From YouTube: Cloud Custodian Community Meeting 2023-07-11
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting in both GitHub Discussions and in HackMD:
- https://github.com/orgs/cloud-custodian/discussions
- https://hackmd.io/@c7n
Check out our Slack for more info! http://slack.cloudcustodian.io
A
Okay, as far as agenda items, normal, normal intros, to have notes on three seven, we did have a couple issues come through on, on S3 buckets. We don't need to go into them in detail on this call, but one of them is, Jerry, is the issue that you, the pull request that you have open for a bucket replication filter, and I think I owe Jerry a bit more detail around the suggestions here. But it looks like in this, in this pull request, we're using get bucket replication to fetch the replication details per bucket, and as part of the core set of augments that S3 performs by default, we already pull in replication information, so we should be able to reuse some of that. And then, since a lot of the functionality that that's, that that filter is trying to add is around determining same versus cross region replication.
We do need to find the region of the, the destination bucket, and for that, the easiest way from the AWS API side is to use a get bucket location call. But I know we've had some issues assuming that we'll have that access in the past, and so I'm linking in the notes this other, it's just an example of hitting that issue. It was specific to GovCloud, but it's, but when we had some issues with determining regions for output buckets, we used a, an inspect bucket region utility function that uses HTTP HEAD requests rather than the AWS API calls to figure out a bucket region, and we should be able to do that and save on some API call volume and also avoid needing certain permissions. You should be able to use those HTTP HEAD requests and that utility function to find out a destination bucket region, and that, hopefully, will make things a little bit, it'll avoid some holes we can fall in, and it should make things a little bit friendlier. But I think Jerry had a, a good point.
That may be a bit in the weeds, but hopefully, hopefully each area, that's of use, and I'll give you a better comment. Anybody have any S3 region questions, comments, concerns?
B
You suggesting is your suggestion. Is you the client to call another API to get the IC package, you the endpoint, and then we inject and pull into this function to get the reason. That's usually, yeah.
A
We need to make an HTTP HEAD request somewhere, and that's going to be whichever S3 endpoint we're targeting, which might be, it might be just like S3 dot Amazon aws.com if you're in a US region, or if you're in GovCloud, it might be something else. And so we want to make sure we're targeting the right partition, and we can grab that endpoint from the, from the execution context. So I can get a, I'll just add a, like a comment in here, how we can get to that. Okay, from the filter context, how we can get back to, to figure out the endpoint. Okay.
B
A
No, sure, that's a good question too. So when we, when you write any policy against the S3 resource, it's going to call this assemble bucket function, which goes through this whole augment table, and it does a bunch of things. So it'll call get bucket location and store the results in the location key, it'll call get bucket tagging and store the results in a tag key, for every resource. Okay.
D
A
If we're looking at location information, then we should already have that information in the location key on a resource, because it would have tried calling get bucket location when we, when we target the bucket. So that's, that's on the, on the source bucket, I guess we would already have that pocket.
So we have that information, and then you had in, in that PR there was, there was a spot in there where it said, you know, if the, if that annotation isn't present, then we need to make this get bucket location call. So I was saying, well, if we use location as that annotation key, then it'll look there and it'll already see the detail that it got from the beginning, and so we'll need to call get bucket location again, or sorry, or get bucket replication again.
So, you know, we could do that. It's kind of cheating, but, and it, it, it assumes, it assumes that that information is going to just be there in location. So I don't know, I was thinking we might try, I mean, maybe there's, maybe it would be smoother, and if other folks on the call have opinions on this, you know, alternatives are welcome. We could either just use location here and then lean on the information that we got from that initial assemble bucket stuff, or we could try to, if there's something in location, we could copy it to C7 and bucket replication, and then, if it's not there, we can try fetching it again. I think if it's not there and we try fetching it again, we're probably going to run into whatever issue it hit during the initial fetch anyway.
But, oh, you know what I'm realizing, I called it location, but what I meant was this get bucket replication, because we were, we were talking about location and replication configuration, I was referencing one and calling it the other. But we do, we do pick this information up when we put a bucket together, just because the, the default, like for most resources, if you call describe instances or something for EC2, you get back a bunch of useful information. If you call list buckets for S3, all you really get is a bucket name. You've got to make extra API calls to get anything useful. So that's why, from the Custodian perspective, S3 is a little bit weird and you have to do all this junk to get a usable resource. And I know we've had some back and forth over how many of these augments we should have in by default, but right now we do a bunch, which is why S3 policies are kind of slower to execute, also because it has to do all this stuff.
