c7n.filters package

Submodules

c7n.filters.core module

Resource Filtering Logic

class c7n.filters.core.AgeFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Automatically filter resources older than a given date.

date_attribute = None
get_resource_date(i)[source]
schema = None
threshold_date = None
validate()[source]
class c7n.filters.core.And(data, registry, manager)[source]

Bases: c7n.filters.core.Filter

process(resources, events=None)[source]
type = u'and'
class c7n.filters.core.AnnotationSweeper(id_key, resources)[source]

Bases: object

Support clearing annotations set within a block filter.

See https://github.com/capitalone/cloud-custodian/issues/2116

sweep(resources)[source]
class c7n.filters.core.EventFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

Filter against a cloudwatch event associated to a resource type.

process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'event']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'event'
validate()[source]
class c7n.filters.core.Filter(data, manager=None)[source]

Bases: object

executor_factory

alias of concurrent.futures.thread.ThreadPoolExecutor

get_permissions()[source]
log = <logging.Logger object>
metrics = ()
permissions = ()
process(resources, event=None)[source]

Bulk process resources and return filtered set.

schema = {u'type': u'object'}
validate()[source]

validate filter config, return validation error or self

class c7n.filters.core.FilterRegistry(*args, **kw)[source]

Bases: c7n.registry.PluginRegistry

factory(data, manager=None)[source]

Factory func for filters.

data - policy config for filters manager - resource type manager (ec2, s3, etc)

parse(data, manager)[source]
exception c7n.filters.core.FilterValidationError[source]

Bases: exceptions.Exception

class c7n.filters.core.Not(data, registry, manager)[source]

Bases: c7n.filters.core.Filter

process(resources, event=None)[source]
process_set(resources, event)[source]
type = u'not'
class c7n.filters.core.Or(data, registry, manager)[source]

Bases: c7n.filters.core.Filter

process(resources, event=None)[source]
process_set(resources, event)[source]
type = u'or'
class c7n.filters.core.ValueFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Generic value filter using jmespath

annotate = True
expr = None
get_resource_value(k, i)[source]
match(i)[source]
op = None
process(resources, event=None)[source]
process_value_type(sentinel, value, resource)[source]
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'value']}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
type = u'value'
v = None
validate()[source]
vtype = None
c7n.filters.core.difference(x, y)[source]
c7n.filters.core.glob_match(value, pattern)[source]
c7n.filters.core.intersect(x, y)[source]
c7n.filters.core.operator_in(x, y)[source]
c7n.filters.core.operator_ni(x, y)[source]
c7n.filters.core.regex_match(value, regex)[source]

c7n.filters.health module

class c7n.filters.health.HealthEventFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Check if there are health events related to the resources

Health events are stored as annotation on a resource.

get_filter_parameters()[source]
permissions = (u'health:DescribeEvents', u'health:DescribeAffectedEntities', u'health:DescribeEventDetails')
process(resources, event=None)[source]
process_event(health_events)[source]
schema = {u'additionalProperties': False, u'properties': {'statuses': {u'type': u'array', u'items': {u'type': u'string', u'enum': [u'open', u'upcoming', u'closed']}}, u'type': {u'enum': [u'health-event']}, 'types': {u'type': u'array', u'items': {u'type': u'string'}}}, u'required': [u'type'], u'type': u'object'}

c7n.filters.iamaccess module

IAM Resource Policy Checker

When securing resources with iam policies, we want to parse and evaluate the resource’s policy for any cross account or public access grants that are not intended.

In general, iam policies can be complex, and where possible using iam simulate is preferrable, but requires passing the caller’s arn, which is not feasible when we’re evaluating who the valid set of callers are.

