
Cloudcustodian - filter by tag name for on/off hours


I have the following policy:

policies:
  - name: stop-after-hours 
    resource: ec2
    filters:
      - tag:Schedule: "OfficeHours" 
    actions:
      - stop
    mode:
      type: periodic
      schedule: "rate(10 minutes)"
      role: arn:aws:iam::XXXXXX:role/LambdaRoleCloudCustodian

Which correctly identified my EC2 tagged with "Schedule: OfficeHours":

$> custodian run --dry-run -s out shutdown-out-of-office.yml
custodian.policy:INFO policy:stop-after-hours-cologne resource:ec2 region:eu-central-1 count:1 time:0.00

However, when I want to set the offhour:

policies:
  - name: stop-after-hours 
    resource: ec2
    filters:
      - tag:Schedule: "OfficeHours" 
      - type: offhour
        offhour: 11
    actions:
      - stop
    mode:
      type: periodic
      schedule: "rate(10 minutes)"
      role: arn:aws:iam::XXXXXX:role/LambdaRoleCloudCustodian

The instance is not identified anymore.

2022-07-05 12:01:04,541: custodian.policy:INFO policy:stop-after-hours-cologne resource:ec2 region:eu-central-1 count:0 time:0.78

I also tried

- type: value
  key: tag:Schedule
  value: OfficeHours

which doesn't work.

Any idea on how I can filter on tag name AND value here?


Solution

  • So, after fiddling around quite some time, I finally found the solution.

    Here's the complete policy

      policies:
      # Stop instances tagged with "Schedule: OfficeHours" at offhour
      - name: stop-after-hours
        resource: ec2
        filters:
          - tag:Schedule: OfficeHours
          - State.Name: running
          - type: offhour
            tag: Schedule
            weekends: true
            default_tz: cet
            offhour: 10
        actions:
          - stop
        mode:
          type: periodic
          schedule: "rate(10 minutes)"
          role: arn:aws:iam::XXXXXXXXX:role/LambdaRoleCloudCustodian
    

    Some things to keep in mind

    • Here, under filters/type, I have a tag attribute for which the value is Schedule. This will tell Cloudcustodian to look for any instance which has the tag Schedule, whatever its value. If you do not specify this, you need to tag your instance with the default offhour tag, which is maid_offhours.
    • I also have tag:Schedule: OfficeHours, which will filter out instances based on the tag Schedule's value.
    • If you want to test your policy with a dry-run, you must test in the current hour. So, if my offhour is set to 10, then the dry-run will only be able to fetch the resource if it is run between 10:00am and 10:59am.

    I hope it helps some people; I find the Cloudcustodian documentation quite difficult to understand.
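
Added example, not part of the original answer and not Cloud Custodian's own code: a small Python model of the filter chain described above, showing why a dry-run reports count:0 outside the offhour and when the offhour filter is left on its default tag. The function names, the sample inventory, the fixed UTC+2 offset standing in for "cet", and the reading of weekends: true as "skip Saturday and Sunday" are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC+2 stands in for default_tz "cet" on a summer date;
# a real run resolves the named zone, including daylight saving changes.
POLICY_TZ = timezone(timedelta(hours=2))


def in_offhour_window(now, offhour, weekends=True, tz=POLICY_TZ):
    """True only while the local clock hour equals offhour on an allowed day."""
    local = now.astimezone(tz)
    # Assumed meaning of weekends: true -> no action on Saturday or Sunday.
    allowed_days = range(5) if weekends else range(7)  # Monday is 0
    return local.hour == offhour and local.weekday() in allowed_days


def policy_matches(instance, now, offhour=10, offhour_tag="maid_offhours"):
    """AND of the policy's filters: tag value, running state, offhour filter."""
    tags = instance["Tags"]
    return (
        tags.get("Schedule") == "OfficeHours"   # tag:Schedule: OfficeHours
        and instance["State"] == "running"      # State.Name: running
        and offhour_tag in tags                 # instance carries the offhour tag
        and in_offhour_window(now, offhour)     # current hour is the offhour
    )


def dry_run(instances, now, **filter_args):
    """Return the ids a dry-run at `now` would report (the log's count)."""
    return [i["Id"] for i in instances if policy_matches(i, now, **filter_args)]


# Constructed sample inventory, not real instances.
INSTANCES = [
    {"Id": "i-office", "State": "running", "Tags": {"Schedule": "OfficeHours"}},
    {"Id": "i-stopped", "State": "stopped", "Tags": {"Schedule": "OfficeHours"}},
    {"Id": "i-other", "State": "running", "Tags": {"Schedule": "AlwaysOn"}},
]

if __name__ == "__main__":
    tuesday = datetime(2022, 7, 5, tzinfo=POLICY_TZ)
    for hour, minute in [(9, 59), (10, 0), (10, 59), (11, 0)]:
        now = tuesday.replace(hour=hour, minute=minute)
        print(now.strftime("%H:%M"), dry_run(INSTANCES, now, offhour_tag="Schedule"))
    # Without tag: Schedule the filter looks for maid_offhours and finds nothing.
    print("default tag", dry_run(INSTANCES, tuesday.replace(hour=10)))
```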