C
AJ, can I ask an off-the-wall question? Yeah, sure, love it. So we often get these requests like, hey, can you ensure that people are only attaching buckets that we own, that are in our account list? I don't know of a way to do that, because if I live as a name of a bucket, I cannot get the account list, right? I can't copy a journey account.
Yeah, that would be an awesome attack method, but I don't think that's what we want. Okay, yeah, I keep pushing back and saying that's not a realistic approach for us, but I, and I don't like the idea of, let's get a list of things static and then pretend like it's going to be, you know, correct when we look at the second time. All right. Thank.
A
You, I appreciate it, that's tricky, sure. No, that's a good question. I think that that kind of question has come up before, and I think Jerry's, I think that that this, this PR in general is, is trying to find some amount of information, so Jerry, when you, you write a filter like this.
B
We're just looking for, we're really just looking for the replication rule, make sure it's across region. Okay.
And I, I, actually this issue was created by another user, and he's saying, oh, can we add functionality to the cross region.
A
All right, well, I mean, hey, thanks for, thanks for jumping on it. Does, if anybody else, because I, I always feel hesitant to say no, if you have a bucket name, you can't, you can't figure out the owner, because I feel like there's always some weird way, whether it's an official way or whether it's some weird back channel way. Since we're on a recording, does anyone know of a way to do that, that, to just take a bucket name and figure out who the owner is? That's, that's not super shady.
F
I would assume not, due to the, I mean, typically, people tend to treat the account number as semi-private. I think AWS does that as well, so it's, I would be surprised if there's a way, but I'm not 100% confident in that either, like, I'm sure somebody's got some way to do it.
A
Yeah, yeah, that's where it was land too. It's like you want to say, well, no, there's no, there's no way to do this, and then someone says, well, actually, there's, they just released this thing, you can do it. So, okay. So as far as we know, there's not a way to do that, so, and that seems by design and, and safer.
B
A
Go back, yeah, yeah, I mean replication. I'm talking through it, I'm like, yeah, I totally type the, this. These two should be replication. I'll edit that, because you're, you're right, and that's, that's making a, making a comment more confusing than it needs to be. But yes, replication, not location. Okay.
You, thank you. Anybody else, any questions or concerns around this one, S3 stuff?
Well, yeah, thanks for that one, and that just happened to tie into some other, other issues that had come up before. I don't know, does anyone else have issues or PRs that you'd like to bring up?
D
Yeah, I was hoping to plug one PR, and that's for AWS Connect. Was it Connect campaigns.
B
A
Yeah, but this looks okay. Anybody else happen to be familiar with, with Connect campaigns?
D
I back, okay, sweet. So yeah, I think it's pretty simple. They're the KMS filter, I think, which is, you know, kind of a non-standard thing, but yeah, that KMS related key thing. It.
The original, like, described call, so that's why it's done differently.
A
Filter, yeah, so that's, so we have to get Connect instance config, okay, and we're in nuts. Oh, oh, so we use, we're using instance config for both of these filters, then, yes, okay. Is that something, is instance config something that you would expect to have all the time? Wondering if it would be, like, worth putting it as a detail spec or something, so that we always pulled it, or if it's worth keeping at the.
D
That I'm not sure, I'm not super familiar with this. It was worked on, it was, I'm trying to push this on behalf of, kind of, a colleague. I didn't, I didn't write this PR.
A
Oh, oh yeah, thanks for, well, thanks for writing. It, yeah.
B
A
All right, yeah, thanks for the, the highlight on that one. Any other ones, any other issues, PRs?
E
Hey, I, I want to bring up the, the question that I, I raised in the chat room about the release cadence. Sure, yeah. So I think we previously discussed you, we tried to meet the cadence, like monthly release skaters, and was that, like, Satan second week? Second, remember, it was like we cook the, the meeting like we have, right.
A
Yeah, yeah, we still don't have, like, a, we still don't have automated releases to fire on a specific date. I think it was just, there was just a loose, like, yeah, we'll look for a monthly release, we'll aim around the second week. I know the past couple, it was slipping a bit later, and I think that's just a thing that's going to happen. I think once there's, once the release is automated and set on a schedule, then we can make it a little bit more predictable. Right now, it's just roughly monthly, and then we have, we have these, these things every couple weeks to just kind of highlight in any issues that are coming up, right.
