Example tag compliance policy¶
In this sample policy we are filtering for EC2 instances that are: running, not part of an Auto Scaling Group (ASG), not already marked for an operation, have less than 10 tags, and are missing one or more of the required tags. Once Custodian has filtered the list, it will mark all EC2 instances that match the above criteria with a tag. That tag specifies an action that will take place at a certain time. This policy is one of three that are needed to manage tag compliance. The other two policies in this set are, 1) checking to see if the tags have been corrected before the four day period is up, and 2) performing the operation of stopping all instances with the status to be stopped on that particular day.
1- name: ec2-tag-compliance-mark
2 resource: ec2
3 comment: |
4 Mark non-compliant, Non-ASG EC2 instances with stoppage in 4 days
5 filters:
6▣───────── - "State.Name": running
7│ ▣─────── - "tag:aws:autoscaling:groupName": absent
8│ │ ▣───── - "tag:c7n_status": absent
9│ │ │ ▣─── - type: tag-count
10│ │ │ │ - or: ─┐
11│ │ │ │ - "tag:Owner": absent ├─If any of these tags are
12│ │ │ │ - "tag:CostCenter": absent │ missing, then select instance
13│ │ │ │ - "tag:Project": absent ─┘
14│ │ │ │
15│ │ │ │ actions: ─────────────────▶ For selected instances, run this action
16│ │ │ │ - type: mark-for-op ────▶ Mark instance for operation
17│ │ │ │ tag: c7n_status ──────▶ Use the "c7n_status" tag instead of the
18│ │ │ │ legacy default "maid_status"
19│ │ │ │ op: stop ─────────────▶ Stop instance
20│ │ │ │ days: 4 ──────────────▶ After 4 days
21│ │ │ │
22│ │ │ ▣────▶ If instance has 10 tags, skip
23│ │ ▣──────▶ If instance already has a c7n_status, skip
24│ ▣────────▶ If instance is part of an ASG, skip
25▣──────────▶ If instance is not running, skip