Created
September 21, 2017 20:45
-
-
Save andrewalexander/9c528ccba3b62e743b5d858503ae5c4f to your computer and use it in GitHub Desktop.
Custodian Security Group Issue
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| policies: | |
| - name: ec2-invalid-sg-report | |
| resource: ec2 | |
| description: | | |
| Find all EC2 instances that are using soon-to-be-deprecated SGs | |
| filters: | |
| - type: value | |
| key: tag:ApplicationGroup | |
| value: ANDREWSTESTAPPLICATIONGROUP | |
| op: equal | |
| - type: security-group | |
| key: GroupName | |
| value: "LegacySecurityGroup-Common-Service" | |
| op: equal | |
| actions: | |
| - type: modify-security-groups | |
| add: sg-bdca74ce | |
| remove: matched | |
| #isolation-group: sg-bdca74ce #This line is used in case the last SG is removed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ custodian validate ec2-replace-old-all-instances.yml | |
| 2017-09-19 16:54:19,685: custodian.commands:ERROR Configuration invalid: ec2-replace-old-all-instances.yml | |
| 2017-09-19 16:54:19,687: custodian.commands:ERROR {'add': 'sg-bdca74ce', 'type': 'modify-security-groups', 'remove': 'matched'} is valid under each of {u'required': [u'add']}, {u'required': [u'add', u'remove']} | |
| Failed validating u'oneOf' in schema[8]: | |
| {u'additionalProperties': False, | |
| u'oneOf': [{u'required': [u'isolation-group', u'remove']}, | |
| {u'required': [u'add', u'remove']}, | |
| {u'required': [u'add']}], | |
| u'properties': {u'add': {u'oneOf': [{u'pattern': u'^sg-*', | |
| u'type': u'string'}, | |
| {u'items': {u'pattern': u'^sg-*', | |
| u'type': u'string'}, | |
| u'type': u'array'}]}, | |
| u'isolation-group': {u'oneOf': [{u'pattern': u'^sg-*', | |
| u'type': u'string'}, | |
| {u'items': {u'pattern': u'^sg-*', | |
| u'type': u'string'}, | |
| u'type': u'array'}]}, | |
| u'remove': {u'oneOf': [{u'items': {u'pattern': u'^sg-*', | |
| u'type': u'string'}, | |
| u'type': u'array'}, | |
| {u'enum': [u'matched', | |
| u'all', | |
| {u'pattern': u'^sg-*', | |
| u'type': u'string'}]}]}, | |
| u'type': {u'enum': [u'modify-security-groups']}}, | |
| u'type': u'object'} | |
| On instance: | |
| {'add': 'sg-bdca74ce', | |
| 'remove': 'matched', | |
| 'type': 'modify-security-groups'} | |
| 2017-09-19 16:54:19,687: custodian.commands:ERROR ec2-invalid-sg-report |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2017-09-19 19:57:34,539: root:ERROR specific_error failed, traceback, followed by fallback | |
| Traceback (most recent call last): | |
| File "/Users/andrew/anaconda3/envs/python36/lib/python3.6/site-packages/c7n/schema.py", line 61, in validate | |
| resp = specific_error(errors[0]) | |
| File "/Users/andrew/anaconda3/envs/python36/lib/python3.6/site-packages/c7n/schema.py", line 108, in specific_error | |
| return specific_error(e) | |
| File "/Users/andrew/anaconda3/envs/python36/lib/python3.6/site-packages/c7n/schema.py", line 128, in specific_error | |
| if e.absolute_schema_path[vidx] == found: | |
| IndexError: deque index out of range | |
| 2017-09-19 19:57:34,834: custodian.commands:ERROR Configuration invalid: ec2-replace-old-all-instances.yml | |
| 2017-09-19 19:57:34,836: custodian.commands:ERROR {'name': 'ec2-invalid-sg-report', 'resource': 'ec2', 'description': 'Find all EC2 instances that are using soon-to-be-deprecated SGs\n', 'filters': [{'type': 'value', 'key': 'tag:ApplicationGroup', 'value': 'ANDREWSTESTAPPLICATIONGROUP', 'op': 'equal'}, {'type': 'security-group', 'key': 'GroupName', 'value': 'LegacySecurityGroup-Common-Service', 'op': 'equal'}], 'actions': [{'type': 'modify-security-groups', 'add': 'sg-bdca74ce', 'remove': 'matched'}]} is not valid under any of the given schemas | |
| Failed validating 'anyOf' in schema['properties']['policies']['items']: | |
