cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources

APACHE-2.0 License

Downloads
2.6M
Stars
5.2K
Committers
448

cloud-custodian - 0.9.38.0 Latest Release

Published by kapilt 4 months ago

overview

This release is a bit smaller, as we're doing it early in order to address some performance anomalies related to caching of aws clients in 0.9.37, which caused some memory increases for large environments and policy counts, per #9558.

aws

  • aws - ec2 - snapshot action - add instance name to snapshot description (#9538)
  • aws - memorydb - add support for cluster (#9556)
  • aws - mu - avoid unnecessary lambda updates for vpc config (#9559)
  • aws - revert usage of caching session client (#9569)
  • aws - schedule mode - fix handle scheduler empty detail payload (#9566)

gcp

  • gcp - big query data set - delete action (#9560)

releng

  • releng - bump azure-identity from 1.16.0 to 1.16.1 in /tools/c7n_azure (#9562)
  • releng - release prep 0.9.38 (#9571)

shift-left

  • shift-left - update tfparse dep and handle json format tfvars (#9564)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.37.0...0.9.38.0

cloud-custodian - 0.9.37.0

Published by kapilt 4 months ago

What's Changed

Of note in this release, we now use python 3.12 for docker images, which will provide a good performance improvement, as well as caching clients in the aws provider, which should also save on memory.

aws

  • aws - TimestreamDB kms key filter (#9500)
  • aws - add eventbridge scheduler mode for policy lambdas (#9273)
  • aws - add utility function for resolving global region for tagging augments by partition (#9475)
  • aws - cache clients by region (#9107)
  • aws - elasticbeanstalk-environment - return empty tag set for deleted environments (#9453)
  • aws - elasticsearch - add the latest TLS security policy (#9542)
  • aws - fix credential test on session policy (#9520)
  • aws - sagemaker model bias job definition (#9465)
  • aws - session policy support via cli (#9416)
  • aws - timestream register aws_backup count filter (#9504)
  • aws - Sagemaker Data Quality, Model Quality, Model Explainability Job Definitions + Compilation, Processing Jobs (#9464)

core

  • core - validate policy mode in StructureParser (#9536)
  • core - value filter mod operator (#9497)

docs

  • docs - add dev docs link to john lonergan dummy's guide to adding aws resources (#9502)
  • docs - add linen.dev to readme (#9522)

releng

  • releng - 🌱 bump the github-actions group with 2 updates (#9509)
  • releng - azure - update containerregistry version (#9491)
  • releng - batch dependabot updates by package ecosystem and azure poetry lock fix (#9501)
  • releng - bump jinja2 from 3.1.3 to 3.1.4 in /tools/c7n_salactus (#9483)
  • releng - bump requests #9526
  • releng - bump tqdm from 4.66.2 to 4.66.3 (#9478)
  • releng - include c7n awscc provider in docker images (#9521)
  • releng - june 2024 dep upgrades (#9550)
  • releng - pkg increment and dep rebase (#9518)
  • releng - update ci to poetry 1.8.3, docker update to ubuntu 24.04, always pull when building (#9549)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.36.0...0.9.37.0

cloud-custodian - 0.9.36.0

Published by kapilt 6 months ago

What's Changed

aws

  • aws - account - switch to describe source (#9337)
  • aws - add workspaces bundle support (#9380)
  • aws - appmesh - add virtualnode resource (#9378)
  • aws - appmesh - update resource model, extend core docs and test support (#9290)
  • aws - ebs - add snapshots filter (#9451)
  • aws - ecs-service - fix delete for services with task sets (#9353)
  • aws - firewall - add logging-config filter and tag actions (#9339)
  • aws - lambda@edge filter - fix to use unique resourceIds (#9368)
  • aws - make account_id available to c7n-org report (#9285)
  • aws - opensearch-serverless resource and kms filter (#9358)
  • aws - rds - update stoppable engine list (#9364)
  • aws - sagemaker-auto-ml-job (#9434)
  • aws - sagemaker-cluster (#9390)
  • aws - sagemaker-domain resource (#9373)
  • aws - sagemaker-hyperparameter-tuning-job (#9418)
  • aws - update tag permissions, expand s3 assembly permissions, add missing config_types (#9154)
  • aws - update transfer.py exception catch (#9394)

azure

  • azure - api-management certificates filter (#9413)
  • azure - machine-learning-workspace - compute instance filter (#9412)
  • azure - postgresql-server.filters (#9041)
  • azure - stream-job (#9118)
  • azure - support certificate authentication (#9325)
  • azure - update azure-mgmt-rdbms major version (#9420)

core

  • core - allow variable references to pass type validation (#9237)
  • core - apply query over extra_args (#9449)
  • core - Avoid raising spurious KeyError during policy validation (#9407)

docs

  • docs - add external security audit report (#9446)
  • docs - fix several minor typos and formatting (#9361)

c7n_left

  • core - full filename in rich output (#9460)

releng

  • releng - Bump black from 23.12.1 to 24.3.0 in /tools/c7n_mailer (#9372)
  • releng - bump black from 23.12.1 to 24.3.0 (#9371)
  • releng - bump github.com/docker/docker in /tools/cask (#9370)
  • releng - bump golang.org/x/net from 0.17.0 to 0.23.0 in /tools/cask (#9450)
  • releng - bump golang.org/x/net from 0.17.0 to 0.23.0 in /tools/omnissm (#9447)
  • releng - c7n-left - update tfparse and increment (#9384)
  • releng - dependency update 2024/04/15 (#9435)
  • releng - increment c7n-left (#9467)
  • releng - move c7n-left to chainguard wolfi-base from docker hub (#9389)
  • releng - prep 0.9.36 release (#9463)
  • releng - redo 0.9.36 release prep 2024/04 (#9468)
  • releng - ruff update and lint fixes (#9381)
  • releng - transient decrement release (#9466)
  • releng - update c7n-left tfparse dependency for additional pyversion and os support (#9230)
  • releng - update cosign version (#9470)

tencentcloud

  • tencentcloud - use custodian version in user agent / request client header (#9338)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.35.0...0.9.36.0

cloud-custodian - 0.9.35.0

Published by kapilt 8 months ago

aws

  • aws - account - add support for bedrock model invocation logging configuration (#9259)
  • aws - add set-policy action for iam-profile resource (#9257)
  • aws - allow excluding specific processes when resuming ASGs (#9252)
  • aws - appmesh support (#9260)
  • aws - bedrock - support for knowledge base, bedrock-agent delete action (#9301)
  • aws - bedrock customization jobs, tag, kms-key and stop action (#9282)
  • aws - cloud watch alarm - add a filter for determining if part of a composite alarm (#9300)
  • aws - dynamodb-table - avoid key errors in continuous-backup filter (#9266)
  • aws - ec2 resize from cost hub recommendation (#9281)
  • aws - ecs-service - modify-definition with resize support (#9288)
  • aws - ism-role - fix config resource id (#9294)
  • aws - lambda update action w/ resize support from cost recommendation hub (#9283)
  • aws - rds-proxy fix cfn type (#9267)
  • aws - route53 record set delete action, hosted zone delete fix (#9291)
  • aws - s3 - support for storage lens configuration (#9271)

