@andrewalexander
Created September 21, 2017 20:45
Custodian Security Group Issue
policies:
  - name: ec2-invalid-sg-report
    resource: ec2
    description: |
      Find all EC2 instances that are using soon-to-be-deprecated SGs
    filters:
      - type: value
        key: tag:ApplicationGroup
        value: ANDREWSTESTAPPLICATIONGROUP
        op: equal
      - type: security-group
        key: GroupName
        value: "LegacySecurityGroup-Common-Service"
        op: equal
    actions:
      - type: modify-security-groups
        add: sg-bdca74ce
        remove: matched
        # isolation-group: sg-bdca74ce  # This line is used in case the last SG is removed.
$ custodian validate ec2-replace-old-all-instances.yml
2017-09-19 16:54:19,685: custodian.commands:ERROR Configuration invalid: ec2-replace-old-all-instances.yml
2017-09-19 16:54:19,687: custodian.commands:ERROR {'add': 'sg-bdca74ce', 'type': 'modify-security-groups', 'remove': 'matched'} is valid under each of {u'required': [u'add']}, {u'required': [u'add', u'remove']}
Failed validating u'oneOf' in schema[8]:
{u'additionalProperties': False,
u'oneOf': [{u'required': [u'isolation-group', u'remove']},
{u'required': [u'add', u'remove']},
{u'required': [u'add']}],
u'properties': {u'add': {u'oneOf': [{u'pattern': u'^sg-*',
u'type': u'string'},
{u'items': {u'pattern': u'^sg-*',
u'type': u'string'},
u'type': u'array'}]},
u'isolation-group': {u'oneOf': [{u'pattern': u'^sg-*',
u'type': u'string'},
{u'items': {u'pattern': u'^sg-*',
u'type': u'string'},
u'type': u'array'}]},
u'remove': {u'oneOf': [{u'items': {u'pattern': u'^sg-*',
u'type': u'string'},
u'type': u'array'},
{u'enum': [u'matched',
u'all',
{u'pattern': u'^sg-*',
u'type': u'string'}]}]},
u'type': {u'enum': [u'modify-security-groups']}},
u'type': u'object'}
On instance:
{'add': 'sg-bdca74ce',
'remove': 'matched',
'type': 'modify-security-groups'}
2017-09-19 16:54:19,687: custodian.commands:ERROR ec2-invalid-sg-report
2017-09-19 19:57:34,539: root:ERROR specific_error failed, traceback, followed by fallback
Traceback (most recent call last):
File "/Users/andrew/anaconda3/envs/python36/lib/python3.6/site-packages/c7n/schema.py", line 61, in validate
resp = specific_error(errors[0])
File "/Users/andrew/anaconda3/envs/python36/lib/python3.6/site-packages/c7n/schema.py", line 108, in specific_error
return specific_error(e)
File "/Users/andrew/anaconda3/envs/python36/lib/python3.6/site-packages/c7n/schema.py", line 128, in specific_error
if e.absolute_schema_path[vidx] == found:
IndexError: deque index out of range
2017-09-19 19:57:34,834: custodian.commands:ERROR Configuration invalid: ec2-replace-old-all-instances.yml
2017-09-19 19:57:34,836: custodian.commands:ERROR {'name': 'ec2-invalid-sg-report', 'resource': 'ec2', 'description': 'Find all EC2 instances that are using soon-to-be-deprecated SGs\n', 'filters': [{'type': 'value', 'key': 'tag:ApplicationGroup', 'value': 'ANDREWSTESTAPPLICATIONGROUP', 'op': 'equal'}, {'type': 'security-group', 'key': 'GroupName', 'value': 'LegacySecurityGroup-Common-Service', 'op': 'equal'}], 'actions': [{'type': 'modify-security-groups', 'add': 'sg-bdca74ce', 'remove': 'matched'}]} is not valid under any of the given schemas
Failed validating 'anyOf' in schema['properties']['policies']['items']:
{'anyOf': [{'$ref': '#/definitions/resources/iam-group/policy'},
{'$ref': '#/definitions/resources/iam-role/policy'},
{'$ref': '#/definitions/resources/iam-user/policy'},
{'$ref': '#/definitions/resources/iam-policy/policy'},
{'$ref': '#/definitions/resources/iam-profile/policy'},
{'$ref': '#/definitions/resources/iam-certificate/policy'},
{'$ref': '#/definitions/resources/account/policy'},
{'$ref': '#/definitions/resources/acm-certificate/policy'},
{'$ref': '#/definitions/resources/ami/policy'},
{'$ref': '#/definitions/resources/rest-api/policy'},
{'$ref': '#/definitions/resources/app-elb/policy'},
{'$ref': '#/definitions/resources/app-elb-target-group/policy'},
{'$ref': '#/definitions/resources/asg/policy'},
{'$ref': '#/definitions/resources/launch-config/policy'},
{'$ref': '#/definitions/resources/lambda/policy'},
{'$ref': '#/definitions/resources/batch-compute/policy'},
{'$ref': '#/definitions/resources/batch-definition/policy'},
{'$ref': '#/definitions/resources/cfn/policy'},
{'$ref': '#/definitions/resources/distribution/policy'},
{'$ref': '#/definitions/resources/streaming-distribution/policy'},
{'$ref': '#/definitions/resources/cloudsearch/policy'},
{'$ref': '#/definitions/resources/cloudtrail/policy'},
{'$ref': '#/definitions/resources/codecommit/policy'},
{'$ref': '#/definitions/resources/codebuild/policy'},
{'$ref': '#/definitions/resources/codepipeline/policy'},
{'$ref': '#/definitions/resources/identity-pool/policy'},
{'$ref': '#/definitions/resources/user-pool/policy'},
{'$ref': '#/definitions/resources/alarm/policy'},
{'$ref': '#/definitions/resources/event-rule/policy'},
{'$ref': '#/definitions/resources/log-group/policy'},
{'$ref': '#/definitions/resources/directory/policy'},
{'$ref': '#/definitions/resources/cloud-directory/policy'},
{'$ref': '#/definitions/resources/directconnect/policy'},
{'$ref': '#/definitions/resources/dynamodb-table/policy'},
{'$ref': '#/definitions/resources/dynamodb-stream/policy'},
{'$ref': '#/definitions/resources/datapipeline/policy'},
{'$ref': '#/definitions/resources/kms/policy'},
{'$ref': '#/definitions/resources/kms-key/policy'},
{'$ref': '#/definitions/resources/ebs-snapshot/policy'},
{'$ref': '#/definitions/resources/ebs/policy'},
{'$ref': '#/definitions/resources/ec2/policy'},
{'$ref': '#/definitions/resources/ecr/policy'},
{'$ref': '#/definitions/resources/ecs/policy'},
{'$ref': '#/definitions/resources/efs/policy'},
{'$ref': '#/definitions/resources/efs-mount-target/policy'},
{'$ref': '#/definitions/resources/cache-cluster/policy'},
{'$ref': '#/definitions/resources/cache-subnet-group/policy'},
{'$ref': '#/definitions/resources/cache-snapshot/policy'},
{'$ref': '#/definitions/resources/elasticbeanstalk/policy'},
{'$ref': '#/definitions/resources/elasticsearch/policy'},
{'$ref': '#/definitions/resources/elb/policy'},
{'$ref': '#/definitions/resources/emr/policy'},
{'$ref': '#/definitions/resources/gamelift-build/policy'},
{'$ref': '#/definitions/resources/gamelift-fleet/policy'},
{'$ref': '#/definitions/resources/glacier/policy'},
{'$ref': '#/definitions/resources/health-event/policy'},
{'$ref': '#/definitions/resources/hsm/policy'},
{'$ref': '#/definitions/resources/hsm-hapg/policy'},
{'$ref': '#/definitions/resources/hsm-client/policy'},
{'$ref': '#/definitions/resources/iot/policy'},
{'$ref': '#/definitions/resources/kinesis/policy'},
{'$ref': '#/definitions/resources/firehose/policy'},
{'$ref': '#/definitions/resources/kinesis-analytics/policy'},
{'$ref': '#/definitions/resources/ml-model/policy'},
{'$ref': '#/definitions/resources/opswork-stack/policy'},
{'$ref': '#/definitions/resources/opswork-cm/policy'},
{'$ref': '#/definitions/resources/rds/policy'},
{'$ref': '#/definitions/resources/rds-subscription/policy'},
{'$ref': '#/definitions/resources/rds-snapshot/policy'},
{'$ref': '#/definitions/resources/rds-subnet-group/policy'},
{'$ref': '#/definitions/resources/rds-param-group/policy'},
{'$ref': '#/definitions/resources/rds-cluster-param-group/policy'},
{'$ref': '#/definitions/resources/rds-cluster/policy'},
{'$ref': '#/definitions/resources/rds-cluster-snapshot/policy'},
{'$ref': '#/definitions/resources/redshift/policy'},
{'$ref': '#/definitions/resources/redshift-subnet-group/policy'},
{'$ref': '#/definitions/resources/redshift-snapshot/policy'},
{'$ref': '#/definitions/resources/hostedzone/policy'},
{'$ref': '#/definitions/resources/healthcheck/policy'},
{'$ref': '#/definitions/resources/rrset/policy'},
{'$ref': '#/definitions/resources/r53domain/policy'},
{'$ref': '#/definitions/resources/s3/policy'},
{'$ref': '#/definitions/resources/step-machine/policy'},
{'$ref': '#/definitions/resources/shield-protection/policy'},
{'$ref': '#/definitions/resources/shield-attack/policy'},
{'$ref': '#/definitions/resources/simpledb/policy'},
{'$ref': '#/definitions/resources/snowball-cluster/policy'},
{'$ref': '#/definitions/resources/snowball/policy'},
{'$ref': '#/definitions/resources/sns/policy'},
{'$ref': '#/definitions/resources/storage-gateway/policy'},
{'$ref': '#/definitions/resources/sqs/policy'},
{'$ref': '#/definitions/resources/support-case/policy'},
{'$ref': '#/definitions/resources/vpc/policy'},
{'$ref': '#/definitions/resources/subnet/policy'},
{'$ref': '#/definitions/resources/security-group/policy'},
{'$ref': '#/definitions/resources/eni/policy'},
{'$ref': '#/definitions/resources/route-table/policy'},
{'$ref': '#/definitions/resources/peering-connection/policy'},
{'$ref': '#/definitions/resources/network-acl/policy'},
{'$ref': '#/definitions/resources/network-addr/policy'},
{'$ref': '#/definitions/resources/customer-gateway/policy'},
{'$ref': '#/definitions/resources/internet-gateway/policy'},
{'$ref': '#/definitions/resources/nat-gateway/policy'},
{'$ref': '#/definitions/resources/vpn-connection/policy'},
{'$ref': '#/definitions/resources/vpn-gateway/policy'},
{'$ref': '#/definitions/resources/vpc-endpoint/policy'},
{'$ref': '#/definitions/resources/key-pair/policy'},
{'$ref': '#/definitions/resources/waf/policy'},
{'$ref': '#/definitions/resources/waf-regional/policy'}]}
On instance['policies'][0]:
{'actions': [{'add': 'sg-bdca74ce',
'remove': 'matched',
'type': 'modify-security-groups'}],
'description': 'Find all EC2 instances that are using '
'soon-to-be-deprecated Gen1 SGs\n',
'filters': [{'key': 'tag:ApplicationGroup',
'op': 'equal',
'type': 'value',
'value': 'ANDREWSTESTAPPLICATIONGROUP'},
{'key': 'GroupName',
'op': 'equal',
'type': 'security-group',
'value': 'LegacySecurityGroup-Common-Service'}],
'name': 'ec2-invalid-sg-report',
'resource': 'ec2'}
2017-09-19 19:57:34,836: custodian.commands:ERROR 'security-group' is not one of ['event']
Failed validating 'enum' in schema[0]['properties']['type']:
{'enum': ['event']}
On instance['type']:
'security-group'
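The first error above is the real one: the action carries both `add` and `remove`, so it satisfies the `{required: [add, remove]}` branch and the `{required: [add]}` branch of the `oneOf`, and `oneOf` demands exactly one match. The later `'security-group' is not one of ['event']` message is the fallback after the validator's own error-reporting code crashed (the `IndexError` traceback). The following script is an added example, not part of the gist or of Cloud Custodian; it re-implements just the `oneOf` branch check and the `^sg-*` value check transcribed from the schema dump above, and shows that the same action passes under `anyOf` semantics.

```python
import re

# Branches and value constraints transcribed from the validator output above.
ONE_OF_BRANCHES = [
    {"required": ["isolation-group", "remove"]},
    {"required": ["add", "remove"]},
    {"required": ["add"]},
]
SG_PATTERN = re.compile(r"^sg-*")  # the schema's (loose) security-group id pattern
REMOVE_KEYWORDS = {"matched", "all"}

# The action from the policy in this gist.
PAGE_ACTION = {"type": "modify-security-groups", "add": "sg-bdca74ce", "remove": "matched"}


def satisfied_branches(action, branches=ONE_OF_BRANCHES):
    """Indices of the branches whose required keys are all present in the action."""
    return [i for i, b in enumerate(branches) if all(k in action for k in b["required"])]


def _sg_ids_ok(value):
    vals = value if isinstance(value, list) else [value]
    return all(isinstance(v, str) and SG_PATTERN.match(v) for v in vals)


def group_values_ok(action):
    """add / isolation-group must be sg ids; remove may be sg ids, 'matched' or 'all'."""
    for key in ("add", "isolation-group"):
        if key in action and not _sg_ids_ok(action[key]):
            return False
    if "remove" in action:
        r = action["remove"]
        if not (r in REMOVE_KEYWORDS if isinstance(r, str) else _sg_ids_ok(r)):
            return False
    return True


def validate(action, combinator="oneOf"):
    """Return (ok, branch_hits). oneOf needs exactly one hit, anyOf at least one."""
    hits = satisfied_branches(action)
    if not group_values_ok(action):
        return False, hits
    ok = len(hits) == 1 if combinator == "oneOf" else len(hits) >= 1
    return ok, hits


if __name__ == "__main__":
    print(validate(PAGE_ACTION))           # (False, [1, 2]): what custodian reported
    print(validate(PAGE_ACTION, "anyOf"))  # (True, [1, 2]): the same action under anyOf
```

Any action that names both `add` and `remove` necessarily also satisfies the `add`-only branch, so this particular `oneOf` can never accept an add-and-remove action; only `add` alone or `isolation-group` plus `remove` get through it.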