References

class c7n.filters.iamaccess.CrossAccountAccessFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Check a resource’s embedded iam policy for cross account access.

annotation_key = u'CrossAccountViolations'
checker_factory

alias of PolicyChecker

get_accounts()[source]
get_resource_policy(r)[source]
get_vpces()[source]
get_vpcs()[source]
policy_attribute = u'Policy'
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {'whitelist': {u'type': u'array', u'items': {u'type': u'string'}}, 'whitelist_vpc': {u'type': u'array', u'items': {u'type': u'string'}}, u'type': {u'enum': [u'cross-account']}, 'actions': {u'type': u'array', u'items': {u'type': u'string'}}, 'whitelist_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, 'whitelist_conditions': {u'type': u'array', u'items': {u'type': u'string'}}, 'whitelist_vpce': {u'type': u'array', u'items': {u'type': u'string'}}, 'whitelist_vpc_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, 'whitelist_vpce_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, 'everyone_only': {u'type': u'boolean'}}, u'required': [u'type'], u'type': u'object'}
class c7n.filters.iamaccess.PolicyChecker(checker_config)[source]

Bases: object

checker_config:
  • check_actions: only check one of the specified actions
  • everyone_only: only check for wildcard permission grants
  • allowed_accounts: permission grants to these accounts are okay
  • whitelist_conditions: a list of conditions that are considered
    sufficient enough to whitelist the statement.
allowed_accounts
allowed_vpc
allowed_vpce
check(policy_text)[source]
check_actions
everyone_only
handle_action(s)[source]
handle_aws_sourcearn(s, c)[source]
handle_aws_sourceip(s, c)[source]
handle_aws_sourceowner(s, c)[source]
handle_aws_sourcevpc(s, c)[source]
handle_aws_sourcevpce(s, c)[source]
handle_condition(s, c)[source]
handle_conditions(s)[source]
handle_effect(s)[source]
handle_kms_calleraccount(s, c)[source]
handle_principal(s)[source]
handle_statement(s)[source]
normalize_conditions(s)[source]
whitelist_conditions

c7n.filters.locked module

Filters for api integration with tools/c7n_sphere11

class c7n.filters.locked.Locked(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Has the resource been locked using sphere11

get_api_credentials()[source]
get_lock_status(resource)[source]
get_parent_id(resource, account_id)[source]
permissions = ('sts:AssumeRole',)
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': ['locked']}, 'region': {'type': 'string'}, 'role': {'type': 'string'}, 'endpoint': {'type': 'string'}}, u'required': ('endpoint',), u'type': u'object'}
class c7n.filters.locked.SignatureAuth(credentials, region, service)[source]

Bases: botocore.vendored.requests.auth.AuthBase

AWS V4 Request Signer for Requests.

c7n.filters.metrics module

CloudWatch Metrics suppport for resources

class c7n.filters.metrics.MetricsFilter(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Supports cloud watch metrics filters on resources.

All resources that have cloud watch metrics are supported.

Docs on cloud watch metrics

- name: ec2-underutilized
  resource: ec2
  filters:
    - type: metrics
      name: CPUUtilization
      days: 4
      period: 86400
      value: 30
      op: less-than

Note periods when a resource is not sending metrics are not part of calculated statistics as in the case of a stopped ec2 instance, nor for resources to new to have existed the entire period. ie. being stopped for an ec2 intsance wouldn’t lower the average cpu utilization, nor would

