Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (the latter requires use of the is-locked filter).

    properties:
      selector:
        enum:
        - previous
        - date
        - locked
      selector_value:
        type: string
      type:
        enum:
        - json-diff
    required:
    - type

Permissions - config:GetResourceConfigHistory
Set flow logs for a network resource

    policies:
      - name: vpc-enable-flow-logs
        resource: vpc
        filters:
          - type: flow-logs
            enabled: false
        actions:
          - type: set-flow-log
            attrs:
              DeliverLogsPermissionArn: arn:iam:role
              LogGroupName: /custodian/vpc/flowlogs/

The attrs mapping is passed through to create_flow_log unchanged, so its keys and values follow the API documentation for that call.

    properties:
      DeliverLogsPermissionArn:
        type: string
      LogDestination:
        type: string
      LogDestinationType:
        enum:
        - s3
        - cloud-watch-logs
      LogFormat:
        type: string
      LogGroupName:
        type: string
      MaxAggregationInterval:
        type: integer
      TrafficType:
        enum:
        - ACCEPT
        - REJECT
        - ALL
        type: string
      attrs:
        type: object
      state:
        type: boolean
      type:
        enum:
        - set-flow-log
    required:
    - type

Permissions - ec2:CreateFlowLogs, logs:CreateLogGroup
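
The json-diff filter and the set-flow-log action described above, combined in one policy file. This is an added example, not taken from the Cloud Custodian documentation; the policy names, the bucket ARN and the chosen interval are constructed values, and it assumes json-diff is available on the vpc resource.

```yaml
policies:
  # Report VPCs whose recorded configuration differs from the previous
  # revision stored in AWS Config (needs config:GetResourceConfigHistory).
  - name: vpc-config-changed            # constructed name
    resource: vpc
    filters:
      - type: json-diff
        selector: previous

  # Enable flow logs on VPCs that have none, delivering to S3 instead of
  # CloudWatch Logs. S3 delivery does not use DeliverLogsPermissionArn or
  # LogGroupName, so both are omitted here.
  - name: vpc-enable-flow-logs-s3       # constructed name
    resource: vpc
    filters:
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        attrs:
          LogDestinationType: s3
          # Constructed placeholder; replace with the ARN of your log bucket.
          LogDestination: arn:aws:s3:::example-flow-log-bucket/vpc/
          # ALL records both accepted and rejected traffic, so denied
          # connection attempts are kept for later investigation.
          TrafficType: ALL
          # Seconds; the EC2 API accepts 60 or 600.
          MaxAggregationInterval: 60
```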