From YouTube: Cloud Custodian Community Meeting 20221122
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A
Everybody, it is November 22nd 2022, and this is the bi-weekly Cloud Custodian community meeting, the meeting where we have high bandwidth conversations on anything related to Cloud Custodian. I've posted the. If you're new here, I've posted the meeting notes here and we do publish. Actually, let me go through my intros field.
A
We are a CNCF project, so we do fall under that code of conduct. So please be excellent to each other, and please be, please be cognizant that we do record these meetings and publish them on YouTube publicly and then add them to a playlist. So if you're looking to catch up, the YouTube playlist is the way to go. On the Slack channel.
A
If you're on the Slack, I've got a, if at the top, I've got a link of all the resources you should need, from the YouTube channel to the notes archive and all that kind of good stuff. With that, I recognize some new faces. So what if any, anyone want to do introductions? Mike, I think you were the first one here earlier today.
B
B
We have about 70 million customers who are almost 99 point some percent on AWS, a little bit of GCP. We're going to be embracing Cloud Custodian here in our 2023, a, roadmap and I'm here to join the community and hope to learn and, and both contribute.
B
I've got a background as an engineer and as an accountant, so I speak debits and credits and bits and bytes, and I kind of live in that little world in between the two. And thank you for, you know, just being here, and having this community is wonderful.
A
Welcome. Anyone else want to introduce themselves? You don't have to if you don't want to, but.
D
I had books, I am starting, I work at this dig as a senior enterprise engineer, been a parasitic for almost three years. At this point, we are across multiple cloud providers, so I manage the infra in AWS, GCP and IBM Cloud, and we are starting to venture out in Azure as well. I personally work mostly on the Azure, sorry, on the AWS and GCP side of things. I am, I've been a user of Cloud Custodian for about five years.
D
At this point, and really love the tool. I came across the community itself at KubeCon earlier this year and I'm really looking forward to actually being an active member in this community.
E
So I was done last week, but I don't think I really introduced myself. I know a bunch of you guys already, but for those that I don't know, so I'm Mike preps. I.
E
My title is principal security architect at Educational Testing Service. You, you may be aware of the ETS from things like the GRE or TOEFL, and, you know, sorry, or you're welcome. And so I, I guess I've been using Cloud Custodian probably about two years or so now, much more intensively in the last year. I've been trying to contribute back. My, my long-term history is as a software developer for more decades than I care to remember. The last 15 years, I've been tarred with the security architect epithet, but after a few too many years of going to meetings and drawing boxes and lines and arrows, I decided that was no longer particularly interesting.
E
E
F
Right, I once got asked to, if I was an architect. I'm like, what do you mean? I'm like, I like to go build stuff, and they're like, I don't know. It was a, I think it's. Oh, it's always good to make sure you're practicing your technical skills, yeah.
E
A
Yeah, he'll time out. Can someone paste me the URL for the notes again?
A
All right, so the way it works is, is I have a template for how we run the meeting and, generally speaking, it's an open agenda. Usually earlier, we meet every other Tuesday, and earlier in the week on the Monday I'll post a draft notes, and I have a script that kind of shows you all the activity that we have going in Custodian over the last two weeks. So that's incoming pull requests here.
A
It looks, it reads better that way. So we have incoming pull requests, pull requests that are closed and ones that might be outstanding. And then what happens is anyone can edit this.
A
If you just log in with your GitHub or whatever account. And then people go and they're, ad, they'll add these little explosions throughout the, the, the pull requests, and what we do is we go through an open agenda and we usually do things like a release status, or we have an event coming up like, say, re:Invent, and then we kind of have a working meeting on, on PRs that you might be working on that you need some attention to, or maybe you worked on a feature that needs that kind of high bandwidth discussion.
A
So we just kind of go through that agenda. Usually I tell people if they have something on fire, let, let me know early and we can, like, prioritize that accordingly, but feel free to, you know. As we start going through this stuff.
A
You know, don't, don't feel inclined that you have to stay for the whole meeting, because we do publish the video and the notes, but this is also a good opportunity. If you have a thing that's blocked, or maybe you'd like to get more eyes or an opinion on something, that's the way to go. So let me get the E, the easy ones out of the way. We're still testing Slack.
