Releases: cloud-custodian/cloud-custodian
0.9.49.0
What's Changed
aws
- aws - add 'resolver-rule' resource (#10419)
- aws - appelb - add listener-rule filter for inspecting routing rules (#10432)
- aws - cloudfront/shield - gracefully handle pricing plan distributions (#10477)
- aws - quicksight - gracefully handle missing or standard edition configurations (#10452)
- aws - quicksight - handle exception in list tags (#10501)
- aws - rds - skip cluster members in start/stop action (#10497)
- aws - service-quota - updated account-service-limits example usage policy (#10439)
- aws - vpc - extend the dhcp-options filter to support an 'amazon' synthetic value (#10448)
- aws - vpc - skip regional NAT Gateways in cross-az-nat-gateway-route filter (#10461)
azure
- azure - add entraid-group resource (#10424)
- azure - add the entraid-organization resource (#10426)
- azure - testing - use unittest.mock instead of a backported package (#10420)
releng
shift-left
- c7n-left - allow HCL errors to fail runs (#10414)
schema changes
- aws.resolver-rule added
- azure.entraid-group added
- azure.entraid-organization added
- aws.app-elb
  - added filters: listener-rule
- aws.app-elb-target-group
  - added filters: json-diff
- aws.artifact-domain
  - added filters: json-diff
- aws.comprehend-flywheel
  - added filters: config-compliance, json-diff
- aws.datasync-agent
  - added filters: json-diff
- aws.glue-database
  - added filters: json-diff
- aws.sagemaker-data-quality-job-definition
  - added filters: json-diff
- aws.sagemaker-model-bias-job-definition
  - added filters: config-compliance, json-diff
- aws.sagemaker-model-explainability-job-definition
  - added filters: json-diff
- aws.sagemaker-model-quality-job-definition
  - added filters: json-diff
- aws.ses-dedicated-ip-pool
  - added filters: config-compliance, json-diff
- aws.transfer-server
  - added filters: json-diff
Full Changelog: 0.9.48.0...0.9.49.0
0.9.48.0
What's Changed
aws
- aws - account - add 'ami-block-public-access' filter (#10377)
- aws - add 'iam-access-key' resource (#10364)
- aws - add custom replica filter to the secretsmanager resource (#10350)
- aws - add delete action for subnet (#10296)
- aws - artifact-domain - fix cross account filter (#10446)
- aws - cache-cluster - implement the 'upgrade-available' filter (#10361)
- aws - core - consolidated query parsing (#10388)
- aws - ebs - add Server-Side Query Filtering (#10393)
- aws - firehose - delete action add support for suspended streams (#10397)
- aws - fsx - delete-file-system support other fsx types (#10391)
- aws - kafka - cross account filter (#10371)
- aws - kafka - upgrade-available (#10360)
- aws - kms - add 'last-rotation' filter (#10363)
- aws - lambda event source mapping (#10293)
- aws - r53 domain - test data fix (#10403)
- aws - route53 domain - add a detail spec
- aws - schedule mode - strip version from eventbridge schedule target arn (#10407)
- aws - secrets manager - Filter on attributes of current version (#10434)
- aws - service-quota - Add hard_limit support for service quota management (#10331)
- aws - ssm-document - support everyone-only in cross-account filter (#10413)
- aws - wafv2 set logging (#10412)
- Add VPC Resolver Query Logging Filter (#10167)
- Adding analytics-association filter for Connect instances (#10275)
- Adding support for AWS VPC Lattice resources (#10341)
- feat: add action for app elb (#10248)
- fix(guardduty): use correct key for administrator account (#10376)
- Fixing KeyError in Comprehend cross-account filter when resource has no policy (#10355)
azure
- azure - AKS / ACI Azure Container Host Enhancements (#10395)
- azure - add 'elasticache-reserved' resource (#10369)
- azure - add base Entra ID support and the entraid-user resource (#10357)
- azure - azure.keyvault-key: fix policy filter due to incompatible sdk update (#10368)
- azure - keyvault-key - add update action (#9905)
- azure - update azure mgmt keyvault version (#10352)
- azure - update azure mgmt security version (#10351)
core
- core - add GOVERNANCE.md to document project governance structure (#10320)
gcp
- gcp - add certificatemanager certificate support (#10326)
- gcp - fix broken secret manager documentation link (#10438)
