Generic Filters

These filters can be applied to a specific resource type, such as azure.vm, or they can be applied to all Azure resources by using azure.armresource as the resource type.

Metric Filter

MetricFilter: filters Azure resources based on live metrics from Azure Monitor.

Schema:
{
  "aggregation": {
    "enum": [
      "total",
      "average"
    ]
  },
  "interval": {
    "enum": [
      "PT1M",
      "PT5M",
      "PT15M",
      "PT30M",
      "PT1H",
      "PT6H",
      "PT12H",
      "P1D"
    ]
  },
  "metric": {
    "required": true,
    "type": "string"
  },
  "op": {
    "enum": [
      "equal",
      "lt",
      "greater-than",
      "ge",
      "ne",
      "le",
      "gt",
      "lte",
      "eq",
      "gte",
      "less-than",
      "not-equal"
    ],
    "required": true
  },
  "threshold": {
    "required": true,
    "type": "number"
  },
  "timeframe": {
    "type": "number"
  }
}

Metrics for Custodian-supported Azure resources:

Click here for a full list of metrics supported by Azure resources.

Example Policies

Find VMs with an average Percentage CPU greater than or equal to 75% over the last 12 hours

policies:
  - name: find-busy-vms
    resource: azure.vm
    filters:
      - type: metric
        metric: Percentage CPU
        aggregation: average
        op: ge
        threshold: 75
        timeframe: 12

Find KeyVaults with more than 1000 API hits in the last hour

policies:
  - name: keyvault-hits
    resource: azure.keyvault
    filters:
      - type: metric
        metric: ServiceApiHit
        aggregation: total
        op: gt
        threshold: 1000
        timeframe: 1

Find SQL servers with less than 10% average DTU consumption over last 24 hours

policies:
  - name: dtu-consumption
    resource: azure.sqlserver
    filters:
      - type: metric
        metric: dtu_consumption_percent
        aggregation: average
        op: lt
        threshold: 10
        timeframe: 24

Tag Filter

The “tag filter” is implicitly just the ValueFilter (see Generic Filters). It can be used to filter resources on the presence, absence or value of a tag.

Schema:
{
  "default": {
    "type": "object"
  },
  "key": {
    "type": "string"
  },
  "op": {
    "enum": [
      "glob",
      "contains",
      "equal",
      "eq",
      "lt",
      "ge",
      "greater-than",
      "gte",
      "not-in",
      "in",
      "regex",
      "difference",
      "ne",
      "less-than",
      "lte",
      "intersect",
      "le",
      "not-equal",
      "gt",
      "ni"
    ]
  },
  "value": {
    "oneOf": [
      {
        "type": "array"
      },
      {
        "type": "string"
      },
      {
        "type": "boolean"
      },
      {
        "type": "number"
      },
      {
        "type": "null"
      }
    ]
  },
  "value_from": {
    "additionalProperties": "False",
    "properties": {
      "expr": {
        "oneOf": [
          {
            "type": "integer"
          },
          {
            "type": "string"
          }
        ]
      },
      "format": {
        "enum": [
          "csv",
          "json",
          "txt",
          "csv2dict"
        ]
      },
      "url": {
        "type": "string"
      }
    },
    "required": [
      "url"
    ],
    "type": "object"
  },
  "value_type": {
    "enum": [
      "age",
      "integer",
      "expiration",
      "normalize",
      "size",
      "cidr",
      "cidr_size",
      "swap",
      "resource_count",
      "expr",
      "unique_size"
    ]
  }
}

Example Policies

This policy will delete all ARM resources with the tag ‘Tag1’ present

policies:
  - name: delete-resources-with-Tag1
    resource: azure.armresource
    filters:
      - tag:Tag1: present
    actions:
      - type: delete

This policy will find all VMs with the tag ‘Tag1’ absent

policies:
  - name: find-vms-without-Tag1
    resource: azure.vm
    filters:
      - tag:Tag1: absent

This policy will find all CosmosDBs with the tag ‘Tag1’ and value ‘Value1’

policies:
  - name: find-cosmosdb-tag-value
    resource: azure.cosmosdb
    filters:
      - tag:Tag1: Value1

Marked-For-Op Filter

TagActionFilter: filters Azure resources based on operations previously scheduled via tags.

Schema:
{
  "op": {
    "type": "string"
  },
  "skew": {
    "minimum": 0,
    "type": "number"
  },
  "skew_hours": {
    "minimum": 0,
    "type": "number"
  },
  "tag": {
    "type": "string"
  },
  "tz": {
    "type": "string"
  }
}

Example Policies

Find VMs that have been marked for stopping and stop them

policies:
  - name: find-vms-to-stop
    resource: azure.vm
    filters:
      - type: marked-for-op
        op: stop
    actions:
      - type: stop

Find VMs that have been marked for stopping tomorrow and notify user@domain.com

policies:
  - name: find-vms-to-stop
    resource: azure.vm
    filters:
      - type: marked-for-op
        # 'Fast-forward' 1 day into future. skew_hours is used for hour increments
        skew: 1
        op: stop
    actions:
      - type: notify
        template: default
        subject: VMs Scheduled To Stop
        to:
          - user@domain.com
        transport:
          - type: asq
            queue: https://accountname.queue.core.windows.net/test

Cancel operation on resource marked for operation

policies:
  - name: find-vms-to-stop
    resource: azure.resourcegroup
    filters:
      - type: marked-for-op
        op: delete
        # custodian_status is default tag, but can be configured
        tag: custodian_status
    actions:
      - type: untag
        tags: ['custodian_status']

Diagnostic Settings Filter

DiagnosticSettingsFilter: the diagnostic settings filter is implicitly just the ValueFilter (see Generic Filters) applied to the diagnostic settings of an Azure resource.

Schema:
{
  "default": {
    "type": "object"
  },
  "key": {
    "type": "string"
  },
  "op": {
    "enum": [
      "glob",
      "contains",
      "equal",
      "eq",
      "lt",
      "ge",
      "greater-than",
      "gte",
      "not-in",
      "in",
      "regex",
      "difference",
      "ne",
      "less-than",
      "lte",
      "intersect",
      "le",
      "not-equal",
      "gt",
      "ni"
    ]
  },
  "value": {
    "oneOf": [
      {
        "type": "array"
      },
      {
        "type": "string"
      },
      {
        "type": "boolean"
      },
      {
        "type": "number"
      },
      {
        "type": "null"
      }
    ]
  },
  "value_from": {
    "additionalProperties": "False",
    "properties": {
      "expr": {
        "oneOf": [
          {
            "type": "integer"
          },
          {
            "type": "string"
          }
        ]
      },
      "format": {
        "enum": [
          "csv",
          "json",
          "txt",
          "csv2dict"
        ]
      },
      "url": {
        "type": "string"
      }
    },
    "required": [
      "url"
    ],
    "type": "object"
  },
  "value_type": {
    "enum": [
      "age",
      "integer",
      "expiration",
      "normalize",
      "size",
      "cidr",
      "cidr_size",
      "swap",
      "resource_count",
      "expr",
      "unique_size"
    ]
  }
}

Example Policies

Find Load Balancers that have logs enabled for both the LoadBalancerProbeHealthStatus category and the LoadBalancerAlertEvent category. The use of value_type: swap is important for these examples because it swaps the value and the evaluated key, so the filter checks that the provided value is in the list the key returns from the logs.

policies:
  - name: find-load-balancers-with-logs-enabled
    resource: azure.loadbalancer
    filters:
      - type: diagnostic-settings
        key: logs[?category == 'LoadBalancerProbeHealthStatus'][].enabled
        value: True
        op: in
        value_type: swap
      - type: diagnostic-settings
        key: logs[?category == 'LoadBalancerAlertEvent'][].enabled
        value: True
        op: in
        value_type: swap

Find KeyVaults that have logs enabled for the AuditEvent category.

policies:
  - name: find-keyvaults-with-logs-enabled
    resource: azure.keyvault
    filters:
      - type: diagnostic-settings
        key: logs[?category == 'AuditEvent'][].enabled
        value: True
        op: in
        value_type: swap
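
The following Python sketch is an added example, not Custodian's own code. It models how the key, op: in and value_type: swap combine in the two policies above, and what happens when the category is disabled or the resource has no diagnostic settings. The helper names, the sample settings, and the rule that a resource matches when any one of its diagnostic settings matches are assumptions made for illustration.

```python
# Simplified model of the diagnostic-settings check (illustrative, not Custodian code).
# The key logs[?category == 'X'][].enabled yields a LIST of booleans, so the
# policy's scalar value can only be tested against it with op: in + value_type: swap.

def enabled_flags(setting, category):
    """Plain-Python equivalent of: logs[?category == '<category>'][].enabled"""
    return [log.get("enabled") for log in setting.get("logs", [])
            if log.get("category") == category]

def op_in(left, right):
    """op: in -> left must be a member of right, and right must be a collection."""
    return isinstance(right, (list, tuple, set)) and left in right

def setting_matches(setting, category, value=True, swap=True):
    key_result = enabled_flags(setting, category)
    if swap:
        # value_type: swap -> the test becomes "value in key_result"
        return op_in(value, key_result)
    # Without swap the test is "key_result in value"; a boolean is not a
    # collection, so in this model the filter can never match.
    return op_in(key_result, value)

def resource_matches(settings, category, swap=True):
    """Assumption: a resource matches when at least one setting matches."""
    return any(setting_matches(s, category, swap=swap) for s in settings)

def lb_policy_matches(settings):
    """The two filters of the load balancer policy are ANDed together."""
    return (resource_matches(settings, "LoadBalancerProbeHealthStatus")
            and resource_matches(settings, "LoadBalancerAlertEvent"))

# Constructed sample diagnostic settings (not real Azure output).
VAULT_AUDITED = [{"name": "diag", "logs": [{"category": "AuditEvent", "enabled": True}]}]
VAULT_DISABLED = [{"name": "diag", "logs": [{"category": "AuditEvent", "enabled": False}]}]
VAULT_NO_SETTINGS = []
LB_PARTIAL = [{"name": "lb-diag", "logs": [
    {"category": "LoadBalancerProbeHealthStatus", "enabled": True},
    {"category": "LoadBalancerAlertEvent", "enabled": False}]}]

if __name__ == "__main__":
    for label, settings in [("audited", VAULT_AUDITED),
                            ("disabled", VAULT_DISABLED),
                            ("no settings", VAULT_NO_SETTINGS)]:
        print(label, resource_matches(settings, "AuditEvent"))
    print("lb partial", lb_policy_matches(LB_PARTIAL))
```

A vault with the category disabled and a vault with no diagnostic settings at all both fail to match, so a policy meant to flag missing audit logging has to negate this filter rather than compare against False.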