Elasticsearch policy sending DomainName as Dict, expect STR #5916

Closed
theotherothermatt opened this issue Jul 1, 2020 · 2 comments · Fixed by #5920

@theotherothermatt

Describe the bug
Lambdas created using the Elasticsearch policy are passing the DomainName to the AWS API as a dictionary, and the API needs it to be a string. You can find a gist of the full error here: https://gist.github.com/theotherothermatt/199f78ee33c0044dd2365583c9c3f604

Rolled back to version 0.9.1 and problem does not exist. There were commits to elasticsearch.py in both 0.9.2 and 0.9.3, so I think that the problem resides somewhere in those bug fixes.

To Reproduce
With c7n==0.9.3, use policy:

    mode:
        type: cloudtrail
        role: arn:aws:iam::<$account-id>:role/the-correct-role
        events:
         - source: es.amazonaws.com
           event: CreateElasticsearchDomain
           ids: "requestParameters.domainName"
    filters:
      - type: value
        key: "EncryptionAtRestOptions.Enabled"
        value: false
    actions:
        - type: delete

Then create an ES domain that is not encrypted at rest. Error will be in log stream.

Roll back to c7n==0.9.1
Try the above policy again (on a new lambda of course)
Domain will be deleted with no error

Expected behavior
The ES Domain will be deleted

Background (please complete the following information):

  • OS: OSx 10.15.5
  • Python Version: python 3.7.7
  • Custodian Version: 0.9.3
  • Cloud Provider: AWS
  • Policy: [please exclude any account/sensitive information]
    mode:
        type: cloudtrail
        role: arn:aws:iam::<$account-id>:role/the-correct-role
        events:
         - source: es.amazonaws.com
           event: CreateElasticsearchDomain
           ids: "requestParameters.domainName"
    filters:
      - type: value
        key: "EncryptionAtRestOptions.Enabled"
        value: false
    actions:
        - type: delete
  • custodian version --debug output
    Custodian: 0.9.3
    Python: 3.7.7 (default, Mar 10 2020, 15:43:03)
    [Clang 11.0.0 (clang-1100.0.33.17)]
    Platform: posix.uname_result(sysname='Darwin', nodename='', release='19.5.0', version='Darwin Kernel Version 19.5.0: Tue May 26 20:41:44 PDT 2020; root:xnu-6153.121.2~2/RELEASE_X86_64', machine='x86_64')
    Using venv: False
    Docker: False
    Installed:
    argcomplete==1.11.1
    attrs==19.3.0
    boto3==1.13.24
    botocore==1.16.24
    docutils==0.15.2
    importlib-metadata==1.6.1
    jmespath==0.10.0
    jsonschema==3.2.0
    pyrsistent==0.16.0
    python-dateutil==2.8.1
    pyyaml==5.3.1
    s3transfer==0.3.3
    setuptools==46.0.0
    six==1.15.0
    tabulate==0.8.7
    urllib3==1.25.9
    zipp==3.1.0
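
An added example, not part of the original report and not Custodian's own code: it resolves the policy's `ids` path against a constructed CloudTrail event and shows a type guard that catches a dict sent where `DeleteElasticsearchDomain` expects a string `DomainName`. The function names, the sample event and the event layout under `detail` are assumptions; the page does not show where in Custodian the dict originates.

```python
import re

# DomainName constraints from the Elasticsearch Service API model:
# 3-28 characters, lowercase letter first, then a-z, 0-9 or hyphen.
DOMAIN_RE = re.compile(r"^[a-z][a-z0-9\-]{2,27}$")

# Constructed sample: a CloudTrail API-call event as delivered to a Lambda.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "es.amazonaws.com",
        "eventName": "CreateElasticsearchDomain",
        "requestParameters": {
            "domainName": "example-domain",
            "encryptionAtRestOptions": {"enabled": False},
        },
    },
}


def resolve_ids(event, path):
    """Walk a dotted path (the policy's `ids` value) under event['detail']."""
    node = event["detail"]
    for key in path.split("."):
        node = node[key]
    return node if isinstance(node, list) else [node]


def buggy_params(resource):
    """Failure mode from the report: a whole record is sent as DomainName."""
    return {"DomainName": resource}


def delete_params(resource):
    """Build delete kwargs from either a domain name or a resource record."""
    name = resource["DomainName"] if isinstance(resource, dict) else resource
    if not isinstance(name, str):
        raise TypeError(f"DomainName must be str, got {type(name).__name__}")
    if not DOMAIN_RE.match(name):
        raise ValueError(f"invalid DomainName: {name!r}")
    return {"DomainName": name}


if __name__ == "__main__":
    for domain in resolve_ids(SAMPLE_EVENT, "requestParameters.domainName"):
        print(delete_params(domain))
```
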

@kapilt
Collaborator

kapilt commented Jul 1, 2020

I think this was fixed in #5796 (trunk only) but worth confirming

@kapilt
Collaborator

kapilt commented Jul 2, 2020

confirmed issue exhibits on trunk, fix up in #5920
