@rubendob
Last active September 2, 2020 16:09
CloudCustodian Tagging Simple Policy - How to write a simple policy, execute it and report from the command line
---
policies:
  - name: ec2-tag-policy
    resource: aws.ec2
    filters:
      - or:
          - "tag:Project": absent
          - "tag:Team": absent
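The policy above flags any EC2 instance that is missing either the Project or the Team tag: the two `absent` checks are combined with `or`, and the outer filter list is an implicit `and`. The following is an added example, not code from the gist or from Cloud Custodian itself: a small local evaluator that applies those same semantics to constructed instance records (in the shape boto3's DescribeInstances returns), so the filter logic can be exercised offline before the policy is run against an account. The sample instances, the `matches`/`evaluate`/`summary` helper names and the extra operators (`and`, `not`, `present`, exact value) are assumptions of this example.

```python
"""
Added example (not part of the gist or of Cloud Custodian): a local evaluator
for the tag filter in ec2-tag-policy. It implements only the subset of filter
syntax needed here: `or`, `and`, `not`, `absent`, `present` and exact-value
matches against a tag or a top-level instance attribute.
"""
from typing import Any, Dict, List

# The gist's policy, embedded as a dict so no YAML parser is required.
POLICY = {
    "name": "ec2-tag-policy",
    "resource": "aws.ec2",
    "filters": [
        {"or": [
            {"tag:Project": "absent"},
            {"tag:Team": "absent"},
        ]},
    ],
}

# Constructed sample instances (made-up ids, types and tags); only the fields
# this example reads are present.
INSTANCES = [
    {"InstanceId": "i-0000000000000001", "InstanceType": "t2.xlarge",
     "Tags": [{"Key": "Name", "Value": "web-1"},
              {"Key": "Project", "Value": "shop"},
              {"Key": "Team", "Value": "platform"}]},
    {"InstanceId": "i-0000000000000002", "InstanceType": "t2.xlarge",
     "Tags": [{"Key": "Name", "Value": "web-2"},
              {"Key": "Project", "Value": "shop"}]},          # no Team tag
    {"InstanceId": "i-0000000000000003", "InstanceType": "m5d.4xlarge",
     "Tags": []},                                            # no tags at all
    {"InstanceId": "i-0000000000000004", "InstanceType": "t3.micro",
     "Tags": [{"Key": "Team", "Value": "data"},
              {"Key": "Project", "Value": ""}]},             # empty but present
]


def tags_of(instance: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the AWS Tags list into a {Key: Value} map."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def matches(filter_spec: Dict[str, Any], instance: Dict[str, Any]) -> bool:
    """Return True if `instance` satisfies one filter element."""
    (key, value), = filter_spec.items()
    if key == "or":
        return any(matches(f, instance) for f in value)
    if key == "and":
        return all(matches(f, instance) for f in value)
    if key == "not":  # `not` negates the conjunction of its children
        return not all(matches(f, instance) for f in value)
    # "tag:Foo" resolves against the tag map, anything else against a
    # top-level attribute of the instance record.
    if key.startswith("tag:"):
        actual = tags_of(instance).get(key[len("tag:"):])
    else:
        actual = instance.get(key)
    if value == "absent":
        return actual is None      # key missing; an empty value still counts as present
    if value == "present":
        return actual is not None
    return actual == value


def evaluate(policy: Dict[str, Any], instances: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the policy's filter list (implicit `and`) and return the matches."""
    return [i for i in instances if all(matches(f, i) for f in policy["filters"])]


def summary(policy: Dict[str, Any], instances: List[Dict[str, Any]]) -> str:
    """One-line count in the style of the custodian.resources log line."""
    return f"Filtered from {len(instances)} to {len(evaluate(policy, instances))} ec2"


if __name__ == "__main__":
    for inst in evaluate(POLICY, INSTANCES):
        print(inst["InstanceId"], "missing:",
              [k for k in ("Project", "Team") if k not in tags_of(inst)])
    print(summary(POLICY, INSTANCES))
```

Note that instance 4 is not flagged: its Project tag has an empty value, which `absent` does not catch. If empty tag values should also be treated as non-compliant, the policy needs a value check in addition to the `absent` test. Before running a policy against a real account, `custodian validate tag.yml` checks it against the schema.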

rubendob commented Sep 2, 2020

Let's see how to execute this policy.

docker run -it -e AWS_ACCESS_KEY_ID="XXX" -e AWS_SECRET_ACCESS_KEY="XXX" -e AWS_DEFAULT_REGION="eu-west-1" -v $(pwd)/output:/home/custodian/output -v $(pwd)/tag.yml:/home/custodian/tag.yml  cloudcustodian/c7n run -v -s /home/custodian/output /home/custodian/tag.yml

The output will be something like:

2020-09-02 14:25:42,619: custodian.commands:DEBUG Loaded file /home/custodian/tag.yml. Contains 1 policies
2020-09-02 14:25:42,628: custodian.aws:DEBUG using default region:eu-west-1 from boto
2020-09-02 14:25:43,210: custodian.output:DEBUG Storing output with <LogFile file:///home/custodian/output/ec2-tag-policy/custodian-run.log>
2020-09-02 14:25:43,222: custodian.policy:DEBUG Running policy:ec2-tag-policy resource:aws.ec2 region:eu-west-1 c7n:0.9.4
2020-09-02 14:25:48,936: custodian.resources.ec2:DEBUG Filtered from 259 to 140 ec2
2020-09-02 14:25:48,939: custodian.policy:INFO policy:ec2-tag-policy resource:aws.ec2 region:eu-west-1 count:140 time:5.72
2020-09-02 14:25:48,995: custodian.output:DEBUG metric:ResourceCount Count:140 policy:ec2-tag-policy restype:aws.ec2 scope:policy
2020-09-02 14:25:48,996: custodian.output:DEBUG metric:ApiCalls Count:1 policy:ec2-tag-policy restype:aws.ec2


rubendob commented Sep 2, 2020

One thing we must remember is that the report subcommand only supports one kind of resource, not multiple ones.

docker run -it -e AWS_ACCESS_KEY_ID="XXX" -e AWS_SECRET_ACCESS_KEY="XXX"  -e AWS_DEFAULT_REGION="eu-west-1"    -v $(pwd)/output:/home/custodian/output  -v $(pwd)/tag.yml:/home/custodian/tag.yml    cloudcustodian/c7n report -v  -s /home/custodian/output /home/custodian/tag.yml --format grid

Here we can see there are at least 125 EC2 instances which are non-compliant based on the policy we have already written.

2020-09-02 06:34:39,307: custodian.cache:DEBUG Disabling cache
2020-09-02 06:34:39,307: custodian.commands:DEBUG Loaded file /home/custodian/tag.yml. Contains 1 policies
2020-09-02 06:34:39,315: custodian.aws:DEBUG using default region:eu-west-1 from boto
2020-09-02 06:34:39,922: custodian.reports:DEBUG Found 125 records for region eu-west-1
2020-09-02 06:34:39,923: custodian.reports:DEBUG Uniqued from 125 to 125

The command will return a grid using the --format grid option:

+---------------------+---------------------+----------+----------------+---------------------------+-----------+--------------------+
| CustodianDate       | InstanceId          | tag:Name | InstanceType   | LaunchTime                | VpcId     | PrivateIpAddress   |
+=====================+=====================+==========+================+===========================+===========+====================+
| 2020-09-02 06:24:52 | i-0f9844406bd445144 | cXX-Cxx  | t2.xlarge      | 2019-07-30T08:58:46+00:00 | vpc-XXXXX | 10.0.126.24        |
+---------------------+---------------------+----------+----------------+---------------------------+-----------+--------------------+
| 2020-09-02 06:24:52 | i-093b3167e7480edee | cXX-Cxx  | t2.xlarge      | 2019-09-20T20:24:53+00:00 | vpc-XXXX  | 10.0.123.104       |
+---------------------+---------------------+----------+----------------+---------------------------+-----------+--------------------+
| 2020-09-02 06:24:52 | i-09d1be7ed664c3a52 | cXX-Cxx  | m5d.4xlarge    | 2020-09-02T02:34:39+00:00 |           |                    |
+---------------------+---------------------+----------+----------------+---------------------------+-----------+--------------------+

More examples, this time of unused security groups:

+----------------------+---------------------------------------------------------------------------------+
| sg-5ed0843a          | jenkins                                                                         |
+----------------------+---------------------------------------------------------------------------------+
| sg-6c12b40b          | SecurityGroup-beta-HotTopicSecurityGroup-15IO0TW95X32Y                          |
+----------------------+---------------------------------------------------------------------------------+
| sg-c489a8a0          | SecurityGroup-prod-SolrSlaveELBSecurityGroup-MX76R697283I                       |
+----------------------+---------------------------------------------------------------------------------+
| sg-cbbff8ac          | Solr-UploadSuggester-beta-SolrUploadSuggesterSlaveELBSecurityGroup-YE1IBQV8Z4I5 |
+----------------------+---------------------------------------------------------------------------------+
| sg-d789a8b3          | SecurityGroup-prod-ChatDBSecurityGroup-VSGO10T7K3C2                             |
+----------------------+---------------------------------------------------------------------------------+
| sg-e989a88d          | SecurityGroup-prod-HotTopicSecurityGroup-19B90HBP1PWJK                          |
+----------------------+---------------------------------------------------------------------------------+