Cloud Custodian Versions

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources

0.9.26.0

1 year ago

Fixes a package upload issue caused by using poetry to upload our frozen wheels, which affected 0.9.25.0. Uploads now use twine instead, which results in proper frozen metadata.

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.25.0...0.9.26.0

0.9.25.0

1 year ago

aws

  • aws - asg - image filter - fix warning when image not found (#8473)
  • aws - asp-sync - delete action (#8419)
  • aws - ecs cluster - including settings to check for container insights (#8380)
  • aws - ecs-task-definition - support permanent deletion via force option (#8406)
  • aws - elasticsearch - cross-account bug fix handle no access policy (#8403)
  • aws - kinesis-video add tag/remove tag action (#8454)
  • aws - output - set region when using lambda exec options (#8471)
  • aws - quota - fix usage-metric exceeds the limit of 1440 data points (cont.) (#7140)
  • aws - rds - fix option group filter (#8433)
  • aws - reuse client for augment thread workers (#8456)
  • aws - route53 - recovery-control-panel - add a safety-rule filter (#8381)
  • aws - sns subscription - topic filter for unused and other use cases #8316 (#8336)

azure

  • azure - adding filter for subscription diagnostic settings (#8401)
  • azure - event mode - fix functions via include boto3 module #8203 (#8465)
  • azure - firewall filter - add option to include azure service 'magic' ip range (#8309)
  • azure - network security group - add explicit icmp to filter vocab (#8438)
  • azure - network-security group - flow log filter (#8312)
  • azure - tests - trim cassette data (#8466)

core

  • core - filters - add list-item filter (#7739)
  • core - policy - fix conditions.env_vars for c7n-org (#8434)
  • core - value filter - add jmespath value_path as option for supplying values (#8350)

docs

  • docs - fix indentation on advanced example (#8405)
  • docs - add shift-left to main readme, flesh out c7n-left readme (#8412)

gcp

  • gcp - add secret resource (#8421)
  • gcp - cloud-run service and job (#8452)
  • gcp - organization - essential-contacts filter (#8303)
  • gcp - project - access-approval filter (#8361)
  • gcp - service-account - iam-policy filter (#8404)

shift-left

  • c7n-left - fix multi resource using lists (#8447)
  • c7n-left - policy testing (#8428)
  • c7n-left - policy testing allow filters (#8460)

tencentcloud

  • c7n_tencentcloud - security-group used filter (#8399)

releng

  • releng - add black as dev dependency and add to make lint (#8378)
  • releng - c7n-left docker image (#8396)
  • releng - policy stream fix test oddity - use explicit rm (#8422)
  • releng - policy stream test ensure debug output on failure (#8409)
  • releng - release automation tweaks (#8392)
  • releng - release prep 0.9.25 (#8431)
  • releng - remove obsolete devcontainer and vscode configs (#8411)
  • releng - remove old releng artifacts (#8408)
  • releng - terraform fmt check in ci (#8413)
  • releng - update dependencies (#8474)
  • tools/dev - prcheck - add required fields and arg help (#8430)
  • tools/dev - prcheck can tag prs and recheck them (#8376)

schema changes

0.9.24.0

1 year ago

aws

  • aws - ami - allow no 'add' in set-permissions action (#8327)
  • aws - apigw - generate domain name arns (#8366)
  • aws - asg - let valid/invalid filters work in explicit pull mode (#8308)
  • aws - efs-mount-point - network-location filter (#8347)
  • aws - eks - add network-location filter (#8377)
  • aws - elasticsearch - enable support for server-side query filtering (#8337)
  • aws - elasticsearch - new action to enable audit logs to cloudwatch (#8232)
  • aws - enhance modify-security-groups action to support add groups by tag (#8356)
  • aws - hosted zone - explicit config_id for config-rule support (#8269)
  • aws - lambda - filter for lambda@edge (#8382)
  • aws - rds - bug fix in consecutive-snapshots filter (#8357)
  • aws - route53 ARC - control panel: add resource and tagging (#8352)
  • aws - route53.recovery-cluster - add resource and tagging support (#8301)
  • aws - s3 - check-public-filter handle access denied errors (#8374)
  • aws - s3 output bucket region determination refactor (#8289)
  • aws - security-group unused filter - add batch compute envs (#8297)
  • aws - tag variable interpolation fix (#8383)
  • aws - vpc - bug fix security-groups-used on in-use eni with no attachment (#8099) (#8390)
  • aws - wafv2 - add scope param to list call in lambda modes (#8120)
  • feat: fix marked-for-op filter bug (#8313)

c7n_azure

  • c7n_azure - adding new resource for mysql flexibleserver and a new filter (#8241)

core

  • core - filters - add headers to value_from url (#8307)
  • core - offhours filter - fixing typo on fallback-schedule schema (#7929)
  • core - pass validate to load_data so intent to validate policies or not is fully respected (#8305)
  • core - query - have resource manager init args match the base class (#8310)

gcp

  • gcp - bq-table - add augment to table for encryption config (#7952)

kubernetes

  • kubernetes - fix test via k8s registry url update (#8290)

shift-left

  • c7n-left - test handling of terraform local modules (#8286)
  • c7n-left - traverse filter supports non value type filters (#8299)

tools

  • tools/c7n-mailer - replay - support for slack (#5653)
  • tools/c7n-mailer - unique email list (#8370)
  • tools/c7n-mailer - replay - support mimicking sqs (#5655)
  • tools/c7n_mailer - handle lambda container images (#8329)
  • tools/c7n_mailer - option to assume role to send via centralized account SES (#6707)
  • tools/dev - fix devcontainer poetry installation (#8317)
  • tools/omnissm - bump golang.org/x/sys (#8320)
  • tools/omnissm - bump golang.org/x/text (#8311)

releng

  • releng - address some linting found by new bandit release (#8365)
  • releng - cask dep updates (#8322)
  • releng - change docker :dev tag to daily build (#8342)
  • releng - ci - add 3.11 remove 3.7 python versions to matrix (#8294)
  • releng - explicitly define bash as the makefile shell (#8343)
  • releng - functional aws tests and slack results (#8359)
  • releng - get rid of generated setup.py/requirements.txt files, use poetry to publish wheels (#8348)
  • releng - omnissm - bump golang.org/x/net (#8340)
  • releng - refactor ci and makefile (#8332)
  • releng - rev version, sphinx fixes, and rebase dependencies (#8341)
  • releng - use layer cache when building images (#8331)

schema changes

0.9.23.0

1 year ago

0.9.22.0

1 year ago

0.9.21.0

1 year ago

aws

  • aws - rest-stage - add regex match support for wafv2-enabled filter and set-wafv2 action (#7946)
  • aws - account - add ses send metric filters (#7874)
  • aws - account - check-cloudtrail filter: add include-management-events and log-metric-filter-pattern (#7851)
  • aws - account - managed config rule (#7029)
  • aws - ami - add set-permissions and set-deprecation actions, org support for cross-account filter (#7974)
  • aws - asg - ignore UnsupportedOperation on asg suspend (#8076)
  • aws - autotag - fix none userinfo exception (#7984)
  • aws - autotag action - autotag user with value (#7959)
  • aws - backup - add consecutive backups filter (#8030)
  • aws - cloudfront - fix wafv2-enabled filter to find waf-classic associations (#7986)
  • aws - cloudfront - updating s3 regexes for mismatch-s3-origin filter (#8045)
  • aws - cloudhsm-cluster, augment and serverless mode (#7996)
  • aws - composite-alarm - add resource and delete action (#7953)
  • aws - cross-account filter - use case-insensitive checks for allowed condition keys (#7889)
  • aws - custodian lambda policy - arm64 / graviton support (#7917)
  • aws - dlm - use native arn attribute (#8027)
  • aws - ec2 - force stop override stop protection (#8007)
  • aws - efs - add has-statement filter (#7884)
  • aws - event-rule - add set-rule-state action (#7954)
  • aws - glue-connection - tag read/write support (#8049)
  • aws - graphql-api - add api-cache filter (#8056)
  • aws - hosted-zone - query-logging-enabled: add subscription filter details (#7988)
  • aws - iam-instance-profile - set-role action (#7999)
  • aws - iam-profile, ec2 - add has-specific-managed-policy filter (#8006)
  • aws - invoke-lambda action - support for assume role prior to invoke (#7904)
  • aws - lambda - adjust kms key arn casing for securityhub finding (#7998)
  • aws - notify - prepare iam-saml-provider for notify (#8022)
  • aws - rds - add db-option-groups filter (#7807)
  • aws - rds-snapshot - skip automated snapshots during delete action (#7938)
  • aws - redshift - efs - add consecutive daily snapshot count filter (#7749)
  • aws - route53 - define rrset and healthcheck as global resources (#8042)
  • aws - route53resolver - add resolver-logs resource and associate-vpc action (#7939)
  • aws - secrets-manager - add has-statement filter (#7930)
  • aws - security-group - used filter - add interface usage annotation (#8028)
  • aws - sns - migrate to universal augment (#8075)
  • aws - tags - copy-related-tag using resourcegroupstaggingapi, support tags as key (#7223)
  • aws - transfer - add transfer resources (#6927)
  • aws - transit-attachment - Support CloudTrail mode (#7983)
  • aws - wafv2 - add logging filter (#8072)

azure

  • azure - postgresql-server - add configuration-parameter filter (#7876)
  • azure - sql-server - add value filter logic to the vulnerability-assessment filter (#7864)
  • azure - sqlserver - add auditing filter (#7664)
  • azure - storage - add blob-services filter (#8082)
  • azure - webapp - add authentication filter (#7840)
  • fix - flake8/pyflakes bump removed type comments linting (#8039)

c7n-org

  • c7n-org - cli - support not-accounts option (#8036)

core

  • core - fix issue dumping FormatDate objects as json. (#7975)

docs

  • docs - add governance-as-code day orgs (#7957)
  • docs - tencentcloud resource reference docs build (#8002)
  • docs - tencentcloud resources docs with examples (#8052)

gcp

  • gcp - add get_urns for gcp resource managers (#8061)
  • gcp - project - add compute-meta filter (#7971)
  • gcp - replace ratelimiter with pyrate-limiter (#8060)

kubernetes

  • kubernetes - report cli - fix reporting for k8s resources (#7942)

releng

  • releng - 0.9.21.0 pkg-increment and pkg-rebase (#7990)
  • releng - github actions use concurrency option to only run on latest push (#8012)
  • releng - handle extra/optional requirements in gen-frozensetup (#8001)
  • releng - install mailer extras in docker image (#7995)
  • releng - pkg-rebase to clear certifi/cryptography/grpcio/requests/ci issues (#8080)
  • releng - update poetry to 1.2.2 (#8013)
  • releng - update version file to 0.9.20 (#7948)
  • releng - fix boto3 and botocore

shift-left

  • c7n-left - graph traversal filter (#7943)
  • c7n-left - output - add description to console output (#7949)
  • c7n_left - github action output annotation fixes (#8011)

tencentcloud

  • c7n_tencentcloud - better vcr test options (#7992)
  • c7n_tencentcloud - cam - add resources (#7865)
  • c7n_tencentcloud - cls, es, vpc, tcr - add resources (#7905)
  • c7n_tencentcloud - resources - cdb & cdb_backup (#7908)
  • c7n_tencentcloud - resources - cos (#8044)
  • tencentcloud - client - support for assume role (#8043)
  • tencentcloud - refactor metrics filter to support multi dimensions (#7994)

tests

  • tests - replace misuse of assertTrue with assertEqual (#7914)

tools

  • mailer - fix - multi emails in tag for gcp (#8074)
  • tools/c7n_policystream - bump pygit2 dependency (#8058)
  • tools/cask - support tencent cloud (#8047)
  • tools/mugc - remove functions from regions where region is not set in policy (#6989)

schema changes

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.20.0...0.9.21.0

0.9.20.0

1 year ago

aws

  • aws - apigwv2 - new resource and tagging support (#7881)
  • aws - appsync resource and waf filter/action (#7872)
  • aws - dynamodb - enhancement recommended for the consecutive-backups filter (#7813)
  • aws - ec2 - set-metadata-access - include instance tags option (#7772)
  • aws - elbv2 wafv2-enabled fix to include only application loadbalancers (#7869)
  • aws - iam-user - add login-profile filter (#7804)
  • aws - log-group - add put-subscription-filter action (#7817)
  • aws - metrics - support extended statistics (#7826)
  • aws - opensearch - update tls endpoint config action (#7887)
  • aws - rds-proxy - Add new RDS Proxy resource (#7859)
  • aws - retry logic to describe listeners (#5915)
  • aws - security-group - used filter - add interface detail annotations (#7861)
  • aws - support-case - use helper to get correct region per partition (#7927)

azure

  • azure - keyvault - use list_by_subscription to enumerate vault resources with more information (#7871)

docs

  • docs - c7n-kates helm deployment docs (#7922)
  • docs - c7n_kube and c7n-kates documentation (#7883)

kubernetes

  • c7n_kube - cache - fix cache usage (#7860)
  • c7n_kube - mode/k8s-admission - add admission controller mode (#7697)
  • c7n_kube - role/cluster-role - add role and cluster role resources (#7932)

releng

  • releng - 0.9.20 pkg rebase and increment (#7852)
  • releng - c7n-kube - skaffold use the latest published version of the helm chart (#7921)
  • releng - changelog generator tweaks for shift left and tencentcloud (#7867)
  • releng - improve docker build time via better layer cache utilization (#7862)
  • releng - pin poetry and fix setup gen (#7848)
  • releng - skaffold local dev, c7n-kates container, tls for admission controller (#7885)
  • releng - tencentcloud fix pyproject.toml project urls
  • releng - update codecov action (#7918)
  • releng - update docker github actions (#7873)

shift-left

  • c7n-left - exit 1 when resources match policies (#7940)
  • c7n-left - update tfparse, json output includes resource, jmespath query on json output (#7928)
  • tools/c7n-left - refactor terraform support to subpackage (#7850)
  • tools/c7n-left - run policies on terraform (#7803)

tencentcloud

  • c7n_tencentcloud - metrics filter for CLB & NAT-gateway (#7902)
  • c7n_tencentcloud - resources - ami, nat gateway, cbs/volume snapshot (#7819)
  • c7n_tencentcloud - resources - clb & cbs - load balancer and volumes (#7809)
  • tencentcloud - security-group resource (#7877)
  • tencentcloud - tests - Add fixture for environment variables, and typos in query.py. (#7824)

tools

  • tools/c7n-org - support vars in run-script args (#7644)
  • tools/c7n_mailer - lazily import processor modules (#7857)

schema changes

0.9.19.0

1 year ago

0.9.18.0

1 year ago

aws

This release includes a change that requires the GetBucketLocation permission on the output bucket when using the s3 output. If you are missing this permission and are doing cross-account outputs to s3, ensure that your custodian role has GetBucketLocation permission for the target bucket.
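The permission requirement above, as an added example that is not part of the Cloud Custodian project's own code: a small Python helper that builds the bucket-level IAM statement the custodian role needs and checks whether an identity policy document already grants it. The bucket name `example-custodian-output`, the sample policy documents and the function names are constructed for illustration. The checker accepts Action and Resource as a string or a list and honours IAM `*` and `?` wildcards, but does not model NotAction, NotResource or Condition, and it evaluates only the role's identity policy; for a cross-account output bucket, the bucket's own bucket policy in the target account must allow the action as well.

```python
"""Added example (not Cloud Custodian project code): build and check the
s3:GetBucketLocation permission required by the 0.9.18.0 s3 output change.

Bucket name, role policy documents and helper names are constructed
(hypothetical) for illustration.
"""
import fnmatch
import json


def bucket_location_statement(bucket: str) -> dict:
    """Minimal IAM statement granting s3:GetBucketLocation on one bucket.

    GetBucketLocation is a bucket-level action, so the Resource must be the
    bucket ARN itself (arn:aws:s3:::bucket), not the object ARN (bucket/*).
    """
    return {
        "Sid": "CustodianOutputBucketLocation",
        "Effect": "Allow",
        "Action": "s3:GetBucketLocation",
        "Resource": f"arn:aws:s3:::{bucket}",
    }


def _as_list(value):
    """IAM allows Action/Resource/Statement as a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' any run, '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def grants_get_bucket_location(policy: dict, bucket: str) -> bool:
    """True if an Allow statement covers s3:GetBucketLocation on the bucket
    ARN and no Deny statement covers it (an explicit deny always wins).

    NotAction, NotResource and Condition are not modelled here.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        # Action names are case-insensitive; S3 ARNs are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        action_hit = any(_matches(a, "s3:getbucketlocation") for a in actions)
        resource_hit = any(_matches(r, bucket_arn) for r in resources)
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


# Constructed sample: an output-bucket policy that grants object-level access
# only. Custodian can write its output objects, but the bucket/* resource does
# not cover the bucket-level GetBucketLocation call the 0.9.18.0 output needs.
OBJECT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::example-custodian-output/*",
        }
    ],
}

# Constructed sample: the same policy with the bucket-level statement added.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": OBJECT_ONLY_POLICY["Statement"]
    + [bucket_location_statement("example-custodian-output")],
}


if __name__ == "__main__":
    for name, pol in (("object-only", OBJECT_ONLY_POLICY), ("fixed", FIXED_POLICY)):
        ok = grants_get_bucket_location(pol, "example-custodian-output")
        print(f"{name}: GetBucketLocation granted = {ok}")
    print(json.dumps(bucket_location_statement("example-custodian-output"), indent=2))
```

Run the checker against the policy attached to the custodian role before upgrading; a policy that only lists `bucket/*` resources reports False even though object writes succeed, which is the exact gap the release note describes.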

  • aws - account - check-macie filter - return empty list if doesn't match (#7536)
  • aws - artifact - fix cfn type metadata (#7560)
  • aws - asg - fix tagging interpolate values (#7543)
  • aws - cloudfront - post-finding fix webacl attribute (#7576)
  • aws - cloudfront - support fetching with arns for trail mode (#7588)
  • aws - config poll rule fix - remove evals for deleted resources (#7500)
  • aws - connect-instance - new resource and instance-attribute filter (#7561)
  • aws - ec2 - terminate - fix usage of batch (#7607)
  • aws - ec2 - terminate - minimize api calls with force option re disabling stop/termination protection (#7627)
  • aws - ec2 - terminate with force also disables stop protection (#7598)
  • aws - event-rule - invalid target filter - handle unknown arns and add event-bus as a valid target (#7622)
  • aws - filters - add aws:SourceAccount support to cross-account filter (#7611)
  • aws - fsx - add consecutive-backups filter (#7252)
  • aws - fsx subnet filter (#7552)
  • aws - kinesis - config source attribute adaptation fix (#7575)
  • aws - metrics - align metric window with cloudwatch retention schedule (#7307)
  • aws - mu - add waiter to lambda creation to support aws lambda states (#7539)
  • aws - output - read bucket region prior to creating session (#7524)
  • aws - quotas - include aws default service quotas (#7572)
  • aws - quotas - update quotas onto the default quotas (#7645)
  • aws - rest-api - cross-account filter - handle policy mangling and use correct default (#7632)
  • aws - s3 - fix bucket-encryption filter for when encrypt config present but absent a kms key (#7592)
  • aws - skip invalid tags dates instead of failing policy also flake8 fixes (#7594)
  • aws - sns and sqs - add "has-statement" filter (#7525)
  • aws - vpc - flow-logs - fix LogDestination key error (#7569)
  • aws - waf/wafv2 - set-waf action for apigateway, cloudfront and elb resources (#7519)
  • aws - workspaces - Create filter for workspaces directory connection aliases (#7460)

core

  • c7n-org - report - don't overwrite when merging account tags to resource (#7642)
  • core - output - refactor to move write_file to blob handlers. (#7579)
  • core - offhour - support escaped tag restricted values with translation map (#7631)
  • core - structural validate handle explicit null filters or actions (#7570)

docs

  • docs - add Darren Dao as a maintainer (#7565)
  • docs - add castrojo as an additional admin contact for the project (#7613)
  • docs - remove references to Python 3.6 and point to upstream python support schedule instead (#7537)
  • docs - update developer install docs (#7522)
  • docs - update example to use policy conditions instead of region top level key (#7517)

gcp

  • gcp - gcp-periodic - trigger type is http, fix for delta_resource, require service-account (#7498)
  • gcp - gke - support resourceLabels as labels (#7534)
  • gcp - marked-for-op - fix to support actions and templates with hyphens (#7637)
  • gcp - metrics - fix start/end time now need to end with Z (#7629)
  • gcp - sql - Add labels filters and actions to the GCP SQL (#7556)
  • gcp - sql - fix augment labels (#7624)
  • gcp - support GCP_PROJECT env var (#7630)

releng

  • releng - 0.9.18.0 - prep for release (#7602)
  • releng - bump package versions for 0.9.18.0 (#7636)
  • releng - docker update poetry version and update ubuntu base image (#7619)
  • releng - docs build - update cache keys to address stale cache issue (#7621)
  • releng - update policystream to use 22.04 and remove libgit compilation (#7605)

tools

  • mailer - fix - change default value to {} for dict (#7518)
  • tools/c7n-mailer - fix exception with null to in notify action (#7586)
  • tools/c7n_mailer - jinja get_date_age support seconds (#7643)
  • tools/c7n_mailer - slack delivery - allow using email address in tag's value (#7221)

schema changes

0.9.17.0

1 year ago

aws

  • aws - account - support config poll rule evaluations (#7476)
  • aws - cloudfront - recursively merge config during set-attributes (#7486)
  • aws - cloudfront - update formatting for post-finding (#7491)
  • aws - cloudsearch - add domain-options filter and enable-https action (#7280)
  • aws - config-rule - fetch tags via universal augment (#7241)
  • aws - ebs - preserve tags across encrypt-instance-volumes action (#7275)
  • aws - elb - remove-tag - fix for list of tags (#7473)
  • aws - fis experiment template resource (#7475)
  • aws - iam-group - add set-policy action (#7489)
  • aws - kinesis - add force parameter to delete action (#7261)
  • aws - rds - add engine filter (#7222)
  • aws - s3 - fix: handle configure-lifecycle action when lifecycle doesn't exist (#7485)
  • aws - sqs - add deadletter filter (#7466)
  • aws - ssm-data-sync - update id, name and arn_type (#7493)
  • aws - subnet filter - igw bool option for checking on igw route (#7481)
  • aws - wafv2 - minor fix to remove unwanted logging (#7490)
  • aws - wafv2 resource and filters for elb, apigateway and cloudfront resources (#7277)
  • aws - wafv2 - cloudfront's update distribution needs webacl ARN (#7495)
  • aws - workspaces - add deregister action (#7227)

gcp

  • gcp - metrics - remove unnecessary pytz dependency (#7274)
  • gcp - sourcerepo - fix typo in scope_template (#7267)

releng

  • releng - 0.9.17.0 release prep (#7492)
  • releng - bump pyjwt from 1.7.1 to 2.4.0 in /tools/c7n_azure (#7278)
  • releng - link to discussions instead of using issue templates (#7308)

tools

  • tools/c7n-org - warn and continue when failing to resolve regions (#7494)
  • tools/cask - dependency updates (#7487)

schema changes