DEFAULT_NAMESPACE = {u'cloudfront': u'AWS/CloudFront', u'cloudsearch': u'AWS/CloudSearch', u'dynamodb': u'AWS/DynamoDB', u'ec2': u'AWS/EC2', u'ecs': u'AWS/ECS', u'elasticache': u'AWS/ElastiCache', u'elb': u'AWS/ELB', u'elbv2': u'AWS/ApplicationELB', u'emr': u'AWS/EMR', u'es': u'AWS/ES', u'events': u'AWS/Events', u'firehose': u'AWS/Firehose', u'kinesis': u'AWS/Kinesis', u'lambda': u'AWS/Lambda', u'logs': u'AWS/Logs', u'rds': u'AWS/RDS', u'redshift': u'AWS/Redshift', u'route53': u'AWS/Route53', u's3': u'AWS/S3', u'sns': u'AWS/SNS', u'sqs': u'AWS/SQS'}
MAX_QUERY_POINTS = 50850
MAX_RESULT_POINTS = 1440
get_dimensions(resource)[source]
permissions = (u'cloudwatch:GetMetricStatistics',)
process(resources, event=None)[source]
process_resource_set(resource_set)[source]
schema = {u'additionalProperties': False, u'properties': {u'dimensions': {u'type': u'array', u'items': {u'type': u'string'}}, u'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, u'attr-multiplier': {u'type': u'number'}, u'days': {u'type': u'number'}, u'namespace': {u'type': u'string'}, u'period': {u'type': u'number'}, u'percent-attr': {u'type': u'string'}, u'type': {u'enum': [u'metrics']}, u'name': {u'type': u'string'}, u'value': {u'type': u'number'}, u'statistics': {u'type': u'string', u'enum': [u'Average', u'Sum', u'Maximum', u'Minimum', u'SampleCount']}}, u'required': (u'value', u'name'), u'type': u'object'}
class c7n.filters.metrics.ShieldMetrics(data, manager=None)[source]

Bases: c7n.filters.metrics.MetricsFilter

Specialized metrics filter for shield

attack_vectors = (u'ACKFlood', u'ChargenReflection', u'DNSReflection', u'GenericUDPReflection', u'MSSQLReflection', u'NetBIOSReflection', u'NTPReflection', u'PortMapper', u'RequestFlood', u'RIPReflection', u'SNMPReflection', u'SYNFlood', u'SSDPReflection', u'UDPTraffic', u'UDPFragment')
get_dimensions(resource)[source]
metrics = (u'DDoSAttackBitsPerSecond', u'DDoSAttackRequestsPerSecond', u'DDoSDetected')
namespace = u'AWS/DDoSProtection'
process(resources, event=None)[source]
schema = {u'additionalProperties': False, u'properties': {u'dimensions': {u'type': u'array', u'items': {u'type': u'string'}}, u'op': {u'type': u'string', u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}, u'attr-multiplier': {u'type': u'number'}, u'days': {u'type': u'number'}, u'namespace': {u'type': u'string'}, u'name': {u'type': u'string'}, u'percent-attr': {u'type': u'string'}, u'type': {u'enum': [u'shield-metrics']}, u'period': {u'type': u'number'}, u'value': {u'type': u'number'}, u'statistics': {u'type': u'string', u'enum': [u'Average', u'Sum', u'Maximum', u'Minimum', u'SampleCount']}}, u'required': [u'type'], u'type': u'object'}
validate()[source]

c7n.filters.offhours module

Resource Scheduling Offhours

Custodian provides for time based filters, that allow for taking periodic action on a resource, with resource schedule customization based on tag values. A common use is offhours scheduling for asgs and instances.

Features

  • Flexible offhours scheduling with opt-in, opt-out selection, and timezone support.
  • Resume during offhours support.
  • Can be combined with other filters to get a particular set ( resources with tag, vpc, etc).
  • Can be combined with arbitrary actions
  • Can omit a set of dates such as public holidays.

Policy Configuration

We provide an onhour and offhour time filter, each should be used in a different policy, they support the same configuration options:

  • weekends: default true, whether to leave resources off for the weekend
  • weekend-only: default false, whether to turn the resource off only on the weekend
  • default_tz: which timezone to utilize when evaluating time (REQUIRED)
  • tag: which resource tag name to use for per-resource configuration (schedule and timezone overrides and opt-in/opt-out); default is maid_offhours.
  • opt-out: Determines the behavior for resources which do not have a tag matching the one specified for tag. Values can be either false (the default) where the policy operates on an opt-in basis and resources must have the tag in order to be acted on by the policy, or true where the policy operates on an opt-out basis, and resources without the tag are acted on by the policy.
  • onhour: the default time to start/run resources, specified as 0-23
  • offhour: the default time to stop/suspend resources, specified as 0-23
  • skip-days: a list of dates to skip. Dates must use format YYYY-MM-DD
  • skip-days-from: a list of dates to skip stored at a url. expr, format, and url must be passed as parameters. Same syntax as value_from. Can not specify both skip-days-from and skip-days.

