From YouTube: Cloud Custodian Community Meeting 20230207
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
Check out our Slack for more info! http://slack.cloudcustodian.io
A: The recording is on. Welcome, everybody. This is the bi-weekly Cloud Custodian community meeting. A few quick things before we get started: this meeting is recorded and being broadcast on YouTube, so please be cognizant of that, and, as always, we're under the CNCF code of conduct, so please be excellent to each other.

A: Oh, this whole time? Hey, sorry, I was having some technical issues sharing. We're good to go now. Thank you. Let's see, let's grab these and...

A: And go as we go: does anybody have anything burning on fire that they need to bring up for everyone before we start looking at incoming work and PRs?

A: All right, the first is "AWS filter to annotate security configuration and filter with security configuration attributes."

C: Just a reminder to take a look at it again. Okay.

A: Okay, this one I know people wanted to talk about: "handle elastic IP ARN type delta", AJ.

F: Yeah, so Kapil had a more recent comment on that, and that checks out. The gist of that one is that the way that Shield handles, like, the ARNs that Shield expects specifically for elastic IP are a bit out of whack. I was trying to handle that from the Shield side, but it looks like Kapil's suggestion is to just subclass the Shield stuff in the EIP, the elastic IP side, and take care of any mismatches there, which seems fine too. It can tweak stuff there.

F: So that seems fine to me. So I think that just means kind of turning that PR inside out, effectively, and moving some stuff around, which seems okay. I am going to need... so I see Darren, you're on, I don't know who else from Intuit. I just don't have access to Shield Advanced data. You need, like, a subscription to get that stuff.

F: So once the stuff is in there, we're gonna need to get some tests together and get some recorded data, because it's going to be hard to fix that and verify that it's actually working without that.

F: Yeah, I'll try to get some tests in there, and then whether we try to sync up and, like, pair on the testing piece together or something, I don't know what'll be most sensible, but check in either on the PR or in Slack, sure, and try to figure something out. Yeah.

C: So for us, we have a question related to this whole ARN typing, though, which is: how do we know if this is the only API where, you know, it is out of whack and it doesn't follow the ARN type formatting? Okay, the PR that Kapil has put in, and I don't think it's possible to test everything, right?

G: I was gonna say we test ARNs based on IAM, effectively, yeah, and if a given service decides to go schizophrenic and embed their own ARN format, that (a) doesn't happen very often, but (b) we just have to deal with it as it happens, which is effectively what happened here, and I think in this particular case there was, like, a historical EIP allocation.

G: A compatibility thing, and the two services using different notions, but I...

G: ...something that would actually be very common per se. Now, on a general basis, we have a way of validating all ARNs per item, which is effectively the gold standard. So as far as our utilization of that is at the moment, simply on particular types and things. I mean, notionally we could go further, try to use, instead of just using it as a validator, use that library as a tool to help generate, but I feel like that's probably marginal value at this point versus just checking.

B: Yeah, it's a little bit scary because, I mean, we're kind of relying on documentation, and we've seen AWS docs be incorrect before. So it's like, you know, this could potentially have cascading effects, I guess, on other resources, which is, you know, we also kind of wanted some help in verifying that these changes are not...

B: You know, because we're touching things in VPC, like, we don't know from our side, you know, without digging super deep into the code, whether or not it's going to be affecting potentially other resources or other filters or other actions, like, say, security group, for example, like the used filter when you're listing out ENIs and doing matching based on that, or EIPs, if that's used somewhere else. Basically, it's a little bit scary that we caught this after the release, but yeah, just...

C: Turns out, to give you more context, right, that the PR that Kapil has created and we have merged, there are other things besides elastic IP in there. So then we caught the one with elastic IP, and then what about the rest? How do we know if there are other corner cases like this? Now, so we start looking at the different resources that were the ARN type for the different resources that were touched, and then trying to compare that.

