Cloud Custodian Versions

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources

0.9.16.0

2 years ago

aws

  • aws - access-analyzer - fix policy name ref for err msg if no access analyzers (#7231)
  • aws - config-poll-rule mode - optionally ignore resource support check (#7194)
  • aws - core - add TooManyRequestsException to list of default retry codes (#7163)
  • aws - cross-account filter - handle multiple principal types (#7112)
  • aws - mu - default to python3.9 for lambda execution modes (#7212)
  • aws - ebs - snapshot create with description (#7135)
  • aws - elb - support predefined policies for set-ssl-listener-policy (#7137)
  • aws - es - add cross-cluster connection filter (#7230)
  • aws - glue-job - toggle metrics action (#7151)
  • aws - metrics - include days in cache key (#7218)
  • aws - rds - add consecutive daily snapshot count filter (#7190)
  • aws - service-quota - list services in larger batches to avoid throttling (#7138)
  • aws - traffic mirror session and target resources (#7109)
  • aws - support - get support region by partition, don't use region from manager (#7220)

azure

  • azure - add defender resources (#7128)
  • azure - advisor-recommendation - fix typo in example (#7141)
  • azure - function runtime python 3.8 (#7171)

docs

  • docs - add a roadmap.md that points to the right github project (#7173)
  • docs - add link to project roadmap in the readme (#7184)
  • docs - aws - ec2 - fix typo in set-metadata-options example (#7157)

releng

  • releng - 0.9.16.0 version increment, deps rebase (#7203)
  • releng - cask dep security updates (#7235)
  • releng - tools/c7n_policystream - update pygit2 version (#7150)
  • releng - tools/cask - bump containerd version due to cve (#7147)

tests

  • ci - deploy docs to gh-pages on push to main (#7237)

tools

  • tools/c7n_mailer - fall back to empty string on missing efs name (#7142)
  • tools/c7n_mailer - use utf-8 encoding for slack delivery (#7167)

schema changes

0.9.15.0

2 years ago

0.9.14.0

2 years ago

IMPORTANT

AWS users should upgrade prior to Dec 6th, 2021 to accommodate a behavior change in Lambda provisioning, which will otherwise cause errors when updating policies. See https://aws.amazon.com/blogs/compute/coming-soon-expansion-of-aws-lambda-states-to-all-functions/ for details.

aws

  • aws - apache airflow support and kms filter (#6823)
  • aws - check-permissions - gracefully handle non-existent iam entities (#6986)
  • aws - codedeploy - map resource type id applicationName (#6949)
  • aws - datapipeline - fix pipeline id capture (#6983)
  • aws - ebs - force result pagination (#6875)
  • aws - ebs snapshot - action allow copies within the same region (#6898)
  • aws - elasticache replication group - tagging support (#6858)
  • aws - iam - add validation for check-permissions filter (#6955)
  • aws - kms - support security hub bespoke format on creation date (#6895)
  • aws - log-group - subscription filter (#6865)
  • aws - mu - lambda policy deployment - handle required lambda state waiting (#6969)
  • aws - mu - support different event name vs policy name (#6840)
  • aws - notify action - sns transport return messageid for logging (#6916)
  • aws - prefix list resource (#6942)
  • aws - rds-cluster and fsx - add ability to filter by arns (#6889)
  • aws - s3 - kms fixes for bucket encryption filter/action (#6937)
  • aws - s3 access point resource (#5983)
  • aws - ssm - set id field for ssm document (#6868)
  • aws - tag copy exclude aws: prefixed tags (#6953)
  • aws - workspace image and cross-account filter (#6835)
  • aws - workspaces - add terminate action and delete image (#6902)
  • aws - workspaces directory, subnet, sg and client-properties filters and actions (#6929)
  • aws - codedeploy - application, deployment-group and deployment resources (#6806)

azure

  • azure - ci - session tests fix (#6892)
  • azure - Change ACI image name (#6888)
  • azure - advisor (cloud-custodian#6836) (#6866)
  • azure - update mysql version used for tests (#6879)