- gcp - update metric support for spanner resources (#10374)
kubernetes
- kubernetes - enhanced PatchAction with save/restore functionality and improved error handling (#10288)
releng
- releng - 2025/10 increment versions and update dependencies (#10383)
- releng - 🌱 bump github-actions group across 4 directories with 12 updates (#10410)
- releng - azure - update azure-mgmt-sql to 3.x (#10421)
- releng - ensure dependabot scans reusable workflows (#10408)
- releng - fix ci installation cache check to avoid breakage (#10404)
- releng - make awscc build script is quiet by default (#10405)
- releng - update dependencies 2025/11 (#10417)
tencentcloud:
- tencentcloud: fix metrics service name, enforce batching limits, and annotate resources with metrics (#10337)
tools
- c7n_mailer - ensure template_folders are sorted to get same sha256sum each time (#10387)
schema changes
- aws.elasticache-reserved added
- aws.iam-access-key added
- aws.lambda-event-source-mapping added
- aws.vpc-lattice-service added
- aws.vpc-lattice-service-network added
- aws.vpc-lattice-target-group added
- azure.entraid-user added
- gcp.certmanager-certificate added
- terraform._ added
- aws.account
  - added filters: ami-block-public-access
- aws.app-elb
  - added actions: delete-listener
- aws.cache-cluster
  - added filters: upgrade-available
- aws.connect-instance
  - added filters: analytics-association
- aws.kafka
  - added filters: cross-account, upgrade-available
- aws.kms-key
  - added filters: last-rotation
- aws.opswork-stack
  - removed filters: metrics
- aws.secrets-manager
  - added filters: current-version, replica-attribute
- aws.subnet
  - added actions: delete
- aws.vpc
  - added filters: resolver-query-logging
- aws.wafv2
  - added actions: set-logging
- azure.keyvault-key
  - added actions: update
- gcp.spanner-backup
  - removed filters: metrics
- gcp.spanner-database-instance
  - removed filters: metrics
New Contributors
- @vit-corp made their first contribution in #10351
- @yuzegao made their first contribution in #10337
- @franzramadhan made their first contribution in #10326
- @umairmkhan made their first contribution in #10320
- @linguini-dev made their first contribution in #10296
- @toastdriven made their first contribution in #10369
- @licquia made their first contribution in #10357
- @andrewhibbert made their first contribution in #10387
- @SoyTecnopata made their first contribution in #10288
- @priscila-lugon made their first contribution in #10393
- @ejohn20 made their first contribution in #10395
- @KeisukeYamashita made their first contribution in #10438
Full Changelog: 0.9.47.0...0.9.48.0
0.9.47.0
What's Changed
aws
- aws - Quicksight DataSource and Dashboard support (#10274)
- aws - S3 Multi Region Access Point Cross Account Filter (#10301)
- aws - add region-copy feature for rds cluster snapshot (#10271)
- aws - cross-account filter - handle multiple context keys per operator (#10267)
- aws - enable CloudWatch Synthetics service (#10324)
- aws - eventbridge pipes (#10315)
- aws - fix firehose pagination (#10313)
- aws - fix organization resources tag actions (#10294)
- aws - fsx - enable metrics filter for all file system types (#10319) (#10322)
- aws - refactor s3 bucket assembly (#10342)
- aws - subnet filter - public option for nat route checking (#10261)
- aws - update lambda runtime support to python 3.10-3.13 (#10303)
- aws - utils - fix merge_dict scalar update behavior (#10328)
- Add handle_s3_dataaccesspointaccount to PolicyChecker (#10297)
- S3 access point cross account nosuchpolicy bugfix (#10317)
azure
- azure - add backup vault resource (#10299)
- azure - machine-learning-workspace inherit from ArmResourceManager (#10277)
- azure - update compute management sdk v29 --> v34 (#10289)
releng
- releng - 🌱 bump astral-sh/setup-uv in the github-actions group (#10290)
- releng - bump github.com/docker/docker in /tools/cask (#10306)
- releng - release prep increment versions and update dependencies (#10310)
- releng - restore docker entry point compatibility (#10272)
- releng - update azure-mgmt-recoveryservices to 3.1.0 (#10298)
schema changes
- aws.cloudwatch-synthetics added
- aws.eventbridge-pipes added
- aws.quicksight-dashboard added
