Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/c7n/resources/cw.py: 56%

1# Copyright The Cloud Custodian Authors. 

2# SPDX-License-Identifier: Apache-2.0 

3import itertools 

4from collections import defaultdict 

5from concurrent.futures import as_completed 

6from datetime import datetime, timedelta 

7 

8import botocore.exceptions 

9from c7n import query 

10from c7n.actions import BaseAction 

11from c7n.exceptions import PolicyValidationError 

12from c7n.filters import Filter, MetricsFilter 

13from c7n.filters.core import parse_date, ValueFilter 

14from c7n.filters.iamaccess import CrossAccountAccessFilter 

15from c7n.filters.related import ChildResourceFilter 

16from c7n.filters.kms import KmsRelatedFilter 

17from c7n.query import ( 

18 QueryResourceManager, ChildResourceManager, 

19 TypeInfo, DescribeSource, ConfigSource, DescribeWithResourceTags) 

20from c7n.manager import resources 

21from c7n.resolver import ValuesFrom 

22from c7n.resources import load_resources 

23from c7n.resources.aws import ArnResolver 

24from c7n.query import RetryPageIterator 

25from c7n.tags import universal_augment 

26from c7n.utils import type_schema, local_session, chunks, get_retry, jmespath_search 

27from botocore.config import Config 

28import re 

29 

30 

31class DescribeAlarm(DescribeSource): 

32 def augment(self, resources): 

33 return universal_augment(self.manager, super().augment(resources)) 

34 

35 

36@resources.register('alarm') 

37class Alarm(QueryResourceManager): 

38 class resource_type(TypeInfo): 

39 service = 'cloudwatch' 

40 arn_type = 'alarm' 

41 enum_spec = ('describe_alarms', 'MetricAlarms', None) 

42 id = 'AlarmName' 

43 arn = 'AlarmArn' 

44 filter_name = 'AlarmNames' 

45 filter_type = 'list' 

46 name = 'AlarmName' 

47 date = 'AlarmConfigurationUpdatedTimestamp' 

48 cfn_type = config_type = 'AWS::CloudWatch::Alarm' 

49 universal_taggable = object() 

50 permissions_augment = ("cloudwatch:ListTagsForResource",) 

51 

52 source_mapping = { 

53 'describe': DescribeAlarm, 

54 'config': ConfigSource 

55 } 

56 

57 retry = staticmethod(get_retry(('Throttled',))) 

58 

59 

60@Alarm.action_registry.register('delete') 

61class AlarmDelete(BaseAction): 

62 """Delete a cloudwatch alarm. 

63 

64 :example: 

65 

66 .. code-block:: yaml 

67 

68 policies: 

69 - name: cloudwatch-delete-stale-alarms 

70 resource: alarm 

71 filters: 

72 - type: value 

73 value_type: age 

74 key: StateUpdatedTimestamp 

75 value: 30 

76 op: ge 

77 - StateValue: INSUFFICIENT_DATA 

78 actions: 

79 - delete 

80 """ 

81 

82 schema = type_schema('delete') 

83 permissions = ('cloudwatch:DeleteAlarms',) 

84 

85 def process(self, resources): 

86 client = local_session( 

87 self.manager.session_factory).client('cloudwatch') 

88 

89 for resource_set in chunks(resources, size=100): 

90 self.manager.retry( 

91 client.delete_alarms, 

92 AlarmNames=[r['AlarmName'] for r in resource_set]) 

93 

94 

95@Alarm.filter_registry.register('is-composite-child') 

96class IsCompositeChild(Filter): 

97 schema = type_schema('is-composite-child', state={"type": "boolean"}) 

98 permissions = ('cloudwatch:DescribeAlarms',) 

99 

100 def process(self, resources, event=None): 

101 state = self.data.get("state", True) 

102 # Get the composite alarms since filtered out in enum_spec 

103 composite_alarms = self.manager.get_resource_manager("composite-alarm").resources() 

104 composite_alarm_rules = jmespath_search('[].AlarmRule', composite_alarms) 

105 

106 child_alarm_names = set() 

107 # Loop through, find child alarm names 

108 for rule in composite_alarm_rules: 

109 names = self.extract_alarm_names_from_rule(rule) 

110 child_alarm_names.update(names) 

111 

112 if state: 

113 # If we want to filter out alarms that are a child of a composite alarm 

114 return [r for r in resources if r['AlarmName'] in child_alarm_names] 

