Cloud Custodian in a Container

Using Capital One's Cloud Custodian in a container
Continuing with my desire to containerize as many services as possible, I
created a container profile for Cloud Custodian
[https://github.com/cloud-custodian] (c7n) and c7n-org that I use successfully
every day, both on my local machine and on deployed web servers.

Permissions
As with any other AWS service, you need to grant permissions. You can either
place static access keys on your machine or use IAM roles, which limits the
risk from unauthorized access and use.

On your controlling machine you need to set up AWS credentials. By default
Custodian looks in the standard AWS credential files, so create the following
files and configure them accordingly.

~/.aws/credentials

# Profile that assumes the Custodian role. "default" is the source profile, i.e.
# the credentials allowed to call sts:AssumeRole on custodianAccessRole.
[sandbox-playground]
role_arn=arn:aws:iam::#YourAccount#:role/custodianAccessRole
source_profile=default
region=us-east-1


~/.aws/config

[default]
region=us-east-1

Example usage:

custodian run --profile sandbox-playground --output-dir . --verbose asg.yml
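A pre-flight check for the profile layout above, added here as an example; it is not part of the original post and not Custodian's own tooling. It reads the two files with awk, confirms that the profile handed to Custodian assumes a role through a source profile rather than carrying a static secret of its own, and rejects a placeholder such as #YourAccount# that was never filled in. The file paths are parameters so the check can run against constructed sample files; the usage line at the end runs it against the real ~/.aws files.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight check that the AWS
# profile handed to Custodian is a role-assuming profile, not a set of static keys.
# Assumed layout matches the post: role_arn and source_profile in
# ~/.aws/credentials (or under [profile NAME] in ~/.aws/config).

# profile_key FILE PROFILE KEY -> prints KEY's value from section [PROFILE], or nothing.
profile_key() {
  awk -v want="[$2]" -v key="$3" '
    /^[ \t]*\[/ { insec = ($0 == want); next }
    insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }' "$1"
}

# check_role_profile CREDENTIALS_FILE CONFIG_FILE PROFILE
# Returns 0 when PROFILE names a real role ARN, points at a source_profile and
# carries no static secret of its own; otherwise prints the reason and returns 1.
check_role_profile() {
  creds=$1; cfg=$2; profile=$3
  role_arn=$(profile_key "$creds" "$profile" role_arn)
  [ -n "$role_arn" ] || role_arn=$(profile_key "$cfg" "profile $profile" role_arn)
  if [ -z "$role_arn" ]; then
    echo "profile '$profile': no role_arn, Custodian would run with static keys" >&2
    return 1
  fi
  case "$role_arn" in
    arn:aws:iam::[0-9]*:role/*) ;;   # an unfilled placeholder such as #YourAccount# fails here
    *) echo "profile '$profile': '$role_arn' is not a role ARN" >&2; return 1 ;;
  esac
  src=$(profile_key "$creds" "$profile" source_profile)
  [ -n "$src" ] || src=$(profile_key "$cfg" "profile $profile" source_profile)
  if [ -z "$src" ]; then
    echo "profile '$profile': role_arn set but no source_profile to assume it from" >&2
    return 1
  fi
  if [ -n "$(profile_key "$creds" "$profile" aws_secret_access_key)" ]; then
    echo "profile '$profile': carries a static secret alongside role_arn" >&2
    return 1
  fi
  echo "profile '$profile': assumes $role_arn via source profile '$src'"
}

# Usage: sh preflight.sh PROFILE   (checks the real ~/.aws files)
if [ -n "${1:-}" ]; then
  check_role_profile "$HOME/.aws/credentials" "$HOME/.aws/config" "$1"
fi
```

Run it with the profile name you pass to --profile (or set in AWS_PROFILE); a non-zero exit before `custodian run` is cheaper than discovering a half-filled profile from an API error inside the container.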

Let's look at some code
Container:

# Dockerfile
FROM python:3.7-alpine

# Install Cloud Custodian and the multi-account runner.
RUN pip install c7n c7n-org \
    && mkdir -p /scripts/

# The run script bind-mounts the policy directory at /policies; make that the
# working directory so relative policy paths and "--output-dir ." resolve
# inside the mount rather than at the image root.
WORKDIR /policies

Note the absence of ENTRYPOINT and CMD in this Dockerfile: whatever follows the
image name on the docker run command line is executed inside the container,
which keeps the image general. This will become clearer in the Usage section
below.

Build script
#!/bin/bash
# Build the image that the run script invokes by name.
docker build -t custodian .

## NOTE ## Make sure to update the path (/srv/custodian/run) to the full path of the directory in which you place these files.
## The following creates a symlink (symbolic link) to the run file, saving you the hassle of referencing the full path
## each time you execute the command.
ln -sf /srv/custodian/run /usr/local/bin/custodian

Run Script
The "$@" appends ALL the arguments following the $ custodian command. See the
Usage section below for examples.

#!/bin/bash
# Everything after the image name is executed inside the container, so the first
# argument must be the program to run there (custodian or c7n-org).
docker run -v "${PWD}:/policies" -v "${HOME}/.aws/:/root/.aws/" -v "/tmp/custodian:/tmp" -e AWS_PROFILE -it --rm custodian "$@"

Yes, it would be more readable as below. However, I have experienced too many
issues with it not being interpreted properly and use the above without issues,
keeping in mind that I cross multiple platforms daily.

docker run \
  -v "${PWD}:/policies" \
  -v "${HOME}/.aws/:/root/.aws/" \
  -v "/tmp/custodian:/tmp" \
  -e AWS_PROFILE \
  -it --rm \
  custodian "$@"

Usage
# The first "custodian" is the host wrapper (the symlink created by the build
# script); the second is the program started inside the container.
$ custodian custodian run --region us-east-1 --output-dir . --verbose custodian_aws_asg.yml

# NOTE the usage of the alias c7n
$ c7n custodian_aws_asg.yml

# NOTE the usage of the alias c7n-org
$ c7n-org run --config accounts.yml --output-dir . --tags path:/myEnv/Sandbox --dryrun --use custodian_aws_asg.yml

Aliases that I use
I use many aliases on my machines. They reduce the amount of typing and save me
from having to remember every switch or correct unintended typos. Here are the
aliases used in the Usage section above.

# "custodian" here is the host wrapper; the program name inside the image follows it.
# --output-dir=/tmp lands in /tmp/custodian on the host via the run script's mount.
alias c7n='custodian custodian run --output-dir=/tmp '
alias c7n-org='custodian c7n-org'

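
The same wrapper expressed as a shell function, added here as an example rather than the post's own run script. It makes explicit two things the one-liner leaves implicit: the first argument after the wrapper name is the program started inside the image (custodian or c7n-org), and the wrapper refuses to run when that argument is missing or unknown, which is the failure you get by typing `custodian run ...` and expecting the host wrapper to supply the binary name. It also mounts the credentials directory read-only and sets the working directory to the policy mount. The image tag `custodian`, the mount points, the CUSTODIAN_IMAGE override and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's run script. Builds the docker run
# command in a function; set DRY_RUN=1 to print the command instead of running it.
# Assumptions: image tag "custodian", policies in the current directory,
# credentials under $HOME/.aws mounted read-only.

# custodian_wrapper PROGRAM [ARGS...]
# PROGRAM is executed inside the image (there is no ENTRYPOINT), so it must be
# one of the binaries the image installs. Everything after it passes through untouched.
custodian_wrapper() {
  case "${1:-}" in
    custodian|c7n-org) ;;
    "") echo "usage: custodian {custodian|c7n-org} ARGS..." >&2; return 2 ;;
    *)  echo "first argument must be the program inside the image (custodian or c7n-org), got '$1'" >&2
        return 2 ;;
  esac
  ${DRY_RUN:+echo} docker run --rm -it \
    -v "${PWD}:/policies" \
    -v "${HOME}/.aws/:/root/.aws/:ro" \
    -v "/tmp/custodian:/tmp" \
    -w /policies \
    -e AWS_PROFILE -e AWS_DEFAULT_REGION \
    "${CUSTODIAN_IMAGE:-custodian}" "$@"
}

# Run directly, e.g.: custodian c7n-org run --config accounts.yml --dryrun --use policy.yml
if [ $# -gt 0 ]; then
  custodian_wrapper "$@"
fi
```

The `:ro` on the credentials mount is deliberate: Custodian only reads that directory (assumed-role credentials are cached in memory by botocore), so nothing running in the container can alter or add key material. The `-w /policies` mirrors the WORKDIR fix to the Dockerfile and is harmless if both are present.
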
Example AWS User Data
#!/bin/bash
apt-get update -y --fix-missing
apt-get install -y unzip python python-pip python3 python3-pip
pip3 install awscli --upgrade

# Install Docker
curl -sSL https://get.docker.com/ | sh
systemctl enable docker; systemctl start docker

# Fetch the Dockerfile, build and run scripts, plus an aws/ directory holding the
# credentials and config files shown in the Permissions section.
aws s3 cp s3://%% YOUR BUCKET %%/custodian_Container.zip /tmp/custodian_Container.zip
mkdir -p /srv/custodian/
unzip /tmp/custodian_Container.zip -d /srv/custodian/
# The run script bind-mounts /root/.aws into the container.
mkdir -p /root/.aws/
mv /srv/custodian/aws/* /root/.aws/
# Build the image. The build script already creates the /usr/local/bin/custodian
# symlink, so the final ln is only a safeguard (-f keeps it idempotent).
cd /srv/custodian/ && chmod +x run && sh build
ln -sf /srv/custodian/run /usr/local/bin/custodian
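
A variant of the credential step in the user-data script, added here as an example and not part of the original post. Instead of copying a credentials file out of the zip, which leaves a long-lived key both on the instance and in the S3 bucket, it writes a profile whose credential_source is Ec2InstanceMetadata: botocore obtains the instance role from the metadata service and assumes custodianAccessRole from it, so the instance role needs only sts:AssumeRole on that role and custodianAccessRole's trust policy must name the instance role as a principal. The profile name, role ARN, directory and the --install flag are assumptions of this example, and the account id is a placeholder. One caveat for containers: if the instance enforces IMDSv2, its metadata response hop limit must be raised to 2, otherwise a bridged container cannot reach the service and the credential lookup fails.

```shell
#!/bin/bash
# Added example, not the post's user-data script: credential setup that copies no
# key material onto the instance. A profile sourced from Ec2InstanceMetadata lets
# botocore use the instance role and assume the Custodian role from it.
# Assumptions: profile name, role ARN and target directory; 111122223333 is a
# placeholder account id.

# write_role_profile AWS_DIR PROFILE ROLE_ARN REGION
# Writes AWS_DIR/config with a single assume-role profile sourced from the
# instance role. Returns non-zero if ROLE_ARN does not look like a role ARN.
write_role_profile() {
  dir=$1 profile=$2 role_arn=$3 region=$4
  case "$role_arn" in
    arn:aws:iam::[0-9]*:role/*) ;;
    *) echo "not a role ARN: $role_arn" >&2; return 1 ;;
  esac
  mkdir -p "$dir" && chmod 700 "$dir"
  cat > "$dir/config" <<EOF
[profile $profile]
role_arn = $role_arn
credential_source = Ec2InstanceMetadata
region = $region
EOF
  chmod 600 "$dir/config"
}

# has_static_secret AWS_DIR -> 0 if any file under AWS_DIR holds a static secret key
has_static_secret() {
  grep -rqs '^[[:space:]]*aws_secret_access_key' "$1"
}

# In user data this replaces the "aws s3 cp ... mv /srv/custodian/aws/* /root/.aws/"
# lines; the Docker install and the unzip of the build files stay as in the post.
if [ "${1:-}" = --install ]; then
  write_role_profile /root/.aws sandbox-playground \
    "arn:aws:iam::111122223333:role/custodianAccessRole" us-east-1
  has_static_secret /root/.aws && echo "warning: static key present in /root/.aws" >&2
fi
```

With this layout the run script's `-e AWS_PROFILE` pass-through is all the container needs: export AWS_PROFILE=sandbox-playground on the host and Custodian resolves the role chain itself.
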