- aws.quicksight-datasource added
- azure.backup-vault added
- terraform._ added
- aws.fsx
  - added filters: metrics
- aws.org-account
  - added actions: auto-tag-user, copy-related-tag, mark-for-op, remove-tag, rename-tag, tag
  - added filters: marked-for-op
- aws.org-policy
  - added actions: auto-tag-user, copy-related-tag, mark-for-op, remove-tag, rename-tag, tag
  - added filters: marked-for-op
- aws.org-unit
  - added actions: auto-tag-user, copy-related-tag, mark-for-op, remove-tag, rename-tag, tag
  - added filters: marked-for-op
- aws.rds-cluster-snapshot
  - added actions: region-copy
- aws.s3-access-point-multi
  - added filters: cross-account
- azure.machine-learning-workspace
  - added actions: auto-tag-date, auto-tag-user, delete, lock, mark-for-op, tag, tag-trim, untag
  - added filters: cost, diagnostic-settings, marked-for-op, metric, offhour, onhour, policy-compliant, resource-lock
New Contributors
- @mattordoff made their first contribution in #10322
- @areddyn made their first contribution in #10324
- @vee-han made their first contribution in #10271
Full Changelog: 0.9.46.0...0.9.47.0
0.9.46.0
What's Changed
aws
- aws - account - add new action for setting sts config (#10225)
- aws - add resource client-vpn-endpoint (#10257)
- aws - add vpc-endpoint-service-configuration resource (#10220)
- aws - cross-account filter - support additional condition keys (#10264)
- aws - delivery-destination - fix cross-account for destinations with no policy (#10254)
- aws - invoke-lambda - use keyword args for assumed_session() call (#10252)
- aws - kms - Add UnsupportedOperationException handling for getRotationStatus (#10180)
- aws - kms-key - add schedule-deletion action (#10195)
- aws - opensearch-ingestion - pipeline-config filter (#10236)
- aws - policy-statement - more partial match (#10115)
- aws - resolver-logs - skip operations on resources from other accounts (#10169)
- aws - sesv2 - dedicated ip pool bug fix for get operation (#10197)
- aws - quicksight-user delete (#10224)
- aws - Enhancing Comprehend support with new job resources and KMS filter (#10251)
azure
- azure - defender-contacts - work around upstream sdk issue (#10216)
- azure - define default values for report metadata attributes (#10255)
- azure - storage - file services filter (#10217)
docs
- docs - update from poetry to uv (#10151)
releng
- releng - 2025.06 - version increment and dep upgrade (#10229)
- releng - 2025.07 - update deps for release / specifically twine >= 6 (#10258)
- releng - 🌱 Bump codecov/codecov-action in the github-actions group (#10178)
- releng - 🌱 bump astral-sh/setup-uv in github-actions (#10238)
- releng - add initial nix support via flake with uv (#10148)
- releng - docker uv fixes (#10203)
- releng - release fixes for uv switch out (#10260)
- releng - remove xfail marker on c7n-left test for issue 10119 (#10259)
- releng - switch out to uv (#10140)
- releng - update dependencies for new tfparse (#10250)
tools
- tools/c7n_mailer - gcp attempt to prevent dupe delivery by ack'ing messages individually (#10221)
schema changes
- aws.client-vpn-endpoint added
- aws.comprehend-document-classification-job added
- aws.comprehend-dominant-language-detection-job added
- aws.comprehend-entities-detection-job added
- aws.comprehend-events-detection-job added
- aws.comprehend-key-phrases-detection-job added
- aws.comprehend-pii-entities-detection-job added
- aws.comprehend-sentiment-detection-job added
- aws.comprehend-targeted-sentiment-detection-job added
- aws.comprehend-topics-detection-job added
- aws.vpc-endpoint-service-configuration added
- terraform._ added
- aws.account
  - added actions: set-security-token-service-preferences
- aws.comprehend-document-classifier
  - added filters: kms-key
- aws.comprehend-entity-recognizer
  - added filters: kms-key
- aws.comprehend-flywheel
  - added filters: kms-key
- aws.iam-oidc-provider
  - added filters: config-compliance, json-diff
- aws.identity-pool
  - added filters: json-diff
- aws.kms-key
  - added actions: schedule-deletion
- aws.memorydb-subnet-group
  - added filters: json-diff
- aws.opensearch-ingestion
  - added filters: pipeline-config
- aws.quicksight-user
  - added actions: delete
- azure.storage
