Getting Started

Install Cloud Custodian and Azure Plugin

Cloud Custodian is a Python application and supports Python 2 and 3 on Linux and Windows. We recommend using Python 3.6 or higher.

The Azure provider is an additional package which is installed in addition to c7n.

Install latest from the repository to virtual Python environment

Linux and Mac OS

To install Cloud Custodian, just run:

$ python3 -m venv custodian
$ source custodian/bin/activate
$ git clone
$ cd cloud-custodian
$ pip install -e .
$ pip install -e tools/c7n_azure

Windows (CMD/PowerShell)

To install Cloud Custodian, just run:

$ python3 -m venv custodian
$ ./custodian/Scripts/activate
$ git clone
$ cd cloud-custodian
$ pip install -e .
$ pip install -e tools/c7n_azure

Write your first policy

Cloud Custodian is a stateless rules engine that filters and takes actions on Azure resources based on policies that you define.

Cloud Custodian policies are expressed in YAML and include the following:

  • The type of resource to run the policy against

  • Filters to narrow down the set of resources

  • Actions to take on the filtered set of resources

Our first policy filters to a VM of a specific name, then adds the tag Hello: World.

First, Create a file named custodian.yml with this content, and update my_vm_name to match an existing VM.

note: Some text editors (VSCode) inject invalid whitespace characters when copy/pasting YAML from a browser

    - name: my-first-policy
      description: |
        Adds a tag to a virtual machines
      resource: azure.vm
        - type: value
          key: name
          value: my_vm_name
       - type: tag
         tag: Hello
         value: World

Run your policy

Second, choose one of the supported authentication mechanisms and either log in to Azure CLI or set environment variables as documented in Authentication & Access.

custodian run --output-dir=. custodian.yml

If successful, you should see output similar to the following on the command line:

2016-12-20 08:35:06,133: custodian.policy:INFO Running policy my-first-policy resource: azure.vm
2016-12-20 08:35:07,514: custodian.policy:INFO policy: my-first-policy resource:ec2 has count:1 time:1.38
2016-12-20 08:35:08,188: custodian.policy:INFO policy: my-first-policy action: tag: 1 execution_time: 0.67

You should also find a new my-first-policy directory with a log and a resources.json. The resources.json file shows you the raw data that results from your policy after filtering is applied. This file can help you understand the fields available for your resources while developing your policy.

See Generic Filters for more information on the features of the Value filter used in this sample.

(Optional) Run your policy with Azure Monitoring

Cloud Custodian policies can emit logs and metrics to Application Insights when the policy executes. Please refer to the Logging, Metrics and Output section for further details.