core

  • core - reduce filter - fix value_regex validation (#6899)

docs

  • docs - clarify default tag mark-for-op tag in aws (#6885)
  • docs - clarify execution mode wording and add cross references. (#6861)
  • docs - fix broken external link to point to mailer README instead (#6897)
  • docs - issue template - adopt feedback from community meeting on 2021-08-31 (#6880)
  • docs - readme - add a link to community events to aid with discovery (#6886)
  • docs - remove remaining $ from prompts in the docs (#6842)
  • docs - switch event id for AuthorizeSecurityGroup examples (#6939)

gcp

  • gcp - subnet - fix get re match string (#6933)
  • gcp - resource iam policy filter (#6771)
  • gcp - subnet - set-flow-log action pass fingerprint parameter (#6934)

releng

  • releng - docker functional tests sans terraform dependency (#6905)
  • releng - exempt sendgrid from frozen dep when releasing (#6996)
  • releng - migrate to github forms for issues (#6864)
  • releng - update deps (#6904)
  • releng - use poetry instead of tox in ci for better cache usage (#6883)
  • releng - version increment and dependency upgrade (#6856)
  • releng - dependency updates 2021-11 (#6984)
  • ci - aws - iam permission meta test - handle shared service names across resources (#6841)

tools

  • tools/c7n-logexporter - fix: run cli parameters into export mismatch (#6930)
  • tools/c7n-logexporter - fixes and update readme (#6871)
  • tools/c7n-org - support reporting against s3 outputs (Fixes: #4029) (#6912)
  • tools/c7n_sphinxext - fix typo in changed content comparison for reference doc gen (#6938)
  • tools/mugc - only include enabled regions for region=all (#6870)

schema changes

0.9.13.0

2 years ago

aws

  • aws - api gateway - metric filter fix (#6728)
  • aws - application autoscaling w offhours/resize support (#6548)
  • aws - cloudtrail - event-selectors filter (#6394)
  • aws - health filter - update chunk size per provider api breakage (#6808)
  • aws - iam policy - tagging support (#6751)
  • aws - iam-policy - only fetch local policies (#6828)
  • aws - iam-profile - unused filter fix (#6804)
  • aws - lambda-layer - cross-account ignore layers with no policies (#6827)
  • aws - rds-snapshot - type info specify filter is scalar (#6814)
  • aws - s3 - allow encryption filter to match id, alias or arn (#6829)
  • aws - security hub - enable bigger batching to improve write speeds (#6784)
  • aws - security-group - references ingress/egress rules bug fix (#6838)
  • aws - securityhub - batch findings import retry (#6809)
  • aws - service-quotas - new resource filters/actions (#6511)
  • aws - ssm data sync resource (#6622)
  • aws - s3 - encryption - bucket key options (#6558)

azure

  • azure - Update mysql deployment location (#6845)
  • azure - cli test fix (#6776)
  • azure - extra dependencies for sqlserver template (#6844)

core

  • core - introduce a deprecation framework for the policy yaml (#6133)
  • core - webhook action - no_proxy support (#6767)

docs

  • docs - aws - contribution guide (#6616)
  • docs - information on community meetings w/ videos & notes links (#6810)
  • docs - remove $ from example commands to aid in pasteability (#6830)
  • docs - update to cncf code of conduct (#6654)

gcp

  • gcp - sql-instance - start instance action (#6750)

releng

  • releng - aws - fix service quota tests (#6801)
  • releng - increment versions and update deps (#6780)

tools

  • tools/c7n-org - run-script - unset AWS_PROFILE, set AWS_REGION (#6704)
  • tools/c7n-trailcreator - support org trails (#6831)
  • tools/c7n_policystream - support specifying policy glob on cli (#6785)