This example policy overrides most of the defaults for an offhour policy:

policies:
  - name: offhours-stop
    resource: ec2
    filters:
      - type: offhour
        weekends: false
        default_tz: pt
        tag: downtime
        opt-out: true
        onhour: 8
        offhour: 20

Tag Based Configuration

Resources can use a special tag to override the default configuration on a per-resource basis. Note that the name of the tag is configurable via the tag option in the policy; the examples below use the default tag name, maid_offhours.

The value of the tag must be one of the following:

  • (empty) or on - An empty tag value or a value of “on” implies night and weekend offhours using the default time zone configured in the policy (tz=est if unspecified) and the default onhour and offhour values configured in the policy.
  • off - If offhours is configured to run in opt-out mode, this tag can be specified to disable offhours on a given instance. If offhours is configured to run in opt-in mode, this tag will have no effect (the resource will still be opted out).
  • a semicolon-separated string composed of one or more of the following components, which override the defaults specified in the policy:
    • tz=<timezone> to evaluate with a resource-specific timezone, where <timezone> is either one of the supported timezone aliases defined in c7n.filters.offhours.Time.TZ_ALIASES (such as pt) or the name of a geographic timezone identifier in [IANA’s tzinfo database](https://www.iana.org/time-zones), such as Americas/Los_Angeles. (Note all timezone aliases are referenced to a locality to ensure taking into account local daylight savings time, if applicable.)
    • off=(time spec) and/or on=(time spec) matching time specifications supported by c7n.filters.offhours.ScheduleParser as described in the next section.

ScheduleParser Time Specifications

Each time specification follows the format (days,hours). Multiple time specifications can be combined in square-bracketed lists, i.e. [(days,hours),(days,hours),(days,hours)].

Examples:

# up mon-fri from 7am-7pm; eastern time
off=(M-F,19);on=(M-F,7)
# up mon-fri from 6am-9pm; up sun from 10am-6pm; pacific time
off=[(M-F,21),(U,18)];on=[(M-F,6),(U,10)];tz=pt

Possible values:

field values
days M, T, W, H, F, S, U
hours 0, 1, 2, …, 22, 23

Days can be specified in a range (ex. M-F).

Policy examples

Turn ec2 instances on and off

policies:
  - name: offhours-stop
    resource: ec2
    filters:
       - type: offhour
    actions:
      - stop

  - name: offhours-start
    resource: ec2
    filters:
      - type: onhour
    actions:
      - start

Here’s doing the same with auto scale groups

policies:
  - name: asg-offhours-stop
    resource: asg
    filters:
       - offhour
    actions:
       - suspend
  - name: asg-onhours-start
    resource: asg
    filters:
       - onhour
    actions:
       - resume

Additional policy examples and resource-type-specific information can be seen in the EC2 Offhours and ASG Offhours use cases.

Resume During Offhours

These policies are evaluated hourly; during each run (once an hour), cloud-custodian will act on only the resources tagged for that exact hour. In other words, if a resource has an offhours policy of stopping/suspending at 23:00 Eastern daily and starting/resuming at 06:00 Eastern daily, and you run cloud-custodian once an hour via Lambda, that resource will only be stopped once a day sometime between 23:00 and 23:59, and will only be started once a day sometime between 06:00 and 06:59. If the current hour does not exactly match the hour specified in the policy, nothing will be done at all.

As a result of this, if custodian stops an instance or suspends an ASG and you need to start/resume it, you can safely do so manually and custodian won’t touch it again until the next day.

ElasticBeanstalk, EFS and Other Services with Tag Value Restrictions

A number of AWS services have restrictions on the characters that can be used in tag values, such as ElasticBeanstalk and EFS. In particular, these services do not allow parenthesis, square brackets, commas, or semicolons, or empty tag values. This proves to be problematic with the tag-based schedule configuration described above. The best current workaround is to define a separate policy with a unique tag name for each unique schedule that you want to use, and then tag resources with that tag name and a value of on. Note that this can only be used in opt-in mode, not opt-out.

