Run a Cloud Custodian policy file from a Python script. Most useful perhaps to be able to run Cloud Custodian from AWS Lambda.

c7n_run.py

import os
import logging
from c7n.commands import run
from c7n.config import Config

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Capture our current directory
THIS_DIR = os.path.dirname(os.path.abspath(__file__))
OUT_DIR = '/tmp'

assumed_role = 'arn:aws:iam::{{ account_id }}:{{ target_role }}'
filename = 'my-policy.yml'

default_c7n_config = {
    'skip-validation': True,
    'vars': None,
    'debug': True,
    'assume': assumed_role,
    'output_dir': os.path.join(OUT_DIR, 'out'),
    'region': 'us-east-1',
    'configs': [filename]
}
run_config = Config.empty(**default_c7n_config)

logger.info('Running policy: ' + filename)
run(run_config)

Hello there,

It's really great, your script have helped me out a lot.

I have made few modifications to the same code so that it can be ran using c7n_org module where we can run it onto multiple accounts and regions accordingly.

Can you please correct my modifications so that it would be executable on c7n_org as well.

Error Msg I am getting is :
Error: Missing option '-c' / '--config'.

Thank You !

Regards

Pavan

hello, i tested your script and i had the same problem, did you find a solution please? Thanks

Hello,

try switching the dict parameters to a list with a sequential one. Ex:

`
import c7n_org.cli

commands_ex = [
"--config", "cloudcustodian/c7n-org-config/accounts.yml",
"--use", "cloudcustodian/aws/policies/s3-check-buckets-public",
"--output-dir", "output",
"--region", "sa-east-1"
]

test = c7n_org.cli

if name == "main":
ab = test.run.main(args=commands_ex, standalone_mode=True, prog_name="run")

`