Note: This is a lower-level, open-source / policy-level response to this announcement.
Cloud Custodian allows folks to write policies that help manage cloud resources. c7n-left provides a way to apply Cloud Custodian's policy structure to infrastructure as code (IaC) resource definitions.
Tagging is just one helpful use case here. Consider an organization that expects to use tags to track resource owners. They might use Cloud Custodian to catch and fix untagged resources at creation time with a policy like this:
```yaml
- name: ec2-auto-tag-owner
  resource: "aws.ec2"
  description: |
    If an EC2 instance doesn't define an Owner tag, add one based
    on information in the CloudTrail event.
  mode:
    type: cloudtrail
    role: custodian-auto-tagger
    events:
      - RunInstances
  filters:
    - tag:Owner: absent
  actions:
    - type: auto-tag-user
      tag: Owner
```
And that's a great step! It does come with some challenges though. For example:
- If resources are created through a CI/CD pipeline, the identity in the CloudTrail event is the pipeline's, so the owner information may not be useful.
- If resources are defined in Terraform templates, "fixing" them may create configuration drift.
A c7n-left policy like this tries to catch those misconfigurations before they exist in live resources:
```yaml
- name: tf-check-tags
  description: |
    All resources must define an Owner tag.
  resource: "terraform.aws_*"
  filters:
    - tags: absent
```
And as a nice bonus, it can target multiple Terraform resources in a single policy.
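As an added example (not c7n-left's own engine), the following stdlib-only Python script reimplements the core of what that policy does: it matches Terraform resources against a `terraform.aws_*` style glob and applies the value-filter shorthands used on this page, `tags: absent` and `tag:Owner: absent`. It assumes Terraform's JSON syntax (`*.tf.json`) as input and a constructed sample; the second run shows that `tags: absent` catches only resources with no tags block at all, while `tag:Owner: absent` also catches tagged resources that lack the Owner key.

```python
import fnmatch
import json

# Constructed sample in Terraform JSON syntax (*.tf.json): one fully tagged
# instance, one with tags but no Owner, one bucket with no tags block at all.
SAMPLE_TF_JSON = json.dumps({"resource": {
    "aws_instance": {
        "web": {"ami": "ami-123", "tags": {"Owner": "alice", "Env": "prod"}},
        "worker": {"ami": "ami-123", "tags": {"Env": "prod"}}},
    "aws_s3_bucket": {"logs": {"bucket": "example-logs"}}}})

# Same shape as the page's tf-check-tags policy, as a dict instead of YAML.
POLICY = {"name": "tf-check-tags", "resource": "terraform.aws_*",
          "filters": [{"tags": "absent"}]}

def load_resources(tf_json_text):
    """Flatten {"resource": {type: {name: body}}} into (address, body) pairs."""
    doc = json.loads(tf_json_text)
    return [(f"{rtype}.{rname}", body)
            for rtype, blocks in doc.get("resource", {}).items()
            for rname, body in blocks.items()]

def lookup(body, key):
    """Resolve a filter key: 'tag:Owner' reads one tag, anything else an attribute."""
    if key.startswith("tag:"):
        return body.get("tags", {}).get(key[4:])
    return body.get(key)

def matches(body, filt):
    """Value-filter shorthand {key: absent | present | literal}."""
    (key, expected), = filt.items()
    actual = lookup(body, key)
    if expected == "absent":
        return actual is None
    if expected == "present":
        return actual is not None
    return actual == expected

def run_policy(policy, tf_json_text):
    """Addresses of resources whose type matches the glob and pass every filter."""
    pattern = policy["resource"].split(".", 1)[1]  # drop the 'terraform.' prefix
    return [addr for addr, body in load_resources(tf_json_text)
            if fnmatch.fnmatch(addr.split(".")[0], pattern)
            and all(matches(body, f) for f in policy["filters"])]

if __name__ == "__main__":
    # 'tags: absent' only catches the bucket; 'tag:Owner: absent' also catches
    # the worker instance, which is what the policy description actually asks for.
    print(run_policy(POLICY, SAMPLE_TF_JSON))
    print(run_policy(dict(POLICY, filters=[{"tag:Owner": "absent"}]), SAMPLE_TF_JSON))
```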