Public Holidays

In order to properly implement support for public holidays, make sure to include either skip-days or skip-days-from with your policy. This list should contain all of the public holidays you wish to address and must use YYYY-MM-DD syntax for its dates. If the date the policy is being run on matches any one of those dates, the policy will not return any resources. These dates include year as many holidays vary from year to year so year is required to prevent errors. A sample policy that would not start stopped instances on a public holiday might look like:

policies:
    - name: onhour-morning-start-skip-holidays
      resource: ec2
      filters:
        - type: onhour
          tag: custodian_downtime
          default_tz: et
          onhour: 6
          skip-days: ['2017-12-25']
      actions:
        - start
class c7n.filters.offhours.OffHour(data, manager=None)[source]

Bases: c7n.filters.offhours.Time

DEFAULT_HR = 19
get_default_schedule()[source]
schema = {u'additionalProperties': False, u'properties': {u'weekends': {u'type': u'boolean'}, u'skip-days-from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'skip-days': {u'type': u'array', u'items': {u'type': u'string', u'pattern': u'^[0-9]{4}-[0-9]{2}-[0-9]{2}'}}, u'tag': {u'type': u'string'}, u'type': {u'enum': [u'offhour']}, 'offhour': {u'type': u'integer', u'maximum': 23, u'minimum': 0}, u'weekends-only': {u'type': u'boolean'}, u'default_tz': {u'type': u'string'}, u'opt-out': {u'type': u'boolean'}}, u'required': [u'offhour', u'default_tz', u'type'], u'type': u'object'}
time_type = u'off'
class c7n.filters.offhours.OnHour(data, manager=None)[source]

Bases: c7n.filters.offhours.Time

DEFAULT_HR = 7
get_default_schedule()[source]
schema = {u'additionalProperties': False, u'properties': {u'weekends': {u'type': u'boolean'}, 'onhour': {u'type': u'integer', u'maximum': 23, u'minimum': 0}, u'skip-days-from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'skip-days': {u'type': u'array', u'items': {u'type': u'string', u'pattern': u'^[0-9]{4}-[0-9]{2}-[0-9]{2}'}}, u'tag': {u'type': u'string'}, u'type': {u'enum': [u'onhour']}, u'weekends-only': {u'type': u'boolean'}, u'default_tz': {u'type': u'string'}, u'opt-out': {u'type': u'boolean'}}, u'required': [u'onhour', u'default_tz', u'type'], u'type': u'object'}
time_type = u'on'
class c7n.filters.offhours.ScheduleParser(default_schedule)[source]

Bases: object

Parses tag values for custom on/off hours schedules.

At the minimum the on and off values are required. Each of these must be seperated by a ; in the format described below.

Schedule format:

# up mon-fri from 7am-7pm; eastern time
off=(M-F,19);on=(M-F,7)
# up mon-fri from 6am-9pm; up sun from 10am-6pm; pacific time
off=[(M-F,21),(U,18)];on=[(M-F,6),(U,10)];tz=pt

Possible values:

field values
days M, T, W, H, F, S, U
hours 0, 1, 2, …, 22, 23

Days can be specified in a range (ex. M-F).

If the timezone is not supplied, it is assumed ET (eastern time), but this default can be configurable.

Parser output:

The schedule parser will return a dict or None (if the schedule is invalid):

# off=[(M-F,21),(U,18)];on=[(M-F,6),(U,10)];tz=pt
{
  off: [
    { days: "M-F", hour: 21 },
    { days: "U", hour: 18 }
  ],
  on: [
    { days: "M-F", hour: 6 },
    { days: "U", hour: 10 }
  ],
  tz: "pt"
}
DAY_MAP = {u'f': 4, u'h': 3, u'm': 0, u's': 5, u't': 1, u'u': 6, u'w': 2}
VALID_HOURS = (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
expand_day_range(days)[source]
static has_resource_schedule(tag_value, time_type)[source]
keys_are_valid(tag_value)[source]

test that provided tag keys are valid

parse(tag_value)[source]
parse_resource_schedule(lexeme)[source]
static raw_data(tag_value)[source]

convert the tag to a dictionary, taking values as is

This method name and purpose are opaque… and not true.

