Cloud Custodian 0.9.18.0

[ajkerrigan]

aws

This release includes a change that requires the GetBucketLocation permission on the output bucket when using the s3 output. If you are missing this permission and are doing cross account outputs to s3, ensure that your custodian role has GetBucketLocation permission for the target bucket.

aws

• aws - account - check-macie filter - return empty list if doesn't match (aws - account - return empty list if check-macie doesn't match #7536)
• aws - artifact - fix cfn type metadata (aws - artifact - fix cfn type metadata #7560)
• aws - asg - fix tagging interpolate values (aws - asg - fix tagging interpolate values #7543)
• aws - cloudfront - post-finding fix webacl attribute (aws - cloudfront - post-finding fix webacl attribute #7576)
• aws - cloudfront - support fetching with arns for trail mode (aws - cloudfront - support fetching with arns #7588)
• aws - config poll rule fix - remove evals for deleted resources (Config poll rule fix #7500)
• aws - connect-instance - new resource and instance-attribute filter (AWS - Connect - Create new Connect resource and instance-attribute filter #7561)
• aws - ec2 - terminate - fix usage of batch (fix: terminate only 'batch' number of instances a request #7607)
• aws - ec2 - terminate - minimize api calls with force option re disabling stop/termination protection (Only disable Stop/Termination Protection only when necessary #7627)
• aws - ec2 - terminate with force also disables stop protection (Make Terminate force=True work with Stop Protection #7598)
• aws - event-rule - invalid target filter - handle unknown arns and add event-bus as a valid target (aws.event-rule | Filter unknown arns and add event-bus as a valid target #7622)
• aws - filters - add aws:SourceAccount support to cross-account filter (aws - filters - add aws:SourceAccount support to cross-account filter #7611)
• aws - fsx - add consecutive-backups filter (Fsx backup checks #7252)
• aws - fsx subnet filter (aws - fsx subnet filter #7552)
• aws - kinesis - config source attribute adaptation fix (aws - kinesis - config source attribute adaptation fix #7575)
• aws - metrics - align metric window with cloudwatch retention schedule (aws - metrics - align metric window with cloudwatch retention schedule #7307)
• aws - mu - add waiter to lambda creation to support aws lamdba states (aws - mu - add waiter to lambda creation to support AWS Lamdba states #7539)
• aws - output - read bucket region prior to creating session (aws - output - read bucket region prior to creating session #7524)
• aws - quotas - include aws default service quotas (aws - quotas - include aws default service quotas #7572)
• aws - quotas - update quotas onto the default quotas (aws - quotas - update quotas onto the default quotas #7645)
• aws - rest-api - cross-account filter - handle policy mangling and use correct default (aws - apigw cross-account, handle policy mangling and use correct default #7632)
• aws - s3 - fix bucket-encryption filter for when encrypt config present but absent a kms key (Get Bucket Encryption Fails When No Encryption Configuration Is Present but KMS Bucket Key is Enabled #7592)
• aws - skip invalid tags dates instead of failing policy also flake8 fixes (fix: skip incorrect action_date instead of failing c7n #7594)
• aws - sns and sqs - add "has-statement" filter (aws - sns and sqs- add reusable "has-statement" filter #7525)
• aws - vpc - flow-logs - fix LogDestination key error (aws - vpc - flow-logs - bugfix LogDestination key error #7569)
• aws - waf/wafv2 - set-waf action for apigateway, cloudfront and elb resources (aws - waf/wafv2 - ability to associate apigateway, cloudfront and elb resources between waf and wafv2 web-acls #7519)
• aws - workspaces - Create filter for workspaces directory connection aliases (AWS - Workspaces - Create filter for workspaces directory connection aliases #7460)

core

• c7n-org - report - don't overwrite when merging account tags to resource (c7n-org - no overwrite when merge acct tags to resource result #7642)
• core - output - refactor to move write_file to blob handlers. (chore: cleanup the blob output handlers. #7579)
• core - offhour - support escaped tag restricted values with translation map (offhour - escape tag restricted chars with uxx #7631)
• core - structural validate handle explicit null filters or actions (core - structural validate handle explicit null filters or actions #7570)