schema changes

0.9.12.0

2 years ago

aws

  • aws - ami deregister exception when snapshot in use (#6706)
  • aws - asg - add update action to set max lifetime and other settings (#6612)
  • aws - batch - fix subnet and sg filters related resource expressions (#6644)
  • aws - cloud watch alarms - tag augment (#6598)
  • aws - config support for ecs service & eks cluster (#6605)
  • aws - dax fix tagging action (#6754)
  • aws - ebs - modify action - add gp3 ebs type to schema (#6753)
  • aws - ec2 svc id prefix for more resources (#6566)
  • aws - ecs-task-definition - config support (#6561)
  • aws - ecs-task-definition - fix get_resources exception due to double augment (#6705)
  • aws - eks - node group resources and delete action (#6737)
  • aws - fix datapipeline id field (#6746)
  • aws - glue connections - default describe parameters for omitting password (#6733)
  • aws - handle deprecated services and mark additional global resources (#6592)
  • aws - kafka kms-key filter for data-volume encryption (#6769)
  • aws - kinesis Analytics V2, subnet filter and delete action (#6689)
  • aws - kms - doc unification (#6626)
  • aws - kms - more resilient key lookups, fix for keyarn/arn behaviors, fix for config source (#6624)
  • aws - log metrics resource (#6694)
  • aws - network firewall resource (#6463)
  • aws - partition name available for substitution in policies and mailer templates (#6726)
  • aws - s3 toggle-logging error handling and region variables (#6610)
  • aws - sagemaker-model - fix augment (#6772)
  • aws - secrets manager - tag augmentation fix (#6663)
  • aws - ssm - document resource and filters/actions (#6574)
  • aws - support phd mode sans detail (#6639)
  • aws - swf resource (#6687)
  • aws - emr - use cluster state query from policy, if provided (#6675)

azure

  • azure - Ensure subscription override for all cases (#6629)
  • azure - custodian and c7n-org azure multi cloud bug fixes (#6614)
  • azure - data mask policy filter (#6665)
  • azure - fix delete action for resource groups (#6730)
  • azure - identity upgrade fixes (#6773)
  • azure - new resources (#6759)
  • azure - remove jsonpickle (#6632)
  • azure - review wrong schema_alias (#6569)
  • azure - sql filters (#6640)
  • azure - sql vulnerability scan filter (#6651)
  • azure - vm extensions filter (#6702)
  • azure - revert API version change in favor of resource graph (#6655)

core

  • cli - report - strip date portion from s3 output dir (#6593)
  • core - offhours support for fallback schedule when missing tag (#6603)
  • core - fix annotation merges inside or blocks (#6757)
  • core - fix value filters that specify a value type but no op (#6682)
  • core - log policy exceptions before closing log stream (#6698)

docs

  • docs - add example to aws tag action (#6653)
  • docs - aws - use detail.awsRegion as a key to access the region data (#6674)

gcp

  • gcp - dataflow - augment per api changes (#6652)
  • gcp - filter - scc findings (#6630)
  • gcp - instance effective firewall filter (#6586)
  • gcp - metric filter - custom resource mappings (#6647)
  • gcp - metrics filter (#6595)
  • gcp - pass project id into credentials constructor (#6608)
  • gcp - scc - post finding severity field (#6731)
  • gcp - security-center execution mode (#6568)
  • gcp - service account key resource (#6591)
  • gcp - adding disable,enable,delete service account actions (#6650)

releng

  • releng - dockerpkg - work around azure pipeline regression and docker client bug (#6695)
  • releng - github actions docker build fix (#6697)
  • releng - include license in generated setup and dep update (#6648)
  • releng - prep 0.9.12, rebase deps (#6606)
  • releng - static analyzers in ci (#6649)
  • releng - update dependencies (#6755)

tools

  • tools/c7n_mailer - add formatting for rds-cluster resources (#6700)
  • tools/c8m_prg - name templates for azure script (#6661)

schema changes

0.9.11.0

3 years ago

Summary

This release contains some breaking changes for the Azure provider. The Azure SDKs from Microsoft have dropped compatibility with several resources, notably azure.keyvault-storage.

