aws.autoscaling resources¶
aws.asg¶
Filters¶
capacity-delta¶
Filter returns ASGs that have fewer instances than desired or required.
- example
policies:
  - name: asg-capacity-delta
    resource: asg
    filters:
      - capacity-delta

properties:
  type:
    enum:
    - capacity-delta
required:
- type
image-age¶
Filter asg by image age (in days).
- example
policies:
  - name: asg-older-image
    resource: asg
    filters:
      - type: image-age
        days: 90
        op: ge

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - image-age
required:
- type
invalid¶
Filter autoscale groups to find those that are structurally invalid.
Structurally invalid means that the auto scale group will not be able to launch an instance successfully because the configuration has:
- invalid subnets
- invalid security groups
- invalid key pair name
- invalid launch config volume snapshots
- invalid amis
- invalid health check elb (slower)
Internally this tries to reuse other resource managers for better cache utilization.
- example
policies:
  - name: asg-invalid-config
    resource: asg
    filters:
      - invalid

properties:
  type:
    enum:
    - invalid
required:
- type
launch-config¶
Filter asg by launch config attributes.
This will also filter to launch template data in addition to launch configurations.
- example
policies:
  - name: launch-configs-with-public-address
    resource: asg
    filters:
      - type: launch-config
        key: AssociatePublicIpAddress
        value: true

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - launch-config
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
not-encrypted¶
Check if an ASG is configured to have unencrypted volumes.
Checks both the ami snapshots and the launch configuration.
- example
policies:
  - name: asg-unencrypted
    resource: asg
    filters:
      - type: not-encrypted
        exclude_image: true

properties:
  exclude_image:
    type: boolean
  type:
    enum:
    - not-encrypted
required:
- type
progagated-tags¶
Filter ASG based on propagated tags.
This filter is designed to find all autoscaling groups that have a list of tag keys (provided) that are set to propagate to new instances. Using this makes it easy to validate that ASG tag sets are in place across an account for compliance.
- example
policies:
  - name: asg-non-propagated-tags
    resource: asg
    filters:
      - type: propagated-tags
        keys: ["ABC", "BCD"]
        match: false
        propagate: true

properties:
  keys:
    items:
      type: string
    type: array
  match:
    type: boolean
  propagate:
    type: boolean
  type:
    enum:
    - progagated-tags
    - propagated-tags
required:
- type
user-data¶
Filter on ASGs whose launch configs have matching userdata. Note: It is highly recommended to use regexes with the ?sm flags, since Custodian uses re.match() and userdata spans multiple lines.
- example
policies:
  - name: lc_userdata
    resource: asg
    filters:
      - type: user-data
        op: regex
        value: (?smi).*password=
    actions:
      - delete

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - user-data
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
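The user-data note about re.match() and multi-line userdata, worked through as an added example (not Custodian's own code). The launch configurations are constructed samples, `userdata_matches` and `flagged` are hypothetical helpers, and matching is modelled as a plain re.match() over the base64-decoded text.

```python
import base64
import re

def b64(text):
    # The Auto Scaling API returns UserData base64-encoded.
    return base64.b64encode(text.encode()).decode()

# Constructed launch configurations; names and values are made up.
LAUNCH_CONFIGS = [
    {"LaunchConfigurationName": "lc-secret-on-line-3",
     "UserData": b64("#!/bin/bash\nyum -y update\nexport db_password=EXAMPLE\n")},
    {"LaunchConfigurationName": "lc-secret-on-line-1",
     "UserData": b64("db_password=EXAMPLE ./bootstrap.sh\nyum -y update\n")},
    {"LaunchConfigurationName": "lc-clean",
     "UserData": b64("#!/bin/bash\nyum -y update\n")},
    {"LaunchConfigurationName": "lc-no-userdata"},
]

def userdata_matches(launch_config, pattern):
    """Apply re.match() to the decoded user data, as the note describes.

    re.match() only tests from position 0, and '.' does not cross a newline
    unless the DOTALL flag (?s) is set.
    """
    encoded = launch_config.get("UserData")
    if not encoded:
        return False  # nothing to inspect
    text = base64.b64decode(encoded).decode("utf-8", errors="replace")
    return re.match(pattern, text) is not None

def flagged(pattern, configs=LAUNCH_CONFIGS):
    """Names of launch configurations whose user data matches the pattern."""
    return [c["LaunchConfigurationName"] for c in configs
            if userdata_matches(c, pattern)]

if __name__ == "__main__":
    for pattern in ("password=", ".*password=", "(?smi).*password="):
        print(f"{pattern!r:24} -> {flagged(pattern)}")
```

A pattern without the flags only catches a secret that happens to sit on the first line, so a policy tested against a one-line sample can pass review and still miss real launch configurations.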
valid¶
Filters autoscale groups to find those that are structurally valid.
This operates as the inverse of the invalid filter for multi-step workflows.
See details on the invalid filter for a list of checks made.
- example
policies:
  - name: asg-valid-config
    resource: asg
    filters:
      - valid

properties:
  type:
    enum:
    - valid
required:
- type
vpc-id¶
Filters ASG based on the VpcId
This filter is available as a ValueFilter as the vpc-id is not natively associated to the results from describing the autoscaling groups.
- example
policies:
  - name: asg-vpc-xyz
    resource: asg
    filters:
      - type: vpc-id
        value: vpc-12ab34cd

properties:
  default:
    type: object
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - vpc-id
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
Actions¶
delete¶
Action to delete an ASG
The ‘force’ parameter is needed when deleting an ASG that has instances attached to it.
- example
policies:
  - name: asg-delete-bad-encryption
    resource: asg
    filters:
      - type: not-encrypted
        exclude_image: true
    actions:
      - type: delete
        force: true

properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type
mark-for-op¶
Action to create a delayed action for a later date
- example
policies:
  - name: asg-suspend-schedule
    resource: asg
    filters:
      - type: value
        key: MinSize
        value: 2
    actions:
      - type: mark-for-op
        tag: custodian_suspend
        message: "Suspending: {op}@{action_date}"
        op: suspend
        days: 7

properties:
  days:
    minimum: 0
    type: number
  hours:
    minimum: 0
    type: number
  key:
    type: string
  message:
    type: string
  op:
    type: string
  tag:
    type: string
  type:
    enum:
    - mark-for-op
  tz:
    type: string
required:
- type
propagate-tags¶
Propagate tags to an ASG's instances.
In AWS, changing an ASG tag does not propagate to instances.
This action exists to do that, and can also trim older tags that are no longer present on the ASG but are still present on instances.
- example
policies:
  - name: asg-propagate-required
    resource: asg
    filters:
      - "tag:OwnerName": present
    actions:
      - type: propagate-tags
        tags:
          - OwnerName

properties:
  tags:
    items:
      type: string
    type: array
  trim:
    type: boolean
  type:
    enum:
    - propagate-tags
required:
- type
remove-tag¶
Action to remove tag/tags from an ASG
- example
policies:
  - name: asg-remove-unnecessary-tags
    resource: asg
    filters:
      - "tag:UnnecessaryTag": present
    actions:
      - type: remove-tag
        key: UnnecessaryTag

properties:
  key:
    type: string
  tags:
    items:
      type: string
    type: array
  type:
    enum:
    - remove-tag
    - untag
    - unmark
required:
- type
rename-tag¶
Rename a tag on an AutoScaleGroup.
- example
policies:
  - name: asg-rename-owner-tag
    resource: asg
    filters:
      - "tag:OwnerNames": present
    actions:
      - type: rename-tag
        propagate: true
        source: OwnerNames
        dest: OwnerName

properties:
  dest:
    type: string
  propagate:
    type: boolean
  source:
    type: string
  type:
    enum:
    - rename-tag
required:
- source
- dest
- type
resize¶
Action to resize the min/max/desired instances in an ASG
There are several ways to use this action:

- set min/desired to current running instances

policies:
  - name: asg-resize
    resource: asg
    filters:
      - capacity-delta
    actions:
      - type: resize
        desired-size: "current"

- apply a fixed resize of min, max or desired, optionally saving the previous values to a named tag (for restoring later):

policies:
  - name: offhours-asg-off
    resource: asg
    filters:
      - type: offhour
        offhour: 19
        default_tz: bst
    actions:
      - type: resize
        min-size: 0
        desired-size: 0
        save-options-tag: OffHoursPrevious

- restore previous values for min/max/desired from a tag:

policies:
  - name: offhours-asg-on
    resource: asg
    filters:
      - type: onhour
        onhour: 8
        default_tz: bst
    actions:
      - type: resize
        restore-options-tag: OffHoursPrevious

properties:
  desired-size:
    anyOf:
    - enum:
      - current
    - minimum: 0
      type: integer
  desired_size:
    anyOf:
    - enum:
      - current
    - minimum: 0
      type: integer
  max-size:
    minimum: 0
    type: integer
  min-size:
    minimum: 0
    type: integer
  restore-options-tag:
    type: string
  save-options-tag:
    type: string
  type:
    enum:
    - resize
required:
- type
resume¶
Resume a suspended autoscale group and its instances
Parameter ‘delay’ is the amount of time (in seconds) to wait between resuming instances in the ASG and restarting the internal ASG processes, which gives some grace period before health checks turn on within the ASG (default value: 30).
- example
policies:
  - name: asg-resume-processes
    resource: asg
    filters:
      - "tag:Resume": present
    actions:
      - type: resume
        delay: 300

properties:
  delay:
    type: number
  type:
    enum:
    - resume
required:
- type
suspend¶
Action to suspend ASG processes and instances
- AWS ASG suspend/resume and process docs: https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html
- example
policies:
  - name: asg-suspend-processes
    resource: asg
    filters:
      - "tag:SuspendTag": present
    actions:
      - type: suspend

properties:
  exclude:
    items:
      enum:
      - Launch
      - Terminate
      - HealthCheck
      - ReplaceUnhealthy
      - AZRebalance
      - AlarmNotification
      - ScheduledActions
      - AddToLoadBalancer
    title: ASG Processes to not suspend
    type: array
  type:
    enum:
    - suspend
required:
- type
tag¶
Action to add a tag to an ASG
The propagate parameter can be used to specify that the tag being added will need to be propagated down to each ASG instance associated or simply to the ASG itself.
- example
policies:
  - name: asg-add-owner-tag
    resource: asg
    filters:
      - "tag:OwnerName": absent
    actions:
      - type: tag
        key: OwnerName
        value: OwnerName
        propagate: true

properties:
  key:
    type: string
  msg:
    type: string
  propagate:
    type: boolean
  tag:
    type: string
  tags:
    type: object
  type:
    enum:
    - tag
    - mark
  value:
    type: string
required:
- type
aws.launch-config¶
Filters¶
age¶
Filter ASG launch configuration by age (in days)
- example
policies:
  - name: asg-launch-config-old
    resource: launch-config
    filters:
      - type: age
        days: 90
        op: ge

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - age
required:
- type
unused¶
Filters all launch configurations that are not in use but exist
- example
policies:
  - name: asg-unused-launch-config
    resource: launch-config
    filters:
      - unused

properties:
  type:
    enum:
    - unused
required:
- type