aws.fsx
Filters
consecutive-aws-backups
Returns resources where the number of consecutive backups (based on the periodicity defined in the filter) is equal to or greater than n units. This filter supports resources that use the AWS Backup service for backups.
- example:
policies:
  - name: dynamodb-consecutive-aws-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-aws-backups
        count: 7
        period: days
        status: 'COMPLETED'

properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - COMPLETED
    - PARTIAL
    - DELETING
    - EXPIRED
  type:
    enum:
    - consecutive-aws-backups
required:
- count
- period
- status
- type
Permissions - backup:ListRecoveryPointsByResource
consecutive-backups
Returns FSx resources whose consecutive daily backups span n days or more.
- example:
policies:
  - name: fsx-daily-backup-count
    resource: fsx
    filters:
      - type: consecutive-backups
        days: 5
    actions:
      - notify

properties:
  days:
    minimum: 1
    type: number
  type:
    enum:
    - consecutive-backups
required:
- days
- type
Permissions - fsx:DescribeBackups, fsx:DescribeVolumes
kms-key
Filter a resource by its associated KMS key and, optionally, by the alias name of that key using 'c7n:AliasName'.
- example:
Match a specific key alias:
policies:
  - name: dms-encrypt-key-check
    resource: dms-instance
    filters:
      - type: kms-key
        key: "c7n:AliasName"
        value: alias/aws/dms
Or match against native key attributes such as KeyManager, which
more explicitly distinguishes between AWS and CUSTOMER-managed
keys. The above policy can also be written as:
policies:
  - name: dms-aws-managed-key
    resource: dms-instance
    filters:
      - type: kms-key
        key: KeyManager
        value: AWS

properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey
Actions
backup
Create Backups of File Systems
Tags are specified as key-value pairs, e.g.: BackupSource: CloudCustodian
- example:
policies:
  - name: backup-fsx-resource
    comment: |
      creates a backup of fsx resources and
      copies tags from file system to the backup
    resource: fsx
    actions:
      - type: backup
        copy-tags: True
        tags:
          BackupSource: CloudCustodian
  - name: backup-fsx-resource-copy-specific-tags
    comment: |
      creates a backup of fsx resources and
      copies tags from file system to the backup
    resource: fsx
    actions:
      - type: backup
        copy-tags:
          - Application
          - Owner
          # or use '*' to specify all tags
        tags:
          BackupSource: CloudCustodian

properties:
  copy-tags:
    oneOf:
    - type: boolean
    - items:
        type: string
      type: array
  tags:
    type: object
  type:
    enum:
    - backup
required:
- type
Permissions - fsx:CreateBackup
delete
Delete Filesystems
If force is set to True, this action will attempt to delete all dependencies necessary to delete the file system.
You can override the default retry settings for deletion by specifying retry-delay (default: 1 second; 30 seconds if force is True) and retry-max-attempts (default: 1; 10 if force is True). Adjust the retry settings as necessary when force is set to True: FSx for ONTAP takes extra time to delete all volumes before it can delete the file system, and OpenZFS takes extra time to delete S3 access points.
Note:
If skip-snapshot is set to True, no final snapshot will be created.
FSx for ONTAP resources do not create snapshot backups on deletion even if skip-snapshot is set to False.
FSx for Lustre resources using the Scratch deployment type do not support final backups on deletion. Set force to True to delete these when skip-snapshot is set to False.
Annotated Permissions:
fsx:DeleteFileSystem (required)
fsx:CreateBackup (if skip-snapshot is False or not set)
fsx:DescribeStorageVirtualMachines (if force is True for ONTAP)
fsx:DeleteStorageVirtualMachine (if force is True for ONTAP)
fsx:DescribeVolumes (if force is True for ONTAP and OpenZFS)
fsx:DeleteVolume (if force is True for ONTAP and OpenZFS)
fsx:DescribeS3AccessPointAttachments (if force is True for OpenZFS)
fsx:DetachAndDeleteS3AccessPoint (if force is True for OpenZFS)
s3:DeleteAccessPoint (if force is True for OpenZFS)
- example:
policies:
  - name: delete-fsx-instance-with-snapshot
    resource: fsx
    filters:
      - FileSystemId: fs-1234567890123
    actions:
      - type: delete
        copy-tags:
          - Application
          - Owner
        tags:
          DeletedBy: CloudCustodian
  - name: delete-fsx-instance-skip-snapshot
    resource: fsx
    filters:
      - FileSystemId: fs-1234567890123
    actions:
      - type: delete
        force: True
        retry-delay: 30
        retry-max-attempts: 10
        skip-snapshot: True

properties:
  copy-tags:
    oneOf:
    - items:
        type: string
      type: array
    - type: boolean
  force:
    type: boolean
  retry-delay:
    minimum: 1
    type: number
  retry-max-attempts:
    minimum: 1
    type: number
  skip-snapshot:
    type: boolean
  tags:
    type: object
  type:
    enum:
    - delete
required:
- type
Permissions - fsx:DeleteFileSystem, fsx:CreateBackup, fsx:DescribeStorageVirtualMachines, fsx:DeleteStorageVirtualMachine, fsx:DescribeVolumes, fsx:DeleteVolume, fsx:DescribeS3AccessPointAttachments, fsx:DetachAndDeleteS3AccessPoint, s3:DeleteAccessPoint
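The flat permission list above is the union over every option. As an added example (not part of Cloud Custodian), the helper below derives the narrower set a given delete action needs from the Annotated Permissions list, for scoping the execution role. The function names, the statement id, the "*" resource and the use of the FSx API's FileSystemType values (WINDOWS, LUSTRE, ONTAP, OPENZFS) as input are assumptions of this example; permissions for enumerating resources or running filters are not covered.

```python
import json

# Transcribed from the delete action's "Annotated Permissions" list:
# (IAM action, file system types that need it when force is True).
FORCE_RULES = [
    ("fsx:DescribeStorageVirtualMachines", {"ONTAP"}),
    ("fsx:DeleteStorageVirtualMachine", {"ONTAP"}),
    ("fsx:DescribeVolumes", {"ONTAP", "OPENZFS"}),
    ("fsx:DeleteVolume", {"ONTAP", "OPENZFS"}),
    ("fsx:DescribeS3AccessPointAttachments", {"OPENZFS"}),
    ("fsx:DetachAndDeleteS3AccessPoint", {"OPENZFS"}),
    ("s3:DeleteAccessPoint", {"OPENZFS"}),
]


def delete_permissions(action, fs_types):
    """IAM actions needed by one `type: delete` block for the given file system types."""
    if action.get("type") != "delete":
        raise ValueError("not a delete action")
    for key in ("retry-delay", "retry-max-attempts"):
        if action.get(key, 1) < 1:  # schema: minimum 1
            raise ValueError(f"{key} must be >= 1")
    fs_types = {t.upper() for t in fs_types}
    perms = ["fsx:DeleteFileSystem"]  # always required
    if not action.get("skip-snapshot", False):
        perms.append("fsx:CreateBackup")  # skip-snapshot is False or not set
    if action.get("force", False):
        perms += [p for p, types in FORCE_RULES if types & fs_types]
    return perms


def iam_policy(action, fs_types):
    """Policy document for the above; Resource '*' is a placeholder to narrow per account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CustodianFsxDelete",  # hypothetical statement id
            "Effect": "Allow",
            "Action": delete_permissions(action, fs_types),
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    # Constructed input: force delete without a final snapshot, OpenZFS in scope.
    opts = {"type": "delete", "force": True, "skip-snapshot": True}
    print(json.dumps(iam_policy(opts, {"OPENZFS"}), indent=2))
```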
update
Update FSx resource configurations
- example:
policies:
  - name: update-fsx-resource
    resource: fsx
    actions:
      - type: update
        WindowsConfiguration:
          AutomaticBackupRetentionDays: 1
          DailyAutomaticBackupStartTime: '04:30'
          WeeklyMaintenanceStartTime: '04:30'
        LustreConfiguration:
          WeeklyMaintenanceStartTime: '04:30'
Reference: https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html
properties:
  LustreConfiguration:
    type: object
  WindowsConfiguration:
    type: object
  type:
    enum:
    - update
required:
- type
Permissions - fsx:UpdateFileSystem