AWS Cloud Control Common Actions

Actions

auto-tag-user

Tag a resource with the user who created/modified it.

policies:
  - name: ec2-auto-tag-ownercontact
    resource: ec2
    description: |
      Triggered when a new EC2 Instance is launched. Checks to see if
      it's missing the OwnerContact tag. If missing it gets created
      with the value of the ID of whomever called the RunInstances API
    mode:
      type: cloudtrail
      role: arn:aws:iam::123456789000:role/custodian-auto-tagger
      events:
        - RunInstances
    filters:
     - tag:OwnerContact: absent
    actions:
     - type: auto-tag-user
       tag: OwnerContact

There are a number of caveats to usage. Resources whose API does not include tagging as part of creation may see some delay before automation kicks in to create a tag. Real-world delay may be several minutes, with the worst case running into hours[0]. This creates a race condition between auto tagging and other automation.

In practice this window is on the order of a fraction of a second, as we fetch the resource and evaluate the presence of the tag before attempting to tag it.
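To make the user-type and value options concrete, here is an added Python illustration (not Cloud Custodian's own code) of deriving the tag value from a CloudTrail RunInstances event, including the presence check that bounds the race window described above. The three events are constructed, and the fallback to the last ARN segment for assumed roles is this example's own convention.

```python
import json

# Three constructed CloudTrail-style events (not real log data): an IAM
# user, an assumed role and the account root calling RunInstances.
SAMPLE_EVENTS = [json.loads(s) for s in (
    '{"eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",'
    ' "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",'
    ' "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"}}',
    '{"eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",'
    ' "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ci-session",'
    ' "arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/ci-session"}}',
    '{"eventName": "RunInstances", "sourceIPAddress": "192.0.2.5",'
    ' "userIdentity": {"type": "Root", "principalId": "123456789012",'
    ' "arn": "arn:aws:iam::123456789012:root"}}',
)]

ALL_USER_TYPES = ("IAMUser", "AssumedRole", "FederatedUser")


def principal_value(event, value="userName", user_types=ALL_USER_TYPES):
    """Pick the tag value from the calling identity, or None when the
    caller's identity type is not one we tag (e.g. Root)."""
    ident = event.get("userIdentity", {})
    if ident.get("type") not in user_types:
        return None
    if value == "sourceIPAddress":
        return event.get("sourceIPAddress")
    if value == "userName":
        # Assumed roles carry no userName field; this example falls back
        # to the last ARN segment (the session name) as its own convention.
        name = ident.get("userName")
        if not name and ident.get("arn"):
            name = ident["arn"].rsplit("/", 1)[-1]
        return name
    return ident.get(value)  # "arn" or "principalId"


def auto_tag(tags, event, tag="OwnerContact", value="userName",
             update=False, user_types=ALL_USER_TYPES):
    """Return the resource's tags after the auto-tag-user decision.
    Checking for the tag right before writing it is what keeps the race
    window with other automation to a fraction of a second."""
    new = dict(tags)
    if tag in new and not update:
        return new
    v = principal_value(event, value, user_types)
    if v is not None:
        new[tag] = v
    return new


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["userIdentity"]["type"], "->", auto_tag({}, ev))
```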

properties:
  principal_id_tag:
    type: string
  tag:
    type: string
  type:
    enum:
    - auto-tag-user
  update:
    type: boolean
  user-type:
    items:
      enum:
      - IAMUser
      - AssumedRole
      - FederatedUser
      type: string
    type: array
  value:
    enum:
    - userName
    - arn
    - sourceIPAddress
    - principalId
    type: string
required:
- tag
- type

mark-for-op

Tag resources for future action.

The optional ‘tz’ parameter can be used to adjust the clock to align with a given timezone. The default value is ‘utc’.

If neither ‘days’ nor ‘hours’ is specified, Cloud Custodian will default to marking the resource for action 4 days in the future.

policies:
  - name: ec2-mark-for-stop-in-future
    resource: ec2
    filters:
      - type: value
        key: Name
        value: instance-to-stop-in-four-days
    actions:
      - type: mark-for-op
        op: stop
properties:
  days:
    minimum: 0
    type: number
  hours:
    minimum: 0
    type: number
  msg:
    type: string
  op:
    type: string
  tag:
    type: string
  type:
    enum:
    - mark-for-op
  tz:
    type: string
required:
- type

normalize-tag

Transform the value of a tag.

Set the tag value to upper case, title case, or lower case, or strip text from the value of a tag key.

policies:
  - name: ec2-service-transform-lower
    resource: ec2
    comment: |
      ec2-service-tag-value-to-lower
    query:
      - instance-state-name: running
    filters:
      - "tag:testing8882": present
    actions:
      - type: normalize-tag
        key: lower_key
        action: lower

  - name: ec2-service-strip
    resource: ec2
    comment: |
      ec2-service-tag-strip-blah
    query:
      - instance-state-name: running
    filters:
      - "tag:testing8882": present
    actions:
      - type: normalize-tag
        key: strip_key
        action: strip
        value: blah
properties:
  action:
    items:
      enum:
      - upper
      - lower
      - title
      - strip
      - replace
    type: string
  key:
    type: string
  type:
    enum:
    - normalize-tag
  value:
    type: string
required:
- type

remove-tag

Remove tags from ec2 resources.

properties:
  tags:
    items:
      type: string
    type: array
  type:
    enum:
    - remove-tag
    - unmark
    - untag
required:
- type

rename-tag

Create a new tag with the identical value and remove the old tag.

properties:
  new_key:
    type: string
  old_key:
    type: string
  type:
    enum:
    - rename-tag
required:
- type

tag

Tag an ec2 resource.

properties:
  key:
    type: string
  tag:
    type: string
  tags:
    type: object
  type:
    enum:
    - tag
    - mark
  value:
    type: string
required:
- type

tag-trim

Automatically remove tags from an ec2 resource.

EC2 resources have a limit of 50 tags. In order to make room for additional tags on a set of resources, this action can be used to remove enough tags to free the desired number of slots while preserving a given set of tags.

policies:
  - name: ec2-tag-trim
    comment: |
      Any instances with 48 or more tags get tags removed until
      they match the target tag count, in this case 47, so that
      we free up a tag slot for another usage.
    resource: ec2
    filters:
      # Filter down to resources which already have 48 tags
      # as we need space for 3 more; this also ensures that
      # metrics reporting is correct for the policy.
      - type: value
        key: "length(Tags)"
        op: ge
        value: 48
    actions:
      - type: tag-trim
        space: 3
        preserve:
          - OwnerContact
          - ASV
          - CMDBEnvironment
          - downtime
          - custodian_status
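As an added illustration (not the project's own implementation), the following Python works out which keys a tag-trim with space 3 would have to remove from a 48-tag instance like the one the policy above targets, never touching the preserve list. The tag set is constructed, and skipping AWS-reserved "aws:"-prefixed keys (which the caller cannot delete) is this example's own assumption.

```python
# Constructed tag set: the 5 preserved keys plus 43 generic keys = 48 tags,
# exactly the threshold the policy's length(Tags) filter matches on.
PRESERVE = ["OwnerContact", "ASV", "CMDBEnvironment", "downtime", "custodian_status"]
SAMPLE_TAGS = {k: "keep" for k in PRESERVE}
SAMPLE_TAGS.update({"tag%02d" % i: "v" for i in range(43)})

EC2_TAG_LIMIT = 50  # per-resource tag limit stated on the page


def tags_to_remove(tags, space, preserve, limit=EC2_TAG_LIMIT):
    """Return the keys to delete so that at least `space` of the `limit`
    slots are free. Preserved keys and AWS-reserved 'aws:' keys (assumed
    undeletable by the caller) are never chosen; removal order is the
    sorted key order so the result is deterministic between runs."""
    if space < 0 or space > limit:
        raise ValueError("space must be between 0 and %d" % limit)
    excess = len(tags) - (limit - space)
    if excess <= 0:
        return []  # already enough free slots, nothing to do
    candidates = sorted(k for k in tags
                        if k not in preserve and not k.startswith("aws:"))
    if len(candidates) < excess:
        raise ValueError("cannot free %d slots without touching preserved tags"
                         % space)
    return candidates[:excess]


def trim(tags, space, preserve, limit=EC2_TAG_LIMIT):
    """Apply the removal decision and return the resulting tag set."""
    doomed = set(tags_to_remove(tags, space, preserve, limit))
    return {k: v for k, v in tags.items() if k not in doomed}


if __name__ == "__main__":
    removed = tags_to_remove(SAMPLE_TAGS, 3, PRESERVE)
    print(len(SAMPLE_TAGS), "tags, removing", removed)
    print(len(trim(SAMPLE_TAGS, 3, PRESERVE)), "tags remain")
```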
properties:
  preserve:
    items:
      type: string
    type: array
  space:
    type: integer
  type:
    enum:
    - tag-trim
required:
- type

webhook

Calls a webhook with optional parameters and body populated from JMESPath queries.

policies:
  - name: call-webhook
    resource: ec2
    description: |
      Call webhook with list of resource groups
    actions:
     - type: webhook
       url: http://foo.com
       query-params:
          resource_name: resource.name
          policy_name: policy.name
properties:
  batch:
    type: boolean
  batch-size:
    type: number
  body:
    type: string
  headers:
    additionalProperties:
      description: header values
      type: string
    type: object
  method:
    enum:
    - PUT
    - POST
    - GET
    - PATCH
    - DELETE
    type: string
  query-params:
    additionalProperties:
      description: query string values
      type: string
    type: object
  type:
    enum:
    - webhook
  url:
    type: string
required:
- url
- type