Cloud Custodian Versions Save

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources

0.9.6.0

3 years ago

docs

docs - add c7n-org example usage with mugc (#6101)
docs - minor grammar fixes (#6084)

releng

releng - ensure version file increment, fix wheel dep pre-publish (#6076)
releng - prep release 0.9.6 (#6095)

tools

tools/ops/policylambda - config rule support (#6067)

0.9.5.0

3 years ago

aws

aws - asg image filter - fix use whole image data instead of just image id (#6041)
aws - cloudtrail fix tag augment (#5986)
aws - copy-related - skip aws prefixed tags if doing wild card copy (#5977)
aws - elasticsearch - reserved instances resource (#5974)
aws - glue-security configuration - kms-key filters (#5960)
aws - iam access analyzer - use a getter to account for resource w/o finding result (#6022)
aws - iam role - support mark-for-op (#5978)
aws - log group - metrics filter dimension fix (#5958)
aws - log-group last-write handle empty streams (#6069)
aws - rds ancillary resources tag support and subscription delete (#5962)
aws - security hub new resources (asg, vpc, volume) (#5931)
aws - sns topic - config support (#5980)
aws- replication group encryption,delete and kinesis encryption alias (#5990)

core

core - generic reduce filter (#5874)
core - policy - add metadata key (#5969)
core - policy conditions support value_from (#5951)
core - support numbers as days and hours (#5953)

docs

docs - fix indentation in filters example. (#6063)
docs - fix typo in OWNERS.md (#6030)
docs - fix typo on username (#5996)
docs - k8s - patch action example (#5998)
docs - update gcp getting started workflow (#5944)

gcp

gcp - vpc network enumeration fix (#5935)

releng

releng - 0.9.5 release prep (#5997)
releng - add click dependency to c7n_sphinxext (#6004)
releng - add owners / codeowners (#5994)
releng - configure away pytest looking at data files (#6068)
releng - switch to spdx license header instead of preamble (#6000)
releng - test_policy conditions - fix the test date to avoid issues in some timezones (#6071)
releng - update deps (#5981)

tools

tools/c7n-mailer - slack template message color option (#5930)
tools/c7n_mailer - address azure function provisioning regression and support msi/csi (#6027)

0.9.4.0

3 years ago

aws

aws - sns subscription resource (#5868)
aws - access analyzer finding filter (#5821)
aws - account basic filter to check enablement of securityhub (#5855)
aws - add ThrottledException to resource manager default retry codes (#5912)
aws - don't cache unaugmented resources (#5850)
aws - ec2 - set-metadata-access action (#5847)
aws - ec2 keypair supports tags (#5883)
aws - ecs task definition - augment throttling retry (#5910)
aws - elastic ip - get resources regression fix (#5849)
aws - elasticsearch get-resources fix (#5920)
aws - elb - attributes filter (#5898)
aws - elbv2 attributes filter (#5902)
aws - emr - subnet and security group filters (#5900)
aws - kms-key - pull in alias names automatically (#5865)
aws - network-location filter - handle empty sgs/subnets (#5888)
aws - shield filter/action for cloudfront streaming distribution (#5926)
aws - rds modify db fix (#5866)

azure

azure - function app policies - require client certs and configure https only (#5860)
azure - functions policies using msi and uai for identity (#5867)

gcp

gcp - blob and log native outputs (#5824)
gcp - get-permissions (#5873)

core

core - jsonschema mapping types (#5872)

docs

docs - readme update the markdown to remove raw html on pypi (#5890)
docs - update link to lambda config rules (#5879)

releng

releng - 0.9.4 release prep - upgrade deps (#5882)
releng - dockerpkg retry image push to handle transient hub errors (#5884)

tools

tools/c7n_mailer - add starbank ecsda dep for serverless deploys (#5928)
tools/c7n_mailer - allow splunk sourcetype to be configurable (#5893)
tools/c7n_trailcreator - handle potentially missing keys on athena queries (#5875)
tools/c7n_trailcreator - load only aws provider resource types (#5880)

0.9.3.0

3 years ago

aws

aws - glue-catalog - cloud-trail mode default for api calls that don't provide ids (#5841)
aws - asg - propagate tags actions skip api call if asg has no instances (#5792)
aws - cloudtrail mode - support processing delay (#5764)
aws - code commit & code pipeline taggable typo fix (#5807)
aws - config workaround broken select resource api and normalize rds cluster snapshot (#5802)
aws - config-compliance - work around security hub inconsistent rule resource ids (#5801)
aws - elasticsearch - regression fix augment batch size (#5796)
aws - glue-catalog - remove-statements action (#5808)
aws - lambda modes - log filter details to help with debugging (#5825)
aws - missing filter in lambda skip jsonschema validate (#5832)
aws - redshift - reserved node resource (#5844)
aws - serverless app support (#5823)
aws - ssm parameter - delete action (#5818)
aws - streaming_distribution set-attributes action and config filter (#5694)
aws - lambda - missing comma in param list (#5806)

core

cli - run on exit log policies that errored (#5816)

docs

docs - garbage collect unused elastic ip example (#5788)

gcp

gcp - asset inventory source (#5766)
gcp - functions use loader for initializing policy (#5814)

releng

releng - fix warnings on regex escape sequences (#5843)
releng - prep 0.9.3 (#5804)
releng - upgrade dependencies (#5846)

tools

tools/c7n_guardian - multiple improvements (reporting multi-threaded, handle member acct resignation, etc) (#5781)