115 

116 return [r for r in resources if r['AlarmName'] not in child_alarm_names] 

117 

118 def extract_alarm_names_from_rule(self, rule): 

119 # Check alarm references (OK/ALARM/INSUFFICIENT_DATA) 

120 pattern = r"\b(?:ALARM|OK|INSUFFICIENT_DATA)\s*\(\s*([^\)]+)\s*\)" 

121 matches = re.findall(pattern, rule) 

122 return set(matches) 

123 

124 

125@resources.register('composite-alarm') 

126class CompositeAlarm(QueryResourceManager): 

127 

128 class resource_type(TypeInfo): 

129 service = 'cloudwatch' 

130 arn_type = 'alarm' 

131 enum_spec = ('describe_alarms', 'CompositeAlarms', {'AlarmTypes': ['CompositeAlarm']}) 

132 id = name = 'AlarmName' 

133 arn = 'AlarmArn' 

134 date = 'AlarmConfigurationUpdatedTimestamp' 

135 cfn_type = 'AWS::CloudWatch::CompositeAlarm' 

136 universal_taggable = object() 

137 

138 augment = universal_augment 

139 

140 retry = staticmethod(get_retry(('Throttled',))) 

141 

142 

143@CompositeAlarm.action_registry.register('delete') 

144class CompositeAlarmDelete(BaseAction): 

145 """Delete a cloudwatch composite alarm. 

146 

147 :example: 

148 

149 .. code-block:: yaml 

150 

151 policies: 

152 - name: cloudwatch-delete-composite-alarms 

153 resource: aws.composite-alarm 

154 filters: 

155 - type: value 

156 value_type: age 

157 key: StateUpdatedTimestamp 

158 value: 30 

159 op: ge 

160 - StateValue: INSUFFICIENT_DATA 

161 actions: 

162 - delete 

163 """ 

164 

165 schema = type_schema('delete') 

166 permissions = ('cloudwatch:DeleteAlarms',) 

167 

168 def process(self, resources): 

169 client = local_session( 

170 self.manager.session_factory).client('cloudwatch') 

171 

172 for resource_set in chunks(resources, size=100): 

173 self.manager.retry( 

174 client.delete_alarms, 

175 AlarmNames=[r['AlarmName'] for r in resource_set]) 

176 

177 

178@resources.register('event-bus') 

179class EventBus(QueryResourceManager): 

180 class resource_type(TypeInfo): 

181 service = 'events' 

182 arn_type = 'event-bus' 

183 arn = 'Arn' 

184 enum_spec = ('list_event_buses', 'EventBuses', None) 

185 detail_spec = ('describe_event_bus', 'Name', 'Name', None) 

186 config_type = cfn_type = 'AWS::Events::EventBus' 

187 id = name = 'Name' 

188 universal_taggable = object() 

189 permissions_augment = ("events:ListTagsForResource",) 

190 

191 source_mapping = {'describe': DescribeWithResourceTags, 

192 'config': ConfigSource} 

193 

194 

195@EventBus.filter_registry.register('cross-account') 

196class EventBusCrossAccountFilter(CrossAccountAccessFilter): 

197 # dummy permission 

198 permissions = ('events:ListEventBuses',) 

199 

200 

201@EventBus.filter_registry.register('kms-key') 

202class EventBusKmsFilter(KmsRelatedFilter): 

203 RelatedIdsExpression = 'KmsKeyIdentifier' 

204 

205 

206@EventBus.action_registry.register('delete') 

207class EventBusDelete(BaseAction): 

208 """Delete an event bus. 

209 

210 :example: 

211 

212 .. code-block:: yaml 

213 

214 policies: 

215 - name: cloudwatch-delete-event-bus 

216 resource: aws.event-bus 

217 filters: 

218 - Name: test-event-bus 

219 actions: 

220 - delete 

221 """ 

222 

223 schema = type_schema('delete') 

224 permissions = ('events:DeleteEventBus',) 

225 

226 def process(self, resources): 

227 client = local_session( 

228 self.manager.session_factory).client('events') 

229 

230 for resource_set in chunks(resources, size=100): 

231 for r in resource_set: 

232 self.manager.retry( 

233 client.delete_event_bus, 

234 Name=r['Name']) 

235 

236 

237class EventRuleQuery(query.ChildResourceQuery): 

238 

239 def get_parent_parameters(self, params, parent_id, parent_key): 

