cloud-custodian / cloud-custodian

Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
https://cloudcustodian.io
Apache License 2.0

Trusted Advisor Service Limit Checks #2037

Open cpollard0 opened 6 years ago

cpollard0 commented 6 years ago

I had an issue with the check_id of "eW7HH0l7J9" returning a not_available status. From AWS support, I heard: "while not deprecated, will possibly return stale data. It is recommended that you utilize the current check IDs listed here: https://aws.amazon.com/premiumsupport/ta-iam/#table2"

Should the service limit checks be updated to use the appropriate check ids?

kapilt commented 6 years ago

definitely

kapilt commented 6 years ago

It's also important to note that Trusted Advisor may always return stale data; behind the scenes it's doing periodic updates of its report. The limit check filter in custodian will ask Trusted Advisor to generate a fresh report if the data is too stale (configurable). The breakout of the limits check into a dozen separate checks seems more about getting a finer-grained data API by splitting out the service limits. It looks like they're adding newer service limits (kinesis) via the new checks, so still worthwhile switching.

kapilt commented 5 years ago

also related to this is support for newer services advisor checks #2293

cbm-afettach commented 4 years ago

Hello @kapilt, I have the same issue with the check id. Here is the trace:

```
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/c7n/commands.py", line 283, in run
    policy()
  File "/usr/local/lib/python3.7/site-packages/c7n/policy.py", line 1049, in __call__
    resources = mode.run()
  File "/usr/local/lib/python3.7/site-packages/c7n/policy.py", line 288, in run
    resources = self.policy.resource_manager.resources()
  File "/usr/local/lib/python3.7/site-packages/c7n/resources/account.py", line 86, in resources
    return self.filter_resources([get_account(self.session_factory, self.config)])
  File "/usr/local/lib/python3.7/site-packages/c7n/manager.py", line 108, in filter_resources
    resources = f.process(resources, event)
  File "/usr/local/lib/python3.7/site-packages/c7n/resources/account.py", line 541, in process
    checks = self.get_check_result(client, self.check_id)
  File "/usr/local/lib/python3.7/site-packages/c7n/resources/account.py", line 523, in get_check_result
    checkId=check_id, language='en')['result']
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 276, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 586, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidParameterValueException) when calling the DescribeTrustedAdvisorCheckResult operation: Unknown ID: eW7HH0l7J9
```

I see that the check_id is hard-coded here: https://github.com/cloud-custodian/cloud-custodian/blob/6ddcbfd4a71d56a22c1606bf89aa449808a82741/c7n/resources/account.py#L412. It isn't available in the check ids list here and I'm not sure which title/category it referred to. Tell me if I should create a new thread for the issue. Thanks :)

kapilt commented 4 years ago

Please create a new issue. It looks like they decided to break this one; it's been getting to deprecation status for a while, I think.
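
Added example, not part of the thread and not Cloud Custodian's code: one way to avoid depending on a pinned check ID is to list the current `service_limits` checks from the Support API at run time and request a refresh when a result is older than a threshold. `collect_limit_results`, `FakeSupport`, the `EXAMPLE-*` ids, check names and timestamps are constructed for illustration, and the timestamp format is an assumption.

```python
from datetime import datetime, timedelta, timezone

def service_limit_checks(client):
    """Map check name -> current check id for the service_limits category."""
    checks = client.describe_trusted_advisor_checks(language="en")["checks"]
    return {c["name"]: c["id"] for c in checks if c["category"] == "service_limits"}

def collect_limit_results(client, pinned_id=None, max_age=timedelta(days=1), now=None):
    """Return (results by check name, names whose data was stale, pinned id retired?)."""
    now = now or datetime.now(timezone.utc)
    current = service_limit_checks(client)
    # A pinned id missing from the live list is reported, never sent to the API.
    retired = pinned_id is not None and pinned_id not in current.values()
    results, stale = {}, []
    for name, check_id in current.items():
        result = client.describe_trusted_advisor_check_result(
            checkId=check_id, language="en")["result"]
        # Assumed timestamp format: ISO 8601 in UTC with a trailing "Z".
        ts = datetime.strptime(result["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        if now - ts.replace(tzinfo=timezone.utc) > max_age:
            client.refresh_trusted_advisor_check(checkId=check_id)  # ask for a fresh report
            stale.append(name)
        results[name] = result
    return results, stale, retired

class FakeSupport:
    """Constructed stand-in for boto3.client('support'); ids and data are made up."""
    def __init__(self):
        self.refreshed = []
    def describe_trusted_advisor_checks(self, language):
        return {"checks": [
            {"id": "EXAMPLE-EC2", "name": "EC2 limit (sample)", "category": "service_limits"},
            {"id": "EXAMPLE-KIN", "name": "Kinesis limit (sample)", "category": "service_limits"},
            {"id": "EXAMPLE-SEC", "name": "Security check (sample)", "category": "security"}]}
    def describe_trusted_advisor_check_result(self, checkId, language):
        ts = {"EXAMPLE-EC2": "2020-01-10T00:00:00Z",
              "EXAMPLE-KIN": "2020-01-01T00:00:00Z"}[checkId]
        return {"result": {"checkId": checkId, "timestamp": ts,
                           "status": "ok", "flaggedResources": []}}
    def refresh_trusted_advisor_check(self, checkId):
        self.refreshed.append(checkId)
        return {"status": {"checkId": checkId, "status": "enqueued"}}
```

Against a real account the same functions take `boto3.client("support")` in place of `FakeSupport()`.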