AWS add vpc-endpoint filter for vpc #5934
Conversation
lgtm!
Looks like we can choose the subnets in a vpc to associate the vpc-endpoint to. For ex - If we have two subnets in a vpc, we can choose to grant one subnet access to the endpoint while blocking the other.
@PratMis Fair point! I had an impression the original intention was to simply check if a VPC endpoint is connected to a VPC. I guess it depends on the implementation need. @anovis do you need to also look at the subnet level? I guess there could be a subtle distinction between
Yeah, makes sense. I can make the same filter for the subnet resource as well.
c7n/resources/vpc.py (outdated)

            'vpc-endpoint',
            rinherit=ValueFilter.schema)

        def get_related_ids(self, resources):
get_related_ids is generally intended to be a lightweight implementation; it gets called frequently, i.e. once per resource, so doing an API call or cache lookup isn't ideal for an implementation.
Yeah, good call out. I had noticed that while writing the subnet tests.
Instead I modified get_related and process_resource, but I'm not sure if that is the best way.
So rather than duplicating the implementation for vpc and subnet, it would be better to have a related base class that addresses the commonality. It's distinct from the extant related base since it's filtering the related resource to determine the related ids instead of using the policy resource to determine the ids. That feels like it has some reuse potential.
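The design suggested above (filter the related vpc-endpoints once, then match vpcs or subnets by id lookup) as an added sketch; this is hypothetical illustration code, not Cloud Custodian's own classes, and the class names, `match` predicate and sample data are all assumptions constructed here:

```python
# Hypothetical sketch, not Cloud Custodian's code: one base class for the
# vpc-endpoint filter on both vpc and subnet. Related resources (endpoints)
# are filtered ONCE per run; per-resource work is only a set lookup.
class RelatedMatchFilter:
    resource_id_key = None            # id key on the policy resource (subclass)

    def __init__(self, match, related):
        self.match = match            # predicate over one related resource
        self.related = related        # related resources, fetched once

    def ids_of(self, related):        # parent ids one related resource points at
        raise NotImplementedError

    def matched_ids(self):
        # Single pass over the related resources -> set of parent ids.
        return {i for r in self.related if self.match(r) for i in self.ids_of(r)}

    def process(self, resources):
        matched = self.matched_ids()  # computed once, not once per resource
        return [r for r in resources if r[self.resource_id_key] in matched]


class VpcEndpointVpcFilter(RelatedMatchFilter):
    resource_id_key = "VpcId"

    def ids_of(self, endpoint):
        return [endpoint["VpcId"]]


class VpcEndpointSubnetFilter(RelatedMatchFilter):
    resource_id_key = "SubnetId"

    def ids_of(self, endpoint):
        return endpoint.get("SubnetIds", [])   # interface endpoints list subnets


# Constructed sample data shaped like describe_vpc_endpoints / describe_vpcs output.
ENDPOINTS = [
    {"VpcId": "vpc-a", "State": "available", "SubnetIds": ["subnet-1"]},
    {"VpcId": "vpc-b", "State": "pending", "SubnetIds": ["subnet-3"]},
]
VPCS = [{"VpcId": "vpc-a"}, {"VpcId": "vpc-b"}, {"VpcId": "vpc-c"}]
SUBNETS = [{"SubnetId": "subnet-1"}, {"SubnetId": "subnet-2"}, {"SubnetId": "subnet-3"}]


def vpcs_with_available_endpoint():
    f = VpcEndpointVpcFilter(lambda e: e["State"] == "available", ENDPOINTS)
    return [v["VpcId"] for v in f.process(VPCS)]


def subnets_with_available_endpoint():
    f = VpcEndpointSubnetFilter(lambda e: e["State"] == "available", ENDPOINTS)
    return [s["SubnetId"] for s in f.process(SUBNETS)]
```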
lgtm, thanks
Adds vpc-endpoint filter for a vpc.
for example
closes #5933