Unable to configure dead letter queue on custodian lambdas with c7n-org #2651

Closed
msull opened this issue Jul 18, 2018 · 3 comments

Comments


msull commented Jul 18, 2018

We are in the early stages of our cloud-custodian deployment. The one problem I'm having currently is configuring dead letter queues on our custodian lambdas. When running c7n-org run, it seems like the account_id and region values are not being interpolated in for the dlq TargetArn property.

example policy:

```yaml
---
policies:
- name: ec2_required_tags
  resource: ec2
  filters:
  - 'tag:required_tags_compliance': absent
  - or:
    - 'tag:cost_center': absent
    - 'tag:environment': absent
    - 'tag:owner': absent
  actions:
  - key: required_tags_compliance
    type: tag
    value: non-compliant

  mode:
    dead_letter_config:
      TargetArn: arn:aws:sns:{region}:{account_id}:c7n-lambda-dlq
    execution-options:
      log_group: /cloud-custodian/
    role: arn:aws:iam::{account_id}:role/c7n_worker
    schedule: rate(30 minutes)
    timeout: 300
    type: periodic
```

I was expecting the region and account_id to be populated as c7n-org iterates the accounts, however it does not seem to work like that:

```text
c7n-org run --config /app/awsconfig.yaml --use /app/testpolicy.yaml  --output-dir /app/output/custodian_logs
2018-07-18 20:38:16,502: c7n_org:ERROR Exception running policy:ec2_required_tags account:TestAccount region:us-east-1 error:An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: Invalid dead letter queue ARN: The resource specified by the TargetArn must be in the same region as the Lambda function it's associated with.
2018-07-18 20:38:16,519: c7n_org:INFO Policy resource counts Counter()
```

If I hardcode the region (so TargetArn becomes arn:aws:sns:us-east-1:{account_id}:c7n-lambda-dlq), it still doesn't seem to fill in the account id:

```text
c7n-org run --config /app/awsconfig-primary.yaml --use /app/testpolicy.yaml  --output-dir /app/output/custodian_logs
2018-07-18 20:41:02,132: c7n_org:ERROR Exception running policy:ec2_required_tags account:TestAccount region:us-east-1 error:An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: Error occurred while Publish. SNS Error Code: InvalidParameter. SNS Error Message: Invalid parameter: TopicArn Reason: Invalid namespace: {account_id}
```

However, it works fine for substituting e.g. the role.

I would greatly appreciate any hints on what I am doing wrong here!

kapilt (Collaborator) commented Jul 28, 2018

Right now the variable interpolation is attribute specific (i.e. why it works for role but not dead letter); there's a PR #2418 that applies it wholesale across policy usage, which would also resolve this.

msull (Author) commented Jul 30, 2018

Thanks @kapilt.

I guess for now I'll write a small python script to utilize with c7n-org's run-script functionality to configure the dead letter queues after the fact.

kapilt (Collaborator) commented Nov 21, 2019

this is resolved now, variable interpolation is performed across all parts of a policy.

@kapilt kapilt closed this as completed Nov 21, 2019
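The behaviour this thread ends on, `{account_id}` and `{region}` rendered into every string of the policy rather than only `role`, is easy to reproduce outside the tool, and doing so also gives a place to catch the two failures msull hit before `CreateFunction` is ever called. The block below is an added example and is not cloud-custodian's or c7n-org's own code. The function names (`render`, `lambda_dlq_checks`, `render_for_accounts`), the account id 123456789012, the region list, and the choice to raise on an unbound placeholder are assumptions; the policy is the one posted in the issue, written as a Python dict.

```python
"""Render {account_id}/{region} placeholders across a whole policy document.

Added example, not cloud-custodian or c7n-org code. It mimics what the thread
describes (interpolation applied to every string in the policy, not just the
role attribute) and adds two pre-deployment checks that correspond to the two
errors in the issue. Sample policy, account and regions are constructed.
"""
import re

PLACEHOLDER = re.compile(r"\{(\w+)\}")

# Constructed copy of the policy from the issue.
POLICY = {
    "name": "ec2_required_tags",
    "resource": "ec2",
    "filters": [
        {"tag:required_tags_compliance": "absent"},
        {"or": [{"tag:cost_center": "absent"},
                {"tag:environment": "absent"},
                {"tag:owner": "absent"}]},
    ],
    "actions": [{"type": "tag", "key": "required_tags_compliance",
                 "value": "non-compliant"}],
    "mode": {
        "type": "periodic",
        "schedule": "rate(30 minutes)",
        "timeout": 300,
        "role": "arn:aws:iam::{account_id}:role/c7n_worker",
        "execution-options": {"log_group": "/cloud-custodian/"},
        "dead_letter_config": {
            "TargetArn": "arn:aws:sns:{region}:{account_id}:c7n-lambda-dlq"},
    },
}
ACCOUNTS = [{"name": "TestAccount", "account_id": "123456789012"}]  # constructed
REGIONS = ["us-east-1", "us-west-2"]                                 # constructed


def render(value, variables):
    """Recursively substitute {name} in every string leaf (dict values, list items).

    An unbound name raises KeyError instead of being left in place: a literal
    '{account_id}' in an ARN is exactly what produced the SNS 'Invalid
    namespace' error in the issue, and it is better caught here.
    """
    if isinstance(value, str):
        def sub(m):
            name = m.group(1)
            if name not in variables:
                raise KeyError("unbound policy variable {%s}" % name)
            return str(variables[name])
        return PLACEHOLDER.sub(sub, value)
    if isinstance(value, dict):
        return {k: render(v, variables) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v, variables) for v in value]
    return value


def _strings(value, path="policy"):
    """Yield (path, string) for every string leaf in a nested policy."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _strings(v, "%s.%s" % (path, k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _strings(v, "%s[%d]" % (path, i))


def lambda_dlq_checks(policy, region):
    """Return a list of problems that would make Lambda reject this policy's mode.

    Check 1: the DLQ ARN's region field must equal the function's region
    (first error in the issue).  Check 2: no '{...}' placeholder may survive
    anywhere in the policy (second error in the issue).
    """
    problems = []
    arn = policy.get("mode", {}).get("dead_letter_config", {}).get("TargetArn")
    if arn:
        parts = arn.split(":")  # arn:partition:service:region:account-id:resource
        if len(parts) < 6:
            problems.append("malformed DLQ ARN: %s" % arn)
        elif parts[3] != region:
            problems.append("DLQ ARN region %s != function region %s"
                            % (parts[3], region))
    for path, s in _strings(policy):
        if PLACEHOLDER.search(s):
            problems.append("unrendered placeholder at %s: %s" % (path, s))
    return problems


def render_for_accounts(policy, accounts, regions):
    """Render one policy copy per (account, region), as c7n-org iterates them.

    Returns {(account_name, region): rendered_policy}.  Any copy failing the
    checks raises ValueError so nothing half-rendered reaches CreateFunction.
    """
    out = {}
    for acct in accounts:
        for region in regions:
            rendered = render(policy, {"account_id": acct["account_id"],
                                       "region": region})
            problems = lambda_dlq_checks(rendered, region)
            if problems:
                raise ValueError("%s/%s: %s" % (acct["name"], region,
                                                "; ".join(problems)))
            out[(acct["name"], region)] = rendered
    return out


if __name__ == "__main__":
    print("unrendered policy:", lambda_dlq_checks(POLICY, "us-east-1"))
    for key, pol in render_for_accounts(POLICY, ACCOUNTS, REGIONS).items():
        print(key, pol["mode"]["dead_letter_config"]["TargetArn"])
```

Running the unrendered policy through `lambda_dlq_checks` reports both the region mismatch (`{region}` is not `us-east-1`) and the leftover placeholders in `role` and `TargetArn`; after `render_for_accounts` each copy carries the concrete region and account id and passes clean. Keys are deliberately not rendered, only values, so a filter key such as `tag:owner` is never touched.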