awscc

  • awscc - update action - ensure patch only against updatable properties, support user supplied jsonpatch (#9297)

azure

  • azure - automation-account variable filter (#8999)
  • azure - azure.vm.filters.backup-status (#9242)
  • azure - front-door waf filter (#9038)
  • azure - redis firewall filter (#9045)
  • azure - sql server auditing filter (#9097)
  • azure - sql-server filters - failover-group and security-alert-policies (#9114)

docs

  • docs - minor gcp and c7n left fixes (#9129)
  • docs - remove beta label on gcp (#9278)
  • docs - update vector.dev toml configuration (#9279)

releng

  • releng - docs publish - ensure use of pypi for awscli install (#9314)
  • releng - downgrade urllib3 for release (#9334)
  • releng - pin freeze wheel to previous release due to error (#9332)
  • releng - prep 0.9.35 release (#9328)
  • releng - update github actions versions and fix doc build (#9262)
  • releng - cryptography from 41.0.7 to 42.0.4 in /tools/c7n_mailer (#9313)

shift-left

  • c7n-left - fix policy severity level filtering for --warn-on (#9261)
  • shift-left - handle a null tag map on a resource (#9323)
  • shift-left - log policy error during execution (#9293)

tencentcloud

  • tencentcloud - security group filter - fix for empty port string (#9253)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.34.0...0.9.35.0

cloud-custodian - 0.9.34.0

Published by kapilt 9 months ago

aws

  • aws - actions - fix typo in documentation for invoke-lambda (#9180)
  • aws - add eni detach and eip disassociate actions, fix check-permissions filter (#9100)
  • aws - add in operator to vpc network-location filter (#9160)
  • aws - add python3.12 runtime support, default to python3.11 (#9231)
  • aws - batch - add tagging support and update/delete job queue actions (#9182)
  • aws - cost optimization filter (#9209)
  • aws - fix ASG config resource id (#9248)
  • aws - org unit filter (#9224)
  • aws - org unit resource (#9223)
  • aws - org-account and org-policy resources (#8194)
  • aws - policy filter & action for ou & account (#9232)
  • aws - quotas - add a special filter in query section to reduce API calls (#9193)
  • aws - rds, rds-cluster - add annotation to pending-maintenance filter (#9183)
  • aws - s3 express directory resource (#9185)

azure

  • azure - synapse resource (#9240)
  • azure - update azure dependencies / poetry lock (#9117)
  • azure - update azure poetry lock / dependencies (#9241)

kubernetes

  • kubernetes - add canonical_group for better matching in admission controller mode (#9207)

releng

  • releng - add python 3.12 to ci (#9202)
  • releng - bump jinja2 from 2.11.3 to 3.1.3 in /tools/c7n_salactus (#9234)
  • releng - bump jinja2 from 3.1.2 to 3.1.3 (#9238)
  • releng - bump jinja2 from 3.1.2 to 3.1.3 in /tools/c7n_mailer (#9236)
  • releng - bump jinja2 from 3.1.2 to 3.1.3 in /tools/c7n_sphinxext (#9235)
  • releng - bump pycryptodome from 3.19.0 to 3.19.1 in /tools/c7n_tencentcloud (#9225)
  • releng - pin referencing dep to avoid dependency conflicts (#9249)
  • releng - prep 0.9.34.0 release (#9222)
  • releng - remove remaining non-vendored distutils references (#9196)
  • releng - update dependencies - 2023-12-13 (#9201)
  • releng - update deps data dict 2023 12 4 (#9186)

cloud-custodian - 0.9.33.0

Published by kapilt 11 months ago

aws

  • aws - add support for 'aws-iso' partition (#9103)
  • aws - support python3.11 in lambda policy schema (#9047)
  • aws - account service-limit filter - handle non-refreshable checks (#9072)
  • aws - add bedrock custom model resource (#9161)
  • aws - add support for opensearch serverless (#9058)
  • aws - add support for workspaces web (#9121)
  • aws - ami - fix ou/org regex patterns in set-permissions (#9032)
  • aws - arn parse explicit value error on invalid (#9071)
  • aws - asg - suspend includes InstanceRefresh process (#9142)
  • aws - check-cloudtrail filter - fix (#9066)
  • aws - check-cloudtrail filter - update/expand matching logic (#8968)
  • aws - dynamodb-table - delete protection config and force delete (#9125)
  • aws - ec2 - fix query parser should be scoped to describe source only (#9167)
  • aws - ec2 - security-group filter - get from sg ids from all interfaces on an instance (#9126)
  • aws - ec2 capacity reservation resource (#9147)
  • aws - ec2-reservation - fix typo in field (#9155)
  • aws - ecs - security-group/network-location filter for ecs-service and ecs-task (#8892)
  • aws - elasticsearch - fix tag operation error handling (#9070)
  • aws - fix import path for workspaces-web (#9136)
  • aws - glue - fix toggle-metrics filter (#9051)
  • aws - glue connection - handle broken vpc/subnet references (#9163)
  • aws - iam-oidc-provider - add delete action (#9063)
  • aws - internet-gateway - warn on dependency errors during delete (#9059)
  • aws - make wafv1 global, r53domains is not global (#9094)
  • aws - modify-sgs by tags - vpc id check (#9092)
  • aws - rds cluster pending maintenance filter (#9099)
  • aws - secrets manager tag, ignore reserved tags (#9110)

awscc

  • awscc - update test for new access config properties on test resource (#9146)
  • awscc - update test to use a more stable resource for attribute checking (#9165)

azure

  • azure - add additional defender resources (#9061)
  • azure - add azure.event-grid-domain (#9000)
  • azure - add desktop virtualization session-host and host-pool resources and filters (#8992)
  • azure - app-configuration (#8997)
  • azure - datalake-analytics (#8966)
  • azure - event-grid-topic resource (#9035)
  • azure - kusho log analytics resource (#8971)
  • azure - machine-learning-workspace (#9039)
  • azure - mariadb-server (#9040)
  • azure - mysql-server security-alert-policy filter (#9042)
  • azure - network watcher resource name alias (#8970)
  • azure - replace deprecated mktemp function with mkstemp (#9171)
  • azure - signalr resource (#9062)
  • azure - sql-database.filters.data-encryption (#9098)
  • azure - update dependencies (#9096)
  • azure - waf resource and waf filter for app gateway (#8641)

gcp

  • gcp - adding effective-firewall filter to gke cluster (#9030)
  • gcp - firewall - augment rules with port ranges (#9046)
  • gcp - fix workload identity federation access (#9069)

oci

  • oci - support instance principal auth (#8998)

openstack

  • openstack - add storage-container resource (#9145)
  • openstack - image resource (#9140)
  • openstack - secrets resource (#9143)
  • openstack - security-group resource (#9064)
  • openstack - server.filters.security-group (#9119)
  • openstack - user extended-info filler (#9123)

core

  • core - json dump support bytes (#9135)