0.9.2.0

4 years ago

aws

aws - account - emr block public access configuration filter/action (#5642)
aws - add cfn types to resources (#5681)
aws - add redshift set-attributes action (#5721)
aws - additional config resource support (#5408)
aws - cloudtrail status - dont process foreign account org trails (#5715)
aws - code commit & pipeline tags and delete action (#5682)
aws - config-poll-rule mode (#5695)
aws - cwe - event-rule resource group tagging support (#5676)
aws - dynamodb - continuous backups filter and action for tables (#5701)
aws - dynamodb - remove resource specific implementation for status filter (#5709)
aws - ec2 - add tags mapping to snapshot creation (#5700)
aws - ec2 - security hub post-finding include public ips (#5686)
aws - image-age filter - check launch template found else fallback (#5749)
aws - refactor resource specific state filters to reuse common (#5717)
aws - s3 - event based policies include CreationDate (#5765)
aws - securityhub - update native resources supported (#5248)
aws - subnet groups - unused filter update (#5669)
aws - vpc - unused key pair filter and delete action (#5726)
aws - glue-catalog - boolean filter support for glue catalog, cleanup schemas (#5702)
aws - ecs container instance arn fix typo

azure

azure - container host handles attribute errors while unloading (#5737)
azure - nested management group subscription support for serverless policies (#5672)

core

cli - schema command - add --outline option (#5747)
cli - schema command skip uninstalled providers (#5663)
cli - schema command supports aliased resources (#5771)
core - normalize jsonschema output generation (#5731)
core - notify message w/ custodian version (#5746)
core - policy conditions don't evaluate event filters for dry run and provision (#5727)
core - python 2 to 3 cleanups - remove six usage (#5704)
core - upgrade deps / mailer declare additional deps (#5708)

docs

docs - asg example policies for mark-sweep-notify on capacity/size (#5186)
docs - aws security hub integration needs enablement w/ 0.9+ (#5685)

gcp

gcp - asset type info for resources (#5744)
gcp - support for enabling uniform bucket access (#5688)

releng

releng - address lint issues found by new flake8 version (#5752)
releng - doc build - dont set tox path (#5706)
releng - restore github action cache (#5667)
lint - python 2 to 3 cleanup - remove versioninfo checks (#5725)
lint - style - convert more set literals (#5733)

tools

tools/c7n_mailer - remove inadvertent splunk-sdk dependency (#5751)
tools/c7n_mailer - replay entrypoint (#5714)
tools/c7n_mailer - support sqs vpc endpoints (#5770)

0.9.1.0

4 years ago

Change Log

There's been quite a few changes in this release, highlights

This is our first release to drop python 2.7 compatibility.
lazy loading by default, greatly reduces cli and serverless cold start latency.
docker images have been significantly trimmed using multi-stage builds with the distroless container.
poetry is now being used for package management, existing workflows using pip/setuptools will work without any changes.
pypi release artifacts are being published with fully frozen dependency graphs, to ensure repeatable installation over time.

Breaking Changes

Custodian strives for backwards compatibility, however in this release some planned deprecations and removals have been enacted.

python 2.7 compatibility has been removed
metrics and logs cli have been removed

aws

aws - account - set password policy (#5634)
aws - account -service-limit filter move to new trusted advisor checks (#5373)
aws - accounts - add set glue catalog encryption action (#5539)
aws - acm describe certs across all key types (#5363)
aws - add additional usg region partitions (#5544)
aws - add vpc filter to subnet and route-table (#5342)
aws - ami policies can use server side query filters (#5570)
aws - ami resolve template missing version key (#5458)
aws - app-elb - metrics filter support net-elb and add example policy (#5614)
aws - appelb - allow is-not-logging filter for network ELBs (#5612)
aws - asg - allow msg in mark-for-op for consistency (#5399)
aws - asg - handle null launch template versions (#5648)
aws - backup vault resource (#5378)
aws - cfn - add force delete to auto-disable termination protection (#5638)
aws - cfn delete and set-protection retries (#5605)
aws - change default lambda runtime to python3.8 (#5291)
aws - check-permissions - respect permission boundaries by default (#5531)
aws - cloudfront - distribution-config filter (ie. check logging) (#5577)
aws - cloudfront add update-distribution action (#5390)
aws - cw log delete use retry / ignore on missing (#5349)
aws - cw log set retention action use retry (#5339)
aws - cwe/eventbridge support passthrough on event pattern matching (#5412)
aws - directconnect tag augment and filter/actions (#5575)
aws - dms-endpoint add tag augments and filter/actions (#5526)
aws - ebs - skip missing volumes in get_resources(vol_ids) (#5650)
aws - ec2 - allow disabling implicit state filter in offhours filter (#5337)
aws - ec2 - set-monitoring action (#5268)
aws - ec2 - stop action - allow hibernation of instances (#5348)
aws - ec2 ssm compliance filter (#5472)
aws - ecr - fix lifecycle policy rule validation (#5595)
aws - efs - configure lifecycle policy action (#5275)
aws - efs - lifecycle-policy filter (#5302)
aws - eks - delete nodegroups & fargate profiles (#5585)
aws - elastic-ip alias for network-addr resource (#5541)
aws - elasticip - use allocation id for filtering (#5630)
aws - emr - security-configuration resource (#5643)
aws - fix copy-related for universal/resourcegroup tags (#5607)
aws - fix filter merge_annotation for iam access keys (#5535)
aws - get resources sans ids returns empty set (#5545)
aws - glue - security configuration filter (#5465)
aws - glue dev endpoint - subnet filter (#5572)
aws - glue-catalog - cross-account filter (#5622)
aws - glue-catalog as its own resource with encryption actions/filters (#5573)
aws - iam - credential report - include inactive keys w/ create dates (#5551)
aws - iam role implement get-resources (#5384)
aws - iam usage fix for match-operator all partial matches (#5449)
aws - iam user & role - set permissions boundary action (#5532)
aws - internet-gateway - delete action (#5582)
aws - invoke-lambda - add execution context to payload (#5276)
aws - kafka - normalize tag formatting (#5401)
aws - kafka set-monitoring and tag actions (#5386)
aws - lambda - kms key filter (#5624)
aws - last-write retry on describe streams (#5600)
aws - mu - add retries for provisioning ops on targets for cwe rules (#5656)
aws - new glue resources (#5523)
aws - only append region suffix if not using custom paths w/ region (#5616)
aws - provisioning policy output contains region (#5481)
aws - qldb resource w/ tag and delete actions (#5411)
aws - rds - add validation for monitoring interval and monitoring role arn (#5609)
aws - rds cluster snapshot - cross-account filter (#5640)
aws - rds cross-account snapshot retry (#5603)
aws - redshift pause/resume and offhours support (#5442)
aws - revert security hub product arn change (#5444)
aws - s3 - check-public-block fix annotation usage; add state for set-public-block (#5580)
aws - s3 - config source normalization - include replication account id (#5381)
aws - s3 - enhance toggle-logging and add logging filter (#5206)
aws - s3 - set public block - refactor (#5520)
aws - s3 - set-inventory - support additional optional fields (#5318)
aws - s3 - set-inventory action support for additional formats (#5312)
aws - s3 - set-replication action (#5387)
aws - s3 individual bucket public block filter & action (#5451)
aws - sagemaker - kms key filter (#5626)
aws - security group - set-permissions action to enable add/remove rules (#4973)
aws - security hub - post-finding add support for severity label (#5589)
aws - security-group - ingress/egress filter SGReferences to filter by other group attributes (#5604)
aws - security-group - metadata for name use GroupName instead of GroupId (#5341)
aws - security-group used/unused take into account ecs cloud watch event targets (#4846)
aws - securityhub - change product-arn from default to cloud-custodian (#5500)
aws - securityhub - use assigned product arn (#5431)
aws - sqs modify-policy action (#5546)
aws - ssm parameter fix arn generation (#5392)
aws - tests - replace flight recording account id swap from fake to test id (#5594)
aws - use partition when generating lambda policy iam role arn (#5253) (#5254)
aws - vpc - set-flow-log - create log group if non-existent (#5645)
aws - vpc - set-flow-log - enable setting aggregation interval (#5455)
aws - vpc endpoints - resource group tag actions (#5367)
aws - waf - tag support (#5590)
aws - xray usage docs and updates (#5467)
aws.elasticache-group - support elasticache replication group resource (#5319)