  - added filters: file-services
New Contributors
- @hussainsultan made their first contribution in #10148
- @Adelabumowe made their first contribution in #10221
- @cdemers made their first contribution in #10257
- @germangarces made their first contribution in #10252
Full Changelog: 0.9.45.0...0.9.46.0
0.9.45.0
aws
- aws - add elasticache server side query support to retrieve cluster info (#10111)
- aws - apigwv2 API and Stage update, delete actions (#9959)
- aws - cross-account filter - return_allowed configuration which returns matching allowed statements (#10001)
- aws - glue-catalog - arn generator (#10147)
- aws - keyspaces (#10012)
- aws - lexv2 bot-alias - resource and cross-account filter and delete action (#10057)
- aws - metrics - handle extended statistics keys (#10131)
- aws - quicksight-account identity region bugfix (#10173)
- aws - ram - resource-share (#10036)
- aws - rds-subscription - add topic filter (#10010)
- aws - rdscluster - chunk describe calls when fetching by ids (#10133)
- aws - timestream-influxdb - db-parameter filter (#10037)
- aws - lexv2-bot-alias delete action bug fix
- aws - Adding Comprehend Resources to Custodian (#10060)
azure
- azure - releng - update azure mgmt containerregistry version (#10110)
- azure - tags - use the TagOperations class for tag-only updates (#10136)
- azure - update azure mgmt security sdk version (#10122)
- azure - wait for async tag operation results from tests (#10155)
tencentcloud
- c7n_tencentcloud - filter - cam-policy-used support finding unused via boolean (#10097)
tools
- tools/c7n_left - add failing test for attribute presence testing (#10120)
docs
- docs - fix doc for setup in mac environment (#10150)
releng
- tests - correct assertion logic from truthiness check to equality check (#10118)
- releng - 2025-05 release prep - increment versions and update dependencies (#10166)
- releng - GitHub actions - bump actions/download-artifact in the github-actions group (#10113)
- releng - fix mailer werkzeug dep that exposed freeze plugin issue (#10171)
- releng - poetry addon group and update ruff (#10137)
- releng - slim c7n-left docker image (#9782)
- releng - tfparse 0.6.16, poetry 2.1.3 lockfiles (#10172)
- releng - update dependencies to address requests dep flapping (#10175)
- releng - update to poetry 2.1.3 (#10139)
schema changes
- aws.comprehend-document-classifier added
- aws.comprehend-endpoint added
- aws.comprehend-entity-recognizer added
- aws.comprehend-flywheel added
- aws.keyspace added
- aws.keyspace-table added
- aws.lexv2-bot-alias added
- aws.resource-share-other added
- aws.resource-share-self added
- terraform._ added
- aws.apigwv2
- aws.apigwv2-stage
- aws.cache-cluster
  - added filters: vpc
- aws.rds-subscription
  - added filters: topic
- aws.timestream-influxdb
  - added filters: db-parameter
New Contributors
- @emmanuel-ferdman made their first contribution in #10118
- @Ayush314932 made their first contribution in #9782
- @darjeeling made their first contribution in #10150
Full Changelog: 0.9.44.0...0.9.45.0
0.9.44.0
What's Changed
aws
- aws - account - emr - block public account access bugfix (#10018)
- aws - add rds-db-shard-group resource (#10052)
- aws - athena-data-catalog tagging (#10021)
- aws - aws.cfn add sns notification topic filter (#10013)
- aws - codedeploy-config resource and codedeploy-group config filter (#10044)
- aws - destination and delivery destination (#9995)
- aws - docs - Add example of PartialMatch for EFS (#10031)
- aws - docs - remove-keys fix example to note its creation date based (#10053)
- aws - ebs - fix resources returned in delete action results/file (#10050)
- aws - ecr - set-lifecycle - add support for 'tagPatternList' ECR lifecycle policy field (#9970)
- aws - ecr-image - support server side query in policies and remove extraneous api calls in augment (#9680)
- aws - fix-volume resource and filter and vpc filter (#10067)
- aws - lambda - bug fix on update lambda configuration for multiple values of function name (#10082)
- aws - macie2 - use get administrator account vs deprecated (#10014)
- aws - mu - remove scope from periodic rules (#10008)
- aws - payment-cryptography tag and delete (#9829)