240 merged_params = dict(params) 

241 merged_params[parent_key] = parent_id 

242 return merged_params 

243 

244 

245@query.sources.register('event-rule') 

246class EventRuleSource(query.ChildDescribeSource): 

247 

248 resource_query_factory = EventRuleQuery 

249 

250 def augment(self, resources): 

251 return universal_augment(self.manager, resources) 

252 

253 

254@resources.register('event-rule') 

255class EventRule(ChildResourceManager): 

256 

257 child_source = 'event-rule' 

258 class resource_type(TypeInfo): 

259 service = 'events' 

260 arn = 'Arn' 

261 enum_spec = ('list_rules', 'Rules', None) 

262 parent_spec = ('event-bus', 'EventBusName', None) 

263 name = "Name" 

264 id = "Name" 

265 filter_name = "NamePrefix" 

266 filter_type = "scalar" 

267 config_type = cfn_type = 'AWS::Events::Rule' 

268 universal_taggable = object() 

269 permissions_augment = ("events:ListTagsForResource",) 

270 

271 

272@EventRule.filter_registry.register('metrics') 

273class EventRuleMetrics(MetricsFilter): 

274 

275 def get_dimensions(self, resource): 

276 return [{'Name': 'RuleName', 'Value': resource['Name']}] 

277 

278 

279class EventChildResourceFilter(ChildResourceFilter): 

280 

281 # This function provides custom functionality to query event-rule-targets 

282 # using both event-rule and event-bus information. 

283 def get_related(self, resources): 

284 self.child_resources = {} 

285 child_resource_manager = self.get_resource_manager() 

286 client = local_session(child_resource_manager.session_factory).client('events') 

287 paginator_targets = client.get_paginator('list_targets_by_rule') 

288 paginator_targets.PAGE_ITERATOR_CLS = RetryPageIterator 

289 

290 for r in resources: 

291 targets = paginator_targets.paginate(EventBusName=r['EventBusName'], Rule=r['Name']) \ 

292 .build_full_result().get('Targets', []) 

293 for target in targets: 

294 target[self.ChildResourceParentKey] = r['Name'] 

295 self.child_resources.setdefault(target[self.ChildResourceParentKey], []) \ 

296 .append(target) 

297 

298 return self.child_resources 

299 

300 

301@EventRule.filter_registry.register('event-rule-target') 

302class EventRuleTargetFilter(EventChildResourceFilter): 

303 

304 """ 

305 Filter event rules by their targets 

306 

307 :example: 

308 

309 .. code-block:: yaml 

310 

311 policies: 

312 - name: find-event-rules-with-no-targets 

313 resource: aws.event-rule 

314 filters: 

315 - type: event-rule-target 

316 key: "@" 

317 value: empty 

318 

319 - name: find-event-rules-by-target-properties 

320 resource: aws.event-rule 

321 filters: 

322 - type: event-rule-target 

323 key: "[].Arn" 

324 op: contains 

325 value: "arn:aws:sqs:us-east-2:111111111111:my-queue" 

326 """ 

327 

328 RelatedResource = "c7n.resources.cw.EventRuleTarget" 

329 RelatedIdsExpression = 'Name' 

330 AnnotationKey = "EventRuleTargets" 

331 

332 schema = type_schema('event-rule-target', rinherit=ValueFilter.schema) 

333 permissions = ('events:ListTargetsByRule',) 

334 

335 

336@EventRule.filter_registry.register('invalid-targets') 

337class ValidEventRuleTargetFilter(EventChildResourceFilter): 

338 """ 

339 Filter event rules for invalid targets, Use the `all` option to 

340 find any event rules that have all invalid targets, otherwise 

341 defaults to filtering any event rule with at least one invalid 

342 target. 

343 

344 :example: 

345 

346 .. code-block:: yaml 

347 

348 policies: 

349 - name: find-event-rules-with-invalid-targets 

350 resource: aws.event-rule 

351 filters: 

352 - type: invalid-targets 

353 all: true # defaults to false 

354 """ 

355 

356 RelatedResource = "c7n.resources.cw.EventRuleTarget" 

357 RelatedIdsExpression = 'Name' 

358 AnnotationKey = "EventRuleTargets" 

359 

360 schema = type_schema( 

361 'invalid-targets', 

362 **{ 

363 'all': { 

364 'type': 'boolean', 

365 'default': False 

366 } 

367 } 

368 ) 