E
You're just curious, we have a, you know, we try to schedule or, or, you know, upgrade our internal upgrade align with your recycle. It's just the last two.
A
E
Was already off, and we couldn't really do or schedule. So, so that means the second week, I guess it was supposed to be last week or this week or this month.
A
Yeah, I don't, I don't know. I feel like we just had one, but maybe, let's see, when was the last one. Okay, so we're two weeks ago, two weeks ago, on the latest release, so yeah, I would not expect a release this week. I don't know, I don't know when the next one would go out. I mean, we might be, we might just go till, till August and try to get back on that second week, but I don't know, I don't know that a specific week is going to be reliable for setting up your own maintenance, though. I don't, I just don't think we're at that point where we wanna have people set up schedules banking on that.
E
It's just because, well, you know, in the last three, this was delayed because in such and such and, but we still try to meet the, the regular release cadence in, in, you know, July, even it's only two weeks apart, or because it was just two weeks ago, let's skip this month. So this is not something, like, we cannot really predict, right. So I.
A
Yeah, well, that's actually, so that's a good question. I don't know if, because we had one a couple weeks ago, we'll do one at the end of July and to keep that so it's roughly a month apart, or if we'll just say, well, you know, we don't have critical changes coming out, let's push it until August and get back on the second week. That's, that's a fair question and I don't have an answer, but I did, I talked to Kapil a little bit before this got started just about, I think, you know, if there's any, if anybody has anything pressing to bring up, just take it back and check in with him, and I think really schedule's worth talking through. Maybe we'll just comment in that, in that thread that you already opened, and then, if there are any updates, you'll see them there in Slack.
E
Okay, so in terms of the second, the second week, I always have a program counting, like, is this the second week or, so technically this week started like, like Saturday or Sunday this month, and anything, maybe, I don't know, maybe better expect, like, the, the first week of the meeting. So I mean, in that case it's in August. We have a meeting scheduled in Tuesday, August 8th, so, like, release will be age or.
A
Yeah, well, and if we were going to set up something with a, with an automated release on a, on a regular schedule, I would think we'd do something like, well, the 10th of a month or something, you know, is something where it was, where it was a lot easier to just, to sync up with. I mean, Sunny, you may have thoughts on this. I, I don't know if you have anything you'd want to add there.
F
Yeah, I think maybe the, the first non-community meeting week of the month is probably best. I mean, we usually don't run, because, I mean, if we're talking like we want to release like second Tuesday of the week or something, or sorry, second Tuesday of the month, it is, I mean, like I said, it can be a little bit ambiguous, I suppose.
But we all know when the community meeting is, so this first Tuesday without a community meeting of the month, I think, probably sounds, I mean, I don't think it'd be too frequent. It would still be once, once a month, it just may land on the first week or the second week here and there. But I mean, personally, like in terms of doing the release process, I, I think at least let's, like, I would rather do that than land it on a community meeting week, because it, ideally the week before, everybody that had PRs that, you know, they had whatever suggestions or, or needed to get in should get in, and then we'll, we'll cut the release. And also, like, just in terms of timing, like, if we don't have a community meeting, then, you know, maintainers are able to, to push the release out, even though it's not as tedious as it was before. It's just.
A
E
So first I.
G
Wonder if it, I wonder if it's, to help naito here with the planning, if it makes sense to have some sort of, it might not matter if it's on the cons, on the date, but maybe it's giving a heads up on, hey, this month, we plan to have a release. Let's just say it's gonna be on this date, right? That way people who need to plan for it, they can plan for it, and then, of course, if update need to happen, we need to delay the, the, the release, then we can update it and communicate it somehow. But I think the main thing here is, now he's just trying to see, just like, hey, for this given month, is that, is there a plan release? Would.
E
G
Think that's what Santa is suggesting, and, and what I'm saying is, I think it's just a matter of communicating it too, because let's say that's what you're aiming for, but then let's say we just can't do it, and, and then I think it's just to say, okay, this month we don't have, we don't have a release, because my understanding is, hey.
E
Yeah, if, if it's always the first half of the month, I mean, no matter what, right, like, even for the August, for example, even we, we have a release in July 31st.
A
I did say so, Kent's not on, but I know he's been adding some, he's been looking to add some mailer destinations between Jira and the MS Graph API. I know there was some back and forth on that stuff.