- aws - s3 - set-inventory - add additional optional fields to schema (#10020)
- aws - secrets manager - handle access denied errors (#10055)
- aws - sesv2 - Dedicated IP Pool Tagging Fix (#10077)
- aws - sesv2 - dedicated ip pools support (#9913)
- aws - shield - bug fix for clear-stale on elastic-ips (#10006)
- aws - sso - delete idp action (#10085)
- aws - timestream influxdb - cluster resource (#10027)
- aws - utils - schema from shape (#9771)
- aws - wafv2 - add web-acl-rules filter (#9868)
- aws - workspace - filter by active directory (#10066)
- fix - avoid key error cases in policystatement filter (#10026)
- fix - conditional for key error in policystatement filter (#9977)
- fix - more consistent lambda mode execution. (#9997)
- modify-security-groups action - removed check for maximum of 5 security groups (#9789)
azure
- azure - add postgresql-flexibleserver resource (#10009)
- azure - disk - add modify-disk-type action (#9986)
- azure - event-mode - fix parent id on child resources (#9906)
- azure - session - handle azure-identity call signature change (#10079)
- azure - update azure mgmt storage and compute libraries (#10054)
- azure - update azure-mgmt-redis version and update resource (#9662)
gcp
- gcp - bucket - fix gcp-scc mode use (#10005)
- gcp - kms - remove duplicate location function / chore (#9983)
shift-left
- c7n-left - taggable filter - match resources from v3 of the azurerm provider (#10046)
- tests - add c7n-left xfail for merging local map with unknowns (#10045)
- tests - add xfail tests for known c7n-left/tfparse issues (#10034)
tools
- tools/cask - update dependencies and code for new docker/moby api (#9975)
- tools/omnissm - remove obsolete tool (#9976)
- tools/ops - aws iam permission generator for policies (#9964)
docs
- docs - add a separate SECURITY.md (#10094)
- docs - fix typo in quickstart (#9981)
- docs - tools/c7n-org update README.md example w/ quotes around run-script args and relative path (#9960)
releng
- releng - 🌱 bump codecov/codecov-action in the github-actions group (#9855)
- releng - changelog generator - handle missing docker hub images (#10087)
- releng - dep updates and release prep (#9994)
- releng - dep updates april 2025 v2 (#10104)
- releng - pin github actions (#10093)
- releng - reintroduce urllib3 pin in root package (#10103)
- releng - release workflow - update poetry freeze plugin (#10095)
- releng - remove end of life python 3.8 from ci (#9966)
- releng - tools/c7n_salactus - Bump jinja2 (#10019)
- releng - update dependencies for release (#10092)
- releng - update tfparse to 0.6.15 (#10058)
- releng - workaround vs pinning for poetry plugin freeze issue on urllib (#10096)
schema changes
- aws.athena-capacity-reservation added
- aws.athena-data-catalog added
- aws.athena-work-group added
- aws.cloudhsm-backup added
- aws.codedeploy-config added
- aws.delivery-destination added
- aws.destination added
- aws.fsx-volume added
- aws.kafka-config added
- aws.kendra added
- aws.lexv2-bot added
- aws.log-destination removed
- aws.payment-cryptography-key added
- aws.quicksight-account added
- aws.rds-db-shard-group added
- aws.ses-configuration-set-v2 added
- aws.ses-dedicated-ip-pool added
- aws.ses-ingress-endpoint added
- aws.timestream-influxdb added
- aws.timestream-influxdb-cluster added
- azure.afd-custom-domain added
- azure.afd-endpoint added
- azure.postgresql-flexibleserver added
- tencentcloud.dns-record added
- tencentcloud.eip added
- tencentcloud.subnet added
- terraform._ added
- aws.cfn
- aws.codedeploy-group
  - added filters: config
- aws.directory
  - added filters: is-log-forwarding
- aws.dms-endpoint
  - added filters: kms-key
- aws.efs
  - added actions: remove-statements
  - added filters: cross-account
- aws.elastic-ip
  - added filters: used-by
- aws.fsx
- aws.iam-saml-provider
  - added actions: delete
- aws.ses-email-identity
  - added actions: remove-policies
  - added filters: cross-account
- aws.shield-protection
  - added actions: auto-tag-user, copy-related-tag, mark-for-op, remove-tag, tag
  - added filters: finding, marked-for-op
- aws.swf-domain
  - added filters: configuration
- aws.wafv2
  - added filters: web-acl-rules
- aws.workspaces-directory
  - added filters: directory
...