369 

370 permissions = ('events:ListTargetsByRule',) 

371 supported_resources = ( 

372 "aws.sqs", 

373 "aws.event-bus", 

374 "aws.lambda", 

375 "aws.ecs", 

376 "aws.ecs-task", 

377 "aws.kinesis", 

378 "aws.sns", 

379 "aws.ssm-parameter", 

380 "aws.batch-compute", 

381 "aws.codepipeline", 

382 "aws.step-machine", 

383 ) 

384 

385 def validate(self): 

386 """ 

387 Empty validate here to bypass the validation found in the base value filter 

388 as we're inheriting from the ChildResourceFilter/RelatedResourceFilter 

389 """ 

390 return self 

391 

392 def get_rules_with_children(self, resources): 

393 """ 

394 Augments resources by adding the c7n:ChildArns to the resource dict 

395 """ 

396 

397 results = [] 

398 

399 # returns a map of {parent_reosurce_id: [{child_resource}, {child_resource2}, etc.]} 

400 child_resources = self.get_related(resources) 

401 

402 # maps resources by their name to their data 

403 for r in resources: 

404 if child_resources.get(r['Name']): 

405 for c in child_resources[r['Name']]: 

406 r.setdefault('c7n:ChildArns', []).append(c['Arn']) 

407 results.append(r) 

408 return results 

409 

410 def process(self, resources, event=None): 

411 # Due to lazy loading of resources, we need to explicilty load the following 

412 # potential targets for a event rule target: 

413 

414 load_resources(list(self.supported_resources)) 

415 arn_resolver = ArnResolver(self.manager) 

416 resources = self.get_rules_with_children(resources) 

417 resources = [r for r in resources if self.filter_unsupported_resources(r)] 

418 results = [] 

419 

420 if self.data.get('all'): 

421 op = any 

422 else: 

423 op = all 

424 

425 for r in resources: 

426 resolved = arn_resolver.resolve(r['c7n:ChildArns']) 

427 if not op(resolved.values()): 

428 for i, j in resolved.items(): 

429 if not j: 

430 r.setdefault('c7n:InvalidTargets', []).append(i) 

431 results.append(r) 

432 return results 

433 

434 def filter_unsupported_resources(self, r): 

435 for carn in r.get('c7n:ChildArns'): 

436 if 'aws.' + str(ArnResolver.resolve_type(carn)) not in self.supported_resources: 

437 self.log.info( 

438 f"Skipping resource {r.get('Arn')}, target type {carn} is not supported") 

439 return False 

440 return True 

441 

442 

443@EventRule.action_registry.register('delete') 

444class EventRuleDelete(BaseAction): 

445 """ 

446 Delete an event rule, force target removal with the `force` option 

447 

448 :example: 

449 

450 .. code-block:: yaml 

451 

452 policies: 

453 - name: force-delete-rules 

454 resource: aws.event-rule 

455 filters: 

456 - Name: my-event-rule 

457 actions: 

458 - type: delete 

459 force: true 

460 """ 

461 

462 schema = type_schema('delete', force={'type': 'boolean'}) 

463 permissions = ('events:DeleteRule', 'events:RemoveTargets', 'events:ListTargetsByRule',) 

464 

465 def process(self, resources): 

466 client = local_session(self.manager.session_factory).client('events') 

467 children = {} 

468 target_error_msg = "Rule can't be deleted since it has targets." 

469 for r in resources: 

470 try: 

471 client.delete_rule(Name=r['Name'], EventBusName=r['EventBusName']) 

472 except botocore.exceptions.ClientError as e: 

473 if e.response['Error']['Message'] != target_error_msg: 

474 raise 

475 if not self.data.get('force'): 

476 self.log.warning( 

477 'Unable to delete %s event rule due to attached rule targets,' 

478 'set force to true to remove targets' % r['Name']) 

479 raise 

480 child_manager = self.manager.get_resource_manager('aws.event-rule-target') 

481 if not children: 

482 children = EventRuleTargetFilter({}, child_manager).get_related(resources) 

483 targets = list(set([t['Id'] for t in children.get(r['Name'])])) 

484 client.remove_targets(Rule=r['Name'], Ids=targets, EventBusName=r['EventBusName']) 

485 client.delete_rule(Name=r['Name'], EventBusName=r['EventBusName']) 

486 

487 

488@EventRule.action_registry.register('set-rule-state') 

489class SetRuleState(BaseAction): 