azure

Azure - Indirect Dependency (#5345)
azure - Update max tag count to 50 (#5416)
azure - actions - fix automatic creator tagging (#5298)
azure - async azure functions build + helper script to wait for status (#5418)
azure - azure functions using remote build (#5393)
azure - docs - example gitops workflow (#4886)
azure - fix consistent failures in live functionals (#5308)
azure - fix lazy load output plugin regression (#5328)
azure - fix some issues related to lazy load (#5394)
azure - fix storage set-firewall-rules action (#5305)
azure - nightly tests fix (#5578)
azure - unify autotag for event resource (#5446)
azure - fix cache key (#5447)

core

c7n-org - azure subscription config generator checks subscription state (#5615)
cli - fix schema output with no args, remove argcompletion around schema (#5608)
cli - report - fix --raw output on py3 encode (#5274)
cli - run - add dry-run alias for -dryrun (#5518)
cli - schema command using lazy load (#5599)
cli - version --debug shows installed depgraph versions (#5542)
core - add resources.load_available that will load installed providers/resources (#5343)
core - aws notify implementation only register with aws resources (#5413)
core - examples doc test improvements (#5441)
core - fix lazy load schema gen for empty policy set (#5504)
core - fix value_from/resolver cache usage (#5548)
core - generate requires fixes for python_version (#5327)
core - lazy load resources (#5032)
core - new data provider (#5601)
core - policy execution conditions (#4466)
core - remove metrics/logs infra and mark cli commands as obsolete (#5487)
core - remove pkg_resources from custodian_archive (#5493)
core - remove py2 support syntax (#5528)
core - remove py2.7 compat vendored ipaddress module (#5479)
core - serverless incorporate lazy loading (#5247)
core - switch registry subscriber notify to on resource load (#5382)
core - use poetry for dependency management (#5320)
core - use set comprehensions directly when creating a set (#5651)
core - value filter better handling of millisecond timestamps (#5369)
core - vendored ipaddress use 3.8 compatible interpolation (#5428)

docs

docs - add github actions ci badge to readme (#5563)
docs - advanced usage info - fix typos and yaml errors (#5368)
docs - document editor integration via jsonschema and yaml language server (#5488)
docs - editor integration - fix links (#5519)
docs - fix aws iam credential example (#5435)
docs - fix broken links (#5496)
docs - fix example for aws config source (#5641)
docs - fix spelling errors (#5652)
docs - fixed example policy iam permission typo (#5490)
docs - generate execution mode reference docs (#5623)
docs - quickstart - enhance the language server documentation (#5506)
docs - remove extraneous permission (#5565)
docs - sns kms filter example and typo fix (#5569)

gcp

gcp - audit mode - support event actions and metrics (#5156)
gcp - cscc handle svc breaking change w/ source properties validation (#5338)
gcp - delete log sinks action (#5181)
gcp - detach disks action for instances (#5102)
gcp - docs - regex example update description, add quotes and more examples (#5263)
gcp - reporting fields for all resources (#5629)

release engineering

releng - 0.8 release branch github actions for ci (#5362)
releng - add a docker build and test to ci (#5613)
releng - docker build pipeline fix tag cli option (#5637)
releng - docker build pipeline updates (#5617)
releng - docker building compatible with setuptools scm sans .git dir (#5284)
releng - docker image building refactor (#5571)
releng - docker image includes k8s provider (#5282)
releng - docker images retain source dirs for editable distributions (#5485)
releng - docker images using multi-stage build with distroless base target image (#5515)
releng - drone doc build compatible with setuptools scm (#5287)
releng - fix azure lrucache backports dep for py<3.3 (#5331)
releng - github actions for ci on master (#5388)
releng - makefile use cd instead of pushd/popd for portability (#5505)
releng - minimize syscalls/disk writes during tests (#5358)
releng - move more ci to github actions (#5574)
releng - pin pytest, remove xray monkey, add pytest-sugar (#5620)
releng - remove problematic wheel pin (#5453)
releng - remove travis config file and py27 from tox (#5557)
releng - switch to setuptools scm for managing version.py (#5279)
releng - temporarily disable cache (#5406)
releng - tools/dev/changelog - support filtering by user and end date (#5432)
releng - update base docker image to python 3.8 debian buster slim (#5433)
releng - upgrade dependencies to resolve ci cache issue (#5550)
releng - use dev suffix on fallback version to prevent pypi installs (#5299)
releng - use github issue templates (#5356)
releng- downgrade and pin sphinx, upgrade rest of dependency set (#5475)
ci - aws test recording - auto anonymize and slim (#5561)
ci - workaround github actions matrix/include regression (#5463)

