Custodian policies for Infrastructure Code

This package allows Cloud Custodian to evaluate policies directly against infrastructure-as-code source assets.

It also provides a separate CLI with a better command-line UX for evaluating source assets.


We currently support only Python 3.10 on macOS and Linux. We plan to expand support to additional operating systems and Python versions over time.

pip install c7n_left


$ c7n-left run --help

Usage: c7n-left run [OPTIONS]

  evaluate policies against iac sources

  --format TEXT
  -p, --policy-dir PATH
  -d, --directory PATH
  -o, --output [cli|github|json]
  --output-file FILENAME
  --help                          Show this message and exit.

We’ll create a policy directory with a single policy file in it:

policies:
  - name: test
    resource: terraform.aws_s3_bucket
    # match any bucket that defines no server_side_encryption_configuration block
    filters:
      - server_side_encryption_configuration: absent

Now we can use it to evaluate a Terraform root module:

$ c7n-left run --policy-dir policies -d root_module
DEBUG:c7n.iac:Loaded 3 resources
Running 1 policies
DEBUG:c7n.iac:Filtered from 3 to 1 terraformresourcemanager
test - terraform.aws_s3_bucket
  25 resource "aws_s3_bucket" "example_c" {
  26   bucket = "c7n-aws-s3-encryption-audit-test-c"
  27   acl    = "private"
  28 }

Execution complete 0.01 seconds


If you're using this in GitHub Actions, we have a special output mode (`-o github`) for reporting annotations directly into the UI.
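As an added example (not part of the c7n_left project itself), here is a GitHub Actions workflow that installs c7n_left and runs the policy check on every pull request with the github output mode. It assumes the policies live in ./policies and the Terraform root module in ./root_module; the workflow name and the checkout/setup-python action versions are likewise assumptions.

```yaml
# Added example, not shipped with c7n_left. Assumes ./policies holds the
# policy files and ./root_module is the Terraform root module to evaluate.
name: iac-policy-check

on:
  pull_request:

# Least privilege: the job only needs to read repository contents.
permissions:
  contents: read

jobs:
  c7n-left:
    runs-on: ubuntu-latest   # Linux is one of the two supported platforms
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"   # the only Python version currently supported

      - name: Install c7n_left
        run: pip install c7n_left

      # With -o github, findings are printed as workflow commands that GitHub
      # turns into annotations on the run and the pull request, pointing at the
      # offending Terraform resource lines instead of a plain text report.
      - name: Evaluate policies against the Terraform root module
        run: c7n-left run --policy-dir policies -d root_module -o github
```

A policy match causes the step to surface as an annotation; you can additionally pass `--output-file` to keep a copy of the report as a build artifact.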