490 """ 

491 This action allows to enable/disable a rule 

492 

493 :example: 

494 

495 .. code-block:: yaml 

496 

497 policies: 

498 - name: test-rule 

499 resource: aws.event-rule 

500 filters: 

501 - Name: my-event-rule 

502 actions: 

503 - type: set-rule-state 

504 enabled: true 

505 """ 

506 

507 schema = type_schema( 

508 'set-rule-state', 

509 **{'enabled': {'default': True, 'type': 'boolean'}} 

510 ) 

511 permissions = ('events:EnableRule', 'events:DisableRule',) 

512 

513 def process(self, resources): 

514 config = Config( 

515 retries={ 

516 'max_attempts': 8, 

517 'mode': 'standard' 

518 } 

519 ) 

520 client = local_session(self.manager.session_factory).client('events', config=config) 

521 retry = get_retry(('TooManyRequestsException', 'ResourceConflictException')) 

522 enabled = self.data.get('enabled') 

523 for resource in resources: 

524 try: 

525 if enabled: 

526 retry( 

527 client.enable_rule, 

528 Name=resource['Name'] 

529 ) 

530 else: 

531 retry( 

532 client.disable_rule, 

533 Name=resource['Name'] 

534 ) 

535 except (client.exceptions.ResourceNotFoundException, 

536 client.exceptions.ManagedRuleException): 

537 continue 

538 

539 

540class EventRuleTargetQuery(query.ChildResourceQuery): 

541 

542 # This function provides custom functionality to query event-rule-targets 

543 # using both event-rule and event-bus information. 

544 def filter(self, resource_manager, parent_ids=None, **params): 

545 """Query a set of resources.""" 

546 m = self.resolve(resource_manager.resource_type) 

547 client = local_session(self.session_factory).client(m.service) 

548 

549 enum_op, path, extra_args = m.enum_spec 

550 if extra_args: 

551 params.update(extra_args) 

552 

553 parent_type, parent_key, annotate_parent = m.parent_spec 

554 parents = self.manager.get_resource_manager(parent_type) 

555 parent_resources = [] 

556 for p in parents.resources(augment=False): 

557 parent_resources.append((p)) 

558 

559 # Have to query separately for each parent's children. 

560 results = [] 

561 for parent in parent_resources: 

562 params['EventBusName'] = parent['EventBusName'] 

563 merged_params = self.get_parent_parameters(params, parent['Name'], parent_key) 

564 subset = self._invoke_client_enum( 

565 client, enum_op, merged_params, path, retry=self.manager.retry) 

566 if annotate_parent: 

567 for r in subset: 

568 r[self.parent_key] = parent['Name'] 

569 r[parent_key] = parent 

570 if subset: 

571 results.extend(subset) 

572 return results 

573 

574 def get_parent_parameters(self, params, parent_id, parent_key): 

575 merged_params = dict(params) 

576 merged_params[parent_key] = parent_id 

577 return merged_params 

578 

579 

580@query.sources.register('event-rule-target') 

581class EventRuleTargetSource(query.ChildDescribeSource): 

582 

583 resource_query_factory = EventRuleTargetQuery 

584 

585 

586@resources.register('event-rule-target') 

587class EventRuleTarget(ChildResourceManager): 

588 

589 child_source = 'event-rule-target' 

590 class resource_type(TypeInfo): 

591 service = 'events' 

592 arn = False 

593 arn_type = 'event-rule-target' 

594 enum_spec = ('list_targets_by_rule', 'Targets', None) 

595 parent_spec = ('event-rule', 'Rule', True) 

596 name = id = 'Id' 

597 

598 

599@EventRuleTarget.filter_registry.register('cross-account') 

600class CrossAccountFilter(CrossAccountAccessFilter): 

601 schema = type_schema( 

602 'cross-account', 

603 # white list accounts 

604 whitelist_from=ValuesFrom.schema, 

605 whitelist={'type': 'array', 'items': {'type': 'string'}}) 

606 

607 # dummy permission 

608 permissions = ('events:ListTargetsByRule',) 

609 

610 def __call__(self, r): 

611 account_id = r['Arn'].split(':', 5)[4] 

612 return account_id not in self.accounts 

613 

614 

615@EventRuleTarget.action_registry.register('delete') 

616class DeleteTarget(BaseAction): 

617 schema = type_schema('delete') 

618 permissions = ('events:RemoveTargets',) 