docs

  • docs - clarify tag compliance and policy structure examples (#8990)
  • docs - update mailer readme docker instructions (#9105)

releng

  • releng - bump github.com/docker/docker in /tools/cask (#9122)
  • releng - golang.org/x/net from 0.7.0 to 0.17.0 in /tools/cask (#9050)
  • releng - golang.org/x/net from 0.7.0 to 0.17.0 in /tools/omnissm (#9049)
  • releng - prep for 0.9.33.0 release (#9178)
  • releng - update dependencies - 2023-10 (#9090)
  • releng - update deps and restore azure lock file (#9108)
  • releng - vendor selections of distutils (#9104)

shift-left

  • c7n-left - support policy filtering for warn on (#9029)

tools

  • tools/policystream - add limits to avoid/fix possible DoS attack (#9176)

cloud-custodian - 0.9.32.0

Published by kapilt about 1 year ago

aws

  • aws - airflow - update-environment and delete-environment (#8866)
  • aws - app-elb-target-group - retry wrapper for describe_target_group_attributes (#8916)
  • aws - ec2 - use a list instead of tuple for empty tag set (#8957)
  • aws - eip - release - handle InvalidAddress.PtrSet and InvalidAddress.Locked exception (#8924)
  • aws - elasticache and rg skip deletion when linked with global ds (#8876)
  • aws - glue catalog - kms-key filter and set-encryption refactor (#8833)
  • aws - inspector-v2 finding resource (#8934)
  • aws - launch-template-version - include version number in synthetic arn (#8972)
  • aws - metrics filter - support client side evaluation across multiple periods (#8930)
  • aws - output - metrics - allow enabling specific metrics and ignore zero values via query params (#8929)
  • aws - route53 - fix arn handling in query-logging-enabled filter (#8988)
  • aws - s3 - only check account-local trails in data-events filter (#8960)
  • aws - service-quotas - request-increase fix (#8939)
  • aws - sns - fix metrics filter get_dimensions for topics (#8951)
  • aws - vpc - delete-empty action (#8854)
  • aws - waf and vpc - reduce noise from deprecated field validation (#8919)

awscc

  • awscc - use build step to fetch data files (#8840)

azure

  • azure - cdn - update package version (#8979)
  • azure - key vault - filter to check rotation policy (#8905)

core

  • core - offhours allow escaped - via ordinal hex (#8808)
  • core - value - support float value_type (#8927)

docs

  • docs - aws - fix event filter example to use op: contains (#8959)
  • docs - clarify conditions behavior on serverless policies (#8933)
  • docs - cover list-item under generic filters (#9005)
  • docs - flesh out mailer config, plus various formatting/clarity fixes (#8944)

gcp

  • gcp - bq-job - update enum_spec (#8994)
  • gcp - cloud-run iam-policy filter (#8978)
  • gcp - dns zone - records filter (#8829)
  • gcp - kms keyring filter (#8903)
  • gcp - node pool and cluster - server-config filter (#8880)
  • gcp - org - policy filter (#8982)
  • gcp - organization and folder iam policy filter (#9006)
  • gcp - spanner-backup: iam filter (#8938)
  • gcp - sql instance - set ha action for zonal/regional configuration (#8967)
  • gcp - vpc-firewall-filter (#8901)

oci

  • oci - implement resource caching (#8869)

releng

  • releng - prep 0.9.32 (#9003)
  • releng - update custodian version in dependent packages (#9025)
  • releng - update data dictionaries (#8820)
  • releng - update dependencies (#8985)
  • releng - update dependencies (#9022)

shift-left

  • c7n-left - cli entrypoint point reporter parameter (#9002)
  • c7n-left - default provider tags augment, handle empty resource tags (#8954)
  • c7n-left - dump cli command to show graph and input variables (#8974)
  • c7n-left - fix handling of relative source dir (#8993)
  • c7n-left - gitlab sast output (#8923)
  • c7n-left - handle null provider tags when augmenting (#8984)
  • c7n-left - initialize variables with default value if none provided (#8958)
  • c7n-left - junit xml output (#8931)
  • c7n-left - only consider root module variables when injecting uninitialized defaults (#8995)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.31.0...0.9.32.0

cloud-custodian - 0.9.31.0

Published by kapilt about 1 year ago

aws

  • aws - access analyzer finding resource (#8895)
  • aws - rds - fix delete action filtering (#8891)
  • aws - s3 - add bucket-replication filter (#8686)
  • aws - s3 - adding bucket_key_enabled to bucket-encryption filter (#8868)
  • aws - sg - unused/used filter don't consider self references as usage (#8821)
  • aws - tag rename action via universal/resource group tag api (#8878)

azure

  • azure - add CIDR support for network security group (#8798)
  • azure - application insights resource (#8837)
  • azure - bastion host resource (#8827)
  • azure - monitor logs profile storage filter (#8870)
  • azure - network security group - fix filter bug. destinationPortRange field is always present (#8883)
  • azure - output - blob upload fix closes #8885 (#8884)

gcp

  • gcp - compute - add suspend and pause actions (#8877)
  • gcp - gke cluster - label handling for zonal GKE clusters (#8802)
  • gcp - instance-group-manager, zone (#8825)
  • gcp - spanner-instance-backup (#8699)

oci

  • oci - native output support for logging and blob/object storage (#8810)
  • oci - remove extraneous test data from VCN cassette files (#8839)
  • oci - remove extraneous test data from group cassette files (#8845)
  • oci - remove extraneous test data on compartment cassette files (#8844)
  • oci - removed extraneous test data from the subnet cassette files (#8834)
  • oci - update test session creation and flight recorder options (#8846)

shift-left

  • c7n-left - cli output on module shows matching resource refs (#8906)
  • c7n-left - data resource types are now prefixed w/ "data." (#8861)
  • c7n-left - ensure tfmeta.type has value for all block types (#8904)
  • c7n-left - fix default tags with module resources (#8894)
  • c7n-left - support --var-file parameters (#8841)
  • c7n-left - support taggable filter and default provider tags (#8852)
  • c7n-left - terraform module resources now display instead the invoking module block (#8855)
  • c7n-left - value_from fix, env var interpolation support, and docs on data resources plus a tag test (#8882)

core

  • core - resolver - support decompression when using value_from with s3 (#8851)

docs

  • docs - add policy example for rds reserved instances (#8835)
  • docs - fix c7n-left check encryption policy (#8874)
  • docs - oci corrected some documentation typos (#8871)

releng

  • releng - handle chainguard image change re no version (#8862)
  • releng - increment c7n-left (#8920)
  • releng - pin terraform to last oss version (#8831)
  • releng - release prep for 0.9.31 (#8917)
  • releng - use ubuntu for c7n-left image (#8795)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.30.0...0.9.31.0

