In our previous discussion, we delved into the process of cleaning up old EBS snapshots using Cloud Custodian and explored how that policy could be executed against a single AWS account. Now, let's extend it to multiple accounts using the handy companion tool, c7n-org. This tool supports various cloud environments, including AWS, Azure, GCP, and OCI.
c7n-org allows us to execute Cloud Custodian policies in parallel across different accounts, maintaining governance uniformly. It also provides a straightforward way to generate the necessary configuration file (the account list) through a script that reads the AWS Organizations service:
```shell
python scripts/orgaccounts.py -f aws/accounts/my-org-a.yml
```
Let's take a look at an example AWS account configuration file generated by c7n-org:
```yaml
accounts:
  - account_id: "123456789012"
    email: my-dev-account@example.com
    name: my-dev-account
    regions:
      - us-east-1
    role: arn:aws:iam::123456789012:role/CloudCustodianTenantRole
    tags:
      - path:/develop # AWS Organizations OU path
  # More accounts go here
```
source: aws/accounts/my-org-a.yml
This file includes essential information such as the account ID, email, name, regions, and the role to assume. The tags section records each account's OU path in AWS Organizations, so that policies can be targeted at specific OUs instead of being applied to every account.
Executing policies across multiple accounts is now a breeze with the c7n-org CLI:
```shell
c7n-org run -s . -c aws/accounts/my-org-a.yml -u aws/policies/ebs-snapshot-cleanup-lite.yml
```
This command applies the EBS snapshot cleanup policy to all the accounts specified in the configuration file.
In scenarios where a corporation oversees multiple companies or when distinct requirements exist within different organizational units, localized policy adjustments become crucial. For instance, development and production accounts might demand different retention periods for EBS snapshots.
To address such variations, we introduce a variable, ebs_snapshot_retention_days, to the policy configuration:
```yaml
policies:
  - name: ebs-snapshot-delete-old-snapshots
    resource: ebs-snapshot
    description: Delete aged EBS snapshots
    filters:
      - OwnerId: "{account_id}"
      - type: age
        op: greater-than
        days: "{ebs_snapshot_retention_days}" # quoted: a bare {...} is a YAML flow mapping, not a string
    actions:
      - type: delete
        skip-ami-snapshots: true
```
source: aws/policies/ebs-snapshot-cleanup-lite.yml
Now, the policy dynamically determines the retention period based on the specified variable.
In the AWS account configuration file (e.g., aws/accounts/my-org-a.yml), we can set default values and customize them for specific accounts:
```yaml
vars:
  ebs_snapshot_retention_days: 90 # default value for all accounts
accounts:
  - account_id: "123456789012"
    name: my-dev-account
    tags:
      - path:/develop
      - ebs_snapshot_retention_days:7 # specify the customized value through a tag
    vars:
      ebs_snapshot_retention_days: 7 # customized value for this account
  - account_id: "123456789013"
    name: my-prod-account-1
    tags:
      - path:/prod
  - account_id: "123456789014"
    name: my-prod-account-2
    tags:
      - path:/prod
      - ebs_snapshot_retention_days:365
    vars:
      ebs_snapshot_retention_days: 365
```
This structure allows for efficient policy management by specifying customized values where needed while maintaining defaults for others.
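To see how the defaults and per-account overrides combine before anything is deleted, here is an added Python example (not part of c7n-org or of the original post) that emulates the variable merge, placeholder substitution and OU-tag targeting on the parsed form of the two files above. The merge order, the type-preserving placeholder rule and the tag matching are assumptions of this emulation, not a description of c7n-org internals.

```python
# Parsed form of the accounts file above, constructed inline (no YAML library needed).
ACCOUNTS_CONFIG = {
    "vars": {"ebs_snapshot_retention_days": 90},
    "accounts": [
        {"account_id": "123456789012", "name": "my-dev-account", "tags": ["path:/develop"],
         "vars": {"ebs_snapshot_retention_days": 7}},
        {"account_id": "123456789013", "name": "my-prod-account-1", "tags": ["path:/prod"]},
        {"account_id": "123456789014", "name": "my-prod-account-2", "tags": ["path:/prod"],
         "vars": {"ebs_snapshot_retention_days": 365}},
    ],
}

# Parsed form of the policy above; placeholders are quoted so YAML reads them as strings.
POLICY = {
    "name": "ebs-snapshot-delete-old-snapshots",
    "resource": "ebs-snapshot",
    "filters": [{"OwnerId": "{account_id}"},
                {"type": "age", "op": "greater-than", "days": "{ebs_snapshot_retention_days}"}],
    "actions": [{"type": "delete", "skip-ami-snapshots": True}],
}

def effective_vars(config, account):
    """Top-level vars are defaults; an account's own vars override them (assumed order)."""
    merged = dict(config.get("vars", {}))
    merged.update(account.get("vars", {}))
    merged["account_id"] = account["account_id"]  # always available, as in the OwnerId filter
    return merged

def expand(node, variables):
    """Substitute {name} placeholders in every string leaf of the policy tree. A leaf that
    is exactly one placeholder keeps the variable's type, so `days` stays an integer."""
    if isinstance(node, dict):
        return {k: expand(v, variables) for k, v in node.items()}
    if isinstance(node, list):
        return [expand(v, variables) for v in node]
    if isinstance(node, str):
        if node[:1] == "{" and node[-1:] == "}" and node[1:-1] in variables:
            return variables[node[1:-1]]
        return node.format(**variables)
    return node

def select_accounts(config, *tags):
    """Keep only accounts carrying every requested tag (OU-path targeting)."""
    return [a for a in config["accounts"] if set(tags) <= set(a.get("tags", []))]

def render(config, policy, *tags):
    """Map account name -> the policy as it would be applied to that account."""
    return {a["name"]: expand(policy, effective_vars(config, a))
            for a in select_accounts(config, *tags)}
```

Compare the rendered per-account retention values with a `c7n-org run --dryrun` before enabling the delete action.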
c7n-org provides a powerful solution for applying policies globally across diverse cloud environments. The ability to introduce variables and customize policies at a local level ensures adaptability to varying organizational needs. With these tools, policy management becomes a streamlined and flexible process, adhering to the principle of "write once, apply everywhere."