class c7n.filters.offhours.Time(data, manager=None)[source]

Bases: c7n.filters.core.Filter

DEFAULT_TAG = u'maid_offhours'
DEFAULT_TZ = u'et'
TZ_ALIASES = {u'aet': u'Australia/Sydney', u'ast': u'America/Phoenix', u'at': u'America/Phoenix', u'brt': u'America/Sao_Paulo', u'bst': u'Europe/London', u'cdt': u'America/Chicago', u'cet': u'Europe/Berlin', u'cst': u'America/Chicago', u'ct': u'America/Chicago', u'edt': u'America/New_York', u'est': u'America/New_York', u'et': u'America/New_York', u'gmt': u'Etc/GMT', u'gt': u'Etc/GMT', u'ist': u'Europe/Dublin', u'it': u'Asia/Kolkata', u'jst': u'Asia/Tokyo', u'kst': u'Asia/Seoul', u'mdt': u'America/Denver', u'mst': u'America/Denver', u'mt': u'America/Denver', u'pdt': u'America/Los_Angeles', u'pst': u'America/Los_Angeles', u'pt': u'America/Los_Angeles', u'sgt': u'Asia/Singapore', u'utc': u'Etc/UTC'}
get_default_schedule()[source]
get_tag_value(i)[source]

Get the resource’s tag value specifying its schedule.

classmethod get_tz(tz)[source]
match(now, schedule)[source]
process(resources, event=None)[source]
process_resource_schedule(i, value, time_type)[source]

Does the resource tag schedule and policy match the current time.

schema = {u'properties': {u'weekends': {u'type': u'boolean'}, u'skip-days-from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'skip-days': {u'type': u'array', u'items': {u'type': u'string', u'pattern': u'^[0-9]{4}-[0-9]{2}-[0-9]{2}'}}, u'opt-out': {u'type': u'boolean'}, u'weekends-only': {u'type': u'boolean'}, u'default_tz': {u'type': u'string'}, u'tag': {u'type': u'string'}}, u'type': u'object'}
time_type = None
validate()[source]
c7n.filters.offhours.brackets_removed(u)[source]
c7n.filters.offhours.parens_removed(u)[source]

c7n.filters.related module

class c7n.filters.related.RelatedResourceFilter(data, manager=None)[source]

Bases: c7n.filters.core.ValueFilter

AnnotationKey = None
FetchThreshold = 10
RelatedIdsExpression = None
RelatedResource = None
get_permissions()[source]
get_resource_manager()[source]
process(resources, event=None)[source]
process_resource(resource, related)[source]
validate()[source]

c7n.filters.revisions module

Custodian support for diffing and patching across multiple versions of a resource.

class c7n.filters.revisions.Diff(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

diff(source, target)[source]
get_revisions(config, resource)[source]
get_selector_params(resource)[source]
mode = None
parser = None
permissions = (u'config:GetResourceConfigHistory',)
process(resources, event=None)[source]
resource_shape = None
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'diff']}, 'selector': {u'enum': [u'previous', u'date', u'locked']}, 'selector_value': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}
select_revision(revisions)[source]
selector_value = None
transform_revision(revision)[source]

make config revision look like describe output.

validate()[source]
class c7n.filters.revisions.JsonDiff(data, manager=None)[source]

Bases: c7n.filters.revisions.Diff

diff(source, target)[source]
classmethod register_resources(klass, registry, resource_class)[source]

meta model subscriber on resource registration.