A
We've had Gitter up for a while, and we have that there, so I'm just kind of leaving that link there in the notes, so as we publish that, people understand. And then release update from Sonny.
H
Yeah, so we are aiming to do a release post re:Invent, so they're 9 21 is not going to be going out until, I guess, at least two weeks from now.
A
Oh, is that it? That was fast, yeah. All right, and there's pull 8011 there that Kapil had mentioned. I, I put that link there. Sonny no fear I've seen that yet. Cool thing of the week. This is something that slipped under my radar. We did have a pull request from October as part of the Hacktoberfest from a student who was given an assignment to contribute to an open source project, and we merged it. So I thought that was cool, and it did lead me to two things. Number one.
A
As far as open source projects go, if you want to learn things like Lambda using Python, Custodian's a great place to start. And something I think that we could all do a better job as is, we actually do have help wanted issues that, that people have tagged.
A
That might be a good first bug or something for someone to work on. So just kind of like a general Custodian announcement that, like, you know, remember that we have that tag, and if you're, as you're working on something, if you see it, you know, if, if there's something that you feel might be useful for a first-time contributor, or maybe you don't have the expertise to get that, you can always add that help wanted there. So we've got a bunch of those. It probably doesn't, and some of these are from 2016.
A
So the tag probably could use a scrub. If anyone's looking to dive in, you don't need to ask for permission for that. Yeah, as a project, we, we have kind of stopped, but, you know, I figured it.
A
Wouldn't, it wouldn't hurt to mention that we do have it, and then let's see where, where we, where we go from there. So if anyone's interested on that. I run weekly stats and I just kind of put here on the notes on the amount of PRs and stuff that are coming in, and that kind of finish the agenda. Does any, before we get into the open PRs.
G
I think all of these from us into it folks, here, okay.
G
This one is to, I believe, enhance the annotation with some additional information. Kapil is saying that the unit test was actually missing, so we, I think.
G
G
I believe this one, the idea is similar to what we already have with the DB parameter groups. Now we're just doing the same thing, but for option groups. It was, yeah, the, the, in terms of testing there. There was.
H
So Darren, what was, what was missing on that one? I saw that you were saying that you wanted other people to take a look at.
H
Just test.
H
Yeah, I was going to take a look in at this one and the, the rest stage, wuff v21 today, okay.
A
We'll, we'll get to the wife one. Looks like you'd already started to take a look at this one. Yeah.
G
I think AJ has some comments where they responded, and I think AJ is now okay with this, but since Sammy has kind of reviewed at the beginning as well, I think, which is waiting for Sonny to give the final approval as well.
H
Okay, yeah, yeah, I'll circle back on that. I think I lost a bit of context on that. It's been a while since I looked.
G
C
G
A
Y'all on a roll this week with manage configural.
C
F
Okay, so this has been on my plate for a little while. If anyone else, I'm gonna put it back in the queue just for anyone else to have a look at it. So I, I can make time, but I also want to make sure that if there's anyone else has an opportunity to look at it, that they have a chance.
F
A
Well, yeah, with the holidays and, and re:Invent coming up, I'm cognizant of you, you know, volunteering for every single review and then we, we end up in that the few, but maybe, maybe we can get at least most of these. wav V2. Is this the one you were talking about, Sonny?
H
D
I
Is pretty, I was just gonna call out that this one will be kind of high priority for us. We got a bunch of policies that are kind of dependent on this, so yeah, would be great to get some eyes on this one.
C
A
All right, next we have 8001, handle optional extras and gen frozen setup.
C
One is that we had added, since we've added some extra support like GCP and Azure support for mailer, we've made those provider packages now optional, so that if you try to, you try to run mailer for Azure and you don't have the package installed, it'll emit a warning and say, hey, install with this extra instead. And the thing is that, because we weren't using extras in any other of our sub projects, we, some of the, the custom poetry tooling.
C
A
And there was a, it's actually the next one. There was ramifications for the Docker image in this as well, right?
