Azure Common Actions
Actions
auto-tag-date
Attempts to tag a resource with the date when the resource was created.
This action searches the activity logs of a particular resource for its earliest 'write' operation and that operation's caller.
Note: activity logs are only held for the last 90 days.
- example:
  This policy will tag all existing resource groups with the 'CreatedDate' tag

  policies:
    - name: azure-auto-tag-created-date
      resource: azure.resourcegroup
      description: |
        Tag all existing resource groups with the 'CreatedDate' tag
      actions:
        - type: auto-tag-date
          tag: CreatedDate
          format: "%m-%d-%Y"

properties:
  days:
    type: integer
  format:
    type: string
  tag:
    type: string
  type:
    enum:
      - auto-tag-date
  update:
    type: boolean
required:
  - type
auto-tag-user
Attempts to tag a resource with the first user who created or modified it.
This action searches the activity logs of a particular resource for its earliest 'write' operation and that operation's caller.
Note: activity logs are only held for the last 90 days.
- example:
  This policy will tag all existing resource groups with the 'CreatorEmail' tag

  policies:
    - name: azure-auto-tag-creator
      resource: azure.resourcegroup
      description: |
        Tag all existing resource groups with the 'CreatorEmail' tag
      actions:
        - type: auto-tag-user
          tag: CreatorEmail

properties:
  days:
    type: integer
  default-claim:
    enum:
      - upn
      - name
  tag:
    type: string
  type:
    enum:
      - auto-tag-user
  update:
    type: boolean
required:
  - type
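The activity-log lookup that both auto-tag-date and auto-tag-user describe, as an added illustration that is not Cloud Custodian's own code: it picks the earliest 'write' event inside the look-back window (the page's 90-day retention caps whatever `days` is set to), derives the date tag from its timestamp and the user tag from the `default-claim` (upn or name), and treats `update` as "overwrite an existing tag". The event structure, the claim fallback order and the `update` semantics are assumptions; the events are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Azure keeps activity logs for 90 days (as the page notes), so the look-back
# window is capped there whatever the policy's `days` value is.
ACTIVITY_LOG_RETENTION_DAYS = 90

# Constructed sample activity-log events for one resource group (not real data).
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-10T09:15:00+00:00",
     "operation": "Microsoft.Resources/subscriptions/resourceGroups/write",
     "claims": {"upn": "bob@example.com", "name": "Bob Builder"}},
    {"timestamp": "2024-03-01T08:00:00+00:00",   # a read: never counts as creator
     "operation": "Microsoft.Resources/subscriptions/resourceGroups/read",
     "claims": {"upn": "carol@example.com", "name": "Carol Reader"}},
    {"timestamp": "2024-03-02T12:30:00+00:00",   # earliest write: the creator
     "operation": "Microsoft.Resources/subscriptions/resourceGroups/write",
     "claims": {"upn": "alice@example.com", "name": "Alice Admin"}},
]
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)  # constructed "current time"


def earliest_write(events, now, days=ACTIVITY_LOG_RETENTION_DAYS):
    """Earliest 'write' operation inside the look-back window, or None."""
    cutoff = now - timedelta(days=min(days, ACTIVITY_LOG_RETENTION_DAYS))
    writes = [e for e in events
              if e["operation"].lower().endswith("/write")
              and datetime.fromisoformat(e["timestamp"]) >= cutoff]
    return min(writes, key=lambda e: datetime.fromisoformat(e["timestamp"]),
               default=None)


def auto_tag_date(events, now, fmt="%m-%d-%Y", days=ACTIVITY_LOG_RETENTION_DAYS):
    """Value for a CreatedDate-style tag, or None if no write is in range."""
    ev = earliest_write(events, now, days)
    return None if ev is None else datetime.fromisoformat(ev["timestamp"]).strftime(fmt)


def auto_tag_user(events, now, default_claim="upn", days=ACTIVITY_LOG_RETENTION_DAYS):
    """Value for a CreatorEmail-style tag: the chosen claim of the earliest writer."""
    ev = earliest_write(events, now, days)
    if ev is None:
        return None
    claims = ev["claims"]
    # Assumed fallback: requested claim first, then upn, then display name.
    return claims.get(default_claim) or claims.get("upn") or claims.get("name")


def apply_tag(tags, key, value, update=False):
    """Assumed `update` semantics: an existing tag is only replaced when update is true."""
    if value is None or (key in tags and not update):
        return dict(tags)
    return {**tags, key: value}
```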
delete
Performs a delete operation on any ARM resource. It can be used with the generic resource type azure.armresource or with any more specific ARM resource type supported by Cloud Custodian.
- example:
  This policy will delete any ARM resource with 'test' in the name

  policies:
    - name: delete-test-resources
      resource: azure.armresource
      description: |
        Deletes any ARM resource with 'test' in the name
      filters:
        - type: value
          key: name
          value: test
          op: contains
      actions:
        - type: delete

- example:
  This policy will delete any Network Security Group with 'test' in the name

  policies:
    - name: delete-test-nsg
      description: |
        Deletes any Network Security Group with 'test' in the name
      resource: azure.networksecuritygroup
      filters:
        - type: value
          key: name
          value: test
          op: contains
      actions:
        - type: delete

properties:
  type:
    enum:
      - delete
required:
  - type
lock
Performs a lock operation on any ARM resource. It can be used with the generic resource type azure.armresource or with any more specific ARM resource type supported by Cloud Custodian.
A lock can be one of two types: ReadOnly or CanNotDelete. The lock type is required.
To create or delete management locks, you must have the proper access. See the Azure documentation on who can create or delete locks.
- example:
  Add a ReadOnly lock to all key vaults:

  policies:
    - name: lock-keyvaults
      resource: azure.keyvault
      actions:
        - type: lock
          lock-type: ReadOnly

- example:
  Add a CanNotDelete lock to SQL databases tagged env:production

  policies:
    - name: lock-production-sqldatabase
      resource: azure.sqldatabase
      filters:
        - type: value
          key: tags.env
          value: production
      actions:
        - type: lock
          lock-type: CanNotDelete
          lock-name: productionLock
          lock-notes: Locking all production SQL databases via Cloud Custodian

properties:
  lock-name:
    maxLength: 260
    minLength: 1
    type: string
  lock-notes:
    maxLength: 512
    minLength: 1
    type: string
  lock-type:
    enum:
      - ReadOnly
      - CanNotDelete
  type:
    enum:
      - lock
required:
  - lock-type
  - type
logic-app
Calls an Azure Logic App with optional parameters and a body populated from JMESPath queries. Your policy credentials are used to look up the trigger endpoint URL, including its secrets, from the resource group and app name.
This action is based on the webhook action and supports the same options.
- example:
  This policy will call a logic app with a list of VMs

  policies:
    - name: call-logic-app
      resource: azure.vm
      description: |
        Call logic app with list of VM's
      actions:
        - type: logic-app
          resource-group: custodian-test
          logic-app-name: cclogicapp
          batch: true
          body: 'resources[].{ vm_name: name }'

properties:
  batch:
    type: boolean
  batch-size:
    type: number
  body:
    type: string
  headers:
    additionalProperties:
      description: header values
      type: string
    type: object
  logic-app-name:
    type: string
  method:
    enum:
      - PUT
      - POST
      - GET
      - PATCH
      - DELETE
    type: string
  query-params:
    additionalProperties:
      description: query string values
      type: string
    type: object
  resource-group:
    type: string
  type:
    enum:
      - logic-app
required:
  - resource-group
  - logic-app-name
  - type
mark-for-op
Tag resources for future action.
The optional 'tz' parameter can be used to adjust the clock to align with a given timezone. The default value is 'utc'.
If neither 'days' nor 'hours' is specified, Cloud Custodian will default to marking the resource for action 4 days in the future.
- example:

  policies:
    - name: vm-mark-for-stop
      resource: azure.vm
      filters:
        - type: value
          key: Name
          value: instance-to-stop-in-four-days
      actions:
        - type: mark-for-op
          op: stop

properties:
  days:
    exclusiveMinimum: false
    minimum: 0
    type: number
  hours:
    exclusiveMinimum: false
    minimum: 0
    type: number
  msg:
    type: string
  op:
    type: string
  tag:
    type: string
  type:
    enum:
      - mark-for-op
  tz:
    type: string
required:
  - type
notify
Action to queue email.
See c7n_mailer readme.md for more information.
- example:

  policies:
    - name: notify
      resource: azure.resourcegroup
      actions:
        - type: notify
          template: default
          subject: Hello World
          to:
            - someone@somewhere.com
          transport:
            type: asq
            queue: https://storagename.queue.core.windows.net/queuename

anyOf:
  - required:
      - type
      - transport
      - to
  - required:
      - type
      - transport
      - to_from
properties:
  cc:
    items:
      type: string
    type: array
  cc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  cc_manager:
    type: boolean
  from:
    type: string
  owner_absent_contact:
    items:
      type: string
    type: array
  subject:
    type: string
  template:
    type: string
  to:
    items:
      type: string
    type: array
  to_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  transport:
    oneOf:
      - properties:
          queue:
            type: string
          type:
            enum:
              - asq
        required:
          - type
          - queue
        type: object
  type:
    enum:
      - notify
tag
Adds tags to Azure resources.
- example:
  This policy will tag all existing resource groups with a value such as Environment

  policies:
    - name: azure-tag-resourcegroups
      resource: azure.resourcegroup
      description: |
        Tag all existing resource groups with a value such as Environment
      actions:
        - type: tag
          tag: Environment
          value: Test

properties:
  tag:
    oneOf:
      - oneOf:
          - additionalProperties: false
            properties:
              default-value:
                type: string
              key:
                type: string
              type:
                enum:
                  - resource
                type: string
            required:
              - type
              - key
            type: object
          - type: string
  tags:
    type: object
  type:
    enum:
      - tag
  value:
    oneOf:
      - oneOf:
          - additionalProperties: false
            properties:
              default-value:
                type: string
              key:
                type: string
              type:
                enum:
                  - resource
                type: string
            required:
              - type
              - key
            type: object
          - type: string
required:
  - type
tag-trim
Automatically removes tags from an Azure resource. Azure resources and resource groups have a limit of 50 tags. To make additional tag space on a set of resources, this action removes enough tags to free the desired amount of space while preserving a given set of tags. Setting the space value to 0 removes all tags except those listed under preserve.
- example:

  policies:
    - name: azure-tag-trim
      comment: |
        Any instances with 49 or more tags get tags removed until
        they match the target tag count, in this case 48, so
        that we free up tag slots for another usage.
      resource: azure.resourcegroup
      filters:
        # Filter down to resources that do not have the space
        # to add additional required tags. For example, if an
        # additional 2 tags need to be added to a resource, with
        # 50 tags as the limit, then filter down to resources that
        # have 49 or more tags since they will need to have tags
        # removed for the 2 extra. This also ensures that metrics
        # reporting is correct for the policy.
        - type: value
          key: "length(Tags)"
          op: ge
          value: 49
      actions:
        - type: tag-trim
          space: 2
          preserve:
            - OwnerContact
            - Environment
            - downtime
            - custodian_status

properties:
  preserve:
    items:
      type: string
    type: array
  space:
    type: integer
  type:
    enum:
      - tag-trim
required:
  - type
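The arithmetic behind the tag-trim example above, as an added illustration that is not Cloud Custodian's own implementation: given the 50-tag limit, a `space` target and a `preserve` list, it computes the filter threshold the example uses (49 for space 2) and the keys to drop so that the resource ends at 48 tags, with `space: 0` stripping everything not preserved. Which removable tags are dropped first is an assumption (alphabetical here), and the tag sets are constructed sample data.

```python
AZURE_TAG_LIMIT = 50  # per-resource tag limit stated on the page

PRESERVE = ("OwnerContact", "Environment", "downtime", "custodian_status")


def needs_trim(tags, space, limit=AZURE_TAG_LIMIT):
    """The example's filter: length(Tags) >= limit - space + 1 (49 for space 2)."""
    return len(tags) >= limit - space + 1


def tags_to_remove(tags, space, preserve=(), limit=AZURE_TAG_LIMIT):
    """Keys to delete so that `space` slots are free; preserved keys are never chosen.

    Assumption: removable tags are dropped in alphabetical order."""
    if space < 0:
        raise ValueError("space must be >= 0")
    removable = sorted(k for k in tags if k not in preserve)
    if space == 0:                      # page: 0 removes all but the preserved tags
        return removable
    needed = max(0, space - (limit - len(tags)))
    if needed > len(removable):
        raise ValueError("need %d slots but only %d removable tags"
                         % (needed, len(removable)))
    return removable[:needed]


def trim_tags(tags, space, preserve=(), limit=AZURE_TAG_LIMIT):
    """Return (remaining_tags, removed_keys) after applying tag-trim."""
    removed = tags_to_remove(tags, space, preserve, limit)
    return {k: v for k, v in tags.items() if k not in removed}, removed


def sample_tags(count):
    """Constructed tag set: the preserved keys plus numbered filler tags."""
    tags = {k: "keep" for k in PRESERVE}
    for i in range(count - len(PRESERVE)):
        tags["tag%02d" % i] = "v"
    return tags
```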
untag
Removes tags from Azure resources.
- example:
  This policy will remove the tag with a key such as Environment from all existing resource groups

  policies:
    - name: azure-remove-tag-resourcegroups
      resource: azure.resourcegroup
      description: |
        Remove tag for all existing resource groups with a key such as Environment
      actions:
        - type: untag
          tags: ['Environment']

properties:
  tags:
    items:
      type: string
    type: array
  type:
    enum:
      - untag
required:
  - type
webhook
Calls a webhook with optional parameters and body populated from JMESPath queries.
  policies:
    - name: call-webhook
      resource: ec2
      description: |
        Call webhook with list of resource groups
      actions:
        - type: webhook
          url: http://foo.com
          query-params:
            resource_name: resource.name
            policy_name: policy.name

properties:
  batch:
    type: boolean
  batch-size:
    type: number
  body:
    type: string
  headers:
    additionalProperties:
      description: header values
      type: string
    type: object
  method:
    enum:
      - PUT
      - POST
      - GET
      - PATCH
      - DELETE
    type: string
  query-params:
    additionalProperties:
      description: query string values
      type: string
    type: object
  type:
    enum:
      - webhook
  url:
    type: string
required:
  - url
  - type