docs

• docs - add Darren Dao as a maintainer (Add Darren Dao as a maintainer #7565)
• docs - add castrojo as an additional admin contact for the project (Add myself as admin contact for the project #7613)
• docs - remove references to Python 3.6 and point to upstream python support schedule instead (docs - remove references to Python 3.6 and point to upstream docs instead #7537)
• docs - update developer install docs (docs - update developer install docs #7522)
• docs - update example to use policy conditions instead of region top level key (docs - update example to use policy conditions instead of region top level key #7517)

gcp

• gcp - gcp-periodic - trigger type is http, fix for delta_resource, require service-account (gcp - gcp-periodic - trigger type is http, fix for delta_resource, require service-account #7498)
• gcp - gke - support resourceLabels as labels (gcp - labels - support resourceLabels for gke #7534)
• gcp - marked-for-op - fix to support actions and templates with hyphens (gcp - marked-for-op - fix to support actions with hyphens #7637)
• gcp - metrics - fix start/end time now need to end with Z (gcp - metrics - start/end time need to end with Z #7629)
• gcp - sql - Add labels filters and actions to the GCP SQL (gcp - sql - Add labels filters and actions to the GCP SQL  #7556)
• gcp - sql - fix augment labels ( gcp - sql - fix augment function in GCP SQL #7624)
• gcp - support GCP_PROJECT env var (gcp - also get project id from GCP_PROJECT env #7630)

releng

• releng - 0.9.18.0 - prep for release (release - 0.9.18.0 - prep for release 0.9.18 #7602)
• releng - bump package versions for 0.9.18.0 (releng - bump package versions for 0.9.18.0 #7636)
• releng - docker update poetry version and update ubuntu base image (releng - docker update poetry version and update ubuntu base image #7619)
• releng - docs build - update cache keys to address stale cache issue (releng - docs build - update cache keys to address stale cache issue #7621)
• releng - update policystream to use 22.04 and remove libgit compilation (releng - update policystream to use 22.04 and remove libgit compilation #7605)

tools

• mailer - fix - change default value to {} for dict (mailer - fix - change default value to {} for dict #7518)
• tools/c7n-mailer - fix exception with null to in notify action (tools/c7n-mailer - fix null exception of notify_action_to #7586)
• tools/c7n_mailer - jinja get_date_age support seconds (mailer - jinja get_date_age support seconds #7643)
• tools/c7n_mailer - slack delivery - allow using email address in tag's value (slack_delivery: Allow using email address in tag's value  #7221)

schema changes

• aws.connect-instance added
• aws.artifact-repo
  • added filters: config-compliance
• aws.batch-compute
  • added filters: json-diff
• aws.batch-queue
  • added filters: json-diff
• aws.fsx
  • added filters: consecutive-backups, subnet
• aws.kafka
  • added filters: json-diff
• aws.rest-stage
  • added actions: set-waf
  • added filters: waf-enabled
• aws.sagemaker-model
  • added filters: json-diff
• aws.sns
  • added filters: has-statement
• aws.sqs
  • added filters: has-statement
• aws.step-machine
  • added filters: json-diff
• aws.workspaces
  • added filters: json-diff
• aws.workspaces-directory
  • added filters: connection-aliases
• gcp.sql-instance
  • added actions: mark-for-op, set-labels
  • added filters: marked-for-op

---

This discussion was created from the release 0.9.18.0.

[MichaelDavisTSN]

After moving to 9.18, I'm getting errors running in regions other than us-east-1, and logs are not writing for those regions:

2022-08-16 11:07:55,005: c7n_org:WARNING Access denied api:GetBucketLocation policy:ec2-owner-win account: region:us-east-2

[ajkerrigan]

Thanks for mentioning this here in addition to Gitter. This is a perfect use of a release discussion 👍 . #7682 is in the works to help make those region checks a bit smoother.