cloud-custodian - 0.9.30.0

Published by kapilt about 1 year ago

aws

  • aws - add more resource types (#8799)
  • aws - add value filter logic to waf-enabled and wafv2-enabled filters (#8407)
  • aws - ami - add cancel-launch-permission action (#8728)
  • aws - asg rename-tag - don't propagate tags when there are no instances (#8762)
  • aws - flow-log filter & action - refactor for kinesis/parquet support (#8757)
  • aws - key-pair unused filter - check autoscaling groups (#8755)
  • aws - rds - add pending-maintenance filter (#8793)
  • aws - rds - delete - filter aurora cluster members - use a cluster policy instead (#8713)
  • aws - rds-proxy - delete action (#8751)
  • aws - rds-snapshot - instance filter (#8764)
  • aws - rdscluster - modified_db_cluster handle serverless v1 behavior (#8806)
  • aws - ssm session manager (#8823)
  • aws - vpc modify and network usage metrics (#8628)

azure

  • azure - filters - azure advisor recommendation filter (#8770)
  • azure - front-door-policy waf resource (#8811)
  • azure - mysql server - configuration filter (#8805)
  • azure - storage container - fix public access (#8797)

core

  • core - notify use a dynamically sized buffer for notify (#8742)

docs

  • docs - value filter - list in/not-in/contains under comparison and list operators (#8784)

gcp

  • gcp - cloud run revision resource (#8697)
  • gcp - iam filters (#8792)
  • gcp - sql - force option on delete and set-deletion-protection action (#8735)

k8s

  • k8s - chore - black c7n_kube package (#8786)
  • k8s - tests - clean up threads, don't write to current directory (#8782)

oci

  • oci - bucket - fix metadata id field (#8768)
  • oci - cleanup extraneous data on user tests (#8785)
  • oci - metrics query compartment fix (#8809)
  • oci - metrics query optimization (#8754)
  • oci - multi-region and c7n-org support (#8748)
  • oci - removed extraneous test data from the bucket cassette files (#8807)
  • oci - removed the extraneous test data from zone cassette files (#8801)

releng

  • releng - dependency upgrade 2023/08/14 (#8819)
  • releng - fix aws functional test and pin linters (#8822)
  • releng - release automation and dependency updates (#8766)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.29.0...0.9.30.0

cloud-custodian - 0.9.29.0

Published by kapilt about 1 year ago

What's Changed

overview

more gcp resources, two others of note.

  • aws - breaking change - for operators using cloudtrail to inspect custodian api calls in an environment, the format of the user agent field has changed due to underlying changes within the sdk;
    details and new format are documented/discussed in https://github.com/cloud-custodian/cloud-custodian/issues/8739
  • oci - breaking changes - oci provider is currently alpha, the syntax for actions has been simplified in #8740

aws

  • aws - add connect-campaign resource and kms-key filter (#8681)
  • aws - alb - delete - handle ResourceInUseException (#8705)
  • aws - ebs modify - support io2 (#8717)
  • aws - ecs-cluster - ebs-storage filter (#8446)
  • aws - identity-pool - include resource details from parent augment (#8692)
  • aws - launch-template-version - add cloudformation type (#8724)
  • aws - s3 - add support for intelligent tiering (#8712)

azure

  • azure - cdn - waf enabled filter (#8672)
  • azure - frontdoor - waf enabled filter (#8662)

gcp

  • gcp - added redis instance (#8679)
  • gcp - cloud armor-policy aka waf (#8666)
  • gcp - dataproc clusters (#8677)
  • gcp - label action support w/ fingerprint refetch on gke, instance, image (#8557)
  • gcp - mu - update function runtime, update for new env variables, use struct logging (#8711)
  • gcp - patch-deployment resource (#8698)
  • gcp - recommender - handle empty recommend set (#8714)
  • gcp - remove email addresses from image label test data (#8718)

oci

  • oci - session factory & test refactor (#8700)
  • oci - filter and action name refactor (#8740)

releng

  • releng - increment versions and update dependencies (#8738)
  • releng - oci in docker image (#8688)
  • releng - update dependencies to pickup pyyaml versions with build fixes (#8747)

tools

  • tools/c7n_mailer - add ms graph api delivery for email (#8687)

docs

  • docs - remove extraneous quotes from example notify action (#8694)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.28.0...0.9.29.0

cloud-custodian - 0.9.28.0

Published by kapilt over 1 year ago

TLDR

New oracle cloud infrastructure provider, several additional resources to gcp, regular fixes and updates to extant providers.

aws

  • aws - add delete action to directory and cloud-directory (#8610)
  • aws - add ses-receipt-rule resource and delete action (#8671)
  • aws - asg - fix propagate-tags for asgs with no tags (#8612)
  • aws - core - fix fetching resources by id for types with scalar server-side filters (#8614)
  • aws - ebs - encrypt-instance-volumes handle missing tags (#8683)
  • aws - efs-mount-target - support cloudtrail mode (#8631)
  • aws - event bus delete action (#8598)
  • aws - iam-user - add include-via option to policy filter for group inherited policies (#8372)
  • aws - security-group - used filter - handle ram vpc sharing eni when run in vpc owner (#8604)
  • aws - ses - add ses-email-identity resource type (#8616)
  • aws - ses - add set-delivery-options action (#8635)
  • aws - ses - identity has-statement filter (#8640)
  • aws - user-pool - include resource details from parent augment (#8684)
  • aws - vpc - metrics filter for vpce and tgw attachment (#8674)

azure

  • azure - add recovery services vault resource (#8599)
  • azure - filter for the SQL Server TDE (#8652)
  • azure - monitor-log-profile resource (#8580)
  • azure - session - add _run_command timeout parameter (#8632)

docs

  • docs - document gcp env vars explicitly along with noting workload federated identity support (#8606)
  • docs - update tencent cloud object storage example (#8600)

gcp

  • gcp - add big table asset types metadata (#8615)
  • gcp - add datafusion resource (#8676)
  • gcp - add more bigtable resources (instance, cluster, table, backup) (#8519)
  • gcp - add support for impersonated credentials (#8571)
  • gcp - added notebook resource (#8680)
  • gcp - new resources app service and app service version (#8425)

oci

  • oci - new provider (#8620)

releng

  • releng - bump cryptography from 40.0.2 to 41.0.0 (#8627)
  • releng - bump cryptography from 40.0.2 to 41.0.0 in /tools/c7n_azure (#8626)
  • releng - bump cryptography from 40.0.2 to 41.0.0 in /tools/c7n_openstack (#8625)
  • releng - docker fix c7n-left image build via poetry install for dependency group changes (#8611)
  • releng - format c7n_left and c7n_mailer python code with black "make format" command (#8636)
  • releng - release prep for 0.9.28.0 (#8658)
  • releng - ruff whitespace config and github output (#8649)
  • releng - update issue template for new providers (#8655)

tools

  • tools/c7n_mailer - refactoring and fix SendGrid duplicated emails (#8642)
  • tools/c7n_mailer - strip newlines from slack token (#8645)
  • tools/ops - fix mugc.py policy filtering (#8670)