619 

620 def process(self, resources): 

621 client = local_session(self.manager.session_factory).client('events') 

622 rule_targets = {} 

623 for r in resources: 

624 event_bus = r['Rule']['EventBusName'] 

625 rule_id = r['c7n:parent-id'] 

626 rule_targets.setdefault((rule_id, event_bus), []).append(r['Id']) 

627 

628 for (rule_id, event_bus), target_ids in rule_targets.items(): 

629 client.remove_targets( 

630 Ids=target_ids, 

631 Rule=rule_id, 

632 EventBusName=event_bus) 

633 

634 

635@resources.register('log-group') 

636class LogGroup(QueryResourceManager): 

637 class resource_type(TypeInfo): 

638 service = 'logs' 

639 arn_type = 'log-group' 

640 enum_spec = ('describe_log_groups', 'logGroups', None) 

641 id = name = 'logGroupName' 

642 arn = 'arn' # see get-arns override re attribute usage 

643 filter_name = 'logGroupNamePrefix' 

644 filter_type = 'scalar' 

645 dimension = 'LogGroupName' 

646 date = 'creationTime' 

647 universal_taggable = True 

648 cfn_type = 'AWS::Logs::LogGroup' 

649 permissions_augment = ("logs:ListTagsForResource",) 

650 

651 augment = universal_augment 

652 

653 def get_arns(self, resources): 

654 # log group arn in resource describe has ':*' suffix, not all 

655 # apis can use that form, so normalize to standard arn. 

656 return [r['arn'][:-2] for r in resources] 

657 

658 

659@resources.register('insight-rule') 

660class InsightRule(QueryResourceManager): 

661 class resource_type(TypeInfo): 

662 service = 'cloudwatch' 

663 arn_type = 'insight-rule' 

664 enum_spec = ('describe_insight_rules', 'InsightRules', None) 

665 name = id = 'Name' 

666 universal_taggable = object() 

667 permission_augment = ('cloudWatch::ListTagsForResource',) 

668 cfn_type = 'AWS::CloudWatch::InsightRule' 

669 

670 def augment(self, rules): 

671 client = local_session(self.session_factory).client('cloudwatch') 

672 

673 def _add_tags(r): 

674 arn = self.generate_arn(r['Name']) 

675 r['Tags'] = client.list_tags_for_resource( 

676 ResourceARN=arn).get('Tags', []) 

677 return r 

678 

679 return list(map(_add_tags, rules)) 

680 

681 

682@InsightRule.action_registry.register('disable') 

683class InsightRuleDisable(BaseAction): 

684 """Disable a cloudwatch contributor insight rule. 

685 

686 :example: 

687 

688 .. code-block:: yaml 

689 

690 policies: 

691 - name: cloudwatch-disable-insight-rule 

692 resource: insight-rule 

693 filters: 

694 - type: value 

695 key: State 

696 value: ENABLED 

697 op: eq 

698 actions: 

699 - disable 

700 """ 

701 

702 schema = type_schema('disable') 

703 permissions = ('cloudwatch:DisableInsightRules',) 

704 

705 def process(self, resources): 

706 client = local_session( 

707 self.manager.session_factory).client('cloudwatch') 

708 

709 for resource_set in chunks(resources, size=100): 

710 self.manager.retry( 

711 client.disable_insight_rules, 

712 RuleNames=[r['Name'] for r in resource_set]) 

713 

714 

715@InsightRule.action_registry.register('delete') 

716class InsightRuleDelete(BaseAction): 

717 """Delete a cloudwatch contributor insight rule 

718 

719 :example: 

720 

721 .. code-block:: yaml 

722 

723 policies: 

724 - name: cloudwatch-delete-insight-rule 

725 resource: insight-rule 

726 filters: 

727 - type: value 

728 key: State 

729 value: ENABLED 

730 op: eq 

731 actions: 

732 - delete 

733 """ 

734 

735 schema = type_schema('delete') 

736 permissions = ('cloudwatch:DeleteInsightRules',) 

737 

738 def process(self, resources): 

739 client = local_session( 

740 self.manager.session_factory).client('cloudwatch') 

741 

742 for resource_set in chunks(resources, size=100): 

743 self.manager.retry( 

744 client.delete_insight_rules, 

745 RuleNames=[r['Name'] for r in resource_set]) 

746 

747 

748@LogGroup.filter_registry.register('metrics') 