This release also includes a new OpenStack provider (alpha).

aws

  • aws - add set-permissions action for rds/rds-cluster snapshots (#6381)
  • aws - appelb - modify-listener - support nlb protocols (#6462)
  • aws - appflow - add resource, tag filters/actions, and delete action (#6478)
  • aws - arn resource resolver (#6383)
  • aws - asg scaling-policy filter and resource (#6273)
  • aws - config-poll-rule mode post results with chunked evaluation (#6461)
  • aws - copy-related-tag - fix exception when processing resource set (#6417)
  • aws - cw log-group kms-key filter (#6460)
  • aws - dynamodb config conversion remove manual datetime convert, as base class does it better now (#6471)
  • aws - ec2 keypair - fix id for tagging functionality (#6418)
  • aws - ecs-task - subnet filter (#6481)
  • aws - iam - allow stacked credential filters to match 0 keys (#6437)
  • aws - iam user - harden against api eventual inconsistencies (#6406)
  • aws - iam-role add ability to force on delete action (#6446)
  • aws - kinesis video streams resource, delete action, and kms-key filter (#6495)
  • aws - lambda - trim-versions action for gc old versions (#6464)
  • aws - mq message broker kms filter (#6396)
  • aws - qldb - fix exception catch to not use adhoc resource type metadata (#6483)
  • aws - rds-cluster - kms-alias filter (#6402)
  • aws - s3 - fix encryption key lookup (#6442)
  • aws - tests - convert functional s3 tag test to terraform (#6434)
  • aws - tests - convert functional vcp flow log test to terraform (#6432)
  • aws - tests - fix a recorded age based test (#6492)
  • aws - universal tag augment with arn list (#6414)
  • aws - workspaces - kms key filter (#6413)
  • aws.ebs-snapshot - add related filter for ebs volume (#6532)
  • aws.ecs-service - subnet filter for ecs-service (#6453)
  • aws.event-rule - add delete with force option and filters for event-rule-targets, invalid-targets (#6500)
  • aws - add flag "universal_taggable = True" to config (#6404)

azure

  • azure - action tracing and log improvements (#6415)
  • azure - container host bug fixes (#6416)
  • azure - fix azure mailer bugs (#6435)
  • azure - fix sku based functions (#6552)
  • azure - live test fixes (#6468)
  • azure - resolve arm tagging issues (#6502)
  • azure - skip non-public cloud test (#6473)
  • azure - storage container event support (#5610)
  • azure - support multiple azure clouds (#5423)
  • azure - sdk update (#6544)

gcp

  • gcp - firewall - delete action (#6535)
  • gcp - firewall - modify action (#6546)

openstack

  • openstack - Add OpenStack Provider (#6317)

terraform

  • terraform - add hcl parser (#5914)

tools

  • tools/c7n-org - org accounts - support templated account name (#6390)
  • tools/c7n-org - support comma separated values for cli options supporting multiple values (#6451)
  • tools/dev - initial devcontainer.json for VSCode and CodeSpaces (#6484)

core

  • core - enable richer policy metadata (#6509)

docs

  • docs - extend install instructions and clarify packaging comments (#6477)
  • docs - mention float values for value_type: age (#6488)
  • docs - removed extra comma from policy (#6553)

releng

  • releng - aws ftest fixes (#6452)
  • releng - ci - codecov fetch depth redo (#6447)
  • releng - ci - fix fetch-depth for codecov reliability (#6440)
  • releng - dependency updates (#6444)
  • releng - release prep 0.9.11 (#6466)
  • releng - update deps (#6412)
  • releng - update deps (#6428)
  • releng - update deps (#6497)
  • ci - aws arn resolver test nix thread usage for repeatability (#6467)

schema changes

0.9.10.0

3 years ago

aws

  • aws - api gateway client certificate support (#6376)
  • aws - config - cross account aggregation filter (#6384)
  • aws - config source - selectively demangle/title keys (#6377)
  • aws - event bus resource and cross-account filter (#6339)
  • aws - iam-group - add delete-inline-policies action (#6369)
  • aws - iam-users - ssh-key management (#6365)
  • aws - s3 remove-statements - handle missing Sid (#6375)

azure

  • azure - add firewall filters to postgresql servers. (#6357)
  • azure - nsg support source and destination filtering #6379 (#6380)

docs

  • docs - offhours - fix parameter name (#6363)