We watch for new resource types being registered and if they support aws config, automatically register the jsondiff filter.

sanitize_revision(rev)[source]
schema = {u'additionalProperties': False, u'properties': {u'type': {u'enum': [u'json-diff']}, 'selector': {u'enum': [u'previous', u'date', u'locked']}, 'selector_value': {u'type': u'string'}}, u'required': [u'type'], u'type': u'object'}

c7n.filters.vpc module

class c7n.filters.vpc.DefaultVpcBase(data, manager=None)[source]

Bases: c7n.filters.core.Filter

Filter to resources in a default vpc.

default_vpc = None
match(vpc_id)[source]
permissions = (u'ec2:DescribeVpcs',)
vpcs = None
class c7n.filters.vpc.NetworkLocation(data, manager=None)[source]

Bases: c7n.filters.core.Filter

On a network attached resource, determine intersection of security-group attributes, subnet attributes, and resource attributes.

The use case is a bit specialized, for most use cases using subnet and security-group filters suffice. but say for example you wanted to verify that an ec2 instance was only using subnets and security groups with a given tag value, and that tag was not present on the resource.

filter_ignored(resources)[source]
permissions = (u'ec2:DescribeSecurityGroups', u'ec2:DescribeSubnets')
process(resources, event=None)[source]
process_resource(r, resource_sgs, resource_subnets, key)[source]
schema = {u'additionalProperties': False, u'properties': {u'key': {u'type': u'string', u'description': u'The attribute expression that should be matched on'}, u'max-cardinality': {u'title': u'', u'type': u'integer', u'default': 1}, u'type': {u'enum': [u'network-location']}, u'match': {u'type': u'string', u'enum': [u'equal', u'not-equal'], u'default': u'non-equal'}, u'compare': {u'type': u'array', u'items': {u'enum': [u'resource', u'subnet', u'security-group']}, u'default': [u'resource', u'subnet', u'security-group'], u'description': u'Which elements of network location should be considered when matching.'}, u'ignore': {u'type': u'array', u'items': {u'type': u'object'}}, u'missing-ok': {u'type': u'boolean', u'default': False, u'description': u'How to handle missing keys on elements, by default this causesresources to be considered not-equal'}}, u'required': [u'key', u'type'], u'type': u'object'}
validate()[source]
class c7n.filters.vpc.SecurityGroupFilter(data, manager=None)[source]

Bases: c7n.filters.related.RelatedResourceFilter

Filter a resource by its associated security groups.

AnnotationKey = u'matched-security-groups'
RelatedResource = u'c7n.resources.vpc.SecurityGroup'
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'match-resource': {u'type': u'boolean'}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'security-group']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'operator': {u'enum': [u'and', u'or']}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}
class c7n.filters.vpc.SubnetFilter(data, manager=None)[source]

Bases: c7n.filters.related.RelatedResourceFilter

Filter a resource by its associated subnets.

AnnotationKey = u'matched-subnets'
RelatedResource = u'c7n.resources.vpc.Subnet'
schema = {u'additionalProperties': False, u'properties': {u'default': {u'type': u'object'}, u'value_type': {u'enum': [u'age', u'integer', u'expiration', u'normalize', u'size', u'cidr', u'cidr_size', u'swap', u'resource_count', u'expr', u'unique_size']}, u'match-resource': {u'type': u'boolean'}, u'key': {u'type': u'string'}, u'type': {u'enum': [u'subnet']}, u'value_from': {u'required': [u'url'], u'type': u'object', u'additionalProperties': u'False', u'properties': {u'url': {u'type': u'string'}, u'expr': {u'oneOf': [{u'type': u'integer'}, {u'type': u'string'}]}, u'format': {u'enum': [u'csv', u'json', u'txt', u'csv2dict']}}}, u'value': {u'oneOf': [{u'type': u'array'}, {u'type': u'string'}, {u'type': u'boolean'}, {u'type': u'number'}, {u'type': u'null'}]}, u'operator': {u'enum': [u'and', u'or']}, u'op': {u'enum': [u'regex', u'glob', u'not-in', u'equal', u'gt', u'less-than', u'not-equal', u'lte', u'contains', u'in', u'intersect', u'ne', u'greater-than', u'eq', u'difference', u'ge', u'gte', u'lt', u'le', u'ni']}}, u'required': [u'type'], u'type': u'object'}

Module contents