tools

tools/c7n-mailer - fix format util for cloudtrail (#5272)
tools/c7n-org - aws - org account gen script allow for ignoring set of accounts (#5402)
tools/c7n-org - python 3.8 osx compatibilty with multiprocessing spawn (#5353)
tools/c7n_mailer - allow multiple emails to be specified via tag value ":" separators (#5448)
tools/c7n_mailer - azure send grid delivery fix for multiple recipients (#5376)
tools/c7n_mailer - sendgrid for AWS (#5434)
tools/c7n_mailer - switch default runtime to python3.7 (#5543)
tools/c7n_mailer - switch ruamel dependency to pyyaml (#5521)
tools/c7n_org - allow account-id/project-id/subscription-id filtering in addition to name (#5311)
tools/c7n_org - fix/remove old region condition check (#5514)
tools/c7n_policystream - fix diffing policies in sub directories (#5372)
tools/c7n_policystream - pin pygit2 versions for docker builds (#5410)

0.8.46.0

4 years ago

aws

asg - use mixed instances policy launch template if present (#5006)
aws - account glue encryption filter (#4338)
aws - appelb web-acl filter restore support for any webacl (#5148)
aws - aurora cluster and snapshot using resource group tagging (#4941)
aws - backup plan tag action/filters and bug fix (#5252)
aws - cloud trail tagging augment/actions/filters (#5100)
aws - config s3 normalization of location for us-east-1 buckets (#4891)
aws - ebs snapshot action, copy-volume-tags when Snapshotting (#5119)
aws - ec2 - start action - add new error code for graviton instances insufficient capacity (#5244)
aws - ec2 - set-monitoring action (#5268)
aws - ecr set-immutable & set-scanning actions (#5062)
aws - eks tag actions/filters (#5061)
aws - eks tag normalization (#4947)
aws - enabled region check for --region all (#4866)
aws - fix cloud watch log group name construction (#5014)
aws - fix typo in account registry names (#5083)
aws - flow-log filter handle s3 destinations when checking log-groups and log-format support (#5149)
aws - glacier - support name for id instead of arn (#5168)
aws - iam policy is "used" if it is used as a permissions boundary (#4989)
aws - iam-user - allow access key filter chaining (#5233)
aws - kinesis firehose and analytics tagging (#5051)
aws - lightsail-db - fix resource type describe metadata (#5257)
aws - phd mode - allow 'events' to be optional on account resource (#5066)
aws - phd mode - fix all events support (#5133)
aws - phd mode use global health endpoint in us-east-1 (#5147)
aws - python 3.8 lambda policy support in schema (#5219)
aws - rds upgrade filter and action fix pagination of available engine versions (#5058)
aws - redshift filter & action for logging (#5179)
aws - rest-stage fix tag, untag operation (#5022)
aws - retries for config rule put to workaround iam eventual consistency (#4859)
aws - revert sts regional endpoints (#4900)
aws - route53 domain - simplify and retry tag augment (#5198)
aws - sechub custom action uses self filtering pattern (#5042)
aws - security group ingress/egress filters - ToPort and FromPort update schema to support full value filters, not just integers. (#5000)
aws - security hub - allow post finding to up date record state (#5223)
aws - security hub - hub modes support cross account execution (#5230)
aws - ssm ops center - restrict dedupe size per breaking api change (#5025)
aws - storage gateway tagging augment bug fix (#4933)
aws - storage gateway tags (#4767)
aws - sts global region default, don't pass endpoint url, release - 0.8.45.3 (#5052)
aws - sts regional endpoint support (#4875)
aws - sts regional endpoints are off by default for now (#5043)
aws - universal augment arn type check (#4981)
aws - use sts regional endpoints revisit (#4987)
aws - validate and fix iam permission annotations (#5242)
aws.rds - modify sg action fix missing vpcid expression when using sg names (#4867)
aws.rds-snapshot - default create time if not present to None (#4975)
aws.redshift-snapshot - fix tag augment and actions (#4990)
aws.rest-api - delete action (#4954)
aws.route53 - set query logging bug fix (#4869)

azure

azure - Added documentation on using resource tags (#4917)
azure - Update lock prefixing (#4895)
azure - Update nightly tests paths (#4904)
azure - add azure resource graph as a query provider (#4924)
azure - add extra exception type (#5045)
azure - add patch for auth in tests (#4843)
azure - add support for azure search resource (#4996)
azure - added lock name and notes feature to lock action (#4824)
azure - aliasing for key vault keys (#4896)
azure - arm resource type validation (#4935)
azure - container host docs (#4800)
azure - container host mp (#4831)
azure - disable flaky tests for now (#5104)
azure - doc updates (#4883)
azure - event resource type validation (#4923)
azure - fix Azure nightly tests (#5060)
azure - fix cosmos db test (#4880)
azure - fix merge (#4960)
azure - fix metrics dimension (#4888)
azure - fix nic effective route test (#5117)
azure - function increase timeout and logging (#5114)
azure - include report example in getting started (#4835)
azure - log and metric tweaks (#4865)
azure - pin major version for azure storage sdks (#5019)
azure - refactor lock action test & replace expensive sku (#5151)
azure - resource type in app insights log (#4902)
azure - review default fields (#4804)
azure - sql firewall action (#4811)
azure - test regressions(#4914)
azure - tests folder rearrangement (#4840)
azure - update AppServicePlan & Subscription tests (#4928)
azure - update tests for azure sdk breaking change (#4889)
azure - updated functions structure & updated azure-mgmt-resource (#5035)
azure - use bash to run nightly tests & use LKG commit for sphinx_rtd_theme (#4909)

core

c7n - resource aliases (#4699)
cli - report - fix --raw output on py3 encode (#5274)
cli - run add support for multiple --policies and --resource arguments (#4897)
cli - validate - structure parsing should exit 1 on error (#5101)
core - dependency updates (#4638)
core - extend structure validation to policy verification (#4982)
core - fix bag/config attribute mutation (#5081)
core - frozen requirements generator (#5127)
core - improve missing provider import error (#5150)
core - move structure parsing to separate module (#4986)
core - schema semantic error should handle filters/actions with a resource key (#5005)
core - structural parser for more better top level error messages (#4967)
core - update dependency freezes (#5120)
core - value filter add a version value type (#4936)
core - webhook action - use date aware json serializer (#4951)
docker - exclude .git directory from docker build context (#4991)