C
There was, yeah, that was, that was a related piece. We got a, and this goes back to Slack actually, because we've been, we're starting to see more of our questions shift from Gitter to Slack, which is probably a good thing, and someone was seeing some symptom of this, of that extra provider.
C
Extra is not being installed. When there was a, in install during the Docker build, it was installing some packages and then removing them again, so that when the mailer went to run, it would say, hey, there's no package resources in this, no package resources available, can import it, which looked confusing at first, but it was because of that, that extras piece. So both of those should be resolved now.
H
Yeah, this is just the standard release PR stuff. It also includes a test to ensure that the pyproject.toml matches the setup.py, which some people noted in 920, that when they did a pip install upgrade, custodian --version didn't change. So this will, this test will make sure that the version in pyproject matches what we're, what we're saying.
C
No, that's, that's. My Crips, I may have boomed that one though, just.
C
Say thanks, thanks for working on it, because that, when I, when I saw the PR come in, I was planning to comment on it and say, hey, you know, it might make sense to try to break this up into separate PRs, separate, smaller PRs. But then all the functionality in there looked good, so I know we're working through a few things, and Mike, if there's anything that you want to, to bring up to talk through here, that's cool. Otherwise just want to say thanks for working on it, because it fixes a few.
E
I, I, you know, I thought about doing separate pull requests, but there are, you know, three different things going into the.
I
E
File, and then my branches get really complicated, so it was easier just to do it all at once, because I need all three of them. I, I was just testing the, the, your one comment about combining the two API calls together. Like I said, I think it's not gonna work, that there's some hidden thing in the AWS API.
E
That will not let you add and remove permissions at the same time, but if I'm wrong I'll fix that. So I'm technically off this week, so I'll get it all fixed up and pushed probably one day when I'm officially back.
E
And happy to contribute. More to come.
F
A
So I'm taking a screenshot because the guy who wrote it, he's always asking me, you know, we should, we should use that more, so I'm gonna give him the good news. Thanks for that. All right, let's see what else we got going on. A bunch of stuff. 78, 89, use case-insensitive checks for loud conditions and cross account filters. Oh, this was the one that was done by that student. I just wanted to give him a shout out that they have that here.
A
So very, I just thought that was really cool. And let's see, any outstanding issues that are biting anybody?
E
So if we got telling their, I think we might have briefly talked about it last time, the issues with some of the filters where, if there's an access denied error, it bombs out, like for S3, S3 permissions, what do you call it.
E
So I started working on them, but I was curious about, conceptually, like there, there are different ways you can handle it. I was just wondering if there was a right way of handling things like that, so that I don't, you know, develop some code only to have you guys tell me, no, we got a better way.
H
H
H
The other thing that you could do is potentially have a Lambda trigger on put bucket policy and, I guess, like, notify people, like, hey, you got to make sure that your bucket policy doesn't, isn't too restrictive. But if it, if they apply the bucket policy and you can't look at it, it's going to be hard to write an effective one, a, write an effective policy, I guess, to check that.
H
E
Yeah, and, and I kind of came to all those same conclusions, and it's actually nice to be able to reach out to somebody to say you've made it too secure, instead of not secure enough, but I'm concerned that, you know, some of the Cloud Custodian Jets will just not run through to completion in the interim, while people have screwed up bucket policies.
E
So it's easy enough to add a, at a thing that says, hey, don't, don't error out if it's access denied for these few filters that make individual API calls. See, the difference between, like, check public block and some of the other S3 filters is they're not all grabbed at the beginning and they're not all annotated with the C7 and access denied. So like, so philosophically, if, if I just ignore the access denied error here, it winds up matching this policy.
E
So it shows that your check public block controls are not set correctly, which may be true, may not be true. We don't know because of the access that. I me, I, I'm fine with that, because that means it's going to be on a list to go and check out it, right, and that's kind of what I was getting at. So Kapil raised the same. That's what I was getting at, like, is there a philosophy on what to do if there's an error evaluating a policy? Do you consider it a match or not a match?
