From YouTube: Cloud Custodian Community Meeting 2023-05-02
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
Check out our Slack for more info! http://slack.cloudcustodian.io
A
A
So, hey everybody, officially welcome to the May 2nd community meeting for Cloud Custodian. Hello, these. If anyone, if it's anyone's first meeting or if it's been a while since you joined in, you can jump in and say hello, do some intros. Before we get started, we should say we are subject to the CNCF code of conduct which, in honor of George, just "be excellent to each other" is the name of the game there. Does anyone want to jump in with some intros?
B
Yeah, hey, I'm Ryan, I'm a senior engineer at Capital One, and I do have something to add to the agenda, if possible, about an action I would like to add, if possible.
A
That would be helpful, but awesome, thanks. And I think Dave, that's what, David, that's the one you were talking about. Great, we'll add that one, and hey, welcome. This is a, thanks for joining in.
C
I think I can just say hi, introduce myself, since this is my first time joining this meeting. I work at Altruist as a staff cloud engineer and currently working on certain things related to this community work. So thank you for the opportunity to be part of that with this community. Sorry.
A
All right, so what we've got in the meeting link here, I will put the, you know, I usually put the meeting link in the chat, put it in here so that it gets, so that it gets into our recording here. We've got a weekly report here. This is just what's been going on, issues and PRs open and closed, since last time we got together.
A
I know in the meantime we've had KubeCon going on, also a little bit of a Custodian representation there. Kapil, is there anything you'd like to say from any of the KubeCon stuff?
D
D
I'll do in a second to go figure this thing out.
D
I've been traveling for like two weeks, so I honestly. Definitely remember. I really didn't want anything alone, but those are the slides. I don't know that there was anything in particular of note, combat stuff.
D
It's mostly just like a review on PRs and some of the things that we've had done. I've done a lot of work in release engineering, new providers and c7n-left and Tencent Cloud, and wrote that, on some of the things with regards to doing preventative controls for what CloudFormation hooks for AWS and slowing.
D
Azure SDKs, more resources for GCP, and for the shift left, of getting Cloud information support in, yeah, of course, and trading shift blocks, as distinct from cloud Rush house. Just on the basis of someone as a preventative.
A
Thanks. I don't see any, so if anybody sees a, other than that stuff, is there, is there any particular issues or PRs that seem particularly interesting to folks, or you have questions about them? Feel free to stay at the mop, feel free to jump in, or you all should be able to reference specific issues here, and we can talk about it more. Otherwise, we can go to the one that Ryan was asking about, which I guess sounds like you already took a look at it.
A
B
Cool, yeah, yeah, I was just looking for general feedback, since this is my first kind of change I'd be making here, and can I make. So when we do something like update environment, can I have it update like anything available within that function? The update function, yep.
D
There's like a technique as well for, like, if, I don't know how many parameters there are, but there's like 50 parameters and then they potentially change. We do this thing where we like, let, like basically pass them like a JSON arbitrary map, but we use the SDK's shape to validate. I'll see if I can find an example. I don't know how many parameters there are, there's only like a couple, then you know, you just enumerate them in the schema, but I.
F
B
Sure, but yeah, there's an example. That'd be great, but you know, yeah, I can figure it.
E
A
Yeah, I think, I think the restrictions, but he just went mute, yeah. We can try to, so Kapil, you're gonna look for an example. I know we've got some existing update or modify actions across other resources that may have PR set of useful references that are or different ways of attacking it.
A
Cool, thanks for coming right out of the gate with an issue and a PR and it works down. That's awesome.
A
F
AJ, I will jump in. My name is Sonia Guardian. I, this is the first meeting I attend, so I've been using Custodian for, I guess, almost three years. You participate sometimes on the Slack conversation, being annoying to you guys, but so not know what to expect. I'm here, make me maybe entertain. Let's see.
A
Well, thanks for coming. You, you mentioned it just like, oh yeah, I've been in the Slack. You've been all over the place, the Slack, the Gitter, the, that's, you're offering answers, asking questions. It's great, glad to see you here, thanks.
A
Okay, so we were just talking about adding an action to Airflow to modify, to update an environment. Here, we're just looking at other PRs that are open and closed, PRs and issues, if there's anything particularly worth discussing or if anyone has comments or questions about anything in there.
A
One thing is, and only Sonia, because you mentioned the asking questions in Slack: what I'm trying to keep in mind, and everyone, since we're recording the call, this will kind of keep me honest, is if we have some questions come in that seem like it would be really nice to be able to just point someone to a doc that would answer that question, trying to keep in mind that little doc PRs are a good thing.