docs

docs - additional mugc information (#5107)
docs - mailer - add more info about custom owner contact tags (#5210)
docs - minor readme corrections in additional tools section (#5126)
docs - security hub - document mapping from CloudCustodian attributes to the ASFF (#5192)
docs - security hub - post-finding add schema defaults (#5190)
docs - update iam policy document for quick start (#5176
docs - gcp regex example update description, add quotes and more examples (#5263)

gcp

gcp - label/tagging actions/filters support (#5015)
gcp - set iam policy action for resource manager resources (#4894)
gcp - actions fix ignore_error_codes name typo (#4978)
gcp - add option to set project_id where to save metrics (#5002)
gcp - disk snapshot - allow user formatting of name (#5053)
gcp - entrypoint import common infra modules for registration (#4976)
gcp - fix disk snapshot action and add option to delete disks (#4930)
gcp - offhours fix default label value (#4995)
gcp - pubsub add option to delete subscriptions/topics/snapshots (#5033)
gcp -load balancer delete address action (#4974)

tests

build - publish docker nightly after functionals (#4932)
ci - address boto3 and azure sdk install issues (#5030)
ci - azure fix tests to work around sdk breaking change (#5195)
ci - change additional schema validation to py3.7 runner only (#4925)
ci - disable windows builds (#5047)
ci - enable python 3.8 test runner (#5082)
ci - fix another azure sdk breakage for cosmosdb mgmt (#5078)
ci - fix some test deprecation warnings (#5099)
ci - mailer build context (#4963)
ci - re-enable windows runners via pywin32 pin on win32 (#5048)
ci - switch badge url (#5103)
ci - windows testing with pip wheel cache (#4870)
packaging - minor release tweaks for readmes (#4850)
tests - test infra pytest support fixture for non unittest based tests (#4919)

tools

tools - automatic dependency pinning (#4901)
tools/c7n-mailer - template functions add from_json as a filter (#5054)
tools/c7n-mailer - utils fix incorrect resource_type provider prefix stripping (#5152)
tools/c7n-mailer, azure - update templates to use full path (#4913)
tools/c7n-mailer - fix format util for cloudtrail (#5272)
tools/c7n-org - aws account id regex schema validation (#5077)
tools/c7n-org - run-script exit(1) on failure (#5131)
tools/c7n-trailcreator - fix athena loading and update readme (#5135)
tools/c7n_mailer - add mailer logging of provisioned lambda region (#4882)
tools/c7n_mailer - fix tests, update doc build (#4979)
tools/c7n_mailer - handle plaintext response from Slack Webhook API (#4654)
tools/c7n_mailer - slack default template add newline as delimiter for resources (#4656)
tools/c7n_mailer - update dependencies (#4910)
tools/c7n_org - fix vars usage for gcp and azure accounts (#5010)
tools/c7n_org - respect policy region (#4868)
tools/dev - changelog generator support since date and a few more aliases (#5141)
tools/dev - changelog tool (#4860)
tools/dev - pinned package generator use mu library (#5142)
tools/ops/mugc - fix prefix compatibility and document new features (#5098)
tools/ops/mugc - support removal of policies in file and regex policy selection (#5067)

0.8.45.0

4 years ago

Compatibility Warning

A bug fix (#4277) around custodian schema validation of boolean filter blocks (or, and, and not) may now cause some validation errors on invalid policies. Previously these policies would have passed validation as it was not performed recursively on boolean blocks. Please check your policies with the latest release.

AWS

aws - handle missing ec2 launch template (#4579)
aws - acm certificate tag actions (#4529)
aws - arn resolver and type info class (#4104)
aws - auto tag support federated user (#4352)
aws - code commit resource by name (#4236)
aws - config rule mode validation of supported resource type (#4760)
aws - copy related tag more explicit handling of missing related ids (#4762)
aws - ebs default encryption filter & action (#4337)
aws - ebs resize - adjust max chunk size to stay under api filter limits (#3778) (#4350)
aws - eni vpc filter fix related ids expression typo (#4463)
aws - fix custodian lambda tag values to values supported in lambda (#4455)
aws - fix rds modify-security-groups via vpc filter fix (#4456)
aws - glue tables and databases w/ delete action (#4248)
aws - iam usage filter catch and go on no such entity (#4467)
aws - invoke step function (sfn) action (#4169)
aws - invoke-lambda support targeting lambda in different region (#4449)
aws - log-group normalize age to seconds since epoch (#4194)
aws - logging - support account, region log sinks and configurable log streams names (#4809)
aws - metrics filter allow optional fill value for missing metric data (#4348)
aws - metrics support user supplied dimensions, schema fix, s3 config fix (#4291)
aws - sechub - description is now non-null required (#4249)
aws - security hub event support (#4388)
aws - security hub finding mode event pattern fix (#4524)
aws - securityhub move all related functionality to securityhub module (#4622)
aws - sg ingress/egress cidr k:v fix (#4258)
aws - sg ingress/egress filter fixes (#4292)
aws - ssm ops center support (#4374)
aws - update set-flow-logs validation (#4759)
aws - various resources fix get-permission chaining (#4380)
aws.acm - set compatibility to false for universal tagging (#4633)
aws.appelb - modify-security-groups action (#4417)
aws.cloudtrail - delete action (#4472)
aws.cloudtrail - delete action check for shadow (org and multi region) (#4480)
aws.iam-role - adding force option for deleting an iam role (#4220)
aws.iam-user - set-groups action (#4730)
aws.lambda - modify-security-groups action (#4385)
aws.rest-api - tag actions and filters (#4755)

