Describe the bug
Policy -
```yaml
resource: gcp.subnet
mode:
  type: gcp-audit
  methods:
    - v1.compute.subnetworks.insert
    - v1.compute.subnetworks.patch
filters:
  - not:
      - enableFlowLogs: true
actions:
```
When this policy runs the following error occurs -
```text
Invalid value for field 'resource.enableFlowLogs': 'true'. If enable flow logging and enable in LogConfig are both set, they must also match.
```
Midway on this page this issue is discussed -
https://gitter.im/cloud-custodian/cloud-custodian?at=5e278ba4b674071d4ed2b285
The only way we could get this to work was with this update to the SetFlowLog member function get_resource_params -
From:
```python
def get_resource_params(self, m, r):
    params = super(SetFlowLog, self).get_resource_params(m, r)
    # copies the whole subnet resource (including logConfig) into the patch body
    params['body'] = dict(r)
    params['body']['enableFlowLogs'] = self.data.get('state', True)
    return params
```
To:
```python
def get_resource_params(self, m, r):
    params = super(SetFlowLog, self).get_resource_params(m, r)
    # send only the fingerprint and the field being changed, not the whole resource
    return {
        'project': params['project'],
        'region': params['region'],
        'subnetwork': params['subnetwork'],
        'body': {'fingerprint': r['fingerprint'], 'enableFlowLogs': self.data.get('state', True)},
    }
```
With this the policy runs and the flow log is enabled for the specified subnet.
What did you expect to happen?
Specifying the set-flow-log action for the gcp.subnet resource results in the subnet it is executed against having flow logs enabled.
Cloud Provider
Google Cloud (GCP)
Cloud Custodian version and dependency information
$ custodian version --debug
Please copy/paste the following info along with any bug reports:
Custodian: 0.9.13
Python: 3.9.6 (tags/v3.9.6:db3ff76, Jun 28 2021, 15:26:21) [MSC v.1929 64 bit (AMD64)]
Platform: win32
Using venv: False
Docker: False
Installed:
argcomplete==1.12.3
attrs==21.2.0
boto3==1.17.102
botocore==1.20.102
c7n==0.9.13
cachetools==4.2.2
certifi==2021.5.30
cffi==1.14.5
chardet==4.0.0
google-api-core==1.30.0
google-api-python-client==1.12.8
google-auth==1.32.0
google-auth-httplib2==0.1.0
google-cloud-core==1.7.1
google-cloud-logging==1.15.1
google-cloud-monitoring==0.34.0
google-cloud-storage==1.40.0
google-crc32c==1.1.2
google-resumable-media==1.3.1
googleapis-common-protos==1.53.0
grpcio==1.38.1
httplib2==0.19.1
idna==2.10
importlib-metadata==4.6.0
jmespath==0.10.0
jsonschema==3.2.0
packaging==20.9
protobuf==3.17.3
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.20
pyparsing==2.4.7
pyrsistent==0.18.0
python-dateutil==2.8.1
pytz==2021.1
pyyaml==5.4.1
ratelimiter==1.2.0.post0
requests==2.25.1
retrying==1.3.3
rsa==4.7.2
s3transfer==0.4.2
setuptools==56.0.0
six==1.16.0
tabulate==0.8.9
typing-extensions==3.10.0.0
uritemplate==3.0.1
urllib3==1.26.6
zipp==3.4.1
Policy
```yaml
policies:
  - name: vpc-flow-logs-enabled-audit
    description: |
      guardrail_description: Detects vpc subnets that do not have flow logs enabled
      filters: Trigger on vpc subnet creation and vpc subnet update
      actions: None
      guardrail_type: Detective
    resource: gcp.subnet
    mode:
      type: gcp-audit
      methods:
        - v1.compute.subnetworks.insert
        - v1.compute.subnetworks.patch
    filters:
      - not:
          - enableFlowLogs: true
    actions:
      - set-flow-log
```
Relevant log/traceback output
```text
Invalid value for field 'resource.enableFlowLogs': 'true'. If enable flow logging and enable in LogConfig are both set, they must also match.
```
Extra information or context
No response
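Added example, not part of the issue or of Cloud Custodian's code: it models the consistency rule quoted in the error message to show why a patch body built from a copy of the whole subnet resource (which still carries `logConfig.enable: false`) is rejected, while the minimal fingerprint-plus-`enableFlowLogs` body from the "To:" version is accepted. The `SUBNET` dict and the `validate_patch` rule are constructed for illustration; the real check is performed server-side by the Compute API.

```python
# Added example (not Cloud Custodian's code): models why the original
# set-flow-log body is rejected and why the minimal patch body is accepted.
# The subnetwork dict below is constructed sample data; the consistency rule
# is the one quoted in the error message, not a reimplementation of the API.

# Constructed sample: a subnet whose flow logs are off. GCP returns both the
# legacy 'enableFlowLogs' field and the newer 'logConfig' block.
SUBNET = {
    "name": "example-subnet",
    "fingerprint": "abc123==",        # constructed placeholder
    "ipCidrRange": "10.0.0.0/24",
    "enableFlowLogs": False,
    "logConfig": {"enable": False, "aggregationInterval": "INTERVAL_5_SEC"},
}

def original_body(resource, state=True):
    """Body built the way the issue's 'From:' code does: copy the whole
    resource and flip enableFlowLogs. logConfig.enable stays False."""
    body = dict(resource)
    body["enableFlowLogs"] = state
    return body

def minimal_body(resource, state=True):
    """Body built the way the issue's 'To:' code does: fingerprint (for
    optimistic concurrency) plus the single field being changed."""
    return {"fingerprint": resource["fingerprint"], "enableFlowLogs": state}

def consistent_body(resource, state=True):
    """Alternative the error message implies: set both fields and keep them equal."""
    return {"fingerprint": resource["fingerprint"],
            "enableFlowLogs": state,
            "logConfig": {"enable": state}}

def validate_patch(body):
    """Mimic the rule from the API error: if both enableFlowLogs and
    logConfig.enable are present, they must match. Returns (ok, message)."""
    flow = body.get("enableFlowLogs")
    log_cfg = body.get("logConfig") or {}
    log_enable = log_cfg.get("enable")
    if flow is not None and log_enable is not None and flow != log_enable:
        return False, ("Invalid value for field 'resource.enableFlowLogs': "
                       f"'{str(flow).lower()}'. If enable flow logging and "
                       "enable in LogConfig are both set, they must also match.")
    return True, "ok"
```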