A
So, if there's anything that you, anybody on this call or anybody watching the recording after the fact, you go to look at something, and you realize, oh, this filter, this action isn't super, isn't super clear, doc PRs are super
A
welcome. If you're not sure how to get to the point where you can submit a doc PR, asking in Slack and saying "I'd like to contribute a doc update" is probably the easiest way to get some help, because making the docs better is happy time for everybody, and the questions that feed into those doc updates are great too. And Sonia, thanks for your help, because I know you've asked questions but also answered plenty.
A
For sure. Patricia, the issue that you were running into with the caching stuff, I know that was a bit of a gnarly one that might be a bit deep to get into on this call, but maybe it's a great time, so yeah.
E
I was kind of meaning to ask you how to go about the test case on that, because the test would have to be pulling data from cache. I saw there was a setting that said cache is true that I think might be worth taking a look at, but I'm not sure how to add a test that would look up things from the cache itself to fill.
A
Any idea, I think that we would be able to do it if we had multiple policies and in the config we gave it, we gave it an in-memory cache option. I think we could do this together to, so, so recap.
A
A quick recap of this issue is that we have a KMS-related filter that we can use against resources like SNS or SQS, and try to make assertions about the key that was used to encrypt a resource. That is looking at one target resource, like SNS in your case, or any other resource, and then it needs to make another lookup against KMS keys, and if we already have KMS keys in the cache, and we have keys that we're referencing in an SNS topic purely by the alias.
A
We're running into the issue, and it was like a specific confluence of factors: we needed to have keys in the cache, we needed to reference them only by alias, and in that, like in that unique combination of factors, we would whiff on the lookup and that it would report nothing, yeah.
E
The cache would return an empty list, which, and Custodian would print a warning message saying this alias wasn't found, although that alias was there in the account.
A
Yeah, I think in one of the, so production, I know you opened the PR and then I was thinking, oh, I know I pushed something to it and I think ended up rolling it back with adding the memory cache, but yeah, because it does use the null cache by default. So we would never.
B
A
Okay, but yeah, we will, I'll try. So if I get a, I try to get a failing test or get a test committed for that one that would have reproduced the issue without the change, maybe that's a good start, and then hopefully, with this change, it fixes it. But in your environment, is this thing working now as is, or are you still running some tests?
A
Okay, that's a fun one anyway, but in the meantime, can we bring up copying related tags? Yeah, I'm not, is there, that just got reopened.
A
So David, do you have something, what's going on with this one?
D
B
A
All right, other than those, does anybody else have any particular questions, fun PRs or issues to raise?
A
D
D
We treat them as global because they had global discovery endpoints for most of the things, and things like just keep moving away from that to more regional, like resources that are online, containing the single, like APIs that only look at resources in, into the region, and which makes sense, and it's totally fine, but some of the PRs that were coming up were trying to mimic the global semantic by effectively fetching all the regions and then get all the resources from each region.
D
I think what we want to do is just pass in, like pass through on the dash R region flag to GCP, and then speaking with the Alias on all what that's going to mean for existing resources that are, that are, is a little bit unclear. So I think most of them will be fine, like it will have compatibility, like if questions is.
D
And you don't pass over again: we changes to Magic on an existing one that was treated as global and we switched to regional. How does that affect Banks? And it's still not 100% clear, but effectively we're gonna have to document it, and maybe we use this opportunity to earn against the docs. We saw the GCP provider labels beta, so we can also use this to help debate label as we do this change. That was the only thing that sort of came up as significant behind.
A
D
Is separate, you can generally see that the Steve Works differently, since the principal can have different access to different environments, but typically we only operate on a given project that is passed in, typically the environment variable, right, and so we don't typically, unless you're c7n-org, you would typically see multi resources across multiple projects.
E
A
All right, cool. Patrician, David, you both got kicked. You got kicked together.
A
Yeah, but we were talking a little bit about this guy, about this 6667 with the, oh, David. It sounds like you, you're still hitting that, and I think Kapil, you're asking if it was with clusters or instances or what.
D
D
A
E
A
E
It's still an issue. I haven't got a chance to, like, look into it yet, but it's still happening though. Yeah, try to take a look at this. We can see. I ran a couple at Center PR for this issue a while back, so I'm not sure if that's something, yeah, I'll take a look.
A
E
Yeah, a few folks showed some interest in this. I think there is some more work that needs to happen.
