Merge pull request #33 from newscorp-ghfb/develop

policy - fix tag:custodian-policy not deployed
newscorp-ghfb · Mar 18, 2022 · 4a9fdc7 · 4a9fdc7
2 parents e17bc41 + a6b54d2
commit 4a9fdc7
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -70,6 +70,7 @@ To avoid any unnecessary code conflict while merging upstream changes, we must f
 
 - support org level vars in config file
 - c7n-org supports the argument not-accounts
+- c7n-org - fix NoCredentialsError when getting creds from instance profile too frequently
 
 ### c7n_gcp
 

diff --git a/c7n/policy.py b/c7n/policy.py
@@ -517,8 +517,8 @@ def provision(self):
                     lambda assume=False: self.policy.session_factory(assume))
 
             # NOTE introduce tag:custodian-policy as version to avoid massive re-deployments
-            existing = manager.get(self.policy_lambda(self.policy).name)
-            if tags.get("custodian-policy") and tags.get("custodian-policy") == existing.get("Tags", {}).get("custodian-policy"):
+            deployed = manager.get(self.policy_lambda(self.policy).name)
+            if tags.get("custodian-policy") and deployed and tags.get("custodian-policy") == deployed.get("Tags", {}).get("custodian-policy"):
                 self.policy.log.info("Skipped due to no changes to tag:custodian-policy")
                 return
 

diff --git a/c7n/query.py b/c7n/query.py
@@ -441,6 +441,7 @@ class QueryResourceManager(ResourceManager, metaclass=QueryMeta):
 
     retry = staticmethod(
         get_retry((
+            'TooManyRequestsException',
             'ThrottlingException',
             'RequestLimitExceeded',
             'Throttled',

diff --git a/tools/c7n_azure/c7n_azure/provisioning/function_app.py b/tools/c7n_azure/c7n_azure/provisioning/function_app.py
@@ -49,6 +49,7 @@ def _provision(self, params):
         # consumption app plan
         if params['is_consumption_plan']:
             functionapp_def.kind = 'functionapp,linux'
+            site_config.linux_fx_version = FUNCTION_DOCKER_VERSION
         # dedicated app plan
         else:
             functionapp_def.kind = 'functionapp,linux,container'

diff --git a/tools/c7n_azure/tests_azure/azure-functions/templates/policies.yaml b/tools/c7n_azure/tests_azure/azure-functions/templates/policies.yaml
@@ -5,6 +5,9 @@ policies:
         type: azure-event-grid
         events: ['ResourceGroupWrite']
         provision-options:
+          identity:
+            type: UserAssigned
+            id: ${identity_name}
           servicePlan:
             resourceGroupName: ${rg_name}-consumption
     filters:
@@ -21,6 +24,9 @@ policies:
         type: azure-event-grid
         events: ['ResourceGroupWrite']
         provision-options:
+          identity:
+            type: UserAssigned
+            id: ${identity_name}
           servicePlan:
             resourceGroupName: ${rg_name}-dedicated
             skuName: S2
@@ -39,6 +45,9 @@ policies:
         type: azure-periodic
         schedule: '0 */5 * * * *'
         provision-options:
+          identity:
+            type: UserAssigned
+            id: ${identity_name}
           servicePlan:
             resourceGroupName: ${rg_name}-consumption
     filters:
@@ -55,6 +64,9 @@ policies:
         type: azure-periodic
         schedule: '0 */5 * * * *'
         provision-options:
+          identity:
+            type: UserAssigned
+            id: ${identity_name}
           servicePlan:
             resourceGroupName: ${rg_name}-dedicated
             skuName: S2

diff --git a/tools/c7n_azure/tests_azure/azure-functions/test_functions.sh b/tools/c7n_azure/tests_azure/azure-functions/test_functions.sh
@@ -3,6 +3,8 @@
 set -e
 
 rg_name=cloud-custodian-test-functions-$RANDOM
+rg_identity_name="${rg_name}-identity"
+identity_name="c7n-identity"
 
 function cleanup {
     set +e
@@ -11,13 +13,20 @@ function cleanup {
     $(az group delete -n ${rg_name} -y)
     $(az group delete -n ${rg_name}-dedicated -y)
     $(az group delete -n ${rg_name}-consumption -y)
+    $(az group delete -n ${rg_identity_name}-consumption -y)
 }
 trap cleanup EXIT
 
 echo "Logging to Azure"
 az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID -o none
 az account set -s $AZURE_SUBSCRIPTION_ID -o none
 
+echo "Creating user managed identity"
+az group create -l westus -n ${rg_identity_name} -o none
+identity_principal=$(az identity create -g ${rg_identity_name} --name ${identity_name} --query clientId -o tsv)
+sleep 60
+az role assignment create --assignee-object-id ${identity_principal} --assignee-principal-type "ServicePrincipal" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}" -o None
+
 eval "echo \"$(cat templates/policies.yaml)\"" > policies.yaml
 
 echo "Running Cloud Custodian"