Comments (18)
@robertsigler I'm definitely in favor of including a --mugc
flag in the cli to do automated garbage collection of lambda policies but the problem i'm still facing here is that again, custodian doesn't have a definitive list of all policies that are supposed to be running in an account. adding a tag for the name of the policy file seems like a start to fixing this.
The original proposal for changing the prefix wouldn't be something that custodian would do "under the hood". Users would need to explicitly specify the function-prefix inside of their policies.
from cloud-custodian.
It seems to me that tagging the lambda funcs could help this... if each separate system running vault tagged the lambdas with a unique tag, they should be able to clean up only their own resources...
from cloud-custodian.
This isn't a default feature? If I remove something from a configuration; I'd expect it to be removed from my infrastructure. Kind of ironic that Cloud Custodian doesn't cleanup after itself - this may be a non-starter for me.
from cloud-custodian.
@desponda There's a separate tool for this in the git repository, called mugc.py in the tools/ops/ directory, with documentation in tools/ops/README.md
from cloud-custodian.
its available in multiple forms, mugc.py as well policylambda.py (same dir) which is a cfn style deploy tool.
its something we need to do additional engineering work on today i agree, but its more targeted atm for additional serverless provider implementations for parity
from cloud-custodian.
so its not part of the custodian cli, but i've dropped a mugc.py script in tools that will look at policy file and remove non current lambdas based on prefix and a cwe source. i'd like to add it to custodian proper, but the operation mode is implicit at the moment based on prefix and sniffing the event source, i'd like it to work against the deployed config file vs the current one to do a proper diff, but that will have to wait.
from cloud-custodian.
even with mugc to cleanup, its a separate step, it does seems like we need to have this as part of the default run semantics. we'll need to store the config to the output location to do a diff during run and auto-cleanup.
from cloud-custodian.
unfortunately its not quite as simple as a config file diff, as in many cases we have multiple config files run from separate systems targeting the account. at the moment using tools/mugc.py and passing in all config files intended to run against the account provides for the desired outcome.
from cloud-custodian.
@thomasbiddle we distribute a script: tools/ops/mugc.py to diff your aws lambda inventory against your current set of policies, as of now it's unsafe to delete during policy execution as a single policy file isn't necessarily the entire set of policies for a specific account. if you only use a single policy file, running mugc.py is straightforward and not much additional overhead. Perhaps we can include an option in the run command to include cleanup via mugc, but doing it by default is definitely not tenable imo
from cloud-custodian.
@thisisshi Makes sense. A flag to the run command would definitely make sense IMO!
When you state "single policy file" do you mean just that - a single policy file? Or do you mean a single run? (Pointing custodian at a set of files)
from cloud-custodian.
a single policy file containing all of the policies you would ever execute against your aws account or a set of files that are always executed together. For instance, policies can be separated as compliance/hygiene, or perhaps by cadence, a weekly/daily execution. In the case of splitting by cadence, you wouldn't be executing both at the same time, so there's a risk for removing the policies from one of the files when the other is executing. But, if you aren't doing that (running a single policy file or running the same set of files each time), you should be able to cleanup without fear of removing lambdas that should be there. running mugc as a separate tool enables you to consolidate all the policies together to ensure you're garbage collecting policies correctly.
from cloud-custodian.
another way around this would be to use the function-prefix
option in the various lambda modes and restricting mugc to only target lambdas with the prefix you specify in the policy
possible solution:
policies:
- name: prefixed-lambda
mode:
type: periodic
function-prefix: custodian-1
...
$ custodian run policy.yml -s output -v --mugc --mugc-prefix=custodian-1
this would deploy a lambda with the name: custodian-1-prefixed-lambda
and the mugc portion would only target lambdas that have the prefix custodian-1
we could extend this such that all weekly policies have the prefix custodian-weekly
and dailies with custodian-daily
to ensure that policies don't step on each other
from cloud-custodian.
@thisisshi It sounds like cleanup is already possible, provided that you provide a unique prefix for every policy file, and then call mugc for each policy file with that unique prefix. Is this something that could ever become the default behavior? It seems like a few of us were surprised when we removed a policy from our policy file and didn't see the deletion reflected in our account.
I expect people would be unhappy if their Lambda functions changed names without them 'opting in', so maybe Lambda functions could be tagged with the name of the policy file which manages them instead. Then, mugc could find all of the Lambda functions with that tag, and delete functions which are not defined in the policy file anymore.
There's still a use case through which an obsolete Lambda function could "leak" and go undeleted (that is, if you create a policy file with a cloudtrail policy in it, run cloud custodian with that policy file, and then delete the file), but I suspect that there is no way around this, so long as cloud custodian has no 'central authority' for which policies are supposed to exist in an account at a given time.
from cloud-custodian.
adding a tag for the name of the policy file seems like a start to fixing this.
I understand that this is just one of many possible solutions, but is this something that is in Capital One's backlog? If not, is it something that you would accept a pull request for?
from cloud-custodian.
@robertsigler definitely something we would like to see implemented, either by us or via pull request
from cloud-custodian.
@kapilt @thisisshi did this issue fall out of the radar? Was there any final recommendation?
from cloud-custodian.
I see this issue is still open, but is placed in the aws "Done" pipeline. Has this functionality made its way into the codebase (outside of mugc.py)?
from cloud-custodian.
What if there was an enabled
flag for each policy that was always set to true. If you set any of the policies to false then when custodian ran, it would automatically delete the policy. The end result would be a disabled policy in code but at least it would be removed from the infrastructure.
policies:
- name: prefixed-lambda
enabled: false
from cloud-custodian.
Related Issues (20)
- Datasync - Add list locations visibility
- Cloud Custodian Periodic Mode for analysing metrics filters working wrong compared to pull mode.
- Add support for SageMaker Hyperparameter Tuning Job resource
- Leverage IAM session policies to extend custodian actions to users safely HOT 1
- GCP: Error using service account from one project (A) to run policy on another projects (B) HOT 1
- Request to add support for region-wide support for AMI/EBS snapshot public access setting HOT 1
- No Handlers for S3 Data Access Point Account/ARN and ACLs
- Update documentation on ECS service action resize
- Error when getting max Percentage CPU on Azure VM HOT 1
- rds-snapshot instance filter not does not work HOT 2
- Include c7n_awscc in the official docker image, use recent version
- Add support for SageMaker Auto ML Job resource HOT 1
- Add support for SageMaker Compilation Job resource
- Tencent Cloud bucket encryption check fails for buckets that have encryption disabled
- custodian run doesn't allow (AWS) --region=all with non-default --profile
- aws - delete subscription filter on log group
- Add support for SageMaker Data Quality Job Definition resource
- azure-event-grid mode failing to make event subscription
- Add support for Sagemaker Processing Job resource
- Add support for Sagemaker Model Bias Job resource
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cloud-custodian.