could do with this. This was to address the yeah 8119. Okay yeah. It was Jamison open, so yeah James said if you want to take a look at the PR there.
F
If that addresses the the issue them, we can move forward. I think there's, there's probably some CI issues with that right now, but yeah, okay, yeah I'll explore that and see. If that will.
C
Cool sorry, to interrupt that, it's hard to hard to follow the flow with on phone, but I it Barons around like I I was also called Lincoln playing around with config roles. I I did look at a capability that may have been related to a previous PR and that's effectively. Right now for Content roles, we effectively market resources, either compliant or non-compliant I think there's a separate notion, also marking a given cassidian policy as not applicable for a set of resources.
C
I think specifically came up around an RDS where you know a policy they've been just checking for you know my sequel engines, a particular RDS subset of the total resource type against a policy and didn't want to mark the the things that were postgres for being applied to my SQL policy.
C
C
E
So this is in lieu of doing it with what we have done with the PR which is using the like a it's a Silverside filter. You say now we can apply the future at the the the mode level instead is.
C
Everything like being able to specify this at the policy level to to basically say hey like say something, may not be supported by server-side filtering for particular resources, but be able to say, hey, there's this subset of resources, which we don't care about, because they're not they're not applicable, for this configurable based on summon some of the contributes of them like you're, doing a backup policy, for you know, as you know, EC2 or EBS volumes and.
C
And the intent I think it would be to initially apply this to regular config roles. I'm not I'm, concerned about the we could add a big ball roll I think that would be a secondary, Apollo PR on this topic, but the intent is to be able to do. You know. Do the three value logic that the analog service supports here and being able to express that completely in policy.
A
C
On mobile cellular, oh.
A
A
C
Related topic, yeah I would also say that we're finally adding on Oregon now to our resources for the notion of trying to expand this out to all the various functionalities AWS organizations with the article administrator, various setups. This will as a resource. This will also probably need to be. Not this will not be runnable. I think would be given an award by default just because it will have its own ability to do parallels, and but it will, it can't be expressingly.
C
The the the credential dance between accounts is get a complex worth is in an order, but this awareness. So that's what we're coming.
C
It is not in there that is before it goes in I was thinking just having C7 and org inject a environment variable and use that for validation as well. Okay.
D
A
All right next up we're adding resources for time stream. This is closing a bug that.
F
F
Yeah dropped the review that I needed to address that I should be good to go. It was just switching out for the resource group tagging API, which I didn't realize was supporting time stream yet so it was just like one small change and then it'll be good to go.
F
A
F
Yeah this one was interesting, so Security Hub actually supports a whole bunch of resource types that we we also support, but in a like not in a native way, necessarily so with Security Hub. If you post a finding, you can, if you post it in the the resource type, that is like explicitly supported.
F
You have to do some stuff around like ensuring that certain keys are in the shape that, when you're in the payload, when you pass it through for all other resource types, that we don't do this for, we basically stick it in as a other resource type, and in this case the issue was because there are too many top level attributes on the resource metadata. That I think there were 55. There's a limit of 50 keys on there.
F
C
Definitely curious if there's folks that are using Studio with Pakistanian. Like you know, our the the challenge of the street has always been that it has its own bespoke format for all the resources, and it requires manual requires encoding and manual translation effectively.
C
A
F
Yeah this one is still basically under investigation right now. I don't really have anything to to add I guess. Are there any Azure users here, not any Azure users that specifically use this container host mode.
C
Guess most people don't really it might be worthwhile reaching out to Tamar to giving come out to the next community meeting to discuss in more detail. If you want to drop a comment in the VR there's a link to the calendar.
D
Yes, like I say from Slack, we've been having a lot of good Slack discussions and some of those are leading into doc, doc updates and so I just think like one of those keep it in your mind, sort of thing: if you're using custodians, some of the docs are looking unclear or there's a Slack discussion that suggests that docs could help or trying to be on this. But you mentioned before George. There are a lot of ways to contribute and yeah.
A
F
Actually, yeah on the topic of ducks, there was a actually a really great PR that just went in this morning on S3 bucket deletion, so basically triggering off of the the delete bucket event and adding a life cycle policy to do the emptying of that that bucket. So you.
F
C
Interesting I feel like we have a quick default to ignoring failed API calls yeah an option for it.
F
Yeah that's line 30 I, yeah I could really can't see it but line 30 on that dock. There C7 skip error event. So that's how we are able to capture that and you.
C
Speaking of documentation, this would be. This is more like release engineering crap, but like the where to have been on this drive to try to reduce our repair side, and it feels like it takes too long to get a checkout and we're gonna start moving the docks how to get like there's Dr, currently out of GH Pages out of there, and it should be. You know, transparent and seamless and, like the doc build process is the same.
C
It's really just a question of obtaining how we did this docs, but hopefully that will also shrink through both sides and currently like almost ordered bags and I think if we can get rid of the Ducks it'll shrink down around 100, but that is work hopefully in the next in the next month, or so.
A
All right and that's the end, anybody have anything else to add or say hello going once going twice three times all right. The video will be on YouTube and check the usual places for the final notes. Thanks everybody have 25 minutes back and we'll see you all in two weeks. Thank you. Thanks.