749class LogGroupMetrics(MetricsFilter): 

750 

751 def get_dimensions(self, resource): 

752 return [{'Name': 'LogGroupName', 'Value': resource['logGroupName']}] 

753 

754 

755@resources.register('log-metric') 

756class LogMetric(QueryResourceManager): 

757 class resource_type(TypeInfo): 

758 service = 'logs' 

759 enum_spec = ('describe_metric_filters', 'metricFilters', None) 

760 arn = False 

761 id = name = 'filterName' 

762 date = 'creationTime' 

763 cfn_type = 'AWS::Logs::MetricFilter' 

764 

765 

766@LogMetric.filter_registry.register('alarm') 

767class LogMetricAlarmFilter(ValueFilter): 

768 """ 

769 Filter log metric filters based on associated alarms. 

770 

771 :example: 

772 

773 .. code-block:: yaml 

774 

775 policies: 

776 - name: log-metrics-with-alarms 

777 resource: aws.log-metric 

778 filters: 

779 - type: alarm 

780 key: AlarmName 

781 value: present 

782 """ 

783 

784 schema = type_schema('alarm', rinherit=ValueFilter.schema) 

785 annotation_key = 'c7n:MetricAlarms' 

786 FetchThreshold = 10 # below this number of resources, fetch alarms individually 

787 

788 def augment(self, resources): 

789 """Add alarm details to log metric filter resources 

790 

791 This includes all alarms where the metric name and namespace match 

792 a log metric filter's metric transformation. 

793 """ 

794 

795 if len(resources) < self.FetchThreshold: 

796 client = local_session(self.manager.session_factory).client('cloudwatch') 

797 for r in resources: 

798 r[self.annotation_key] = list(itertools.chain(*( 

799 self.manager.retry( 

800 client.describe_alarms_for_metric, 

801 Namespace=t['metricNamespace'], 

802 MetricName=t['metricName'])['MetricAlarms'] 

803 for t in r.get('metricTransformations', ()) 

804 ))) 

805 else: 

806 alarms = self.manager.get_resource_manager('aws.alarm').resources() 

807 

808 # We'll be matching resources to alarms based on namespace and 

809 # metric name - this lookup table makes that smoother 

810 alarms_by_metric = defaultdict(list) 

811 for alarm in alarms: 

812 alarms_by_metric[(alarm['Namespace'], alarm['MetricName'])].append(alarm) 

813 

814 for r in resources: 

815 r[self.annotation_key] = list(itertools.chain(*( 

816 alarms_by_metric.get((t['metricNamespace'], t['metricName']), []) 

817 for t in r.get('metricTransformations', ()) 

818 ))) 

819 

820 def get_permissions(self): 

821 return [ 

822 *self.manager.get_resource_manager('aws.alarm').get_permissions(), 

823 'cloudwatch:DescribeAlarmsForMetric' 

824 ] 

825 

826 def process(self, resources, event=None): 

827 self.augment(resources) 

828 

829 matched = [] 

830 for r in resources: 

831 if any((self.match(alarm) for alarm in r[self.annotation_key])): 

832 matched.append(r) 

833 return matched 

834 

835 

836@LogGroup.action_registry.register('retention') 

837class Retention(BaseAction): 

838 """Action to set the retention period (in days) for CloudWatch log groups 

839 

840 :example: 

841 

842 .. code-block:: yaml 

843 

844 policies: 

845 - name: cloudwatch-set-log-group-retention 

846 resource: log-group 

847 actions: 

848 - type: retention 

849 days: 200 

850 """ 

851 

852 schema = type_schema('retention', days={'type': 'integer'}) 

853 permissions = ('logs:PutRetentionPolicy',) 

854 

855 def process(self, resources): 

856 client = local_session(self.manager.session_factory).client('logs') 

857 days = self.data['days'] 

858 for r in resources: 

859 self.manager.retry( 

860 client.put_retention_policy, 

861 logGroupName=r['logGroupName'], 

862 retentionInDays=days) 

863 

864 

865@LogGroup.action_registry.register('delete') 

866class Delete(BaseAction): 

867 """ 

868 

869 :example: 

870 

871 .. code-block:: yaml 

872 

873 policies: 

874 - name: cloudwatch-delete-stale-log-group 

875 resource: log-group 

876 filters: 

877 - type: last-write 

878 days: 182.5 

879 actions: 

880 - delete 

881 """ 

882 

883 schema = type_schema('delete')