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.27.0...0.9.28.0

cloud-custodian - 0.9.27.0

Published by kapilt over 1 year ago

aws

  • AWS - SES - Create new resource type configuration-set for SES (#8457)
  • aws - add pinpoint resource (#8514)
  • aws - codecommit - add universal_augment to pull tags (#8576)
  • aws - ebs-snapshot - cross-account filter - enable everyone_only (#8552)
  • aws - eks - adding associate-encryption-config action (#8426)
  • aws - fis - adding aws.fis-experiment resource (#8470)
  • aws - fsx - rds - register aws_backup count filter (#8494)
  • aws - kms related filter - resolve key alias to id before cache lookup (#8505)
  • aws - lambda - add has-specific-managed-policy filter (#8477)
  • aws - lambda mode - support python3.10 in schema (#8502)
  • aws - lambda mode - validate description length (#8497)
  • aws - output - strip trailing slashes from s3 output url paths (#8559)
  • aws - policy modify - handle statements without sids (#6943)
  • aws - post-finding - document usage of the title parameter (#8527)
  • aws - s3 - lifecycle - add schema for newer rule options (#8564)
  • aws - subnet - add ip-address-usage filter (#8521)
  • tests - kms - patch executor to avoid flaky test (#8534)
  • fix: get subnet_ids from all interfaces on an EC2 instance (#8500)

azure

  • azure - add cdn-custom-domain and cdn-endpoint resources (#8554)
  • azure - add mariadb resource (#8498)
  • azure - add open-shift resource (#8469)
  • azure - resource servicebus namespace authrules (#8541)
  • azure - servicebus-namespace resource (#8536)
  • azure - servicebus-namespace-networkruleset (#8546)
  • azure - spring app resources (#8558)
  • azure - sql-server - add value filter logic to the auditing filter (#8314)

gcp

  • gcp - add artifact-repository resource (#8444)
  • gcp - add compute-project (#8461)
  • gcp - deployment-manager normalize label format (#8540)
  • gcp - fix metadata on a few resource types (#8569)
  • gcp - fix report fields metadata (#8573)
  • gcp - log sink - bucket filter (#8462)
  • gcp - recommender filter (#8544)
  • gcp - region pseudo resource from static data, and makefile data update target (#8517)

core

  • core - add ability to add custom functions to jmespath (#8533)
  • core - cli entry point allows function parameters (#8464)
  • core - don't expand {now} placeholder during provisioning (#8509)
  • core - validate - report errors per file (#8565)

docs

  • docs - fix sidebar formatting for c7n_kube (#8523)
  • docs - readme update (#8516)

releng

  • releng - automated releases (#8395)
  • releng - bump github.com/docker/distribution in /tools/cask (#8560)
  • releng - consolidate mailer dependencies (#8489)
  • releng - prep 0.9.27.0 release (#8591)
  • releng - require urllib3 <2.0 to speed up dependency resolution (#8563)
  • releng - update dependencies 2023-05 (#8562)

tools

  • tools/c7n_org - exit early on an empty list of accounts or policies (#8515)
  • tools/dev - aws csm observability using vector.dev (#8556)
  • tools/ops - policy lambda cfn - allow specifying just role name instead of arn (#8448)

cloud-custodian - 0.9.26.0

Published by kapilt over 1 year ago

Fixes a package upload issue caused by using poetry to upload our frozen wheels that affected 0.9.25.0, in favor of using twine to upload, which results in proper frozen metadata.

What's Changed

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.25.0...0.9.26.0

cloud-custodian - 0.9.25.0

Published by kapilt over 1 year ago

aws

  • aws - asg - image filter - fix warning when image not found (#8473)
  • aws - asp-sync - delete action (#8419)
  • aws - ecs cluster - including settings to check for container insights (#8380)
  • aws - ecs-task-definition - support permanent deletion via force option (#8406)
  • aws - elasticsearch - cross-account bug fix handle no access policy (#8403)
  • aws - kinesis-video add tag/remove tag action (#8454)
  • aws - output - set region when using lambda exec options (#8471)
  • aws - quota - fix usage-metric exceeds the limit of 1440 data points (cont.) (#7140)
  • aws - rds - fix option group filter (#8433)
  • aws - reuse client for augment thread workers (#8456)
  • aws - route53 - recovery-control-panel - add a safety-rule filter (#8381)
  • aws - sns subscription - topic filter for unused and other use cases #8316 (#8336)

azure

  • azure - adding filter for subscription diagnostic settings (#8401)
  • azure - event mode - fix functions via include boto3 module #8203 (#8465)
  • azure - firewall filter - add option to include azure service 'magic' ip range (#8309)
  • azure - network security group - add explicit icmp to filter vocab (#8438)
  • azure - network-security group - flow log filter (#8312)
  • azure - tests - trim cassette data (#8466)

core

  • core - filters - add list-item filter (#7739)
  • core - policy - fix conditions.env_vars for c7n-org (#8434)
  • core - value filter - add jmespath value_path as option for supplying values (#8350)

docs

  • docs - fix indentation on advanced example (#8405)
  • docs - add shift-left to main readme, flesh out c7n-left readme (#8412)

gcp

  • gcp - add secret resource (#8421)
  • gcp - cloud-run service and job (#8452)
  • gcp - organization - essential-contacts filter (#8303)
  • gcp - project - access-approval filter (#8361)
  • gcp - service-account - iam-policy filter (#8404)

shift-left

  • c7n-left - fix multi resource using lists (#8447)
  • c7n-left - policy testing (#8428)
  • c7n-left - policy testing allow filters (#8460)

tencentcloud

  • c7n_tencentcloud - security-group used filter (#8399)

releng

  • releng - add black as dev dependency and add to make lint (#8378)
  • releng - c7n-left docker image (#8396)
  • releng - policy stream fix test oddity - use explicit rm (#8422)
  • releng - policy stream test ensure debug output on failure (#8409)
  • releng - release automation tweaks (#8392)
  • releng - release prep 0.9.25 (#8431)
  • releng - remove obsolete devcontainer and vscode configs (#8411)
  • releng - remove old releng artifacts (#8408)
  • releng - terraform fmt check in ci (#8413)
  • releng - update dependencies (#8474)
  • tools/dev - prcheck - add required fields and arg help (#8430)
  • tools/dev - prcheck can tag prs and recheck them (#8376)

schema changes

cloud-custodian - 0.9.24.0

Published by kapilt over 1 year ago

aws

  • aws - ami - allow no 'add' in set-permissions action (#8327)
  • aws - apigw - generate domain name arns (#8366)
  • aws - asg - let valid/invalid filters work in explicit pull mode (#8308)
  • aws - efs-mount-point - network-location filter (#8347)
  • aws - eks - add network-location filter (#8377)
  • aws - elasticsearch - enable support for server-side query filtering (#8337)
  • aws - elasticsearch - new action to enable audit logs to cloudwatch (#8232)
  • aws - enhance modify-security-groups action to support add groups by tag (#8356)
  • aws - hosted zone - explicit config_id for config-rule support (#8269)
  • aws - lambda - filter for lambda@edge (#8382)
  • aws - rds - bug fix in consecutive-snapshots filter (#8357)
  • aws - route53 ARC - control panel: add resource and tagging (#8352)
  • aws - route53.recovery-cluster - add resource and tagging support (#8301)
  • aws - s3 - check-public-filter handle access denied errors (#8374)
  • aws - s3 output bucket region determination refactor (#8289)
  • aws - security-group unused filter - add batch compute envs (#8297)
  • aws - tag variable interpolation fix (#8383)
  • aws - vpc - bug fix security-groups-used on in-use eni with no attachment (#8099) (#8390)
  • aws - wafv2 - add scope param to list call in lambda modes (#8120)
  • feat: fix marked-for-op filter bug (#8313)

