Azure Common Actions

Actions

auto-tag-date

Attempts to tag a resource with the date on which the resource was created.

This action searches the activity logs of a particular resource for the earliest 'write' operation and its caller.

Note: activity logs are only held for the last 90 days.

example:

This policy will tag all existing resource groups with the ‘CreatedDate’ tag

policies:
  - name: azure-auto-tag-created-date
    resource: azure.resourcegroup
    description: |
      Tag all existing resource groups with the 'CreatedDate' tag
    actions:
      - type: auto-tag-date
        tag: CreatedDate
        format: "%m-%d-%Y"

properties:
  days:
    type: integer
  format:
    type: string
  tag:
    type: string
  type:
    enum:
    - auto-tag-date
  update:
    type: boolean
required:
- type

auto-tag-user

Attempts to tag a resource with the first user who created/modified it.

example:

This policy will tag all existing resource groups with the ‘CreatorEmail’ tag

policies:
  - name: azure-auto-tag-creator
    resource: azure.resourcegroup
    description: |
      Tag all existing resource groups with the 'CreatorEmail' tag
    actions:
     - type: auto-tag-user
       tag: CreatorEmail

This action searches the activity logs of a particular resource for the earliest 'write' operation and its caller.

Note: activity logs are only held for the last 90 days.

properties:
  days:
    type: integer
  default-claim:
    enum:
    - upn
    - name
  tag:
    type: string
  type:
    enum:
    - auto-tag-user
  update:
    type: boolean
required:
- type
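To make the search behind auto-tag-date and auto-tag-user concrete, here is an added example (not Cloud Custodian's own code) that scans constructed Activity Log entries for the earliest 'write' operation within the retention window and derives the values the two actions would write. It assumes that the 'days' property bounds the search window and that 'default-claim' selects which claim names the creator; the claim keys in the sample are simplified, and a creation that happened before the window is never found, which is the 90-day caveat above in action.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of Activity Log entries for one resource group (not real
# log data). Claim keys are simplified to "upn" and "name" for the example.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Resources/subscriptions/resourceGroups/write",
     "caller": "carol@example.com", "eventTimestamp": "2019-04-01T09:00:00Z",
     "claims": {"upn": "carol@example.com", "name": "Carol Creator"}},
    {"operationName": "Microsoft.Resources/subscriptions/resourceGroups/read",
     "caller": "reader@example.com", "eventTimestamp": "2019-06-02T08:00:00Z",
     "claims": {"upn": "reader@example.com", "name": "Read Only"}},
    {"operationName": "Microsoft.Resources/subscriptions/resourceGroups/write",
     "caller": "alice@example.com", "eventTimestamp": "2019-06-10T12:30:00Z",
     "claims": {"upn": "alice@example.com", "name": "Alice Admin"}},
    {"operationName": "Microsoft.Resources/subscriptions/resourceGroups/write",
     "caller": "bob@example.com", "eventTimestamp": "2019-07-15T17:45:00Z",
     "claims": {"upn": "bob@example.com", "name": "Bob Builder"}},
]
# Fixed "now" so the 90-day window is deterministic (constructed value).
FIXED_NOW = datetime(2019, 9, 1, tzinfo=timezone.utc)


def earliest_write(events, days=90, now=None):
    """Return (timestamp, event) of the earliest write operation within the
    last `days` days, or None if no write is retained in that window."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    writes = []
    for e in events:
        ts = datetime.strptime(e["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if e["operationName"].lower().endswith("/write") and ts >= cutoff:
            writes.append((ts, e))
    return min(writes, key=lambda w: w[0]) if writes else None


def creation_date_tag(events, fmt="%m-%d-%Y", days=90, now=None):
    """Value for the CreatedDate tag, formatted like the policy's `format`."""
    found = earliest_write(events, days, now)
    return found[0].strftime(fmt) if found else None


def creator_tag(events, default_claim="upn", days=90, now=None):
    """Value for the CreatorEmail tag: the requested claim, else raw caller."""
    found = earliest_write(events, days, now)
    if not found:
        return None
    event = found[1]
    return event.get("claims", {}).get(default_claim) or event["caller"]
```

With the sample above the resource group was really created by Carol in April, but only Alice's June write is still inside the 90-day window, so both tags describe Alice.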

delete

Performs a delete operation on any ARM resource. Can be used with the generic resource type armresource or with any more specific ARM resource type supported by Cloud Custodian.

example:

This policy will delete any ARM resource with ‘test’ in the name

policies:
  - name: delete-test-resources
    resource: azure.armresource
    description: |
      Deletes any ARM resource with 'test' in the name
    filters:
      - type: value
        key: name
        value: test
        op: contains
    actions:
      - type: delete

example:

This policy will delete any Network Security Group with ‘test’ in the name

policies:
   - name: delete-test-nsg
     description: |
       Deletes any Network Security Group with 'test' in the name
     resource: azure.networksecuritygroup
     filters:
       - type: value
         key: name
         value: test
         op: contains
     actions:
      - type: delete

properties:
  type:
    enum:
    - delete
required:
- type

lock

Performs a lock operation on any ARM resource. Can be used with the generic resource type armresource or with any more specific ARM resource type supported by Cloud Custodian.

A lock can be one of two types: ReadOnly or CanNotDelete. The lock type is required.

To create or delete management locks, you must have the proper access. See the Azure documentation section "Who can create or delete locks".

example:

Add a ReadOnly lock to all key vaults:

policies:
   - name: lock-keyvaults
     resource: azure.keyvault
     actions:
       - type: lock
         lock-type: ReadOnly

example:

Add a CanNotDelete lock to SQL databases tagged env:production:

policies:
   - name: lock-production-sqldatabase
     resource: azure.sqldatabase
     filters:
       - type: value
         key: tags.env
         value: production
     actions:
       - type: lock
         lock-type: CanNotDelete
         lock-name: productionLock
         lock-notes: Locking all production SQL databases via Cloud Custodian

properties:
  lock-name:
    maxLength: 260
    minLength: 1
    type: string
  lock-notes:
    maxLength: 512
    minLength: 1
    type: string
  lock-type:
    enum:
    - ReadOnly
    - CanNotDelete
  type:
    enum:
    - lock
required:
- lock-type
- type

logic-app

Calls an Azure Logic App with optional parameters and a body populated from JMESPath queries. Your policy credentials are used to retrieve the trigger endpoint URL, including its secrets, from the resource group and app name.

This action is based on the webhook action and supports the same options.

example:

This policy will call the logic app with a list of VMs

policies:
  - name: call-logic-app
    resource: azure.vm
    description: |
      Call logic app with list of VM's
    actions:
     - type: logic-app
       resource-group: custodian-test
       logic-app-name: cclogicapp
       batch: true
       body: 'resources[].{ vm_name: name }'

properties:
  batch:
    type: boolean
  batch-size:
    type: number
  body:
    type: string
  headers:
    additionalProperties:
      description: header values
      type: string
    type: object
  logic-app-name:
    type: string
  method:
    enum:
    - PUT
    - POST
    - GET
    - PATCH
    - DELETE
    type: string
  query-params:
    additionalProperties:
      description: query string values
      type: string
    type: object
  resource-group:
    type: string
  type:
    enum:
    - logic-app
required:
- resource-group
- logic-app-name
- type

mark-for-op

Tag resources for future action.

The optional ‘tz’ parameter can be used to adjust the clock to align with a given timezone. The default value is ‘utc’.

If neither ‘days’ nor ‘hours’ is specified, Cloud Custodian will default to marking the resource for action 4 days in the future.

example:

policies:
 - name: vm-mark-for-stop
   resource: azure.vm
   filters:
     - type: value
       key: Name
       value: instance-to-stop-in-four-days
   actions:
     - type: mark-for-op
       op: stop

properties:
  days:
    exclusiveMinimum: false
    minimum: 0
    type: number
  hours:
    exclusiveMinimum: false
    minimum: 0
    type: number
  msg:
    type: string
  op:
    type: string
  tag:
    type: string
  type:
    enum:
    - mark-for-op
  tz:
    type: string
required:
- type

notify

Action to queue email.

See c7n_mailer readme.md for more information.

example:

policies:
  - name: notify
    resource: azure.resourcegroup
    actions:
      - type: notify
        template: default
        subject: Hello World
        to:
          - someone@somewhere.com
        transport:
          type: asq
          queue: https://storagename.queue.core.windows.net/queuename

anyOf:
- required:
  - type
  - transport
  - to
- required:
  - type
  - transport
  - to_from
properties:
  cc:
    items:
      type: string
    type: array
  cc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  cc_manager:
    type: boolean
  from:
    type: string
  owner_absent_contact:
    items:
      type: string
    type: array
  subject:
    type: string
  template:
    type: string
  to:
    items:
      type: string
    type: array
  to_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  transport:
    oneOf:
    - properties:
        queue:
          type: string
        type:
          enum:
          - asq
      required:
      - type
      - queue
      type: object
  type:
    enum:
    - notify

tag

Adds tags to Azure resources

example:

This policy will tag all existing resource groups with a value such as Environment

policies:
  - name: azure-tag-resourcegroups
    resource: azure.resourcegroup
    description: |
      Tag all existing resource groups with a value such as Environment
    actions:
     - type: tag
       tag: Environment
       value: Test

properties:
  tag:
    oneOf:
    - oneOf:
      - additionalProperties: false
        properties:
          default-value:
            type: string
          key:
            type: string
          type:
            enum:
            - resource
            type: string
        required:
        - type
        - key
      type: object
    - type: string
  tags:
    type: object
  type:
    enum:
    - tag
  value:
    oneOf:
    - oneOf:
      - additionalProperties: false
        properties:
          default-value:
            type: string
          key:
            type: string
          type:
            enum:
            - resource
            type: string
        required:
        - type
        - key
      type: object
    - type: string
required:
- type

tag-trim

Automatically removes tags from an Azure resource. Azure resources and resource groups have a limit of 50 tags. To make additional tag space on a set of resources, this action removes enough tags to free the desired amount of space while preserving a given set of tags. Setting the space value to 0 removes all tags except those listed in preserve.

example:

policies:
  - name: azure-tag-trim
    comment: |
      Any instances with 49 or more tags get tags removed until
      they match the target tag count, in this case 48, so
      that we free up tag slots for another usage.
    resource: azure.resourcegroup
    filters:
        # Filter down to resources that do not have the space
        # to add additional required tags. For example, if an
        # additional 2 tags need to be added to a resource, with
        # 50 tags as the limit, then filter down to resources that
        # have 49 or more tags since they will need to have tags
        # removed for the 2 extra. This also ensures that metrics
        # reporting is correct for the policy.
       - type: value
         key: "length(Tags)"
         op: ge
         value: 49
    actions:
       - type: tag-trim
         space: 2
         preserve:
          - OwnerContact
          - Environment
          - downtime
          - custodian_status

properties:
  preserve:
    items:
      type: string
    type: array
  space:
    type: integer
  type:
    enum:
    - tag-trim
required:
- type
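The selection rule described above (free `space` slots below the 50-tag limit, never touch the `preserve` list, `space: 0` removes everything else) as an added example in plain Python; this is not the project's own implementation. The order in which removable tags are dropped (key order of the tag dict) is an assumption made here, since the page does not describe it, and the sample tag set is constructed to match the 49-tag threshold the example policy filters on.

```python
TAG_LIMIT = 50  # per-resource tag limit for Azure resources and resource groups


def tags_to_remove(tags, space, preserve=()):
    """Choose which tag keys to drop so that `space` slots are free below TAG_LIMIT.

    Keys in `preserve` are never dropped. space == 0 drops every non-preserved
    tag. Candidates are dropped in the key order of `tags` (an assumption made
    for this example; the real action's ordering is not described on the page).
    """
    if space < 0 or space > TAG_LIMIT:
        raise ValueError("space must be between 0 and %d" % TAG_LIMIT)
    keep = set(preserve)
    candidates = [k for k in tags if k not in keep]
    if space == 0:
        return candidates
    free_now = TAG_LIMIT - len(tags)
    needed = max(0, space - free_now)   # nothing to do if space already exists
    if needed > len(candidates):
        raise ValueError("cannot free %d slots: only %d removable tags"
                         % (needed, len(candidates)))
    return candidates[:needed]


def trim(tags, space, preserve=()):
    """Return a new tag dict with the chosen keys removed."""
    removed = set(tags_to_remove(tags, space, preserve))
    return {k: v for k, v in tags.items() if k not in removed}


# Constructed sample: a resource group sitting at 49 tags, the threshold the
# example policy filters on, carrying the four preserved keys from that policy.
PRESERVE = ["OwnerContact", "Environment", "downtime", "custodian_status"]
SAMPLE_TAGS = {k: "keep" for k in PRESERVE}
SAMPLE_TAGS.update({"tag%02d" % i: "x" for i in range(1, 46)})  # 45 more -> 49
```

With `space: 2` only one tag is dropped, because one of the two slots is already free; with `space: 0` only the four preserved keys survive.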

untag

Removes tags from Azure resources

example:

This policy will remove a tag with a key such as Environment from all existing resource groups

policies:
  - name: azure-remove-tag-resourcegroups
    resource: azure.resourcegroup
    description: |
      Remove tag for all existing resource groups with a key such as Environment
    actions:
     - type: untag
       tags: ['Environment']

properties:
  tags:
    items:
      type: string
    type: array
  type:
    enum:
    - untag
required:
- type

webhook

Calls a webhook with optional parameters and body populated from JMESPath queries.

example:

policies:
  - name: call-webhook
    resource: ec2
    description: |
      Call webhook with list of resource groups
    actions:
     - type: webhook
       url: http://foo.com
       query-params:
          resource_name: resource.name
          policy_name: policy.name

properties:
  batch:
    type: boolean
  batch-size:
    type: number
  body:
    type: string
  headers:
    additionalProperties:
      description: header values
      type: string
    type: object
  method:
    enum:
    - PUT
    - POST
    - GET
    - PATCH
    - DELETE
    type: string
  query-params:
    additionalProperties:
      description: query string values
      type: string
    type: object
  type:
    enum:
    - webhook
  url:
    type: string
required:
- url
- type