| {'anyOf': [{'$ref': '#/definitions/resources/iam-group/policy'}, | |
| {'$ref': '#/definitions/resources/iam-role/policy'}, | |
| {'$ref': '#/definitions/resources/iam-user/policy'}, | |
| {'$ref': '#/definitions/resources/iam-policy/policy'}, | |
| {'$ref': '#/definitions/resources/iam-profile/policy'}, | |
| {'$ref': '#/definitions/resources/iam-certificate/policy'}, | |
| {'$ref': '#/definitions/resources/account/policy'}, | |
| {'$ref': '#/definitions/resources/acm-certificate/policy'}, | |
| {'$ref': '#/definitions/resources/ami/policy'}, | |
| {'$ref': '#/definitions/resources/rest-api/policy'}, | |
| {'$ref': '#/definitions/resources/app-elb/policy'}, | |
| {'$ref': '#/definitions/resources/app-elb-target-group/policy'}, | |
| {'$ref': '#/definitions/resources/asg/policy'}, | |
| {'$ref': '#/definitions/resources/launch-config/policy'}, | |
| {'$ref': '#/definitions/resources/lambda/policy'}, | |
| {'$ref': '#/definitions/resources/batch-compute/policy'}, | |
| {'$ref': '#/definitions/resources/batch-definition/policy'}, | |
| {'$ref': '#/definitions/resources/cfn/policy'}, | |
| {'$ref': '#/definitions/resources/distribution/policy'}, | |
| {'$ref': '#/definitions/resources/streaming-distribution/policy'}, | |
| {'$ref': '#/definitions/resources/cloudsearch/policy'}, | |
| {'$ref': '#/definitions/resources/cloudtrail/policy'}, | |
| {'$ref': '#/definitions/resources/codecommit/policy'}, | |
| {'$ref': '#/definitions/resources/codebuild/policy'}, | |
| {'$ref': '#/definitions/resources/codepipeline/policy'}, | |
| {'$ref': '#/definitions/resources/identity-pool/policy'}, | |
| {'$ref': '#/definitions/resources/user-pool/policy'}, | |
| {'$ref': '#/definitions/resources/alarm/policy'}, | |
| {'$ref': '#/definitions/resources/event-rule/policy'}, | |
| {'$ref': '#/definitions/resources/log-group/policy'}, | |
| {'$ref': '#/definitions/resources/directory/policy'}, | |
| {'$ref': '#/definitions/resources/cloud-directory/policy'}, | |
| {'$ref': '#/definitions/resources/directconnect/policy'}, | |
| {'$ref': '#/definitions/resources/dynamodb-table/policy'}, | |
| {'$ref': '#/definitions/resources/dynamodb-stream/policy'}, | |
| {'$ref': '#/definitions/resources/datapipeline/policy'}, | |
| {'$ref': '#/definitions/resources/kms/policy'}, | |
| {'$ref': '#/definitions/resources/kms-key/policy'}, | |
| {'$ref': '#/definitions/resources/ebs-snapshot/policy'}, | |
| {'$ref': '#/definitions/resources/ebs/policy'}, | |
| {'$ref': '#/definitions/resources/ec2/policy'}, | |
| {'$ref': '#/definitions/resources/ecr/policy'}, | |
| {'$ref': '#/definitions/resources/ecs/policy'}, | |
| {'$ref': '#/definitions/resources/efs/policy'}, | |
| {'$ref': '#/definitions/resources/efs-mount-target/policy'}, | |
| {'$ref': '#/definitions/resources/cache-cluster/policy'}, | |
| {'$ref': '#/definitions/resources/cache-subnet-group/policy'}, | |
| {'$ref': '#/definitions/resources/cache-snapshot/policy'}, | |
| {'$ref': '#/definitions/resources/elasticbeanstalk/policy'}, | |
| {'$ref': '#/definitions/resources/elasticsearch/policy'}, | |
| {'$ref': '#/definitions/resources/elb/policy'}, | |
| {'$ref': '#/definitions/resources/emr/policy'}, | |
| {'$ref': '#/definitions/resources/gamelift-build/policy'}, | |
| {'$ref': '#/definitions/resources/gamelift-fleet/policy'}, | |
| {'$ref': '#/definitions/resources/glacier/policy'}, | |
| {'$ref': '#/definitions/resources/health-event/policy'}, | |
| {'$ref': '#/definitions/resources/hsm/policy'}, | |
| {'$ref': '#/definitions/resources/hsm-hapg/policy'}, | |
| {'$ref': '#/definitions/resources/hsm-client/policy'}, | |
| {'$ref': '#/definitions/resources/iot/policy'}, | |
| {'$ref': '#/definitions/resources/kinesis/policy'}, | |
| {'$ref': '#/definitions/resources/firehose/policy'}, | |