C: Okay, now we have to go look through our hundreds of policies to see what policy might be affected by this, and it's not as straightforward as: okay, this policy is dealing with, you know, this resource that was changed in the PR, because, as he was saying, it might be a related resource, right. So there's really no easy way for us to really validate...

C: ...all of our policies are still working, and unfortunately we don't have a good way right now to, I guess, actively monitor all of the Lambda executions for all of our hundreds of policies across, you know, thousands of accounts right now, and even if we monitor the Lambda execution, there might still be cases where, let's say, either the filter or the action, it doesn't go through the flow where it will actually match.

B: Yeah, like, we may not get explicit runtime errors, basically, but yeah, just kind of wanted to raise it and, you know, just kind of run it through you guys, if there's any plans or ideas to make, like, testing more robust or hardened before releases, so we're not breaking existing policies, or, basically, you know, should we expect users to retest all of their policies on each release, or can we, you know, somehow, I don't know, catch it beforehand? I'm not sure, just curious if there's better ways to identify and kind of avoid gaps.

G: There's a lot of stuff done back there. So I heard a little bit about the previous ARN changes, which were when we corrected what were obviously incorrect ARNs to using the IAM reference, I believe. I'm not sure I understand what the concern there was. It sounded like, because EIP was there specifically around Shield, the question was about other resources and their changes, but in most cases those were obviously broken. It wasn't a compatibility constraint or concern like the EIP one.

G: It was very specific to that one resource. All the other ones were effectively, Charlie could tell, we're just not valid. Some of them had typos. Some of those were never correct, like there was a guess on the ARN because no one knew, and it was guessing, correct?

G: The specific changes about Shield are... but then I also heard about related resources, so in related filters, I don't know where that would come about, in the sense of related, typically by resource ID. In some cases, resources, you know, the ARN is the resource ID, but, like, that is, again, I think we're taking a very specific instance which had some history but was also fairly unique in that. From a monitoring perspective, like, there's also a question of, you can set up...

G: You know, log groups and streaming logs to aggregate to a central place. We could also look at metrics on the errors, on CloudWatch metrics, to see which ones you want to investigate. Those already have support for directly publishing to, like, a centralized region account setup. And then policy testing: we have a spec for it. You know, would love to see people, if people are interested in working on that, that's great. If I can find it, I think that we have a proposal.

G: You know, it's on a Google doc. If anyone else wants access to that Google doc, you can shout and they'll get it, but yeah. So 6407 is a proposal for policy testing as a tool that you can actually run to functionally test your policies.

G: So if that's something of interest and anyone wants to work on it, you know, we can definitely... I'm definitely happy to walk through it with anybody, deep dive session, and shepherd it through, but I also can't complete the implementation work myself. So definitely looking for contributors, that's...

B: Great, that's cool. And then so this, I guess, resource was probably missed because I think that the apply, you know, protection and then the filters, I guess we just weren't testing that for EIPs. Maybe it was just tested for other resources. I mean, it would have to be, right?

G: Well, generally, for a lot of other resources, we also have resource group tagging tests in place, which also effectively validate, like, the ARN. Like so, I mean, if we look at Shield resources, what do we have? We've got load balancers, CloudFronts, API gateways, and EIPs. For all the other ones, we actually have other tests that are going through to validate them, because we're using them for resource group tagging. Actually, there's one other one, I think there's... what is there, like a NAT thing there?

G: Well, Shield resources again, but other ones I just listed: load balancers, CloudFronts, API gateways. We have numerous other tests that you can use, and constructed, and consume the ARN against different APIs. So I don't know. Okay, so I'll... data for Route 53, EC2 instances. I don't think we actually use ARNs directly anywhere else, but I think we feel confident that those are correct, and then the one that I'm not sure about is Global Accelerator. That one might be worth looking at.

B: Yeah, just a test to, you know, for the filter and then also for the action, applying it specifically to the EIP resource. That would be the only thing, probably, that would have caught this, right?

C: Yeah, because, given the unit test is all using recording, so you will either catch it when you first do the recording, or then, you know, if things change or anything like that, the only way I would imagine is once you record it, you have to, like Kapil said, just, you know, the format of the ARN on the return, yeah.

G: And so ideally, like, if we knew that we needed a special construct around that particular ARN type, then we would have done that. The flip side is also release testing, I think, was another part of the original grouping of stuff, and so we have a set of functional tests, effectively. If you write a test with pytest-terraform, it gets marked as a functional test, and we effectively throw away the recordings and run it live using...

G: ...constructs. Just, you can do it mainly with... it can be done without the terraform setup, but it's better with, because it's less recorded data that we have to deal with, and so, if you're looking at stats characters, those represent sort of that.

G: We used to have them running nightly, and they were running in a community account just for this purpose. I don't know if they've been, like... wait, there was at least one with setting up Kubernetes that caused it to go flaky for a bit. I think Sunny may have fixed that. I think there's a separate... but I don't think it's a type of question there. How visible are those?

G: How visible are those test results? So we've been moving most of our CI infrastructure directly into GitHub, GitHub Actions, and I think we're trying to talk to CNCF separately about CNCF basically paying the bill on that, because it's a couple hundred bucks a month, and it'll be good just to have, as you know, project resources as opposed to corporate resources.

G: So from a commissioning and executing it, everyone can, anyone can run it. It's `make ftest`, I think, on CLI. Let me check myself, and yeah, they get to us on CLI. CLI is the entry point. We just have to have some form of it ideally running out of GitHub Actions. Recently, as part of the doc build, there is now... we now publish... we now have a, like...

G: You know, OIDC credential provider on that community account, such that the actions can access that environment. I think there's actually a separate... I think the functional test running is actually running in a separate account, just to keep it clean from, like, the website, in case you have to, like, run a mugc or something to clean up, but TL;DR, it's there.

G: It's not clear that it's fully paid attention to, or that it's fully accessible in a public way on the results. Flip side is, it is easy for anyone to run. Would it have caught this? No. Part of this is the fact that Shield requires a three thousand dollar payment to even get enabled, which causes issues for work. Yeah.

B: We basically are holding off on this 9.22 upgrade because we have some production policies that are using, you know, enable Shield on EIP filter and then also the action. I think this PR, from what I was seeing, is looking pretty good, AJ. It sounds like you need to make some changes, and then we need to help out with some of the describe...

B: You know, Shield resources, you know, output. But is this something we think we can get as part of the next release? Which I'm guessing is probably, I don't know, a couple weeks out or something.

G: Yeah, I think so. Generally we target middle of the week, so yeah, I guess that would ideally be next week.

F: The service of better overall ARN type testing, so it feels like, even though this was a misstep because of a very specific combination of factors, I think, overall, that change makes things more testable and more reliable, which is cool. But something, release testing, that might be worth doing if you're holding off on this stuff is, I mean, dry-running a whole policy suite and comparing resource counts from one version to another.

F: Wouldn't catch the action, that's true, but you were saying that the filter was misfiring also, yeah.

B: Yeah, we caught it through the action because there was, like, a hard runtime error there, but I'm thinking also, if we had those describe calls for EIP and we had a specific test for EIP, that would have also caught this, right? Like, I keep coming back to that, because it's like, if there was, you know, basically a test against EIP, like, apply, you know, run the filter and then apply the action. Yeah, get the describe output, and then that's a test case. It would have caught the ARN change.

F: About there being multiple types for multiple resource types that Shield protects, yeah.

F: There was a test for elastic IPs. There was a test for testing the Shield filter. There is a test for enabling Shield, but the EIP test didn't account for a Shield-specific ARN, because they wouldn't, and the Shield tests weren't targeting EIP, because they were targeting... they were listing protections. They were enabling protections, but not EIP.

F: But it's fair. I mean, I don't want to say that the question isn't fair, because it is.

