Describe the bug
When searching for non-compliant VPC flow logs I get an exception when looking for a specific LogDestination (bucket name) if the policy hits a resource that has only type cloud-watch, because there is NO LogDestination in cloud-watch, just a group name. (I hope I'm saying that right.)
What did you expect to happen?
When Custodian hits a flow log that has no specific type and destination, it should record it as a NON-Compliant resource.
Cloud Provider
Amazon Web Services (AWS)
Cloud Custodian version and dependency information
20:12 $ custodian version --debug
Please copy/paste the following info along with any bug reports:
Custodian: 0.9.17
Python: 3.9.8 (main, Nov 8 2021, 00:00:00)
[GCC 11.2.1 20210728 (Red Hat 11.2.1-2)]
Platform: posix.uname_result(sysname='Linux', nodename='910695a23d3b', release='4.14.231-173.361.amzn2.aarch64', version='#1 SMP Mon Apr 26 20:57:10 UTC 2021', machine='aarch64')
Using venv: False
Docker: True
Installed:
argcomplete==2.0.0
attrs==21.4.0
boto3==1.24.10
botocore==1.27.10
docutils==0.17.1
importlib-metadata==4.11.4
importlib-resources==5.7.1
jmespath==1.0.0
jsonschema==4.6.0
pyrsistent==0.18.1
python-dateutil==2.8.2
pyyaml==6.0
s3transfer==0.6.0
six==1.16.0
tabulate==0.8.9
typing-extensions==4.2.0
urllib3==1.26.9
zipp==3.8.0
Relevant log/traceback output
#NODEBUGRUN:
2022-08-11 20:23:10,418: c7n_org:ERROR Exception running policy:flow-logs-not-compliant account:BLAH Production region:us-east-1 error:'LogDestination'
#DEBUGRUN:
2022-08-11 20:15:11,477: c7n_org:ERROR Exception running policy:flow-logs-not-compliant account:BLAH Production region:us-east-1 error:'LogDestination'
Traceback (most recent call last):
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n_org/cli.py", line 609, in run_account
resources = p.run()
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/policy.py", line 1236, in __call__
resources = PullMode(self).run()
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/policy.py", line 290, in run
resources = self.policy.resource_manager.resources()
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/query.py", line 532, in resources
resources = self.filter_resources(resources)
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/manager.py", line 111, in filter_resources
resources = f.process(resources, event)
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/filters/core.py", line 337, in process
return self.process_set(resources, event)
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/filters/core.py", line 353, in process_set
r[rtype_id] for r in f.process(resources, event)])
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/filters/core.py", line 378, in process
return self.process_set(resources, event)
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/filters/core.py", line 397, in process_set
resources = f.process(resources, event)
File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/resources/vpc.py", line 139, in process
fl['LogDestination'], destination)
KeyError: 'LogDestination'
> /home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/resources/vpc.py(139)process()
-> fl['LogDestination'], destination)
Extra information or context
I fixed it in my world with this - if I could do a PR I would. I'm sure there is a better way to fix this too.
--- /home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/resources/vpc.py 2022-08-11 20:20:19.564963795 +0000
+++ /home/cloudcustodian/vpc.py 2022-08-11 20:21:40.694324344 +0000
@@ -134,8 +134,11 @@
for fl in flogs:
dest_type_match = (destination_type is None) or op(
fl['LogDestinationType'], destination_type)
- dest_match = (destination is None) or op(
- fl['LogDestination'], destination)
+ if fl['LogDestinationType'] == "s3":
+ dest_match = (destination is None) or op(
+ fl['LogDestination'], destination)
+ else:
+ dest_match = (destination is None)
status_match = (status is None) or op(fl['FlowLogStatus'], status.upper())
delivery_status_match = (delivery_status is None) or op(
fl['DeliverLogsStatus'], delivery_status.upper())
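Review bot: the new branch at `if fl['LogDestinationType'] == "s3":` keys the fix on the destination type, but the schema touched in the second hunk lists `'one-of': ['LogGroupName', 'LogDestination']` for `cloud-watch-logs`, so a CloudWatch Logs flow log may itself carry `LogDestination`; a policy that names a log-group ARN as `destination` would then fall into the `else` branch and never match. Test for the key rather than the type, e.g. `dest_match = (destination is None) or ('LogDestination' in fl and op(fl['LogDestination'], destination))`, which keeps the intended outcome (a record with no `LogDestination` fails a destination criterion instead of raising `KeyError`) for every destination type. A regression test with a flow log that has only `LogGroupName` would be worth adding alongside.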
@@ -2456,7 +2459,7 @@
},
'cloud-watch-logs': {
'required': ['DeliverLogsPermissionArn'],
- 'one-of': ['LogGroupName', 'LogDestination'],
+ 'one-of': ['LogGroupName', 'LogDestination']
}
}
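Review bot: this hunk only drops the trailing comma after `'LogDestination']`, which is a no-op inside a Python list literal and departs from the trailing-comma style the neighbouring entries use (the preceding entry closes with `},`); it should be left out of the patch. The schema entry itself, with `LogGroupName` as an alternative to `LogDestination` for `cloud-watch-logs`, is the documentation for why the filter in the first hunk must tolerate a missing `LogDestination` key.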
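As an added illustration (not Cloud Custodian's own code and not the reporter's patch), here is the matching logic the diff touches, rewritten stand-alone over constructed sample records so the CloudWatch-by-group-name case can be exercised without AWS access. It assumes the record fields visible in the diff and traceback (LogDestinationType, LogDestination, LogGroupName, FlowLogStatus, DeliverLogsStatus) and a plain equality `op`; the VPC ids, ARNs and the `non_compliant_vpcs` helper are made up for the example.

```python
import operator

# Constructed sample data (not real AWS output). Each VPC carries the flow logs
# attached to it; field names follow those the filter in the diff reads.
SAMPLE_VPCS = {
    "vpc-s3-central": [
        {"FlowLogId": "fl-1", "LogDestinationType": "s3",
         "LogDestination": "arn:aws:s3:::central-flow-logs",
         "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS"},
    ],
    "vpc-s3-other": [
        {"FlowLogId": "fl-2", "LogDestinationType": "s3",
         "LogDestination": "arn:aws:s3:::unapproved-bucket",
         "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS"},
    ],
    # CloudWatch Logs flow log created by group name: no LogDestination key at all.
    "vpc-cloudwatch": [
        {"FlowLogId": "fl-3", "LogDestinationType": "cloud-watch-logs",
         "LogGroupName": "/vpc/flow",
         "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS"},
    ],
    "vpc-no-logs": [],
}


def flow_log_matches(fl, destination_type=None, destination=None,
                     status=None, delivery_status=None, op=operator.eq):
    """True when one flow-log record satisfies every criterion that was given."""
    dest_type_match = destination_type is None or op(fl["LogDestinationType"], destination_type)
    if destination is None:
        dest_match = True
    elif "LogDestination" in fl:
        dest_match = op(fl["LogDestination"], destination)
    else:
        # Keyed-by-name CloudWatch Logs destination: it cannot equal the required
        # bucket, so it fails the criterion instead of raising KeyError.
        dest_match = False
    status_match = status is None or op(fl["FlowLogStatus"], status.upper())
    delivery_match = delivery_status is None or op(fl["DeliverLogsStatus"], delivery_status.upper())
    return dest_type_match and dest_match and status_match and delivery_match


def non_compliant_vpcs(vpcs, **criteria):
    """IDs of VPCs with no flow log meeting the criteria (sorted for stable output)."""
    return sorted(vpc_id for vpc_id, flogs in vpcs.items()
                  if not any(flow_log_matches(fl, **criteria) for fl in flogs))


if __name__ == "__main__":
    # The reporter's scenario: require delivery to one approved bucket.
    print(non_compliant_vpcs(SAMPLE_VPCS, destination="arn:aws:s3:::central-flow-logs",
                             status="active", delivery_status="success"))
```

Running the block lists `vpc-cloudwatch`, `vpc-no-logs` and `vpc-s3-other` as non-compliant: the CloudWatch flow log is reported rather than crashing the policy, which is the behaviour the report asks for, and the same code path still works when a `cloud-watch-logs` record does carry a `LogDestination`.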