c7n_azure

  • c7n_azure - adding new resource for mysql flexibleserver and a new filter (#8241)

core

  • core - filters - add headers to value_from url (#8307)
  • core - offhours filter - fixing typo on fallback-schedule schema (#7929)
  • core - pass validate to load_data so intent to validate policies or not is fully respected (#8305)
  • core - query - have resource manager init args match the base class (#8310)

gcp

  • gcp - bq-table - add augment to table for encryption config (#7952)

kubernetes

  • kubernetes - fix test via k8s registry url update (#8290)

shift-left

  • c7n-left - test handling of terraform local modules (#8286)
  • c7n-left - traverse filter supports non value type filters (#8299)

tools

  • tools/c7n-mailer - replay - support for slack (#5653)
  • tools/c7n-mailer - unique email list (#8370)
  • tools/c7n-mailer - replay - support mimicking sqs (#5655)
  • tools/c7n_mailer - handle lambda container images (#8329)
  • tools/c7n_mailer - option to assume role to send via centralized account SES (#6707)
  • tools/dev - fix devcontainer poetry installation (#8317)
  • tools/omni-ssm bump golang.org/x/sys (#8320)
  • tools/omnissm - bump golang.org/x/text (#8311)

releng

  • releng - address some linting found by new bandit release (#8365)
  • releng - cask dep updates (#8322)
  • releng - change docker :dev tag to daily build (#8342)
  • releng - ci - add 3.11 remove 3.7 python versions to matrix (#8294)
  • releng - explicitly define bash as the makefile shell (#8343)
  • releng - functional aws tests and slack results (#8359)
  • releng - get rid of generated setup.py/requirements.txt files, use poetry to publish wheels (#8348)
  • releng - omnissm - bump golang.org/x/net (#8340)
  • releng - refactor ci and makefile (#8332)
  • releng - rev version, sphinx fixes, and rebase dependencies (#8341)
  • releng - use layer cache when building images (#8331)

schema changes

cloud-custodian - 0.9.23.0

Published by thisisshi over 1 year ago

aws

  • aws - account - check-cloudtrail sns subscription lookup refactor (#8020)
  • aws - emr-serverless-app - add resource and delete, tag, mark actions (#8197)
  • aws - autotag - add principalId as option for value field (#8244)
  • aws - cloudwatch logs - added attribute to allow passing role arn to put-subscription-filter call (#8246)
  • aws - dynamodb - add update table action (#8023)
  • aws - ecr - modify-policy update action schema validation (#8254)
  • aws - elasticache - skip del replication group if not empty (#8025)
  • aws - emr - security configuration filter (#8268)
  • aws - iam-user - add set-policy action (#8125)
  • aws - kafka - migrate to list_clusters_v2 (#8077)
  • aws - rds - include db instance option values (#8236)
  • aws - rds - switch from other to db instance for post-finding action (#8183)
  • aws - rds-cluster - use DbClusterResourceId as the config id (#8285)
  • aws - route53-arc - readiness-check cross-account filter (#8235)
  • aws - secretsmanager - add set-encryption action (#8168)
  • aws - shield - handle elastic ip arn type delta (#8272)
  • aws - tags - copy-related-tag load resources during validation (#8219)
  • aws - timestream-table, timestream-database - add resources (#8159)

azure

  • azure - alert-logs - add resource (#8167)
  • azure - key vault secret - add resource (#8184)
  • azure - network watcher - add resource (#8230)

core

  • core - handle non importable resources (#8199)
  • core - policy - have conditions support vars (#8014)
  • core - policy load - fix naming conflict between validate argument and import (#8265)
  • core - utils - reduce backoff_delays jitter (#8029)

docs

  • docs - add Pratyush Mishra as a maintainer (#8206)
  • docs - add example policy to add lifecycle policy on bucket delete (#8196)
  • docs - readme - add Slack badge, add YouTube channel (#8229)
  • docs - add example policies for the finding filter (#8201)

gcp

  • gcp - filters - enabling 'missing' filter (#8234)
  • gcp - log-project-metric - add metric alert filter (#8155)
  • gcp - mu - include boto3 in cloudfunctions requirements (#8242)

kubernetes

  • c7n_kube - k8s-admission - add label and auto-label-user actions for k8s-admission mode (#7925)

releng

  • releng - 0.9.23 release prep (#8271)
  • releng - actions - use github.sha for concurrency grouping when not in a pr (#8279)
  • releng - dev script to check which prs modify a given directory (#8282)
  • releng - directly publish docs instead of merging back to gh-pages branch (#8204)
  • releng - docker test image needs new oci name field (#8243)
  • releng - docs publish fix input typo (#8217)
  • releng - fix docs publishing (#8226)
  • releng - fix poetrypkg test (#8227)
  • releng - switch to ruff for linting (#8276)

shift-left

  • c7n-left - allow for policy and resource pre execution filtering on cli (#8190)
  • c7n-left - cli summary output (#8180)

tools

  • mailer - fix module not found error for azure mailer (#8182)
  • tools/c7n_mailer - handle empty execution_start in utils.py (#8260)
  • tools/omnissm - bump github.com/aws/aws-sdk-go from 1.33.0 to 1.34.0 (#8273)

schema changes

cloud-custodian - 0.9.22.0

Published by thisisshi over 1 year ago

aws

  • aws - route53 recovery readiness-check - add resource and tagging support (#8112)
  • aws - account - organization filter (#8113)
  • aws - ami - add image-attribute filter (#8091)
  • aws - appelb - added filter and action for target group attributes (#8037)
  • aws - config - remediation filter: add rule_prefix to schema (#8171)
  • aws - connect - add set-attribute action (#8095)
  • aws - docs - network-addr moved to elastic-ip resource (#8170)
  • aws - ebs - EBS CreateDate should be CreateTime in docs example (#8153)
  • aws - fix transit-user resource type metadata (#8134)
  • aws - iam-profile, ec2 - add value filter logic to has-specific-managed-policy filter (#8104)
  • aws - rds, config-poll-rule - add server-side filter query support (#7696)
  • aws - rds-cluster - add db-cluster-parameter filter (#7729)
  • aws - rds-snapshot - fix rds-snapshot multi retrieval w/ server side scalar filter (#8135)
  • aws - redshift - fix consecutive-snapshots date filtering (#8129)
  • aws - rest-stage - Scope down apigw ids with arn:aws:apigateway (#8111)
  • aws - secrets manager delete and remove-statements action (#8152)
  • aws - userpool - register universal taggable (#8158)
  • aws - validate arn types on resources (#8143)

azure

  • azure - add azure.defender-alert resource (#8097)
  • azure - storage - fix blob-services docs (#8086)

c7n-org

  • c7n-org - support org level vars in config file (#8033)

