c7n.policy module

class c7n.policy.ASGInstanceState(policy)
    Bases: c7n.policy.LambdaMode

    A lambda policy that executes on an ASG's EC2 instance state changes.

    schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'events': {'items': {'enum': ['launch-success', 'launch-failure', 'terminate-success', 'terminate-failure']}, 'type': 'array'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['asg-instance-state']}}, 'required': ['type'], 'type': 'object'}

    type = 'asg-instance-state'

    type_aliases = None

class c7n.policy.CloudTrailMode(policy)
    Bases: c7n.policy.LambdaMode

    A lambda policy using CloudWatch Events rules on CloudTrail API logs.

    schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'events': {'items': {'oneOf': [{'type': 'string'}, {'type': 'object', 'required': ['event', 'source', 'ids'], 'properties': {'source': {'type': 'string'}, 'ids': {'type': 'string'}, 'event': {'type': 'string'}}}]}, 'type': 'array'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['cloudtrail']}}, 'required': ['type'], 'type': 'object'}

    type = 'cloudtrail'

    type_aliases = None

class c7n.policy.ConfigRuleMode(policy)
    Bases: c7n.policy.LambdaMode

    A lambda policy that executes as a Config service rule.
    http://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigRule.html

    cfg_event = None

    run(event, lambda_context)
        Run policy in push mode against the given event.
        Lambda automatically generates CloudWatch logs and metrics for us, albeit with some deficiencies: its metrics count executions rather than valid resource matches.
        If the metrics execution option is enabled, custodian will generate metrics as normal.

    schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['config-rule']}}, 'required': ['type'], 'type': 'object'}

    type = 'config-rule'

    type_aliases = None

class c7n.policy.EC2InstanceState(policy)
    Bases: c7n.policy.LambdaMode

    A lambda policy that executes on EC2 instance state changes.
    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html

    schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'events': {'items': {'enum': ['pending', 'running', 'shutting-down', 'stopped', 'stopping', 'terminated']}, 'type': 'array'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['ec2-instance-state']}}, 'required': ['type'], 'type': 'object'}

    type = 'ec2-instance-state'

    type_aliases = None

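Every mode schema on this page sets additionalProperties to False and pins enums for type, events and runtime, so a misspelled key or event name is rejected at validation time rather than silently ignored once the lambda is deployed. The following is an added example, not Cloud Custodian's own validator: a checker for the JSON-schema subset these mode schemas use, run against a constructed, trimmed copy of the ec2-instance-state schema and two constructed mode blocks (one valid, one with a misspelled event, a misspelled key and an unsupported runtime).

```python
TYPES = {"object": dict, "array": list, "string": str, "integer": int,
         "number": (int, float), "boolean": bool}


def validate(value, schema, path="$"):
    """Return a list of error strings; an empty list means the value conforms."""
    if "oneOf" in schema:  # used by the cloudtrail mode's 'events' items
        hits = [alt for alt in schema["oneOf"] if not validate(value, alt, path)]
        return [] if len(hits) == 1 else [f"{path}: matches {len(hits)} oneOf alternatives"]
    errors = []
    expected = schema.get("type")
    if expected and not isinstance(value, TYPES[expected]):
        return [f"{path}: expected {expected}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in {schema['enum']}")
    if expected == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}: missing required key {key!r}")
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(sub, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unknown key {key!r}")  # usually a typo
    if expected == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


# Constructed subset of the ec2-instance-state mode schema shown above; the
# page's full schema has more optional keys with the same shapes.
EC2_STATE_MODE = {
    "type": "object", "additionalProperties": False, "required": ["type"],
    "properties": {
        "type": {"enum": ["ec2-instance-state"]},
        "events": {"type": "array", "items": {"enum": [
            "pending", "running", "shutting-down", "stopped", "stopping", "terminated"]}},
        "role": {"type": "string"},
        "runtime": {"enum": ["python2.7", "python3.6", "python3.7"]},
    },
}

# Constructed mode blocks: the second one misspells an event, misspells the
# 'role' key and names a runtime the schema does not allow.
GOOD_MODE = {"type": "ec2-instance-state", "events": ["running"],
             "role": "arn:aws:iam::123456789012:role/custodian-placeholder"}
BAD_MODE = {"type": "ec2-instance-state", "events": ["runing"],
            "rol": "custodian", "runtime": "python3.8"}
```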
class c7n.policy.GuardDutyMode(policy)
    Bases: c7n.policy.LambdaMode

    Incident response for AWS GuardDuty.
    This policy fires on GuardDuty events for the given resource type.

    id_exprs = {'account': {'type': 'subexpression', 'children': [{'type': 'field', 'children': [], 'value': 'detail'}, {'type': 'field', 'children': [], 'value': 'accountId'}]}, 'ec2': {'type': 'subexpression', 'children': [{'type': 'field', 'children': [], 'value': 'detail'}, {'type': 'field', 'children': [], 'value': 'resource'}, {'type': 'field', 'children': [], 'value': 'instanceDetails'}, {'type': 'field', 'children': [], 'value': 'instanceId'}]}, 'iam-user': {'type': 'subexpression', 'children': [{'type': 'field', 'children': [], 'value': 'detail'}, {'type': 'field', 'children': [], 'value': 'resource'}, {'type': 'field', 'children': [], 'value': 'accessKeyDetails'}, {'type': 'field', 'children': [], 'value': 'userName'}]}}

    schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['guard-duty']}}, 'required': ['type'], 'type': 'object'}

    supported_resources = ('account', 'ec2', 'iam-user')

    type = 'guard-duty'

    type_aliases = None

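The id_exprs above are parsed expression trees: each is a chain of field hops that locates, inside the GuardDuty finding, the id of the resource a policy of that resource type should act on. As an added example (not Cloud Custodian's code), the block below evaluates those trees against a constructed EC2 finding and shows the failure mode a responder should expect: a finding about a different kind of resource yields no id rather than a wrong one.

```python
# Added example, not Cloud Custodian's code: evaluate the parsed expression
# trees in GuardDutyMode.id_exprs (copied from the page) against a constructed
# GuardDuty finding to extract the id the policy will act on.
ID_EXPRS = {
    'account': {'type': 'subexpression', 'children': [
        {'type': 'field', 'children': [], 'value': 'detail'},
        {'type': 'field', 'children': [], 'value': 'accountId'}]},
    'ec2': {'type': 'subexpression', 'children': [
        {'type': 'field', 'children': [], 'value': 'detail'},
        {'type': 'field', 'children': [], 'value': 'resource'},
        {'type': 'field', 'children': [], 'value': 'instanceDetails'},
        {'type': 'field', 'children': [], 'value': 'instanceId'}]},
    'iam-user': {'type': 'subexpression', 'children': [
        {'type': 'field', 'children': [], 'value': 'detail'},
        {'type': 'field', 'children': [], 'value': 'resource'},
        {'type': 'field', 'children': [], 'value': 'accessKeyDetails'},
        {'type': 'field', 'children': [], 'value': 'userName'}]},
}
SUPPORTED_RESOURCES = tuple(ID_EXPRS)  # ('account', 'ec2', 'iam-user')


def evaluate(node, data):
    """Walk a tree of 'field' hops; None means some hop was absent."""
    if node['type'] == 'field':
        return data.get(node['value']) if isinstance(data, dict) else None
    if node['type'] == 'subexpression':
        for child in node['children']:
            data = evaluate(child, data)
            if data is None:
                return None
        return data
    raise ValueError(f"unsupported node type {node['type']!r}")


def resource_id(resource_type, event):
    """Id of the finding's resource for the policy's resource type, or None
    when the finding is about a different kind of resource."""
    if resource_type not in SUPPORTED_RESOURCES:
        raise ValueError(f"guard-duty mode does not support {resource_type!r}")
    return evaluate(ID_EXPRS[resource_type], event)


# Constructed finding in the shape GuardDuty puts on the event bus; an EC2
# finding carries instanceDetails but no accessKeyDetails.
EC2_FINDING = {'detail': {'accountId': '123456789012', 'resource': {
    'resourceType': 'Instance',
    'instanceDetails': {'instanceId': 'i-0123456789abcdef0'}}}}
```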
class c7n.policy.LambdaMode(policy)
    Bases: c7n.policy.ServerlessExecutionMode

    A policy that runs/executes in lambda.

    POLICY_METRICS = ('ResourceCount',)

    run(event, lambda_context)
        Run policy in push mode against the given event.
        Lambda automatically generates CloudWatch logs and metrics for us, albeit with some deficiencies: its metrics count executions rather than valid resource matches.
        If the metrics execution option is enabled, custodian will generate metrics as normal.

    schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7']}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}}, 'type': 'object'}

class c7n.policy.PHDMode(policy)
    Bases: c7n.policy.LambdaMode

    Personal Health Dashboard event based policy execution.

    schema = {'additionalProperties': False, 'properties': {'categories': {'items': {'enum': ['issue', 'accountNotification', 'scheduledChange']}, 'type': 'array'}, 'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'events': {'items': {'type': 'string'}, 'type': 'array'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7']}, 'security_groups': {'type': 'array'}, 'statuses': {'items': {'enum': ['open', 'upcoming', 'closed']}, 'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['phd']}}, 'required': ['events', 'type'], 'type': 'object'}

    type = 'phd'

    type_aliases = None

class c7n.policy.PeriodicMode(policy)
    Bases: c7n.policy.LambdaMode, c7n.policy.PullMode

    A policy that runs in pull mode within lambda.

    POLICY_METRICS = ('ResourceCount', 'ResourceTime', 'ActionTime')

    run(event, lambda_context)
        Run policy in push mode against the given event.
        Lambda automatically generates CloudWatch logs and metrics for us, albeit with some deficiencies: its metrics count executions rather than valid resource matches.
        If the metrics execution option is enabled, custodian will generate metrics as normal.

    schema = {'additionalProperties': False, 'properties': {'concurrency': {'type': 'integer'}, 'dead_letter_config': {'type': 'object'}, 'environment': {'type': 'object'}, 'execution-options': {'type': 'object'}, 'function-prefix': {'type': 'string'}, 'kms_key_arn': {'type': 'string'}, 'layers': {'items': {'type': 'string'}, 'type': 'array'}, 'member-role': {'type': 'string'}, 'memory': {'type': 'number'}, 'packages': {'items': {'type': 'string'}, 'type': 'array'}, 'role': {'type': 'string'}, 'runtime': {'enum': ['python2.7', 'python3.6', 'python3.7']}, 'schedule': {'type': 'string'}, 'security_groups': {'type': 'array'}, 'subnets': {'type': 'array'}, 'tags': {'type': 'object'}, 'timeout': {'type': 'number'}, 'tracing_config': {'type': 'object'}, 'type': {'enum': ['periodic']}}, 'required': ['type'], 'type': 'object'}

    type = 'periodic'

    type_aliases = None

class c7n.policy.Policy(data, options, session_factory=None)
    Bases: object

    end

    execution_mode

    expand_variables(variables)
        Expand variables in policy data. Updates the policy data in-place.

    get_variables(variables=None)
        Get runtime variables for policy interpolation. Runtime variables are merged with the passed-in variables, if any.

    is_lambda

    log = <Logger custodian.policy (DEBUG)>

    max_resources

    max_resources_percent

    name

    provider_name

    region

    resource_type

    run()
        Run policy in default mode.

    start

    tz

class c7n.policy.PolicyCollection(policies, options)
    Bases: object

    _filter_by_pattern(policies, pattern)
        Takes a list of policies and returns only those matching the given glob pattern.

    _filter_by_patterns(policies, patterns)
        Takes a list of policies and returns only those matching the given glob patterns.

    _filter_by_resource_type(policies, resource_type)
        Takes a list of policies and returns only those matching the given resource type.

    _filter_by_resource_types(policies, resource_types)
        Takes a list of policies and returns only those matching the given resource types.

    log = <Logger c7n.policies (DEBUG)>

    resource_types
        Resource types used by the collection.

class c7n.policy.PolicyExecutionMode(policy)
    Bases: object

    Policy execution semantics.

    POLICY_METRICS = ('ResourceCount', 'ResourceTime', 'ActionTime')

class c7n.policy.PullMode(policy)
    Bases: c7n.policy.PolicyExecutionMode

    Pull mode execution of a policy.
    Queries resources from the cloud provider for filtering and actions.

    schema = {'additionalProperties': False, 'properties': {'type': {'enum': ['pull']}}, 'required': ['type'], 'type': 'object'}

    type = 'pull'

    type_aliases = None