We are in the early stages of our cloud-custodian deployment. The one problem I'm having currently is configuring dead letter queues on our custodian lambdas. When running c7n-org run, it seems like the account_id and region values are not being interpolated in for the dlq TargetArn property.
I was expecting the region and account_id to be populated as c7n-org iterates the accounts, however it does not seem to work like that:
c7n-org run --config /app/awsconfig.yaml --use /app/testpolicy.yaml --output-dir /app/output/custodian_logs
2018-07-18 20:38:16,502: c7n_org:ERROR Exception running policy:ec2_required_tags account:TestAccount region:us-east-1 error:An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: Invalid dead letter queue ARN: The resource specified by the TargetArn must be in the same region as the Lambda function it's associated with.
2018-07-18 20:38:16,519: c7n_org:INFO Policy resource counts Counter()
If I hardcode the region (so TargetArn becomes arn:aws:sns:us-east-1:{account_id}:c7n-lambda-dlq), it still doesn't seem to fill in the account id:
Right now the variable interpolation is attribute-specific (i.e. why it works for role but not dead letter); there's a PR #2418 that applies it wholesale across policy usage, which would also resolve this.
I guess for now I'll write a small python script to utilize with c7n-org's run-script functionality to configure the dead letter queues after the fact.
If I hardcode the region (so TargetArn becomes arn:aws:sns:us-east-1:{account_id}:c7n-lambda-dlq), it still doesn't seem to fill in the account id:

However, it works fine for substituting e.g. the role.
I would greatly appreciate any hints on what I am doing wrong here!
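
One way to write the workaround mentioned in the thread (attaching the dead letter queue after the fact), as an added example that is not from the issue or the cloud-custodian project. It assumes boto3, that credentials and region for the account being processed are already in the environment, and that functions use the `custodian-` name prefix; `dlq_arn`, `ensure_dlq` and the `DRY_RUN` variable are hypothetical names.

```python
"""Attach a region-matched SNS dead letter queue to Custodian Lambdas."""
import os

FUNCTION_PREFIX = "custodian-"  # assumption: Custodian's function name prefix
TOPIC_NAME = "c7n-lambda-dlq"   # topic name used in the issue


def dlq_arn(region, account_id, topic=TOPIC_NAME):
    """Build the SNS ARN in the function's own region, as Lambda requires."""
    return f"arn:aws:sns:{region}:{account_id}:{topic}"


def ensure_dlq(lambda_client, region, account_id, dry_run=False):
    """Set DeadLetterConfig on Custodian functions that lack the expected target.

    Returns the names of the functions that were (or would be) updated.
    """
    target = dlq_arn(region, account_id)
    changed = []
    for page in lambda_client.get_paginator("list_functions").paginate():
        for fn in page.get("Functions", []):
            name = fn["FunctionName"]
            if not name.startswith(FUNCTION_PREFIX):
                continue
            current = fn.get("DeadLetterConfig", {}).get("TargetArn")
            if current == target:
                continue  # already correct, so reruns are harmless
            if not dry_run:
                lambda_client.update_function_configuration(
                    FunctionName=name, DeadLetterConfig={"TargetArn": target})
            changed.append(name)
    return changed


def main():
    import boto3  # imported here so the helpers above load without boto3
    session = boto3.Session()
    region = session.region_name or os.environ["AWS_DEFAULT_REGION"]
    account_id = session.client("sts").get_caller_identity()["Account"]
    updated = ensure_dlq(session.client("lambda", region_name=region),
                         region, account_id,
                         dry_run=os.environ.get("DRY_RUN") == "1")
    print(f"{account_id} {region}: updated {updated}")


if __name__ == "__main__":
    main()
```

The execution role of each function needs `sns:Publish` on the topic, otherwise Lambda rejects the configuration update.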