E
Is there anything that might be blocking this PR, except for the comments that you have mentioned about exporting queries into the output file, output location, for audit purposes?
D
D
It would be a nice citizen, but let everyone also work on it. Let me know to defer.
A
D
Other, sorry, there's one more thing about this, and that was making value, the value filter, each provider. So that way, like we have certain semantics around like value from S3 and other things, but the way we wire a value provider.
D
Currently it's like a, it's wired in its global effective way, so it'd be nice to, these instruments were able to customize it on the provided basis, so we're not leaking in to other providers. That's actually been an issue somewhat recently. In the last few months we've had, we've been picking up boto dependencies, especially for the other providers, and we want to try to turn down on that. The actual term down on the plan is actually it's going to be.
A
D
As questions like how to, what's the wiring you look like, is it, could it be like, do we let the providers like poke the type as they get registered, to sort of like inject? That type of thing might be the easiest way to do it, and yeah, right now it's hard coded into the base registry, if I want to correctly, so yeah, mechanics.
A
A
Anything else? Oh, I did have a question for the group about, sort of related to this now thing. Does anyone on this call use now as a tag value in real-time policies? You do, you do, production, okay, yeah, just to show like a last modified or something like that. So do you use those, you run those out of like CloudTrail mode or something? Yep, okay, you're running out of CloudTrail mode, and where you set the now, do you have just the curly braces now?
A
E
Let me check that, one second. Yeah, I think we have double curly braces. We used to have single curly braces, but it was broken at one point and we decided to move everything to double curly braces. Gotcha, yeah.
A
That's, I was curious if people have been sort of organically coming across that. I know it's come up in a couple issues or discussions too, that if you have a Lambda mode policy and you have that now, it's getting interpolated when you provision, so it would, it would be kind of like populating with your provision time instead of the runtime, yeah.
A
With this, you got that, okay, yeah, so that's the way to do it now, so this PR is kind of trying to avoid the need for that, while that'll still work. We just, it feels like a very minor foot gun, maybe like a gentle padded foot hammer, to run into that now.
E
C
A
Didn't know, so, if there was, would there ever be a time that you or anyone else on this call can imagine actually wanting the existing behavior, where the single brace interpolates like the provision time of the function? Can you think of a time when you would want that, or you pretty much, if you're doing it, you always want that run time?
A
Silence is fine, but I really, I wasn't, no, is that, is that the now now now.
A
C
A
A
So you need those double braces to make sure that it doesn't do that, so that it can go into now when the policy runs, and that feels like what people would generally want. I just didn't know if I was oversimplifying it, and maybe sometimes people actually want the provisioning time date stamp.
A
See you later, Darren, thanks. But it sounds like you don't, yeah, and that works for me.
E
Sorry, I got kicked out at that point, but what was the proposed way to go for it?
A
I think, so I would be curious to see if the PR as it stands right now works in your environment and actually avoids the issue that you were running into, yep, and I'm also going to try to get a test in that uses an in-memory cache to kind of recreate the issue that you were seeing without the change and hopefully fix it with the change, just to confirm that it's doing what we think it's doing.
A
So, if I come from the test side and you come from the real environment side and it works in both cases, then hopefully we feel good pushing it. Yeah.
E
E
Cool, I'll try to get that tested today and I'll get back to you on that PR.
A
Okay, thanks, David, yeah, we were talking about the copy related tag issue. It sounds like there's not, I mean, if you have anything to add to it, any specific comments, go forward it, but it sounded like we had an issue producer said you're still running into it.
D
A
Sorry, no, that's fine, because now that you mentioned it, I do remember seeing something with that go by, oh.
D
A
Oh yeah, oh see, so this one said, or said RDS in the policy. I remember this confusing me actually, so it said RDS in the issue description, but then the details were all talking about Redshift, so it may be the same issue. Maybe someone hitting it with multiple resources.
D
Like I think the fix that got originally proposed for this was trying to fix it and specific to RDS, but it might be better for us to try to fix it lower, lower down inside of query.py, like if we get, if we know it's a scalar Service app filter that we just, and we haven't explosive identities, that we just looked through them.
D
I think that was trying to prevent, like, exploding on API calls if there was like 50 of them or something, but I don't know that, I don't know the point. Solutions are gonna fix this holistically.
D
Yeah, I just, like we try to do it at a per-resource level, but like you can copy from, a copy related could go from a couple different either side, and it happens across potentially multiple cases. It might be better just to get a holistic fix at a lower level.