```python
from common import BaseTest


class UnitTest(BaseTest):

    def test_ingress_remove(self):
        # replay a recorded session
        factory = self.replay_flight_data(
        # record a new session
        #factory = self.record_flight_data(
```
foo.yml

```yaml
policies:
  - name: ec2-resizer
    resource: ec2
    filters:
      - type: value
        key: InstanceType
        op: in
        value:
          - m4.10xlarge
          - m4.4xlarge
```
lambda-data.yml

```yaml
policies:
  - name: all-lambdas
    resource: lambda
  - name: custodian-lambdas
    resource: lambda
    filters:
      - type: value
        key: FunctionName
        value: "^custodian*"
```
foo.yml

```yaml
policies:
  - name: aws-cloudtrail-not-enabled
    resource: account
    region: us-east-1
    tags:
      - level:high
    description: |
      Policy scans for accounts which do not have CloudTrails enabled in the current region
    filters:
      - type: check-cloudtrail
```

Three Python diff libraries were evaluated for comparing resource revisions:

  • jsonpatch
  • dictdiffer
  • DeepDiff

Additionally, rolling our own, tailored to Custodian's needs, was considered.


gist:a4b0e8ff8ae1342e00568311e0bbca13

```
(custodian)60f81dc15d88:custodian ylv522$ custodian run -c rule.yml -s out -v
2016-10-07 07:43:04,779: custodian.output:DEBUG Storing output with <DirectoryOutput to dir:out/sg-check>
2016-10-07 07:43:04,779: custodian.policy:INFO Provisioning policy lambda sg-check
2016-10-07 07:43:04,886: custodian.lambda:DEBUG Created custodian lambda archive size: 0.51mb
2016-10-07 07:43:05,210: custodian.lambda:INFO Publishing custodian policy lambda function custodian-sg-check
2016-10-07 07:43:09,103: custodian.lambda:DEBUG Publishing custodian lambda alias current
2016-10-07 07:43:09,823: custodian.lambda:DEBUG Adding config rule for custodian-sg-check
2016-10-07 07:43:10,253: custodian.lambda:DEBUG Added event source: <ConfigRule> to function: arn:aws:lambda:us-east-1:644160558196:function:custodian-sg-check:current
(custodian)60f81dc15d88:custodian ylv522$ cat rule.yml
```
View cidr_refactor.diff
diff --git a/c7n/resources/ b/c7n/resources/
index bfc3793..4139f42 100644
--- a/c7n/resources/
+++ b/c7n/resources/
@@ -12,6 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
from botocore.exceptions import ClientError
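Review bot: the only visible change in this hunk is the new `from botocore.exceptions import ClientError` import; wherever the CIDR refactor catches it, match on `e.response['Error']['Code']` for the specific error you expect rather than catching every ClientError, so throttling and access-denied responses surface instead of being swallowed as "no match". The file path in the header is cut off here, so the rest of the hunk cannot be checked from this fragment.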
network-eni.yml

```yaml
policies:
  - resource: eni
    name: all-nics
  - resource: eni
    description: Amazon ELB
    name: elb-nics
    filters:
      - RequesterManaged: true
```

Docker Volumes

Examining open-source Docker volume plugins for AWS EBS support.

Key requirements in this case are simplicity, support for AWS EBS volumes with KMS encryption and snapshots, and use of instance roles for credentials.

Aka secure, encrypted, and with backups.

Ideally with some notion of zone awareness, and of distinguishing that when a container moves.

View gist:c386867f209ac1b55d33b8817c9b3f91
(custodian)60f81dc15d88:c7n ylv522$ git diff
diff --git a/c7n/ b/c7n/
index a24e1d6..e83fa32 100644
--- a/c7n/
+++ b/c7n/
@@ -289,11 +289,15 @@ class Tag(Action, ResourceTag):
batch_size ='batch_size', self.batch_size)
+ id_key = self.manager.get_model().id
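Review bot: `id_key = self.manager.get_model().id` is the right way to stop a shared `Tag` action from hard-coding one resource type's id field, but the hunk header promises four added lines and only this one is visible; make sure the batch loop that follows reads each resource's id via `r[id_key]` for every resource type this action is registered on, since a model whose `id` does not match the key in the describe output would tag nothing without raising. The context line `batch_size ='batch_size', self.batch_size)` also reads as truncated in this fragment, so the surrounding logic could not be checked.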