gcp

  • gcp - fix gcp-periodic mode w/ pubsub trigger (#6362)

releng

  • releng - prep for 0.9.10 release (#6355)

ci

  • ci - azure - disable flaky functional test (#6388)
  • ci - azure - fix tests missing teardown (#6360)
  • ci - azure - functional tests restore postgres (#6356)

tools

  • tools/c7n-org - run-script - remove None env vars (#6368)
  • tools/c7n_policystream - fix identification of removed policies (#6372)

schema changes

0.9.9.0

3 years ago

aws

  • aws - account - check macie2 filter (#6327)
  • aws - app-elb - add modify-attributes action (#6220)
  • aws - asg propagate tag changes for auto-tag-user (#6257)
  • aws - ebs-snapshot - set-permissions action (#6203)
  • aws - elasticsearch - cross-account filter and remove-statements action (#6225)
  • aws - iam certificate - add delete action (#6288)
  • aws - logs - fix tag augment (#6333)
  • aws - metrics filter - push start time back to the top of the last hour (#6329)
  • aws - rds - remove tag augmentation where builtin (#6332)
  • aws - resource type metadata fixes (#6314)
  • aws - sqs - trigger paginated queue listing (#6303)

azure

  • azure - ci - stabilize cosmos db tests (#6300)
  • azure - diagnostic-settings filter fix for absent operator (#6308)
  • azure - retry hardening (#6349)

core

  • core - webhook action - add event to payload (#6299)

docs

  • docs - fix cloud formation cli example in policylambda.py (#6311)

gcp

  • gcp - service mgmt switch to service usage api (#6320)

releng

  • releng - release prep for 0.9.9 (#6338)
  • ci - aws asg remove region specific zone usage (#6348)
  • ci - azure - fix az cosmos functional test failure (#6342)
  • ci - azure - functional tests disable flaky storage tests for now (#6344)
  • ci - azure - public ip test filter to the ip the test created (#6343)
  • ci - fix aws functional test on region for terraform (#6341)
  • ci - tests - remove hardcoded certificate arn (#6324)
  • ci - azure - stabilize cosmos db tests (#6300)

tools

  • tools/c7n-org - aws - export organization account's tags as variables (#6323)
  • tools/c7n_mailer - fix azure mailer deployment issue (#6325)
  • tools/c7n-mailer - add support for additional, arbitrary email headers (#6249)

schema changes

0.9.8.0

3 years ago

aws

  • aws - batch queue resource (#6214)
  • aws - code pipeline - config describe source (#6294)
  • aws - dynamodb - config mode deserialization fix for BillingModeSummary (#6276)
  • aws - iam identity provider resources (saml, oidc) (#6267)
  • aws - iam-role - add mark-for-op/marked-for-op support (#6230)
  • aws - mq-configuration - tagging support (#6236)
  • aws - s3 - config - bucket replication don't assume non required values (#6188)
  • aws - secrets-manager fix get-resources resource-type metadata (#6296)
  • aws - service catalog - cross-account filter fix (#6262)
  • aws - service-catalog - cross-account (#6261)
  • aws - sfn - tag augmentation (#6297)

azure

  • azure - fix logic app json schema for vscode completion (#6233)
  • azure - tests - utc normalization fix (#6284)
  • azure - vm - action to resize vm (#6247)

core

  • core - policy condition - avoid double initialization (#6235)

gcp

  • gcp - Add option to create machine image from instance (#6265)
  • gcp - label action - fix for remove only usage (#6228)
  • gcp - project - label actions support (#6270)
  • gcp - project - propagate-labels from resource hierarchy (#6287)
  • gcp - project ancestry/hierarchy abstraction (#6272)
  • gcp - project delete action (#6271)

release engineering

  • releng - 0.9.8 release prep (#6253)
  • releng - azure - update hdinsight test vmSize (#6290)
  • releng - azure - fix event sub functional test race condition (#6292)
  • releng - uniform copyright/license headers (#6286)
  • releng - upgrade to poetry 1.1 (#6291)
  • test - do not skip doc example tests by default (#6222)