0.9.43.0
aws
- aws - account - fix has-virtual-mfa (#9848)
- aws - add support for lexv2 bot (#9937)
- aws - add support for timestream influxdb (#9858)
- aws - athena workgroup, capacity-reservation, data-catalog (#9933)
- aws - bugfix for IAM role arn parsing (#9885)
- aws - cfn - search template filter (#9768)
- aws - cfn - stacks - Add ARN definition (#9936)
- aws - cloudhsm - backup (#9721)
- aws - directory - fix - filtering directories without trusts (#9899)
- aws - directory service log subscription filter (#9837)
- aws - dms-endpoint - kms-key filter (#9871)
- aws - efs - cross-account filter and remove-statements action (#9856)
- aws - elastic-ip - used-by filter (#9958)
- aws - event-rule and target - handle non-default event buses (#9874)
- aws - glue - fix table ARN to include the database name (#9880)
- aws - guard duty- update to use get administrator account instead of deprecated get master (#9840)
- aws - handle concurrent deletes better when fetching resource details (#9902)
- aws - has-statement filter - multiple statements bugfix (#9865)
- aws - kafka-cluster config resource (#9926)
- aws - kendra resource (#9881)
- aws - lex - set maxResults (#9944)
- aws - network-manager - handle shared networks (#9927)
- aws - networkmanager - mark all resources as global (#9900)
- aws - policystatement - has-statement partial-match (#9877)
- aws - quicksight-account settings resource (#9876)
- aws - quota - usage filter - fix too many datapoints (#9897)
- aws - rest-account - Retry and Raise Client Errors (#9862)
- aws - ses - ingress - endpoints (#9947)
- aws - ses-email-identity - cross-account filter (#9759)
- aws - sesv2 - sesv2 configuration sets (#9911)
- aws - shield - mark all resources as global (#9901)
- aws - shield - tagging (#9909)
- aws - sns-subscription - get_resources fetch only passed resource ids (#9867)
- aws - ssm - fix iam permission metadata (#9962)
- aws - swf - domain configuration filter (#9850)
- aws - timestream-influxdb - add network-location filter (#9892)
- aws - workspaces-web - fix and test matching an empty browser policy (#9949)
azure
- azure - add afd endpoint and afd custom domain resources (#9831)
- azure - appserviceplan - add webapps filter (#9930)
- azure - azure.storage - add management-policy-rules filter (#9838)
- azure - releng - update mgmt ml lib and enable additional properties (#9931)
- azure - storage - set minimum tls version on buckets (#9904)
- azure - support custom namespace for c7n azure metrics filter (#9863)
- azure - update azure.mgmt.network (#9830)
- azure - vm - add jit policy ports filter (#9950)
gcp
- gcp - instance - add support for discard_local_ssd in stop action (#9946)
- gcp - loadbalancer-target-tcp-proxy - remove stray space from asset_type (#9956)
tencentcloud
- c7n_tencentcloud - resources - eip & dns-records (#9878)
- c7n_tencentcloud - resources - subnet (#9935)
- tencentcloud - testing allow pass through credential env vars when recording (#9919)
shift-left
- c7n-left - docs and a test around jmespath w/ json string (#9940)
- c7n-left - handle reference list declared in __tfmeta (#9783)
- feat(c7n-left): add option to select Terraform workspace (#9869)
tools
- tools/c7n_org - gcp - handle empty project name (#9929)
docs
- docs - fix typo in azure.webapp example (#9955)
releng
- releng - 2025-01 - update data dictionaries (#9928)
- releng - prepare 2025-02 release - dep update and version increment (#9965)
- releng - tools/c7n_mailer update jinja2 to 3.1.5 (#9920)
- releng - tools/c7n_salactus update jinja2 (#9925)
- releng - update jinja2 from 3.1.4 to 3.1.5 (#9943)
- releng - update tools/cask golang deps (#9922)
schema changes
- aws.athena-capacity-reservation added
- aws.athena-data-catalog added
- aws.athena-work-group added
- aws.cloudhsm-backup added
