The Azure Container Host is an alternate execution mode for the Cloud Custodian Azure provider. It is run with the official Custodian Docker image. See the :ref:`ACI <azure_configuration_acitutorial>` and :ref:`Kubernetes <azure_configuration_helmtutorial>` deployment tutorials to get started running the Azure Container Host.

The Azure Container Host periodically scans Azure Blob Storage for a set of Custodian policies and executes them, in either periodic or event-based mode, against a target subscription. For periodic policies, the container host executes the policy on the cron schedule that is provided. For event-based policies, the container host maintains an Azure Storage queue that subscribes to events in the target Azure subscription.

Once the Azure Container Host is deployed, any policies uploaded to the blob container are automatically loaded and run against the target Azure subscription. This makes it easy to manage and run a large number of policies.
The container host only runs policies that specify one of the following two modes. Any other policy (for example a ``pull`` mode policy, or one with no ``mode`` at all) is ignored.

Periodic policies must specify a mode with type ``container-periodic`` and a cron ``schedule``. The schedule determines when the policy runs: for example, once every hour, at midnight on every weekday, or once a month.
.. code-block:: yaml

    policies:
      - name: run-every-day-at-midnight
        resource: azure.resourcegroup
        mode:
          type: container-periodic
          schedule: '0 0 * * *'
.. c7n-schema:: mode.container-periodic
Event-based policies must specify a mode with type ``container-event`` and a set of ``events`` that trigger execution, for example the write event emitted when a new resource group is created.
.. code-block:: yaml

    policies:
      - name: run-on-new-resource-group
        resource: azure.resourcegroup
        mode:
          type: container-event
          events:
            - resourceProvider: Microsoft.Resources/subscriptions/resourceGroups
              event: write
.. c7n-schema:: mode.container-event
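Because the container host silently skips every policy that is not in one of the two modes above, it is worth checking a policy file before uploading it to blob storage. The following Python preflight check is an added example (it is not part of Cloud Custodian's code base or of this page's original content): it reports which policies in a parsed policy document the container host would run and which it would skip, and why. The cron check (five whitespace-separated fields made of digits, ``*``, ``,``, ``-`` and ``/``) is a plausibility check of this example's own, not Custodian's schema validation, and ``SAMPLE_DOC`` is a constructed document; a real run would load the file with ``yaml.safe_load``.

```python
"""Preflight check for policies destined for the Azure Container Host.

Added example, not Cloud Custodian's own code: the container host only runs
policies whose mode.type is container-periodic or container-event, so this
reports which policies in a parsed policy document would be skipped and why.
"""
import re

CONTAINER_MODES = ("container-periodic", "container-event")

# Assumption (this example's own check, not Custodian's schema): a standard
# 5-field cron expression (min hour dom month dow) built from digits, '*', ',', '-', '/'.
_CRON_FIELD = re.compile(r"^[\d*,/-]+$")


def check_cron(schedule):
    """Return None if schedule looks like a 5-field cron line, else the problem."""
    if not isinstance(schedule, str):
        return "schedule must be a string"
    fields = schedule.split()
    if len(fields) != 5:
        return f"schedule needs 5 cron fields, got {len(fields)}"
    bad = [f for f in fields if not _CRON_FIELD.match(f)]
    if bad:
        return f"invalid cron field(s): {', '.join(bad)}"
    return None


def check_events(events):
    """Return None if events is a non-empty list of {resourceProvider, event} maps."""
    if not isinstance(events, list) or not events:
        return "events must be a non-empty list"
    for i, ev in enumerate(events):
        if not isinstance(ev, dict):
            return f"events[{i}] must be a mapping"
        if not ev.get("resourceProvider") or not ev.get("event"):
            return f"events[{i}] needs both resourceProvider and event"
    return None


def check_policy(policy):
    """Return None if the container host would run this policy, else why it would not."""
    mode = policy.get("mode") or {}
    mtype = mode.get("type")
    if mtype not in CONTAINER_MODES:
        return f"mode.type {mtype!r} is not one of {CONTAINER_MODES}; the container host ignores it"
    if mtype == "container-periodic":
        return check_cron(mode.get("schedule"))
    return check_events(mode.get("events"))


def partition_policies(doc):
    """Split a parsed policy document into (runnable names, {name: reason} for the rest)."""
    runnable, skipped = [], {}
    for policy in doc.get("policies", []):
        name = policy.get("name", "<unnamed>")
        reason = check_policy(policy)
        if reason is None:
            runnable.append(name)
        else:
            skipped[name] = reason
    return runnable, skipped


# Constructed sample document; normally this is yaml.safe_load(open("policies.yml")).
SAMPLE_DOC = {
    "policies": [
        {"name": "run-every-day-at-midnight", "resource": "azure.resourcegroup",
         "mode": {"type": "container-periodic", "schedule": "0 0 * * *"}},
        {"name": "run-on-new-resource-group", "resource": "azure.resourcegroup",
         "mode": {"type": "container-event",
                  "events": [{"resourceProvider": "Microsoft.Resources/subscriptions/resourceGroups",
                              "event": "write"}]}},
        {"name": "pull-mode-policy", "resource": "azure.vm"},  # no mode: ignored by the host
        {"name": "bad-schedule", "resource": "azure.vm",
         "mode": {"type": "container-periodic", "schedule": "0 0 * *"}},  # only 4 fields
    ]
}

if __name__ == "__main__":
    ok, skipped = partition_policies(SAMPLE_DOC)
    print("will run:", ok)
    for name, why in skipped.items():
        print(f"skipped {name}: {why}")
```

Run it against the document you are about to upload; anything listed under "skipped" would otherwise disappear without an error once the container host picks up the file.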
Configuration for the container host is provided as environment variables. There are several environment variables specific to the container host:
.. list-table::
   :header-rows: 1

   * - Variable Name
     - Required
     - Description
   * - AZURE_CONTAINER_STORAGE
     - required
     - The URL of the Azure blob container to load Custodian policies from.
   * - AZURE_EVENT_QUEUE_RESOURCE_ID
     - required
     - The resource id of the storage account that holds the event queue.
   * - AZURE_EVENT_QUEUE_NAME
     - required
     - The name of the event queue that the container host listens on. If it does not exist, it is created.
   * - AZURE_CONTAINER_LOG_GROUP
     - optional
     - The Application Insights instance to send log output to, in the format ``azure://<instrumentation_key_guid>``.
   * - AZURE_CONTAINER_METRICS
     - optional
     - The Application Insights instance to send metrics to, in the format ``azure://<instrumentation_key_guid>``.
   * - AZURE_CONTAINER_OUTPUT_DIR
     - optional
     - The URL of the storage account blob container to send log output to, in the format ``azure://<storage_account_name>.blob.core.windows.net/<blob_container_name>``.
In addition to the above environment variables, authentication must be provided to the container host. See :ref:`azure_authentication` for authenticating the container host with an Azure identity.

Once an identity has been established, it needs the following roles in Azure:

- ``Reader`` and ``Storage Blob Data Contributor`` on the Storage Account that holds the policy files.
- ``Contributor`` and ``Storage Queue Message Processor`` on the Storage Account that the event queue will live in.
- Any other roles needed by the policies the container host will run. For example, if a policy filters the ``azure.vm`` resource, the ``Reader`` role is required on the VMs in the container host's target subscription.

Grant the identity only the roles its policies actually need: ``Contributor`` on the queue's storage account already allows the host to create the queue, and every extra role widens what a compromised policy or host could do in the target subscription.
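The following Python script is an added example, not Cloud Custodian's own tooling: it validates the environment variables from the table above before the container host is deployed, and derives from them the role assignments listed above, so that a missing or malformed setting is caught before the host starts polling. The formats it expects (an ``https://<account>.blob.core.windows.net/<container>`` URL for the policy store, a ``Microsoft.Storage/storageAccounts`` resource id for the queue, Azure Storage queue naming rules) and the ``SAMPLE_ENV`` values are assumptions made for this example.

```python
"""Preflight check for Azure Container Host configuration.

Added example, not Cloud Custodian's own code. Verifies the container host's
environment variables are present and well-formed, parses the event-queue
storage account resource id, and lists the role assignments the host's
identity needs on the two storage accounts.
"""
import os
import re

REQUIRED = ("AZURE_CONTAINER_STORAGE", "AZURE_EVENT_QUEUE_RESOURCE_ID", "AZURE_EVENT_QUEUE_NAME")

# Assumption: the policy store is given as https://<account>.blob.core.windows.net/<container>.
_BLOB_URL = re.compile(r"^https://([a-z0-9]{3,24})\.blob\.core\.windows\.net/([a-z0-9-]{3,63})/?$")
# AZURE_CONTAINER_OUTPUT_DIR uses the azure:// form documented in the table.
_OUTPUT_URL = re.compile(r"^azure://([a-z0-9]{3,24})\.blob\.core\.windows\.net/([a-z0-9-]{3,63})/?$")
# Application Insights targets: azure://<instrumentation_key_guid>.
_APPINSIGHTS = re.compile(r"^azure://[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Storage account ARM resource id.
_STORAGE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Storage/storageAccounts/(?P<account>[a-z0-9]{3,24})$", re.I)
# Azure queue names: 3-63 chars, lowercase letters, digits, single hyphens, no leading/trailing hyphen.
_QUEUE_NAME = re.compile(r"^[a-z0-9](?:-?[a-z0-9]){2,62}$")


def validate_config(env):
    """Return a list of problems; an empty list means the configuration passes these checks."""
    problems = []
    for var in REQUIRED:
        if not env.get(var):
            problems.append(f"{var} is required but not set")
    store = env.get("AZURE_CONTAINER_STORAGE", "")
    if store and not _BLOB_URL.match(store):
        problems.append("AZURE_CONTAINER_STORAGE must look like https://<account>.blob.core.windows.net/<container>")
    queue_id = env.get("AZURE_EVENT_QUEUE_RESOURCE_ID", "")
    if queue_id and not _STORAGE_ID.match(queue_id):
        problems.append("AZURE_EVENT_QUEUE_RESOURCE_ID must be a Microsoft.Storage/storageAccounts resource id")
    queue_name = env.get("AZURE_EVENT_QUEUE_NAME", "")
    if queue_name and not _QUEUE_NAME.match(queue_name):
        problems.append("AZURE_EVENT_QUEUE_NAME must be 3-63 lowercase letters, digits or single hyphens")
    for var in ("AZURE_CONTAINER_LOG_GROUP", "AZURE_CONTAINER_METRICS"):
        value = env.get(var)
        if value and not _APPINSIGHTS.match(value):
            problems.append(f"{var} must look like azure://<instrumentation_key_guid>")
    output = env.get("AZURE_CONTAINER_OUTPUT_DIR")
    if output and not _OUTPUT_URL.match(output):
        problems.append("AZURE_CONTAINER_OUTPUT_DIR must look like azure://<account>.blob.core.windows.net/<container>")
    return problems


def required_role_assignments(env):
    """Roles the container host identity needs, as (role, scope) pairs derived from the config."""
    plan = []
    m = _BLOB_URL.match(env.get("AZURE_CONTAINER_STORAGE", ""))
    if m:
        # The blob URL carries no subscription or resource group, so the scope is named by account only.
        scope = f"storage account {m.group(1)} (policy store)"
        plan += [("Reader", scope), ("Storage Blob Data Contributor", scope)]
    m = _STORAGE_ID.match(env.get("AZURE_EVENT_QUEUE_RESOURCE_ID", ""))
    if m:
        plan += [("Contributor", m.group(0)), ("Storage Queue Message Processor", m.group(0))]
    return plan


# Constructed sample configuration; the values are placeholders, not real resources.
SAMPLE_ENV = {
    "AZURE_CONTAINER_STORAGE": "https://c7npolicies.blob.core.windows.net/policies",
    "AZURE_EVENT_QUEUE_RESOURCE_ID": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                     "/resourceGroups/c7n-rg/providers/Microsoft.Storage/storageAccounts/c7nevents",
    "AZURE_EVENT_QUEUE_NAME": "custodian-events",
    "AZURE_CONTAINER_LOG_GROUP": "azure://11111111-2222-3333-4444-555555555555",
}

if __name__ == "__main__":
    env = dict(os.environ) if "AZURE_CONTAINER_STORAGE" in os.environ else SAMPLE_ENV
    for problem in validate_config(env):
        print("config problem:", problem)
    for role, scope in required_role_assignments(env):
        print(f"assign {role!r} at {scope}")
```

The role plan only covers the two storage accounts the container host itself touches; roles for the resources your policies act on (the third bullet above) still have to be added per policy.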
The container host can be run locally with ``python -m c7n_azure.container_host.host``. You will need to provide all of the same configuration specified above through either environment variables or CLI options. Run ``python -m c7n_azure.container_host.host --help`` for more information.
For quick deployments, we provide tooling for two methods of deploying the Azure Container Host: :ref:`ACI <azure_configuration_acitutorial>`, and :ref:`Kubernetes with a Helm chart <azure_configuration_helmtutorial>`.