F
I think they're, so there's a couple different ways to skin the cat. I think there is a more general question about how do we handle resources, and if I go back through, I think TJ actually is our Todd stencil, who sent here 23 minutes, I posed like that. We actually track resource level errors for whatever reason, and actually you stick those in optic, storage, outputs, structured outputs, and I think that actually has, makes a lot of sense. It does require it. It is a, it's a long tail cult.
F
Let's say it does required to sort of some degree, like, poor.
F
It on extant, let's say two, two, we'll get that one going through the flip side, at least in this particular case, and so that's, I think that's something we should drive towards. But in sort of the more immediate, like, hey, I'm dealing with this issue, what are the options per se, then there's a notion of using check permissions on the IAM role.
F
The custodian tornium as to validate that it has permissions. Doesn't operate well in this particular case, but it can operate like in this trailer case because very first level permissioning being the primary grant or deny, but it does operate from a more general perspective on, like, what permissions does, does the executing role have enough permissions, execute these policies, let's say. And the other part, like.
C
F
I don't know that we have a great other answer out for this particular one on check public, some like, well. Actually it won't. Let me, so I, I identified the definition of having his generic notion on policy level errors. Right now we do have an option of, like, on a one-off basis, around, like, action and filter level.
F
Errors like that generate outputs, but it's not, like, holistic, and so in that context, doing a one-off check here so that you can actually have some sort of output on that, it is potentially useful, where eventually the action itself is, has behavior that is recording those things and outputting them as well.
E
So I heard that as go ahead and put in the check to, to sort of ignore access guide, if it, you know, I.
F
E
F
There, if you're, if you want to do that, I would probably expose it as an option. For right now, it would be a throwaway option. It wouldn't be something that they want to do consistently, but I think in this particular context, like, you do, like, you do still want to match it by default per se to delete skip the behavior.
F
E
Okay, I think that's doable. And then I guess I'm not sure, like, I know S3 has the denied methods annotation, because there are so many of those API calls that it makes. Should I set that as well just to be consistent, or don't mess with it, because that's kind of a different mechanism?
F
I think it's actually reasonable to, to hit on, to, to use the annotation for sure. I think we, separately, like, S3 is one of the first resources from, I don't know, geez, like seven years ago, and I think we've learned that that was not the right way to go, say, as far as auto assembling all the documents versus making them separate filters, because we collect too much by default. Just knowing separately, there's a desire, I think, to have an ability to limit that annotation from within the policy itself.
F
E
E
The output are yelling at me about this one, so the sooner it's fixed, the better, and in the meantime I'm gonna do, I think, what Stephen was saying, which is just to look for that C7, have a policy that looks for the denied methods key being present. So at least we know which buckets are offensive.
I
George, I had a couple sure PRs just to get quick eyes on. Should be pretty minor stuff. I, sorry, I posted them in chat. I was trying to.
C
I
Yeah, so this one, it looks like it was approved. I think it's still just waiting on a merge. This is just to add a has statement functionality to EFS.
I
Thank you. I think maybe there was a check that may be stuck in a, it's hanging or something, so maybe just, yeah, yeah. And then the other one, yeah. This is one that jazz is working on. I think AJ had some feedback on this one, and just a heads up, I think Chaz made those changes, so it should be ready.
C
G
C
A
C
To get 7884 through first, because that one's like already. The, the other one, 79.39, I'll give another look. That one looked, I mean, I think I, I had to proved it as it was before. If you went and added something else, that's great. I'll take a, a quick look at it. I don't imagine there's a problem there. I'll try to get that one in there. Also thanks for mention of.
A
All right, if any of you are headed to AWS or want to hang out, feel free to ping me in Slack. We'd love to hang out with you, buy you dinner or something. With that, we will meet again in two weeks, so last chance, anything else?
C
A
Yeah, yep, in, in, in the Slack I create a hash events channel, and whatever event is upcoming, that's what will do it. So when we're at KubeCon we'll use that channel, when we're at re:Invent we'll just use that channel.
C
A
A
That's where we're going to put the "I'll meet you at the booth in 30 minutes" style conversations and stuff during conferences. So great, all right, and with that, happy holidays to those of you in the US that celebrate, and we'll be at re:Invent, so we'll see you all in two weeks. Thanks, everybody, appreciate you all coming out today. Cheers, thank.