- aws.kafka-config added
- aws.kendra added
- aws.lexv2-bot added
- aws.quicksight-account added
- aws.ses-configuration-set-v2 added
- aws.ses-ingress-endpoint added
- aws.timestream-influxdb added
- azure.afd-custom-domain added
- azure.afd-endpoint added
- tencentcloud.dns-record added
- tencentcloud.eip added
- tencentcloud.subnet added
- terraform._ added
- aws.cfn
  - added filters: template
- aws.directory
  - added filters: is-log-forwarding
- aws.dms-endpoint
  - added filters: kms-key
- aws.efs
  - added actions: remove-statements
  - added filters: cross-account
- aws.elastic-ip
  - added filters: used-by
- aws.ses-email-identity
  - added actions: remove-policies
  - added filters: cross-account
- aws.shield-protection
  - added actions: auto-tag-user, copy-related-tag, mark-for-op, remove-tag, tag
  - added filters: finding, marked-for-op
- aws.swf-domain
  - added filters: configuration
- azure.appserviceplan
  - added filters: webapp
- azure.storage
  - added filters: management-policy-rules
- azure.vm
  - added filters: jit-policy-port
New Contributors
- @ghorondo made their first contribution in #9840
- @wgrant made their first contribution in #9880
- @Singha22 made their first contribution in #9768
- @judysychen made their first contribution in #9919
- @karthik221 made their first contribution in #9856
- @CR-EvgenyT made their first contribution in #9929
- @rvichery made their first contribution in #9946
- @tjamet made their first contribution in #9897
Full Changelog: 0.9.42.0...0.9.43.0
0.9.42.0
aws
- aws - account - ec2 instance metadata defaults (#9765)
- aws - add support for global accelerator (#9738)
- aws - aws.cloudwatch-dashboard - set global_resource=true (#9781)
- aws - directory-service - add trust-relationships filter (#9795)
- aws - ds - filters for LDAP & Directory Settings (#9743)
- aws - dynamodb cross-account and has-statement (#9731)
- aws - elasticache-user resource (#9761)
- aws - event-bridge-bus - kms filter (#9802)
- aws - global accelerator - add attribute filter (#9764)
- aws - kinesis - cross account filter (#9775)
- aws - kinesis-video - set maxresults to reduce api calls (#9805)
- aws - lambda - function url config (#8765)
- aws - log destination resource (#9767)
- aws - quota - cast to float to avoid type error (#9791)
- aws - rds-snapshot - fix cross-account "everyone_only" behavior (#9803)
- aws - rest api - add has-statement filter (#9814)
- aws - s3 - check destination bucket existence in bucket-replication filter (#9745)
- aws - ses-configuration - delete action (#9778)
- aws - sfn - update remove-tag test (#9770)
- aws - step functions - activities resource, tagging and encryption support (#9697)
- aws - transfer-server - fix detail-spec (#9825)
- aws - workspaces-web - browser-policy filter bugfix (#9801)
azure
- azure - app service environment resource (#9820)
- azure - keyvault - fix parameters for update-access-policy action (#9732)
- azure - security-group - flow-logs filter - Fix network security group and flow-logs in another resource group (#9816)
c7n-org
- c7n-org - run-script - use shlex parsing for better passthrough
docs
- docs - add security audit to community resources (#9796)
- docs - advanced usage - fix multiple region example command (#9806)
- docs - aws - fix typo in lambda doc. (#9726)
- docs - aws - sec group remediation - add modify sec group to event list (#9735)
- docs - continue to fix example policies (#9810)
- docs - fix example policies (#9786)
- docs - fix invalid example policies, add note to notify docs (#9808)
- docs - rename old references to c7n kates to c7n kube (#9749)
releng
- releng - azure - update azure-mgmt-eventgrid version to 10.3.0b4 (#9819)
- releng - data dictionaries update (#9751)
- releng - fix c7n-left docker image build (#9800)
- releng - prep for 10/2024 release (#9807)