tools

  • tools/c7n-mailer - customize html template for aws.iam roles (#6212)
  • tools/c7n-org - add aws_account_id env variable (#6282)
  • tools/c7n-org - fix config parsing error with aws profile (#6281)
  • tools/c7n-org - fix resolve regions when all is set (#6280)
  • tools/c7n-org - run-script - add support for azure and gcp (#6089)

schema changes

0.9.7.0

3 years ago

aws

  • aws - account access-analyzer filter (#6075)
  • aws - add delete action to iam user group (#6088)
  • aws - ami - remove permission - support only on matched cross accounts (#6009)
  • aws - auto filter classic elastic ips, we only support vpc elastic ips (#6168)
  • aws - cloud watch - contributor insight rule resource (#6157)
  • aws - code artifact support (#6119)
  • aws - config - more aws config garbage unmangling (#6185)
  • aws - config source - implicitly sniff date keys in isoformat and convert (#6181)
  • aws - ec2 dedicated host resource (#6165)
  • aws - elasticsearch - kms-key filter (#6123)
  • aws - fix phd mode error for resource 'account' without 'events' (#6141)
  • aws - iam group - delete - fix test for functional runs (#6191)
  • aws - iam role delete force removes inline policies (#6115)
  • aws - kms - fix error log statement (#6200)
  • aws - lambda network-location - check existence before referring (#5945)
  • aws - log-group last-write - bug fix - normalize timestamps (#6126)
  • aws - natgateway metrics filter (#6140)
  • aws - rdscluster network-location fix via subnet filter support (#5955)
  • aws - route53 hosted zone force delete - fix record removal (#6192)
  • aws - s3 - config normalization - handle account id missing in replication (#6136)
  • aws - s3 - fixed typo in error log format string (#6035)
  • aws - security group - unused filter accounts for codebuild projects (#6153)
  • aws - service catalog portfolio resource w/ cross-account, delete share (#6166)
  • aws - sns - modify policy - fix via change logical or to and (#6124)
  • aws - tag support for redshift subnets, ds, cloudhsm subnet filter and delete action (#6047)
  • aws - vpc-endpoint filter for vpc and subnets (#5934)

azure

  • azure - metrics filter - add to_zero support for no_data action (#6194)
  • azure - metrics filter - fix aggregation funcs (#6186)
  • azure - update policy mode reference to 'function_app_name' (#6169)

core

  • chore - minor tweak for current time with UTC tz (#6150)
  • cli - internals - change 'blacklist' to 'exclude' in function arg. (#6127)
  • cli - update the metavar for the metrics CLI help. (#6104)
  • core - refactor action and filter base classes to remove duplication. (#6128)
  • core - value_from enhancement to use sets instead of lists for speed ups on large sets (#6043)

gcp

  • gcp - add handling for disabled service api errors (#6208)
  • gcp - aws 53 zones, gke clusters, gcp dns zones - delete action
  • gcp - enable functional testing (#6196)

docs

  • docs - add value_from docstrings to value filter docs (#6195)
  • docs - aws - fix sg ingress ipv6 filtering example (#6117)
  • docs - developer testing with pytest-terraform (#6142)
  • docs - show filter/action permissions (#6116)

release engineering

  • releng - update deps, address docker build / ci issues (#6178)
  • releng - upgrade pytest-terraform to 0.5.0 (#6112)
  • test - support pytest-terraform for flight recording test setup (#6040)
  • ci - fix the intermittent test failure by explicitly setting rand seed. (#6110)

tools

  • tools - add schema diff to script that generates changelogs
  • tools/c7n-org - support just specifying role name in config file (#6177)
  • tools/cask - releng - tidy up go.mod (#6092)
  • tools/changelog - do not add to dev requirements which we use in CI
  • tools/changelog - do not repeat changes in global actions, filters
  • tools/changelog - link to resources and actions in online docs
  • tools/ops/policylambda - fix - switch func ref to arn attribute and perm name change (#6114)
  • tools/ops/policylambda - refactor, clean up tech debt, and add tests (#6094)

schema changes