Azure

Azure - Add mailer support to the Container Host helm chart (#4711)
Azure - AzureDNS Resource Types (#4303)
Azure - Inline docs for a bunch of resources. (#4280)
Azure - Retention test fixes (#4787)
Azure - Update lookup schema and allow tag value to be lookup type (#4609)
Azure - docs - firewall scenario (#4444)
azure - API Management resource (#4109)
azure - Add custom prefix for NSG rules (#4722)
azure - Adding link to Azure functions doc from modes page (#4283)
azure - Lock filter and action. (#4223)
azure - Make on/off hours available on all arm (#4335)
azure - Resize API management resource (#4369)
azure - SQL db resize & filter event action (#4794)
azure - Skip certain tests when run live (#4745)
azure - Storage account permission issues exception messages + Delete locked resource group should be logged and skipped (#4384)
azure - Update 'delayed operations' docs (#4192)
azure - Update NSG policy example (#4225)
azure - Update key replace code & rerecord cassettes (#4272)
azure - access control functions bug (#4351)
azure - action - hdinsight resize action (#4758)
azure - add event hub resource (#4534)
azure - add execution mode permissions for azure functions test (#4780)
azure - add firewall-bypass filter (#4778)
azure - add handling of linux and consumption app service plans (#4584)
azure - add logic app E2E scenario (#4318)
azure - add metrics config option & update Application Insights & metrics docs (#4361)
azure - add more logging to notification delivery in mailer (#4408)
azure - add postgresql support (#4708)
azure - add storage container support (#4710)
azure - add storage diagnostic settings filter (#4222)
azure - add support for aci (#4533)
azure - app service test improvements (#4650)
azure - async provision\cleanup scripts & ability to run live tests (#4673)
azure - auth file parity with environment variables (#4373)
azure - autotag created date action & Tags tests refactor (#4416)
azure - cache metrics filter (#4541)
azure - child resource report fields (#4634)
azure - container host (#4426)
azure - container host aci template (#4632)
azure - container host cleanup (#4681)
azure - container host docs (#4732)
azure - container host k8s tooling (#4604)
azure - container host remove event filter (#4678)
azure - cosmos db throughput state (#4639)
azure - cosmos resources (#4305)
azure - cosmosdb firewall action (#4627)
azure - cost management exports resource (#4701)
azure - delete recordset (#4321)
azure - deployment unit & logic app tests fixes (#4792)
azure - docs - hosting options (#4607)
azure - docs - teams notification (#4620)
azure - docs and example fixes (#4610)
azure - docs fix sample (#4637)
azure - docs fix sql example (#4616)
azure - docs nav fix (#4286)
azure - docs page on azure policy (#4281)
azure - document azure use for mailer replay (#4323)
azure - event hub firewall filter (#4544)
azure - event_subscription functional test fix (#4757)
azure - firewall enhance (#4431)
azure - fix mailer sub id issue (#4475)
azure - fix Event Grid resource id extract & get_resources (#4473)
azure - fix app service plan scale out (#4735)
azure - fix applicationinsights functions packaging (#4434)
azure - fix azure functions runtime (#4368)
azure - fix functions sub id (#4798)
azure - fix knack dependency and rg regression (#4766)
azure - fix op for regeneration-period filter (#4645)
azure - fix packager code to remove duplicates (#4325)
azure - fix patch updates for tags (#4546)
azure - function app test name fixes (#4790)
azure - function cache bug (#4432)
azure - function event schema max array size (#4716)
azure - functional tests pipeline (#4688)
azure - host naming fixes (#4763)
azure - improve getting and naming loggers (#4720)
azure - improved handling of authentication errors (#4696)
azure - include Resource Groups in 'azure.armresource' (#4712)
azure - inline docs for the last batch of resources (#4304)
azure - keyvault certificates resource (#4630)
azure - keyvault integration (#4389)
azure - kv integration docs (#4427)
azure - kv managed storage (#4642)
azure - live pipeline and resource type (#4715)
azure - live tests pipeline fixes (#4707)
azure - marked for op - time zone reset (#4817)
azure - metric support for child resources (#4743)
azure - metrics - error handling (#4703)
azure - notification example docs (#4635)
azure - parent filter for child resources & bugfix (#4611)
azure - period modes cron regex (#4695)
azure - pipeline rename variables group (#4706)
azure - remove azure functions machinedecryption & dashboard app settings (#4411)
azure - remove supported resources doc section (#4536)
azure - remove timeout in azure tests pipeline (#4704)
azure - replace cosmos offer (#4332)
azure - require SP credentials for Azure Functions mode (#4598)
azure - require ssl action (#4657)
azure - resize sql action (#4324)
azure - resource cost filter (#4314)
azure - resources inline docs (#4284)
azure - session refactor (#4810)
azure - session supports override for cli auth (#4785)
azure - set storage access action (#4764)
azure - skip failed container enumerations (#4784)
azure - some resource docs (#4255)
azure - storage firewall action and service tag lookups (#4567)
azure - storage logging action (#4301)
azure - storage public access docs (#4599)
azure - support tag, resize from resource (#4588)
azure - test fix - test_lock_action fix (#4777)
azure - test fixes cosmosdb (#4748)
azure - tests fixes for KeyVault, Storage permissions, deployment units (#4786)
azure - text fixes for lock filter (#4791)
azure - timestamps on function archives (#4429)
azure - two nav fixes (#4287)
azure - update arm templates (#4742)
azure - update azure-functions (#4364)
azure - update container host keyword args (#4768)
azure - update cosmosdb tests patched function (#4652)
azure - update cost filter (#4336)
azure - update cost filter docs (#4672)
azure - update firewall tests (#4749)
azure - update firewall-rules filter to use effective rule set (#4756)
azure - update kv tests (#4728)
azure - update linux app service plan provisioning region
azure - update lookup schema (#4646)
azure - update provision\cleanup scripts to support --skip option (#4747)
azure - update provisioning of win consumption app service plans (#4789)
azure - update role assignment scope filter (#4509)
azure - update test_subscription.py (#4725)
azure - use cli options for azure container host (#4565)
azure - vm image docs update (#4282)
azure - web app functional test fix (#4788)
azure - web app ssl configuration (#4733)
azure - resource - Added support for hdinsight resource (#4731)
azure - Enable docs examples verification tests for Azure (#4214)
azure - support policy resource limits (#4649)