gcp

  • gcp - api-key - Add gcp resource api key (#8094)
  • gcp - gke-cluster - fix augment when gke is not enabled (#8073)

omnissm

  • omnissm - Bump github.com/aws/aws-sdk-go from 1.15.23 to 1.33.0 in /tools/omnissm (#8107)

releng

  • releng - disable trivy for now due to rate limits causing failed docker builds (#8131)
  • releng - pkg-rebase and increment for 0.9.22.0 (#8160)

shift-left

  • c7n-left - fix matches resources on the cli and docs related to traverse (#8088)

tencentcloud

  • tencentcloud - cbs-snapshot, security-group - fix service in resource_type (#8127)
  • tencentcloud - mysql-backup - fix for casting date when status is not SUCCESS (#8126)

mailer

  • mailer - skip empty email address and filter out invalid cc email addresses (#8051)

schema changes

cloud-custodian - 0.9.21.0

Published by thisisshi almost 2 years ago

aws

  • aws - rest-stage - add regex match support for wafv2-enabled filter and set-wafv2 action (#7946)
  • aws - account - add ses send metric filters (#7874)
  • aws - account - check-cloudtrail filter: add include-management-events and log-metric-filter-pattern (#7851)
  • aws - account - managed config rule (#7029)
  • aws - ami - add set-permissions and set-deprecation actions, org support for cross-account filter (#7974)
  • aws - asg - ignore UnsupportedOperation on asg suspend (#8076)
  • aws - autotag - fix none userinfo exception (#7984)
  • aws - autotag action - autotag user with value (#7959)
  • aws - backup - add consecutive backups filter (#8030)
  • aws - cloudfront - fix wafv2-enabled filter to find waf-classic associations (#7986)
  • aws - cloudfront - updating s3 regexes for mismatch-s3-origin filter (#8045)
  • aws - cloudhsm-cluster, augment and serverless mode (#7996)
  • aws - composite-alarm - add resource and delete action (#7953)
  • aws - cross-account filter - use case-insensitive checks for allowed condition keys (#7889)
  • aws - custodian lambda policy - arm64 / graviton support (#7917)
  • aws - dlm - use native arn attribute (#8027)
  • aws - ec2 - force stop override stop protection (#8007)
  • aws - efs - add has-statement filter (#7884)
  • aws - event-rule - add set-rule-state action (#7954)
  • aws - glue-connection - tag read/write support (#8049)
  • aws - graphql-api - add api-cache filter (#8056)
  • aws - hosted-zone - query-logging-enabled: add subscription filter details (#7988)
  • aws - iam-instance-profile - set-role action (#7999)
  • aws - iam-profile, ec2 - add has-specific-managed-policy filter (#8006)
  • aws - invoke-lambda action - support for assume role prior to invoke (#7904)
  • aws - lambda - adjust kms key arn casing for securityhub finding (#7998)
  • aws - notify - prepare iam-saml-provider for notify (#8022)
  • aws - rds - add db-option-groups filter (#7807)
  • aws - rds-snapshot - skip automated snapshots during delete action (#7938)
  • aws - redshift - efs - add consecutive daily snapshot count filter (#7749)
  • aws - route53 - define rrset and healthcheck as global resources (#8042)
  • aws - route53resolver - add resolver-logs resource and associate-vpc action (#7939)
  • aws - secrets-manager - add has-statement filter (#7930)
  • aws - security-group - used filter - add interface usage annotation (#8028)
  • aws - sns - migrate to universal augment (#8075)
  • aws - tags - copy-related-tag using resourcegroupstaggingapi, support tags as key (#7223)
  • aws - transfer - add transfer resources (#6927)
  • aws - transit-attachment - Support CloudTrail mode (#7983)
  • aws - wafv2 - add logging filter (#8072)

azure

  • azure - postgresql-server - add configuration-parameter filter (#7876)
  • azure - sql-server - add value filter logic to the vulnerability-assessment filter (#7864)
  • azure - sqlserver - add auditing filter (#7664)
  • azure - storage - add blob-services filter (#8082)
  • azure - webapp - add authentication filter (#7840)
  • fix - flake8/pyflakes bump removed type comments linting (#8039)

c7n-org

  • c7n-org - cli - support not-accounts option (#8036)

core

  • core - fix issue dumping FormatDate objects as json. (#7975)

docs

  • docs - add governance-as-code day orgs (#7957)
  • docs - tencentcloud resource reference docs build (#8002)
  • docs - tencentcloud resources docs with examples (#8052)

gcp

  • gcp - add get_urns for gcp resource managers (#8061)
  • gcp - project - add compute-meta filter (#7971)
  • gcp - replace ratelimiter with pyrate-limiter (#8060)

kubernetes

  • kubernetes - report cli - fix reporting for k8s resources (#7942)

releng

  • releng - 0.9.21.0 pkg-increment and pkg-rebase (#7990)
  • releng - github actions use concurrency option to only run on latest push (#8012)
  • releng - handle extra/optional requirements in gen-frozensetup (#8001)
  • releng - install mailer extras in docker image (#7995)
  • releng - pkg-rebase to clear certifi/cryptography/grpcio/requests/ci issues (#8080)
  • releng - update poetry to 1.2.2 (#8013)
  • releng - update version file to 0.9.20 (#7948)
  • releng - fix boto3 and botocore

shift-left

  • c7n-left - graph traversal filter (#7943)
  • c7n-left - output - add description to console output (#7949)
  • c7n_left - github action output annotation fixes (#8011)

tencentcloud

  • c7n_tencentcloud - better vcr test options (#7992)
  • c7n_tencentcloud - cam - add resources (#7865)
  • c7n_tencentcloud - cls, es, vpc, tcr - add resources (#7905)
  • c7n_tencentcloud - resources - cdb & cdb_backup (#7908)
  • c7n_tencentcloud - resources - cos (#8044)
  • tencentcloud - client - support for assume role (#8043)
  • tencentcloud - refactor metrics filter to support multi dimensions (#7994)

tests

  • tests - replace misuse of assertTrue with assertEqual (#7914)

tools

  • mailer - fix - multi emails in tag for gcp (#8074)
  • tools/c7n_policystream - bump pygit2 dependency (#8058)
  • tools/cask - support tencent cloud (#8047)
  • tools/mugc - remove functions from regions where region is not set in policy (#6989)

schema changes

New Contributors

Full Changelog: https://github.com/cloud-custodian/cloud-custodian/compare/0.9.20.0...0.9.21.0

cloud-custodian - 0.9.20.0

Published by kapilt almost 2 years ago

aws

  • aws - apigwv2 - new resource and tagging support (#7881)
  • aws - appsync resource and waf filter/action (#7872)
  • aws - dynamodb - enhancement recommended for the consecutive-backups filter (#7813)
  • aws - ec2 - set-metadata-access - include instance tags option (#7772)
  • aws - elbv2 wafv2-enabled fix to include only application loadbalancers (#7869)
  • aws - iam-user - add login-profile filter (#7804)
  • aws - log-group - add put-subscription-filter action (#7817)
  • aws - metrics - support extended statistics (#7826)
  • aws - opensearch - update tls endpoint config action (#7887)
  • aws - rds-proxy - Add new RDS Proxy resource (#7859)
  • aws - retry logic to describe listeners (#5915)
  • aws - security-group - used filter - add interface detail annotations (#7861)
  • aws - support-case - use helper to get correct region per partition (#7927)

