DisassociateAddress action in VPC #4202

Open
davidkshepherd opened this issue Jun 19, 2019 · 2 comments

@davidkshepherd

It would be very helpful if custodian could disassociate an ElasticIP address from a specific resource. This would help as a solution to a user mistakenly attaching an Elastic IP to a resource (like EC2) that should not be exposed. This would allow simple recovery from the disassociation if necessary. The majority of the code is already there as part of the VPC release action.

@kapilt
Collaborator

kapilt commented Jun 19, 2019

There's a force option on release network-addr which will disassociate it as well. What's the use case for having it around if it's not in use?

@davidkshepherd
Author

Thanks Kapil, I looked at the disassociate associated with the force option. I'd like to disassociate WITHOUT the deletion.
Use Case: Policy requires that EC2 instances DO NOT have associated Elastic IP, unless there is an approved exception. Exception is identified based on tagging on instance. Extant EC2 instance is tagged with appropriate identifier. DNS record created to associate Elastic IP with DNS Name. All is good.
User creates new EC2 instance to replace extant EC2 instance with approved exception. User neglects to tag appropriately. User moves Elastic IP from old EC2 to new EC2. Policy filters in new EC2, Elastic IP is forcefully deleted. Recovery requires recreation of Elastic IP AND DNS update for new IP address. DNS TTL impacts restoration beyond SLA.
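
The remediation requested in this thread, sketched as an added example (not part of the thread and not Cloud Custodian code): Elastic IPs are detached from instances that lack an exception tag, and the allocation is never released, so the public IP and its DNS record stay valid. The tag key `eip-exception`, the `FakeEC2` stub and all sample IDs are constructed assumptions; the three client methods mirror the boto3 EC2 client calls of the same names.

```python
EXCEPTION_TAG = "eip-exception"  # hypothetical tag key for an approved exception

def instance_tags(ec2, instance_ids):
    """Map instance id -> {tag key: value} via DescribeInstances."""
    if not instance_ids:
        return {}
    resp = ec2.describe_instances(InstanceIds=sorted(instance_ids))
    return {inst["InstanceId"]: {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            for res in resp["Reservations"] for inst in res["Instances"]}

def disassociate_unapproved(ec2, dry_run=False):
    """Detach Elastic IPs from instances that lack EXCEPTION_TAG.

    Only DisassociateAddress is called, never ReleaseAddress, so the
    allocation and its public IP survive and can simply be re-associated.
    """
    addresses = ec2.describe_addresses()["Addresses"]
    attached = [a for a in addresses if a.get("AssociationId") and a.get("InstanceId")]
    tags = instance_tags(ec2, {a["InstanceId"] for a in attached})
    detached = []
    for addr in attached:
        if EXCEPTION_TAG in tags.get(addr["InstanceId"], {}):
            continue  # approved exception: leave the association in place
        if not dry_run:
            ec2.disassociate_address(AssociationId=addr["AssociationId"])
        detached.append((addr["AllocationId"], addr["PublicIp"], addr["InstanceId"]))
    return detached

class FakeEC2:
    """Constructed stand-in for boto3.client("ec2") so this runs offline."""
    def __init__(self):
        self.addresses = [  # constructed sample data
            {"AllocationId": "eipalloc-0aaa", "PublicIp": "203.0.113.10",
             "AssociationId": "eipassoc-0aaa", "InstanceId": "i-0old"},
            {"AllocationId": "eipalloc-0bbb", "PublicIp": "203.0.113.11",
             "AssociationId": "eipassoc-0bbb", "InstanceId": "i-0new"},
            {"AllocationId": "eipalloc-0ccc", "PublicIp": "203.0.113.12"},
        ]
        self.tags = {"i-0old": [{"Key": EXCEPTION_TAG, "Value": "approved"}], "i-0new": []}
    def describe_addresses(self):
        return {"Addresses": [dict(a) for a in self.addresses]}
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, "Tags": self.tags[i]} for i in InstanceIds]}]}
    def disassociate_address(self, AssociationId):
        for a in self.addresses:
            if a.get("AssociationId") == AssociationId:
                del a["AssociationId"], a["InstanceId"]
```

Against a real account, pass `boto3.client("ec2")` in place of `FakeEC2()` and start with `dry_run=True` to review what would be detached.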