core

cli - default report field fixes (#4319)
c7n - allow webhook action to use proxy (#4726)
core - certifi dependency optional for serverless envs (#4197)
core - jsonschema boolean blocks validation (#4277)
core - load only known cloud providers by default (#4195)
core - postpone initializing webhook lookup data (#4342)
core - remove debug code which created serverless dep on boto3 (#4237)
core - uri resolver supports http gzip encoding (#4752)
core - value filter fix the expression value_type (#2148)
core - yaml utils simplify conditional import (#4232)
utils - remove worker decorator (#4746)

docs

docs - Update generated html for Schema arrow (#4199)
docs - Update inline comments to get rid of docs warnings (#4317)
docs - add manual groups and individual resource pages (#4306)
docs - automated reference docs (#4166)
docs - aws s3 global-grants filter document default and how to disable (#4468)
docs - aws ebs examples update (#4354)
docs - aws gettingstarted.rst fixed typo in policy(#4059)
docs - aws unique example policy names (#4262)
docs - azure docs refactor (#4316)
docs - azure inline docs for a bunch of resources (#4288)
docs - c7n-mailer readme: document lambda_tags (#4590)
docs - clean up intro, fix gcp getting started link (#4206)
docs - fix guard-duty example to reflect actual attribute value (#4355)
docs - gcp bigquery resources add rest api links (#4274)
docs - gcp dataflow (#4227)
docs - gcp dns examples (#4250)
docs - gcp pubsub examples (#4226)
docs - improve regex example. (#4562)
docs - link and formatting fixes for aws topics (#4457)
docs - link manheim-c7n-tools repo (#4254)
docs - no yaml aliases in schema docs (#4805)
docs - readme add stackoverflow and alphabetize list (#4806)
docs - readme fix a typo in the docker run command example (#4419)
docs - reference docbuilder fix output path normalization (#4479)
docs - reiterate tox config (#4648)
docs - update code of conduct link (#4816)

gcp

gcp - add autoscalers resource, actions, docs (#4538)
gcp - add kubernetes nodepools resource (#4208)
gcp - add stack driver logging initial setup (#3820)
gcp - cloud dataflow get method updated tests resource (#4308)
gcp - delete action for cloud router and docs (#4356)
gcp - delete sql-database resource (#4294)
gcp - deployment delete action and docs (#4307)
gcp - fix cloudbilling-account get method (#4091)
gcp - fix sqldb exception caused by retrieval of children from stopped parents (#4173)
gcp - fixed get method on network resources (route, router, interconnect, interconnect attachment) (#4089)
gcp - gce instance templates resource and delete action (#4507)
gcp - iam project-role backfill event data test (#4207)
gcp - image delete action (#4135)
gcp - kms resources and docs (#4171)
gcp - load balancer - backend bucket delete action (#4346)
gcp - load balancer policy delete action (#4345)
gcp - load balancer service - fix get methods across many resources (#4110)
gcp - ml fix get method and tests for models and jobs (#4309)
gcp - resourcemanager docstrings and parent folder query (#4231)
gcp - set-iam-policy base use resource metadata id field instead of 'name' string (#4691)
gcp - spanner - delete and generic set-iam-policy action (#4454)
gcp - support for usage of serverless modes in other regions than us-central1 (#4664)
gcp - support policy resource limits (#4649)

tools

cask - bug (#4246)
cask - Update links (#4328)
cask - auto rm after run, fix some golint warnings (#4458)
cask - azure release pipeline (#4224)
cask - bug fixes (#4469)
cask - docker wrapper initial commit (#4159)
cask - docs, installer, pipeline (#4694)
cask - image pull if there is no image (#4663)
cask - linux install file overwrite (#4718)
cask - windows installer bugs (#4516)
cask - windows powershell and instructions (#4322)
dockerfile - azure functions cache (#4247)
tools/c7n_mailer - Azure SMTP fix & c7n_mailer functional test (#4186)
tools/c7n_mailer - fix slack://tag/ delivery method and add tests (#4228)
tools/c7n_mailer - remove enum, which isn't part of 2.7 and increment version (#4204)
tools/c7n_mailer - slack transport dont decode json before checking status codes (#4462)
tools/c7n_mailer - Update string encoding for printing for py3 (#4440)
c7n_mailer - format utility strip provider when matching (#4601)
mailer - implement org_domain logic for for non-events based policies (#4229)
mailer - kv integration for azure (#4602)
mailer - rename directory to avoid conflicts with sdk (#4409)
mailer - support channel name without # in tags (#4421)
tools/c7n-org - when provisioning lambda policies don't count them for resource counts (#4357)
tools/c7n_logexporter - click options with help text (#4647)
tools/c7n_org - aws & azure account gen use c7n yaml_dump to avoid inline anchors (#4211)
tools/c7n_org - aws org account gen script populate account tags (#4690)
tools/c7n_org - fix package metadata readme content type as markdown (#4289)
tools/c7n_org - support reporting across providers (#4256)

tests

ci - cache pip downloads (#4451)
ci - docs build split into separate job (#4461)
ci - gcp strip test data (#4615)
ci - revert cache (#4474)
ci - use codecov bash uploader (#4327)
test - registered skiplive marker (#4813)
tests - clean up deprecations (#4719)
ci - Fix CI docker build (#4596)

0.8.44.0

4 years ago

Authors: 42 Pull Requests: 136

Core

webhook action (#4074) (#4113)
add value_type: date to value filter (#4052)
value filter support extracting values from strings using regex (#4019)
reformat spacing in log messages (#3971)
update dependencies and ci matrix responsibilities (#3902)
jsonschema shrink fix typo in ref (#3866)
jsonschema shrink via inline and reference value_filter parts, more aliases, with better error messages (#3808)
notify - send policy execution start time in notify messages and expose in mailer templates (#3884)
cli - expand refs in schema command (#3983)