azure

  • azure - keyvault - use list_by_subscription to enumerate vault resources with more information (#7871)

docs

  • docs - c7n-kates helm deployment docs (#7922)
  • docs - c7n_kube and c7n-kates documentation (#7883)

kubernetes

  • c7n_kube - cache - fix cache usage (#7860)
  • c7n_kube - mode/k8s-admission - add admission controller mode (#7697)
  • c7n_kube - role/cluster-role - add role and cluster role resources (#7932)

releng

  • releng - 0.9.20 pkg rebase and increment (#7852)
  • releng - c7n-kube - skaffold use the latest published version of the helm chart (#7921)
  • releng - changelog generator tweaks for shift left and tencentcloud (#7867)
  • releng - improve docker build time via better layer cache utilization (#7862)
  • releng - pin poetry and fix setup gen (#7848)
  • releng - skaffold local dev, c7n-kates container, tls for admission controller (#7885)
  • releng - tencentcloud fix pyproject.toml project urls
  • releng - update codecov action (#7918)
  • releng - update docker github actions (#7873)

shift-left

  • c7n-left - exit 1 when resources match policies (#7940)
  • c7n-left - update tfparse, json output includes resource, jmespath query on json output (#7928)
  • tools/c7n-left - refactor terraform support to subpackage (#7850)
  • tools/c7n-left - run policies on terraform (#7803)

tencentcloud

  • c7n_tencentcloud - metrics filter for CLB & NAT-gateway (#7902)
  • c7n_tencentcloud - resources - ami, nat gateway, cbs/volume snapshot (#7819)
  • c7n_tencentcloud - resources - clb & cbs - load balancer and volumes (#7809)
  • tencentcloud - security-group resource (#7877)
  • tencentcloud - tests - Add fixture for environment variables, and typos in query.py. (#7824)

tools

  • tools/c7n-org - support vars in run-script args (#7644)
  • tools/c7n_mailer - lazily import processor modules (#7857)

schema changes

cloud-custodian - 0.9.19.0

Published by thisisshi about 2 years ago

aws

  • aws - add lambda handler as parameter (#7652)
  • aws - account - lake formation cross account s3 filter (#7578)
  • aws - add cfn_type to rds-snapshot, redshift-snapshot and elastic-ip (#7758)
  • aws - apigw rest-stage config poll support (#7787)
  • aws - catalog-product - new resource (#7802)
  • aws - datalake-location - add resource, deregister action, cross-account filter (#7668)
  • aws - dlm-policy - fix tags, add tag/remove-tag actions (#7702)
  • aws - dynamodb - add consecutive daily snapshot count filter (#7720)
  • aws - ec2 - stop-protected filter for disableApiStop attribute (#7608)
  • aws - ecr - add metrics filter for ECR (#7705)
  • aws - eks - add kms filter (#7725)
  • aws - elasticsearch - filter/action on access policy source ips (#7828)
  • aws - es - add "has-statement" filter (#7751)
  • aws - fis - add mark-for-op action and marked-for-op filter (#7674)
  • aws - interpolate universal tags (#7532)
  • aws - kms - more cross account condition keys (#7666)
  • aws - lambda - add action set-xray-tracing (#7722)
  • aws - metrics - move end time to include now (#7651)
  • aws - output - try to determine bucket region without a client (#7682)
  • aws - rest-stage - add cloudtrail mode support (#7574)
  • aws - route-table - cross-az-nat-gw filter (#7499)
  • aws - s3 - config - handle missing configuration for regional specific feature sets (#7821)
  • aws - s3 - set-inventory: add additional optional fields (key status, checksum algo) (#7799)
  • aws - s3 sqs and sns - fix has-statement filter with action star (#7680)
  • aws - secretsmanager - kms filter (#7709)
  • aws - security group - ingress/egress rule filter - support list of cidr (#5971)
  • aws - sqs - fix queue url format via correct endpoint (#7766)
  • aws - sqs - set-encryption key usage consistency (#7822)
  • aws - tags filter-resources bug fix (#7740)
  • aws - user-pool/identity-pool - add support for tagging (#7673)
  • aws - wafv2 - support wildcards to support FMS (#7706)
  • aws - workspaces - fix connection-status filter when there is no status (#7675)
  • aws.rds - type: db-parameter fix cache usage (#7793)

azure

  • azure - add data to notify action (#7708)

tencentcloud

  • tencentcloud - backfill unit tests and support retry, paged query, adding tags (#7723)
  • tencentcloud - metrics filter (#7806)
  • tencentcloud - resources - cvm (#7753)
  • tencentcloud - tests - support vcr for flight recording (#7735)
  • tencentcloud - new provider skeleton (#7688)

core

  • chore - add license headers to files missing (#7718)
  • core - add directory loader (#7727)
  • core - policy var formatting preserves var type (#7832)
  • core - sqlkv cache file (#7659)
  • core - use cache context manager uniformly - resolves value-from cache err (#7711)
  • core - value-from - fix issue with sqlkv cache (#7684)

docs

  • docs - Add Slack invite link (#7746)
  • docs - tencentcloud usage readme (#7790)
  • docs - update discussions URL (#7614)

gcp

  • gcp - add data to notify action (#7708)
  • gcp - gcp.build fix and resource map cleanup (#7737)
  • gcp - offhour - support gcp resources with escaped label (#7721)

releng

  • releng - 0.9.19.0 pkg rebase (#7779)
  • releng - 0.9.19.0 release prep (#7774)
  • releng - aws - ec2 tag - fix test (#7743)
  • releng - ci - move aws functional tests to github actions and ftest fixes (#7733)
  • releng - docker - fix bad merge (#7748)
  • releng - docker - fix the dockerfile symlink (#7767)
  • releng - docker - include tencentcloud provider (#7823)
  • releng - docker - sign docker images (#7701)
  • releng - docker - swap out for buildx (#7669)
  • releng - docker - update install-poetry url (#7764)
  • releng - fix docker build action (#7712)
  • releng - fix for dockerfile after poetry update (#7715)
  • releng - fix github actions ci if statement for publishing (#7726)
  • releng - fix poetry pkg script, add test (#7843)
  • releng - make tox -e docs work on ARM64 + Python3.10 (#7781)
  • releng - roll back grpcio due to yank, switch toml import to tomli (#7782)
  • releng - update ci and docker builds to use poetry 1.2.1 (#7796)

tools

  • tools/c7n-org - warn on AuthFailure when listing regions (#7687)
  • tools/c7n_logexporter - allow user specified role for put_subscription_filter (#7657)
  • tools/c7n_mailer - support for gcp (#7538)

schema changes

Package Rankings
Top 24.19% on Formulae.brew.sh
Top 0.99% on Pypi.org
Top 4.36% on Proxy.golang.org