- releng - update deps (#9832)
shift-left
- c7n-left - graph.get_refs handle blocks that are interpolated (#9737)
schema changes
- aws.elasticache-user added
- aws.globalaccelerator added
- aws.log-destination added
- aws.sfn-activity added
- azure.app-service-environment added
- terraform._ added
- aws.account
  - added actions: set-ec2-metadata-defaults
  - added filters: ec2-metadata-defaults
- aws.directory
- aws.dynamodb-table
  - added filters: cross-account, has-statement
- aws.event-bus
  - added filters: kms-key
- aws.kinesis
  - added filters: cross-account
- aws.lambda
  - added filters: url-config
- aws.rest-api
  - added filters: has-statement
- aws.ses-configuration-set
  - added actions: delete
- aws.step-machine
  - added filters: kms-key
New Contributors
- @kiqdestro made their first contribution in #9735
- @evercast-mahesh2021 made their first contribution in #9726
- @matthewdeanmartin made their first contribution in #9786
- @ifduyue made their first contribution in #9806
- @archinksagar made their first contribution in #9778
- @goodwillstack made their first contribution in #9749
Full Changelog: 0.9.41.0...0.9.42.0
0.9.41.0
core
- core - add terraform back to provider resources and ensure jsonschema for validation (#9639)
- core - value filter et all - add from_json jmespath function (#9657)
aws
- aws - asg - update invalid filter to allow default subnets usage if they exist (#9652)
- aws - cloudfront - add origin-access-control resource (#9645)
- aws - config-recorder retention filter (#9528)
- aws - ecr normalize keys from config source to match service apis (#9642)
- aws - has-statement filter - ignore the order of statement actions (#9647)
- aws - memorydb - add support for user and acl resources (#9717)
- aws - memorydb - snapshot resource w/ tags and delete action (#9667)
- aws - opensearch-ingestion - fix spelling
- aws - opensearch-injestion resource and filters & actions (#9654)
- aws - refactor on child resource query and fix an ecs container instance bug (#9663)
- aws - security group - de-duplicate matched egress/ingress rules (#9681)
- aws - storage-gateway - add detail spec (#9702)
- aws - workspaces-web - Add UserAccessLoggingSettings Filter (#9670)
- aws - workspaces-web - add user-settings filter (#9668)
- aws - workspaces-web - subnet filter (#9688)
- aws-workspaces-web - add browser-policy filter (#9644)
azure
- azure - appserviceplan - Add detailed true on App Service Plan List Operation (#9600)
- azure - defender-assessment - use the simpler extra_args class method (#9675)
- azure - releng - update azure-mgmt-rdbms version (#9658)
- azure - retry - increase retry / sleep count to 8 (#9682)
- azure - snapshot resource and delete action (#9641)
- azure - tweak retry behavior to avoid flaky tests (#9715)
gcp
- gcp - recommender filter - remove duplicate resource ids (#9683)
shift-left
- c7n-left - fix summary pass counter for cli output (#9672)
- c7n-left - reset traverse filter for each related resource (#9689)
- c7n-left - validate command (#9525)
- tools/c7n_left - traverse filter - allow boolean blocks in attrs (#9705)
docs
- docs - add jquery extension to fix rtd theme (#9655)
releng
- releng - fix dep flapping on importlib-metadata with c7n_gcp via base pin (#9729)
- releng - prep 0.9.41 release (#9691)
schema changes
- aws.memorydb-acl added
- aws.memorydb-snapshot added
- aws.memorydb-user added
- aws.opensearch-ingestion added
- aws.origin-access-control added
- azure.snapshot added
- terraform._ added
- aws.config-recorder
  - added filters: retention
- aws.storage-gateway
  - added actions: auto-tag-user, copy-related-tag, mark-for-op, remove-tag, rename-tag, tag
  - added filters: marked-for-op
- aws.workspaces-web
  - added filters: browser-policy, subnet, user-access-logging, user-settings