Aws

ebs snapshot use consistent snapshot api (#4151)
remove-statements support wildcard removal in schema (#4152)
glue job resource and delete action (#4129)
securityhub - post-finding action support custom finding type categories and classifiers (#4116)
account service limit filter - check and poll on check status (#4035)
eni delete action (#4101)
glue dev endpoint tagging (#4079)
remove locked filter, sphere11 is sandbox/unsupported (#4071)
security group filter support value_from on nested attributes (#4068)
asg mark for op batch size fix (#4050)
cloudtrail is-shadow filter fixes (#4040)
enable offhours for rds cluster (#3977)
acm certificate fix augment (#3950)
rds-reserved resource (#3855)
s3 get resources implementation (#3909)
copy-related-tags action skip aws prefixed tags (#3917)
remove dynamodb tagging waiter (#3898)
update default lambda timeout, also better handling of errors in pythonpackage del (#3889)
config select resource query support (#3847)
fix set-snapshot-copy-tags action, also mark deprecated (#3891)
config recorder resource (#2367)
rds fix start/stop permissions (#3876)
policy phd mode include lambda mode schema for full configuration (#3863)
serverless policy fix role name expansion (#3848)
ebs-snapshot unused filter handle no block device mapping in launch template (#3833)
security hub post-finding - add title to action schema (#3823)
sns - add delete topic action (#4062)
sechub - use target region in product arn when posting cross-region (#3976)
asg - handle launch template version type inconsistency via cast to string (#3832)

Azure

logic app action (#4139)
update autotag doc (#4163)
sqldatabase backup retention actions (#4153)
Enable tag operations for 'armresource' (#4154)
Examples for cleaning orphan resources (#4146)
add 'type' attribute for resource groups (#4130)
Databricks stub (#4108)
aks resource (#4107)
update resource examples in docs (#4081)
Fix hierarchy of Azure advanced usage section (#4075)
update sync triggers and test script (#4065)
Add Auto Scaling to App Service Plans (#3885)
fix azure-mgmt-subscription api and pin azure-cli-core (#4064)
refactor actions and fix sdk break(#4034)
mailer fixes (#4028)
function packaging fixes sas generation signature change and modules (#4016)
Storage firewall rules filter (#3920)
KeyVault Keys resource & filters (#3897)
SqlDatabase Backup Retention Policy Filter (#3874)
Remove Azure Functions extensions dlls (#3930)
Replace cache folder with prebuild cache zip archive (#3857)
test infrastructure improvements (#3911)
remove future pkg from dependencies (#3914)
Sqlserver firewall filter (#3845)
Fix environment variable name to match docs (#3912)
Key Vault Update Access Policy Action (#3836)
set network rules storage (#3797)
management group support (#3814)
Child Resources and SQL Database (#3856)
getting started doc (#3865)
keyvault with zero policies throws error (#3621) (#3815)
add azure route table resource (#3827)
add v1 of effective route table filter (#3802)

Gcp

fix sql-backup-run and sql-ssl-cert get method (#4083)
fix pubsub-subscription get method (#4084)
fix get method on sql instance resource (#3873)
fix test dns flights names and get parameters (#3900)
add big query tables resource (#4067)
spanner database (#4111)
remove organization get method (#4046)
app engine firewall rule - use priority field instead of id for an id (#3926)
appengine (firewall, domain mapping, app, certificate) resources (#3899)
sql - user, ssl cert, backup resources (#3908)
deployment manager deployment resource (#3858)
machine learning job resource (#3835)
add support for nested resources (#3736)
dataflow jobs use aggregate multi-region list (#3819)

Tools

auto doc generator (#4150)
org log operation name on access denied (#4134)
add SMTP support for Azure (#4077)
mailer - Splunk delivery support (#4044)
creator log fix, another readme example (#4039)
include readme for long description (#4008)
org - use describe_regions method instead of get_available_regions (#4006)
org - work around python osx multiprocessing bug (#3934)
aws resource creator retroactive tagging script (#3850)
mailer - document using sdk environment variables for aws profile (#3871)
support doc builds in docker (#3882)
org - chained sts role support (#3859)
mailer - redo c7n-mailer docker packaging for azure support (#3838)
compatibility with latest sendgrid sdk (#3852)

Docs

fix ec2 unpatched workflow example (#4145)
gcp developer guide and policy examples (#4088)
expand metrics docs to mention master and namespace options (#4058)
readme minors (#4036)
updates to readme and AWS Getting Started (#4004)
pycon 2019 sprint (#4002)
add svg and transparent png logos (#3980)
update repo links (#3901)
readme update coverage and gitter links (#3878)
update aws periodic function example with role information (#3841)

0.8.43.0

5 years ago

core

cli schema support showing mode documentation #3744
cli schema summary group by provider #3654
validate now checks for duplicate keys on mapping #3675
report supports json output #3692
value filter support case sensitive regex #3666
serverless accept default configuration from cli (metrics, log dir, etc) #3610
ebs snapshot handle invalid
iam role support tags actions/filters #3542
inline policy docs validation #3767
support max resources count and percent #3743

azure

packaging fixes #3706 #3705
function dep packaging fixes #3673

aws

security hub default batch_size to 1 work around ui bugs in the service #3512
iam entity usage filter #3648
workspace resources and tag actions and metrics filter #3757
aws api gateway support for config rules/query #3725
eks support updating configuration #3708 #3769
vpc related filters for subnets, nat, igw #3715
rds modify cluster action #3711
ebs unused filter #3651
lambda policies allow role by name in addition to arn #3661
s3 has statements interpolate bucket info when checking statements #3655
invoke-lambda action configurable timeouts #3632
account guard duty filter fix #3627
kms key filter for efs, redshift, sqs #3772
iam role delete action #3741
trail status filter handle shadow trails #3762

gcp

big query job and project resources #3747
iam global role resource #3749
pub sub snapshot and subscriber resource #3735
data flow jobs #3748
zone and policy resources #3748
report subcommand compatibility via id on metadata #3697
spanner resource #3766
network-router #3791
load-balancer associated resource #3775 #3780 #3788

k8s

support custom resources definitions #3717
generic label and delete actions #3707

tools

c7n-org - py3 compat around file opening (affected by LC_LANG_ encodings) - #3732
c7n-org - fix docker build #3634
autodoc - configuration defined in config file, ui improvements #3731
mailer - support jmespath search in templates #3678
mailer - render subject with additional variables #3751
mailer - py3 compat around file opening for replay command #3676
mailer - on slack error show status and error code #3652
traildb - py3 support #3671
log_exporter - bug fixes around new internal signature #3624

docs

mailer install docs #3646
new subreddit #3647
lambda config rule setup #3613