Generic Filters
These filters can be applied to a specific resource type, such as azure.vm, or they can be applied to all Azure resources by using azure.armresource as the resource type.
Metric Filter
MetricFilter
Filters Azure resources based on live metrics from Azure Monitor.
properties:
  aggregation:
    enum:
    - total
    - average
  filter:
    type: string
  interval:
    enum:
    - PT1M
    - PT5M
    - PT15M
    - PT30M
    - PT1H
    - PT6H
    - PT12H
    - P1D
  metric:
    type: string
  no_data_action:
    enum:
    - include
    - exclude
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
  threshold:
    type: number
  timeframe:
    type: number
  type:
    enum:
    - metric
required:
- type
- metric
- op
- threshold
Metrics for Custodian-supported Azure resources:
Click here for a full list of metrics supported by Azure resources.
Example Policies
Find VMs with an average Percentage CPU greater than or equal to 75% over the last 12 hours
policies:
  - name: find-busy-vms
    resource: azure.vm
    filters:
      - type: metric
        metric: Percentage CPU
        aggregation: average
        op: ge
        threshold: 75
        timeframe: 12
Find KeyVaults with more than 1000 API hits in the last hour
policies:
  - name: keyvault-hits
    resource: azure.keyvault
    filters:
      - type: metric
        metric: ServiceApiHit
        aggregation: total
        op: gt
        threshold: 1000
        timeframe: 1
Find SQL servers with less than 10% average DTU consumption across all databases over last 24 hours
policies:
  - name: dtu-consumption
    resource: azure.sqlserver
    filters:
      - type: metric
        metric: dtu_consumption_percent
        aggregation: average
        op: lt
        threshold: 10
        timeframe: 24
        filter: "DatabaseResourceId eq '*'"
Tag Filter
The “tag filter” is implicitly just the ValueFilter (see Generic Filters). It can be used to filter resources on the presence, absence or value of a tag.
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - value
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
Example Policies
This policy will delete all ARM resources with the tag ‘Tag1’ present
policies:
  - name: delete-resources-with-Tag1
    resource: azure.armresource
    filters:
      - tag:Tag1: present
    actions:
      - type: delete
This policy will find all VMs with the tag ‘Tag1’ absent
policies:
  - name: find-vms-without-Tag1
    resource: azure.vm
    filters:
      - tag:Tag1: absent
This policy will find all CosmosDBs with the tag ‘Tag1’ and value ‘Value1’
policies:
  - name: find-cosmosdb-tag-value
    resource: azure.cosmosdb
    filters:
      - tag:Tag1: Value1
Marked-For-Op Filter
marked-for-op
Filters Azure resources based on previously scheduled operations via tags.
properties:
  op:
    type: string
  skew:
    minimum: 0
    type: number
  skew_hours:
    minimum: 0
    type: number
  tag:
    type: string
  type:
    enum:
    - marked-for-op
  tz:
    type: string
required:
- type
Example Policies
Find VMs that have been marked for stopping and stop them
policies:
  - name: find-vms-to-stop
    resource: azure.vm
    filters:
      - type: marked-for-op
        op: stop
    actions:
      - type: stop
Find VMs that have been marked for stopping tomorrow and notify user@domain.com
policies:
  - name: find-vms-to-stop
    resource: azure.vm
    filters:
      - type: marked-for-op
        # 'Fast-forward' 1 day into future. skew_hours is used for hour increments
        skew: 1
        op: stop
    actions:
      - type: notify
        template: default
        subject: VMs Scheduled To Stop
        to:
          - user@domain.com
        transport:
          type: asq
          queue: https://accountname.queue.core.windows.net/test
Cancel operation on resource marked for operation
policies:
  - name: find-vms-to-stop
    resource: azure.resourcegroup
    filters:
      - type: marked-for-op
        op: delete
        # custodian_status is default tag, but can be configured
        tag: custodian_status
    actions:
      - type: untag
        tags: ['custodian_status']
Diagnostic Settings Filter
DiagnosticSettingsFilter
The diagnostic settings filter is implicitly just the ValueFilter (see Generic Filters) on the diagnostic settings for an Azure resource.
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - diagnostic-settings
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type
Example Policies
Find Load Balancers that have logs for both the LoadBalancerProbeHealthStatus category and the LoadBalancerAlertEvent category enabled. The use of value_type: swap is important for these examples because it swaps the value and the evaluated key, so that the filter evaluates whether the provided value is in the logs.
policies:
  - name: find-load-balancers-with-logs-enabled
    resource: azure.loadbalancer
    filters:
      - type: diagnostic-settings
        key: logs[?category == 'LoadBalancerProbeHealthStatus'][].enabled
        value: True
        op: in
        value_type: swap
      - type: diagnostic-settings
        key: logs[?category == 'LoadBalancerAlertEvent'][].enabled
        value: True
        op: in
        value_type: swap
Find KeyVaults that have logs enabled for the AuditEvent category.
policies:
  - name: find-keyvaults-with-logs-enabled
    resource: azure.keyvault
    filters:
      - type: diagnostic-settings
        key: logs[?category == 'AuditEvent'][].enabled
        value: True
        op: in
        value_type: swap
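To see why value_type: swap matters in the diagnostic-settings policies above, the following added example (not part of the Custodian documentation or code base) models the comparison in plain Python. The function names, the sample diagnostic settings and the AND/any semantics in resource_selected are assumptions of this model.

```python
# Added model (not Cloud Custodian source); sample data below is constructed.

def enabled_flags(setting, category):
    """Stand-in for the key  logs[?category == '<category>'][].enabled"""
    return [log["enabled"] for log in setting.get("logs", [])
            if log.get("category") == category and log.get("enabled") is not None]

def matches(setting, category, value=True, swap=True):
    """Evaluate one diagnostic-settings filter block against one setting."""
    resource_value = enabled_flags(setting, category)
    # swap exchanges the two operands, so `op: in` asks "value in resource_value"
    left, right = (value, resource_value) if swap else (resource_value, value)
    try:
        return left in right
    except TypeError:        # without swap: `[True] in True` is not evaluable
        return False

def resource_selected(settings, categories):
    """Assumed semantics: filter blocks are ANDed, and a block passes when
    any one of the resource's diagnostic settings matches it."""
    return all(any(matches(s, c) for s in settings) for c in categories)

# Constructed diagnostic settings, one list per hypothetical resource.
SAMPLES = {
    "kv-audited": [{"logs": [{"category": "AuditEvent", "enabled": True}]}],
    "kv-disabled": [{"logs": [{"category": "AuditEvent", "enabled": False}]}],
    "kv-other-category": [{"logs": [{"category": "ExampleCategory", "enabled": True}]}],
    "kv-no-settings": [],
}
LB_PARTIAL = [{"logs": [
    {"category": "LoadBalancerProbeHealthStatus", "enabled": True},
    {"category": "LoadBalancerAlertEvent", "enabled": False},
]}]

def audit_event_report():
    """Which sample Key Vaults the AuditEvent policy would select."""
    return {name: resource_selected(s, ["AuditEvent"]) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, selected in audit_event_report().items():
        print(f"{name:20} selected={selected}")
    both = ["LoadBalancerProbeHealthStatus", "LoadBalancerAlertEvent"]
    print("lb-partial".ljust(20), f"selected={resource_selected(LB_PARTIAL, both)}")
```

The three unselected Key Vault samples are the cases an audit cares about: the category is disabled, the category is not configured, or the resource has no diagnostic setting at all.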