B: Okay, cool, so we'll probably just hold off until we get the next, you know, version upgrade, and then any help you need with the fix, yeah, just let us know. We can provide some stuff to you guys. Yeah, we were thinking about exploring, like, oh, we could explore, like, Firewall Manager, because Firewall Manager actually applies Shield to EIPs, and then, you know, move forward with this upgrade, but we think it'd be better just to wait until we have, you know, the clean fix for this one. But yeah.

F: Thanks for reporting it, because, I mean, obviously we would not have come across it without using that resource.

A: Didn't we talk about this one before, recently, right?

H: But I think my feedback on this PR was that it was handling a specific quota as opposed to handling all quotas. Here, like, there's a specific, like, yeah, that line there, 175.

H: I mean, I didn't see this addressed, nor did I get a response back on this. So...

H: I mean, Darren, if you're hitting this as well in your environment, it's probably easier for you to test. Like, I don't, you know, I'm operating, like, a small sandbox, really, so I...

D: I actually tested this PR a couple of months ago, and it fixed a problem at Intuit. Works.

C: Yeah, but I think Sunny's point is so valid, though, that we don't want to put in code that's, like, hard-coding, let's say, this, quote-unquote, if there are other scenarios that will have the same problem, right?

H: But I mean, yeah, Darren, or whatever, if, you know, if you want to take a look, like, you can feel free to review it as well, like.

D: I mean, it was very... you know, even the sample code in the documentation doesn't work right now, and I just ran against the sample code, and yeah, and I just pulled this PR, you know, without really reading it. I just pulled this and it worked. So now, going inside the code and, you know, what's right and write it, I didn't really spend time on that.

C: Let me make it my action item, then, to take a look at the code to see if we can answer some of Sunny's questions here.

C: Like Sunny said, it'd be hard for him to actually test this and fully understand this, since he doesn't have this problem on his account.

G: I had, out of curiosity, if anyone had any issues with the main, the master-to-main rename. I couldn't hear any complaints or concerns, so I'm assuming it just worked for everybody.

A: Yeah, I was too busy to do the intro and stuff when I was wrestling with my browser, but I followed exactly what GitHub said, and it was like... it worked.

G: A button, yeah, it made it pretty seamless, and everyone got to check out on it. I think that's a little... or commit access on the repo, it gets that little pop-up on how to switch your repo or your checkout to pull from new, yeah.

F: Yeah, I think I did hit one issue because I did a blind copy-paste. I think I mentioned this in Slack, because I've run that thing on other repos fine, you know, the rename, but I had origin pointing to my fork and upstream pointing to the other one. So I did the rebase and it blew up.

B: I had to call out for one PR I posted in the chat. It's already approved. I think it's looking pretty good, but wondering if we can quickly check that out. We might add another test case to this one. Click on... if you click on the files changed, yeah, I got you.

B: So we're not sure this might break backward compatibility. Basically, Jazz, the guy that put this PR in, is going to retest it, but right now it's expecting that role ARN, so when it tries to pull that role ARN... Basically, we have other policies that are using this subscription filter, but when it tries to pull that role ARN, I believe it's going to be None, passing None in there, so this might actually break. That's...

B: I asked him to add the test case of basically when there is no role provided, so it doesn't break backward compatibility.

B: Hopefully there's no issues with it, but if there is an issue with that, you know, case, then we'll probably need to modify this logic a little bit. So just to call out to maybe put this on hold, don't merge it yet.

E: Cool, added a comment there, and I'll go ahead and remove or dismiss the approval. Cool.

A: All right, and with that, unless anybody has any other agenda, I'll give 22 minutes back. Going once, going twice. Quick reminder for those of you watching on video, if you stay to the end: if you're headed towards KubeCon, Kapil and I will be manning the Cloud Custodian booth. So if you want to come hang out, spend some time with us, get your hands on some stickers, that kind of stuff, we're always looking for more volunteers to help out with the booth and stuff like that.