| {'$ref': '#/definitions/resources/kinesis-analytics/policy'}, | |
| {'$ref': '#/definitions/resources/ml-model/policy'}, | |
| {'$ref': '#/definitions/resources/opswork-stack/policy'}, | |
| {'$ref': '#/definitions/resources/opswork-cm/policy'}, | |
| {'$ref': '#/definitions/resources/rds/policy'}, | |
| {'$ref': '#/definitions/resources/rds-subscription/policy'}, | |
| {'$ref': '#/definitions/resources/rds-snapshot/policy'}, | |
| {'$ref': '#/definitions/resources/rds-subnet-group/policy'}, | |
| {'$ref': '#/definitions/resources/rds-param-group/policy'}, | |
| {'$ref': '#/definitions/resources/rds-cluster-param-group/policy'}, | |
| {'$ref': '#/definitions/resources/rds-cluster/policy'}, | |
| {'$ref': '#/definitions/resources/rds-cluster-snapshot/policy'}, | |
| {'$ref': '#/definitions/resources/redshift/policy'}, | |
| {'$ref': '#/definitions/resources/redshift-subnet-group/policy'}, | |
| {'$ref': '#/definitions/resources/redshift-snapshot/policy'}, | |
| {'$ref': '#/definitions/resources/hostedzone/policy'}, | |
| {'$ref': '#/definitions/resources/healthcheck/policy'}, | |
| {'$ref': '#/definitions/resources/rrset/policy'}, | |
| {'$ref': '#/definitions/resources/r53domain/policy'}, | |
| {'$ref': '#/definitions/resources/s3/policy'}, | |
| {'$ref': '#/definitions/resources/step-machine/policy'}, | |
| {'$ref': '#/definitions/resources/shield-protection/policy'}, | |
| {'$ref': '#/definitions/resources/shield-attack/policy'}, | |
| {'$ref': '#/definitions/resources/simpledb/policy'}, | |
| {'$ref': '#/definitions/resources/snowball-cluster/policy'}, | |
| {'$ref': '#/definitions/resources/snowball/policy'}, | |
| {'$ref': '#/definitions/resources/sns/policy'}, | |
| {'$ref': '#/definitions/resources/storage-gateway/policy'}, | |
| {'$ref': '#/definitions/resources/sqs/policy'}, | |
| {'$ref': '#/definitions/resources/support-case/policy'}, | |
| {'$ref': '#/definitions/resources/vpc/policy'}, | |
| {'$ref': '#/definitions/resources/subnet/policy'}, | |
| {'$ref': '#/definitions/resources/security-group/policy'}, | |
| {'$ref': '#/definitions/resources/eni/policy'}, | |
| {'$ref': '#/definitions/resources/route-table/policy'}, | |
| {'$ref': '#/definitions/resources/peering-connection/policy'}, | |
| {'$ref': '#/definitions/resources/network-acl/policy'}, | |
| {'$ref': '#/definitions/resources/network-addr/policy'}, | |
| {'$ref': '#/definitions/resources/customer-gateway/policy'}, | |
| {'$ref': '#/definitions/resources/internet-gateway/policy'}, | |
| {'$ref': '#/definitions/resources/nat-gateway/policy'}, | |
| {'$ref': '#/definitions/resources/vpn-connection/policy'}, | |
| {'$ref': '#/definitions/resources/vpn-gateway/policy'}, | |
| {'$ref': '#/definitions/resources/vpc-endpoint/policy'}, | |
| {'$ref': '#/definitions/resources/key-pair/policy'}, | |
| {'$ref': '#/definitions/resources/waf/policy'}, | |
| {'$ref': '#/definitions/resources/waf-regional/policy'}]} | |
| On instance['policies'][0]: | |
| {'actions': [{'add': 'sg-bdca74ce', | |
| 'remove': 'matched', | |
| 'type': 'modify-security-groups'}], | |
| 'description': 'Find all EC2 instances that are using ' | |
| 'soon-to-be-deprecated Gen1 SGs\n', | |
| 'filters': [{'key': 'tag:ApplicationGroup', | |
| 'op': 'equal', | |
| 'type': 'value', | |
| 'value': 'ANDREWSTESTAPPLICATIONGROUP'}, | |
| {'key': 'GroupName', | |
| 'op': 'equal', | |
| 'type': 'security-group', | |
| 'value': 'LegacySecurityGroup-Common-Service'}], | |
| 'name': 'ec2-invalid-sg-report', | |
| 'resource': 'ec2'} | |
| 2017-09-19 19:57:34,836: custodian.commands:ERROR 'security-group' is not one of ['event'] | |
| Failed validating 'enum' in schema[0]['properties']['type']: | |
| {'enum': ['event']} | |
| On instance['type']: | |
| 'security-group' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment